Feb 12, 2016
 

Cybercrime has been a growing concern for the past two decades. What used to be the responsibility of specialist national police has become routine work for regional and district police. Unfortunately, funding for law enforcement agencies is not growing as fast as the amount of digital evidence.

In this paper, we present a forensic platform that is tailored for cost effectiveness, extensibility, and ease of use. The software for this platform is open source and can be deployed on practically all commercially available hardware devices such as standard desktop motherboards or embedded systems such as Raspberry Pi and Gizmosphere’s Gizmo board. A novel user interface was designed and implemented, based on Morphological Analysis.

The full paper was published in Vol 10, No 4 of the Journal of Digital Forensics, Security and Law.

A demo of the user interface that was developed for this project.

The PDF of this journal publication is available to download.

Introduction

The process of acquiring images of hard disks is a well documented and usually straightforward task for a forensic investigator. Still, taking forensically sound images of hard disks is an essential step during investigations involving computer systems.

This paper details a system that provides the same functionality as current forensic hardware at a fraction of the cost. While this platform is presented as a write blocker and imaging device, it is designed to be extended and enhanced. Several example developments are detailed in this paper. This project is an attempt to facilitate the building of forensic devices and to enable forensic investigators to add their own functionality and personalisations.

The novel user interface for this platform is based on ideas from Morphological Analysis. This responsive web user interface provides a clean and informed way of presenting forensic tasks to a user.

Commercial Forensic Devices

Based on our research, current forensic platforms are expensive, some costing thousands of Euro. While this cost is perfectly reasonable for some organisations and departments, it can be an issue for others.

FIREBrick System

The FIREBrick Project is an open embedded system based on Linux that, in its most basic form, provides write-blocking functionality and provides forensically sound copies of hard disks. The system can be built using almost any motherboard.

The FIREBrick operating system is a minimal customised Linux distribution. As this device is Linux based, developers can easily develop and enhance the platform using the wide array of available Linux software.

To date, the FIREBrick Project has received interest from the computer forensic community. Several investigators and many students from around the world have developed new functionality for the platform. In particular, a number of new features were developed by M.Sc. students from the Digital Investigation and Forensic Computing programme in University College Dublin.

Hardware

The FIREBrick is constructed using common, cost-effective, commercially available hardware. Configurations based on the Raspberry Pi and on Gizmosphere’s Gizmo board have been built. The desktop computer based device requires the following hardware:

  • Motherboard (any form factor)
  • RAM
  • Case and power supply

Customised Forensic Device

As the system is open source, it can be tailored for a specific requirement or specific law enforcement agency. Smaller, less powerful hardware could be used and powered by a battery, or a more computationally powerful system could be built that would be larger and less portable.

Stand Alone Device

To demonstrate the configurable nature of the platform, the FIREBrick can be configured as a stand alone device, not requiring a host system to operate. This configuration might be suitable for investigators that do not wish to carry around a lot of equipment. An LCD screen can be connected to the FIREBrick and a simple menu presented to the user.


Figure 1. LCD screen FIREBrick device

This mini-ITX device is shown in Figure 1.

Going further with this minimalist concept, a FIREBrick can be configured to automatically begin imaging a disk as soon as the disk is connected to the system, providing an audio alert from the speaker on the motherboard when imaging is complete. An example of this configuration is shown in Figure 2.

These examples have been constructed and are currently being used by forensic investigators. The approximate cost of building a minimalist FIREBrick device is shown below:

  • Mini-ITX Motherboard €70
  • 2Gb RAM €10
  • Case & power supply €20
    Total €100

Figure 2. Minimalistic FIREBrick device.

 

Extensible Platform

The FIREBrick is based on Linux, thus any Linux compatible software is available to FIREBrick. Tools such as The Sleuth Kit, Android Debug Bridge and Photorec have been used with the FIREBrick. One such configuration of the FIREBrick platform added a WiFi device allowing a user to connect via any WiFi compatible device. Another configuration performed write-blocking over iSCSI, where the user connected to the FIREBrick via an Ethernet cable.

Mobile Device Acquisition

As the Android Debug Bridge software is available to the FIREBrick, it can be configured to acquire information from mobile devices such as phones and tablets. While mobile data acquisition is feasible and has been built, it requires further development to support a wider range of makes and models of mobile devices.

Purpose Built Devices

Another configuration of the FIREBrick is a network packet capture and analysis device. The FIREBrick uses TCPDUMP and can be connected to a target network to capture network packets. These packets could be analysed for information gathering, threat detection purposes et cetera.

Scripting

Scripting is a powerful way of querying and analysing large data sets. In terms of scripting functionality, FIREBrick has been built and tested with Node.js and with Python. Again, the concept with this platform is to allow developers to add their preferred scripting languages to the platform.

Software

Operating System

The FIREBrick operating system (FIREBrick OS) is a custom Linux distribution built from the ground up using Buildroot. The FIREBrick OS may be written to the motherboard BIOS, configured as a boot disk, configured as a boot USB key, or booted via PXE. It is a lightweight OS: unlike other Linux based forensic distributions, it comes with a very minimal set of software packages and without superfluous libraries. This has benefits in terms of speed, maintainability and security.

The FIREBrick OS may be deployed on many hardware platforms. One example is deploying the OS on a desktop motherboard, where the OS is flashed onto the BIOS. This requires no boot device, and the system will never boot from evidential drives. It also allows the system to run very quickly and boot almost instantly. There are downsides to this approach, such as the OS size being limited to the size of the BIOS, which is usually relatively small (typically 32Mb). However, a minimal system with write-blocking and imaging capability can easily fit into the BIOS of a desktop motherboard.

Write Blocking Functionality


Figure 3. Typical FIREBrick deployment.

Figure 3 shows a typical configuration of a FIREBrick system. The user views and interacts with the target device via an iSCSI initiator; the iSCSI target is read-only, and hence the evidential drive cannot be altered in any way. Utilising iSCSI provides remote access to the FIREBrick device. From the perspective of the FIREBrick OS, the target drive is never mounted and data is never written to the drive. The user can also control the FIREBrick using the web user interface (WUI). The write-blocking functionality is provided over iSCSI in this case; however, the system can be configured to write-block via FireWire or via USB with supplemental hardware.
Imaging utilises the dcfldd package, a modified version of GNU dd that is used frequently by forensic investigators.
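As an added illustration of the acquire-and-verify step described above (example code written for this page, not FIREBrick OS code and not dcfldd itself), the Python sketch below opens the source strictly read-only, hashes the data stream as it is copied, then re-hashes the finished image and compares the two digests, the same check dcfldd performs with its hash options. Unreadable blocks are zero-filled and their offsets recorded, as dd does with conv=noerror,sync. The evidence file it images is constructed in a temporary directory for the demonstration.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 1 << 20  # 1 MiB per read, comparable to dcfldd's bs= option


def hash_file(path):
    """SHA-256 of a file read in blocks; used to hash the finished image and to
    re-verify it later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source_path, image_path):
    """Acquire source_path into image_path the way a forensic imager does:
    open the source read-only, hash the data stream while it is read
    (cf. dcfldd's hash=sha256), then hash the written image and compare.

    An unreadable block is replaced by zeros of the same length and its offset
    recorded, mirroring dd's conv=noerror,sync, so later data keeps its
    offsets.  'verified' means the image matches the stream that was read;
    'bad_blocks' tells the examiner whether that stream contains substitutions.
    """
    fd = os.open(source_path, os.O_RDONLY)  # never opened for writing
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for files and block devices
        stream_hash = hashlib.sha256()
        bad_blocks = []
        offset = 0
        with open(image_path, "wb") as img:
            while offset < size:
                want = min(BLOCK_SIZE, size - offset)
                try:
                    block = os.pread(fd, want, offset)
                except OSError:
                    bad_blocks.append(offset)
                    block = b""
                if len(block) < want:  # read error or short read: pad like sync
                    block += b"\x00" * (want - len(block))
                stream_hash.update(block)
                img.write(block)
                offset += want
    finally:
        os.close(fd)

    source_digest = stream_hash.hexdigest()
    image_digest = hash_file(image_path)
    return {
        "bytes": offset,
        "source_sha256": source_digest,
        "image_sha256": image_digest,
        "bad_blocks": bad_blocks,
        "verified": source_digest == image_digest,
    }


def verify_image(image_path, expected_sha256):
    """Later re-verification (e.g. before analysis): the image must still hash
    to the digest recorded at acquisition."""
    return hash_file(image_path) == expected_sha256


def demo_acquisition():
    """Build a constructed 'evidence' file in a temporary directory, image it,
    and return the report together with an independently computed digest."""
    data = bytes(range(256)) * 4099 + b"tail"  # just over 1 MiB, not block-aligned
    workdir = tempfile.mkdtemp(prefix="firebrick-demo-")
    source = os.path.join(workdir, "evidence.bin")
    image = os.path.join(workdir, "evidence.dd")
    with open(source, "wb") as f:
        f.write(data)
    report = image_device(source, image)
    with open(image, "rb") as f:
        identical = f.read() == data
    return {
        "report": report,
        "expected_sha256": hashlib.sha256(data).hexdigest(),
        "image_identical": identical,
        "reverified": verify_image(image, report["source_sha256"]),
        "tampered_rejected": not verify_image(image, "0" * 64),
    }


if __name__ == "__main__":
    print(demo_acquisition())
```

Pointing `image_device` at a block device path instead of a file is the realistic use; the read-only open and the absence of any write call on the source are what make the copy forensically sound on the software side, while the hardware or iSCSI write blocker guards against everything else on the system touching the drive.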

Morphological Analysis

Morphological Analysis (MA) is a powerful problem-structuring and problem-solving technique created by Fritz Zwicky. MA works by analysing a problem space, arranging it into tabular form and identifying inconsistencies. Ritchey extended MA using software to aid in the process.

Morphological Analysis User Interface (MAUI)


Figure 4. The MAUI interface.


Figure 5. MAUI after selecting “Capture” from “Task”.

This novel user interface, based on MA, was designed to facilitate ease of use and provide a way of guiding the user through tasks. The user interface for one configuration of a FIREBrick can be seen to provide an intuitive and helpful way of performing forensic tasks that is quite different to regular menu-driven user interfaces. The web user interface is shown in Figure 4.

This interface provides a way of presenting forensics tasks, of grading them, and of accessing each task in an uncluttered fashion. To explain how MA is used as a user interface, we shall consider a simple example. A SATA disk taken from a computer is to be imaged. Figure 5 shows the interface after a user selected Capture from Task.


Figure 7. SATA disk imaging task.

We can see here that the value Saved Image from Data Source is unavailable. This is the case because Saved Image is inconsistent with the already selected value Capture.

Figure 6 shows each parameter compared with every other parameter. This facilitates the identification of inconsistent pairs of values.
This information is not shown to the user; it is hard-coded into the interface and represents the logic driving it. We can see that Capture and Saved Image are identified as inconsistent (highlighted in Figure 6). This is so because a saved image cannot be captured; it is already captured. Similarly, View and Off are inconsistent: a system that has been turned off for a reasonable amount of time cannot be viewed.

At this point, Computer from Data Source, Disk from Data Location and Off from System State are selected. Now the impact on the system would be shown. Once None in System Impact is selected, the task is initiated. The penultimate step can be seen in Figure 7. Parameter values can be chosen in any order. However, all parameters must have a value chosen in order to initiate a task. Once all values are selected, a confirmation dialog box will be displayed.

Using MA as an interface presents forensic tasks to the user, but also provides more information about the tasks to the user. In our example, it allows the user to see the level of system impact the selected task has on the target system. In this example we saw that there was an impact of None, as the disk was taken from the computer and nothing will be written to the disk.


Figure 6. Identified inconsistent forensic tasks.

MAUI is arranged in a way to show the full spectrum of tasks available to the user in an uncluttered and transparent way. There are no nested menus and no extra options as all available tasks are presented to the user. This compact interface is also suitable for mobile devices that have limited screen sizes.
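The walkthrough of Figures 5 to 7 and the cross-consistency table of Figure 6 can be reduced to a small amount of logic. The Python below is an added example written for this page, not MAUI's own code: it encodes the parameters and the two inconsistent pairs named in the text, builds the parameter-versus-parameter comparison, and greys out values as selections are made. The values "Network", "On" and "Write" are hypothetical additions so that every parameter offers a choice; the paper does not list them.

```python
from itertools import combinations

# Parameters and values of the MAUI example in the text.  "Network", "On" and
# "Write" are hypothetical values added for this example (not from the paper).
PARAMETERS = {
    "Task": ["Capture", "View"],
    "Data Source": ["Computer", "Saved Image"],
    "Data Location": ["Disk", "Network"],    # "Network" is hypothetical
    "System State": ["Off", "On"],           # "On" is hypothetical
    "System Impact": ["None", "Write"],      # "Write" is hypothetical
}

# Cross-consistency assessment: pairs of values that can never be chosen
# together.  These are the two pairs the text identifies; in MAUI the table is
# hard-coded into the interface.
INCONSISTENT = {
    frozenset({("Task", "Capture"), ("Data Source", "Saved Image")}),
    frozenset({("Task", "View"), ("System State", "Off")}),
}


def consistent(a, b):
    """True unless the two (parameter, value) pairs are marked inconsistent."""
    return frozenset({a, b}) not in INCONSISTENT


def cross_consistency_matrix():
    """Compare every value of every parameter with every value of every other
    parameter, as in Figure 6.  Maps each unordered pair to True/False."""
    cells = {}
    for (pa, va_list), (pb, vb_list) in combinations(PARAMETERS.items(), 2):
        for va in va_list:
            for vb in vb_list:
                cells[frozenset({(pa, va), (pb, vb)})] = consistent((pa, va), (pb, vb))
    return cells


def available(selection):
    """For each parameter not yet chosen, the values still consistent with
    everything already selected; values left out are the greyed-out ones."""
    chosen = set(selection.items())
    out = {}
    for param, values in PARAMETERS.items():
        if param in selection:
            continue
        out[param] = [v for v in values if all(consistent((param, v), c) for c in chosen)]
    return out


def select(selection, param, value):
    """Return a new selection with param=value, refusing unavailable values.
    Values may be chosen in any order."""
    if value not in available(selection).get(param, []):
        raise ValueError(f"{param}={value!r} is unavailable with the current selection")
    new = dict(selection)
    new[param] = value
    return new


def ready(selection):
    """A task can be initiated (confirmation dialog shown) only once every
    parameter has a value."""
    return all(p in selection for p in PARAMETERS)


def walkthrough():
    """The SATA-disk example of the text: Capture, Computer, Disk, Off, None."""
    s = {}
    for param, value in [("Task", "Capture"), ("Data Source", "Computer"),
                         ("Data Location", "Disk"), ("System State", "Off"),
                         ("System Impact", "None")]:
        s = select(s, param, value)
    return s


if __name__ == "__main__":
    print(available(select({}, "Task", "Capture")))  # Saved Image is gone
    print(walkthrough(), ready(walkthrough()))
```

Because `available` is recomputed from the full consistency table after every choice, the interface stays order-independent: choosing System State = Off first greys out View under Task just as choosing Capture first greys out Saved Image under Data Source.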

Results

In this paper we have detailed a forensic platform that provides the same functionality as commercial forensic devices, at a fraction of the cost. This platform is presented as both a hardware and a software platform. The software is similar in some ways to forensic Linux distributions such as SANS Investigative Forensic Toolkit or CAINE; however, the FIREBrick OS is built from the ground up and contains only what is absolutely necessary to provide forensic functionality. As such, the FIREBrick software is well suited for use with embedded hardware.

Performance

As the choice of hardware for the FIREBrick device is open-ended, performance can vary quite substantially. For the FIREBrick device in Figure 1, speeds of 5GB/min were obtained while imaging a Kingston SSDNOW SERIES V100 SSD drive. Throughput would increase for faster SSD drives and would decrease for slower platter-based drives. The specifications for commercial forensic imaging devices detail speeds ranging from 4GB up to 15GB. These figures have not been verified by the authors of this paper.

User Interface

The MAUI user interface designed for this project is based on principles from Morphological Analysis. This novel user interface provides a clean and informed way of presenting forensic tasks to a user.

Extensibility

One of the overall goals of the FIREBrick project is to encourage developers to extend the functionality of the platform. Areas of computer forensics such as mobile device acquisition, computer network analysis and file carving could benefit from having an open, stable, extensible device.

Apr 08, 2013
 

In many police investigations today, computer systems are somehow involved. The number and capacity of computer systems needing to be seized and examined is increasing, and in some cases it may be necessary to quickly find a single computer system within a large number of computers in a network. To investigate potential evidence from a large quantity of seized computer systems, or from a computer network with multiple clients, triage analysis may be used.

The current challenges to conducting on-scene investigations are that each system must be booted and examined in turn, many investigation processes are not automated, multiple boot media may be needed, and there is no centralized point where results can be stored. All of these challenges can make the on-scene investigation process very time consuming if the network consists of hundreds of computers divided over several floors. Prior works had a number of foundational benefits, but still had a number of limitations that did not fit our needs. The approach taken in this work was to redesign an open source, forensically sound PXE environment that meets the following conditions:

  • Clients are able to boot a “forensic” file-system using DHCP, PXE and TFTP
  • Client–server based model: the client and server can communicate with each other
  • Network storage between clients and server, to serve files and store search results
  • Keyword searching in ASCII and UNICODE
  • File hashing and comparing with a centralized hash database
  • Clients are accessible through the server via SSH
  • Client’s local hard disk drives are accessible as a local disk on the server through ATA Over Ethernet (AoE)

This approach is adopted, not to conduct a full digital forensic investigation on-scene, but to conduct digital forensic triage. Triage is a medical term defined as:

A process for sorting injured people into groups based on their need for or likely benefit from immediate medical treatment. Triage is used in hospital emergency rooms, on battlefields, and at disaster sites when limited medical resources must be allocated (Triage, n.d.).

To derive the definition of digital forensic triage, we apply the medical definition specifically to computer forensics, resulting in:

A process of sorting computer systems into groups, based on the amount of relevant information or evidence found on these computer systems (Koopmans, 2010).

Based on this definition, the goal of the solution is not explicitly for exhibit exclusion purposes, but to sort analyzed systems by likely relevance.

The result is a client-server based solution for automation of basic digital forensic investigation processes on many clients over a network (Figure 1).

Automated Network Triage

A Triage server is placed on a network (preferably a network physically separate from the suspect’s network), and clients (suspect computers) are booted into a live environment via PXE or boot disk. They connect to the Triage server, load data and analysis scripts, and begin to conduct analysis on the suspect machine’s connected hard drives automatically. All results are reported back to the Triage server, and any suspicious hits can be investigated remotely using a variety of standard digital forensic investigation tools.
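The client-side analysis and the server-side sorting described above, as an added example written for this page (not the project's own scripts): keyword searching in ASCII and in UTF-16LE (Windows "UNICODE"), hashing every file against a central hash database, and ranking clients by how much relevant material was found, which is the triage ordering. The file contents, paths and the hash database entry are constructed for the demonstration; the scoring weights are this example's choice, not the paper's.

```python
import hashlib
import re
from collections import Counter

# Constructed sample of a client's drive contents: path -> bytes.  The UTF-16LE
# file stands in for a Windows document, where an ASCII-only search misses the keyword.
SAMPLE_FILES = {
    "/mnt/sda1/Users/alice/notes.txt": b"meeting about project BLUEBIRD on friday",
    "/mnt/sda1/Users/alice/memo.doc": "BLUEBIRD shipment details".encode("utf-16-le"),
    "/mnt/sda1/Windows/system32/calc.exe": b"\x4d\x5aMZ-stub-for-example",
    "/mnt/sda1/Users/alice/photo.jpg": b"\xff\xd8\xff\xe0nothing relevant",
}

# Constructed central hash database (held on the Triage server in the paper);
# the digest is computed from the sample data so the example is self-contained.
KNOWN_HASHES = {
    hashlib.sha256(b"\x4d\x5aMZ-stub-for-example").hexdigest(): "flagged-tool (constructed)",
}


def keyword_patterns(keywords):
    """Compile each keyword as an ASCII and as a UTF-16LE byte pattern, case-
    insensitive on the letter bytes, so both encodings are found in one pass."""
    pats = []
    for kw in keywords:
        pats.append((kw, "ascii", re.compile(re.escape(kw.encode("ascii")), re.IGNORECASE)))
        pats.append((kw, "utf-16le", re.compile(re.escape(kw.encode("utf-16-le")), re.IGNORECASE)))
    return pats


def search_file(data, patterns):
    """Count hits per (keyword, encoding) in one file's bytes."""
    hits = Counter()
    for kw, enc, pat in patterns:
        n = len(pat.findall(data))
        if n:
            hits[(kw, enc)] += n
    return hits


def triage_client(files, keywords, known_hashes):
    """What a PXE-booted client runs over its local drives and reports back:
    keyword hits per file plus files matching the central hash database."""
    patterns = keyword_patterns(keywords)
    report = {"keyword_hits": {}, "hash_matches": {}}
    for path, data in files.items():
        hits = search_file(data, patterns)
        if hits:
            report["keyword_hits"][path] = dict(hits)
        digest = hashlib.sha256(data).hexdigest()
        if digest in known_hashes:
            report["hash_matches"][path] = known_hashes[digest]
    return report


def triage_score(report):
    """Server-side sort key: amount of relevant material on a client.  A hash
    database match is weighted above a single keyword hit (example weights)."""
    keyword_total = sum(sum(h.values()) for h in report["keyword_hits"].values())
    return 10 * len(report["hash_matches"]) + keyword_total


def rank_clients(reports):
    """Sort client reports by descending score: the triage ordering of systems."""
    return sorted(reports.items(), key=lambda kv: triage_score(kv[1]), reverse=True)


if __name__ == "__main__":
    result = triage_client(SAMPLE_FILES, ["bluebird"], KNOWN_HASHES)
    print(result, triage_score(result))
```

Searching the raw bytes rather than decoded text is deliberate: a triage pass runs over whole disks and unallocated space, where no reliable encoding is known, so each keyword is matched in both byte forms.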

Works cited:

  1. Triage. In: Dorland’s medical dictionary for health consumers; n.d.
  2. Koopmans M. The art of triage with (g)PXE. Dublin: University College Dublin; 2010. p.51

For more information, please see:

Koopmans, M. B., & James, J. I. (2013). Automated network triage. Digital Investigation, 1–9. doi:10.1016/j.diin.2013.03.002

Mar 19, 2013
 

Earlier this year, researchers from the Digital Forensic Investigation Research Group had a chapter published in the book “Cybercrime and Cloud Forensics: Applications for Investigation Processes”. There were contributions from authors discussing practical as well as theoretical aspects of digital crime, investigation, side channel attacks, law, international cooperation, and the future of crime and Cloud computing environments.

DigitalFIRE specifically focused on how Cloud computing is likely to affect current digital forensic investigators. Instead of assuming that Cloud environments will completely revolutionize the way crime and digital investigations are conducted, we assessed Cloud environments in terms of current digital investigation models. Indeed, new challenges to investigations were found to exist when considering Cloud service models, but many of these challenges stem from increased connectivity and less control. In terms of technology, some challenges exist in Cloud environments that were previously not as common; however, Cloud environments also potentially bring a number of benefits for digital investigators that may ultimately make some types of investigations on Cloud environments easier than on stand-alone systems.

Our chapter aims to be a high-level introduction into the fundamental concepts of both digital forensic investigations and cloud computing for non-experts in one or both areas. Once fundamental concepts are established, we begin to examine Cloud computing security-related questions; specifically how past security challenges are inherited or solved by cloud computing models, as well as new security challenges that are unique to Cloud environments. Next, an analysis is given of the challenges and opportunities Cloud computing brings to digital forensic investigations. Finally, the Integrated Digital Investigation Process model is used as a guide to illustrate considerations and challenges during an investigation involving cloud environments.

James JI, Shosha AF, Gladyshev P. (2013). Digital Forensic Investigation and Cloud Computing. In K. Ruan (Ed.), Cybercrime and Cloud Forensics: Applications for Investigation Processes (pp. 1-41). Hershey, PA: IGI Global. doi:10.4018/978-1-4666-2662-1.ch001 [LINK][PDF]

Oct 04, 2012
 

This post is on behalf of one of our students, Ms. Jacky Fox. Given below is the archive that contains her MSc dissertation and the Bash scripts she wrote to extract and correlate Windows registry artifacts. During her research she discovered that recent versions of Microsoft Windows introduced subtle changes to forensic interpretation of Windows registry keys, including UserAssist and the keys related to USB devices. Modern forensic literature and tools do not reflect these changes – hence this post.

WindowsRegistryForensics.zip

 

 

Jul 21, 2011
 

From December 7th 2010 to December 12th 2010 a survey on Digital Investigation Process and Accuracy was conducted in an attempt to determine the current state of digital investigations, the process of examination (examination phases), and how those examinations are being verified as accurate. An online survey was created in English, and consisted of 10 questions. Two groups were solicited: a control group from the University College Dublin (UCD) Forensic Computing and Cybercrime Investigation (FCCCI) MSc Programme, and members of the Forensic Focus online community. The control group consisted of known digital forensic investigators, of which four replies were received. The second group consisted of anonymous replies from the Forensic Focus online community. Forensic Focus is a publicly accessible online forum and information site on the topic of computer forensics that primarily uses the English language. 28 replies were received from this community, making 32 replies in total. The average responses from the control group were consistent with the average responses from the Forensic Focus community. For the analysis in this paper, all responses will be considered together.

 

James, J.I. and P. Gladyshev. (2011) “2010 Report of digital forensic standards, processes and accuracy measurement.” Retrieved from http://articles.forensicfocus.com/2011/07/21/2010-report-of-digital-forensic-standards-processes-and-accuracy-measurement/ [PDF]

Aug 12, 2010
 

This work is in regards to a 2009 project about research into real-world digital forensic practices for the development of highly automated tools to increase speed and efficiency of forensic investigations. A survey was conducted of 30 Law Enforcement officers from different countries in Europe (with 10 respondents). The key findings of the survey are given, with a link to the full document provided.

Key observations:

  • Every country has a different definition of digital crime
  • Every country has different laws relating to digital crime
  • INTERPOL fights international crime by managing resources between countries
  • INTERPOL provides facilitation rather than direct operational capabilities
    • ‘Outsource’ operational needs from member countries

Requirements for Digital Forensic Tools

Out of 30 surveys submitted, 10 were returned. Along with these surveys, informal discussions with practitioners were conducted.

Through the survey and discussions it was found that investigators take three primary factors into account when purchasing forensic software:

  1. Feature set
  2. Cost
  3. Ease of use

Cost was found to be a common complaint, and a major concern for almost every practitioner spoken to. However, the most expensive forensic software, Encase, was the primary software chosen by 80% of the organizations. FTK, X-Ways Forensic, and miscellaneous tools were also used, but not nearly as often.

The average percentage of cases in which only the chosen primary software was used is 77.9%, which suggests that the cost of more expensive software is justified if it can handle the majority of needs the investigator may have. It appears that Encase does, in fact, meet the majority of the investigator’s requirements; however, there are still approximately 20% of cases in which an investigator would need additional features.

This 20% is covered by various secondary software, with FTK being the secondary software of choice. WinHex, Password Recovery/Decryption, Automated Analysis tools, and various Linux-based tools were also used.

The majority of the time an investigator is looking at user documents. Internet traces, passwords and log analysis are a close second.

The group also indicated that they would be more likely to buy a plug-in to their current software-set than to buy a third-party stand alone software. Fitting into their current workflow is a topic of importance.

Timelines of user actions are important to investigators. Some investigators indicated that a timeline of user activities would be useful in up to 70% of their cases.

Also interesting is that currently only 31% of cases involve Windows Registry Analysis. This low number was not shown to correlate with knowledge of the Windows Registry. Responders who claimed to be “very familiar” or “expert” in Windows Registry analysis, employed it just as often as those who were only “somewhat familiar”.

Finally the types of evidence investigators are seeing still consist primarily of Windows computers (87%) with Linux a far second (7%) and Mac last (6%). Of the Windows machines, Windows XP is still the most common OS (58%) with Vista (28%) and Windows 7 (4%) growing, but still not the majority.

For more information and the raw data, please see:
James, J.I. (2009) “Survey of Evidence and Forensic Tool Usage in Digital Investigations”. University College Dublin. [PDF]