Quirks Uncovered While Testing Forensic Tool Jim Lyle Information Technology Laboratory Agora March 28, 2008.

Slides:



Advertisements
Similar presentations
The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.
Advertisements

A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology.
Write Blocking CSC 485/585.
Testing Write Blockers James R Lyle CFTT Project NIST/ITL/SDCT November 06, 2006.
Jim Lyle National Institute of Standards and Technology.
Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.
Creating Deleted File Recovery Tool Testing Images Jim Lyle National Institute of Standards and Technology.
The ATA/IDE Interface Can we write a character-mode device driver for the hard disk?
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.
14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing.
No Nonsense File Collection Presented by: Pinpoint Labs Presenter: Jon Rowe, CCE, ISFCE Certified Computer Examiner Members: The International Society.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.
Federated Testing: Well-Tested Tools, Shared Test Materials & Shared Test Reports; The Computer Forensics Tool Catalog Website: Connecting Forensic Examiners.
Guide to Computer Forensics and Investigations Fourth Edition
Digital Forensics Module 11 CS /26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.
Managing Your Hard Disk and Operating System 23,26 March :30pm - 4:00pm.
Computer & Network Forensics
Evidor: The Evidence Collector Software using for: Software for lawyers, law firms, corporate law and IT security departments, licensed investigators,
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
Guide to Computer Forensics and Investigations Third Edition Chapter 7 Current Computer Forensics Tools.
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.
COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.
Week:#14 Windows Recovery
Operating Systems.
Graphic File Carving Tool Testing Jenise Reyes-Rodriguez National Institute of Standards and Technology AAFS - February 19 th, 2015.
Mobile Device Forensics Rick Ayers. Disclaimer  Certain commercial entities, equipment, or materials may be identified in this presentation in order.
Mobile Device Forensics - Tool Testing Richard Ayers.
COEN 252 Computer Forensics Forensic Duplication of Hard Drives.
COEN 252 Computer Forensics
CN1176 Computer Support Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+
Capturing Computer Evidence Extracting Information.
Computer Forensics Tool Catalog: Connecting Users With the Tools They Need AAFS –February 21, 2013 Ben Livelsberger NIST Information Technology Laboratory.
Hands-on: Capturing an Image with AccessData FTK Imager
Guide to Computer Forensics and Investigations, Second Edition Chapter 9 Data Acquisition.
July 9, National Software Reference Library Douglas White Information Technology Laboratory July 2004.
COEN 252 Computer Forensics Windows Evidence Acquisition Boot Disk.
NIST CFTT: Testing Disk Imaging Tools James R. Lyle National Institute of Standards and Technology Gaithersburg Md.
Administering Windows 7 Lesson 11. Objectives Troubleshoot Windows 7 Use remote access technologies Troubleshoot installation and startup issues Understand.
By Donald Wood CSS 350. Overview Forensic tools are an important part of the computer forensic investigator’s ability to perform his/her job. Imaging.
ITE 1 Chapter 5. Chapter 5 is a Large Chapter It has a great deal of useful information about operating systems. You will find this VERY helpful when.
Teaching Digital Forensics w/Virtuals By Amelia Phillips.
Preserving Evidence ● Number one priority ● Must also find incriminating evidence ● Must search the contents of the hard drive ● Can not change the hard.
Digital Crime Scene Investigative Process
Ben Livelsberger NIST Information Technology Laboratory, CFTT Program
How Hardware and Software Work Together
IST 222 Introduction to Operating Systems Fall, 2004.
Data Recovery Techniques Florida State University CIS 4360 – Computer Security Fall 2006 December 6, 2006 Matthew Alberti Horacesio Carmichael.
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or.
File System Management File system management encompasses the provision of a way to store your data in a computer, as well as a way for you to find and.
1 IT Investigative Tools Tools and Services for the Forensic Auditor.
Computer Forensics Peter Caggiano. Outline My Background What is it? What Can it do and not do? Goals Evidence Types of forensics Future problems How.
Guide to Computer Forensics and Investigations Fourth Edition
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #4 Data Acquisition September 8, 2008.
Chapter 5 Processing Crime and Incident Scenes Guide to Computer Forensics and Investigations Fourth Edition.
IST 222 Day 3. Homework for Today Take up homework and go over Go to Microsoft website and check out their hardware compatibility list.
 Forensics  Application of scientific knowledge to a problem  Computer Forensics  Application of the scientific method in reconstructing a sequence.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Network Forensics - III November 3, 2008.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 File Systems September 22, 2008.
Hands-On Microsoft Windows Server 2008 Chapter 7 Configuring and Managing Data Storage.
COEN 252 Computer Forensics Forensic Duplication of Hard Drives.
Chapter 8 Forensic Duplication Spring Incident Response & Computer Forensics.
Mobile Device Data Population for Tool Testing Rick Ayers.
Defining, Measuring and Mitigating Errors for Digital Forensic Tools Jim Lyle, Project Leader NIST Computer Forensics Tool Testing Feb 25, 2016AAFS - Las.
By Jason Swoyer.  Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums.  Computer.
File-System Management
Chapter Objectives In this chapter, you will learn:
Chapter 5 EnCase Concepts.
CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
Digital Forensics Dr. Bhavani Thuraisingham
Presentation transcript:

Quirks Uncovered While Testing Forensic Tool Jim Lyle Information Technology Laboratory Agora March 28, 2008

Agora, Seattle2 DISCLAIMER Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products are necessarily the best available for the purpose. March 28, 2008

Agora, Seattle3 Outline Overview of computer forensics at NIST Quirks uncovered – Write Blocking – Acquisition to an image file – Restoration from an image file – Other Questions and answers March 28, 2008

Agora, Seattle4 Where is CFTT? US government, executive branch Department of Commerce (DOC) National Institute of Standards and Technology (NIST) Information Technology Lab (ITL) Software Diagnostics and Conformance Testing Division (SDCT) Computer Forensics: Tool Testing Project (CFTT) Also, the Office of Law Enforcement Standards (OLES) at NIST provides project input March 28, 2008

Agora, Seattle5 Goals of CF at NIST/ITL Establish methodology for testing computer forensic tools (CFTT) Provide international standard reference data that tool makers and investigators can use in investigations (NSRL, CFReDS) March 28, 2008

Agora, Seattle6 Project Sponsors (aka Steering Committee) National Institute of Justice (Major funding) FBI (Additional funding) Department of Defense, DCCI (Equipment and support) Homeland Security (Technical input) State & Local agencies (Technical input) Internal Revenue, IRS (Technical input) NIST/OLES (Program management) March 28, 2008

Agora, Seattle7 Other Related Projects at NIST NSRL -- Hash (MD5, SHA1) file signature data base, updated 4 times a year (Doug White, John Tebbutt, Ben Long) PDAs and Cell Phones, NIST (Rick Ayers) SAMATE -- Software Assurance Metrics and Tool Evaluation (Paul E. Black) CFReDS -- Computer Forensics Reference Data Sets (Jim Lyle) March 28, 2008

Agora, Seattle8 Forensic Tool Features … are like a Swiss army knife – Blade knife for cutting – Punch for making holes – Scissors for cutting paper – Cork screw for opening Chianti Forensic tools can do one or more of … – Image a disk (digital data acquisition) – Search for strings – Recover deleted files March 28, 2008

Agora, Seattle9 Testing a Swiss Army Knife How should tools with a variable set of features be tested? All together or by features? Test by feature has a set of tests for each feature: acquisition, searching, recovery Examples: EnCase acquisition, iLook string search, FTK file recovery March 28, 2008

Agora, Seattle10 Good News Forensic tools tested work Problems found are minor – Usually something is omitted – Nothing incriminating is created Investigators should be aware of the quirks March 28, 2008

Agora, Seattle11 Write Blocking Goal: Prevent changes to a protected drive Host interacts with a drive by a command set through an interface – Read – Write – Control & info March 28, 2008

Agora, Seattle12 Int 13 Extended Write DOS Interrupt 13 has three write cmds – Write (original write cmd) – Write long – Extended write (added later for large drives) Early write blocker versions only block write & write long March 28, 2008

Agora, Seattle13 Blocking read commands Hardware write block devices … – Capture cmds sent from a host on a bus – Send cmds to a protected device – Return data to a host Some devices may … – Substitute a different cmd – Cache results and not issue cmd to device. If the protected device is reconfigured to report a different size, a cached size is reported incorrectly – Block some read cmds March 28, 2008

Agora, Seattle14 Allow Reads vs Block Writes Block unsafe commands, allow everything else +Always can read, even if new command introduced - Allows newly introduced write commands Allow safe commands, block everything else +Writes always blocked - Cannot use newly introduced read commands March 28, 2008

Agora, Seattle15 Source Acquisition Tool acquires either – entire drive (physical drive) – partition (logical drive) Evaluate the acquisition by either … – Hash of data acquired – Compare source to a restore March 28, 2008

Agora, Seattle16 Core Acquisition Requirements All visible sectors are acquired All hidden sectors are acquired All acquired sectors are accurately acquired Benign fill of faulty sectors Error conditions March 28, 2008

Agora, Seattle17 Hard Drive Organization sector track cylinder March 28, 2008

Hard Drive Organization Basic unit is a 512 byte sector 63 sectors are grouped as a track A set of tracks are grouped as a cylinder Sectors are addressed as: Cylinder/track/sector Cylinders start at 0, Tracks start at 0, but Sectors start at 1 March 28, 2008Agora, Seattle18

Agora, Seattle19 Odd Sectors Use dd to acquire either a physical or logical drive with an odd sector count and the last sector is omitted. Occurs in the 2.4 kernel and earlier. The current 2.6 kernel does not have the problem. March 28, 2008

Agora, Seattle20 BIOS Lies DOS based acquisition via BIOS interface Some BIOSs group several physical cylinders together into a logical cylinder There may be a fractional logical cylinder left over. In addition, some BIOSs may underreport the number of logical cylinders by 1 cylinder March 28, 2008

Agora, Seattle21 More BIOS Lies Say a drive has 4003 physical cylinders but the BIOS groups 4 cylinders into one logical cylinder. The BIOS reports 1000 logical cylinders (4000 physical cylinders). Some tools acquire 1000 logical cylinders and miss the last 3 physical cylinders. If the BIOS underreports the size, some tools fail to adjust and acquire only 999 logical (3996 physical sectors). March 28, 2008

More BIOS Lies Actual geometry: 3,309/16/63 – 63x16 sectors/cylinder (1,008) – 3,335,472 total sectors 3,335,472x512 bytes BIOS wants cylinder count < 1024 BIOS reports geometry as: 826/64/63 – 63x16 sectors/cylinder (4,032) – 3,330,432 total sectors March 28, 2008Agora, Seattle22

Agora, Seattle23 Restoring an Image Testing the accuracy of a restore … Compare the original source sector by sector to the restored image March 28, 2008

Agora, Seattle24 Missing Sectors on Restore Restore an image of an IBM-DTLA with sectors to an identical drive the results are … Sectors Compared Sectors Differ Diffs range Also the partition table gives 255 heads/cylinder and 63 sectors/track. That gives 16,065 (63*255) sectors/cylinder Note that 40,188,960 mod 16,065 is … 10,395 March 28, 2008

Next Quirk, Starting with Answer AAAAABBBBBCCCCCDDDDDEEEEE March 28, 2008Agora, Seattle25 AAAAABBBBBCCCCCBBBBB A 27,744,120 sectors B7 sectors C57 sectors D7 sectors E1 sector Image an NTFS partition of 27,744,192 sectors

Agora, Seattle26 NTFS Partition Restore Setup NTFS partition – MD5: 92b27b30bee8b0ffba8c660fa1590d49 – 27,744,192 sectors – Each sector filled with sector LBA & disk ID Acquire partition – Total Sectors:27,744,191 – 494A6ED8A827AD9B5403E0CC Rehash (minus last sector) -- still no match March 28, 2008

Agora, Seattle27 More NTFS Restore image to NTFS partition Compare to original – Sectors differ: 47 Restore was in Windows XP … Restore again, unpower drive, no system shutdown. Compare to original – Sectors differ: 8 – Diffs range: 27,744,184-27,744,191 March 28, 2008

Agora, Seattle28 NTFS Resolution Examine the eight sectors – Last sector not imaged – Other seven are a second copy of seven sectors starting at offset 27,744, Know this because each sector is tagged with LBA Verification: Acquisition hash: 494a6ed8a827ad9b5403e0cc xena:/Users/jimmy root# dd bs=512 if=/dev/disk2s11 of=~jimmy/nt.dd xena.local(1009)==> dd if=nt.dd bs=512 skip= count=7 of=end.dd xena.local(1012)==> dd if=nt.dd bs=512 count= of=chunk.dd xena.local(1013)==> cat chunk.dd end.dd | md5 494a6ed8a827ad9b5403e0cc xena.local(1022)==> md5 nt.dd MD5 (nt.dd) = 92b27b30bee8b0ffba8c660fa1590d49 March 28, 2008

Agora, Seattle29 Faulty Sector Behaviors Some sectors adjacent to faulty sector missed – ATA interface: 8 sector window – USB interface: variable size window < 64 – FW interface: variable, but different from USB Missed sectors filled with unknown data Image file gets out of sync March 28, 2008

8/15/07DFRWS Imaging a Drive with Faulty Sectors Acquire all sectors that are not faulty, identify all faulty sectors, and in the image file replace the faulty sector content with benign fill.

8/15/07DFRWS Reliably Faulty Drives A set of known consistently faulty sectors. Can be imaged repeatedly with the same set of sectors reporting failure. Set of three reliably faulty drives: – MAX1 (54 faulty sectors) – MAX2 (398 faulty sectors) – WD (22 faulty sectors)

8/15/07DFRWS Basic Imaging Tools DCCIdd V 2.0 DCFLdd V dd on Helix with Linux kernel dd on FreeBSD V 5.5 IXimager V 2.0 February 1, 2006

8/15/07DFRWS Methodology 1. Create a reference drive identical to the faulty drive, but with no faulty sectors. 2. Clone the faulty drive with an imaging tool. 3. Compare the clone to the reference drive.

8/15/07DFRWS Results for Drive MAX1 ToolBusreadable sectors missed IXimagerFW0 Helix ddFW5034 DCFLddFW5034 DCCIddATA306 FreeBSD ddFW0 The missed sectors were misidentified as faulty and filled with zeros.

8/15/07DFRWS DCCIdd ATA Interface Look at first difference between the clone and reference drive. The first difference is a run of 8 sectors, all zeros, on the clone (10,069, ,069,095). First faulty sector at address 10,069,095. DCCIdd misidentifies seven sectors as faulty on messages to stderr.

8/15/07DFRWS More Runs (ATA Interface) Next four runs … Bad SectorRun StartRun End All runs included at least on faulty sector. All runs were 8 sectors long.

8/15/07DFRWS DCFLdd, dd & Firewire Some sectors around a faulty sector misidentified as faulty and imaged as zeros. Unlike ATA, the length of the run of misidentified sectors including the faulty sector varied. First five run lengths: 168, 216, 72, 248, 112. Note: all are a multiple of 8. Faulty sector was always in last group of 8.

8/15/07DFRWS Results: Sectors Missed For IXimager and FreeBSD dd all the run lengths are one (no readable sectors missed). For imaging directly to the ATA interface with dd based tools the run length for a single isolated faulty sector was eight sectors (with seven sectors misidentified as faulty). For imaging with dd over the Firewire interface, the run lengths associated with a single, isolated faulty sector were a multiple of eight sectors (also with readable sectors misidentified as faulty).

8/15/07DFRWS Results: Fill Content IXimager filled the sectors with the string: ILookImager_Bad_Sector_No_Data All the tools running in the Linux environment filled the sectors with zeros (NULL bytes). The sectors created by dd running in FreeBSD contained data from an undetermined source.

Agora, Seattle40 Other Quirks Hash Quirks – Screen hash differ from log file – Multiple hashes: SHA ok, MD5 wrong; hardware dependent March 28, 2008

Agora, Seattle41 Contacts Jim LyleDoug White Sue Ballou, Office of Law Enforcement Standards Steering Committee Rep. For State/Local Law Enforcement March 28, 2008

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.