Transcript Data Foresensics

Damien Leake
Definition
 To examine digital media to identify and analyze
information so that it can be used as evidence in court
cases
 Involves many data recovery techniques
 Process of salvaging data from damaged, failed,
corrupted, or inaccessible secondary storage media

Hard drives, USB flash drives, DVDs
 Recovery may be required due to physical damage or
logical damage to file system
 Digital evidence has to be authentic, reliably obtained,
and admissible
Common Scenarios for
Data Recovery
 Operating system failure
 Use LiveCD to copy all files to another disk
 Can be avoided by proper disk partitioning
 Disk-level failure
 Compromised file system or disk partition
 Repair file system, partition table, master boot record
 Hard disk recovery – one time recovery
 Recovering deleted files
 Often data is not removed, only the references to them
in the file table
Data Reduction During Acquisition
 Ever larger hard drives make collecting data very time-
consuming
 Data analysis can also take much longer if there are
large amounts of data
 Known files
 Operating system and application files can often be
disregarded when looking for documents
 File types
 Many file types can usually be ignored
Live Acquisition
 Debate: pull the plug or not when finding suspect’s
computers
 For: minimizes disturbance to stored data
 Against: Critical data may be in RAM
 With full disk encryption, files are decrypted on the fly,
with the decryption key stored in RAM
 Open ports, active processes
 Fully volatile OS: Knoppix
 Unsaved documents
Examining RAM
 Evidence cannot be recorded on a target machine
without changing the state
 Logs, temp files, network connections opened/closed
 Critical data may be overwritten
 Analysis utilities may need to be loaded onto target
system
 Usually, ram data is sent to another machine over a
network connection
 These problems may be avoided if the target machine
was running on a Virtual Machine
Virtual Introspection
 Process by which the state of a VM is observed from the
Virtual Machine Manager or another VM on the system
 No current production tool, but research shows promise
 Can allow live system analysis of a VM
 May be possible for it to be undetected by target system
 Experienced cyber criminals may have safeguards that
remove critical data from RAM upon breach detection
Virtual Introspection for Xen
 Xen is an open source Virtual Machine Manager
 Not as robust as some competitors
 Open source means that researchers can modify the
VMM should that become necessary
 VIX is a suite of tools currently being developed for Xen
 Provides API for getting data from different VMs
 Pauses target machine, acquires data, un-pauses
machine
 Ensures machine state is not modified
Future Work
 Support for multiple OS
 Currently, Linux 2.6 kernel is supported by VIX
 Need Windows and Mac OS support for widespread
significance
 Analysis of the extent to which VI can be detected by
the target VM
 Timing analysis, page fault monitoring
 Application of these techniques to VMware and other
popular VM platforms
Database Forensics
 Standard forensics tools tend to be too time
consuming to run on large databases
 Database tools to search logs are quicker
 Can return a lot of useful information
 But they may alter the database in ways that complicate
the admissibility of the content in court
 New field of study with little literature
Mobile Device Forensics
 State of device at time of acquisition
 Password locks
 Remote data deletion
 Variety of operating systems
 Hard to build tools considered industry standard
FTK Mobile Phone Examiner
 Most commonly used tool in US
 Simple data acquisition
 Cable. Infrared, Bluetooth
 Does not alter any data on device
 Integration with Forensic Toolkit
 Perform analysis on multiple phones at once
 Reports are automatically court-usable
Oxygen Forensic Suite
 Popular tool with European law enforcement agencies
 Extracts all possible information
 Phone/SIM card data
 Contact list, caller groups, speed dials
 All calls sent/received/missed
 SMS, calendar events, text notes
 Can tap into LifeBlog and geotagging in Nokia
Symbian OS phones
EnCase Neutrino
 Extension of company’s PC forensic software
 Claims to have the only extensively tested signal
blocking technology
 Data acquisition starts with SIM card first, then
searches the phone itself
 Easily returns device serial number, cell tower location,
and manufacturer information
Anti-Forensics
 Avoid detection of events
 Disrupt collection of information
 Increase time spent on case
Attacking Data
 Data wiping
 Overwrite erased disk space with random data
 Many commercial tools do not do this properly and leave
some of the original data
 Data hiding
 Encryption
 Using anonymous web storage
 Steganography

Embedding data into another digital form (images, videos)
 Data corruption
 Aims to stop the acquisition of evidentiary data
Attacking Forensics Tools
 Aims to make examination results unreliable in court
 Manipulate essential information
 Hashes
 Timestamps
 File signatures
 Compression bomb
 Compress data hundreds of times
 Causes analyzing computer to crash trying to
decompress it
Attack the Investigator
 Exhaust investigator’s time and resources

Leave large amounts of useless data on hard drives
 Cases that take too long are more likely to be dropped
Summary
 Data forensics attempts to capture and analyze data for
use in court proceedings
 Techniques involve traditional data recovery along
with live acquisition of volatile data
 Relatively new field, with more research needed for
databases, mobile devices, and virtual machines
 Analysis techniques will need to evolve as cyber
criminals develop more sophisticated ways to hide
their actions