
Forensically Prepared Media, Tools and Equipment

Table of Contents

Forensically Prepared Media .......................................................................................................... 2

Preparation of Tools and Equipment ............................................................................................ 13

Notices .......................................................................................................................................... 14

Page 1 of 14

Forensically Prepared Media

Slide 11: Digital Forensics Preparation

Forensically preparing media ensures there is no residual data from previous use.

Drives (often external USB 3.0) of size adequate to hold images for suspect machines

Many ways to wipe digital media:
  • EnCase or FTK
  • DD

If volatile data will be collected from the live host, format using modern file system that is compatible with the OS of the suspect system.

Digital media for evidence storage should use a file system compatible with the analysis system.

Forensically Prepared Media

**011 The forensically prepared media. This is stuff that doesn't have anything on it. It's been wiped with something that puts zeros and ones across it however many times as required. And you want to have plenty of these on hand so when incidents occur you don't have to worry about running them. They don't take forever, but they do take quite a while if you need to do them on a drive, especially when the drives are terabytes or larger. So you're talking about quite a long time to do zeros and ones multiple times, all the way through every single sector of a hard drive.


Got to make sure you have a large enough image-- or a large enough disk to hold the entire image. And so we haven't talked about it here, but there are two basic ways to pull the drive-- I'm sorry, an image of the drive. It's the logical image, and then there's a physical image. Logical image is actually what has been allocated, what the operating system knows about and uses on a regular basis. There's sometimes where-- you've seen people set up different partitions. You have a D or an E or an F drive, and that's a separate partition. If you don't need that partition for whatever reason, sometimes you will just pull-- or just that partition-- you'll just pull that data. When you go and do a physical image, it's an actual bit-by-bit-- if this says one, I'm putting a one here. If this says zero, whatever. And so you're grabbing-- if it's a terabyte drive, you are pulling the full terabyte, right? You're not just pulling the little 500 megs of the operating system and stuff like that. So when you have those kind of pulls, you definitely want to make sure you're having those-- it seems amazing to me that they have these 5-terabyte hard drives and stuff. But, I should say, it seems amazing to me; as a user, I would never see a use for-- and I realize for servers and such you would need those kind of sizes. But you could also be pulling from a server, so you need to be looking at pretty much the largest and fastest possible drives that you can get hold of. Yes?


Student: So in your opinion, what holds up better in court, a bit-by-bit copy or a virtual copy on like your hard drive of the image of the hard drive? For forensics evidence, if you have to go to court, a one-for-one, bit-by-bit copy, or just the image copied off with a SHA proving that it's the same hard drive?

Instructor: Hmm. I would think the bit-by-bit, but I think times are changing. In the past, a lot of digital forensics stuff has-- I guess the precedent, if you will, has always been set on what is most closely relatable to it in the physical world or the traditional forensics world, and so a lot of it's like, "Oh, you got to have the real thing. You got to have the actual picture. You got to have the-- if you don't have the picture, you got to have the actual"-- I can't even remember what you call the negative. The negative of the picture, right? So it's like you got to have the actual thing, versus like a picture of it, or whatever. But slowly I think they're recognizing that a digital copy is a digital copy. If the ones and zeros are the same, and the hash-- they're starting to rely I believe more and more on the accuracy, if you will, of hashing something, and that collision possibilities are so low that another image isn't going to pop up as it. So I do believe they're going to probably head more towards what you're saying as far as like an image and a hash to verify that the integrity is good based on those items, but I think still right now the bit-by-bit is probably the way to go on that.

Student: I think both the original and the copy should have the same hash value.

Instructor: Right.

Student: So I think you will need to do physical copy bit-by-bit to get the same hash value here and there.

Instructor: Right. That's true. That's true. That is true. Let's see. So, there are a few different ways to wipe the digital media to make sure that they're ready, and, well, that says "no residual data," but generally it'll be all zeros or all ones, is what they'll end up with. So there is residual data in the sense that you'll have either zeros or ones all written on there. So EnCase and FTK Imager, I believe, has it as well. DD will allow you to do it. I don't know if anybody's heard of DBAN before-- Darik's Boot and Nuke, I think it's called. It's also another piece of software that allows you to do the-- you can tell it, "Seven times I want you to wipe ones and zeros off of it," or whatever, to make it forensically sound like this. And if volatile data is collected from the live host, format-- and this is-- when I first read this, I was like, "Oh, is it something different?" But essentially you need the same type of hard drive and the file system dealing with that particular operating system, if it's Windows or Linux or Mac, in order to be able to access that live data as well, making the copy. Because obviously it's that system that it's reading it from, that operating system that it's reading it from. So for volatile as well, in other words, you'll definitely need to make sure that it's got the correct file system to be used.

Student: Because there's artifacts kind of left on disk, when you're doing a DD, you can't get that stuff that was left on the original disk, per se, can you? I mean, if it's a byte that wasn't overwritten, but you know how sometimes to really truly overwrite a byte you have to overwrite it--

Instructor: However many times, right?

Student: Yeah. I mean, there's still ways for them to get stuff that was deleted off the original disk, but the copy's not going to have those artifacts, would it?

Student: Like say you had a pornographic image on your disk and you wrote it over twice with something else. The image, I guess, with some tools you would be able to dig down and read something that was there before, but I think a DD copy-- if a byte's been overwritten of that image--

Instructor: Oh, so it'll assume it's a zero because it was told it's a zero type of thing, right, is what you're saying? And it won't go deeper into the--

Student: There's still, I guess, magnetic artifacts.

Instructor: So some remnants there that if you have the right tools for being able to read that magnetic piece then you might be able to.

Student: Recover deleted files.

Instructor: Yeah, I would say that that's correct then, would be that you would not be able to get that-- you're right-- from something like a DD, because all it's doing is, "Oh, it says it's a zero. I'm not going to look deeper or have anything to read the magnetism that's there to say, 'Oh, a while back it was actually a one,'" or something like that. I think that's correct.

Student: Question on that.

Instructor: Yes?

Student: Would solid state be any different?

Instructor: So yes, solid state is different. The flash memory that is used, a lot of systems now-- and for those of you not familiar with solid state disks or drives, or even the thumb drives actually use that kind of memory-- those have a finite usage. That means it can be turned to ones and zeros only so many times and eventually it becomes to the point where it won't hold what you told it to be. It won't maintain the one or the zero or whatever it is. So what they've discovered is that since you have however many-- right? If you have a 1-gigabyte stick or 8-gigabyte stick, originally most operating systems would put the memory in a particular spot and continue to use that spot, and only if you filled it completely up would it actually use the last-- the end of the stick or the end of that memory. And so what they've done is they've come up with a way to-- what do they call it? Like level balancing, where you try to use each of those pieces of flash memory approximately the same amount. So if you started with-- and I don't know how to show this-- if you started with this piece of memory and then you use it a few times, the operating system now, with the driver, it's supposed to start figuring out that, "We should probably start using this section now," and then eventually spreading it all over the place. So it'll use it once or twice in one section, and then everything will end up being once or twice used-- that's obviously an oversimplification-- but it'll use it all in a pretty even manner. And so for a forensic copy-- and hashing, unfortunately, when you use flash media like that, and with the level-balancing like that, you will get a different hash, depending on what's been done to it, because it'll go and make a one that was way over here, way over here, because it's supposed to use up the one that hasn't been used yet type of thing. So there is a difference and it will change based on that.

Student: How do virtual machines impact any of this?

Instructor: So, my understanding is-- we just had-- our company just had an incident that we went and helped an organization with, and their main infrastructure is virtual machine based. So their hosts and their servers for the most part are riding in the VMware chassis. The person I work with who is an Air Force OSI-- previous Air Force OSI agent-- Office of Special Investigations, basically-- they're kind of like the FBI of the Air Force, if you will. He mentioned that all they really had to do was take a snapshot of that particular drive, or that system, and that was considered forensically sound, as long as you took it the right way and removed it properly and all that. But basically taking a snapshot of the virtual machine. Everybody understand what the question was? Get that? Okay. I just wanted to make sure we didn't miss it. Yes?

Student: All right, so a little bit of a better question-- probably still not a good one yet. So the hot cache would not go-- so the operating system, you'll have a flash, maybe you'll have some spinning disk too, and then you can have some hot cache, where basically the data doesn't go back into that spinning disk or flash. So would that make a difference?

Instructor: So cache in general is thought of as volatile memory. Right? The cache-- I'm not familiar specifically with what you're saying is hot cache, but the cache on a CPU-- right?-- is next to the register, which are the actual areas in the CPU where the zeros and ones are used in the ALU-- if you're familiar with CPUs, the Arithmetic Logic Unit. That's where the zeros and ones actually get loaded into the CPU and they do those interactions. They add or subtract or whatever it is. Besides those, the cache is the nearest thing to memory, if you will, that is used, and that is considered volatile memory. So as soon as power-- I mean, and that actually changes on-- how should I say it? Very often that stuff changes because as soon as it's done with a certain calculation, it no longer needs those values, so it brings in other values that it needs for fast calculations and it throws it in the hot cache or cache area so it can use it real quick. So if you're trying to get that, I am not familiar with stuff that can get off of CPU. Does anybody here have any experience with anything pulling off the CPU cache type of thing versus--? Because memory's one thing, right? That level is relatively-- there's a refresh cycle, right? They call it dynamic RAM, and that gigahertz number that they give you is the refresh rate. That means that it has to be energized in such a way that the one and the zero, whatever it's supposed to read, continues to read that way. So there's stuff there, electrical signals, so to speak, that it can grab. I'm not sure exactly how cache is stored like on a CPU and how to access that. I don't know if somebody here does. But essentially it's considered highly volatile, I guess, is what you-- because it changes so rapidly. I mean, really, like nanosecond type of speeds that gets changed. So you're probably-- the effects that we're looking for when we talk about incidents and digital forensics is not at the level of-- you're not trying to catch them switching a one to a zero on the processor, right? We're trying to catch them doing it on the network or on a box, in a file, or something like that, perhaps, or loading something. Although it's part of the whole thing-- and we'll talk a little bit more about volatile memory and the order in which you should be pulling stuff off, if you have a time limit, what sorts of things you should be pulling off first. Volatile memory is on the top of that list because if the power should shift, change, you get a brownout, blackout, whatever it is, you lose that-- right?-- as soon as it happens. So it is relevant, but for the most part that level of it is probably just a little too deep into the actual-- the numbers for that. Yes?

Student: So when we were talking about SSDs and hashes changing on them, from a forensic standpoint, if you're only reading off of the hard drive, the files shouldn't be changing or moving on there. Therefore the hash of the solid state drive should stay the same during your investigation as long as the hard drive is not being used anymore.

Instructor: Right. Right. Right.

Student: So I wanted to make sure that that wasn't a misconception, that you can't get a hash in forensics evidence on a solid state hard drive.

Instructor: True. True.

Student: Just don't use it anymore, otherwise it will change.

Instructor: Right. I'm sorry. I'm glad you brought that up. Yeah, that's correct. I did not mean to imply that you couldn't use it, but if you do-- if you go in for just a file or just a certain number of files or folders and you power it up and it starts doing some stuff on it, now that original hash that you took of it before you powered it on will now change based on the fact that it'll be using other flash memory pieces that weren't used before. So now if you do try to do the hash, you will get a different value.

Student: Which is why we always work off the copies.

Instructor: Right. Right. Exactly. Perfect. Perfect.


File system compatible with the analysis system-- that's pretty straightforward.
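The wipe-and-verify step from the slide above (DD being one of the tools it lists) and the image-plus-hash check argued over in the discussion, as an added example that is not part of the SEI course material or its transcript. It assumes Linux with coreutils (dd, sha256sum, tr); the "disks" are constructed temp files and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the SEI course material: prepare target media
# the way the slide describes (zero-fill with dd, then confirm nothing is
# left but zeros) and check a bit-for-bit image against its source by hash,
# as the class discussion covers. Linux with coreutils (dd, sha256sum, tr)
# is assumed. Every "disk" here is a plain file under a temp directory,
# constructed for the demo; on real media the functions take a device path.
set -eu

# Overwrite the entire target with zeros. The size is read from the target
# itself so every sector is covered; 512-byte sectors are assumed.
wipe_zero() {
    sectors=$(( $(wc -c < "$1" | tr -d ' ') / 512 ))
    dd if=/dev/zero of="$1" bs=512 count="$sectors" conv=notrunc 2>/dev/null
}

# Succeed only if the medium holds nothing but zero bytes: strip every NUL
# byte and check that nothing remains.
wipe_verify() {
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Physical (bit-for-bit) image: every byte is copied, allocated or not.
image_physical() {
    dd if="$1" of="$2" bs=512 conv=notrunc 2>/dev/null
}

# SHA-256 of a medium as a bare hex digest.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Source and image must hash identically; a mismatch means the copy is not
# a faithful duplicate (or the source was touched after hashing).
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# Whole flow on constructed files: a "suspect" disk of random data and a
# "target" that still carries residual data from a previous case.
demo() {
    d=$(mktemp -d)
    dd if=/dev/urandom of="$d/suspect.raw" bs=512 count=256 2>/dev/null
    dd if=/dev/urandom of="$d/target.raw" bs=512 count=256 2>/dev/null
    wipe_verify "$d/target.raw" && { echo "target was never dirty?"; return 1; }
    wipe_zero "$d/target.raw"
    wipe_verify "$d/target.raw" || { echo "wipe left residual data"; return 1; }
    image_physical "$d/suspect.raw" "$d/target.raw"
    verify_image "$d/suspect.raw" "$d/target.raw" || { echo "hash mismatch"; return 1; }
    echo "wiped, imaged and verified: sha256 $(hash_of "$d/target.raw")"
    rm -rf "$d"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run with `RUN_DEMO=1 sh prep_media.sh` to watch the full wipe, image and verify sequence on the constructed files.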

Preparation of Tools and Equipment

Slide 12: Digital Forensics Preparation

Do not wait until notified of compromise to prepare!

Have basic tools and equipment ready in advance.

Have adequate target media forensically prepared (wiped and formatted).

Place tools onto prepared media and use one media device per machine imaged.

Preparation of Tools and Equipment

**012 Don't wait till the actual compromise. Get the tools ready. Be ready. Have enough of it ready, and have it wiped and formatted. And then place the tools on the media. A lot of times the speed of getting to the location will be affected if you're having to do all this preparation work right when it kicks off.


Notices


© 2016 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
