Collection of Evidence Computer Forensics 152/252.


Thomas Schwarz, S.J. SCU Comp. Eng

Ethical and Legal Requirements for Collecting Evidence
- Expectations of privacy:
  - Stem from the customs of the society.
  - Are an ethical right.
  - Are legally protected.
  - Can be modified or removed by company policy.

Ethical and Legal Requirements for Collecting Evidence
- A stated monitoring policy:
  - Removes most legal and ethical problems.
  - Can explain the reasons behind the policy.
  - Can be formulated and discussed in advance, instead of as a reaction in the heat of the moment.
  - Can be (or its existence can be) advertised on login banners, which apply even to intruders through the indirect consent doctrine.

Ethical and Legal Requirements for Collecting Evidence
- Monitoring and logging:
  - Result in computer records that are probably business records, which makes it easy to admit them directly into evidence.
  - If we only log during the incident, the records themselves might not be admissible; however, system administrators could testify based on them.

Evidence
Computer evidence must be:
- Admissible.
- Authentic.
- Complete.
- Reliable.
- Believable and understandable.

Logging
- It's cheap and easy.
- Intruders are not always successful in erasing their traces.
- Log records become business records and are more easily admitted into evidence.
- Ideally, logs are kept on write once, read many (WORM) devices.
- In reality, one can come close to WORM.

Volatility
- Volatility: evidence can degrade.
  - Example: evidence in RAM does not survive a power-off.
  - Example: network status changes when connections are closed and new ones opened.

Volatility
Degrees of volatility (most to least volatile):
1. Memory
2. Running processes
3. Network state
4. Permanent storage devices

Reacting to Volatility
- Plan:
  - What evidence are you looking for?
  - Where can it be found?
  - How do you get it?

Reacting to Volatility
- Unplug the power plug (or remove the battery):
  - Destroys volatile evidence.
  - Preserves stored evidence completely, as it was at the point of seizure.

Reacting to Volatility
- Graceful shutdown:
  - Destroys volatile evidence.
  - Alters system files.
  - Allows clean-up software to run.

Reacting to Volatility
- Unplug the network cable:
  - Removes an intruder's access to the system.
  - Alerts the intruder.
  - "Dead man switch" programs can destroy evidence.

Reacting to Volatility
- Live examination:
  - An intruder with root privileges can watch.
  - System tools can be trojaned, including booby-trapped.
  - Use forensics tools from a floppy / CD.
  - Does not work if the system is root-kitted.

Reacting to Volatility
- Know the trade-offs.
- There are no good reasons for a graceful shutdown.
- If doing a live investigation, monitor the network first.

Documentation and Chain of Custody
- Document each step in a forensics procedure.
- Best if the documentation is automatically generated.
- Use forensically sound tools.
- "Two pairs of eyes" integrity rule for data gathering.
- Best: a clear procedural policy.

Do Not Alter Evidence
Evidence can be easily and inadvertently altered by the forensics procedure:
- Use of improper tools like tar that alter file access times.
- Trojaned system utilities.
- Dead man switch: an intruder tool that changes files when the computer is no longer connected to the internet.
- System shutdown and reboot.

Cloud Computing
- Allows hiding evidence successfully, since account generation is hidden.
- Corporate / organizational environment:
  - Prepare for incidents.
  - Log network connections.
  - Install monitoring software on corporate computers in a high-security environment.

Forensic Duplication of Storage Devices

Forensic Duplication
- Creating a "mirror image" of a storage device such as a disk drive.
- "Mirror" is considered bad language, since a mirror actually reverses handedness.

Forensic Duplicates as Admissible Evidence
- Federal Rules of Evidence § 1002 requires an original to prove the content of a writing, recording, or photograph.
- Follows from the best evidence rule: copying can introduce errors.

Forensic Duplicates as Admissible Evidence
- F.R.E. § 1001(3): If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an "original".

Forensic Duplicates as Admissible Evidence
- Federal Rules of Evidence § 1003: A duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original.

Forensic Duplicates as Admissible Evidence
- As familiarity with digital data increases, the behavior of the judicial system will become more rational.

Reasons for Forensic Duplication
- The examination can destroy evidence inadvertently.
- The original computer system might only be available for capturing, not for the examination itself.

Definition of Forensic Duplication
A duplicate from which the same byte stream can be produced as from the original.

Definitions
- Forensic duplicate: a file that contains every bit of information from the source in a raw bitstream format.
- Qualified duplicate: the same, but allows embedded metadata or certain types of compression.

Definitions
- Restored image: a forensic duplicate or qualified forensic duplicate restored to another storage medium.
  - Difficult to do if the second hard drive does not have the same geometry as the original one.

Definitions
- Mirror image: created by hardware that does a bit-to-bit copy from one hard drive to another.
  - Issues with disk and file system metadata such as boot sectors.

Creating a Forensic Duplicate of a Hard Drive
- Hardware mirroring.
  - Can be done in the field.

Creating a Forensic Duplicate of a Hard Drive
- Hardware imager:
  - Creates a forensic duplicate from the suspect drive to the evidence drive.
  - Sector-by-sector copy.
  - Needs:
    - (Integrated) write blocker.
    - Verification of the copy: MD5, SHA-1 of the complete copy.
    - Logging of results.
    - Handling of operation errors:
      - Confusion between suspect and evidence drive.

Creating a Forensic Duplicate of a Hard Drive
- Current and future issues:
  - Large data size.
  - Read errors become more likely.
  - Storage crosses devices (RAID levels 5, 6).
  - Need for acquisition from a live system.

Creating a Forensic Duplicate of a Hard Drive
Software tools: Unix dd
- Tested and proven.
- Runs on Unix/Linux/Mac OS X, which can recognize almost any hardware.
- Free.

Creating a Forensic Duplicate of a Hard Drive
Software tools: EnCase
- Expensive.
- Full suite of forensics tools.
- Great market penetration.
- Based on Windows, which can be a problem, since Windows might "discover" a drive connected to the system.

Creating a Forensic Duplicate of a Hard Drive
Software tools: SafeBack
- Specialized imaging tool.
- Uses DOS.
- Target drive needs FAT32.

Creating a Forensic Duplicate of a Hard Drive
Software tools: FTK
- Drive duplication tool included in the Forensic Tool Kit.

Write-blocking
- A software or hardware tool that prevents writes to a disk.
- Software tools are hard to validate.
- All forensics tools need to be validated before use:
  - Manufacturers offer expert testimony when tools are challenged.
  - Forensics institutes publish test results.
  - Test images at Purdue.
  - Examiners might do some testing as well.
  - Publication in peer-reviewed journals increases the value of testimony.

Write-blocking
- Hardware write blocking:
  - A simple device put between the disk and the interface.
  - Acknowledges writes to the system on which the drive is mounted, but does not perform them.
  - Easy to validate by design and experiment.

Write-blocking
- Hardware write blocking:
  - Use hardware write-blocking devices as the standard means to prevent overwriting evidence when making a forensic duplicate.
  - Keep a variety of hardware blockers around, because they do not always work (the system does not recognize the drive).

Equipment Needs
- Set of write blockers.
- Set of cables, converters, …
- Forensics portable (usually not a laptop) for software acquisition.
- Hardware duplicator.

NIST
- Digital Data Acquisition Tool Test Assertions and Test Plan
- Digital Data Acquisition Tool Specification
- Disk Imaging Specifications
The top-level disk imaging tool requirements are the following:
- The tool shall make a bit-stream duplicate or an image of an original disk or partition.
- The tool shall not alter the original disk.
- The tool shall be able to verify the integrity of a disk image file.
- The tool shall log I/O errors.
- The tool's documentation shall be correct.
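The following is an added example, not code from the slides or from any of the tools they name: a minimal sector-by-sector imager in Python that behaves like the `dd` and hardware-imager acquisition described above and meets the NIST requirements just listed (bit-stream copy, I/O errors logged, integrity verified by MD5 and SHA-1 as the earlier slide lists). `SimulatedDrive`, `acquire`, `digests` and `verify` are names chosen here, and the drive contents are constructed sample data standing in for a write-blocked source.

```python
import hashlib

SECTOR = 512

class SimulatedDrive:
    """Constructed stand-in for a write-blocked suspect drive (sample data for
    this added example): a list of sectors, some of them marked unreadable."""

    def __init__(self, sectors, bad=()):
        self._sectors = list(sectors)
        self._bad = set(bad)

    @property
    def sector_count(self):
        return len(self._sectors)

    def read_sector(self, i):
        if i in self._bad:
            raise OSError(f"I/O error, sector {i}")
        return self._sectors[i]

def acquire(drive, log):
    """Sector-by-sector copy in the spirit of `dd conv=noerror,sync`: an unreadable
    sector is logged and replaced by zeros so every later byte keeps its offset,
    and the error count is logged (the NIST 'log I/O errors' requirement)."""
    chunks, errors = [], 0
    for i in range(drive.sector_count):
        try:
            chunk = drive.read_sector(i)
        except OSError as err:
            log.append(f"sector {i}: {err}; written as {SECTOR} zero bytes")
            chunk, errors = b"", errors + 1
        chunks.append(chunk.ljust(SECTOR, b"\x00"))  # sync: pad short or failed reads
    log.append(f"copied {drive.sector_count} sectors, {errors} read error(s)")
    return b"".join(chunks)

def digests(data):
    """MD5 and SHA-1 of the whole byte stream, the two hashes the slides list."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}

def verify(drive, image, log):
    """Re-read the source the same way and compare digests with the image: the
    hash, duplicate, compare step that a write blocker makes meaningful on a hard
    drive (the SSD slides below explain why it breaks down there)."""
    expected, actual = digests(acquire(drive, [])), digests(image)
    for name in expected:
        log.append(f"{name}: source {expected[name]} image {actual[name]}")
    ok = expected == actual
    log.append("verification " + ("PASSED" if ok else "FAILED"))
    return ok
```

A sector that cannot be read is recorded in the log and zero-filled in the image, so the image stays the same size as the source and the verification digests still agree on what was actually read.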

Solid State Disk Forensics

Solid State Disks
- Fundamental issues:
  - Storage areas need to be erased before they can be overwritten.
  - The number of write-erase cycles is limited.
- Common solution: a flash translation layer, with
  - Wear leveling.
  - Garbage collection.

Solid State Disk Forensics: Erase Blocks
- Data is arranged in pages, which are grouped into erase blocks.
[Figure: three erase blocks of four pages each: pages 0-3, pages 4-7, pages 8-11.]

Solid State Disk Forensics
- Pages are individually read and written.
- All pages in a block need to be erased together.

Solid State Disk Forensics
- Flash translation layer:
  - Address indirection between virtual and physical pages.
  - The system presents an image of written and free pages to the interface.
  - The system itself allocates pages in different physical locations.

Solid State Disk Forensics
- Flash translation layer, example: updating a page.
  - The system reads the old page into a memory buffer.
  - The client changes the contents and saves.
  - The system writes the contents to a new page.
  - It updates the translation table to remember the physical address of the page.
  - It resets the valid flag for the old physical page.

Solid State Disk Forensics
- Flash translation layer, wear leveling:
  - The system maintains a count of erasures for each erase block.
  - It tries to allocate new pages in erase blocks with a low erasure count.

Solid State Disk Forensics
- Flash translation layer, garbage collection:
  - The system needs to find space for new data.
  - It needs to erase erase-blocks.
  - If all erase-blocks have valid pages in them:
    - Find an erase-block with few valid pages.
    - Copy its valid pages into pages in other erase-blocks and mark the current physical pages invalid.
    - Erase the now-empty erase-block.
  - The garbage collection process can begin emptying erase blocks in anticipation of demand.

Solid State Disk Forensics
- Consequences for forensic duplication:
  - There is no good way to access physical pages.
  - The data in empty logical pages can change through garbage collection whenever the SSD is powered on:
    - Another page was written into the logical page and the page became valid.
    - The logical page was physically relocated and possibly erased.
  - One can no longer prevent changes to the device.
  - One cannot calculate a hash of the contents, then duplicate, then compare the hash.
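To make the page-update, wear-leveling and garbage-collection slides above and their forensic consequence concrete, here is an added toy model of the flash translation layer; it is not code from the slides and not real SSD firmware. `ToyFTL`, `PAGES_PER_BLOCK`, the two-block geometry used in testing and the page contents are all constructed. Updating a logical page leaves the old version on flash as an invalid page; a later write that triggers garbage collection erases it, so the digest of the raw flash changes while every logical page reads back unchanged.

```python
import hashlib

PAGES_PER_BLOCK = 4

class ToyFTL:
    """Constructed model of the slides' flash translation layer (added example, not
    real SSD firmware): updates go to a fresh page and the map is redirected, wear
    leveling prefers the least-erased block, GC empties the block with fewest valid pages."""

    def __init__(self, blocks):
        self.phys = [[None] * PAGES_PER_BLOCK for _ in range(blocks)]  # None = erased
        self.valid = set()  # (block, page) locations that some logical page maps to
        self.erase_count = [0] * blocks
        self.map = {}  # logical page number -> (block, page)

    def _free_slot(self):
        # Wear leveling: erased pages from the least-erased block first; None = all full.
        for b in sorted(range(len(self.phys)), key=self.erase_count.__getitem__):
            for p in range(PAGES_PER_BLOCK):
                if self.phys[b][p] is None:
                    return b, p

    def write(self, logical, data):
        slot = self._free_slot()
        if slot is None:
            self.garbage_collect()
            slot = self._free_slot()
        self.phys[slot[0]][slot[1]] = data
        if logical in self.map:  # superseded copy stays on flash; only its valid flag resets
            self.valid.discard(self.map[logical])
        self.map[logical] = slot
        self.valid.add(slot)

    def read(self, logical):
        b, p = self.map[logical]
        return self.phys[b][p]

    def garbage_collect(self):
        # Victim = block with fewest valid pages: copy live pages out, erase, re-place them.
        victim = min(range(len(self.phys)), key=lambda b: sum(loc[0] == b for loc in self.valid))
        owner = {loc: lp for lp, loc in self.map.items()}
        live = [(owner[loc], self.read(owner[loc])) for loc in sorted(self.valid) if loc[0] == victim]
        self.phys[victim] = [None] * PAGES_PER_BLOCK
        self.valid -= {loc for loc in self.valid if loc[0] == victim}
        self.erase_count[victim] += 1
        for lp, data in live:  # real FTLs move these into spare blocks instead
            self.write(lp, data)

    def physical_hash(self):
        # Digest of the raw flash, stale pages included: it drifts between powered-on reads.
        return hashlib.sha1(b"|".join(pg or b"" for blk in self.phys for pg in blk)).hexdigest()

    def on_flash(self, data):
        # True while some physical page, valid or stale, still holds `data`.
        return any(data in blk for blk in self.phys)
```

With two blocks of four pages, writing logical page 0 twice leaves the first version on flash; filling the remaining pages and writing once more forces garbage collection of the block holding it, after which the stale copy is gone and `physical_hash()` differs although `read(0)` still returns the second version.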