Pattern Recognition and Applications Lab
Università di Cagliari, Italia
Dipartimento di Ingegneria Elettrica
ed Elettronica
Computer Forensics
Ing. Davide Ariu
May 29th, 2018
http://pralab.diee.unica.it
Definition
“Digital forensics, also known as computer and network forensics, has many definitions. Generally, it is considered the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. Data refers to distinct pieces of digital information that have been formatted in a specific way.”
NIST - Guide to Integrating Forensic Techniques into Incident Response
Devices subject to analysis
“Digital forensics, also known as computer and network forensics…”
The variety of names used to refer to this discipline reflects the variety of devices which might be subject to analysis:
Laptop, Desktop, Server
Network Devices (e.g. Router, Switch)
Smartphones, Tablets, Mobile Phones
Removable Devices (External Hard Drives, USB sticks, Memory Cards, Mice with internal memory…)
MP3 Players, …
Consoles (Nintendo Switch/(3)DS/Wii, Sony PlayStation(s), Microsoft Xbox)
Wearables (e.g. Smart-watch, Activity Trackers, Smart Glasses, …)
Internet of Things, …
Medical Devices, Printers, Video recorders…
Any device able to store information might be subject to forensic analysis
Vuzix M100 (image slides)
IoT & Smart Devices
The four steps
“…application of science to the identification, collection, examination, and analysis of data…”
Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data.
Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data.
Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.
Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process.
NIST - Guide to Integrating Forensic Techniques into Incident Response
Preserving Data Integrity
“while preserving the integrity of the information and maintaining a strict chain of custody for the data”
Preserving data integrity
Principle: Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination. For these reasons special precautions should be taken to preserve this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion.
“Evidence allows the judge to correctly reconstruct and prove the facts asserted by the parties during the trial” (Computer Forensics, A. Ghirardini, G. Faggioli)
Chain of custody
Before the analyst begins to collect any data, a decision should be made […] on the need to collect and preserve evidence in a way that supports its use in future legal or internal disciplinary proceedings. […] a clearly defined chain of custody should be followed to avoid allegations of mishandling or tampering of evidence. This involves keeping a log of every person who had physical custody of the evidence, documenting the actions that they performed on the evidence and at what time, storing the evidence in a secure location when it is not being used, making a copy of the evidence and performing examination and analysis using only the copied evidence, and verifying the integrity of the original and copied evidence.
Three ways of acquiring forensic data*
Seizure. Not always possible:
Large systems (e.g. rackmount servers)
Systems which cannot be turned off (e.g. SCADA/Industrial Control Systems)
Network traffic or volatile data (e.g. RAM contents)
Duplication. The most typical situation. It consists in making a forensic copy of the device and using it for data extraction and analysis.
Interception. Data can be acquired while it is flowing from one system to another. Data is not read from the device where it is stored, but instead intercepted during transmission.
In any case, the first problem the investigator must face is to identify the devices where information relevant to the investigation can be found.
*Computer Forensics, A. Ghirardini, G. Faggioli
Non-repeatable analysis
It is of utmost importance, before starting the analysis, to establish whether or not it is repeatable, as non-repeatable analyses are typically subject to a different discipline.
E.g. the Italian Code of Criminal Procedure (c.p.p.):
Art. 359 c.p.p. (Technical consultants of the Public Prosecutor) provides that the Public Prosecutor (P.M.), when carrying out technical assessments, identification, descriptive or photographic surveys and any other technical operation requiring specific expertise, may appoint and make use of consultants, who cannot refuse to perform the work.
Art. 360 c.p.p. (Non-repeatable technical assessments) provides that, when the assessments under Art. 359 concern persons, things or places whose state is subject to change, the P.M. notifies without delay the person under investigation, the victim of the offence and the defence counsel of the day, time and place set for the conferral of the assignment and of their right to appoint technical consultants.
Layers of analysis based on the design of digital data
*B. Carrier – File System Forensic Analysis, Wiley
Process of analyzing data from the physical level up to the application level
*B. Carrier – File System Forensic Analysis, Wiley
Hard Disk Geometry
Each track is divided into sectors; the sector is the smallest addressable storage unit in the hard disk and is typically 512 bytes.
Each sector is uniquely identified by:
The platter number
The track number
The sector number
Volumes and Partitioning
While analysing storage devices, it must be considered that the requirements of the operating system and of the applications usually make the physical layout differ from the logical one.
Examples:
I have a large storage device (1 TB) and want data stored in a volume separate from the operating system and the applications:
A 250 GB volume is created for OS and applications
A 750 GB volume is created for data
I want a virtual volume larger than any single device available to me, e.g. RAID
Volumes and Partitioning
Volume. A set of addressable sectors which the operating system or the applications might use to store data.
It is not necessary that the sectors are physically located in adjacent areas of the same physical device.
A volume might be obtained by merging smaller physical devices.
Volumes and Partitioning
Partition. A collection of consecutive sectors on a volume.
Why partition a volume:
Some file systems cannot handle large volumes
UNIX systems typically use separate partitions for OS and data in order to minimise the damage in case of a corrupted file system
Dual boot
mmls (Sleuth Kit) allows inspecting the partition table
File System
File System. Allows organising and storing data on a volume through a hierarchy of files and directories.
Separates the physical management of the data on the disk from their logical organisation (files and directories), which is managed by the OS, applications, and users.
Manages file names, creation, deletion, and modification.
Associates metadata with the files:
Size
Date and time of creation, last modification, and last access
Permissions
Evidence acquisition and analysis
From the previous slides, it emerges that a possible way to analyse a hard drive is as follows:
Make a copy of the storage medium:
Physical copy
Logical copy
Analyse every single partition
Within each partition, analyse both the file system and the files
Acquiring Digital Evidence
Preserving data integrity
The first step must always consist of making a copy of the digital medium, in order to freeze the evidence it might contain.
Several problems might arise from working directly on the original data:
The content of the device might be altered (accidentally or not)
An HDD connected to an operating system automatically receives data from it by the simple fact of being connected
Whenever a file is opened, the last access date is automatically modified
Human error
Risk of damaging the medium
Even if the medium is apparently healthy, the analysis might be somehow stressful for the device, which might end up damaged
If the medium is already in a bad/critical condition, such probability is of course higher
Human error
Acquiring Digital Evidence
It is a best practice:
To make a copy of the device, proving that it is 100% identical to the original
Hash/checksum (e.g. md5sum, sha256sum) on both the source and the copy
Guymager (http://guymager.sourceforge.net, free) or commercial alternatives (FTK Imager, EnCase Imager) allow calculating the hash while making the copy
Save time!!!
To make a copy of the copy
Hash check
To work on the copy of the copy
Before starting – Pictures & Video
Making a forensic copy
Any writing from the computer/device used for the analysis onto the medium must be prevented
Even a simple connection through the USB port, without any reading, is able to change the content of the disk
E.g. the OS creates hidden files useful to make the preview of the contents faster (e.g. Thumbs.db on Windows or .DS_Store on OS X)
This changes the hash
Write blockers must be used
Hardware (e.g. Tableau - Guidance Software)
Software (Linux distros with auto-mount disabled)
CAINE - http://caine-live.net
DEFT - http://deftlinux.net
Finding Disks and Partitions
On UNIX machines the list of the disks and of the volumes can be obtained by typing
fdisk -l*
Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 testine, 63 settori/tracce, 30401 cilindri, totale 488397168 settori
Unità = settori di 1 * 512 = 512 byte
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Identificativo disco: 0x42224222
Dispositivo Boot      Start         End      Blocks   Id  System
/dev/sda1                63     9439231     4719584+  82  Linux swap / Solaris
/dev/sda2   *       9446220    47391532    18972656+  83  Linux
/dev/sda3          47391750   145693484    49150867+  83  Linux
/dev/sda4         145693485   488392064   171349290   83  Linux
*requires administrator privileges
Bitstream copy
Once the disk or the partitions to copy have been identified, it is possible to start with a bit-to-bit copy
UNIX systems natively provide a command which can be used for such purpose: dd
It allows saving the copy onto an image file
It allows cloning one device onto another (whose size must be >= that of the source)
Examples:
Image file: dd if=/dev/hda of=/mnt/sda/disco.dd bs=512 conv=noerror,sync
Disk cloning: dd if=/dev/hda of=/dev/hdb
Zeroing a hard drive: dd if=/dev/zero of=/dev/hdb
Checksums must always be verified
Example: md5sum /dev/hda and md5sum /mnt/sda/disco.dd shall produce the same result.
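The following Python script is an added example (it is not from the slides, nor from the dd sources): on a constructed in-memory "device" written to a temporary file it reproduces what the acquisition slides prescribe, that is a sector-by-sector copy with the semantics of conv=noerror,sync, a working copy of the copy, and the hash comparison between source and image. The device contents, the simulated bad sector and the file names are all constructed for the demo. It also shows a caveat the slides leave implicit: a block padded with zeros by noerror,sync keeps every later sector at its correct offset, but it necessarily makes the image hash differ from the source, so a read error must be recorded in the acquisition log rather than treated as a failed verification.

```python
"""Sector-by-sector acquisition with dd-style conv=noerror,sync semantics
and hash verification of source, image and working copy.

Added example, not part of the original slides. The "device" is a constructed
byte string written to a temporary file: no real disk is read or written.
"""
import hashlib
import os
import tempfile

SECTOR = 512  # bs=512, as in the slides' dd examples


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks (sha256sum equivalent)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(src, dst, bad_sectors=frozenset(), bs=SECTOR):
    """Copy src to dst one sector at a time, like dd if=src of=dst bs=bs conv=noerror,sync.

    noerror: a sector that cannot be read does not abort the copy.
    sync:    the unreadable sector (and a short final read) is padded with NUL
             bytes to a full block, so every later sector keeps its offset.
    Read errors are simulated by the constructed `bad_sectors` set of sector
    numbers. Returns the number of sectors that were padded.
    """
    padded = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        n = 0
        while True:
            chunk = fin.read(bs)
            if not chunk:
                break
            if n in bad_sectors:
                fout.write(b"\x00" * bs)  # simulated read error: zero-filled block
                padded += 1
            else:
                fout.write(chunk.ljust(bs, b"\x00"))
            n += 1
    return padded


def verify(original, copy):
    """The check required in the slides: source and image hashes must match."""
    return sha256_file(original) == sha256_file(copy)


def demo(bad_sectors=frozenset()):
    """Acquire a constructed 8-sector device, then make a working copy of the image.

    Returns (padded sectors, source == image, image == working copy).
    """
    device = b"".join(bytes([i]) * SECTOR for i in range(8))  # constructed data
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "pendrive")           # stands in for the physical device
        img = os.path.join(d, "pendrive.dd")        # forensic image
        work = os.path.join(d, "pendrive-work.dd")  # copy of the copy, used for analysis
        with open(src, "wb") as f:
            f.write(device)
        padded = acquire(src, img, bad_sectors)
        acquire(img, work)
        return padded, verify(src, img), verify(img, work)


if __name__ == "__main__":
    print("clean acquisition (padded, src==img, img==work):", demo())
    print("read error in sector 3:", demo({3}))
```

With no read errors all three hashes agree; with a simulated error in sector 3 the working copy still matches the image (so the analysis copy is sound), but the image no longer matches the device, which is exactly the situation the acquisition log has to explain.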
Image Creation Tools
Issues - 1
RAID
Both HW & SW
As a first step, it is usually useful to make a physical copy of every single device
Then, it is also useful to create an image of the whole volume, which is of course much easier to analyse
If a RAID controller is available (e.g. on the seized machine), we can possibly use it to rebuild the volume
Otherwise, we can use software utilities, such as mdadm* available on UNIX systems
Issues with RAID systems:
Size of the volume
Non-standard RAID implementations
Encrypted volumes
Mandatory: get the key!!!
Recommendation: think twice before powering off a machine!!
*https://raid.wiki.kernel.org/index.php/RAID_setup
A real case: WD Share Space (image slides)
Issues - 2
Solid State Drives
Forensically speaking, they are significantly different from traditional magnetic hard drives*
Organised in pages of 2 KiB or 4 KiB
Nevertheless presented to the OS as divided in chunks of 512 bytes
Rewriting a specific block doesn't necessarily mean rewriting the same page on the flash device
A sector of a magnetic hard drive can be rewritten millions of times
A page of an SSD device can be rewritten approximately 10,000 times
For this reason, SSD controllers implement algorithms which distribute writes across pages and thus make the degradation uniform
A page cannot simply be overwritten: it must first be erased before being reused
As soon as a file is deleted, the controller takes care of erasing the corresponding pages, so that they are immediately available for new writes
The total page capacity is typically 25% higher than that made available to the operating system
Encryption
*http://www.forensicswiki.org/wiki/Solid_State_Drive_(SSD)_Forensics
http://belkasoft.com/en/ssd-2014
Issues - 3
Device Analysis
Once we have copied the device, we have two options to analyse it:
Physical Analysis.
Tries to recover data from the whole hard drive, without considering the file system and thus without any logical organisation
Keyword search; File carving; Partition tables; Unallocated space
Cons:
Information is not organised: data might be allocated in non-adjacent sectors
Time consuming (a 2 TB disk has 4 billion sectors…)
Not a starting point. Typically follows a Logical Analysis
Logical Analysis.
Much more convenient if the file system is not corrupted.
Allows working directly on files instead of blocks
Keyword search is much more efficient
Leverages applications to read proprietary file formats
File Carving
File Carving is a search technique which relies on file contents instead of metadata
Metadata is provided by the file system, which is ignored during carving
Typically, carving is based on the analysis of file headers and footers:
For every file type a header/footer pair is defined
Headers and footers are sequences of bytes which make it possible to immediately recognise the file type
E.g. JPEG has header FF D8 and footer FF D9 (hexadecimal)
The carving tool looks for the file header
Once it finds it, it also analyses the following sectors, looking for the footer. If it finds it, the file is recovered.
Issue: fragmentation.
Carving variants
Header is searched only at the beginning of a sector
Embedded files are not recovered
Statistical Carving, SmartCarving
The content of the block is analysed to check whether it is similar to that of the neighbouring ones
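As an added example, not part of the slides nor of the carving tools they mention (Foremost, PhotoRec, Scalpel), the script below implements the header/footer algorithm described above for JPEG (FF D8 … FF D9) over a constructed six-sector image, including the "header only at the beginning of a sector" variant and a maximum carve size. The three files inside the image are built in code (constructed data): one contiguous and sector aligned, one fragmented across two non-adjacent sectors, one embedded in the middle of a sector, so that the output shows both the success case and the fragmentation failure the slide mentions.

```python
"""Header/footer carving of JPEG files from a raw image.

Added example, not part of the slides or of the carving tools they mention
(Foremost, PhotoRec, Scalpel). The image and the files inside it are
constructed in build_image(); no real disk data is used.
"""
SECTOR = 512
JPEG_HEADER = b"\xff\xd8"  # FF D8, as in the slides
JPEG_FOOTER = b"\xff\xd9"  # FF D9


def carve_jpeg(image, sector_aligned=False, max_size=None):
    """Return a list of (offset, data) for every JPEG carved from `image`.

    Basic algorithm of the slides: find the header, then scan forward for the
    footer; if found, the bytes between them are the recovered file.
    sector_aligned: accept only headers lying at a sector boundary (the carving
        variant of the slides; embedded files are then skipped).
    max_size: give up on a header when no footer follows within this many
        bytes (a fragment or a false positive); None means scan to the end.
    """
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start < 0:
            break
        if sector_aligned and start % SECTOR != 0:
            pos = start + 1
            continue
        limit = len(image) if max_size is None else min(len(image), start + max_size)
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), limit)
        if end < 0:
            pos = start + 1          # no footer in range: keep scanning
            continue
        end += len(JPEG_FOOTER)
        found.append((start, image[start:end]))
        pos = end                    # resume after the carved file
    return found


def build_image():
    """Constructed 6-sector region of unallocated space with three JPEG-like files.

    sector 0: file A, contiguous and sector aligned (the easy case)
    sector 1: first 200 bytes of file B; the remaining 104 bytes sit in sector 3
              (fragmented: header and footer are not contiguous)
    sector 2: file C at byte 77 of the sector (embedded / not sector aligned)
    """
    def jpeg(payload):
        return JPEG_HEADER + payload + JPEG_FOOTER

    a = jpeg(b"A" * 100)       # 104 bytes
    b = jpeg(b"B" * 300)       # 304 bytes, stored in two fragments
    c = jpeg(b"C" * 40)        # 44 bytes
    image = bytearray(6 * SECTOR)
    image[0:len(a)] = a
    image[SECTOR:SECTOR + 200] = b[:200]
    image[2 * SECTOR + 77:2 * SECTOR + 77 + len(c)] = c
    image[3 * SECTOR:3 * SECTOR + len(b) - 200] = b[200:]
    return bytes(image)


def summary(image, **kwargs):
    """(offset, length) of each carved file; handy for comparing the variants."""
    return [(off, len(data)) for off, data in carve_jpeg(image, **kwargs)]


if __name__ == "__main__":
    img = build_image()
    print("naive carving:           ", summary(img))
    print("max_size=400:            ", summary(img, max_size=400))
    print("sector aligned, max 400: ", summary(img, sector_aligned=True, max_size=400))
```

Without a size limit the header of the fragmented file B is paired with the footer of file C, producing one bogus 633-byte "JPEG" and swallowing C; with max_size=400 the fragment is abandoned and C is recovered correctly; with sector alignment only file A survives, because the embedded C is not at a sector boundary, which is the trade-off the slide describes.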
Finding the evidence
The kind of evidence sought heavily depends on the specific case
Searches which are frequently made are*:
Keyword (e.g. Autopsy, EnCase)
Deleted files
File categories, names, directories
Carving (frequently used tools are Foremost, PhotoRec, Scalpel)
Carving within Thumbs.db files
Browser history
Installed applications
Virtual machines
Cracking of protected files/applications
Files in proprietary formats
Starting from the hard drive image, it is useful to create a virtualised environment and to leverage the installed applications
*N. Bassetti, Indagini Digitali
A single professional profile. Multiple roles.
CT: Consulente Tecnico (technical consultant), e.g. of the Public Prosecutor (P.M.), in criminal proceedings.
CTP: Consulente Tecnico di Parte (party-appointed technical consultant), in criminal and civil proceedings.
CTU: technical consultant appointed by the judge, in civil proceedings.
PERITO: technical consultant appointed by the judge, in criminal proceedings.
Ausiliario di Polizia Giudiziaria (judicial police assistant), Art. 348, paragraph IV: “When the judicial police, on their own initiative or following delegation by the Public Prosecutor, carry out acts or operations requiring specific technical expertise, they may make use of suitable persons, who cannot refuse to perform the work.”
As ruled by the Corte di Cassazione, “any act performed by the judicial police assistant in the exercise of his functions is to be considered an act of the judicial police itself”; he therefore takes on the status of public official and operates under the direction and control of the judicial police (P.G.).
Forensic Inspections - Examples
Example #1. Carry out, by means of repeatable assessments, the examination of the seized hard disk, in order to ascertain:
Correct technical functioning and accessibility of the device
Detection of the data contained therein, with particular reference to video files
Possible recovery of data removed from the device
Example #2. … following examination of the seized computer material (personal computer and other electronic devices listed in more detail in the seizure reports), carry out the duplication of all data, information, programs and/or computer systems (“stored” in the seized exhibits) onto suitable media, by means of a procedure that ensures the conformity of the copy to the original and its non-modifiability.
Forensic Inspections - Examples
Example #3. … search the seized computer material for any element concerning the matter […]; in particular, identify numeric and/or alphanumeric sequences attributable to […]; the existence of accounting documents […]; messages and chats between the subjects involved in the ongoing investigation […]”
Example #4. … ascertain the content, the origin, the dating and every other particular descriptive aspect (also by preparing photographic images) of the files contained therein that are of interest for the investigation […], and whether the characteristics of the files (and their creation dates) have been altered or modified and, in any case, whether traces of alterations can be detected.
Final Reporting
The final report (to be delivered, for example, to the P.M. if CT/CTP or to the judge if CTU) is a document that must present and summarise:
The activities carried out
The results obtained
It is important:
That the report be readable and reasonably understandable also by non-technical personnel
You are electronics/computer engineers
The judge, the lawyer and the P.M. have a legal background
Therefore:
It is important to use the utmost precision of language
Explaining the less clear concepts in language accessible to a non-technical audience (and providing bibliographic references, possibly from authoritative sources)
Using Italian words wherever an acceptable translation exists
A report that cannot be understood may turn out to be useless or lead to wrong conclusions
Final Reporting
Possible structure of a report
Introduction. Explains the context in which the activity was carried out, who took part in the analysis, and provides the references to the proceedings.
Description of the question. It is sufficient to report the question as stated in the assignment conferral record.
Description of the material subjected to analysis. It is useful to summarise the characteristics of the material that have a concrete impact on the choice of the most appropriate intervention method.
Photographs of the material under analysis are often attached, highlighting for example model and serial number.
Methodologies and intervention procedures. Describe the hardware and software tools used and the procedures carried out.
Tools and procedures must be chosen consistently with the characteristics of the devices and with the question to be answered.
Results. For each point of the question, it is necessary to illustrate what the intervention procedures carried out made it possible to ascertain.
Conclusions. Briefly summarise the most relevant results, in relation to the questions posed.
You are not the judge, you are the experts. In formulating the conclusions, it is appropriate to maintain a neutral position.
Open Source Distros
References
http://linuxleo.com
http://forensicswiki.org
http://www.cfitaly.net
http://deftlinux.net
http://caine-live.net
http://santoku-linux.com
Hands-On
1. Acquire the USB stick using the dd command; use the option bs=512 to specify the sector size and the option conv=noerror,sync to let the command proceed even if an error condition occurs during the copy
2. Using a hash function, verify that the content of the image file corresponds exactly to that of the stick
3. Using the fdisk command, inspect the partition table of the USB stick and of the acquired file.
Hint: use the -l option
4. Using Foremost and PhotoRec (available in Partition 2 of the stick), carve the stick, recovering any previously deleted files
5. Using the mount command, mount from the command line at least one of the partitions present in the disk image
Hint: use the command losetup /dev/loop0 pendrive.dd -o OFFSET to create a virtual disk to be mounted subsequently using mount
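To connect steps 3 and 5 with the fdisk -l listing shown in the "Finding Disks and Partitions" slide (and with what mmls prints for the same table), here is an added Python example, not part of the slides, that parses the classic MBR partition table from the first 512 bytes of an image and computes the byte OFFSET (start sector × 512) to pass to losetup. The MBR is constructed in code with the same four entries as the fdisk listing in the slides; the /dev/sdX names, the TYPE_NAMES mapping and the -r (read-only) flag in the generated command are my additions.

```python
"""Parse an MBR partition table from a raw image and compute losetup offsets.

Added example, not part of the slides. The 512-byte MBR is constructed in
build_mbr(); its four entries reproduce the geometry of the fdisk -l listing
shown in the slides (start/end sectors and types), so the offsets computed
here are the ones for that disk. Device names are placeholders.
"""
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446       # boot code occupies bytes 0..445
MBR_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"  # at bytes 510..511

# Type ids seen in the slides' fdisk output (assumption: only these two are mapped)
TYPE_NAMES = {0x82: "Linux swap / Solaris", 0x83: "Linux"}


def parse_mbr(mbr):
    """Return one dict per used entry of the classic (non-GPT) MBR table.

    Entry layout, little-endian: status(1) CHS start(3) type(1) CHS end(3)
    LBA start(4) sector count(4). The LBA start is what fdisk/mmls report as
    Start; start * 512 is the byte offset `losetup -o` needs for one partition.
    """
    if len(mbr) < 512 or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA MBR signature: not an MBR (GPT disk or not a disk image)")
    parts = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + MBR_ENTRY_SIZE * i
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", mbr[off:off + MBR_ENTRY_SIZE])
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({
            "device": f"/dev/sdX{i + 1}",              # placeholder, not a real device name
            "boot": status == 0x80,
            "type": ptype,
            "system": TYPE_NAMES.get(ptype, f"0x{ptype:02x}"),
            "start": lba_start,
            "end": lba_start + count - 1,
            "blocks": f"{count // 2}{'+' if count % 2 else ''}",  # 1 KiB blocks, fdisk style
            "offset": lba_start * SECTOR,               # byte offset for losetup -o
        })
    return parts


def losetup_command(part, image, loop="/dev/loop0"):
    """Command to map one partition of `image` to a loop device.

    -r (read-only) is an addition to the hands-on hint: the image must not be
    modified during analysis, so mount the loop device read-only too (mount -o ro).
    """
    return f"losetup -r -o {part['offset']} {loop} {image}"


def build_mbr(entries):
    """Constructed MBR: entries are (bootable, type, start_lba, sector_count)."""
    mbr = bytearray(512)
    for i, (boot, ptype, start, count) in enumerate(entries):
        off = MBR_TABLE_OFFSET + MBR_ENTRY_SIZE * i
        # CHS fields set to FE FF FF, the conventional "beyond CHS range, use LBA" value
        mbr[off:off + MBR_ENTRY_SIZE] = struct.pack(
            "<B3sB3sII", 0x80 if boot else 0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def slides_disk():
    """The four partitions of the fdisk -l listing in the slides, parsed from a constructed MBR."""
    return parse_mbr(build_mbr([
        (False, 0x82, 63, 9439231 - 63 + 1),
        (True, 0x83, 9446220, 47391532 - 9446220 + 1),
        (False, 0x83, 47391750, 145693484 - 47391750 + 1),
        (False, 0x83, 145693485, 488392064 - 145693485 + 1),
    ]))


if __name__ == "__main__":
    for p in slides_disk():
        print(f"{p['device']} {'*' if p['boot'] else ' '} {p['start']:>10} {p['end']:>10} "
              f"{p['blocks']:>10} {p['system']}  ->  {losetup_command(p, 'disco.dd')}")
```

Running it reproduces the Start/End/Blocks columns of the slide's listing and prints, for each partition, the losetup line to run before mount; for the first partition of that disk the offset is 63 × 512 = 32256 bytes.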