1
IMT 3551/4012 Digital Forensics: Course Overview and Lecture 1, Fall 2010
André Årnes, Tlf: 9166006, andre.arnes@hig.no
2
Document Revision: V1.0: 23.10.2007, V1.1: 24.10.2007, V1.2: 21.10.2008
Main changes in 2010:
- Minor revisions to lecture 1
- 2 new curriculum papers
- 10 new project descriptions
- Lab uses Ubuntu instead of Helix
Main changes in course in 2009:
- Updated curriculum papers and project assignments
- Provide example exams (2007, 2008)
Main changes in course in 2008:
- Will include material on network data as digital evidence
- Volunteer lab hand-ins after each lab exercise
- More detailed project assignments provided
- Provide example exam (2007)
This course was referred to as IMT 3711 Digital Forensic Science in 2007.
3
Agenda
Course overview:
- Lecture objectives
- Lectures and exams
- Paper presentations
- Project work
- Curriculum
Lecture:
- Introduction to digital forensics
- Practical lab work
4
Course Overview
5
Course Objectives
- What is digital forensics?
- Central principles and methodology rather than standardized procedures
- Methods for evidence acquisition, analysis and reporting
6
Focus and Disclaimer
Feedback is most welcome – all the time
We will focus on the fundamental principles of digital forensics, as well as the practical side of the field. Practical work will focus on analysis and reconstructions in virtual environments. Consider the consequences of all experiments and don’t do anything unethical (or illegal!). Also, don’t trust unknown software – run untrusted software in isolated environments. The course will give examples of tools (mostly open source), but the general principles and methodologies apply to any forensic tool.
7
Course Overview (Preliminary)
- Lecture 1, Introduction, Room K113 + A115: Chapters 1, Appendix B
- Lecture 2, File system analysis, Room K113 + A115: Chapters 2, 3, 4, 7, Appendix A
- Lecture 3, Live and remote forensics, Room A126 + A115: Chapters 5, 8
- Lecture 4, Evidence analysis, Room K113 + A115: Chapter 6
- Lecture 5, Selected topics and review, Room K113 + A115: Short project presentations
Project Deadline: 23:59 on Friday
Written Exam: Project deadline?
8
Project Work Requirements
- Assignments are marked and count 50% of the mark (see course information)
- Groups of 3 to 5 persons
- Report can include theoretical and/or experimental work
- IMT 3551 groups: standard project report
- IMT 4021 groups: academic paper format
9
Project Requirements (cont’d)
Document all assertions, back up claims and results, provide academic references, document experimental setup and focus on evidence integrity and forensic soundness. Plagiarism is not accepted – ask if you have questions regarding quotations and citations.
10
Project Work
Choose ONE of the following (or propose a new topic):
- Acquiring evidence in the cloud: Perform a theoretical evaluation of acquiring evidence from a cloud service (e.g., Amazon EC2) and perform experiments as a proof-of-concept.
- iPad Forensics: Forensic analysis of the iPad (you need an iPad). Perform experiments and perform a forensic analysis of the evidence.
- Internet Explorer 9 (beta): Perform experiments and a forensic analysis of the evidence.
- Log2timeline and Simile: Perform experiments, extract the timeline using log2timeline and visualize the results using SIMILE.
- Android Forensics: Perform experiments using an Android phone and/or the Android SDK to evaluate the availability and authenticity of evidence in Android.
- Processing massive amounts of data: Perform a theoretical study of approaches to handle massive amounts of data in digital forensics cases. Present the results as a comparative study to benchmark the methods based on typical use cases.
- Database forensics: Perform a survey and experiments of state-of-the-art tools for database forensics, based on, e.g., PostgreSQL or Oracle DB.
- Evidence authenticity: Evaluate security requirements and a security architecture for managing evidence and preserving evidence integrity and chain of custody. Consider vulnerabilities in popular hash algorithms (e.g., MD5).
- Computational forensics: Evaluate computational methods to identify and analyse digital evidence (e.g., fuzzy search, statistical sampling).
- Rights Management: Forensic analysis of commercial-grade rights management systems, e.g., Microsoft Rights Management System or Oracle Information Rights Management.
If the experiments include malware analysis, note that the testbed has to be properly isolated to protect the network from unwanted side effects and malware infection. If the experiments include unknown software, the testbed has to be properly isolated in the same manner. Tool-testing assignments can also be solved through a comparative analysis involving two or more tools.
11
Project Recommendations
We request that all experiments (if possible) are performed in a sterilized environment and that the data set is preserved and handed in or made available online. We will use this as a data set for training and research in digital forensics. We appreciate innovation in experimental environments. Amazon cloud, and are possible options. Remember not to do malware experiments in the cloud (!)
Faculty at the forensics lab will nominate suitable papers for scientific publication. One IMT3551 group is 2010!
12
What to cover in this course?
- Internet investigations?
- Network forensics?
- Device forensics?
- Video/audio/image forensics?
- Reverse engineering?
- Criminal investigations?
- Law and judicial issues?
This is a large and complex field, and we cannot cover everything.
13
Curriculum I
Dan Farmer and Wietse Venema, ”Forensic Discovery”, Addison-Wesley. Material covered in class. The text book is available on-line in full. This text book focuses on Linux forensics using the Coroner's Toolkit. In addition, we will cover the FAT and NTFS file systems, and we will use several tools that are not covered in the book.
14
Curriculum II – Presented Papers
Five curriculum papers will be presented in class and will be part of the course curriculum. The papers may change depending on your feedback, but the curriculum will be finalized by next class.
Curriculum papers:
- Carrier, Brian, ”An event-based digital forensic investigation framework”, DFRWS, 2005.
- Casey, ”Error, Uncertainty, and Loss in Digital Evidence”, International Journal of Digital Evidence, 2002.
- Gutmann, Peter, ”Secure Deletion of Data from Magnetic and Solid-State Memory”, USENIX 1996.
- Vrizlynn Thing, Kian-Yong Ng, and Ee-Chien Chang, ”Live Memory Forensics of Mobile Phones”, DFRWS 2010.
- Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields, ”Forensic Investigation of Peer-to-Peer File Sharing Networks”, DFRWS 2010.
These papers will be presented by student groups in class. The papers are available on Fronter and on-line.
15
Presentations
(Table: lecture, group, paper – lectures 2, 3, 4 and 5; all groups present the project)
Each group presents one paper during lecture 2, 3 and 4. Each presentation will be ~ minutes. The project will be presented on the last lecture day; each presentation will be short (~10 minutes). The plan may change depending on the number of students.
16
Some Useful References
- Brian Carrier, ”File System Forensic Analysis”, Addison Wesley, 2005
- Keith J. Jones, Richard Bejtlich, Curtis W. Rose, ”Real Digital Forensics – Computer Security and Incident Response”, Addison Wesley, 2006
- Inger Marie Sunde, ”Lov og rett i Cyberspace”, Fagbokforlaget, 2006
- US DOJ, ”NIJ Special Report on Forensic Examination of Digital Evidence: A Guide for Law Enforcement”
- ACPO, ”Good Practice Guide for Computer Based Electronic Evidence”
- Årnes, Haas, Vigna, and Kemmerer, ”Digital Forensic Reconstruction and the Virtual Security Testbed ViSe”, Journal in Computer Virology, 2007
- The Honeynet Project; in particular Scan of the Month and forensic challenges
- Gladychev and Patel, ”Finite state machine approach to digital event reconstruction”, Digital Investigation 1, 2004
- DOJ, ”NIJ Special Report on Investigations Involving the Internet and Computer Networks” (pages 1-27, excluding ”legal considerations”)
- See also Gutmann, Peter, ”Data Remanence in Semiconductor Devices”, 10th USENIX Security Symposium
There is a lot of useful material on the web, and several other good text books. There are also conferences and journals dedicated to digital forensics and investigations. Digital forensics is taught as a separate 6-day course by SANS, and there are extensive training courses available from software vendors (such as Guidance EnCase and AccessData FTK).
US DOJ = US Department of Justice; ACPO = Association of Chief Police Officers [4]
17
Internet Bank Fraud
18
Transaction Agents
19
Before we get started …
- Choose groups (on blackboard)
- Choose project number (or propose a project)
- Choose paper to present (talk to me if all 5 are taken)
- Talk to me if you’re doing an MSc on digital/computational forensics
Break!
20
Introduction to Digital Forensics
Lecture 1 Introduction to Digital Forensics
21
Terminology and Basic Principles
22
Forensic Science
The application of science and technology to investigate and establish facts of interest to criminal or civil courts of law. For example:
- DNA analysis
- Trace evidence analysis
- Firearms ballistics
Implies the use of scientific methodology to collect and analyse evidence. For example:
- Statistics
- Logical reasoning
- Experiments
References: The Use of Statistics in Forensic Science by C. G. G. Aitken and David A. Stoney
23
Some Terminology
- Digital Forensics
- Digital Investigations
- Computer Forensics
- Network Forensics
- Internet Investigations
- Computational Forensics
24
Investigation Process
- Identification: Verification of event
- Collection: Evidence collection and acquisition
- Examination: Preparation and examination
- Analysis: Using scientific methods
- Reporting: Documentation and presentation
This is referred to as the ”investigation process” and is the standard procedure used in this course. You will find other variations in the literature.
Examples:
- Examination: unzipping zip files, recovering unallocated data, etc.
- Analysis: intellectual property theft, e.g., accusations of reusing a stolen codebase
25
Digital Evidence
We define digital evidence as any digital data that contains reliable information that supports or refutes a hypothesis about an incident.
Evidence dynamics is any influence that changes, relocates, obscures, or obliterates evidence, regardless of intent.
Definitions adopted from:
- Chisum and Turvey: Evidence dynamics: Locard's exchange principle and crime reconstruction. Journal of Behavioral Profiling 1, 2000.
- Carrier and Spafford: Defining event reconstruction of digital crime scenes. Journal of Forensic Sciences 49 (2004).
- Carrier: An event-based digital forensic investigation framework. In Digital Forensic Research Workshop
Examples of evidence dynamics:
- A file in an NTFS file system running on a Windows XP operating system
- An unallocated cluster in the same environment as above (overwrite, wipe, desegmentations, etc.)
26
Evidence Integrity
Evidence integrity refers to the preservation of the evidence in its original form. This requirement applies both to the original evidence and to the image.
Write-blockers (hardware or software) ensure that the evidence is not accidentally or intentionally changed. In some cases, evidence has to be changed during acquisition; see the discussion of OOV below.
Mounting an image read-only is a form of software write-blocker in Linux.
27
Digital Fingerprints
The purpose is to prove that evidence and image are identical, using cryptographic hash algorithms. Input is a bit stream (e.g., file/partition/disk) and output is a unique hash (file signature).
We use cryptographic hash algorithms (e.g., MD5, SHA1, SHA256). These are non-reversible and it is mathematically infeasible to find two different files that create the same hash.
Discussion topic: how can cryptographic hashes be used for proving evidence integrity? What systems/procedures have to be in place?
Some tools: md5sum <filename>, md5deep <directory>
28
Chain of Custody
Chain of custody refers to the documentation of the acquisition, control, analysis and disposition of physical and electronic evidence. The documentation can include paper trails, laboratory information management systems, photographs, etc.
Mechanisms:
- Timestamps and hash values
- Checklists and notes
- Reports
Also referred to as chain of evidence.
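The acquire, fingerprint, write-protect and log sequence that the Evidence Integrity, Digital Fingerprints and Chain of Custody slides describe, as an added shell example that is not part of the lecture: it images a constructed "device" file bit for bit with dd, fingerprints source and image with both MD5 and SHA-256, write-protects the image, stores a manifest for later re-verification, and appends a custody record with timestamp, sizes, hashes and operator. The function names (fingerprint, acquire, verify), the custody line format and the manifest name are this example's own choices; the tools it relies on (dd, md5sum, sha256sum, chmod, date, id) are the standard ones on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the lecture: acquire, fingerprint, write-protect, log.
# Tools assumed: dd, md5sum, sha256sum, chmod, date, id (all standard on Ubuntu).
# Function names, the custody line format and the manifest name are our own choice.

# fingerprint FILE: prints "<md5> <sha256>" of the whole bit stream in FILE.
# Two independent algorithms, because a collision found for one (e.g. MD5)
# does not carry over to the other.
fingerprint() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha256sum "$1" | cut -d' ' -f1)"
}

# acquire SRC DST LOG: bit-for-bit copy of SRC (device or file) into DST,
# hash both sides, write-protect DST, keep a manifest and append a custody
# record to LOG. Returns 0 only if source and image have identical fingerprints.
acquire() {
    src=$1; dst=$2; log=$3
    dd if="$src" of="$dst" bs=512 2>/dev/null      # sector-sized blocks, no padding
    chmod 444 "$dst"                               # software write protection of the image
    src_fp=$(fingerprint "$src")
    dst_fp=$(fingerprint "$dst")
    sha256sum "$dst" > "$dst.sha256"               # manifest for later re-verification
    printf '%s acquired %s -> %s (%s bytes) md5/sha256=%s by %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dst" "$(wc -c < "$dst")" \
        "$dst_fp" "$(id -un)" >> "$log"
    [ "$src_fp" = "$dst_fp" ]
}

# verify IMAGE: re-hash IMAGE and compare it to the manifest written at
# acquisition. Run from the same working directory as acquire, or use absolute paths.
verify() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# Usage in the lab (floppy image, see the Tasks slide):
#   mkdir evidence
#   acquire /dev/fd0 evidence/fd0.img evidence/custody.log && verify evidence/fd0.img
```

The custody log is append-only by convention here; in a real case it would itself be hashed or kept in a system the analyst cannot edit, which is the "what systems/procedures have to be in place" part of the discussion topic.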
29
Forensic Soundness
The term forensically sound methods and tools usually refers to methods and tools that adhere to best practice and legal requirements. A typical interpretation:
- Source data is not altered in any way
- Every bit is copied, incl. empty and unavailable space
- No data is added to the image
Discussion topics: Is this term useful for forensic practitioners? How does this apply to different jurisdictions?
30
Order of Volatility (OOV)
Collect the most volatile data first – this increases the possibility of capturing data about the incident in question.
BUT: As you capture data in one part of the computer, you’re changing data in another.
The Heisenberg Principle of data gathering and system analysis: It’s not simply difficult to gather all the information on a computer, it is essentially impossible. See text book Section 1.3, Appendix B.
Discussion points:
- OOV vs forensic soundness
- OOV vs evidence integrity
- OOV vs chain-of-custody
31
Order of Volatility: Expected life time of data
Type of data: Life span
- Registers, peripheral memory, cache, etc.: Nanoseconds
- Main memory: Ten nanoseconds
- Network state: Milliseconds
- Running processes: Seconds
- Disk: Minutes
- Floppies, backup media, etc.: Years
- CD-ROMs, DVDs, printouts, etc.: Decades
(textbook p. 6)
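A live collection script that follows the order of volatility, as an added example that is not from the lecture or the text book: it walks the table above from the most to the least volatile layer, runs each collection command only if it is installed on the host, writes everything into one log with a timestamp per section, and fingerprints the finished log so it can be referenced from the chain of custody. The function names run, collect_volatile and layers, the section labels and the choice of commands (ps, ss, who, mount) are assumptions of this example; registers and cache cannot be captured from user space, so the script only records the start time at that layer, and because collecting itself changes the host (new processes, writes to disk) the output directory belongs on external media rather than on the evidence disk.

```shell
#!/bin/sh
# Added example, not from the lecture: live collection in order of volatility.
# Assumes a Linux host with coreutils; ps/ss/who/mount are used only if present.
# Collecting changes the host (new processes, writes), so OUTDIR should be on
# external media, never on the evidence disk itself.

# run LABEL OUTDIR CMD...: append one timestamped section to the collection log
run() {
    label=$1; out=$2; shift 2
    {
        printf '### %s (%s)\n' "$label" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        if command -v "$1" >/dev/null 2>&1; then
            "$@" 2>&1 || true          # a failing tool is recorded, not fatal
        else
            echo "(tool $1 not available on this host)"
        fi
    } >> "$out/collection.log"
}

# collect_volatile OUTDIR: most volatile first, least volatile last (textbook p. 6)
collect_volatile() {
    out=$1
    mkdir -p "$out"
    : > "$out/collection.log"
    # registers, cache: not reachable from user space; record when we started instead
    run "collection start" "$out" date -u
    # main memory: the process table (a full memory dump would go here as well)
    run "running processes" "$out" ps -eo pid,ppid,user,lstart,cmd
    # network state: sockets and the processes behind them
    run "network state" "$out" ss -tulpan
    # logged-in users and their terminals
    run "logged-in users" "$out" who
    # disk: the mount table only; the disks themselves are imaged with dd/dcfldd afterwards
    run "mounted file systems" "$out" mount
    run "collection end" "$out" date -u
    # fingerprint the finished log so it can be tied into the chain of custody
    sha256sum "$out/collection.log" > "$out/collection.log.sha256"
}

# layers OUTDIR: the section labels in the order they were collected
layers() {
    grep '^### ' "$1/collection.log" | sed 's/^### \(.*\) (.*$/\1/'
}

# Usage: collect_volatile /media/usb/case01/live && layers /media/usb/case01/live
```

Every section carries its own timestamp, which makes the "as you capture data in one part of the computer, you’re changing data in another" effect visible in the log: the process list already contains the collection script itself.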
32
Dual-tool Verification
Verification of analysis results by independently performing the analysis with two or more distinct forensic tools. The purpose of this principle is to identify human and software errors in order to assure repeatability of results. The tools should ideally be produced by different organizations/programmers.
Discussion topic: Is this practical/necessary?
33
ACPO Principles (ACPO p. 6)
1. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
2. In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
3. An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same results.
4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
Discussion: Principles 1 and 2 – changing vs losing evidence, see ch 1.3 in textbook. Principle 3 – how to implement an audit trail?
ACPO = Association of Chief Police Officers
34
Abstraction Layers
Users and applications
File system
Hardware
Sleuth Kit abstraction layers:
- File system layer tools
- Data layer tools
- Metadata layer tools
- Human interface layer
- Journal layer
- Media management layer
- Disk layer
(Farmer and Venema p. 9)
35
Analysis
Unusual activity stands out, e.g.:
- Location in file system
- Timestamps (most files are rarely used)
- Fossilization of deleted data
- Turing test of computer forensic analysis
- Digital archaeology vs. geology
”Are you really looking at traces of what happened on a machine, or are you looking at something that the intruder wants you to believe?” (textbook Sec 1.5)
”Destroying information turns out to be surprisingly difficult.” (Gutmann 1996, 2001)
Digital archaeology is about the direct effects of user activity, such as file contents, file access time stamps, information from deleted files, and network flow logs. Digital geology is about autonomous processes that users have no direct control over, such as the allocation and recycling of disk blocks, file ID numbers, memory pages, or process ID numbers.
36
Virtualization
Virtualization can be used to perform dynamic testing of evidence and to perform forensic reconstruction experiments. Images of seized evidence can be booted in virtual environments for dynamic analysis.
It is possible to detect the presence of the virtualization environment. This is seen in malware and in proof-of-concept code (e.g., ”red pill”). Be careful to isolate the testbed properly, in particular if you suspect that you are dealing with malware!
Risks:
- The analysis may report incorrect results
- The analysis environment may be compromised
“The red pill is a small piece of code that, when run on a virtual machine, is able to determine if it is running in a virtual system or a real, physical system. It does this by detecting if the operating system is under the control of a hypervisor, the monitoring process that enables virtualization.” [
“The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system) and there is no performance penalty and all the devices, like graphics card, are fully accessible to the operating system, which is now executing inside virtual machine. This is all possible thanks to the latest virtualization technology from AMD called SVM/Pacifica.” [
37
Crime Scene Reconstructions
Method to determine the most probable hypothesis or sequence of events by applying the scientific method to interpret the events that surround the commission of a crime. State problem, form a hypothesis, collect data, test hypotheses, follow up on promising hypotheses, draw conclusions supported by admissible evidence. O’Connor, T: Introduction to crime reconstruction. Lecture Notes for Criminal Investigation (2004) North Carolina Wesleyan College.
38
Digital Reconstructions
Digital crime scene reconstructions can be tested experimentally in testbeds: physical, virtual, or simulated.
39
Investigation Process
- Identification: Verification of event
- Collection: Evidence collection and acquisition
- Examination: Preparation and examination
- Analysis: Using scientific methods
- Reporting: Documentation and presentation
(Evidence integrity & chain of custody)
This is referred to as the ”investigation process” and is the standard procedure used in this course. You will find other variations in the literature.
Examples:
- Examination: unzipping zip files, recovering unallocated data, etc.
- Analysis: intellectual property theft, e.g., accusations of reusing a stolen codebase
40
Our First Toolkit
41
Acquisition Tools
Acquisition tools are tools for imaging or copying evidence. Focus should always be on preserving evidence integrity. The integrity should be verified after acquisition through the use of hash algorithms.
DD and DCFLDD examples:
dd if=/dev/hda of=/mnt/evidence/hda.dd
dcfldd if=/dev/hda of=/mnt/evidence/hda.dd
Commercial tool examples: EnCase, FTK Imager Lite
Note that DCFLDD is an extension of DD for forensic acquisition. It supports hashing, verification, logging, and more.
42
The Coroner's Toolkit (TCT)
A collection of forensic utilities written by Wietse Venema and Dan Farmer, released in 2000 on the authors’ web sites. The toolkit contains tools for post-mortem analysis of compromised systems. It includes, e.g.:
- grave-robber: data gathering tool
- unrm and lazarus: data recovery tools
- mactime: orders files and directories chronologically according to timestamps
43
Sleuthkit and Autopsy Sleuthkit is built on TCT, supports both Unix and Windows platforms, and contains 27 specialized command line tools. Autopsy is an integrated graphical user interface for Sleuthkit. It supports acquisition, analysis, as well as case management, evidence integrity verification, and logging. Autopsy documentation:
44
Ubuntu 10.04
Boot CD to install and run Ubuntu
Forensic tools are easily installed:
sudo apt-get install tct
sudo apt-get install sleuthkit
sudo apt-get install autopsy
sudo autopsy
45
Helix
Boot CD for incident response and digital forensics by e-Fense
Contains many tools, e.g.:
- Autopsy, TCT, SleuthKit, foremost
- Wireshark, TCPdump
- ClamAV, F-prot, chkrootkit
- and more …
No longer free / open source. A Helix manual is available.
46
Virtualization Tools
We need a tool for running virtual hosts:
- Mount and analyse image off-line
- Snapshots freeze system states and are useful for event chain analysis
Some examples:
- VMware Workstation – most used tool for forensics
- Amazon EC2 – virtualization in the cloud (not free)
- VirtualBox – free version available
- Xen – free version available
- Virtual PC – free version available
- Parallels – for Mac
Notes:
- VirtualBox is freely available and supports snapshots and virtual networking, but not the ”full clone” feature of VMware.
- VMware Workstation has useful features such as snapshots, full cloning, virtual networking, etc. You can evaluate VMware Workstation for 30 days on your home computer.
47
VMware and VMware Snapshots
VMware emulates a PC and runs virtual guest operating systems such as Windows XP and Linux. Through the use of VMware snapshots, one can make a tree of system configurations based on a common root system (base image). One can easily revert to a snapshot and make a new branch with a new configuration. The ”full clone” function can be used to write a full disk image for analysis based on a snapshot. VMware images can be opened directly in EnCase.
48
The snapshot manager is used to revert to snapshots and create full clones.
49
Snapshots can be used to analyse event chains as shown in this state diagram. Legend:
50
Summary
Basic Principles: forensic science, methodology, digital evidence, evidence integrity, cryptographic hashes, chain of custody, order of volatility, layers of abstraction, reconstructions, virtualization, ACPO
Our First Toolkit: DD and DCFLDD, TCT, Sleuthkit, Autopsy, Ubuntu, VMware
51
Lab 1
52
Rules of the Lab Exercises
The labs are fairly open and you are free to select both environment and tools. There is no mandatory hand-in or grading of the lab. The lab exercises do require some Linux and virtualization literacy – work together in teams! Use the lab time to discuss project work and discuss drafts.
53
Objectives
Objectives: Get familiar with
- Laboratory environment
- Forensic tools
Tools: VMware (or Amazon EC2 or other virtualization tool), Ubuntu (or Helix)
”Evidence”: Honeynet Scan of the Month 24 and 26
Take detailed notes and remember evidence integrity and chain of custody.
54
Tasks
- Install VMware Workstation on your laptop
- Install Ubuntu as a virtual machine and install tct, sleuthkit, and autopsy
- Read the Scan of the Month 24 challenge and the police report
- Boot Ubuntu in VMware
- Image evidence: virtually mount the floppy image for ”Scan24” in VMware, use DD or DCFLDD to image the evidence to a file, and verify the image hash using the md5sum command
- Analyse the image using Autopsy; you can also mount the image read-only and use standard Linux tools
- Report findings in your notes: document chain of custody and evidence integrity, with detailed notes of settings, actions, etc. Screenshots are useful.
- Optional: continue the analysis with the Scan26 floppy image
- Send report to teacher by for feedback and evaluation (not graded)
Note – the floppy image should be write-protected in Linux:
# Make an evidence directory
mkdir evidence
# Image the floppy drive, verify and write protect the image
dcfldd if=/dev/fd0 of=evidence/fd0.img   # Check documentation for details on dcfldd
md5sum /dev/fd0                          # This can be done automatically with dcfldd
md5sum evidence/fd0.img
# Write protect evidence
chmod 444 evidence/fd0.img
# Analysis tools
ghex2 evidence/fd0.img                   # Hex editor
sudo autopsy                             # Autopsy