0
DIGITAL FORENSICS OVERVIEW


Some historical background about the field of digital forensics leading up to the present day helps to explain how the field evolved and provides additional context for some of the problems and challenges faced by professionals in the forensics industry.

Digital Forensics History

Here, I discuss the development of modern digital forensics as a scientific discipline.

Pre-Y2K

The history of digital forensics is short compared to that of other scientific disciplines. The earliest computer-related forensics work began during the 1980s, when practitioners were almost exclusively from law enforcement or military organizations. During the 1980s, the growth of home computers and dial-up BBS services triggered early interest in computer forensics within law enforcement communities. In 1984, the FBI developed a pioneering program to analyze computer evidence. In addition, the increase in abuse and internet-based attacks led to the creation of the Computer Emergency Response Team (CERT) in 1988. CERT was formed by the Defense Advanced Research Projects Agency (DARPA) and is located at Carnegie Mellon University in Pittsburgh.

The 1990s saw major growth in internet access, and personal computers in the home became commonplace. During this time, computer forensics was a major topic among law enforcement agencies. In 1993, the FBI hosted the first of multiple international conferences on computer evidence for law enforcement, and in 1995, the International Organization of Computer Evidence (IOCE) was formed and began making recommendations for standards. The concept of “computer crime” had become a reality, not just in the United States but internationally. In 1999, the Association of Chief Police Officers (ACPO) created a good practice guide for UK law enforcement personnel who handled computer-based evidence. Also during the late 1990s, the first open source forensic software, The Coroner’s Toolkit, was created by Dan Farmer and Wietse Venema.

2000–2010

After the turn of the millennium, a number of factors increased demand for digital forensics. The tragedy of September 11, 2001, had a tremendous impact on how the world viewed security and incident response. The Enron and Andersen accounting scandals led to the creation of the Sarbanes-Oxley Act in the United States, designed to protect investors by improving the accuracy and reliability of corporate disclosures. This act required organizations to have formal incident response and investigation processes, typically including some form of digital forensics or evidence collection capability. The growth of intellectual property (IP) concerns also had an impact on civilian organizations. Internet fraud, phishing, and other IP- and brand-related incidents created further demand for investigation and evidence gathering. Peer-to-peer file sharing (starting with Napster), along with the arrival of digital copyright legislation in the form of the Digital Millennium Copyright Act (DMCA), led to increased demand for investigating digital copyright violation.

Since 2000, the digital forensics community has made great strides in transforming itself into a scientific discipline. The 2001 DFRWS Conference provided important definitions and challenges for the forensic community, and it defined digital forensics as follows:

The use of scientifically derived and proved methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.1

While the forensics community defined its scope and goal of becoming a recognized scientific research field, practitioner-level standards, guidelines, and best-practice procedures were also being formalized. The Scientific Working Group on Digital Evidence (SWGDE) specified definitions and standards, including the requirement of Standard Operating Procedures (SOPs) for law enforcement. The 2000 IOCE Conference in France worked toward formalizing procedures for law enforcement practitioners through guidelines and checklists. The 13th INTERPOL Forensic Science Symposium, also in France, outlined the requirements of groups involved in digital forensics and specified a comprehensive set of standards and principles for government and law enforcement. The US Department of Justice published a detailed first responders’ guide for law enforcement (US DOJ Electronic Crime Scene Investigation: A Guide for First Responders) and NIST’s Computer Forensics Tool Testing project (CFTT) wrote the first Disk Imaging Tool Specification.

During this decade, several peer-reviewed academic journals were introduced to publish the increasing body of knowledge. The International Journal of Digital Evidence (IJDE) was created in 2002 (and ceased in 2007), and Digital Investigation: The International Journal of Digital Forensics & Incident Response was created in 2004.

2010–Present

In the years since 2010, a number of events have shifted the focus toward investigating and collecting evidence from cyber attacks and data breaches.

WikiLeaks (http://www.wikileaks.org/) began publishing leaked material from the US military, including videos and diplomatic cables. Anonymous gained notoriety for distributed denial-of-service (DDoS) attacks and other hacktivist activity. LulzSec compromised and leaked data from HBGary Federal and other firms.

The investigation of Advanced Persistent Threat (APT) malware became a major topic in the industry. The extent of government espionage using malware against other governments and private industry was made public. The Stuxnet worm, which targeted SCADA systems (in particular, control systems in the Iranian nuclear program), was discovered. Mandiant published its investigation of APT1, the Cyber Warfare unit of the Chinese Army. Edward Snowden leaked a vast repository of documents revealing the extent of NSA hacking. The release of data from the Italian company HackingTeam revealed the professional market for exploits sold to governments, law enforcement agencies, and private sector companies.

Major data breaches became a concern for private sector companies as credit card and other data was stolen from Sony, Target, JPMorgan Chase, Anthem, and others. The global banking industry faced a major increase in banking malware (Zeus, Sinowal/Torpig, SpyEye, Gozi, Dyre, Dridex, and others), which successfully targeted banking clients for the purpose of financial fraud. More recently, attacks involving ransoms have become popular (Ransomware, DDoS for Bitcoin, and so on).

This diverse array of hacking, attacks, and abuse has broadened the focus of digital forensics to include areas of network traffic capture and analysis and the live system memory acquisition of infected systems.

Forensic Acquisition Trends and Challenges

The field of digital forensics is constantly transforming due to changes and advances in technology and criminality. In this section, I discuss recent challenges, trends, and changes that are affecting traditional forensic acquisition of storage media.

Shift in Size, Location, and Complexity of Evidence

The most obvious change affecting forensic image acquisition is disk capacity. As of this writing, consumer hard disks can store 10TB of data. The availability of easy-to-use RAID appliances has pushed logical disk capacity to even greater sizes. These large disk capacities challenge traditional forensic lab acquisition processes.

Another challenge is the multitude of storage devices that are found at crime scenes or involved in incidents. What used to be a single computer for a household has become a colorful array of computers, laptops, tablets, mobile phones, external disks, USB thumb drives, memory cards, CDs and DVDs, and other devices that store significant amounts of data. The challenge is actually finding and seizing all the relevant storage media, as well as acquiring images in a manner that makes everything simultaneously accessible to forensic analysis tools.

The shifting location of evidence into the cloud also creates a number of challenges. In some cases, only cached copies of data might remain on end user devices, with the bulk of the data residing with cloud service providers. Collecting this data can be complicated for law enforcement if it resides outside a legal jurisdiction, and difficult for private organizations when outsourced cloud providers have no forensic support provisions in their service contract.

The Internet of Things is a fast-growing trend that is poised to challenge the forensics community as well. The multitude of little internet-enabled electronic gadgets (health monitors, clocks, environmental displays, security camera devices, and so on) typically don’t contain large amounts of storage. But they might contain useful telemetry data, such as timestamps, location and movement data, environmental conditions, and so forth. Identifying and accessing this data will eventually become a standard part of forensic evidence collection.

Arguably, the most difficult challenge facing forensic investigators today is the trend toward proprietary, locked-down devices. Personal computer architectures and disk devices have historically been open and well documented, allowing for the creation of standard forensic tools to access the data. However, the increased use of proprietary software and hardware makes this innovation difficult. This is especially problematic in the mobile device space, where devices may need to be jailbroken (effectively hacked into) before lower-level filesystem block access is possible.

Multijurisdictional Aspects

The international nature of crime on the internet is another challenge facing forensic investigators. Consider a company in country A that is targeted by an attacker in country B who uses relaying proxies in country C to compromise infrastructure via an outsourcing partner in country D and exfiltrates the stolen data to a drop zone in country E. In this scenario, five different countries are involved, meaning the potential coordination of five different law enforcement agencies, engaging at least five different companies, across five different legal jurisdictions. This multiple-country scenario is not unusual today; in fact, it is rather common.

Industry, Academia, and Law Enforcement Collaboration

The increasingly complex and advanced nature of criminal activity on the internet has fostered increased cooperation and collaboration to gather intelligence and evidence and to coordinate investigations.

This collaboration among competing industry peers can be viewed as fighting a common enemy (the banking industry against banking malware, the ISP industry against DDoS and spam, and so on). Such collaboration has also crossed private and public sector boundaries: law enforcement agencies work together with industry partners to combat criminal activity in public-private partnerships (PPPs). This multifaceted cooperation creates opportunities to identify, collect, and transfer digital evidence. The challenge here is ensuring that private partners understand the nature of digital evidence and are able to satisfy the standards expected of law enforcement in the public sector. This will increase the likelihood of successful prosecution based on evidence collected by the private sector.

A third group that is collaborating with industry and law enforcement is the academic research community. This community typically consists of university forensic labs and security research departments that delve into the theoretical and highly technical aspects of computer crime and forensics. These researchers are able to spend time analyzing problems and gaining insight into new criminal methods and forensic techniques. In some cases, they’re able to lend support to law enforcement where the standard forensic tools are not able to extract or analyze the evidence needed. The academic groups must also understand the needs and expectations of managing and preserving digital evidence.

Principles of Postmortem Computer Forensics

The principles of digital forensics as a scientific discipline are influenced by a number of factors, including formally defined standards, peer-reviewed research, industry regulation, and best practices.

Digital Forensic Standards

Standards for the collection and preservation of traditional physical evidence have depended heavily on the local legal jurisdiction. In contrast, digital evidence collection has matured in an international setting and interconnected environment with multiple jurisdictions contributing to the research and the development of standards. Typically hardware, software, file formats, network protocols, and other technologies are the same across the globe. For this reason, standards and processes for collecting digital evidence are more aligned across jurisdictions. A good example is the use of write blockers for attaching disks to imaging machines, a practice that is accepted nearly everywhere worldwide.

Several formal standards bodies exist that define the standards of forensic acquisition. The US National Institute of Standards and Technology (NIST) provides the Computer Forensic Tool Testing (CFTT) program. Its goal is stated here:

The goal of the Computer Forensic Tool Testing (CFTT) project at the National Institute of Standards and Technology (NIST) is to establish a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware.

Although NIST is a US-centric organization, many of its standards are adopted internationally or at least influence the standards bodies in other countries.

The International Organization for Standardization (ISO) also provides a number of standards pertaining to digital evidence. Relevant to forensic acquisition are the ISO Guidelines for identification, collection, acquisition, and preservation of digital evidence:

ISO/IEC 27037:2012 provides guidelines for specific activities in the handling of digital evidence, which are identification, collection, acquisition and preservation of potential digital evidence that can be of evidential value.

It provides guidance to individuals with respect to common situations encountered throughout the digital evidence handling process and assists organizations in their disciplinary procedures and in facilitating the exchange of potential digital evidence between jurisdictions.

Individual police forces may have their own standards that outline the evidence collection process. For example, in the United Kingdom, the Association of Chief Police Officers (ACPO) provides the ACPO Good Practice Guide for Digital Evidence. The guide states:

This best practice guide has been produced by the ACPO Crime Business Area and was originally approved by ACPO Cabinet in December 2007. The purpose of this document is to provide guidance not only to assist law enforcement but for all that assists in investigating cyber security incidents and crime. It will be updated according to legislative and policy changes and re-published as required.

This document references a number of other standards and documents put forth by ACPO and others.

The US Department of Justice maintains Electronic Crime Scene Investigation: A Guide for First Responders. The introduction to the guide states:

This guide is intended to assist State and local law enforcement and other first responders who may be responsible for preserving an electronic crime scene and for recognizing, collecting, and safeguarding digital evidence.

A number of other international organizations contribute to the development of standards through the creation of forensic working groups, committees, and communities.

Peer-Reviewed Research

Another source of digital forensic standards and methods is peer-reviewed research and academic conferences. These resources put forward the latest advances and techniques in the digital forensics research community. Basing forensic work on peer-reviewed scientific research is especially important with newer methods and technologies because they may be untested in courts.

Several international academic research communities exist and contribute to the body of knowledge. The most prominent research journal in the field of forensics is Digital Investigation: The International Journal of Digital Forensics & Incident Response, which has been publishing academic research from the field for more than a decade. The stated aims and scope are described as follows:

The Journal of Digital Investigation covers cutting edge developments in digital forensics and incident response from around the globe. This widely referenced publication helps digital investigators remain current on new technologies, useful tools, relevant research, investigative techniques, and methods for handling security breaches. Practitioners in corporate, criminal and military settings use this journal to share their knowledge and experiences, including current challenges and lessons learned in the following areas:

Peer-reviewed research: New approaches to dealing with challenges in digital investigations, including applied research into analyzing specific technologies, and application of computer science to address problems encountered in digital forensics and incident response.

Practitioner reports: Investigative case studies and reports describing how practitioners are dealing with emerging challenges in the field, including improved methods for conducting effective digital investigations. . . .

The leading digital forensics academic research conference is the Digital Forensics Research WorkShop (DFRWS). This conference began in 2001 and has remained US based, although in 2014, a separate European event was created. The stated purpose of DFRWS is as follows:2

• Attract new perspectives and foster exchange of ideas to advance digital forensic science

• Promote scholarly discussion related to digital forensic research and its application

• Involve experienced analysts and examiners from law enforcement, military, and civilian sectors to focus research on practitioner requirements, multiple investigative environments, and real world usability

• Define core technologies that form a focus for useful research and development

• Foster the discovery, explanation, and presentation of conclusive, persuasive evidence that will meet the heightened scrutiny of the courts and other decision-makers in civilian and military environments

• Establish and expand a common lexicon so the community speaks the same language

• Engage in regular debate and collaborative activity to ensure a sharp focus, high interest, and efficacy

• Maintain a dynamic community of experts from academia and practice

• Increase scientific rigor in digital forensic science

• Inspire the next generation to invent novel solutions

Full disclosure: I am an editor for Digital Investigation and participate in the organizing committee of DFRWS Europe.

Industry Regulations and Best Practice

Industry-specific regulations may place additional requirements (or restrictions) on the collection of digital evidence.

In the private sector, industry standards and best practice are developed by various organizations and industry groups. For example, the Information Assurance Advisory Council (IAAC) provides the Directors and Corporate Advisors’ Guide to Digital Investigations and Evidence.

Other sources include standards and processes mandated by legal and regulatory bodies, for example, the requirements for evidence collection capability in the US Sarbanes-Oxley legislation.

Some digital evidence requirements might depend on the industry. For example, healthcare regulations in a region may specify requirements for data protection and include various forensic response and evidence collection processes in the event of a breach. Telecom providers may have regulations covering log retention and law enforcement access to infrastructure communications. Banking regulators also specify requirements and standards for digital evidence. A good example is the Monetary Authority of Singapore (MAS), which provides detailed standards for the banking community in areas such as security and incident response (http://www.mas.gov.sg/regulations-and-financial-stability/regulatory-and-supervisory-framework/risk-management/technology-risk.aspx).

With the recent increase in cyber attacks targeting different sectors (finance, health, and so on), regulatory bodies may play a larger role in influencing and defining standards for evidence collection in the future.

Principles Used in This Book

This book focuses on forensic tasks that the private and public sectors have in common. The examples begin with a simplified forensic acquisition, and further examples demonstrate additional features and capabilities of the acquisition process. This includes preserving evidence using cryptographic hashing and signing, logging, performance, error handling, and securing an acquired image. I also explain several techniques for imaging over a network, as well as special topics, such as magnetic tapes and RAID systems.

To perform a forensic acquisition, there are several prerequisites:

• The subject drive is attached and recognized by the Linux kernel.

• Write blocking is established.

• The subject drive has been positively identified and documented.

• Full access to the device is possible (HPA, DCO, and ATA security are disabled).

• Time and storage capacity are available to perform the acquisition.

The forensic acquisition process and tools testing are well documented within the digital forensics community, and certain requirements are expected. A useful resource is the CFTT Program instituted by NIST. The top-level forensic-imaging requirements from NIST include the following:

• The tool shall make a bitstream duplicate or an image of an original disk or partition.

• The tool shall not alter the original disk.

• The tool shall log I/O errors.

• The tool’s documentation shall be correct.

These principles, described in a paper published by NIST,3 provide a foundation for the rest of the book. They exist to ensure that evidence integrity is preserved, and tampering is either prevented or detected.
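The following is an added example, not code from the book, of the imaging loop these NIST requirements describe: a bitstream copy that only reads the source, logs every I/O error by sector number, zero-fills unreadable sectors so the image keeps the source's size and offsets, and records a SHA-256 of the image for later integrity verification. It assumes 512-byte sectors; the FaultyDevice class is a constructed stand-in for a failing disk so the example runs offline.

```python
import hashlib
import io

SECTOR = 512  # assumed logical sector size of the source device


class FaultyDevice:
    """Constructed stand-in for a block device: any read that touches one of
    the listed bad sectors fails with EIO, as a failing disk would."""

    def __init__(self, data, bad_sectors):
        self.data = data
        self.bad = set(bad_sectors)
        self.pos = 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        first, last = self.pos // SECTOR, (self.pos + n - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def acquire(dev, dst, total_sectors, block_sectors=8):
    """Bitstream-copy total_sectors from dev into dst.

    Reads several sectors at a time for speed; if a block read fails, retries
    it one sector at a time so that only the unreadable sectors are lost.
    Each failed sector is recorded in the error log and zero-filled (the
    behaviour of dd's conv=noerror,sync) so the image keeps the source's size
    and sector offsets. The source is only ever read, never written.
    Returns (error_log, sha256_of_image).
    """
    errors, digest, sector = [], hashlib.sha256(), 0
    while sector < total_sectors:
        count = min(block_sectors, total_sectors - sector)
        dev.seek(sector * SECTOR)
        try:
            buf = dev.read(count * SECTOR)
        except OSError:
            buf = b""
            for s in range(sector, sector + count):
                dev.seek(s * SECTOR)
                try:
                    buf += dev.read(SECTOR)
                except OSError as err:
                    errors.append((s, str(err)))
                    buf += b"\x00" * SECTOR
        dst.write(buf)
        digest.update(buf)
        sector += count
    return errors, digest.hexdigest()


def verify_image(image_bytes, recorded_hash):
    """Re-hash an image and compare it with the hash recorded at acquisition."""
    return hashlib.sha256(image_bytes).hexdigest() == recorded_hash


def run_demo():
    """Image a constructed 32-sector device with two unreadable sectors."""
    source = bytes(i % 251 for i in range(32 * SECTOR))
    dev = FaultyDevice(source, bad_sectors={5, 21})
    out = io.BytesIO()
    errors, image_hash = acquire(dev, out, total_sectors=32)
    return {"source": source, "image": out.getvalue(),
            "errors": errors, "hash": image_hash}


if __name__ == "__main__":
    r = run_demo()
    for sector, msg in r["errors"]:
        print(f"read error at sector {sector}: {msg}")
    print("image sha256:", r["hash"], "verified:", verify_image(r["image"], r["hash"]))
```

Because the bad sectors are zero-filled, the image hash will not match a hash of the original medium; the recorded hash proves the integrity of the image as acquired, and the error log documents exactly which sectors it does not faithfully represent.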

Some research has challenged views that a complete acquisition can be achieved given the restrictions and limitations of the ATA interface used to access the physical disk.4 A theoretically complete acquisition includes all sectors on magnetic disks and memory beneath the flash translation layer of SSDs and flash drives, and it now extends to the locked-down mobile devices that can’t be imaged with traditional block device methods. It is becoming increasingly difficult to achieve “complete” acquisition of all physical storage of a device. For mobile devices, the forensics community has already made the distinction between physical and logical acquisition, with the latter referring to the copying of files and data rather than the imaging of drive sectors.

For the examples you’ll see in this book, forensic completeness is considered to be acquiring areas of a disk that can be reliably and repeatably accessed with publicly available software tools using published interface specifications. Areas of a disk that are accessible only through nonpublic vendor proprietary tools (in-house diagnostics, development tools, and so on) or by using hardware disassembly (chip desoldering, head assembly replacement, disk platter removal, and so on) are not within the scope of this book.

This has been a brief introduction to the field of digital forensics. Chapter 1 continues with an introduction to storage media technologies and the interfaces used to attach them to an acquisition host.