Page 1: IMT 3551/4012 Digital Forensics Course Overview and Lecture 1 Fall 2010

André Årnes, Tlf: 9166006

Page 2: Agenda

• Course overview
  – Objectives
  – Lectures and exams
  – Paper presentations
  – Project work
  – Curriculum
• Lecture
  – Introduction to digital forensics
  – Practical lab work

Page 3: Course Overview

Page 4: Course Objectives

• What is digital forensics?
• Central principles and methodology rather than standardized procedures
• Methods for
  – Evidence acquisition
  – Analysis
  – Reporting

Page 5: Focus and Disclaimer

• Feedback is most welcome, at all times.
• We will focus on the fundamental principles of digital forensics, as well as the practical side of the field.
• Practical work will focus on analysis and reconstructions in virtual environments.
• Consider the consequences of all experiments and don't do anything unethical (or illegal!). Also, don't trust unknown software: run untrusted software in isolated environments.

Page 6: Course Overview (Preliminary)

• Lecture 1, Introduction, 19.10.2010, Room K113 + A115
  – Chapter 1, Appendix B
• Lecture 2, File system analysis, 02.11.2010, Room K113 + A115
  – Chapters 2, 3, 4, 7, Appendix A
• Lecture 3, Live and remote forensics, 16.11.2010, Room A126 + A115
  – Chapters 5, 8
• Lecture 4, Evidence analysis, 30.11.2010, Room K113 + A115
  – Chapter 6
• Lecture 5, Selected topics and review, 07.12.2010, Room K113 + A115
  – Short project presentations
• Project deadline: 23:59 on Friday 10.12.2010
• Written exam: 21.12.2010

(Chapter numbers refer to Farmer and Venema, "Forensic Discovery"; see Curriculum I.)

Page 7: Project Work Requirements

• Assignments are marked and count for 50% of the mark (see the course information).
• Groups of 3 to 5 persons.
• The report can include theoretical and/or experimental work.
• IMT 3551 groups: standard project report.
• IMT 4012 groups: academic paper format.

Page 8: Project Requirements (cont'd)

• Document all assertions, back up claims and results, provide academic references, document the experimental setup, and focus on evidence integrity and forensic soundness.
• Plagiarism is not accepted. Ask if you have questions regarding quotations and citations.

Page 9: Project Work

Choose ONE of the following (or propose a new topic):

1. Acquiring evidence in the cloud: Perform a theoretical evaluation of acquiring evidence from a cloud service (e.g., Amazon EC2) and perform experiments as a proof of concept.
2. iPad forensics: Forensic analysis of the iPad (you need an iPad). Perform experiments and a forensic analysis of the evidence.
3. Internet Explorer 9 (beta): Perform experiments and a forensic analysis of the evidence.
4. log2timeline and SIMILE: Perform experiments, extract the timeline using log2timeline and visualize the results using SIMILE.
5. Android forensics: Perform experiments using an Android phone and/or the Android SDK to evaluate the availability and authenticity of evidence in Android.
6. Processing massive amounts of data: Perform a theoretical study of approaches to handling massive amounts of data in digital forensics cases. Present the results as a comparative study that benchmarks the methods against typical use cases.
7. Database forensics: Perform a survey of, and experiments with, state-of-the-art tools for database forensics, based on, e.g., PostgreSQL or Oracle DB.
8. Evidence authenticity: Evaluate security requirements and a security architecture for managing evidence and preserving evidence integrity and chain of custody. Consider the known collision attacks on popular hash algorithms (e.g., MD5).
9. Computational forensics: Evaluate computational methods to identify and analyse digital evidence (e.g., fuzzy search, statistical sampling).
10. Rights management: Forensic analysis of commercial-grade rights management systems, e.g., Microsoft Rights Management Services or Oracle Information Rights Management.

Page 10: Project Recommendations

• We request that all experiments (where possible) are performed in a sterile environment (a freshly built system containing nothing but what the experiment needs) and that the data set is preserved and handed in or made available online. We will use it as a data set for training and research in digital forensics.
• We appreciate innovation in experimental environments. The Amazon cloud and http://www.vmlogix.com/Screenshots/ are possible options. Remember not to do malware experiments in the cloud (!)
• Faculty at the forensics lab will nominate suitable papers for scientific publication. One IMT 3551 group is publishing at NISK 2010!

Page 11: What to cover in this course?

• Internet investigations?
• Network forensics?
• Device forensics?
• Video/audio/image forensics?
• Reverse engineering?
• Criminal investigations?
• Law and judicial issues?

Page 12: Curriculum I

• Dan Farmer and Wietse Venema, "Forensic Discovery", Addison-Wesley, 2005
  http://www.porcupine.org/forensics/forensic-discovery/
• Material covered in class

Page 13: Curriculum II – Presented Papers

• Five curriculum papers will be presented in class and are part of the course curriculum. The papers may change depending on your feedback, but the curriculum will be finalized by next class.

Curriculum papers:
1. Brian Carrier and Eugene Spafford, "An Event-Based Digital Forensic Investigation Framework", DFRWS 2004.
2. Eoghan Casey, "Error, Uncertainty, and Loss in Digital Evidence", International Journal of Digital Evidence, 2002.
3. Peter Gutmann, "Secure Deletion of Data from Magnetic and Solid-State Memory", USENIX Security Symposium, 1996.
4. Vrizlynn Thing, Kian-Yong Ng and Ee-Chien Chang, "Live Memory Forensics of Mobile Phones", DFRWS 2010.
5. Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields, "Forensic Investigation of Peer-to-Peer File Sharing Networks", DFRWS 2010.

Page 14: Presentations

• Each group presents one paper during lectures 2, 3 and 4. Each presentation will be ~15–20 minutes.
• The project will be presented on the last lecture day. Each presentation will be short (~10 minutes).

Lecture   Group          Paper
2         (two groups)   (one paper each)
3         (two groups)   (one paper each)
4         (one group)    (one paper)
5         All            Project

Page 15: Some Useful References

1. Brian Carrier, "File System Forensic Analysis", Addison-Wesley, 2005.
2. Keith J. Jones, Richard Bejtlich and Curtis W. Rose, "Real Digital Forensics: Computer Security and Incident Response", Addison-Wesley, 2006.
3. Inger Marie Sunde, "Lov og rett i Cyberspace", Fagbokforlaget, 2006.
4. US DOJ, "NIJ Special Report: Forensic Examination of Digital Evidence: A Guide for Law Enforcement".
5. ACPO, "Good Practice Guide for Computer Based Electronic Evidence".
6. Årnes, Haas, Vigna and Kemmerer, "Digital Forensic Reconstruction and the Virtual Security Testbed ViSe", Journal in Computer Virology, 2007.
7. The Honeynet Project, in particular the Scan of the Month and the forensic challenges.
8. Gladyshev and Patel, "Finite state machine approach to digital event reconstruction", Digital Investigation 1, 2004.
9. US DOJ, "NIJ Special Report: Investigations Involving the Internet and Computer Networks" (pages 1-27, excluding "legal considerations").

Page 16: Internet Bank Fraud (figure)

Page 17: Transaction Agents (figure)

Page 18: Before we get started …

• Choose groups (on Blackboard)
  – Choose a project number (or propose a project)
  – Choose a paper to present (talk to me if all 5 are taken)
• Talk to me if you're doing an MSc on digital/computational forensics
• Break!

Page 19: Lecture 1 – Introduction to Digital Forensics

Page 20: Terminology and Basic Principles

Page 21: Forensic Science

• The application of science and technology to investigate and establish facts of interest to criminal or civil courts of law. For example:
  – DNA analysis
  – Trace evidence analysis
  – Firearms ballistics
• Implies the use of scientific methodology to collect and analyse evidence. For example:
  – Statistics
  – Logical reasoning
  – Experiments

Page 22: Some Terminology

• Digital forensics
• Digital investigations
• Computer forensics
• Network forensics
• Internet investigations
• Computational forensics

Page 23: Investigation Process

Identification → Collection → Examination → Analysis → Reporting

• Identification: verification of the event
• Collection: evidence collection and acquisition
• Examination: preparation and examination
• Analysis: using scientific methods
• Reporting: documentation and presentation

Page 24: Digital Evidence

• We define digital evidence as any digital data that contains reliable information that supports or refutes a hypothesis about an incident.
• Evidence dynamics is any influence that changes, relocates, obscures or obliterates evidence, regardless of intent (the investigator's own actions included).

Page 25: Evidence Integrity

• Evidence integrity refers to the preservation of the evidence in its original form. This requirement applies both to the original evidence and to the image.
• Write-blockers ensure that the original is not changed, accidentally or intentionally, while it is being read:
  – Hardware (inline between the disk and the workstation)
  – Software (blocking write requests to the device in the operating system)
• In some cases evidence has to be changed during acquisition, e.g., when collecting from a running system; see the discussion of the order of volatility (OOV) below.

Page 26: Digital Fingerprints

• Purpose: prove that the evidence and the image are identical, using cryptographic hash algorithms.
• Input is a bit stream (e.g., a file, partition or disk); output is a fixed-length digest that serves as the signature of that data. Changing a single bit of the input changes the digest.
• Typical algorithms: MD5, SHA-1, SHA-256. A cryptographic hash is one-way (the input cannot be recovered from the digest) and, as long as the algorithm is unbroken, collision-resistant: it is infeasible to find two different inputs that produce the same digest.
• Caveat: MD5 collisions can be produced in practice and SHA-1 has known collision attacks (see Project 8), so record a SHA-256 alongside any MD5. These are collision attacks, not second-preimage attacks: nobody can craft a file that matches the MD5 of an existing evidence image, so MD5 still detects accidental or unsophisticated modification, but it cannot rule out that two files were prepared in advance to share a digest.

Page 27: Chain of Custody

• Chain of custody refers to the documentation of the acquisition, control, analysis and disposition of physical and electronic evidence: who had the evidence, when, and what was done to it.
• The documentation can include paper trails, laboratory information management systems, photographs, etc.
• Mechanisms:
  – Timestamps and hash values
  – Checklists and notes
  – Reports

Page 28: Forensic Soundness

• The term forensically sound methods and tools usually refers to methods and tools that adhere to best practice and legal requirements.
• A typical interpretation:
  – The source data is not altered in any way
  – Every bit is copied, including empty and unavailable space
  – No data is added to the image

Page 29: Order of Volatility (OOV)

• Collect the most volatile data first: this maximizes the chance of capturing data about the incident in question before it disappears.
• BUT: as you capture data in one part of the computer, you change data in another (the collection tool itself allocates memory, creates processes and updates access times).
• The Heisenberg principle of data gathering and system analysis (Farmer and Venema): it is not simply difficult to gather all the information on a computer, it is essentially impossible.

Page 30: Order of Volatility: Expected Lifetime of Data

Type of data                              Life span
Registers, peripheral memory, cache       nanoseconds
Main memory                               ten nanoseconds
Network state                             milliseconds
Running processes                         seconds
Disk                                      minutes
Floppies, backup media, etc.              years
CD-ROMs, DVDs, printouts, etc.            decades

(Farmer and Venema, Appendix B)
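The table above as a live-response procedure, as an added example that is not code from the slides or from Farmer and Venema: a POSIX shell collector that walks the categories most-volatile-first, writes each artifact to an evidence directory, hashes it the moment it is written and logs what was run and when, so the collection itself is documented before the next step disturbs more state. GNU coreutils (sha256sum, date -u) are assumed; the probe commands (ss, ip, ps, who, mount, uname) are assumptions about a typical Linux host, and any that is missing is skipped and the skip logged rather than aborting the collection.

```shell
#!/bin/sh
# Added example (not from the slides): live collection ordered by volatility,
# with every artifact hashed and logged as soon as it is written.
# Assumes GNU coreutils; each probe command is skipped, and the skip logged,
# when it is not installed.

# Most-volatile first. Registers, cache and RAM cannot be copied by a userland
# script (RAM needs a dedicated imaging tool), so the list starts at network
# state and moves towards data that lives for minutes or longer.
# Line format: artifact-name|command and arguments (no shell quoting needed).
# Prints the number of artifacts collected.
oov_collect() {
    out=$1
    mkdir -p "$out"
    : > "$out/collection.log"
    : > "$out/manifest.sha256"
    n=0
    while IFS='|' read -r name cmd; do
        [ -n "$name" ] || continue
        set -- $cmd                              # split the command into words
        stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
        if ! command -v "$1" >/dev/null 2>&1; then
            printf '%s SKIP %s (%s not installed)\n' "$stamp" "$name" "$1" >> "$out/collection.log"
            continue
        fi
        "$@" > "$out/$name.txt" 2>&1 || true     # a failing probe must not stop the run
        ( cd "$out" && sha256sum "$name.txt" >> manifest.sha256 )
        printf '%s OK   %s: %s\n' "$stamp" "$name" "$cmd" >> "$out/collection.log"
        n=$((n + 1))
    done <<'EOF'
00-clock|date -u +%Y-%m-%dT%H:%M:%SZ
01-uptime|uptime
02-sockets|ss -tanpu
03-arp-cache|ip neigh
04-routes|ip route
05-processes|ps -eo pid,ppid,user,lstart,etime,cmd
06-logins|who
07-mounts|mount
08-kernel|uname -a
EOF
    echo "$n"
}

# Re-check every collected artifact against the manifest; exit 0 only if all
# digests still match (use this whenever the evidence directory changes hands).
oov_verify() {
    ( cd "$1" && sha256sum -c manifest.sha256 >/dev/null )
}

if [ "${1:-}" = run ]; then
    dir=${2:-./live-$(date -u +%Y%m%dT%H%M%SZ)}
    count=$(oov_collect "$dir")
    oov_verify "$dir" && echo "collected $count artifacts into $dir, manifest verified"
fi
```

Run it as `sh oov.sh run /mnt/evidence/host1` from a removable medium, not from the suspect disk, and record the manifest digest itself in your notes: the manifest is what later proves the collected artifacts have not changed, and the clock entry at the top is what ties the host's time to your own.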

Page 31: Dual-tool Verification

• Verification of analysis results by independently performing the analysis with two or more distinct forensic tools.
• The purpose of this principle is to identify human and software errors in order to assure repeatability of results.
• The tools should ideally be produced by different organizations/programmers, so that they do not share the same code and hence the same bugs.

Page 32: ACPO Principles (ACPO p. 6)

1. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
2. In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same results.
4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

Page 33: Abstraction Layers

Sleuth Kit abstraction layers (with the TSK tools that operate at each layer):
• File system layer tools (fsstat)
• Data (content) layer tools (blkcat, blkls, blkstat; named dcat, dls, dstat in TSK 2.x)
• Metadata layer tools (istat, icat, ifind, ils)
• Human interface (file name) layer (fls, ffind)
• Journal layer (jls, jcat)
• Media management (volume) layer (mmls, mmstat)
• Disk layer (disk_stat, disk_sreset, for detecting and removing a host protected area)

Farmer and Venema p. 9: (figure)

Page 34: Analysis

• Unusual activity stands out, e.g.:
  – Location in the file system
  – Timestamps (most files are rarely used, so the few recently accessed or modified files are worth a look)
• Fossilization of deleted data: deleted content persists in unallocated space until it is overwritten
• Turing test of computer forensic analysis
• Digital archaeology (the direct effects of user activity) vs. digital geology (the autonomous processes of the system that users do not control)

Page 35: Virtualization

• Virtualization can be used to perform dynamic testing of evidence and to perform forensic reconstruction experiments. Images of seized evidence can be booted in virtual environments for dynamic analysis.
• It is possible to detect the presence of a virtualization environment. This is seen in malware and in proof-of-concept code (e.g., "red pill"), so software that behaves differently under a hypervisor may not show in the virtual machine what it did on the original host.
• Be careful to isolate the testbed properly, in particular if you suspect that you are dealing with malware!

Page 36: Crime Scene Reconstructions

• Method to determine the most probable hypothesis or sequence of events by applying the scientific method to interpret the events that surround the commission of a crime:
  – State the problem
  – Form a hypothesis
  – Collect data
  – Test the hypotheses
  – Follow up on promising hypotheses
  – Draw conclusions supported by admissible evidence

Page 37: Digital Reconstructions

• Digital crime scene reconstructions can be tested experimentally in testbeds:
  – physical,
  – virtual, or
  – simulated.

Page 38: Investigation Process

Identification → Collection → Examination → Analysis → Reporting

• Identification: verification of the event
• Collection: evidence collection and acquisition
• Examination: preparation and examination
• Analysis: using scientific methods
• Reporting: documentation and presentation

Evidence integrity and chain of custody apply across all phases.

Page 39: Our First Toolkit

Page 40: Acquisition Tools

• Acquisition tools image or copy evidence.
• Focus should always be on preserving evidence integrity. Integrity should be verified after acquisition with hash algorithms: hash the source and the image and compare the digests.
• dd and dcfldd examples:
  – dd if=/dev/hda of=/mnt/evidence/hda.dd
  – dcfldd if=/dev/hda of=/mnt/evidence/hda.dd
  In practice add conv=noerror,sync so that an unreadable sector is zero-filled instead of aborting the image (and note the affected sectors in your log); dcfldd can also hash the data while it copies (hash=md5,sha256 hashlog=...).
• Commercial tool examples:
  – EnCase
  – FTK Imager Lite

Page 41: The Coroner's Toolkit (TCT)

• A collection of forensic utilities written by Wietse Venema and Dan Farmer, released in 2000 on the authors' web sites.
• The toolkit contains tools for post-mortem analysis of compromised Unix systems.
• It includes, e.g.:
  – grave-robber: data gathering tool
  – unrm and lazarus: data recovery tools
  – mactime: orders files and directories chronologically according to their timestamps (m = modified, a = accessed, c = inode changed)
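The idea behind mactime, and behind the timestamp heuristic on the Analysis slide (page 34), reduced to its core as an added example; this is not TCT's code and not from the slides. It turns every file's m, a and c timestamps into one event per line and sorts them, so the handful of files touched during an incident window stand out against the mass of files that are never used after installation. GNU findutils and coreutils (stat --printf, date -d) are assumed; the directory argument would normally be a read-only mount of an image, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the slides or from TCT): a minimal mactime-style
# timeline built from the m (modified), a (accessed) and c (inode changed)
# timestamps of every file under a directory. Assumes GNU findutils and
# coreutils. Output: "<epoch> <flag> <path>", oldest first.

# Raw, sortable timeline: numeric sort on the epoch, then on the flag so that
# the a/c/m events of one file appear in a stable order.
timeline_raw() {
    find "$1" -type f -exec stat --printf='%Y m %n\n%X a %n\n%Z c %n\n' {} + |
        sort -k1,1n -k2,2
}

# Human-readable timeline in UTC. Keep every clock in one time zone: a
# reconstruction that mixes local and UTC times is a classic source of error.
timeline() {
    timeline_raw "$1" | while read -r ts flag path; do
        printf '%s %s %s\n' "$(date -u -d "@$ts" +%Y-%m-%dT%H:%M:%SZ)" "$flag" "$path"
    done
}

# Only the events inside an incident window [FROM, TO], given as epoch seconds.
timeline_between() {
    timeline_raw "$1" | awk -v from="$2" -v to="$3" '$1 >= from && $1 <= to'
}

if [ "${1:-}" = run ]; then
    timeline "${2:-.}"
fi
```

Remember that the c time cannot be set with touch and so survives the usual timestamp tampering, and that merely listing a directory on a read-write mount updates access times; mount images with -o ro (and, where supported, noatime) before running this.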

Page 42: Sleuth Kit and Autopsy

• The Sleuth Kit (TSK) is built on TCT, runs on both Unix and Windows platforms, and contains 27 specialized command line tools.
• Autopsy is an integrated graphical user interface for the Sleuth Kit. It supports acquisition and analysis, as well as case management, evidence integrity verification and logging.

Page 43: Ubuntu 10.04

• Boot from the CD to install and run Ubuntu
• Forensic tools are easily installed:
  – sudo apt-get install tct
  – sudo apt-get install sleuthkit
  – sudo apt-get install autopsy
  – sudo autopsy
  (autopsy starts a local web server; open the URL it prints, http://localhost:9999/autopsy, in a browser)

Page 44: Helix

• Boot CD for incident response and digital forensics by e-fense
  – http://www.e-fense.com/helix/
• Contains many tools, e.g.:
  – Autopsy, TCT, Sleuth Kit, foremost
  – Wireshark, tcpdump
  – ClamAV, F-Prot, chkrootkit
  – and more …
• No longer free / open source

Page 45: Virtualization Tools

• We need a tool for running virtual hosts:
  – Mount and analyse the image off-line
• Snapshots freeze system states and are useful for event chain analysis
• Some examples:
  – VMware Workstation – the most used tool for forensics
  – Amazon EC2 – virtualization in the cloud (not free)
  – VirtualBox – free version available
  – Xen – free version available
  – Virtual PC – free version available
  – Parallels – for Mac

Page 46: VMware and VMware Snapshots

• VMware emulates a PC and runs virtual guest operating systems such as Windows XP and Linux.
• Through the use of VMware snapshots, one can build a tree of system configurations that are based on a common root system (base image).
• One can easily revert to a snapshot and make a new branch with a new configuration.
• The "full clone" function can be used to write a full disk image for analysis based on a snapshot.


Page 49: Summary

• Basic principles
  – Forensic science
  – Methodology
  – Digital evidence
  – Evidence integrity
  – Cryptographic hashes
  – Chain of custody
  – Order of volatility
  – Layers of abstraction
  – Reconstructions
  – Virtualization
  – ACPO
• Our first toolkit
  – dd and dcfldd
  – TCT
  – Sleuth Kit
  – Autopsy
  – Ubuntu
  – VMware

Page 50: Lab 1

Page 51: Rules of the Lab Exercises

• The labs are fairly open and you are free to select both environment and tools. There is no mandatory hand-in or grading of the lab.
• The lab exercises do require some Linux and virtualization literacy: work together in teams!
• Use the lab time to discuss project work and discuss drafts.

Page 52: Objectives

• Objectives: get familiar with
  – the laboratory environment
  – forensic tools
• Tools
  – VMware (or Amazon EC2 or another virtualization tool)
  – Ubuntu (or Helix)
• "Evidence"
  – Honeynet Scan of the Month 24 and 26
  – http://www.honeynet.org/scans/index.html
• Take detailed notes and remember
  – Evidence integrity
  – Chain of custody

Page 53: Tasks

1. Install VMware Workstation on your laptop.
2. Install Ubuntu as a virtual machine and install tct, sleuthkit and autopsy.
3. Read the Scan of the Month 24 challenge and the police report.
4. Boot Ubuntu in VMware.
5. Image the evidence:
   • Virtually mount the floppy image for "Scan24" in VMware.
   • Use dd or dcfldd to image the evidence to a file.
   • Verify the image hash with the md5sum command (record a SHA-256 as well).
6. Analyse the image:
   • Using Autopsy.
   • You can also mount the image read-only (mount -o ro,loop,noexec image.dd /mnt/scan24) and use standard Linux tools.
7. Report your findings in your notes:
   • Document chain of custody and evidence integrity.
   • Detailed notes of settings, actions, etc.
   • Screenshots are useful.
8. Optional: continue the analysis with the Scan26 floppy image.
9. Optional: send the report to the teacher by email for feedback and evaluation (not graded).
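Lab task 5 worked through in one script, as an added example that is not code from the slides and not from dd, dcfldd or TCT; it also covers what the Acquisition Tools (page 40), Digital Fingerprints (page 26), Chain of Custody (page 27) and Dual-tool Verification (page 31) slides ask for. It images a source with dd, proves that image and source agree under both MD5 and SHA-256, recomputes the image's SHA-256 with an independently written implementation, and appends a chain-of-custody record. GNU coreutils (dd, md5sum, sha256sum, stat) and OpenSSL are assumed; the parameters SRC, DST, OPERATOR and LOG, the function names and the log format are mine. For a physical disk, attach it through a hardware write-blocker and pass the device node as SRC, as the slide's /dev/hda example does.

```shell
#!/bin/sh
# Added example (not from the slides): image a source with dd, verify the
# image against the source with two hash algorithms, re-check the image with a
# second hash implementation, and append a chain-of-custody record.
# Assumes GNU coreutils and, for the second tool, OpenSSL.

# "md5 sha256" of a file. dcfldd's hash=md5,sha256 computes both while copying;
# plain dd cannot, so the source is read a second time here for hashing.
hashes() {
    printf '%s %s\n' "$(md5sum < "$1" | cut -d' ' -f1)" "$(sha256sum < "$1" | cut -d' ' -f1)"
}

# acquire SRC DST OPERATOR LOG -> exit 0 only if every check agrees.
acquire() {
    src=$1 dst=$2 who=$3 log=$4
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # noerror: continue past unreadable sectors; sync: zero-fill them so that
    # every offset in the image still maps to the same offset on the source.
    # bs=512 limits that padding to one sector; a larger bs zero-fills a whole
    # block per error and pads the tail of a source whose size is not a
    # multiple of bs, which changes the image hash.
    dd_report=$(dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>&1)
    end=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    set -- $(hashes "$src"); src_md5=$1 src_sha=$2
    set -- $(hashes "$dst"); img_md5=$1 img_sha=$2
    # Dual-tool check: an independently written SHA-256 over the image.
    if command -v openssl >/dev/null 2>&1; then
        alt_sha=$(openssl dgst -sha256 -r "$dst" | cut -d' ' -f1)
    else
        alt_sha=$img_sha        # no second tool available; the log records that
    fi
    result=VERIFIED
    [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ] && [ "$img_sha" = "$alt_sha" ] || result=MISMATCH

    {
        printf 'ACQUISITION operator=%s start=%s end=%s tool="dd bs=512 conv=noerror,sync"\n' "$who" "$start" "$end"
        printf '  source=%s size=%s md5=%s sha256=%s\n' "$src" "$(stat -c %s "$src")" "$src_md5" "$src_sha"
        printf '  image=%s size=%s md5=%s sha256=%s\n' "$dst" "$(stat -c %s "$dst")" "$img_md5" "$img_sha"
        printf '  second-tool=%s sha256=%s result=%s\n' "$(command -v openssl || echo none)" "$alt_sha" "$result"
        printf '%s\n' "$dd_report" | sed 's/^/  dd: /'   # records in/out reveal read errors
    } >> "$log"
    [ "$result" = VERIFIED ]
}

# Later re-verification, e.g. before analysis or when custody changes hands:
# verify_image IMAGE EXPECTED_SHA256 -> exit 0 if the image is still intact.
verify_image() {
    [ "$(sha256sum < "$1" | cut -d' ' -f1)" = "$2" ]
}

if [ "${1:-}" = run ]; then
    acquire "$2" "$3" "${4:-$(id -un)}" "${5:-custody.log}" && echo "image verified, see ${5:-custody.log}"
fi
```

For the lab, `sh acquire.sh run /dev/fd0 /mnt/evidence/scan24.dd yourname notes/custody.log` (the floppy device in the VM is an assumption; check with dmesg) gives you the two digests to copy into your notes, and `verify_image` is what you run again after Autopsy has finished, to show that analysis did not touch the image. The dd record counts in the log are not decoration: a difference between records in and records out is the only trace that conv=noerror,sync left zero-filled sectors in the image.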