
SIMULTANEOUS DISK IMAGING
USING OPEN-SOURCE TOOLS
FOR DIGITAL FORENSIC

Presented by:
IBRAHIM YUSOF
SAUFI BUKHARI
WHAT IS DIGITAL FORENSIC?
• Branch of forensic science which involves forensic investigation on digital materials
• Objectives:
– Explain the current state of a digital artifact (registries, storage, documents, packets)
– Analyze information inside digital artifacts to be used as digital evidence
– Recover deleted or lost information
– Analyze how the system is being compromised
BASIC STEPS IN DIGITAL FORENSIC
• Identification: identify the system that will be investigated
• Preservation: isolate and secure the system to prevent further damage or modification
• Collection: obtain digital evidence using disk imaging technique
• Examination and analysis: examine digital evidence to discover specific evidence
• Presentation and decision: present the result of analysis for decision making
WHAT IS DISK IMAGING?
• Process of duplicating a hard disk drive or other storage device sector by sector rather than as separate files
• Operates below the file-system layer (NTFS, Ext2, Ext3)
• Preserves the content, structure, and accounting of the files
• Allows compression and archiving of the image file to save storage space
APPLICABLE DISK IMAGING TOOLS
• Commercial software:
– AccessData Forensic Tool Kit (FTK) Imager
– Guidance Software EnCase
• Open-source software:
– dd: originally developed for UNIX/LINUX system now available for
other OS’s such as Windows
– dcfldd: enhanced version of dd developed by U.S. Department of
Defense Computer Forensics Lab with integrity verification capability
– dd_rescue & GNU ddrescue: another enhanced version of dd with
intelligent error recovery
– aimage: advanced forensic format (AFF) imaging tool with intelligent
error recovery, compression and verification
WHY USE OPEN-SOURCE TOOLS?
• Advantages:
– Save cost
– Can be shared and customized freely

• Disadvantages:
– Require expertise to configure and use
– Most of them do not offer a graphical user interface (GUI) to ease use
• Require execution of a raw disk imaging command
• Example: dcfldd if=/dev/hda of=/media/disk bs=32K hash=md5 md5log=/media/disk/md5log.txt
FORENSIC DISK IMAGING
• Adopts normal disk imaging functionalities
• Advanced functionalities:
– Integrity verification (checksum and hashing)
– Metadata (details about data) preservation
– Imaging logs generation
• Must satisfy digital forensic requirements for disk imaging
– The tool shall not alter the original
– The tool shall perform imaging even if there are I/O errors
– The tool shall compute hash or checksum value and perform
verification
– The tool shall produce accurate and correct documentation

• Drawback: slower imaging process than normal imaging


THE EFFECTS OF ADVANCED FUNCTIONALITIES TO IMAGING SPEED

Chart: imaging speed of normal imaging vs. forensic imaging (series labelled Normal and Forensic; values not recoverable from the text)
WHY USE FORENSIC DISK IMAGING?
• Prepares the exact duplication of the digital
evidence for analysis
• Avoids performing analysis on the original digital
evidence to prevent damage or modification
• Allows the original digital evidence to be duplicated
unlimitedly
BEST TOOLS FOR FORENSIC DISK IMAGING
• dcfldd
– On-fly hashing (hashing is performed during data transfer
from source to destination)
– Image verification and splitting
– Logs generation into external applications

• aimage
– Image verification, compression, and archiving
– Hashing (sha1, md5, sha256)
– Metadata preservation
– Logs generation
HOW TO PERFORM DISK IMAGING?
• Preparations:
– Source hard disk or other storage devices attached to the
target system
– Destination hard disk (external hard disk) USB attachable
much larger than the source hard disk size
– Live CD (Linux): contains disk imaging tool and digital
forensic analysis utilities
CONTINUED…
• Hardware setup:

Figure 1: Illustration of hardware setup


CONTINUED…
• Hands on execution:
– Execute imaging command in Linux terminal (as shown
below)

Figure 2: Sample of dcfldd execution


SIMULTANEOUS DISK IMAGING
• Simultaneous disk imaging: multiple disk imaging executions done at the same time
• WHY?
– Many server computers have more than one hard disk
– To simplify the job of the user to image multiple hard disks
– Time utilization: the user doesn't have to wait for the current imaging process to complete in order to execute the next imaging process
CONTINUED…
• HOW?
– Use existing functionalities of Linux OS which allows
multiple commands to be executed
– Examples:
• command1 & command2;
• command1 ; command2;
• PROBLEM: long and complicated command to
execute
• SOLUTION: use of graphical user interface (GUI) to
generate the command automatically
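As an added example (not part of the slides or of the (AFF) Imager tool), the POSIX shell script below does what the two slides above describe: it starts one imaging job per source disk in the background (command1 & command2 & ...), keeps imaging past read errors, hashes source and image and verifies them, and writes a log per image. It uses plain dd and sha256sum/shasum instead of dcfldd/aimage so it runs anywhere; the disk files and directory names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the slides: image several "source disks" at the same
# time with plain dd, hashing source and image (SHA-256) and verifying they match.
set -u

# Portable SHA-256 (assumes GNU sha256sum or BSD/Perl shasum is installed).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# image_disk SRC DST LOG: forensic-style copy of SRC to DST.
# conv=noerror,sync keeps reading past I/O errors and zero-fills unreadable
# blocks; dd's own record counts go to LOG, followed by both hashes, so the
# image can be verified later. Returns non-zero if the hashes differ.
# Note: sync pads the final short block, so SRC must be a multiple of bs
# (use bs=512 for an arbitrary device) or the hashes will not match.
image_disk() {
    src=$1; dst=$2; log=$3
    dd if="$src" of="$dst" bs=32k conv=noerror,sync 2>>"$log" || return 1
    src_hash=$(hash_file "$src"); dst_hash=$(hash_file "$dst")
    printf 'source %s sha256=%s\nimage %s sha256=%s\n' \
        "$src" "$src_hash" "$dst" "$dst_hash" >>"$log"
    [ "$src_hash" = "$dst_hash" ]
}

# image_all DIR SRC...: many-to-one mode. Every source is imaged into DIR by a
# background job (command1 & command2 & ...); wait collects each job's exit
# status, so the function succeeds only if every image verified.
image_all() {
    dir=$1; shift; pids=""
    for disk in "$@"; do
        name=$(basename "$disk")
        image_disk "$disk" "$dir/$name.dd" "$dir/$name.log" &
        pids="$pids $!"
    done
    status=0
    for pid in $pids; do wait "$pid" || status=1; done
    return $status
}

# Constructed demo: two small random "disks" (multiples of 32k) imaged together.
run_demo() {
    work=${TMPDIR:-/tmp}/simimg.$$
    mkdir -p "$work/src" "$work/evidence"
    dd if=/dev/urandom of="$work/src/sda" bs=32k count=2 2>/dev/null
    dd if=/dev/urandom of="$work/src/sdb" bs=32k count=3 2>/dev/null
    image_all "$work/evidence" "$work/src/sda" "$work/src/sdb" && cat "$work/evidence"/*.log
}
```

For the many-to-many mode of the later slides, call image_disk once per source with a destination directory on a different disk for each job.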
OUR GRAPHICAL USER INTERFACE (GUI)
OVERVIEW – (AFF) Imager 1.0.x
• Based on AIR (Automated Image and Restore) – GUI front-end to
dd/dc3dd created by Steve Gibson
• Using Perl/tk programming language
• Currently developed specifically for Linux (SUSE 10.2)
• Allows two imaging processes to be executed at once
• No memorization of long and complicated commands required
• Collaboration with aimage (AFF disk imaging tool)
• WHY we chose aimage? Its functionalities most meet current digital forensic requirements

Screenshot of the (AFF) Imager GUI, labelled: dual source and destination browser; imaging options tab (checkbox based); Start button; Stop button
DIFFERENT MODES OF SIMULTANEOUS DISK
IMAGING
• Many to one: multiple source hard disk being imaged and
stored into one destination hard disk

Figure 3: Many to one mode illustration


CONTINUED…
• Many to many: multiple source hard disk being imaged and
stored into multiple destination hard disks

Figure 4: Many to many mode illustration


MANY TO ONE vs. MANY TO MANY

Figure 5: Average imaging rate comparison of simultaneous disk imaging modes (chart labelled "Normal mode"; values not recoverable from the text)


CONCLUSIONS
• In forensic disk imaging, integrity and accuracy are
more important than speed
• Open-source disk imaging tool can be very reliable
with additional improvement (e.g.: GUI)
• The usage of graphical user interface (GUI) simplifies
the process of imaging significantly
• Simultaneous imaging (many to many) is another
way to simplify the imaging process and save
imaging time
– Requires additional storage devices to perform best
THANK YOU FOR YOUR ATTENTION…

Q&A
