Page 1: 180529 ComputerForensics final - Home - people.unica.it · While analysing storage devices, it must be considered that requirements of the operating system and of the applications

Pattern Recognition and Applications Lab

Università di Cagliari, Italy

Dipartimento di Ingegneria Elettrica ed Elettronica

Computer Forensics

Ing. Davide Ariu

[email protected]

May 29th, 2018

http://pralab.diee.unica.it

Definition

“Digital forensics, also known as computer and network forensics, has many definitions. Generally, it is considered the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. Data refers to distinct pieces of digital information that have been formatted in a specific way.”*

*NIST - Guide to Integrating Forensic Techniques into Incident Response


Devices subject to analysis

“Digital forensics, also known as computer and network forensics…”

The variety of names used to refer to this discipline depends on the variety of devices which might be subject to analysis:

Laptop, Desktop, Server

Network Devices (e.g. Router, Switch)

Smartphones, Tablets, Mobile Phones

Removable Devices (External Hard Drives, USB sticks, Memory Cards, Mice with internal memory…)

MP3 Players, …

Consoles (Nintendo Switch/(3)DS/Wii, Sony PlayStation(s), Microsoft Xbox)

Wearables (e.g. Smart-watch, Activity Trackers, Smart Glasses, …)

Internet of Things, … Medical Devices, Printers, Video recorders…

Any device able to store information might be subject to forensic analysis.


Vuxis M100


IoT & Smart Devices


The four steps

“…application of science to the identification, collection, examination, and analysis of data…”

Collection. Identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data.

Examination. Forensically processing collected data using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data.

Analysis. Analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.

Reporting. Reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process.

NIST - Guide to Integrating Forensic Techniques into Incident Response


Preserving Data Integrity

“while preserving the integrity of the information and maintaining a strict chain of custody for the data”

Preserving data integrity. Principle: Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination. For these reasons special precautions should be taken to preserve this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion. “Evidence allows the judge to correctly reconstruct and prove the facts asserted by the parties in the course of the proceedings” (Computer Forensics, A. Ghirardini, G. Faggioli)

Chain of custody. Before the analyst begins to collect any data, a decision should be made […] on the need to collect and preserve evidence in a way that supports its use in future legal or internal disciplinary proceedings. [..] a clearly defined chain of custody should be followed to avoid allegations of mishandling or tampering of evidence. This involves keeping a log of every person who had physical custody of the evidence, documenting the actions that they performed on the evidence and at what time, storing the evidence in a secure location when it is not being used, making a copy of the evidence and performing examination and analysis using only the copied evidence, and verifying the integrity of the original and copied evidence.


Three ways of acquiring forensic data

Seizure. Not always possible:

Large systems (e.g. rackmount servers)

Systems which cannot be turned off (e.g. SCADA/Industrial Control Systems)

Network traffic or volatile data (e.g. RAM contents)

Duplication. It is the most typical situation. It consists in making a forensic copy of the device and in using it for data extraction and analysis.

Interception. Data can be acquired while it is flowing from one system to another. Data is not read from the device where it is stored, but instead it is intercepted during transmission.

In any case, the first problem the investigator must face is to identify the devices where information relevant to the investigation can be found.

*Computer Forensics, A. Ghirardini, G. Faggioli


Non-repeatable analysis

It is of utmost importance, before starting the analysis, to establish whether it is repeatable or not, as non-repeatable analyses are typically subject to a different discipline.

E.g. The Italian Code of Criminal Procedure

Art. 359 c.p.p. (Technical consultants of the Public Prosecutor) provides that the Public Prosecutor (P.M.), when carrying out assessments, identification, descriptive or photographic surveys and any other technical operation requiring specific skills, may appoint and make use of consultants, who cannot refuse to perform the work.

Art. 360 c.p.p. (Non-repeatable technical assessments) provides that, when the assessments under Art. 359 concern persons, things or places whose state is subject to change, the Public Prosecutor notifies, without delay, the person under investigation, the victim of the offence and the defence counsel of the day, time and place set for the assignment of the task and of the right to appoint technical consultants.


Layers of analysis based on the design of digital data

*B. Carrier – File System Forensic Analysis, Wiley

Process of analyzing data at the physical level to the application level

*B. Carrier – File System Forensic Analysis, Wiley


Hard Disk Geometry

Each track is divided into sectors; the sector is the smallest addressable storage unit in the hard disk and is typically 512 bytes.

Each sector is uniquely identified by:

The platter number

The track number

The sector number


Volumes and Partitioning

While analysing storage devices, it must be considered that the requirements of the operating system and of the applications usually make the physical specs differ from the logical ones.

Examples:

I have a large storage device (1TB), and want data stored in a volume separate from the operating system and the applications:

A 250GB Volume is created for OS and Applications

A 750GB Volume is created for Data

I want a virtual volume larger than any single device I have available, e.g. RAID


Volumes and Partitioning

Volume. A set of addressable sectors which the operating system or the applications might use to store data.

It is not necessary that the sectors are physically located in adjacent areas of the same physical device.

A volume might be obtained by merging smaller physical devices.


Volumes and Partitioning

Partition. A collection of consecutive sectors on a Volume.

Why partition a Volume:

Some file systems are not able to handle large volumes

UNIX systems typically use separate partitions for OS and data in order to limit the damage in case of a corrupted file system

Dual boot

mmls (The Sleuth Kit) allows inspecting the partition table


File System

File System. Allows organising and storing data on a volume through a hierarchy of files and directories.

Allows separating the physical management of the data on the disk from their logical organisation (files and directories), which is managed by the OS, applications, and users.

Allows managing file names, creation, deletion, and modification.

Allows associating meta-data with the files:

Size

Date and time of creation, last modification, and last access

Permissions


Evidence acquisition and analysis

From the previous slides, it emerges that a possible way to analyse a hard drive is as follows:

Make a copy of the support:

Physical copy

Logical copy

Analyse every single partition

Within each partition, analyse both the file system and the files


Acquiring Digital Evidence

Preserving data integrity. The first step must always consist in making a copy of the digital support, in order to freeze the evidence it might contain.

Several problems might arise from working directly on the original data:

The content of the device might be altered (either accidentally or not)

An HDD connected to an Operating System automatically receives data from the latter by the simple fact of being connected

Whenever a file is opened, its last access date is automatically modified

Human error

Risk of damaging the support:

Even if the support is apparently healthy, the analysis might put some stress on the device, which might be damaged as a result

If the support is already in a bad/critical condition, such probability is of course higher

Human error


Acquiring Digital Evidence

It is a best practice:

To make a copy of the device, proving that it is 100% identical to the original

Hash/checksum (e.g. md5sum, sha256sum) on both the source and the copy

Guymager (http://guymager.sourceforge.net, free) or commercial alternatives (FTK Imager, EnCase Imager) allow calculating the hash while making the copy

Save time!!!

To make a copy of the copy

Hash check

To work on the copy of the copy


Before starting – Pictures & Video


Making a forensic copy

Any write from the computer/device used for the analysis to the support must be prevented.

Even a simple connection through the USB port without any reading is able to change the content of the disk.

E.g. the OS creates hidden files useful to make the preview of the contents faster (e.g. Thumbs.db on Windows or .DS_Store on OS X)

This changes the hash.

Write Blockers must be used:

Hardware (e.g. Tableau - Guidance Software).

Software (Linux distros with auto-mount disabled):

CAINE - http://caine-live.net

DEFT - http://deftlinux.net


Finding Disks and Partitions

On UNIX machines the list of the disks and of the volumes can be obtained by typing

    fdisk -l*

    Disk /dev/sda: 250.1 GB, 250059350016 bytes
    255 testine, 63 settori/tracce, 30401 cilindri, totale 488397168 settori
    Unità = settori di 1 * 512 = 512 byte
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Identificativo disco: 0x42224222

    Dispositivo Boot      Start        End     Blocks  Id  System
    /dev/sda1                63    9439231    4719584+  82  Linux swap / Solaris
    /dev/sda2   *       9446220   47391532   18972656+  83  Linux
    /dev/sda3          47391750  145693484   49150867+  83  Linux
    /dev/sda4         145693485  488392064  171349290   83  Linux

*requires administrator privileges
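The following is an added example, not code from the slides, from fdisk or from The Sleuth Kit: a small Python parser for the classic MBR partition table that reports the same Start/End/Id columns as the fdisk listing above and, for each partition, the byte offset (start sector × 512) that losetup -o or mount -o offset= expect when a partition is mounted from an image file. The MBR it parses is constructed inside the file from the first two partitions of the listing; the TYPE_NAMES table, the listing() renderer and the unallocated() helper are this example's own additions.

```python
# Added example (not from the slides): parse an MBR partition table the way
# fdisk -l / mmls present it, and derive the byte offset a partition starts at.
# The MBR is constructed in build_mbr() from the sector numbers of the slide's
# listing; no real device is touched.
import struct

SECTOR = 512                  # logical sector size assumed throughout
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446            # first of the four 16-byte entries
SIGNATURE = b"\x55\xaa"       # boot signature at bytes 510..511

# Subset of partition type ids, named as fdisk prints them
TYPE_NAMES = {0x82: "Linux swap / Solaris", 0x83: "Linux", 0x07: "HPFS/NTFS/exFAT",
              0x0b: "W95 FAT32", 0x0c: "W95 FAT32 (LBA)", 0x05: "Extended"}


def build_mbr(parts):
    """Construct a test MBR. parts: [(bootable, type_id, start_lba, sector_count), ...]"""
    mbr = bytearray(SECTOR)
    for i, (bootable, type_id, start, count) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, b"\xfe\xff\xff",
                         type_id, b"\xfe\xff\xff", start, count)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def parse_mbr(sector0):
    """Return a list of dicts describing the non-empty primary partitions."""
    if len(sector0) < SECTOR or sector0[510:512] != SIGNATURE:
        raise ValueError("no MBR boot signature 0x55AA at offset 510")
    parts = []
    for i in range(4):
        status, _chs0, type_id, _chs1, start, count = struct.unpack_from(
            ENTRY_FMT, sector0, TABLE_OFFSET + 16 * i)
        if type_id == 0 or count == 0:
            continue  # unused slot
        parts.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": type_id,
            "system": TYPE_NAMES.get(type_id, "unknown"),
            "start": start,
            "end": start + count - 1,
            "sectors": count,
            # value to pass to 'losetup -o' or 'mount -o offset=' on the image
            "byte_offset": start * SECTOR,
        })
    return parts


def unallocated(parts, total_sectors):
    """Sector ranges covered by no partition (what mmls labels 'Unallocated'):
    space a physical analysis or carving pass may still want to look at."""
    gaps, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def listing(parts, device="/dev/sda"):
    """Render the table roughly as fdisk -l prints it (sizes in sectors)."""
    rows = ["%-12s Boot %11s %11s %11s Id System" % ("Device", "Start", "End", "Sectors")]
    for p in parts:
        rows.append("%-12s %-4s %11d %11d %11d %02x %s" % (
            device + str(p["index"]), "*" if p["bootable"] else "",
            p["start"], p["end"], p["sectors"], p["type"], p["system"]))
    return "\n".join(rows)


# Constructed MBR using the first two partitions of the slide's listing
SAMPLE_MBR = build_mbr([(False, 0x82, 63, 9439169),
                        (True, 0x83, 9446220, 37945313)])

if __name__ == "__main__":
    print(listing(parse_mbr(SAMPLE_MBR)))
    print(unallocated(parse_mbr(SAMPLE_MBR), 488397168))
```

The byte_offset of /dev/sda2 (9446220 × 512) is the number that would follow -o when the partition is attached with losetup from an image; the unallocated() output lists the gaps (before the first partition and between partitions) that no file system covers.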


Bitstream copy

Once the disk or the partitions to copy have been identified, it is possible to start with a bit-to-bit copy.

UNIX systems natively provide a command which can be used for such purpose: dd

It allows saving the copy onto an image file

It allows cloning one device onto another (whose size must be >= that of the source)

Examples:

Image file

    dd if=/dev/hda of=/mnt/sda/disco.dd bs=512 conv=noerror,sync

Disk cloning

    dd if=/dev/hda of=/dev/hdb

Zeroing a hard drive

    dd if=/dev/zero of=/dev/hdb

The checksum must always be verified. Example: md5sum /dev/hda and md5sum /mnt/sda/disco.dd shall produce the same result.
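An added example, not the slides' dd/md5sum commands: a sector-by-sector copy in Python that reproduces what the dd line above does, including the conv=noerror,sync behaviour on a failing sector, followed by the hash check on source and copy and then on the copy of the copy, as the best-practice slide prescribes. It runs on files in a temporary directory; the bad_sectors parameter is an assumption of this example, used only to simulate a read error.

```python
# Added example (not from the slides): a dd-style sector-by-sector copy with the
# hash verification the slides prescribe. It works on regular files created in a
# temporary directory, so no device or root privileges are needed; the
# bad_sectors parameter is an assumption of this example used to simulate a
# read error and show what conv=noerror,sync does to the image.
import hashlib
import os
import tempfile

SECTOR = 512  # bs=512 in the slide's dd command


def sha256_of(path):
    """Hash a file in 1 MiB chunks (the md5sum/sha256sum step of the slide)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_copy(src, dst, bad_sectors=frozenset()):
    """Copy src to dst one sector at a time; return the list of padded sectors.

    A sector whose index is in bad_sectors stands in for a read error: as with
    conv=noerror,sync, the copy does not stop and SECTOR zero bytes are written
    in its place, so every later sector keeps its original offset."""
    padded = []
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        idx = 0
        while True:
            data = fin.read(SECTOR)
            if not data:
                break
            if idx in bad_sectors:
                data = b"\x00" * SECTOR
                padded.append(idx)
            fout.write(data)
            idx += 1
    return padded


def verify(original, copy):
    """True when both digests match; the two digests go into the acquisition log."""
    a, b = sha256_of(original), sha256_of(copy)
    return a == b, a, b


def demo():
    """Constructed 4-sector 'device' with a distinct byte pattern per sector."""
    tmp = tempfile.mkdtemp()
    device = os.path.join(tmp, "device.bin")
    with open(device, "wb") as f:
        for i in range(4):
            f.write(bytes([i + 1]) * SECTOR)

    image = os.path.join(tmp, "image.dd")
    padded = bitstream_copy(device, image)
    image_ok, _, _ = verify(device, image)

    # copy of the copy: analysis runs on this one, the first image stays sealed
    working = os.path.join(tmp, "working.dd")
    bitstream_copy(image, working)
    working_ok, _, _ = verify(image, working)

    # a device with one failing sector: the copy completes, but its hash can no
    # longer equal the device's, and the padded sector list must be reported
    damaged = os.path.join(tmp, "damaged.dd")
    padded_bad = bitstream_copy(device, damaged, bad_sectors={2})
    damaged_ok, _, _ = verify(device, damaged)

    return {"padded": padded, "image_ok": image_ok, "working_ok": working_ok,
            "padded_bad": padded_bad, "damaged_ok": damaged_ok}


if __name__ == "__main__":
    print(demo())
```

The damaged case is the caveat worth remembering: with conv=noerror,sync the image keeps its geometry, but the hash of a device with unreadable sectors cannot match the image, so the list of padded sectors, not just the two digests, belongs in the acquisition report.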


Image Creation Tools


Issues - 1

RAID. Both HW & SW

As a first step it is usually useful to make a physical copy of every single device

Then, it is also useful to create an image of the whole volume, which is of course much easier to analyse

If a RAID controller is available (e.g. on the seized machine) we can possibly use it to rebuild the volume

Otherwise, we can use software utilities, such as mdadm* available on UNIX systems

Issues with RAID systems:

Size of the Volume

Non-standard RAID implementations

Encrypted volumes. Mandatory: get the key!!!

Recommendation: think twice before powering off a machine!!

*https://raid.wiki.kernel.org/index.php/RAID_setup


A real case: WD Share Space


Issues - 2

Solid State Drives

Forensically speaking, they are significantly different from traditional magnetic hard drives*

Organized in pages of 2KiB or 4KiB, but presented to the OS as divided in chunks of 512 bytes

Rewriting a specific block doesn't necessarily mean rewriting the same page on the flash device

A sector of a magnetic hard drive can be rewritten millions of times

A page of an SSD device can be rewritten approximately 10,000 times

For this reason, SSD controllers implement algorithms which distribute writes across pages and thus make wear uniform

A page cannot simply be overwritten: it must first be erased before being reused. As soon as a file is deleted, the controller may erase the corresponding pages, so that they are immediately available for a new write

Page capacity is typically 25% higher than that made available to the operating system

Encryption

*http://www.forensicswiki.org/wiki/Solid_State_Drive_(SSD)_Forensics
http://belkasoft.com/en/ssd-2014


Issues - 3


Device Analysis

Once we have copied the device, we have two options to analyse it:

Physical Analysis. Tries to recover data from the whole hard drive, without considering the file system and thus without any logical organisation

Keyword Search; File carving; Partition Tables; Unallocated space

Cons: Information is not organised; data might be allocated in non-adjacent sectors

Time consuming (on a 2TB disk there are 4 billion sectors…)

Not a starting point. Typically follows a Logical Analysis

Logical Analysis. Much more convenient if the file system is not corrupted.

Allows working directly on files instead of blocks; keyword search is much more efficient

Leverages applications to read proprietary file formats


File Carving

File Carving is a search technique which relies on file contents instead of using meta-data.

Metadata is provided by the File System, which is ignored during carving.

Typically, carving is based on the analysis of file headers and footers:

For every file type a header/footer pair is defined

Headers and Footers are sequences of bytes which make it possible to immediately recognise the file type

E.g. JPEG has header FF D8 and footer FF D9 (hexadecimal)

The carving tool looks for the file header

Once it finds it, it also analyses the following sectors, looking for the footer. If it finds it, the file is recovered.

Issue: Fragmentation.

Carving variants:

The header is searched for only at the beginning of a sector

Embedded files are not recovered

Statistical Carving, SmartCarving: the content of a block is analysed to check whether it is similar to that of the neighbouring ones
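An added example, not Foremost, PhotoRec or Scalpel and not code from the slides: a header/footer carver in Python, run over a constructed image that contains a sector-aligned JPEG, a JPEG embedded 20 bytes into another file, and a JPEG header with no footer. The JPEG signature is the FF D8 / FF D9 pair from the slide; the PNG pair, the sample image and the sector_aligned flag (the "header only at the beginning of a sector" variant) are this example's additions.

```python
# Added example (not from the slides): a minimal header/footer file carver of the
# kind described above, run over a constructed disk image. It is not Foremost,
# PhotoRec or Scalpel; the signature table and the image are test data built here.
SECTOR = 512

# header/footer pairs: JPEG as on the slide, PNG added for illustration
SIGNATURES = {
    "jpg": (b"\xff\xd8", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, signatures=SIGNATURES, sector_aligned=False, max_len=16 * 1024 * 1024):
    """Return [(offset, length, ext)] for each header whose footer is found.

    sector_aligned=True is the variant that only accepts headers at a sector
    boundary: faster, but a file embedded inside another file is missed.
    A header with no footer within max_len is skipped (fragmented or truncated
    file; a plain header/footer carver cannot reassemble it)."""
    hits = []
    for ext, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            if sector_aligned and pos % SECTOR:
                pos = image.find(header, pos + 1)
                continue
            end = image.find(footer, pos + len(header), pos + max_len)
            if end == -1:
                pos = image.find(header, pos + 1)
                continue
            hits.append((pos, end + len(footer) - pos, ext))
            pos = image.find(header, end + len(footer))
    return sorted(hits)


def extract(image, hit):
    """Return the bytes of one carved file (what a tool would write to disk)."""
    offset, length, _ext = hit
    return image[offset:offset + length]


def build_sample_image():
    """Constructed 4-sector image: filler, a sector-aligned JPEG, a JPEG embedded
    20 bytes into a container file, and a JPEG header with no footer."""
    jpeg_a = b"\xff\xd8" + b"J" * 100 + b"\xff\xd9"          # 104 bytes, at 512
    jpeg_b = b"\xff\xd8" + b"E" * 50 + b"\xff\xd9"           # 54 bytes, at 1044
    container = b"PK\x03\x04" + b"x" * 16 + jpeg_b            # embedded JPEG
    truncated = b"\xff\xd8" + b"T" * 100                      # no footer: skipped
    image = (b"A" * SECTOR
             + jpeg_a.ljust(SECTOR, b"\x00")
             + container.ljust(SECTOR, b"\x00")
             + truncated.ljust(SECTOR, b"\x00"))
    return image, jpeg_a, jpeg_b


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    print("all headers:      ", carve(image))
    print("sector-aligned:   ", carve(image, sector_aligned=True))
```

Running it shows the trade-off the slide lists under "carving variants": the full scan recovers both JPEGs, the sector-aligned scan recovers only the one that starts at a sector boundary, and neither recovers the header-only fragment.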


Finding the evidence

The kind of evidence sought heavily depends on the specific case.

Searches which are frequently made are*:

Keyword (e.g. Autopsy, EnCase)

Deleted files

File categories, names, directories

Carving (frequently used tools are Foremost, PhotoRec, Scalpel)

Carving within Thumbs.db files

Browser History

Installed Applications

Virtual Machines

Cracking of protected files/applications

Files in proprietary formats: starting from the hard drive image, it is useful to create a virtualised environment and to leverage the installed applications

*N. Bassetti, Indagini Digitali


A single professional profile. Multiple roles.

CT. Consulente Tecnico (technical consultant), for example of the Public Prosecutor (PM), in criminal proceedings.

CTP. Consulente tecnico di parte (party-appointed technical consultant), in criminal and civil proceedings.

CTU. Consulente tecnico (technical consultant) of the judge in civil proceedings.

PERITO. Technical consultant of the judge in criminal proceedings.

Ausiliario di Polizia Giudiziaria (assistant to the judicial police). Art. 348, para. IV: “The judicial police, when, on its own initiative or by delegation of the Public Prosecutor, carries out acts or operations requiring specific technical skills, may make use of suitable persons, who cannot refuse to perform the work.”

As established by the Court of Cassation, “Any act carried out by the assistant to the judicial police in the exercise of his functions is to be considered an act of the judicial police itself”; he takes on the status of public official and operates under the direction and control of the judicial police (P.G.).


Forensic Inspections - Examples

Example #1. Proceed, with repeatable assessments, to examine the seized hard disk, in order to ascertain:

The correct technical functioning and accessibility of the device

The detection of the data contained in it, with particular reference to video files

The possible recovery of data removed from the device

Example #2. … after examining the seized IT material (personal computer and other electronic devices, listed in detail in the seizure reports), duplicate all data, information, programs and/or IT systems (“stored” in the seized exhibits) onto suitable media, by means of a procedure that ensures the conformity of the copy to the original and its non-modifiability.


Forensic Inspections - Examples

Example #3. … search the seized IT material for any element concerning the matter […]; in particular, identify numeric and/or alphanumeric sequences attributable to […]; the existence of accounting documents […]; messages and chats between the subjects involved in the ongoing investigation […]

Example #4. … ascertain the content, origin, dating and any other specific descriptive profile (also by preparing photographic images) of the files contained in it and of interest for the purposes of the investigation […], and whether the characteristics of the files (and their creation date) have been altered or modified and, in any case, whether traces of alterations can be detected.


Final Reporting

The final report (to be delivered, for example, to the PM if CT/CTP or to the judge if CTU) is a document which must present and summarise:

The activities carried out

The results obtained

It is important:

That the report be readable and reasonably understandable also by non-technical staff

You are electronic/computer engineers

The judge, the lawyer, the PM have a legal background

Therefore:

It is important to use the utmost precision of language

Explaining in language accessible to a non-technical audience the less clear concepts (and providing bibliographic references, possibly authoritative sources).

Using Italian terms wherever an acceptable translation exists.

A report which is not understandable may turn out to be useless or lead to wrong conclusions.


Final Reporting

Possible structure of a report:

Introduction. Explains the context in which the activity was carried out, who took part in the analysis, and provides the references to the proceedings.

Description of the question. It is sufficient to report the question as it appears in the minutes of the assignment.

Description of the material under analysis. It is useful to summarise the characteristics of the material which have a concrete impact on the choice of the most appropriate intervention method.

Photographs of the material under analysis are often attached, highlighting for example model and serial number.

Methodologies and intervention procedures. Describe the hardware and software tools used and the procedures carried out.

Tools and procedures must be chosen consistently with the characteristics of the devices and with the question to be answered.

Results. For each of the points in the question, it is necessary to illustrate what the intervention procedures carried out made it possible to establish.

Conclusions. Briefly summarise the most relevant results, in relation to the questions posed.

You are not the judge, you are expert witnesses. In formulating the conclusions, it is appropriate to maintain a neutral position.


Open Source Distros


References

http://linuxleo.com

http://forensicswiki.org

http://www.cfitaly.net

http://deftlinux.net

http://caine-live.net

http://santoku-linux.com


Hands-On

1. Acquire the USB stick using the dd command; use the option bs=512 to specify the sector size and the option conv=noerror,sync to let the command proceed even if an error condition occurs during the copy.

2. Using a hash function, verify that the content of the image file matches exactly that of the stick.

3. Using the fdisk command, inspect the partition table of the USB stick and of the acquired file.

Hint: use the -l option

4. Using Foremost and PhotoRec (found in Partition 2 of the stick), carve the stick, recovering any files previously deleted from it.

5. Using the mount command, mount from the command line at least one of the partitions present in the disk image.

Hint: use the command losetup /dev/loop0 pendrive.dd -o OFFSET to create a virtual disk to be mounted later with mount.