Digital Forensics Dr. Bhavani Thuraisingham
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #10 Forensics Tools and Standards September 23, 2009

Outline
Review
Forensics Tools
Standards
File Systems (Unix, Linux)
Reference: Chapters 7 and 8 of Textbook; http://www.cftt.nist.gov/NISTIR_7490.pdf

Review Part 2
Lecture #8: Windows File System and Forensics
Lecture #9: Forensics Tools

Forensics Tools
Hardware Forensics Tools
  Range from single-purpose components (e.g., devices) to complete systems (forensics workstations)
Software Forensics Tools
  Analysis tools such as ProDiscover and EnCase

Functions of Forensics Tools
Acquisition
Validation and Discrimination
Extraction
Reconstruction
Reporting
A comparison of some forensics tools (ProDiscover, AccessData, EnCase) is given on page 277 of the Textbook

Functions of Forensics Tools - 2
Acquisition
  Tools for data acquisition: physical data copy, logical data copy, data acquisition format, GUI acquisition
Validation and Discrimination
  Integrity of the data; also includes hashing, filtering, and analyzing file headers
Extraction
  Recovery task: data viewing, keyword searching, decompressing
Reconstruction
Reporting

Functions of Forensics Tools - 3
Reconstruction
  Recreate the crime scene (suspect drive): disk-to-disk copy, image-to-disk copy, etc.
Reporting
  Report generation tools help the examiner prepare the report
  They also help to log reports

Software Tools
Command line forensics tools
Unix/Linux forensics tools: SMART, Helix, Autopsy and Sleuth Kit
GUI Forensics Tools: visualizing the data is important to understand the data

Hardware Tools
Forensics workstations
  How to build a workstation
  What are the components
  How are the workstations connected in a lab
  How can distributed forensics be carried out
Write Blockers
  Write blocker devices to protect evidence disks (see the discussion in Chapter 4 under data acquisition)

Validating Forensics Tools
NIST (National Institute of Standards and Technology) is coming up with standards for validation (will be discussed under standards)
  Establish categories for forensics tools
  Identify forensics category requirements
  Develop test assertions
  Identify test cases
  Establish test method
  Report test results
Chapter 7 discusses validation protocols as well as some examination protocols

NIST Standards
There are three digital forensics projects at the National Institute of Standards and Technology (NIST). These projects are supported by the U.S. Department of Justice's National Institute of Justice (NIJ), federal, state, and local law enforcement, and the National Institute of Standards and Technology Office of Law Enforcement Standards (OLES) to promote efficient and effective use of computer technology in the investigation of crimes involving computers. These projects are the following:
• National Software Reference Library (NSRL)
• Computer Forensic Tool Testing (CFTT)
• Computer Forensic Reference Data Sets (CFReDS)

NSRL
The NSRL is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) including hashes of known files created when software is installed on a computer. The law enforcement community approached NIST requesting a software library and signature database that meets four criteria:
• The organizations involved in the implementation of the file profiles must be unbiased and neutral.
• Control over the quality of data provided by the database must be maintained.
• A repository of original software must be made available from which data can be reproduced.
• The database must provide a wide range of capabilities with respect to the information that can be obtained from file systems under investigation.

NSRL The primary focus of the NSRL is to aid computer forensics examiners in their investigations of computer systems. The majority of stakeholders are in federal, state and local law enforcement in the United States and internationally. These organizations typically use the NSRL data to aid in criminal investigations.
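The "Validation and Discrimination" function above (hashing, filtering, analyzing file headers) and the NSRL RDS slides describe the same workflow: hash every file on the evidence drive, filter out the ones whose hash is in the known-file set, and flag files whose header disagrees with their extension. The following is an added example, not code from the lecture, the textbook or NIST; the magic-number table, the sample files and the one-entry "RDS subset" are all constructed inline.

```python
import hashlib

# Constructed magic-number table for header analysis: leading bytes -> extensions they imply
MAGIC = {
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "jar"},
    b"MZ": {"exe", "dll", "sys"},
}

def sha1_hex(data: bytes) -> str:
    """NSRL RDS rows carry SHA-1 (plus MD5/CRC32); SHA-1 is the lookup key used here."""
    return hashlib.sha1(data).hexdigest()

def header_extensions(data: bytes):
    """Return the extensions implied by the file header, or None if no signature matches."""
    for magic, exts in MAGIC.items():
        if data.startswith(magic):
            return exts
    return None

def triage(files: dict, known_hashes: set) -> dict:
    """Classify each file as 'known' (filter out), 'mismatch' (header disagrees with the
    extension) or 'review' (unknown hash, header consistent or not recognised)."""
    verdicts = {}
    for name, data in files.items():
        if sha1_hex(data) in known_hashes:
            verdicts[name] = "known"        # hash found in the reference data set
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        implied = header_extensions(data)
        if implied is not None and ext not in implied:
            verdicts[name] = "mismatch"     # e.g. an executable renamed with a .pdf extension
        else:
            verdicts[name] = "review"
    return verdicts

# Constructed sample files (not real evidence) and a constructed one-entry RDS subset
SAMPLE_FILES = {
    "notepad.exe": b"MZ\x90\x00" + b"\x00" * 60,          # stands in for a known OS binary
    "photo.jpg":   b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",   # header agrees with extension
    "report.pdf":  b"MZ\x90\x00" + b"\x00" * 20,          # executable disguised as a PDF
    "notes.txt":   b"meeting at noon\n",                  # no signature in the table
}
KNOWN_HASHES = {sha1_hex(SAMPLE_FILES["notepad.exe"])}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES, KNOWN_HASHES).items():
        print(f"{name:12} {verdict}")
```

Against a real RDS the hash set would be loaded from the NSRL export rather than computed from the files themselves; the filtering and header logic stays the same.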

CFTT
The goal of the CFTT project at NIST is to establish a methodology for testing computer forensic software tools through the development of general tool specifications, test procedures, test criteria, test sets, and test hardware. The results provide the information necessary for toolmakers to improve tools, for users to make informed choices about acquiring and using computer forensics tools, and for interested parties to understand the tools' capabilities. The testing methodology developed by NIST is functionality driven. The activities of forensic investigations are separated into discrete functions, such as hard disk write protection, disk imaging, string searching, etc. A test methodology is then developed for each category. After a test methodology is developed it is posted to the web.

CFReDS
The Computer Forensic Reference Data Sets (CFReDS) provide to an investigator documented sets of simulated digital evidence for examination. Since CFReDS has documented contents, such as target search strings seeded in known locations, investigators can compare the results of searches for the target strings with the known placement of the strings. Investigators can use CFReDS in several ways including validating the software tools used in their investigations, equipment check out, training investigators, and proficiency testing of investigators as part of laboratory accreditation. The CFReDS site is a repository of images. Some images are produced by NIST, often from the CFTT (tool testing) project, and some are contributed by other organizations.

CFReDS
In addition to test images, the CFReDS site contains resources to aid in creating test images. These creation aids are in the form of interesting data files, useful software tools and procedures for specific tasks. The CFReDS web site is http://www.cfreds.nist.gov.

International Standards
The Scientific Working Group on Digital Evidence (SWGDE) was established in February 1998 through a collaborative effort of the Federal Crime Laboratory Directors. SWGDE, as the U.S.-based component of standardization efforts conducted by the International Organization on Computer Evidence (IOCE), was charged with the development of cross-disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence, including audio, imaging, and electronic devices. The following document was drafted by SWGDE and presented at the International Hi-Tech Crime and Forensics Conference (IHCFC) held in London, United Kingdom, October 4-7, 1999. It proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. This document has been adopted as the draft standard for U.S. law enforcement agencies. http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm

Macintosh Operating System (Mac OS X)
Early Mac OS used HFS (Hierarchical File System)
OS X uses HFS+ (optional) and also supports the Unix File System
OS 9 supports volumes. A volume can be all or part of the storage media for hard disks
Newer Macs can be booted from CD, DVD, or FireWire drive. Older systems booted from the hard drive
Some forensics tools are specific to OS X. Some Windows tools can also be used

Unix/Linux Operating System
Everything is a file, including disk drives, monitors, tape drives, network interface cards, etc.
Unix has four components for its file system: boot block, superblock, inode, data block
A block is the smallest disk allocation unit
The boot block has bootstrap code, the superblock has system information, an inode is assigned to every file allocation unit, and data blocks store directories and files
A forensic examiner must understand the boot process of the operating system
Disk partitions in Unix/Linux are very different from Windows. In Unix/Linux partitions are labeled as paths.
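To make the boot block / superblock / inode layout concrete, here is an added example (not from the lecture or the textbook) that constructs a hypothetical ext2-style superblock, places it after a zeroed 1 KiB boot block, and parses the system information an examiner reads first: block size, block-group geometry, clean/dirty state, mount count, last mount time and volume name. The field offsets are those of the ext2/3/4 on-disk superblock; the volume contents are constructed.

```python
import struct
import datetime

EXT_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024   # the first 1 KiB of an ext partition is the boot block

def build_superblock() -> bytes:
    """Constructed ext2-style superblock for a hypothetical volume (not a real image)."""
    sb = bytearray(1024)
    # inodes, blocks, reserved blocks, free blocks, free inodes, first data block,
    # log2(block size / 1024), log2(cluster size / 1024)
    struct.pack_into("<8I", sb, 0, 8192, 32768, 1638, 30000, 8000, 0, 2, 2)
    struct.pack_into("<3I", sb, 32, 32768, 32768, 8192)      # blocks, clusters, inodes per group
    struct.pack_into("<2I", sb, 44, 1379641000, 1379642000)   # s_mtime (last mount), s_wtime
    struct.pack_into("<4H", sb, 52, 3, 20, EXT_MAGIC, 1)      # mnt_count, max_mnt_count, magic, state (1 = clean)
    struct.pack_into("<H", sb, 88, 256)                       # s_inode_size
    sb[120:136] = b"evidence01".ljust(16, b"\x00")            # s_volume_name
    return bytes(sb)

def parse_superblock(partition: bytes) -> dict:
    """Read the system information held in the superblock; refuse data without the ext magic."""
    sb = partition[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    magic = struct.unpack_from("<H", sb, 56)[0]
    if magic != EXT_MAGIC:
        raise ValueError(f"no ext2/3/4 superblock at offset 1024 (magic 0x{magic:04x})")
    inodes, blocks, _rsvd, free_blocks, _free_inodes, first_data, log_bs = struct.unpack_from("<7I", sb, 0)
    blocks_per_group, _cpg, inodes_per_group = struct.unpack_from("<3I", sb, 32)
    mtime = struct.unpack_from("<I", sb, 44)[0]
    mnt_count, _max_mnt, _magic, state = struct.unpack_from("<4H", sb, 52)
    return {
        "block_size": 1024 << log_bs,
        "inodes_count": inodes,
        "blocks_count": blocks,
        "group_count": -(-(blocks - first_data) // blocks_per_group),   # ceiling division
        "inodes_per_group": inodes_per_group,
        "inode_size": struct.unpack_from("<H", sb, 88)[0],
        "free_blocks": free_blocks,
        "clean": state == 1,
        "mount_count": mnt_count,
        "last_mount": datetime.datetime.fromtimestamp(mtime, datetime.timezone.utc).isoformat(),
        "volume_name": sb[120:136].split(b"\x00", 1)[0].decode(),
    }

def inode_location(inode_number: int, info: dict) -> tuple:
    """Map a 1-based inode number to (block group, index within that group's inode table)."""
    idx = inode_number - 1
    return idx // info["inodes_per_group"], idx % info["inodes_per_group"]

PARTITION = bytes(SUPERBLOCK_OFFSET) + build_superblock()   # zeroed boot block + superblock
```

On a real acquired image the same parser runs on the bytes read from the partition start; an unexpected magic value or a dirty state flag is the first sign that the superblock is damaged or the volume was not cleanly unmounted.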

Summary of Lectures 8 and 9
Overview of File Systems. Examples: Windows, Mac, Unix/Linux
Three important concepts a forensics examiner should know: the boot process, the file system, and the disk structures/partitions
Tools exist for each of the operating systems
Standards are emerging for conducting a forensics examination
Need more standards for data formats, processes, metadata, etc.

References
Chapters 7 and 8 of Textbook; http://www.cftt.nist.gov/NISTIR_7490.pdf