1
Data Forensics
  • Damien Leake

2
Definition
  • To examine digital media to identify and analyze
    information so that it can be used as evidence in
    court cases
  • Involves many data recovery techniques
    • Data recovery is the process of salvaging data from
      damaged, failed, corrupted, or inaccessible secondary
      storage media: hard drives, USB flash drives, DVDs
    • Recovery may be required due to physical damage to
      the media or logical damage to the file system
  • Digital evidence has to be authentic, reliably
    obtained, and admissible

3
Common Scenarios for Data Recovery
  • Operating system failure
    • Use a LiveCD to copy all files to another disk
    • Can be avoided by proper disk partitioning (keeping
      user data on a partition separate from the OS)
  • Disk-level failure
    • Compromised file system or disk partition
    • Repair the file system, partition table, or master
      boot record
    • Hard disk recovery is usually a one-time recovery
  • Recovering deleted files
    • Often the data is not removed, only the references
      to it in the file table
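Carving deleted files by signature, as an added example that is not part of the presentation: because deletion usually removes only the file-table entry, the data blocks can be found again by scanning the raw image for the header and trailer bytes of known file types. The disk image and the "deleted" files in it are constructed in memory; the signatures are the real magic bytes for JPEG, PNG and PDF, and the limits noted in the docstring are the ones a practitioner hits first with this kind of scan.

```python
"""Signature-based file carving over a raw disk image.

Added example (not from the slides).  A deleted file normally loses only its
directory / file-table entry; its data blocks survive until reused.  Scanning
the raw image for known header and trailer byte sequences recovers such files
without any file-system metadata.  The image below is constructed in memory.
"""
import os

# Header and trailer bytes of a few common types (real magic values).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size: int = 16 * 1024 * 1024):
    """Return [(offset, type, data)] for every header that has a matching trailer.

    Limitations a practitioner should know: a JPEG with an embedded thumbnail
    contains an inner FFD9, so the carve stops early; a PDF with incremental
    updates has several %%EOF markers, so only the first revision is carved;
    fragmented files (blocks not contiguous) are not reassembled by this scan.
    """
    results = []
    for ftype, (header, trailer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(trailer, start + len(header), start + max_size)
            if end == -1:
                # Header without a trailer within max_size: the tail of this file
                # was overwritten or lies in non-contiguous blocks.  Skip past it.
                pos = start + 1
                continue
            end += len(trailer)
            results.append((start, ftype, image[start:end]))
            pos = end
    return sorted(results, key=lambda r: r[0])


def carve_to_dir(image: bytes, outdir: str):
    """Write each carved object to outdir as <offset>.<type>; return the paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for offset, ftype, data in carve(image):
        path = os.path.join(outdir, f"{offset:08x}.{ftype}")
        with open(path, "wb") as f:
            f.write(data)
        paths.append(path)
    return paths


def build_sample_image() -> bytes:
    """Constructed 'disk': filler blocks plus the data blocks of two deleted files
    (a JPEG and a PNG) and one JPEG header whose trailer was overwritten."""
    filler = bytes(range(256)) * 16                           # 4 KiB, contains no signature
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x10" * 300 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x20" * 100
           + b"IEND\xaeB`\x82")
    orphan = b"\xff\xd8\xff\xe1" + b"\x30" * 50              # tail overwritten
    return filler + jpeg + filler + png + filler + orphan + filler


if __name__ == "__main__":
    for offset, ftype, data in carve(build_sample_image()):
        print(f"offset 0x{offset:x}: {ftype}, {len(data)} bytes")
```

The orphaned JPEG header in the sample is deliberately left unrecovered: reporting a header with no trailer as a complete file would hand the court a truncated object, so the scan skips it and a real tool would flag it for manual review.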

4
Data Reduction During Acquisition
  • Ever larger hard drives make collecting data very
    time-consuming
  • Data analysis can also take much longer if there
    are large amounts of data
  • Known files
    • Operating system and application files can often
      be disregarded when looking for documents (matched
      by hash against a reference set of known files)
  • File types
    • Many file types can usually be ignored
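The two reduction steps above as one triage pass, an added example that is not from the presentation: files whose hash is in a known-file set are dropped, ignorable types are dropped, but the type is confirmed from the file's own bytes first so that a document renamed to look like a system library is kept. The directory tree and the tiny "known" hash set are constructed; a real examination would load a reference set such as NSRL, which is used the same way.

```python
"""Data reduction at acquisition: known-file filtering and type-based triage.

Added example (not from the slides).  The evidence tree and the known-file
hash set below are constructed; a reference set such as NSRL holds millions
of hashes and is loaded into a set the same way.
"""
import hashlib
import os
import tempfile

# File types that can usually be ignored when the search is for user documents.
IGNORED_EXTENSIONS = {".dll", ".sys", ".exe", ".lib", ".fon", ".mui"}

# Magic bytes (real values), the family they identify, and the extensions that
# legitimately carry that content.
MAGIC = [
    (b"MZ", "pe", {".exe", ".dll", ".sys"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
]


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sniff_type(path: str):
    """Return (family, allowed extensions) from the leading bytes, or None."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, family, exts in MAGIC:
        if head.startswith(magic):
            return family, exts
    return None


def triage(root: str, known_hashes: set):
    """Walk root; return (kept, stats).  kept holds (relative path, sha256, type)
    for every file still worth examining, sorted by path."""
    kept = []
    stats = {"total": 0, "known": 0, "ignored_type": 0, "mismatch": 0}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            stats["total"] += 1
            digest = sha256_file(path)
            if digest in known_hashes:                  # known OS / application file
                stats["known"] += 1
                continue
            ext = os.path.splitext(name)[1].lower()
            sniffed = sniff_type(path)
            if sniffed is not None and ext not in sniffed[1]:
                # Name and content disagree: never filter it, it may be hidden evidence
                stats["mismatch"] += 1
                kept.append((rel, digest, f"{sniffed[0]} disguised as {ext or 'no extension'}"))
                continue
            if ext in IGNORED_EXTENSIONS:               # type confirmed, and irrelevant
                stats["ignored_type"] += 1
                continue
            kept.append((rel, digest, sniffed[0] if sniffed else ext.lstrip(".") or "unknown"))
    return sorted(kept), stats


def build_sample_tree(root: str) -> set:
    """Constructed evidence tree; returns the 'known file' hash set for it."""
    files = {
        "Windows/system32/kernel32.dll": b"MZ\x90\x00" + b"\x00" * 64,   # known OS file
        "Program Files/app/app.exe": b"MZ\x90\x00" + b"\x01" * 64,       # unknown binary, ignorable type
        "Users/alice/report.pdf": b"%PDF-1.4\n% constructed document\n",
        "Users/alice/notes.txt": b"meeting at 10, bring the drive\n",
        "Users/alice/driver.dll": b"%PDF-1.4\n% a PDF renamed to hide among libraries\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return {hashlib.sha256(files["Windows/system32/kernel32.dll"]).hexdigest()}


def run_demo():
    """Build the constructed tree in a temporary directory and triage it."""
    root = tempfile.mkdtemp(prefix="triage-")
    return triage(root, build_sample_tree(root))


if __name__ == "__main__":
    kept, stats = run_demo()
    print(stats)
    for rel, digest, kind in kept:
        print(f"{digest[:12]}  {kind:22}  {rel}")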

5
Live Acquisition
  • Debate: pull the plug or not when seizing a
    suspect's computer
    • For: minimizes disturbance to stored data
    • Against: critical data may be in RAM
      • With full disk encryption, files are decrypted on
        the fly, with the decryption key stored in RAM
      • Open ports, active processes
      • Fully volatile OS (e.g. Knoppix run from RAM)
      • Unsaved documents

6
Examining RAM
  • Evidence cannot be recorded on a target machine
    without changing its state
    • Logs, temp files, network connections
      opened/closed
    • Critical data may be overwritten
    • Analysis utilities may need to be loaded onto the
      target system
  • Usually, RAM data is sent to another machine over
    a network connection
  • These problems may be avoided if the target
    machine was running in a virtual machine

7
Virtual Introspection
  • Process by which the state of a VM is observed
    from the Virtual Machine Manager or another VM on
    the same system
  • No production tool yet, but research shows
    promise
  • Can allow live analysis of a running VM
  • May be possible to perform without being detected
    by the target system
  • Experienced cyber criminals may have safeguards
    that remove critical data from RAM when they
    detect an examination

8
Virtual Introspection for Xen
  • Xen is an open source Virtual Machine Manager
    • Not as robust as some competitors
    • Open source means that researchers can modify the
      VMM should that become necessary
  • VIX is a suite of tools currently being developed
    for Xen
    • Provides an API for getting data from different VMs
    • Pauses the target machine, acquires data, un-pauses
      the machine
    • Ensures the machine's state is not modified during
      acquisition (the pause itself may still be
      noticeable to the guest as a gap in time)

9
Future Work
  • Support for multiple OS
    • Currently, only the Linux 2.6 kernel is supported
      by VIX
    • Need Windows and Mac OS support for widespread
      significance
  • Analysis of the extent to which VI can be
    detected by the target VM
    • Timing analysis, page fault monitoring
  • Application of these techniques to VMware and
    other popular VM platforms

10
Database Forensics
  • Standard forensics tools tend to be too
    time-consuming to run on large databases
  • Database tools that search the logs are quicker
    • Can return a lot of useful information
    • But they may alter the database in ways that
      complicate the admissibility of the content in
      court
  • New field of study with little literature

11
Mobile Device Forensics
  • State of the device at the time of acquisition
    • Password locks
    • Remote data deletion
  • Variety of operating systems
    • Hard to build tools considered an industry standard

12
FTK Mobile Phone Examiner
  • Most commonly used tool in the US
  • Simple data acquisition
    • Cable, infrared, Bluetooth
  • Claims not to alter any data on the device
  • Integration with Forensic Toolkit
  • Performs analysis on multiple phones at once
  • Generates reports intended for use in court

13
Oxygen Forensic Suite
  • Popular tool with European law enforcement
    agencies
  • Extracts all possible information
    • Phone/SIM card data
    • Contact list, caller groups, speed dials
    • All calls sent/received/missed
    • SMS, calendar events, text notes
  • Can tap into LifeBlog and geotagging in Nokia
    Symbian OS phones

14
EnCase Neutrino
  • Extension of the company's PC forensic software
  • Claims to have the only extensively tested signal
    blocking technology
  • Data acquisition starts with the SIM card, then
    searches the phone itself
  • Easily returns device serial number, cell tower
    location, and manufacturer information

15
Anti-Forensics
  • Avoid detection of events
  • Disrupt collection of information
  • Increase time spent on case

16
Attacking Data
  • Data wiping
    • Overwrite erased disk space with random data
    • Many commercial tools do not do this properly and
      leave some of the original data
  • Data hiding
    • Encryption
    • Using anonymous web storage
    • Steganography: embedding data into another digital
      form (images, videos)
  • Data corruption
    • Aims to stop the acquisition of evidentiary data
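Steganography in an image, shown from both sides as an added example that is not part of the presentation: the hiding side writes the secret into the least-significant bit of each pixel (a change of at most 1 in 255, invisible to the eye), and the examiner's side applies the chi-square test on value pairs (2k, 2k+1), which LSB embedding of random-looking data equalises in a way natural images rarely do. The cover image is a constructed grayscale pixel array, given an artificial pair asymmetry so the detector has something to measure; no image library is needed.

```python
"""LSB steganography in an 8-bit grayscale image, and a statistical detector.

Added example (not from the slides).  The cover is a constructed pixel array
biased toward even values, standing in for the uneven pair histogram of a
real photograph.
"""
import random


def embed(cover: bytes, payload: bytes) -> bytes:
    """Return cover with payload hidden in the LSBs (32-bit big-endian length first)."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8 - 4} bytes, payload is {len(payload)}")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Inverse of embed: read the length, then that many bytes from the LSBs."""
    def read(start_bit: int, nbytes: int) -> bytes:
        out = bytearray()
        for b in range(nbytes):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    if 32 + 8 * length > len(stego):
        raise ValueError("length field does not fit the image; probably no payload")
    return read(32, length)


def lsb_chi_square(pixels: bytes) -> float:
    """Chi-square statistic over the 128 value pairs (2k, 2k+1), 127 degrees of
    freedom.  A value near 127 means the pairs are equalised, as LSB embedding
    leaves them; a much larger value means an untouched cover."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            chi += (even - expected) ** 2 / expected
    return chi


def build_cover(n: int = 4096, seed: int = 1) -> bytes:
    """Constructed cover: pseudo-random pixels, 70% of them forced even, which
    gives the pair histogram the asymmetry the detector relies on."""
    rng = random.Random(seed)
    px = bytearray()
    for _ in range(n):
        v = rng.randrange(256)
        if rng.random() < 0.7:
            v &= 0xFE
        px.append(v)
    return bytes(px)


def random_payload(n: int, seed: int = 2) -> bytes:
    """Constructed secret of n pseudo-random bytes (encrypted data looks like this)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    cover = build_cover()
    full = embed(cover, random_payload(508))          # fills every LSB of a 4096-pixel cover
    print(f"cover chi-square: {lsb_chi_square(cover):.0f}")
    print(f"stego chi-square: {lsb_chi_square(full):.0f}")
    print(extract(embed(cover, b"meet at the dock, 23:00")))
```

The detector is only as good as the embedding is dense: a short message written sequentially equalises just the first pixels, so in practice the statistic is computed over successive windows of the image rather than once over the whole of it.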

17
Attacking Forensics Tools
  • Aims to make examination results unreliable in
    court
  • Manipulate essential information
    • Hashes
    • Timestamps
    • File signatures
  • Compression bomb
    • Data compressed many times over, often in nested
      archives
    • Causes the analyzing computer to exhaust memory or
      disk and crash while trying to decompress it
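Screening an archive before an examiner's tool opens it, as an added example that is not part of the presentation: a zip's central directory records each member's compressed and declared sizes, so the expansion ratio, the declared total and the presence of nested archives can all be read without inflating anything, and because those size fields are attacker-controlled, extraction itself is bounded so that decompression stops the moment output exceeds a budget. Both archives below are constructed in memory.

```python
"""Defensive handling of compression bombs before an examiner's tool opens them.

Added example (not from the slides).  Both archives are constructed in memory:
an ordinary one, and a 'bomb' whose 10 MiB of zeros deflate to about 10 KiB.
"""
import io
import zipfile

ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".gz", ".tar", ".jar")


def inspect_archive(data: bytes, max_ratio: float = 100.0, max_total: int = 1 << 30) -> dict:
    """Summarise a zip from its central directory only; nothing is decompressed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        compressed = sum(i.compress_size for i in infos)
        declared = sum(i.file_size for i in infos)
    ratio = declared / compressed if compressed else float("inf")
    return {
        "members": len(infos),
        "compressed_bytes": compressed,
        "declared_bytes": declared,
        "ratio": round(ratio, 1),
        "nested_archives": sum(1 for i in infos if i.filename.lower().endswith(ARCHIVE_SUFFIXES)),
        "suspicious": ratio > max_ratio or declared > max_total,
    }


def extract_member_bounded(data: bytes, name: str, limit: int) -> bytes:
    """Inflate one member, aborting as soon as the output exceeds limit bytes.
    The declared size in the directory is deliberately not trusted."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as member:
        while True:
            chunk = member.read(64 * 1024)
            if not chunk:
                return bytes(out)
            out += chunk
            if len(out) > limit:
                raise ValueError(f"{name}: output exceeded {limit} bytes, extraction aborted")


def within_limit(data: bytes, name: str, limit: int) -> bool:
    """True if the member inflates to at most limit bytes."""
    try:
        extract_member_bounded(data, name, limit)
        return True
    except ValueError:
        return False


def build_samples():
    """Constructed archives: an ordinary one, and a bomb that also carries a
    nested archive (a layer a flat ratio check would not see through)."""
    normal = io.BytesIO()
    with zipfile.ZipFile(normal, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt",
                    "\n".join(f"{i:02d}: action item for site {i * 7 % 13}" for i in range(50)))
    bomb = io.BytesIO()
    with zipfile.ZipFile(bomb, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"\0" * (10 * 1024 * 1024))
        zf.writestr("inner.zip", normal.getvalue())
    return normal.getvalue(), bomb.getvalue()


if __name__ == "__main__":
    normal, bomb = build_samples()
    print("normal:", inspect_archive(normal))
    print("bomb:  ", inspect_archive(bomb))
    print("payload.bin within 1 MiB:", within_limit(bomb, "payload.bin", 1 << 20))
```

Nested archives are counted rather than opened: a layer that is itself a bomb would have to be inflated to inspect, so each layer is screened with the same ratio check and bounded extraction before the next one is touched, with a fixed depth limit.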

18
Attack the Investigator
  • Exhaust investigators time and resources
  • Leave large amounts of useless data on hard
    drives
  • Cases that take too long are more likely to be
    dropped

19
Summary
  • Data forensics attempts to capture and analyze
    data for use in court proceedings
  • Techniques involve traditional data recovery
    along with live acquisition of volatile data
  • Relatively new field, with more research needed
    for databases, mobile devices, and virtual
    machines
  • Analysis techniques will need to evolve as cyber
    criminals develop more sophisticated ways to hide
    their actions