Digital Forensics, from floppies to the Cloud

Can Darwin win the game of digital evolution?

@kerouanton #ISC2CongressEMEA

SOME BASICS Digital Sherlock in a nutshell

Types of digital forensics

Investigations – Criminal – Police

Incident Management – Breach analysis

Data recovery – Legal archives

Typical forensic workflow

SEIZING EVIDENCE From theory to reality

The Theory

The Reality

Diversity

Home-made “NAS” for P2P sharing

Physical size vs Logical Size

EVIDENCE COLLECTION Inventory complexity

Extracting physical media

Apple annoyances…

A typical issue…

Moore’s Law, best ennemy!

Major issue with disk size :

- 1.2 million of porn files

- 18 Tb of disks

• Several months analysis…

• Very complex case…

Can quickly become unmanageable.

Media gathering Issues

• Physical Size Micro-SD cards

• Logical Size Terabytes

• Quantity low storage price

• Diversity 10s of formats

Another typical issue

CELL PHONES Cellphone investigation ? Priceless !

The cables nightmare

Very expensive kits...

FIELD KITS Police Loves Hard Cases

DNA Field Kit

Drone Field Kit

GSM Relay Field Kit

Cell-phones Field Kit

Disk imaging Field Kits

All-In-One Field Kit

Seriously, Who can afford this?

IN THE LAB Mindboggling Parallelization

Evidence storage

FILE CARVING

So many filesystems

800 file formats, and more…

Most forensics tools use the same API for file rendering…

The time issue 1. Automated Acquisition Takes Hours…

2. Automated Carving Takes Hours, Sometimes Days…

3. Manual analysis Takes Hours, Days, sometimes Weeks

4. Reporting Takes Days

NEW « CHALLENGES » Dealing with

Disk Encryption

Secure Remote Wiping

Tails, TOR and the Darknet

What NSA thinks of TOR

Darknet Forensics ?

Embedded devices nightmare

Smartphone Encryption

IP Box : bruteforcing the PIN

iMessage, WhatsApp etc.

Escaping investigation

42 = GAMA® ? The Answer about Life, Universe, and Everything (...including Forensics!)

Introducing « GAMA® »

Introducing « GAMA® »

iCloud

Subpoenas

Territoriality issues

Three possible options

1. Cybercrime agreement (EU, USA, …) helps action on third-party country, but only if we are sure the data are physically stored on the agreeing country. Received directly, must be validated by legal prosecutor.

1. Official request : Commission Rogatoire Internationale (CRI). Takes between 6 and 12 months often too late (if log retention < 6 mois).

2. CRI + backup request. Issues with IP timeout validity, and other proof of evidence elements.

The cantonal prosecutor asks Federal Justice Department,

who asks OFA in Washington D.C.

« Instant » data, further legalizing of obtained evidence.

Still not an obligation (for GAMA™) to giveaway data,

based on cultural and legal differences amonst countries.

Cryptowars - Cloud

Cryptowars - Mobile

TOWARDS NEW FORENSICS… GAMA®’s Forensic Tools

Rekall

Open Source Python Forensics Framework

Virtual Machine Live Forensics

• Filesystem, Memory, Registy, Processes…

• Multi-OS (Linux, Windows, OSX…)

• Able to investigate on nested VMs !

www.rekall-forensic.com

GRR (Google Rapid Response)

Open Source, multiplatform Distributed Forensics Management uses Rekall and more. « Cloud-by-design » Can handle large cases and live investigations (10’000 servers !) Scheduling, and much more features.

TO CONCLUDE Final slides

Let’s recap !

• Legacy Forensics tools are no longer efficient.

• Evidence is no longer on Disks, and increasingly in RAM.

• Evidence is now in virtualized U.S. Clouds (GAMA®).

• New forensics tools are run by GAMA® for their own forensic needs, & cyberattack mitigation. – Virtualization and RAM forensics

– Nested VMs forensics

• GAMA® can collaborate… or not, to provide evidence.

Fearing the future ?

• GAMA® Supremacy, even on Law Enforcement (Cryptowars), is a new interesting challenge.

• That will lead to the evolution of Legal Arsenal in most countries : – To force evidence disclosure by GAMA®, – To insert backdoors & crypto / key escrow.

IS THAT WHAT WE, AS CITIZENS

OR COMPANIES, REALLY WANT ?

By Bruno Kerouanton Twitter: @kerouanton / éé.net

Thank You !

@kerouanton #ISC2CongressEMEA