Selective and Intelligent Imaging Using Digital Evidence

BagsPresented by Ryan O’Donnell

•Selective Imaging•Intelligent Imaging•Digital Evidence Bags

Introduction

Current methods use the bitstream image•Suitable for smaller sized sources•Works for the majority of cases•Is there anything better?

Current Method

With this method the entire drive is NOT captured.

In some best practice guidelines (ACPO) selective imaging may be used as an alternative to the traditional bitstream imaging capture method

Selective Imaging (SI)

•large source (primary reason)•forensic triage•intelligence gathering•legal requirements

Why use Selective Imaging?

•Manualo choose exact files that are captured•Semi-Automatico choose categories (file extensions, file

hash, file signature, etc)•Automatico imager uses configuration for acquisition

Selective Imaging Techniques

To maintain integrity of collected data, we must record all files and their provenance.

Provenance can be recorded by •physical sector location•logical cluster location and offset•folder location

Integrity of Selective Imaging -1

Which is best? Keep in mind, the provenance must be•unique•unambiguous•concise •repeatable

Integrity of Selective Imaging -2

•Primary key- physical sectors•Secondary key- logical clusters and offset•Tertiary key- folder location

All keys should be documented, but use the appropriate key for your audience.

Integrity of Selective Imaging -3

•Automatically images and processes drive•No need for technologically proficient investigator•Acquires all relevant information that would normally be relevant to the case

Intelligent Imaging

• How do you go about capturing the knowledge of the technical experts that are familiar with digital technical complexities and legal domain experts and combine them?

• How do you know that you have captured everything relevant to the case under investigation or have not missed evidence of other offences?

Intelligent Imaging Concerns

DEB is a universal container for digital information from any source. They allow provenance to be recorded and provide continuity maintenance throughout the life of the exhibit.

Digital Evidence Bags (DEB)

DEB Overview Diagram

•tag file•index files•bag files

The index and bag files together are known as an Evidence Unit (EU).

DEB Components

DEB Framework

A plain text file made up of•DEB Header•Evidence Units•DEB Footero records the number of EU in the DEB; sealed

with hash•Tag continuity blocks (TCB)o application function, signature and timestamp

DEB Tag file

•investigating officer•creation timestamp•evidence description•Index format using metatags

Header File

•Labelso file name, origin, attributes, command•Timestampso modified, accessed, created•Numerico sector, cluster, logical size, physical size• Integrityo hash values

Header Index Metatags

•records all EUso includes integrity hash of both index and

bag files•EU 0 is reserved for case noteso imager information

configuration, revision, hash, selection criteriao any case information

Tag File - Evidence Units

Imager Configuration File

DEB Tag File Example

DEB Diagram

Evidence Unit Detail

There must be sufficient information about the provenance so when restored it is identical to what would have been acquired with a bitstream image

The Ultimate Test

The container is key to selectively capturing data.

Utilizing these methods provides structure in investigations with vast amounts of information.

Conclusion