Using OSS for digital forensic
DESCRIPTION
Branch of forensic science which involves forensic investigation on digital materials
TRANSCRIPT
Presented by: IBRAHIM YUSOF, SAUFI BUKHARI
SIMULTANEOUS DISK IMAGING USING OPEN-SOURCE TOOLS FOR DIGITAL FORENSIC
WHAT IS DIGITAL FORENSIC?
• Branch of forensic science which involves forensic investigation on digital materials
• Objectives:
– Explain the current state of a digital artifact (registries, storage, documents, packets)
– Analyze information inside digital artifacts to be used as digital evidence
– Recover deleted or lost information
– Analyze how the system is being compromised
BASIC STEPS IN DIGITAL FORENSIC
Identification: identify the system that will be investigated
Preservation: isolate and secure the system to prevent further damage or modification
Collection: obtain digital evidence using disk imaging technique
Examination and analysis: examine digital evidence to discover specific evidence
Presentation and decision: present the result of analysis for decision making
WHAT IS DISK IMAGING?
• Process of duplicating a hard disk drive or other storage device sector by sector rather than as separate files
• Operates below the file-system layer (NTFS, Ext2, Ext3)
• Preserves the content, structure, and accounting of the files
• Allows compression and archiving of the image file to save storage space
APPLICABLE DISK IMAGING TOOLS
• Commercial software:
– AccessData Forensic Tool Kit (FTK) Imager
– Guidance Software EnCase
• Open-source software:
– dd: originally developed for UNIX/Linux systems, now available for other OSs such as Windows
– dcfldd: enhanced version of dd developed by the U.S. Department of Defense Computer Forensics Lab, with integrity verification capability
– dd_rescue & GNU ddrescue: other enhanced versions of dd with intelligent error recovery
– aimage: Advanced Forensic Format (AFF) imaging tool with intelligent error recovery, compression and verification
WHY USE OPEN-SOURCE TOOLS?
• Advantages:
– Save cost
– Can be shared and customized freely
• Disadvantages:
– Require expertise to configure and use
– Most of them do not offer a graphical user interface (GUI) to ease the user
• Require execution of raw disk imaging commands
• Example (the output must be a file on the mounted destination, not the mount point itself): dcfldd if=/dev/hda of=/media/disk/hda.dd bs=32K hash=md5 md5log=/media/disk/md5log.txt
FORENSIC DISK IMAGING
• Adopts the normal disk imaging functionalities
• Advanced functionalities:
– Integrity verification (checksum and hashing)
– Metadata (details about data) preservation
– Imaging log generation
• Must satisfy the digital forensic requirements for disk imaging:
– The tool shall not alter the original
– The tool shall perform imaging even if there are I/O errors
– The tool shall compute a hash or checksum value and perform verification
– The tool shall produce accurate and correct documentation
• Drawback: slower imaging process than normal imaging
THE EFFECTS OF ADVANCED FUNCTIONALITIES ON IMAGING SPEED
[Chart: imaging speed of normal imaging versus forensic imaging; bar labels "Normal" and "Forensic"]
WHY USE FORENSIC DISK IMAGING?
• Prepares an exact duplicate of the digital evidence for analysis
• Avoids performing analysis on the original digital evidence, preventing damage or modification
• Allows the original digital evidence to be duplicated any number of times
BEST TOOLS FOR FORENSIC DISK IMAGING
• dcfldd
– On-the-fly hashing (hashing is performed during data transfer from source to destination)
– Image verification and splitting
– Log generation for external applications
• aimage
– Image verification, compression, and archiving
– Hashing (SHA-1, MD5, SHA-256)
– Metadata preservation
– Log generation
HOW TO PERFORM DISK IMAGING?
• Preparations:
– Source hard disk or other storage device attached to the target system
– Destination hard disk (USB-attachable external hard disk), much larger than the source hard disk
– Live CD (Linux): contains the disk imaging tool and digital forensic analysis utilities
CONTINUED…
• Hardware setup:
Figure 1: Illustration of hardware setup
CONTINUED…
• Hands-on execution:
– Execute the imaging command in a Linux terminal (as shown below)
Figure 2: Sample of dcfldd execution
SIMULTANEOUS DISK IMAGING
• Simultaneous disk imaging: multiple disk imaging executions done at the same time
• WHY?
– Many server computers have more than one hard disk
– To simplify the job of the user when imaging multiple hard disks
– Time utilization: the user doesn't have to wait for the current imaging process to complete in order to start the next one
CONTINUED…
• HOW?
– Use the existing functionality of the Linux OS that allows multiple commands to be executed
– Examples:
• command1 & command2;
• command1 ; command2;
• PROBLEM: long and complicated commands to execute
• SOLUTION: use a graphical user interface (GUI) to generate the command automatically
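The following script is an added example; it is not code from the slides or from the (AFF) Imager project. It puts the four forensic imaging requirements listed earlier (do not alter the original, continue on I/O errors, hash and verify, document the run) and the "command1 & command2" idea from this slide into a form that can be tried with coreutils only (dd, tee, sha256sum), since dcfldd and aimage are not assumed to be installed. The function names forensic_image, image_simultaneously and make_sample_disks, the sector size of 512 and the two random-byte "disks" are assumptions constructed for the example. Note that only the `&` form runs two commands at the same time; `command1 ; command2` runs them one after the other.

```shell
#!/bin/sh
# Added example, not code from the slides or from the (AFF) Imager project.
# Builds the deck's forensic imaging requirements and its "command1 &
# command2" idea out of coreutils (dd, tee, sha256sum). Sources are only
# ever read by dd, never opened for writing.

# forensic_image SOURCE IMAGE LOG [BLOCK_SIZE]
#   conv=noerror,sync : keep imaging on read errors, zero-fill the failed block
#   tee               : hash the bytes on the fly while they are written
#   The image file is re-hashed afterwards and compared, so LOG documents
#   source, block size, timestamps, both hashes and dd's own report.
#   Returns 0 only when the two hashes match.
forensic_image() {
    src=$1; img=$2; log=$3
    # Assumption: 512-byte sectors. conv=sync pads the last partial block
    # up to BLOCK_SIZE, so a larger bs (the deck's 32K) can append zeros
    # that are not on the source; 512 avoids that on whole-sector devices.
    bs=${4:-512}
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    stream_hash=$(dd if="$src" bs="$bs" conv=noerror,sync 2>"$log.ddstderr" \
                  | tee "$img" | sha256sum | awk '{print $1}')
    image_hash=$(sha256sum "$img" | awk '{print $1}')
    end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    {
        echo "source=$src"
        echo "image=$img"
        echo "block_size=$bs"
        echo "started=$start"
        echo "finished=$end"
        echo "sha256_stream=$stream_hash"
        echo "sha256_image=$image_hash"
        cat "$log.ddstderr"    # records in/out and any read-error notices
    } >"$log"
    if [ "$stream_hash" = "$image_hash" ]; then
        echo "verified=OK" >>"$log"
    else
        echo "verified=FAILED" >>"$log"
        return 1
    fi
}

# image_simultaneously DESTDIR SOURCE...
#   One background job per source (the "&" form), then wait for all of them.
#   Each job runs in its own subshell, so the globals above do not clash.
#   Job N produces DESTDIR/diskN.dd and DESTDIR/diskN.log; the return value
#   is the number of jobs whose verification failed (0 = all verified).
image_simultaneously() {
    destdir=$1; shift
    n=0; failed=0; pids=""
    for src in "$@"; do
        n=$((n + 1))
        forensic_image "$src" "$destdir/disk$n.dd" "$destdir/disk$n.log" &
        pids="$pids $!"
    done
    for pid in $pids; do
        wait "$pid" || failed=$((failed + 1))
    done
    return "$failed"
}

# Constructed sample "disks" standing in for /dev/sda and /dev/sdb: two
# files of random bytes whose sizes are whole multiples of 512 (64 KiB, 128 KiB).
make_sample_disks() {
    dd if=/dev/urandom of="$1/src1.img" bs=512 count=128 2>/dev/null
    dd if=/dev/urandom of="$1/src2.img" bs=512 count=256 2>/dev/null
}

# Usage: sh imager.sh --demo   (images both sample disks into a temp dir)
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_disks "$work"
    image_simultaneously "$work" "$work/src1.img" "$work/src2.img"
    echo "failed jobs: $?"
    cat "$work"/disk*.log
fi
```

Running it with `--demo` prints the two logs; on a real system the sources would be block devices such as /dev/sda and the destination directory a mount on the larger external disk, and the `wait` loop is what gives the "many to many" or "many to one" run a single exit status. The padding caveat is worth checking on your own tool: with conv=sync a source whose size is not a multiple of the block size produces an image larger than the source, so the image hash will not match a hash taken of the raw device afterwards even though the image itself verified.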
OUR GRAPHICAL USER INTERFACE (GUI) OVERVIEW – (AFF) Imager 1.0.x
• Based on AIR (Automated Image and Restore), a GUI front-end to dd/dc3dd created by Steve Gibson
• Written in Perl/Tk
• Currently developed specifically for Linux (SUSE 10.2)
• Allows two imaging processes to be executed at once
• No memorization of long and complicated commands required
• Collaboration with aimage (AFF disk imaging tool)
• WHY we chose aimage? Its functionalities best meet current digital forensic requirements
[Screenshot callouts: Start button, Stop button, dual source and destination browser, imaging options tab (checkbox based)]
DIFFERENT MODES OF SIMULTANEOUS DISK IMAGING
• Many to one: multiple source hard disks imaged and stored on one destination hard disk
Figure 3: Many to one mode illustration
CONTINUED…
• Many to many: multiple source hard disks imaged and stored on multiple destination hard disks
Figure 4: Many to many mode illustration
MANY TO ONE vs. MANY TO MANY
Figure 5: Average imaging rate comparison of simultaneous disk imaging modes [chart; one series label, "Normal mode", survives]
CONCLUSIONS
• In forensic disk imaging, integrity and accuracy are more important than speed
• Open-source disk imaging tools can be very reliable with additional improvement (e.g. a GUI)
• The use of a graphical user interface (GUI) simplifies the imaging process significantly
• Simultaneous imaging (many to many) is another way to simplify the imaging process and save imaging time
– Requires additional storage devices to perform best
THANK YOU FOR YOUR ATTENTION…
Q & A