Data Forensics
Damien Leake


Definition
- To examine digital media to identify and analyze information so that it can be used as evidence in court cases
- Involves many data recovery techniques
  - Process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media
    - Hard drives, USB flash drives, DVDs
  - Recovery may be required due to physical damage or logical damage to the file system
- Digital evidence has to be authentic, reliably obtained, and admissible

Common Scenarios for Data Recovery
- Operating system failure
  - Use a Live CD to copy all files to another disk
  - Can be avoided by proper disk partitioning
- Disk-level failure
  - Compromised file system or disk partition
  - Repair file system, partition table, master boot record
  - Hard disk recovery: one-time recovery
- Recovering deleted files
  - Often data is not removed, only the references to them in the file table
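The last bullet is the basis of file carving: when only the file-table entry is gone, the content can still be found by scanning unallocated space for known header/footer signatures. This added example (not part of the slides) does that over a constructed raw image; the signature table and the 10 MiB size limit are assumptions.

```python
# Header/footer signatures for two common types (constructed table; not exhaustive).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Scan a raw image for header/footer pairs, ignoring any file table.

    Returns a list of (kind, offset, data) sorted by offset. A header with no
    footer within max_size bytes is skipped (likely fragmented or overwritten).
    """
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(foot, start + len(head), start + max_size)
            if end == -1:
                pos = start + 1          # orphaned header: keep scanning past it
                continue
            end += len(foot)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])

def make_sample_image() -> bytes:
    """Constructed 'unallocated space': files are present but nothing references them."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-pixels" + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
    orphan = b"\xff\xd8\xff\xe1" + b"truncated-jpeg-without-footer"
    gap = b"\x00" * 512
    return gap + jpg + gap + pdf + gap + orphan + gap

if __name__ == "__main__":
    for kind, offset, data in carve(make_sample_image()):
        print(f"{kind} at offset {offset}: {len(data)} bytes")
```

Real carvers also validate the recovered structure (for example, parse the JPEG segments), because a footer match alone does not prove the bytes in between belong to the same file.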

Data Reduction During Acquisition
- Ever larger hard drives make collecting data very time-consuming
- Data analysis can also take much longer if there are large amounts of data
- Known files
  - Operating system and application files can often be disregarded when looking for documents
- File types
  - Many file types can usually be ignored
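Both reductions on this slide are usually applied together: drop files whose hash appears in a reference set of known OS/application files, and drop file types that cannot be user documents. This added example (not from the slides) implements that filter over constructed in-memory files; the extension list and the known-hash set are assumptions standing in for a real reference set such as NSRL.

```python
import hashlib
from pathlib import PurePosixPath

# File types excluded when the search is for user documents (assumed policy).
IGNORED_EXTENSIONS = {".dll", ".exe", ".sys", ".fon"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def reduce_candidates(files: dict, known_hashes: set, ignored_exts=IGNORED_EXTENSIONS):
    """Return (kept, dropped); dropped maps path -> reason it was set aside.

    files: path -> content. known_hashes: SHA-256 digests of known-good
    OS/application files. Type filtering runs first because it needs no hashing.
    """
    kept, dropped = {}, {}
    for path, content in files.items():
        ext = PurePosixPath(path).suffix.lower()
        if ext in ignored_exts:
            dropped[path] = f"ignored type {ext}"
        elif sha256(content) in known_hashes:
            dropped[path] = "known file"
        else:
            kept[path] = content
    return kept, dropped

def make_sample():
    """Constructed file set and reference hashes for the demonstration."""
    vendor_readme = b"installed application readme"
    files = {
        "Windows/System32/example.dll": b"\x4d\x5a fake PE bytes",
        "Program Files/App/readme.txt": vendor_readme,
        "Users/alice/Documents/plan.docx": b"PK constructed docx bytes",
        "Users/alice/notes.txt": b"meeting moved to thursday",
    }
    known = {sha256(vendor_readme)}   # the vendor's pristine file, so its copy is noise
    return files, known

if __name__ == "__main__":
    kept, dropped = reduce_candidates(*make_sample())
    print("examine:", sorted(kept))
    print("set aside:", dropped)
```

Note that hashing works only for exact copies; a known file that has been modified, or a document renamed to an ignored extension, survives the first filter and still needs signature checks.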

Live Acquisition
- Debate: pull the plug or not when finding a suspect's computers
  - For: minimizes disturbance to stored data
  - Against: critical data may be in RAM
    - With full disk encryption, files are decrypted on the fly, with the decryption key stored in RAM
    - Open ports, active processes
    - Fully volatile OS: Knoppix
    - Unsaved documents

Examining RAM
- Evidence cannot be recorded on a target machine without changing its state
  - Logs, temp files, network connections opened/closed
  - Critical data may be overwritten
- Analysis utilities may need to be loaded onto the target system
- Usually, RAM data is sent to another machine over a network connection
- These problems may be avoided if the target machine was running on a virtual machine

Virtual Introspection
- Process by which the state of a VM is observed from the Virtual Machine Manager or another VM on the system
- No current production tool, but research shows promise
- Can allow live system analysis of a VM
- May be possible for it to be undetected by the target system
  - Experienced cyber criminals may have safeguards that remove critical data from RAM upon breach detection

Virtual Introspection for Xen
- Xen is an open source Virtual Machine Manager
  - Not as robust as some competitors
  - Open source means that researchers can modify the VMM should that become necessary
- VIX is a suite of tools currently being developed for Xen
  - Provides an API for getting data from different VMs
  - Pauses the target machine, acquires data, un-pauses the machine
    - Ensures machine state is not modified

Future Work
- Support for multiple OS
  - Currently, the Linux 2.6 kernel is supported by VIX
  - Need Windows and Mac OS support for widespread significance
- Analysis of the extent to which VI can be detected by the target VM
  - Timing analysis, page fault monitoring
- Application of these techniques to VMware and other popular VM platforms

Database Forensics
- Standard forensics tools tend to be too time-consuming to run on large databases
- Database tools to search logs are quicker
  - Can return a lot of useful information
  - But they may alter the database in ways that complicate the admissibility of the content in court
- New field of study with little literature

Mobile Device Forensics
- State of device at time of acquisition
  - Password locks
  - Remote data deletion
- Variety of operating systems
  - Hard to build tools considered industry standard

FTK Mobile Phone Examiner
- Most commonly used tool in the US
- Simple data acquisition
  - Cable, infrared, Bluetooth
  - Does not alter any data on the device
- Integration with Forensic Toolkit
  - Perform analysis on multiple phones at once
  - Reports are automatically court-usable

Oxygen Forensic Suite
- Popular tool with European law enforcement agencies
- Extracts all possible information
  - Phone/SIM card data
  - Contact list, caller groups, speed dials
  - All calls sent/received/missed
  - SMS, calendar events, text notes
  - Can tap into LifeBlog and geotagging in Nokia Symbian OS phones

EnCase Neutrino
- Extension of the company's PC forensic software
- Claims to have the only extensively tested signal blocking technology
- Data acquisition starts with the SIM card first, then searches the phone itself
- Easily returns device serial number, cell tower location, and manufacturer information

Anti-Forensics
- Avoid detection of events
- Disrupt collection of information
- Increase time spent on case

Attacking Data
- Data wiping
  - Overwrite erased disk space with random data
  - Many commercial tools do not do this properly and leave some of the original data
- Data hiding
  - Encryption
  - Using anonymous web storage
  - Steganography
    - Embedding data into another digital form (images, videos)
- Data corruption
  - Aims to stop the acquisition of evidentiary data

Attacking Forensics Tools
- Aims to make examination results unreliable in court
- Manipulate essential information
  - Hashes
  - Timestamps
  - File signatures
- Compression bomb
  - Compress data hundreds of times
  - Causes the analyzing computer to crash trying to decompress it
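The defence against the compression-bomb bullet is to look before inflating: a ZIP's central directory already declares each member's compressed and uncompressed size, so an examiner's tool can refuse archives with extreme expansion ratios or huge declared totals without decompressing anything. This added example (not part of the slides) implements that gate over two constructed archives; the 100x ratio and 50 MiB total limits are assumed policy values.

```python
import io
import zipfile

MAX_RATIO = 100.0               # expansion ratio above which a member is flagged (assumed)
MAX_TOTAL = 50 * 1024 * 1024    # declared uncompressed total the tool is willing to inflate

def inspect_archive(data: bytes):
    """Screen a ZIP using only central-directory metadata; nothing is decompressed.

    Returns (safe, findings). Declared sizes can themselves be forged, so this
    is a first gate before extracting under a hard output-size limit, not a
    complete defence.
    """
    findings = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                findings.append(f"{info.filename}: expands {ratio:.0f}x")
            if info.filename.lower().endswith(".zip"):
                findings.append(f"{info.filename}: nested archive, screen separately")
    if total > MAX_TOTAL:
        findings.append(f"declared total {total} bytes exceeds {MAX_TOTAL}")
    return not findings, findings

def make_sample_archives():
    """Constructed inputs: an ordinary archive and a highly compressible one."""
    normal = io.BytesIO()
    with zipfile.ZipFile(normal, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"Item 7: two drives imaged, hashes recorded, bags sealed.")
    dense = io.BytesIO()
    with zipfile.ZipFile(dense, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("padding.bin", b"\x00" * (2 * 1024 * 1024))   # ~1000x under deflate
    return normal.getvalue(), dense.getvalue()

if __name__ == "__main__":
    for label, blob in zip(("normal", "dense"), make_sample_archives()):
        safe, findings = inspect_archive(blob)
        print(label, "safe" if safe else "flagged", findings)
```

The same idea carries to the hash and timestamp bullets: record acquisition hashes and file-system timestamps at imaging time and compare against them later, so that later manipulation shows up as a mismatch rather than passing unnoticed.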

Attack the Investigator
- Exhaust the investigator's time and resources
  - Leave large amounts of useless data on hard drives
  - Cases that take too long are more likely to be dropped

Summary
- Data forensics attempts to capture and analyze data for use in court proceedings
- Techniques involve traditional data recovery along with live acquisition of volatile data
- Relatively new field, with more research needed for databases, mobile devices, and virtual machines
- Analysis techniques will need to evolve as cyber criminals develop more sophisticated ways to hide their actions