Ph.D. thesis presentation
Methods and Instruments for the New Digital Forensics Environments
Mario Piccinelli
Ph.D. Candidate in Computer Sciences
University of Brescia, dept. of Information Engineering
April 10, 2014
Digital Forensics
Branch of forensic science that studies the identification, extraction and analysis of digital data for use in a court of law.
From Computer Forensics...
In the beginning (from the 80s until now) it was all about (Personal) Computers.
They were all (almost) alike, and there were plenty of standard tools.
...to Digital Forensics
In the last 5-10 years everything began to store digital data.
A variegated World
Digital Forensics in the Wild
Field skills: acquisition, analysis, reporting, evidence handling, use of specific tools, ...
Theoretical knowledge: cryptography, filesystem structures, communication protocols, ...
Digital Forensics Research
Research topics: iPhone Forensics, eBook Reader Forensics, Voyage Data Recorder Forensics
What do these devices have in common?
• Modern devices which contain digital data
• Their data could be required during an investigation
• No consolidated literature about them
The rationale behind this thesis is the ever-growing need to perform digital investigations on devices and systems that have not already been studied from this point of view.
iOS Forensics
What can we find in an iOS device and how can we bring it to a court...
iOS Forensics: why?
Mobile and tablet worldwide market share of operating system usage for November 2013. Net Market Share collects browser data from a worldwide network of over 40,000 websites. (Credit: Net Market Share)
iOS Forensics: issues
There is no simple way to extract data from an iOS device.
• No easy way to access its contents without jailbreaking (which, by the way, we can’t).
• Encrypted filesystem (HFS+)
• Not sharing anything with the rest of the world
• No debug interfaces
iOS Forensics: the backup
Easiest way to peek inside the filesystem: the backup system (iOS Backup Feature).
Backup folders (device ID)
Manifest files
Everything else...
iOS Forensics: decoding the backup (manifest.mbdb)
iOS Forensics: hierarchy
Backup files are organized in a hierarchy, the first level of it being the «Domain»:
• Media domain: media files, MMS attachments, …
• Keychain domain: account data and encrypted passwords, …
• Home domain: data for standard apps (contacts, mail client, calendars, …)
• Wireless domain: data about the telephone system (call logs, connection logs, …)
• …
iOS Forensics: file types
PLIST files (plain text and binary), SQLite files, ASCII files, data files, media files
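The slides name manifest.mbdb as the index that has to be decoded before the backup hierarchy makes sense. The following is an added example, not iPBA2's own code: a minimal decoder for that index which lists each backed-up file with its domain, its relative path, the first-level category of the hierarchy it belongs to, and the SHA-1 name under which the file is stored in the backup folder. The record layout used (6-byte "mbdb\x05\x00" header, length-prefixed strings, big-endian integers) is the publicly documented one for backups of this era and is stated here as an assumption; the sample index, the AppDomain-com.example.notes entry and the file sizes are constructed inline so the example runs offline.

```python
import hashlib
import io
import stat
import struct

# Added example, not iPBA2 code. Assumed record layout (publicly documented for
# backups of this era): 6-byte header "mbdb\x05\x00", then per file five
# length-prefixed strings (domain, path, link target, data hash, encryption key;
# a length of 0xFFFF means "absent"), followed by big-endian mode (u16), inode
# (u64), uid, gid, mtime, atime, ctime (u32), size (u64), flag (u8) and a
# property count (u8) with that many name/value string pairs.

MBDB_MAGIC = b"mbdb\x05\x00"

# First-level «domains» of the backup hierarchy, as listed on the slides
# (AppDomain-<bundle id> is the naming used for third-party apps).
DOMAIN_KINDS = {
    "MediaDomain": "media files, MMS attachments",
    "KeychainDomain": "account data and encrypted passwords",
    "HomeDomain": "data for standard apps",
    "WirelessDomain": "telephone system data (call logs, connection logs)",
    "AppDomain": "third-party application data",
}


def backup_filename(domain: str, path: str) -> str:
    """A backed-up file is stored under the SHA-1 of "<domain>-<relative path>"."""
    return hashlib.sha1(f"{domain}-{path}".encode("utf-8")).hexdigest()


def domain_kind(domain: str) -> str:
    """Category of the hierarchy a record belongs to, from its domain name."""
    return DOMAIN_KINDS.get(domain.split("-", 1)[0], "unknown domain")


def _read_blob(f: io.BytesIO) -> bytes:
    (length,) = struct.unpack(">H", f.read(2))
    return b"" if length == 0xFFFF else f.read(length)


def parse_mbdb(data: bytes) -> list:
    """Decode every record of a Manifest.mbdb blob into a dict."""
    f = io.BytesIO(data)
    if f.read(len(MBDB_MAGIC)) != MBDB_MAGIC:
        raise ValueError("not a Manifest.mbdb index")
    records = []
    while f.tell() < len(data):
        domain = _read_blob(f).decode("utf-8")
        path = _read_blob(f).decode("utf-8")
        linktarget = _read_blob(f).decode("utf-8")
        datahash = _read_blob(f)            # SHA-1 of the content, or empty
        _read_blob(f)                       # encryption key blob, not needed here
        (mode, inode, uid, gid, mtime, atime, ctime,
         size, flag, nprops) = struct.unpack(">HQIIIIIQBB", f.read(40))
        props = {}
        for _ in range(nprops):
            name = _read_blob(f).decode("utf-8", "replace")
            props[name] = _read_blob(f)
        records.append({
            "domain": domain, "path": path, "linktarget": linktarget,
            "datahash": datahash.hex(), "mode": mode, "inode": inode,
            "uid": uid, "gid": gid, "mtime": mtime, "atime": atime,
            "ctime": ctime, "size": size, "flag": flag, "props": props,
            "kind": ("dir" if stat.S_ISDIR(mode)
                     else "link" if stat.S_ISLNK(mode) else "file"),
            "backup_name": backup_filename(domain, path),
        })
    return records


# --- constructed sample index, built here so the example runs offline --------
def _blob(value) -> bytes:
    return b"\xff\xff" if value is None else struct.pack(">H", len(value)) + value


def _record(domain: str, path: str, mode: int, size: int, ts: int) -> bytes:
    head = b"".join(_blob(v) for v in (domain.encode(), path.encode(), None, None, None))
    return head + struct.pack(">HQIIIIIQBB", mode, 1234, 501, 501, ts, ts, ts, size, 0, 0)


SAMPLE_MBDB = MBDB_MAGIC + b"".join([
    _record("HomeDomain", "Library/SMS", stat.S_IFDIR | 0o755, 0, 1326483600),
    _record("HomeDomain", "Library/SMS/sms.db", stat.S_IFREG | 0o644, 4096, 1326483600),
    _record("AppDomain-com.example.notes", "Documents/notes.txt", stat.S_IFREG | 0o644, 12, 1326483600),
])

if __name__ == "__main__":
    for rec in parse_mbdb(SAMPLE_MBDB):
        print(f'{rec["backup_name"]}  {rec["kind"]:4}  {rec["domain"]}/{rec["path"]}'
              f'  ({domain_kind(rec["domain"])})')
```

Running the block prints one line per record; the sms.db entry resolves to the well-known backup name 3d0d7e5fb2ce288813306e4d4636395e047a3d28, which is how an analyst maps an opaque hash-named file in the backup folder back to a domain and path without opening it.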
iOS Forensics: apps data
Installed applications’ data is stored in the «Apps» domain (for third party applications) or in the «Home» domain (for standard ones). The hierarchy of each application’s folder follows a standard structure.
Strong integration with WebKit offline storage.
iOS Forensics: sample data
Sample application data: SMS application
Localization data (prior to iOS 5)
Thumbnails: generated from the media gallery for fast visualization
Address book data (Home domain)
Knowing about the data location and structure is the first step.
Next step: making it easily usable for the ones who need it.
iOS Forensics: iPBA2
iPBA2 is a tool developed to study the backup content and make it easier to understand for practitioners.
Right now it is the only complete open source suite for analysing iOS backup data, and it is used by both researchers and practitioners from all over the world.
http://www.ipbackupanalyzer.com
iPBA2 framework plugins
eBook Reader Forensics
Why an eBook reader is not worthless in a forensics context…
eBook Reader Forensics: why?
• Because it is a widely used digital device.
• Because it holds digital data.
• Because no piece of data can be deemed «worthless» in advance during an investigation.
• Because almost any practitioner says it’s worthless… which by the way it’s not.
Locard’s exchange principle
"Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. […]"
Forensic profiling
Forensic profiling refers to the study and exploitation of traces in order to draw a profile relevant to the investigation about criminal or litigious activities.
While traces may not be strictly dedicated to a court use, they may increase knowledge of the subject under investigation.
eBook Forensics: a sample device
For our research, we chose a widely available modern device, the PRS-650 by Sony. Of course, many of our results can probably be achieved after further studies also with different devices from different vendors.
• E-paper display (6 inches, 800x600).
• Resistive touchscreen.
• 5 buttons.
• MontaVista Linux.
• 2GB internal flash memory.
• Removable SDHC and Memory Stick PRO Duo.
eBook Reader Forensics: what’s inside?
Books, documents, images, audio files.
Annotations. Current position of documents. Bookmarks. Notes (written and audio). Dictionary lookups. Last reading of a document. Pages read for each document.
Everything has a timestamp!
eBook Forensics: sample data
We can access the main storage through the USB storage interface.
For the whole device...
For each document…
Freehand annotations («Thumbnails» folder)
For each document:
• current position (page)
• timestamp of the last access
For each document:
• history of the last 100 page turns, with page number and timestamp.
eBook Forensics: collecting data
To perform the analysis, we built a Python script which parses cache.xml, media.xml and cacheExt.xml and builds a graph of the interactions between the user and the device.
The script extracts the timestamps and produces a data file with all the timestamps found, to be plotted on a timeline.
http://github.com/PicciMario/Sony-Ebook-Reader-Time-Profiler
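The slides describe the collection step (parse the reader's XML caches, pull out every timestamp, write a data file for the timeline) without showing the code. What follows is an added example and not the Sony-Ebook-Reader-Time-Profiler script itself: the real cache.xml / media.xml / cacheExt.xml schemas are not reproduced, the element and attribute names in the sample XML are constructed stand-ins, and timestamps are assumed to be ISO-8601. To stay useful on a proprietary format whose schema is unknown at the start of an analysis, the harvesting is schema-agnostic: any attribute that parses as a timestamp becomes an event attached to the nearest enclosing element that carries an id. It goes one step beyond the slide by also grouping page events into reading sessions, which is what the "ten-minute span" plot on the results slide is looking at.

```python
import csv
import datetime
import io
import re
import xml.etree.ElementTree as ET

# Added example; not the Sony-Ebook-Reader-Time-Profiler script. The element and
# attribute names below are constructed stand-ins for the reader's real caches,
# and timestamps are assumed to be ISO-8601.

ISO_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}")

SAMPLE_CACHE_XML = """<cache>
  <text id="12" title="Book A" added="2012-01-10T17:30:00Z">
    <current page="57" date="2012-01-13T20:41:03Z"/>
    <history>
      <turn page="50" date="2012-01-13T18:02:10Z"/>
      <turn page="51" date="2012-01-13T18:03:42Z"/>
      <turn page="52" date="2012-01-13T18:05:05Z"/>
      <turn page="55" date="2012-01-13T20:38:10Z"/>
      <turn page="56" date="2012-01-13T20:39:41Z"/>
      <turn page="57" date="2012-01-13T20:41:03Z"/>
    </history>
  </text>
  <text id="31" title="Book B" added="2012-01-11T08:00:00Z">
    <current page="3" date="2012-01-12T09:20:30Z"/>
    <history>
      <turn page="2" date="2012-01-12T09:18:02Z"/>
      <turn page="3" date="2012-01-12T09:20:30Z"/>
    </history>
  </text>
</cache>
"""


def _parse_ts(value: str):
    """Aware datetime if value is an ISO-8601 timestamp, else None."""
    if not ISO_RE.match(value):
        return None
    try:
        ts = datetime.datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=datetime.timezone.utc)


def harvest_events(xml_text: str) -> list:
    """Every timestamp attribute in the tree becomes one event, sorted by time."""
    events = []

    def walk(elem, doc_id):
        doc_id = elem.attrib.get("id", doc_id)      # nearest ancestor with an id
        for name, value in elem.attrib.items():
            ts = _parse_ts(value)
            if ts is not None:
                events.append({"time": ts, "doc": doc_id,
                               "event": f"{elem.tag}.{name}",
                               "page": elem.attrib.get("page")})
        for child in elem:
            walk(child, doc_id)

    walk(ET.fromstring(xml_text), None)
    events.sort(key=lambda e: e["time"])       # stable: ties keep document order
    return events


def timeline_csv(events: list) -> str:
    """Flat data file for plotting: x = time, y = document id."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["time", "doc", "event", "page"])
    for e in events:
        writer.writerow([e["time"].isoformat(), e["doc"], e["event"], e["page"] or ""])
    return buf.getvalue()


def reading_sessions(events: list, gap_minutes: int = 10) -> list:
    """Group page events per document into sessions split by silences > gap_minutes."""
    gap = datetime.timedelta(minutes=gap_minutes)
    by_doc = {}
    for e in events:
        if e["page"] is not None:
            by_doc.setdefault(e["doc"], []).append(e)
    sessions = []
    for doc, evs in by_doc.items():
        run = [evs[0]]
        for e in evs[1:]:
            if e["time"] - run[-1]["time"] > gap:
                sessions.append(_session(doc, run))
                run = [e]
            else:
                run.append(e)
        sessions.append(_session(doc, run))
    sessions.sort(key=lambda s: s["start"])
    return sessions


def _session(doc, evs):
    pages = []
    for e in evs:                              # drop consecutive duplicate pages
        if not pages or pages[-1] != int(e["page"]):
            pages.append(int(e["page"]))
    return {"doc": doc, "start": evs[0]["time"], "end": evs[-1]["time"], "pages": pages}


if __name__ == "__main__":
    evs = harvest_events(SAMPLE_CACHE_XML)
    print(timeline_csv(evs))
    for s in reading_sessions(evs):
        print(s["doc"], s["start"].isoformat(), s["end"].isoformat(), s["pages"])
```

The CSV is the "data file with all the timestamps found" of the slide; the session list is the kind of aggregate that supports or contradicts a stated timeline (the constructed sample yields one session for Book B and two for Book A, separated by a gap of more than two hours).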
eBook Forensics: sample results
eBook reader usage in a two-month time span.
• X axis: time
• Y axis: ID of the document involved
Usage of the reader in a ten-minute span, for a single book.
• X axis: time
eBook Forensics: conclusions
Virtually every action performed on the device is logged.
It is possible to build a forensically sound timeline.
The evidence gathered this way could be used in court to:
◦ Draw a behavioural profile of a suspected offender.
◦ Support or deny an alibi.
◦ Provide additional useful information about the owner.
Voyage Data Recorder Forensics
Digital data in a naval accident
What does a Computer Forensics expert do on a modern ship?
Digital devices at sea
So many digital devices! GPS, ship automation, echo sounder, compass, NAPA, radar... and much more.
Voyage Data Recorder
The Voyage Data Recorder (VDR) is a mandatory device for all medium-to-big sized modern ships. Its job is to keep a record of ship data to be used in an accident investigation.
VDR Forensics: data sources
• Position, speed, heading
• Date and time
• Radar plot
• Audio from bridge and VHF
• Sonar depth
• Hull openings (watertight doors, fire doors)
• Rudder position, propellers speed
• Meteo station data (wind, ...)
• Onboard alarms
• ...
Data collecting unit
An industrial computer which collects all data and temporarily stores it on a magnetic disk.
Final Recording Medium
A rugged box containing a solid-state memory, designed to survive a catastrophic accident and be recovered for further investigations.
VDR Forensics: the Costa Concordia shipwreck case
VDR Forensics
Starting point: the complete copy of the internal disk of the data collecting unit.
No previous knowledge (all proprietary data).
Analysis of the disk structure: partition scheme, mounting the partition, partition content.
Analysis of the disk content: the «frame» directory (unknown data files); extraction of an image from the data file.
The same goes for the «NMEA» directory: ∼800 MB of ASCII data in NMEA format.
VDR Forensics: NMEA protocol
NMEA 0183 is a data exchange protocol used primarily in the navigation field. It is the preferred way to exchange data between navigational aids.
NMEA sentence:
$PREFIX,data0,data1,…,dataN*CHECKSUM
• $: starting character.
• PREFIX: origin and type of data
  • First 2 characters: originating device
  • Other 3 characters: type of sentence
• Checksum: 2-digit hex XOR of the sentence (all the characters between $ and *).
NMEA sentences are standard, but vendors are allowed to add custom ones for specific purposes.
VDR Forensics
Timestamp: Unix time = 4F 10 88 90 (hex) = 1’326’483’600 (dec) = Jan 13, 2012 @ 19:40:00 UTC = Jan 13, 2012 @ 20:40:00 local time (UTC+1)
Example of standard sentence: $RAZDA,194001.00,13,01,2012,-01,*41
• RA: origin (radar)
• ZDA: date and time
• 194001.00: time
• 13,01,2012: date
• -01: difference between local time and UTC
• *41: checksum
Example of non-standard sentence: $PSWTD,07,C----,*34
• P: non-standard prefix
• S: vendor (Seanet)
• WTD: watertight doors
• 07: door number
• C----: door status (closed, no warnings)
• *34: checksum
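The NMEA description, the Unix-time example and the two worked sentences above are enough to write the first tool the slides call for: a parser that verifies each sentence's checksum before anything is decoded from it. The block below is an added example, not the thesis tooling. It follows the slide's layout ($, prefix, comma-separated fields, *, two hex digits), computes the checksum as the XOR of every character between $ and *, splits the proprietary prefix the way the slide reads it (P, vendor letter, sentence type), and takes the sign convention of the ZDA zone field from the slide's own numbers (-01 with local time = UTC+1); both of those readings are assumptions carried over from the slide rather than from the NMEA specification. The radar ZDA sentence verifies exactly as printed. The door sentence as printed on the slide does not match its *34 (its fields were evidently shortened for the slide), so the parser lists it as rejected; a constructed copy with a recomputed checksum and a constructed "door 8 open" sentence are included alongside it.

```python
import datetime
import struct

# Added example, not the thesis tooling. Assumptions carried over from the
# slide: checksum = XOR of every character between "$" and "*"; proprietary
# prefix = "P" + vendor letter + sentence type; ZDA zone field "-01" goes with
# local time = UTC+1.


def nmea_checksum(body: str) -> int:
    """XOR of all characters between '$' and '*'."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs


def parse_sentence(line: str) -> dict:
    """Split one sentence into prefix and fields and verify its checksum."""
    line = line.strip()
    if not line.startswith("$") or "*" not in line:
        raise ValueError(f"malformed sentence: {line!r}")
    body, _, cs_text = line[1:].partition("*")
    fields = body.split(",")
    prefix = fields[0]
    proprietary = prefix.startswith("P")
    actual = nmea_checksum(body)
    try:
        expected = int(cs_text[:2], 16)
    except ValueError:
        expected = -1                     # unparsable checksum counts as a failure
    return {
        "prefix": prefix,
        "proprietary": proprietary,
        "origin": prefix[1:2] if proprietary else prefix[:2],   # vendor letter / talker
        "type": prefix[2:],                                     # ZDA, WTD, ...
        "fields": fields[1:],
        "checksum_ok": actual == expected,
        "checksum_actual": actual,
        "checksum_expected": expected,
    }


def decode_zda(fields: list) -> tuple:
    """ZDA payload: hhmmss.ss, day, month, year, zone hours. Returns (utc, local)."""
    hms, day, month, year, zone = fields[:5]
    utc = datetime.datetime(int(year), int(month), int(day),
                            int(hms[0:2]), int(hms[2:4]), int(float(hms[4:])),
                            tzinfo=datetime.timezone.utc)
    # Slide: "-01" is the difference between local time and UTC, local being UTC+1
    local = utc - datetime.timedelta(hours=int(zone))
    return utc, local


def decode_wtd(fields: list) -> dict:
    """Seanet watertight-door payload: door number, status flags (C = closed, O = open)."""
    door, status = fields[0], fields[1]
    state = {"C": "closed", "O": "open"}.get(status[:1], "unknown")
    return {"door": int(door), "state": state, "raw_status": status}


def decode_unix_timestamp(raw: bytes) -> datetime.datetime:
    """Big-endian 32-bit Unix time, as shown for the recorder's binary frames."""
    (seconds,) = struct.unpack(">I", raw)
    return datetime.datetime.fromtimestamp(seconds, tz=datetime.timezone.utc)


DECODERS = {"ZDA": decode_zda, "WTD": decode_wtd}


def process_log(lines) -> tuple:
    """Return (accepted, rejected): decoded sentences vs. those failing the checksum."""
    accepted, rejected = [], []
    for line in lines:
        if not line.strip():
            continue
        parsed = parse_sentence(line)
        if not parsed["checksum_ok"]:
            rejected.append(parsed)       # never decode data that failed integrity
            continue
        decoder = DECODERS.get(parsed["type"])
        parsed["decoded"] = decoder(parsed["fields"]) if decoder else None
        accepted.append(parsed)
    return accepted, rejected


# Sample log: the two sentences printed on the slides plus constructed ones.
SAMPLE_LOG = [
    "$RAZDA,194001.00,13,01,2012,-01,*41",   # from the slide, checksum verifies
    "$PSWTD,07,C----,*34",                   # as printed on the slide: does not verify
    "$PSWTD,07,C----,*2C",                   # constructed: same payload, recomputed checksum
    "$PSWTD,08,O----,*2F",                   # constructed: door 8 reported open
]

if __name__ == "__main__":
    ok, bad = process_log(SAMPLE_LOG)
    for p in ok:
        print("OK ", p["prefix"], p["decoded"])
    for p in bad:
        print("BAD", p["prefix"],
              f"expected {p['checksum_expected']:02X} got {p['checksum_actual']:02X}")
    print(decode_unix_timestamp(bytes.fromhex("4F108890")).isoformat())
```

Rejecting a sentence on checksum failure rather than decoding it anyway is what makes the resulting timeline defensible: a door state or a position taken from a corrupted line is exactly the kind of value that gets challenged later, and the rejected list documents what was left out and why.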
VDR Forensics
Once we were able to recover the raw data, we proceeded to work on it to:
• Understand the meaning of the standard and non-standard elements.
• Understand the relative importance of each element.
• Build tools to parse the data and report the results in a useful format.
VDR Forensics: sample data analysis
Position of the rudders (order and response) before and during the accident.
Evolution of the watertight doors (WTD) status. Why does the last signal we have for door 8 read ‘O’ (open)?
Trackpilot settings on both the radar stations.
Interactive data replay tool.
Ship position and heading.
Simulation of the impact by position and heading data.
VDR Forensics
The steps we described are related to this specific VDR model, but they also show a general approach which could probably be applied, with further studies, to any other model and vendor.
The analysis of the VDR data is of course easy to perform with closed and proprietary software from the vendor, but we were the first to publish about a forensically sound approach.
Mario Piccinelli
Methods and Instruments for the New Digital Forensics Environments
Thanks for listening!
ps: any questions?