Forensics Challenges with the Whonix OS, 15/05/2015, presented by Timmi Lee Strand Jæger

2 Forensics Challenges with the Whonix OS
Presented by Timmi Lee Strand Jæger
15/05/2015

3 The Whonix Open Source operating system
- Released in 2012
- Based on the Tor network and «vanilla» Debian GNU/Linux
- Designed to be used with virtualization software

4 Whonix images
Workstation
- Connected to the gateway
- Security by isolation
- Tor artefacts: xchat, torchat, gpg encryption, bitcoin software etc.
Gateway
- Routes all internet traffic through Tor
- Not recommended to be used for anything else than a gateway

5 Aim and objective
- Researching the forensics challenges connected to the Whonix OS by mapping out the forensic artifacts
- Will focus primarily on the evidence files in the operating system

6 Tools and software
- National Institute of Standards and Technology Computer Forensics Tool Testing (NIST CFTT)
- Forensic ToolKit 5 (FTK)
- FTK Imager
- VirtualBox
- KFF (Known File Filter)

7 Forensics methodology

8 Analysis results
Software artefacts
- Tor Browser
- Metadata Anonymisation Kit
- GTK RecordMyDesktop
- Xchat
- TorChat
- OpenPGP
Debian artefacts
- File download
- Program execution
- File opening and creation
- Deleted files
- Account usage

9 Web browser
Tor Browser
- Security modified
- No data written outside the bundle directory home/user/tor-browser/browser/TorBrowser/Data
- No cache in deleted files
Iceweasel
- Limited security modifications
- Very similar to the Firefox browser
- Only recommended for downloading the Tor Browser
- Stores cache and browser data
- Browser data could be recovered

10 Preinstalled utilities
Metadata Anonymisation Toolkit
- Designed to delete all metadata from files
- Prevents anonymity leaks from metadata
- Leaves a log in /home/user/.local/share/recently-used.xbel
- Creates a copy of the original file without metadata
GTK RecordMyDesktop
- Desktop session recorder
- Creates video files in several formats; settings outlined in /home/user/.gtk-recordmydesktop:
  - Sound settings
  - Cursor
  - Full shots: on or off
  - Filename
  - Number of channels
  - Sound device
  - Video quality
  - Audio quality
  - Working directory

11 Communication
Xchat
- Open chat communication program, unregistered and registered users
- Logging off by default
- Research recovered chat history from the scrollback logs in /home/user/.xchat2/scrollback/OFTC/#ChannelName
- Generates a random user ID
TorChat
- Chat program with features similar to MSN
- Routed through the Tor network
- Users have unique IDs
- Connections listed in /home/user/.torchat/buddy-list.txt
- A log of the conversations was recovered from /home/user/.torchat/userID.log

12 Encryption
OpenPGP
- Open source GPG encryption program
- FTK able to find exported/imported keys stored in the file system
- Password protected: encrypted files require the key and the password
- Decrypted files are stored decrypted

13 Debian foundation artifacts
File download
- Same structure as Debian Linux: /home/user/, /home/user/Desktop
- Hidden folder in /.
- Program files in /usr; /usr/bin for binary files: found 1325 files, 448 after KFF
Program execution
- /var/log/auth.log, e.g.:
  Mar 10 18:03:27 host sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/pip install
- /home/user/.bash_history
- /var/log/dpkg.log
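As an added example (not part of the presentation), the following script turns sudo entries from /var/log/auth.log into a program-execution timeline of the kind slide 13 points at. It assumes the glibc syslog line format shown on the slide; the sample lines are constructed, the first being the one quoted above, and times are tagged UTC because Whonix sets the clock to UTC at boot.

```python
"""Parse sudo entries from a Debian/Whonix /var/log/auth.log into a
program-execution timeline. Added example, not from the presentation."""
import re
from datetime import datetime, timezone

# Sudo line format as shown on slide 13: syslog timestamp, host, "sudo:",
# the invoking user, then " ; "-separated KEY=value fields.
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+"
    r"(?P<invoker>\S+) : (?P<fields>.*)$"
)

# Constructed sample: line 1 is the slide's own example, line 2 a pam_unix
# session line with no COMMAND, line 3 a (made-up) denied sudo attempt.
SAMPLE_AUTH_LOG = """\
Mar 10 18:03:27 host sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/pip install
Mar 10 18:03:27 host sudo: pam_unix(sudo:session): session opened for user root by user(uid=0)
Mar 10 18:05:02 host sudo: user : command not allowed ; TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/bin/bash
"""


def parse_sudo_events(text, year):
    """Return one dict per sudo COMMAND line. Syslog omits the year, so the
    caller supplies it; timestamps are tagged UTC (Whonix default clock)."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue  # pam_unix session lines etc. carry no COMMAND field
        fields, note = {}, None
        for part in m.group("fields").split(" ; "):
            if "=" in part:
                key, value = part.split("=", 1)
                fields[key] = value
            else:
                note = part.strip()  # e.g. "command not allowed"
        if "COMMAND" not in fields:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({
            "time": ts.replace(tzinfo=timezone.utc),
            "invoker": m.group("invoker"),
            "as_user": fields.get("USER"),
            "tty": fields.get("TTY"),
            "cwd": fields.get("PWD"),
            "command": fields["COMMAND"],
            "denied": note is not None,
        })
    return events
```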

14 File system
File opening and creation
- MAC: Modified, Accessed, Created
- Time set to UTC
- Recently used file log in /home/user/recently-used.xbel
- Bash history log in /home/user/.bash_history
Deleted files
- Deleted 3 files, all recovered in unallocated space
- Approx. 30 hours of use gave 7696 deleted files; 734 were HTML and JPEG files
- /tmp & /var/tmp
- Recovered cache from Iceweasel

15 Account usage
- Traditional Linux utmp (current login state), wtmp (all logins and logouts) and btmp (failed logins) files.
- VirtualBox has a function called «save current state».
- A variety of log files such as /var/log/auth.log, /var/log/timesanitycheck.log, root/.bash_history, program logs and the logs in /var/log will show a history of the user being active.
- Remember that the time is set to UTC by default every time Whonix is booted up.
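As an added example (not part of the presentation), this decodes the binary utmp/wtmp/btmp records named on slide 15 and pairs logins with logouts per tty. It assumes the 384-byte glibc x86_64 struct utmp layout; the sample wtmp bytes are constructed in the script, and times are reported in UTC as the slide notes.

```python
"""Decode Linux wtmp/utmp/btmp records (glibc x86_64 struct utmp, 384 bytes)
to reconstruct account usage. Added example, not from the presentation."""
import struct
from datetime import datetime, timezone

# Assumed little-endian layout of struct utmp on glibc x86_64: ut_type, pad,
# ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256], exit_status
# (2 shorts), ut_session, tv_sec, tv_usec, ut_addr_v6[4], 20 reserved bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
TYPE_NAMES = {BOOT_TIME: "boot", USER_PROCESS: "login", DEAD_PROCESS: "logout"}


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("latin-1")


def make_record(ut_type, pid, line, user, tv_sec, host=""):
    """Build one record; used only to construct sample data for this demo."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Return (utc datetime, event, user, tty) for each boot/login/logout."""
    events = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, sec = f[0], f[9]
        if ut_type not in TYPE_NAMES:
            continue  # runlevel/init records are not needed for this view
        events.append((datetime.fromtimestamp(sec, tz=timezone.utc),
                       TYPE_NAMES[ut_type], _cstr(f[4]), _cstr(f[2])))
    return events


def session_durations(events):
    """Pair each login with the next logout on the same tty (seconds)."""
    open_sessions, sessions = {}, []
    for when, kind, user, tty in events:
        if kind == "login":
            open_sessions[tty] = (user, when)
        elif kind == "logout" and tty in open_sessions:
            user, start = open_sessions.pop(tty)
            sessions.append((user, tty, start, int((when - start).total_seconds())))
    return sessions


# Constructed sample wtmp: a boot, a login on tty1 and the matching logout.
SAMPLE_WTMP = (make_record(BOOT_TIME, 0, "~", "reboot", 1431680000)
               + make_record(USER_PROCESS, 1200, "tty1", "user", 1431680100)
               + make_record(DEAD_PROCESS, 1200, "tty1", "", 1431683700))
```

The same decoder applies to btmp, where each record is a failed login rather than a session.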

16 Account usage

17 The way forward
- Creating a guideline for future forensic investigations
- Researching how the Tor network affects evidence
- Researching which Linux packages reveal privacy in Whonix
- This research will need future updates

18 Summary
- Traditional Debian artifacts: all artifacts generated by a Debian Linux OS can be generated in Whonix
- Encryption recommended on the host system
- Tor Browser stores browser data temporarily in RAM
- Chat history from Xchat can be recovered

19 Questions? Contact: timmilee@hotmail.com
