digital forensic tools - application specific
DESCRIPTION
Based on queries regarding the tools needed for computer forensics investigations, I recommend this presentation. It would help in customizing tools depending upon the requirements of a specific case. This presentation was presented by Jim Lyle. His contact info is available on the first slide. Kindly reach him for further queries. >> ravi
TRANSCRIPT
![Page 1: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/1.jpg)
04/13/23 1
Computer Forensics Tool Testing at NIST
Jim Lyle
Information Technology Laboratory
Phone: (301) 975-3207
E-mail: [email protected]
WWW: http://www.cftt.nist.gov
![Page 2: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/2.jpg)
Computers & The Internet
• Marvelous tools
• Improve quality of life
• Enable global communication
• Improve productivity
• Makes many activities easier, faster, …
• … even criminal activity
![Page 3: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/3.jpg)
A Shocking Revelation . . .
• Computers can be involved in crime …
– As a victim
– As a weapon
– As a witness
– As a record
– As contraband
![Page 4: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/4.jpg)
Outline of an Investigation
• Get proper authorization
• Seize evidence (hard drives, floppies …)
• Create duplicates for analysis
• Analyze the duplicates
– Exclude known benign files
– Examine obvious files
– Search for hidden evidence
• Report results
![Page 5: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/5.jpg)
Investigators Need …
Computer forensic investigators need tools that …
• Work as they should
• Produce results admissible in court
![Page 6: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/6.jpg)
Admissible Results
• Software tools must meet Daubert criteria
– Tested: accurate, reliable & repeatable
– Peer reviewed
– Generally accepted methodology
![Page 7: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/7.jpg)
Response to Problem
• Independent testing of forensic tools
• Public review of results
• Apply black box testing theory to tools
![Page 8: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/8.jpg)
Goals of CF at NIST
• Establish methodology for testing computer forensic tools (CFTT)
• Provide international standard reference data that tool makers and investigators can use in investigations (NSRL)
![Page 9: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/9.jpg)
Why NIST/ITL is involved
• Mission: Assist federal, state & local agencies
• NIST is a neutral organization – not law enforcement or vendor
• NIST provides an open, rigorous process
![Page 10: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/10.jpg)
Project Sponsors
• NIST/OLES (Program management)
• NIJ (Major funding)
• FBI (Additional funding)
• DOD (Equipment and support)
• Homeland Security (Technical input)
• State & Local agencies (Technical input)
![Page 11: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/11.jpg)
Project Tasks
• Identify forensics functions, e.g.,
– Disk imaging
– Hard drive write protect
– Deleted file recovery
– String searching
• Develop specification for each function
• Peer review of specification
• Test methodology for each function
• Test tools (by function) & report results
![Page 12: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/12.jpg)
Current Activities
• Hard drive imaging tools
• Software hard drive write protect
• Hardware hard drive write protect
• Deleted file recovery
• String searching
![Page 13: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/13.jpg)
Challenges
• No standards or specifications for tools
• Arcane knowledge domain (e.g. DOS, Windows drivers)
• Reliably faulty hardware
• Many versions of each tool
![Page 14: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/14.jpg)
Overview of Methodology
• CFTT directed by Steering Committee
• Functionality driven
• Specifications developed for specific categories of activities, e.g., disk imaging, hard drive write protect, etc.
• Test methodology developed for each category
![Page 15: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/15.jpg)
Developing a Specification
After tool function selected by SC …
• Focus group (law enforcement + NIST) develops tool function specification
• Spec posted to web for public comment
• Comments incorporated
• Develop test environment
![Page 16: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/16.jpg)
Tool Test Process
After SC selects a tool …
• Acquire tool & review documentation
• Select test cases
• Execute test cases
• Produce test report
![Page 17: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/17.jpg)
Disk Imaging Test Parameters

| Parameter | Value |
| --- | --- |
| Functions | Copy, Image, Verify |
| Source interface / Dst interface | BIOS to IDE, BIOS to SCSI, ATA, ASPI, Legacy BIOS |
| Relative size | Src=Dst, Src<Dst, Src>Dst |
| Errors | None, Src Rd, Dst Wt, Img R/W/C |
| Object type | Disk, FAT12/16/32, NT, Ext2 |
| Remote access | Yes, no |
![Page 18: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/18.jpg)
Capabilities to test disk imaging
• Accuracy of copy
– Compare disks
– Initialize disk sectors to unique content
• Verify source disk unchanged
• Corrupt an image file
• Error handling: reliably faulty disk
![Page 19: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/19.jpg)
Test Case Structure: Setup
1. Record details of source disk setup.
2. Initialize the source disk to a known value.
3. Hash the source disk and save hash value.
4. Record details of test case setup.
5. Initialize a destination disk.
6. If the test requires a partition, create and format a partition on the destination disk.
7. If the test uses an image file, partition and format a disk for the image file.
![Page 20: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/20.jpg)
Test Case Structure: Run Tool
8. If required, setup I/O error
9. If required, create image file
10. If required, corrupt image file
11. Create destination
![Page 21: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/21.jpg)
Test Case Structure: Measure
12. Compare Source to Destination
13. Rehash the Source
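The setup, run and measure steps of the test case structure, worked through as an added Python simulation (not code from the presentation or from NIST's own FS-TST tools): every sector is filled with content unique to that disk and sector, the source is hashed before and after the run, and the destination is compared to the source sector by sector; `good_tool` and `short_tool` are constructed stand-ins for the imaging tool under test, and the 512-byte sector size is assumed.

```python
import hashlib

SECTOR = 512  # bytes per sector (assumed)


def wipe_unique(n_sectors: int, tag: str) -> bytearray:
    """Steps 2/5: fill every sector with content unique to that disk and sector."""
    disk = bytearray(n_sectors * SECTOR)
    for i in range(n_sectors):
        disk[i * SECTOR:(i + 1) * SECTOR] = f"{tag}:{i:08d}".encode().ljust(SECTOR, b"\0")
    return disk


def sha1(disk: bytearray) -> str:
    """Steps 3/13: hash of the whole disk (FS-TST hashes drives with SHA1)."""
    return hashlib.sha1(bytes(disk)).hexdigest()


def compare(src: bytearray, dst: bytearray) -> dict:
    """Step 12: sector-by-sector comparison; reports mismatches and size differences."""
    ns, nd = len(src) // SECTOR, len(dst) // SECTOR
    common = min(ns, nd)
    mismatched = [i for i in range(common)
                  if src[i * SECTOR:(i + 1) * SECTOR] != dst[i * SECTOR:(i + 1) * SECTOR]]
    return {"compared": common, "mismatched": mismatched,
            "src_extra": ns - common, "dst_extra": nd - common}


def run_case(tool, src_sectors: int, dst_sectors: int) -> dict:
    """One test case: setup, run the tool, measure."""
    src = wipe_unique(src_sectors, "SRC")
    dst = wipe_unique(dst_sectors, "DST")   # distinct content, so untouched sectors show up
    h_before = sha1(src)
    tool(src, dst)                          # step 11: create destination
    result = compare(src, dst)
    result["src_unchanged"] = sha1(src) == h_before   # step 13: rehash the source
    return result


def good_tool(src: bytearray, dst: bytearray) -> None:
    """Constructed tool that copies every source sector that fits on the destination."""
    n = min(len(src), len(dst))
    dst[:n] = src[:n]


def short_tool(src: bytearray, dst: bytearray) -> None:
    """Constructed faulty tool that stops one sector early (a last-sector defect)."""
    n = min(len(src), len(dst)) - SECTOR
    dst[:n] = src[:n]
```

Running the Src=Dst, Src<Dst and Src>Dst cases from the parameter table against both tools shows how the compare step pins a defect to a specific sector while the rehash confirms the source was never written.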
![Page 22: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/22.jpg)
Test Logging
• Log everything, automatically if practical
• Hardware, software, versions
• Time/date
• Operator
![Page 23: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/23.jpg)
Legacy BIOS Quirks
• Some may under report drive size
• Example: Quantum SIROCCO1700A has 3335472 sectors, geometry 3309/16/63, spc (sectors per cylinder) 1008
• BIOS: 3,330,432 sectors with geometry 826/64/63, spc 4032
• BIOS under reports by 1.25 logical cyls and 5 physicals
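The under-report on the slide, carried through as an added Python calculation (not from the presentation): `bios_shortfall` is a name assumed here, and the two geometries are the slide's own figures for the Quantum SIROCCO1700A and for what the legacy BIOS reports.

```python
def chs_sectors(cylinders: int, heads: int, spt: int) -> int:
    """Total addressable sectors for a cylinders/heads/sectors-per-track geometry."""
    return cylinders * heads * spt


def bios_shortfall(physical: tuple, bios: tuple) -> dict:
    """Sectors hidden by the BIOS geometry, plus that shortfall expressed in
    BIOS (logical) and drive (physical) cylinders.  Both arguments are
    (cylinders, heads, sectors-per-track) tuples."""
    total, seen = chs_sectors(*physical), chs_sectors(*bios)
    missing = total - seen
    return {
        "total": total,
        "bios": seen,
        "missing": missing,                                      # sectors a BIOS-only tool never sees
        "logical_cyls": missing / (bios[1] * bios[2]),           # BIOS sectors per cylinder
        "physical_cyls": missing / (physical[1] * physical[2]),  # drive sectors per cylinder
    }


# Geometries from the slide: drive as built vs. as the legacy BIOS reports it
SIROCCO = bios_shortfall((3309, 16, 63), (826, 64, 63))
```

A copy made purely through such a BIOS would leave the last `missing` sectors of the drive uncopied, which is exactly the discrepancy the sector-by-sector compare step is there to catch.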
![Page 24: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/24.jpg)
Evaluating Test Results
If a test exhibits an anomaly …
1. Look for a hardware or procedural problem
2. Check whether the anomaly has been seen before
3. If unique, look at more cases
4. Examine similar anomalies
![Page 25: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/25.jpg)
Refining the Test Procedure
• During dd testing some results seemed to indicate that the Linux environment was making a change to the source disk.
• After investigation we found that the problem was actually the test procedure.
![Page 26: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/26.jpg)
Hard Drive Write Protect
• Can be done either in hardware or software
• Software write protection limited to specific environment: BIOS access or device driver
• Hardware write protection more general
![Page 27: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/27.jpg)
Hard Drive BIOS Access
(Diagram) Application program → issue int 0x13 cmd → BIOS interrupt 0x13 → issue cmd to drive → Disk drive & controller → return (the result travels back up the same chain)
![Page 28: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/28.jpg)
SWB Tool Operation
(Diagram) Application program → issue int 0x13 cmd → SWB tool (hooked into BIOS interrupt 0x13)
– allow: issue cmd to drive → Disk drive & controller → return
– block: return to the application without issuing the cmd to the drive
![Page 29: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/29.jpg)
Test Harness Operation
(Diagram) Test harness → issue int 0x13 cmd → interrupt 13 monitor (tally) → SWB tool
– allow: issue cmd to drive → Disk drive & controller → return
– block: return
The test harness queries the interrupt 13 monitor for the result of each cmd.
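The harness above, simulated as an added Python example (not the presentation's or NIST's SWBT code): the monitor sits between the harness and a constructed `SWBTool`, tallies allow/block per command category, and the harness queries the tally afterwards; the int 13h function numbers are the standard BIOS ones, assumed here since the slide does not list them, and `leaks` is a constructed knob for modelling a defective blocker.

```python
from collections import Counter

# BIOS interrupt 13h function numbers and their category (assumed from the
# standard int 13h interface; the slide itself does not list them).
# 0x02/0x42 read sectors, 0x03/0x43 write sectors, 0x05 format track.
INT13 = {0x00: "other", 0x01: "other", 0x02: "read", 0x03: "write",
         0x04: "other", 0x05: "write", 0x08: "other", 0x41: "other",
         0x42: "read", 0x43: "write", 0x44: "other", 0x48: "other"}


class Drive:
    """Stands in for 'Disk drive & controller'; records writes that reach it."""
    def __init__(self):
        self.writes_received = 0
    def handle(self, func: int) -> str:
        if INT13[func] == "write":
            self.writes_received += 1
        return "ok"


class SWBTool:
    """Constructed software write blocker hooked on int 13h.  `leaks` lists
    write functions it mistakenly passes through (empty for a correct tool)."""
    def __init__(self, drive: Drive, leaks=()):
        self.drive, self.leaks = drive, set(leaks)
    def __call__(self, func: int) -> str:
        if INT13[func] == "write" and func not in self.leaks:
            return "blocked"               # return without issuing cmd to drive
        return self.drive.handle(func)     # allow: issue cmd to drive


class Monitor:
    """'interrupt 13 monitor': sits between harness and SWB tool and tallies outcomes."""
    def __init__(self, swb: SWBTool):
        self.swb, self.tally = swb, Counter()
    def issue(self, func: int) -> str:
        result = self.swb(func)
        self.tally[(INT13[func], "block" if result == "blocked" else "allow")] += 1
        return result


def run_harness(swb: SWBTool) -> dict:
    """Test harness: issue every int 13h function once, then query the monitor."""
    mon = Monitor(swb)
    for func in INT13:
        mon.issue(func)
    leaked = mon.tally[("write", "allow")]
    over_blocked = mon.tally[("read", "block")] + mon.tally[("other", "block")]
    return {"tally": dict(mon.tally), "writes_leaked": leaked,
            "reads_blocked": over_blocked, "passed": leaked == 0 and over_blocked == 0}
```

A blocker passes only if every write-category function is blocked and every read or query function is allowed; a single leaked write (for instance extended write 0x43) fails the tool even though the plain write 0x03 is blocked.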
![Page 30: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/30.jpg)
HWB Testing
(Diagram) CPU → BUS 1 → HWB → BUS 2 → Device. The CPU sends an I/O cmd to the device and the device returns the result to the CPU; a protocol analyzer attached to the bus monitors the bus traffic.
![Page 31: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/31.jpg)
Impact
• Release 18 (Feb 2001) - A US government organization was doing some testing and uncovered an issue under a specific set of circumstances.
• Linux doesn’t use the last sector if odd
• Several vendors have made product or documentation changes
• CFTT cited in some high profile court cases
![Page 32: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/32.jpg)
Available Specifications
• Hard Drive Imaging (e.g., Safeback, EnCase, Ilook, Mares imaging tool)
• Write Block Software Tools (e.g., RCMP HDL, Pdblock, ACES)
• Write Block Hardware Devices (A-Card, FastBlock, NoWrite) – not final
![Page 33: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/33.jpg)
Specifications Under Development
• String Searching
• Deleted File Recovery
• Revised Disk Imaging
![Page 34: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/34.jpg)
Available Test Reports
• Sydex SafeBack 2.0
• NTI Safeback 2.18
• EnCase 3.20
• GNU dd 4.0.36 (RedHat 7.1)
• FreeBSD 4.4 dd
• RCMP HDL V0.8
![Page 35: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/35.jpg)
Test Reports in Production
• RCMP HDL V0.4
• RCMP HDL V0.5
• RCMP HDL V0.7
![Page 36: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/36.jpg)
Available Testing Software
• FS-TST – tools to test disk imaging: drive wipe, drive compare, drive hash (SHA1), partition compare. (DCCI uses these tools)
• SWBT – tools to test interrupt 13 software write blockers
![Page 37: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/37.jpg)
Benefits of CFTT
• Benefits of a forensic tool testing program
– Users can make informed choices
– Neutral test program (not law enforcement)
– Reduce challenges to admissibility of digital evidence
– Tool creators make better tools
![Page 38: Digital Forensic Tools - Application Specific](https://reader036.vdocument.in/reader036/viewer/2022062320/558e03ee1a28ab6e6c8b46fb/html5/thumbnails/38.jpg)
Contacts
• Jim Lyle – www.cftt.nist.gov – [email protected]
• Doug White – www.nsrl.nist.gov – [email protected]
• Mark Skall, Chief, Software Diagnostics & Conformance Testing Div. – www.itl.nist.gov/div897 – [email protected]
• Sue Ballou, Office of Law Enforcement Standards – Steering Committee Rep. for State/Local Law Enforcement