
Collection of Evidence

Computer Forensics 152/252


Thomas Schwarz, S.J. SCU Comp. Eng. 2013

Ethical and Legal Requirements for Collecting Evidence: Expectations of Privacy

The expectation of privacy stems from the customs of the society. It is an ethical right and it is legally protected. It can be modified or removed by company policy.


Ethical and Legal Requirements for Collecting Evidence: Stated Monitoring Policy

A stated monitoring policy removes most legal and ethical problems. It can explain the reasons behind the monitoring, and it can be formulated and discussed in advance instead of improvised as a reaction in the heat of the moment. The policy (or at least its existence) can be advertised on login banners; under the indirect consent doctrine such banners apply even to intruders.


Ethical and Legal Requirements for Collecting Evidence: Monitoring and Logging

Routine monitoring and logging produce computer records that are probably business records, which makes it easy to admit them directly into evidence. If logging is only switched on during the incident, the records themselves might not be admissible; system administrators could, however, testify based on them.


Evidence

Computer evidence must be admissible, authentic, complete, reliable, and believable and understandable.


Logging

Logging is cheap and easy. Intruders are not always successful in erasing their traces. Log records become business records and are more easily admitted into evidence. Ideally, logs are kept on write-once, read-many (WORM) devices. In reality one can come close to WORM, for example by forwarding logs to a separate log host that the monitored systems can append to but not modify.


Volatility

Volatility: evidence can degrade over time. Example: evidence in RAM does not survive a power-off. Example: the network state changes as connections are closed and new ones are opened.


Volatility: Degrees of Volatility

From most to least volatile:
1. Memory
2. Running processes
3. Network state
4. Permanent storage devices


Reacting to Volatility: Plan

What evidence are you looking for? Where can it be found? How do you get it?


Reacting to Volatility: Unplug the Power Plug (or Remove the Battery)

Destroys volatile evidence. Preserves the stored evidence completely, as it was at the point of seizure.


Reacting to Volatility: Graceful Shutdown

Destroys volatile evidence. Alters system files. Allows clean-up software, including an intruder's, to run.


Reacting to Volatility: Unplug the Network Cable

Removes the intruder's access to the system. Alerts the intruder. "Dead man switch" programs can destroy evidence once the connection is lost.


Reacting to Volatility: Live Examination

An intruder with root privileges can watch the examination. System tools can be trojaned, including booby-trapped, so use forensic tools from your own read-only media (floppy / CD). Even that does not work if the system is rootkitted: the tools you bring along still run on the compromised kernel, which can lie to them.


Reacting to Volatility: Know the Trade-offs

There are no good reasons for a graceful shutdown. If you do a live investigation, monitor the network first.


Documentation and Chain of Custody

Document each step in a forensic procedure, ideally with documentation that is generated automatically. Use forensically sound tools. Apply the "two pairs of eyes" integrity rule to data gathering. Best of all: a clear procedural policy.


Do Not Alter Evidence

Evidence can be easily and inadvertently altered by the forensic procedure itself:
- use of improper tools such as tar, which alter file access times;
- trojaned system utilities;
- a "dead man switch", an intruder tool that changes files when the computer is no longer connected to the internet;
- system shutdown and reboot.


Cloud Computing

Cloud computing allows evidence to be hidden successfully, since account generation is hidden from the investigator. In a corporate / organizational environment: prepare for incidents, log network connections, and install monitoring software on corporate computers in a high-security environment.


Forensic Duplication of Storage Devices


Forensic Duplication

Creating a "mirror image" of a storage device such as a disk drive. "Mirror" is considered bad language, since a real mirror does not reproduce its object but reverses it (it changes handedness).


Forensic Duplicates as Admissible Evidence

Federal Rules of Evidence §1002 requires an original to prove the content of a writing, recording, or photograph. This follows from the best evidence rule: copying can introduce errors.


Forensic Duplicates as Admissible Evidence

F.R.E. §1001(3) (renumbered §1001(d) in the 2011 restyling of the rules): "If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an 'original'."


Forensic Duplicates as Admissible Evidence

Federal Rules of Evidence §1003: a duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original.


Forensic Duplicates as Admissible Evidence

As familiarity with digital data increases, the judicial system's handling of it will become more rational.


Reasons for Forensic Duplication

The examination can inadvertently destroy evidence. The original computer system might be available only long enough to capture it, not to examine it.


Definition of Forensic Duplication

A forensic duplicate must be able to produce the identical byte stream that the original produces.


Definitions

Forensic duplicate: a file that contains every bit of information from the source in a raw bit-stream format.

Qualified forensic duplicate: the same, but embedded metadata or certain types of compression are allowed (the EnCase evidence file format is an example).


Definitions

Restored image: a forensic duplicate or qualified forensic duplicate restored to another storage medium. Difficult to do if the second hard drive does not have the same geometry as the original.


Definitions

Mirror image: created by hardware that does a bit-for-bit copy from one hard drive to another. There is an issue with disk and file system metadata such as boot sectors: they describe the original drive and are copied unchanged onto a drive that may differ from it.


Creating a Forensic Duplicate of a Hard Drive: Hardware Mirroring

Can be done in the field.


Creating a Forensic Duplicate of a Hard Drive: Hardware Imager

A hardware imager creates a forensic duplicate from the suspect drive to the evidence drive:
- sector-by-sector copy;
- needs an (integrated) write blocker;
- verification of the copy: MD5 and SHA-1 of the complete copy (neither is collision resistant any more, so a current tool should record SHA-256 as well), with logging of the results;
- must deal with operation errors, such as confusion between the suspect and the evidence drive.


Creating a Forensic Duplicate of a Hard Drive: Current and Future Issues

Large data sizes: read errors become more likely. Storage that crosses devices: RAID levels 5 and 6. The need for acquisition from a live system.


Creating a Forensic Duplicate of a Hard Drive: Software Tools: Unix dd

Tested and proven. Runs on Unix/Linux/Mac OS X, which can recognize almost any hardware. Free. Plain dd neither hashes nor keeps an error log by itself; the forensic variants dcfldd and dc3dd add on-the-fly hashing and error logging.


Creating a Forensic Duplicate of a Hard Drive: Software Tools: EnCase

Expensive. Full suite of forensic tools. Great market penetration. Based on Windows, which can be a problem, since Windows might "discover" a drive connected to the system and mount it, which can alter the evidence unless a write blocker is in place.


Creating a Forensic Duplicate of a Hard Drive: Software Tools: SafeBack

Specialized imaging tool. Runs under DOS. The target drive needs FAT32.


Creating a Forensic Duplicate of a Hard Drive: Software Tools: FTK

A drive duplication tool (FTK Imager) is included with the Forensic Toolkit.


Write-blocking

A write blocker is a software or hardware tool that prevents writes to a disk. Software write blockers are hard to validate. All forensic tools need to be validated before use:
- manufacturers offer expert testimony when tools are challenged;
- forensic institutes publish test results (for example the test images at Purdue);
- examiners might do some testing themselves;
- publication in peer-reviewed journals increases the value of testimony.


Write-blocking: Hardware Write Blocking

A simple device placed between the disk and the host interface. It acknowledges writes to the system on which the drive is mounted, but does not perform them. Easy to validate by design and by experiment.


Write-blocking: Hardware Write Blocking

Use hardware write-blocking devices as the standard means of preventing evidence from being overwritten when making a forensic duplicate. Keep a variety of hardware blockers around, because they do not always work (the system may not recognize the drive behind the blocker).


Equipment Needs

A set of write blockers. A set of cables, converters, … A forensic portable (usually not a laptop) for software acquisition. A hardware duplicator.


NIST Computer Forensics Tool Testing (CFTT): http://www.cftt.nist.gov/

Digital Data Acquisition Tool Test Assertions and Test Plan; Digital Data Acquisition Tool Specification; Disk Imaging Specifications 3.1.6.

The top-level disk imaging tool requirements are the following:
- The tool shall make a bit-stream duplicate or an image of an original disk or partition.
- The tool shall not alter the original disk.
- The tool shall be able to verify the integrity of a disk image file.
- The tool shall log I/O errors.
- The tool's documentation shall be correct.
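The hardware-imager checklist (sector-by-sector copy, hash of the complete copy, logging of results, handling of read errors) and the NIST requirements above map directly onto a small program. What follows is an added example written for this page, not a tool from the slides, from NIST or from any vendor: a minimal imager in Python that copies a source bit for bit, never opens it for writing, hashes the stream as it is written (MD5 as on the slides, plus SHA-256 because MD5 and SHA-1 are no longer collision resistant), re-hashes the finished image file as an independent integrity check, and logs every unreadable sector instead of aborting. When a block read fails it retries sector by sector so that only the bad sector is zero-filled, whereas dd conv=noerror,sync zero-fills the whole block. The `FaultySource` class is a constructed stand-in for a drive with bad sectors, the 64-sector contents are constructed, and `acquire`, `hash_file`, `run_demo` and the log line format are this example's own names, not those of any real tool. On real hardware you would pass a file object opened read-only on the write-blocked device instead.

```python
# Added example (not from the slides): minimal forensic imager with bit-stream copy,
# in-flight hashes and a read-error log, in the spirit of dd/dcfldd/dc3dd.
import errno
import hashlib
import tempfile
import time
from pathlib import Path

SECTOR = 512


class FaultySource:
    """Constructed stand-in for a suspect drive: raises EIO on bad sectors."""

    def __init__(self, data, bad_sectors=()):
        self.data, self.bad, self.pos = data, set(bad_sectors), 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        start, end = self.pos, min(self.pos + n, len(self.data))
        if any(start <= s * SECTOR < end for s in self.bad):
            raise OSError(errno.EIO, "Input/output error")
        self.pos = end
        return self.data[start:end]


def _timestamp():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def _read_block(src, offset, length, log):
    """Read one block; on error retry sector by sector, zero-fill and log only the
    sectors that fail (dd conv=noerror,sync would zero the whole block)."""
    src.seek(offset)
    try:
        return src.read(length), 0
    except OSError:
        pass
    out, bad = bytearray(), 0
    for s in range(offset, offset + length, SECTOR):
        src.seek(s)
        try:
            piece = src.read(SECTOR)
        except OSError as e:
            log.write(f"{_timestamp()} read error at byte {s}: {e.strerror}; zero-filled\n")
            piece, bad = b"\0" * SECTOR, bad + 1
        out += piece
    return bytes(out), bad


def hash_file(path):
    """MD5 and SHA-256 of a file on disk, streamed in 1 MiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def acquire(src, image_path, log_path, bs=8 * SECTOR, operator="examiner"):
    """Bit-stream copy src -> image_path, hashing in flight, then re-hash the
    written file as an independent check; append to log_path, return the record."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    offset = bad_total = 0
    with open(image_path, "wb") as dst, open(log_path, "a") as log:
        log.write(f"{_timestamp()} start image={image_path} bs={bs} operator={operator}\n")
        while True:
            chunk, bad = _read_block(src, offset, bs, log)
            if not chunk:  # end of device
                break
            dst.write(chunk)
            md5.update(chunk)
            sha.update(chunk)
            offset += len(chunk)
            bad_total += bad
        dst.flush()
        record = {"bytes": offset, "bad_sectors": bad_total,
                  "md5": md5.hexdigest(), "sha256": sha.hexdigest()}
        record["verified"] = hash_file(image_path) == (record["md5"], record["sha256"])
        log.write(f"{_timestamp()} done bytes={offset} bad_sectors={bad_total} "
                  f"md5={record['md5']} sha256={record['sha256']} verified={record['verified']}\n")
    return record


def run_demo():
    """Image a constructed 64-sector drive twice: clean, then with sector 3 bad."""
    data = bytes(range(256)) * (64 * SECTOR // 256)  # constructed drive contents
    tmp = Path(tempfile.mkdtemp())
    log_path = tmp / "acquisition.log"
    result = {"data": data, "source_hashes": (hashlib.md5(data).hexdigest(),
                                              hashlib.sha256(data).hexdigest())}
    for name, bad in (("clean", ()), ("faulty", (3,))):
        image = tmp / f"{name}.dd"
        result[name] = acquire(FaultySource(data, bad), image, log_path)
        result[f"{name}_image"] = image.read_bytes()
    result["log"] = log_path.read_text()
    return result
```

Call `run_demo()` and read the log it returns: the clean run verifies and its hashes equal those of the source, the faulty run verifies too (the image on disk matches what was written) but its hashes differ from the source and the log names the byte offset of the sector that was zero-filled. That distinction is the point of the NIST "log I/O errors" requirement: with an unreadable sector there is no source hash to compare against, so the error log, not the hash alone, is what proves which bytes of the image are genuine. A real acquisition also re-hashes the source after the copy to show that the write blocker kept it unchanged.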


Solid State Disk Forensics


Solid State Disk Forensics: Solid State Disks

Fundamental issues: storage areas need to be erased before they can be overwritten, and the number of write-erase cycles is limited. Common solution: a flash translation layer with wear leveling and garbage collection.


Solid State Disk Forensics: Pages and Erase Blocks

Data is arranged in pages, which are arranged in erase blocks. [Figure: three erase blocks, each holding four pages: pages 0-3, 4-7 and 8-11.]


Solid State Disk Forensics: Pages and Erase Blocks

Pages are individually read and written, but erasure works on whole blocks: all pages in an erase block are erased together.


Solid State Disk Forensics: Flash Translation Layer

The flash translation layer provides address indirection between virtual (logical) and physical pages. It presents an image of written and free pages at the interface, while it allocates the pages at physical locations of its own choosing.


Solid State Disk Forensics: Flash Translation Layer

Example: update page 19874.
1. The system reads the old page 19874 into a memory buffer.
2. The client changes the contents and saves.
3. The system writes the contents to a new physical page.
4. It updates the translation table to remember the new physical address of page 19874.
5. It resets the valid flag of the old physical page; the old contents remain there until the block is erased.


Solid State Disk Forensics: Flash Translation Layer

Wear leveling: the system maintains an erasure count for each erase block and tries to allocate new pages in erase blocks with a low count of erasures.


Solid State Disk Forensics: Flash Translation Layer

Garbage collection: the system needs to find space for new data, which means it needs to erase erase-blocks. If all erase-blocks still have valid pages in them:
1. find an erase-block with few valid pages;
2. copy its valid pages into pages in other erase-blocks and mark the current physical pages invalid;
3. erase the now empty erase-block.
The garbage collection process can begin emptying erase-blocks in anticipation, before the space is actually needed.


Solid State Disk Forensics: Consequences for Forensic Duplication

There is no good way to access physical pages through the drive interface. The data in empty logical pages can change through garbage collection whenever the SSD is powered on: another page may have been written into the physical page behind the logical one, so that it became valid again, or the logical page may have been physically relocated and the old copy possibly erased. One can no longer prevent changes to the device, even behind a write blocker, because the drive's own firmware makes them. One cannot calculate a hash of the contents, then duplicate, then compare the hash and expect it to match.
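To make the flash translation layer slides and the consequences above concrete, here is an added toy model written for this page (not from the slides, and not how any particular SSD firmware works): a page-mapped translation table, erase-count-based wear leveling and a garbage collector on a constructed device of 3 erase blocks with 4 pages each, one block over-provisioned. `write` follows the slides' page 19874 example: new contents go to a fresh physical page, the table is updated, and the old physical page is merely marked invalid. `read` shows what the host sees through the interface; `physical_dump` shows what a chip-off read of the raw flash would return. Class and method names are this example's own.

```python
# Added example (not from the slides): toy page-mapped flash translation layer
# with wear leveling and garbage collection. Sizes and contents are constructed.


class Ssd:
    def __init__(self, blocks=3, pages_per_block=4):
        self.ppb = pages_per_block
        self.flash = [[None] * pages_per_block for _ in range(blocks)]   # None = erased
        self.state = [["free"] * pages_per_block for _ in range(blocks)]  # free/valid/invalid
        self.erase_count = [0] * blocks
        self.l2p = {}  # logical page number -> (block, page)
        # One block is over-provisioned: the host sees (blocks-1)*ppb logical pages;
        # the spare capacity is what garbage collection relocates valid pages into.
        self.capacity = (blocks - 1) * pages_per_block

    def free_pages(self):
        return sum(s.count("free") for s in self.state)

    def _allocate(self, exclude=None):
        """Wear leveling: take a free page from the block with the fewest erasures."""
        candidates = [b for b in range(len(self.flash))
                      if b != exclude and "free" in self.state[b]]
        if not candidates:
            raise RuntimeError("device full")
        block = min(candidates, key=lambda b: self.erase_count[b])
        return block, self.state[block].index("free")

    def _program(self, block, page, data):
        self.flash[block][page] = data
        self.state[block][page] = "valid"

    def write(self, lpn, data):
        """Out-of-place update: the old copy is marked invalid, never overwritten."""
        if not 0 <= lpn < self.capacity:
            raise IndexError(f"logical page {lpn} out of range")
        if self.free_pages() < self.ppb:  # keep one block's worth of headroom
            self.gc()
        block, page = self._allocate()
        self._program(block, page, data)
        old = self.l2p.get(lpn)
        if old is not None:
            self.state[old[0]][old[1]] = "invalid"
        self.l2p[lpn] = (block, page)

    def read(self, lpn):
        """What the host sees through the interface."""
        loc = self.l2p.get(lpn)
        return None if loc is None else self.flash[loc[0]][loc[1]]

    def physical_dump(self):
        """What a chip-off read of the raw flash returns: every page, valid or not."""
        return [page for block in self.flash for page in block]

    def gc(self):
        """Reclaim the block with the most invalid pages: copy its valid pages to
        other blocks, then erase it. Returns False if nothing can be reclaimed."""
        victim = max(range(len(self.flash)), key=lambda b: self.state[b].count("invalid"))
        if self.state[victim].count("invalid") == 0:
            return False
        for page, st in enumerate(self.state[victim]):
            if st == "valid":
                nb, np_ = self._allocate(exclude=victim)
                self._program(nb, np_, self.flash[victim][page])
                lpn = next(l for l, loc in self.l2p.items() if loc == (victim, page))
                self.l2p[lpn] = (nb, np_)
        self.flash[victim] = [None] * self.ppb  # erase: the old contents are gone
        self.state[victim] = ["free"] * self.ppb
        self.erase_count[victim] += 1
        return True


if __name__ == "__main__":
    ssd = Ssd()
    for i in range(ssd.capacity):
        ssd.write(i, f"old{i}")
    ssd.write(3, "new3")  # the slides' "update page 19874" case
    print("logical 3 ->", ssd.read(3), "| physical:", ssd.physical_dump())
    ssd.write(2, "new2")  # an unrelated write triggers garbage collection
    print("after GC   ->", ssd.physical_dump(), "| erase counts:", ssd.erase_count)
```

Run it and compare the two dumps. After logical page 3 is updated, "old3" is still physically present although no logical page maps to it; the interface returns only "new3". A later write to a different logical page pushes the free-page count below the headroom, garbage collection picks erase block 0, relocates its valid pages and erases it, and "old3" is gone while "old2" now lingers as the new invalid copy. Nothing the host did touched logical page 3 the second time, which is the point of the consequences slide: a powered-on SSD rewrites itself, so hash-then-image-then-compare can only be meaningful for the logical view presented through the interface, and the examiner has no way to capture the invalid physical pages from there.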