Apr 08 2013

In many police investigations today, computer systems are somehow involved. The number and capacity of computer systems needing to be seized and examined is increasing, and in some cases it may be necessary to quickly find a single computer system within a large number of computers in a network. To investigate potential evidence from a large quantity of seized computer systems, or from a computer network with multiple clients, triage analysis may be used.

The current challenges to conducting on-scene investigations are that each system must be booted and examined in turn, many investigation processes are not automated, multiple boot media may be needed, and there is no centralized point where results can be stored. All of these challenges can make the on-scene investigation process very time-consuming if the network consists of hundreds of computers divided over several floors. Prior works had a number of foundational benefits, but still had a number of limitations that did not fit our needs. The approach taken in this work was to redesign an open source, forensically sound PXE environment that meets the following conditions:

  • Clients are able to boot a “forensic” file-system using DHCP, PXE and TFTP
  • Client–server based model: the client and server can communicate with each other
  • Network storage between clients and server, to serve files and store search results
  • Keyword searching in ASCII and UNICODE
  • File hashing and comparing with a centralized hash database
  • Clients are accessible through the server via SSH
  • Client’s local hard disk drives are accessible as a local disk on the server through ATA Over Ethernet (AoE)

This approach is adopted, not to conduct a full digital forensic investigation on-scene, but to conduct digital forensic triage. Triage is a medical term defined as:

A process for sorting injured people into groups based on their need for or likely benefit from immediate medical treatment. Triage is used in hospital emergency rooms, on battlefields, and at disaster sites when limited medical resources must be allocated (Triage, n.d.).

To derive the definition of digital forensic triage, we apply the medical definition specifically to computer forensics, resulting in:

A process of sorting computer systems into groups, based on the amount of relevant information or evidence found on these computer systems (Koopmans, 2010).

Based on this definition, the goal of the solution is not explicitly for exhibit exclusion purposes, but to sort analyzed systems by likely relevance.

The result is a client-server based solution for automation of basic digital forensic investigation processes on many clients over a network (Figure 1).

Automated Network Triage

A Triage server is placed on a network (preferably a network physically separate from the suspect’s network), and clients (suspect computers) are booted into a live environment via PXE or boot disk. They connect to the Triage server, load data and analysis scripts, and begin to conduct analysis on the suspect machine’s connected hard drives automatically. All results are reported back to the Triage server, and any suspicious hits can be investigated remotely using a variety of standard digital forensic investigation tools.
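As an added illustration of the client-side part of that workflow (example code written for this page, not the Automated Network Triage project’s own scripts): a Python triage pass that hashes every file under a mount point against a hash set and searches file contents for keywords in both ASCII and UTF-16LE, the “UNICODE” form in which much Windows data is stored, returning hit records of the kind a client would report back to the server. The directory tree, the keyword list and the “known” hash set are all constructed inline; the `Hit` record layout and the function names are assumptions, not the project’s interface.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class Hit:
    """One finding a client reports back to the triage server (assumed layout)."""
    path: str
    kind: str    # "hash" (file matched the hash set) or "keyword"
    detail: str  # the matching digest, or "<keyword>/<encoding>"


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def keyword_patterns(keywords):
    """Byte patterns for each keyword in ASCII and in UTF-16LE ("UNICODE").

    Patterns are lower-cased; search_keywords() lower-cases the data the same
    way, giving a case-insensitive match for ASCII-range keywords in both
    encodings.
    """
    pats = []
    for kw in keywords:
        pats.append((f"{kw}/ascii", kw.lower().encode("ascii")))
        pats.append((f"{kw}/utf-16le", kw.lower().encode("utf-16-le")))
    return pats


def search_keywords(data, patterns):
    """Return the labels of all patterns found in the byte string `data`."""
    # bytes.lower() changes only ASCII letters, so the 0x00 bytes that
    # interleave UTF-16LE ASCII text are left intact and still line up.
    low = data.lower()
    return [label for label, pat in patterns if pat in low]


def triage_tree(root, known_hashes, keywords):
    """Walk `root`, hashing and keyword-searching every regular file.

    Files are read whole here for brevity; a client working on real disks
    would stream them and keep an overlap across chunk boundaries so a
    keyword split between two reads is not missed.
    """
    hits = []
    patterns = keyword_patterns(keywords)
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in known_hashes:
                hits.append(Hit(path, "hash", digest))
            with open(path, "rb") as f:
                data = f.read()
            for label in search_keywords(data, patterns):
                hits.append(Hit(path, "keyword", label))
    return hits


def demo():
    """Constructed sample: three small files standing in for a suspect disk."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    try:
        files = {
            "notes.txt": b"Meeting about the SHIPMENT on Friday\n",
            "chat.log": "invoice for the shipment".encode("utf-16-le"),
            "readme.txt": b"nothing relevant here\n",
        }
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        # Constructed "known" hash set: pretend readme.txt is a file of interest.
        known = {hashlib.sha256(files["readme.txt"]).hexdigest()}
        hits = triage_tree(root, known, ["shipment"])
        return sorted((os.path.basename(h.path), h.kind, h.detail) for h in hits)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, kind, detail in demo():
        print(f"{name:12} {kind:8} {detail}")
```

Running the script reports one keyword hit for the ASCII file, one for the UTF-16LE file, and one hash match; a server collecting such records from many booted clients is what lets the investigator rank machines by likely relevance rather than examining each one in turn.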

Works cited:

  1. Triage. In: Dorland’s medical dictionary for health consumers; n.d.
  2. Koopmans M. The art of triage with (g)PXE. Dublin: University College Dublin; 2010. p.51

For more information, please see:

Koopmans, M. B., & James, J. I. (2013). Automated network triage. Digital Investigation, 1–9. doi:10.1016/j.diin.2013.03.002

Feb 27 2013

The concept of signatures is used in many fields, normally for the detection of some sort of pattern. For example, antivirus and network intrusion detection systems sometimes implement signature matching to attempt to differentiate legitimate code or network traffic from malicious data. The principle of these systems is that, within a given set of data, malicious data will have some recognizable pattern. If malicious code, for example, has a pattern that is different in some way from non-malicious data, then the malicious data may be differentiated with signature-based methods. In terms of malware, however, signature-based methods are becoming less effective as malicious software gains the ability to alter or hide malicious patterns, for example through polymorphic or encrypted code.

This work suggests that signature-based methods may also be used to detect patterns of user actions on a digital system. This is based on the principle that computer systems are interactive: when a user interacts with the system, the system is immediately updated. In this work, we analyzed a user’s actions in relation to timestamp updates on the system.

During experimentation, we found that timestamps on a system may be updated for many different reasons. Our work, however, determined that there are at least three major timestamp update patterns given a user action. We define these as Core, Supporting and Shared timestamp update patterns.

Core timestamps are timestamps that are updated each time, and only when, the user action is executed.

Supporting timestamps are timestamps that are updated sometimes, and only when, the user action is executed.

Shared timestamps are timestamps that are shared between multiple user actions. So, for example, the timestamps of a single file might be updated by two different user actions. With shared timestamps it is impossible to determine which action updated the timestamp without more information.

By categorizing timestamps into these three primary categories, we can construct timestamp signatures to detect if and when a user action must have happened. For example, since only one action can update Core timestamps, the time value of the timestamp is approximately the time in which the user action must have taken place.

The same can be said for Supporting timestamps, but we would expect Supporting timestamp values to be at or before the last instance of the user action.

Using this categorization system, and finding associations of timestamps to user actions, user actions in the past can be reconstructed just by using readily available metadata in a computer system.
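The Core/Supporting/Shared reasoning above, carried through as an added example (written for this page, not the authors’ own tool): a small Python detector takes a timestamp signature for one action and a map of observed timestamp values, and decides whether the action occurred and when. Core timestamps must all agree (within a tolerance for filesystem granularity) on the time of the last execution; Supporting timestamps must be at or before that time, with earlier values recorded as evidence of older executions; Shared timestamps are reported but never used for attribution. The action name, the timestamp identifiers and the two timestamp sets are constructed and hypothetical, and treating a Supporting timestamp later than the Core time as “signature does not match” is a design choice of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Signature:
    """Timestamp signature for one user action (identifiers are hypothetical labels)."""
    action: str
    core: List[str]                                  # updated every time the action runs, by it alone
    supporting: List[str]                            # updated only by this action, but not every time
    shared: List[str] = field(default_factory=list)  # also updated by other actions


@dataclass
class Detection:
    action: str
    occurred: bool
    last_time: Optional[datetime]
    notes: List[str]


def detect(sig: Signature, ts: Dict[str, datetime],
           tolerance: timedelta = timedelta(seconds=5)) -> Detection:
    """Apply one signature to a map of timestamp id -> observed value.

    `tolerance` absorbs filesystem timestamp granularity and the few seconds
    an action takes to touch all of its files.
    """
    notes: List[str] = []
    if not sig.core:
        return Detection(sig.action, False, None, ["signature has no core timestamps"])
    missing = [k for k in sig.core if k not in ts]
    if missing:
        return Detection(sig.action, False, None,
                         [f"core timestamp absent: {k}" for k in missing])

    # Every execution rewrites all core timestamps, so they must agree on the
    # time of the last execution.
    core_vals = [ts[k] for k in sig.core]
    t_last = max(core_vals)
    if t_last - min(core_vals) > tolerance:
        return Detection(sig.action, False, None,
                         ["core timestamps disagree; signature does not match"])

    # Supporting timestamps are written only by this action, so none may be
    # later than the last execution. An earlier value records an older run.
    for k in sig.supporting:
        v = ts.get(k)
        if v is None:
            continue
        if v > t_last + tolerance:
            return Detection(sig.action, False, None,
                             [f"supporting timestamp {k} is later than the core time; inconsistent"])
        if v < t_last - tolerance:
            notes.append(f"supporting timestamp {k} records an earlier execution at {v.isoformat()}")

    # Shared timestamps are reported but never used for attribution.
    for k in sig.shared:
        if k in ts:
            notes.append(f"shared timestamp {k} cannot be attributed to {sig.action} alone")
    return Detection(sig.action, True, t_last, notes)


def demo():
    """Constructed sample: a hypothetical 'open_document' signature against two
    made-up timestamp sets, one consistent with the signature and one not."""
    sig = Signature(
        action="open_document",
        core=["app_recent_list.mtime", "app_config.mtime"],
        supporting=["app_cache_dir.mtime"],
        shared=["user_profile_dir.atime"],
    )
    t = datetime(2011, 3, 14, 9, 26, 53)
    consistent = {
        "app_recent_list.mtime": t,
        "app_config.mtime": t + timedelta(seconds=1),
        "app_cache_dir.mtime": t - timedelta(days=2),   # an older run of the action
        "user_profile_dir.atime": t,
    }
    inconsistent = dict(consistent, **{"app_cache_dir.mtime": t + timedelta(hours=1)})
    return detect(sig, consistent), detect(sig, inconsistent)


if __name__ == "__main__":
    for d in demo():
        print(d.action, "occurred" if d.occurred else "not detected", d.last_time, d.notes)
```

The first constructed set yields a detection at the latest Core value, with a note that the Supporting timestamp points to an older execution and that the Shared timestamp cannot be attributed; the second set fails because a Supporting timestamp postdates the Core time, which the signature model does not allow.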

For more information, please see our article on this topic:

James, J., P. Gladyshev, and Y. Zhu. (2011) “Signature Based Detection of User Events for Post-Mortem Forensic Analysis”. Digital Forensics and Cyber Crime: Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. Volume 53, pp 96-109. Springer. [PDF] [arXiv:1302.2395]

Oct 03 2012

Last week Joshua and I gave an invited talk about digital forensics at InfoSecurity Russia 2012. The slides of the talk are here: Slides of DigitalFIRE Talk at InfoSecurity Russia 2012

Our talk explored the issues of digital forensics in the cloud environment. The first part of the talk introduced the concepts of cyber crime investigations and the challenges faced by digital forensic practitioners. The second part of the talk explored investigative difficulties posed by cloud computing. A possible approach to dealing with some of these difficulties based on the I-STRIDE model was outlined.

Aug 12 2010

This work relates to a 2009 project researching real-world digital forensic practices, for the development of highly automated tools to increase the speed and efficiency of forensic investigations. A survey was sent to 30 Law Enforcement officers from different countries in Europe (with 10 respondents). The key findings of the survey are given, with a link to the full document provided.

Key observations:

  • Every country has a different definition of digital crime
  • Every country has different laws relating to digital crime
  • INTERPOL fights international crime by managing resources between countries
  • INTERPOL provides facilitation rather than direct operational capabilities
    • ‘Outsource’ operational needs from member countries

Requirements for Digital Forensic Tools

Out of 30 surveys submitted, 10 were returned. Along with these surveys, informal discussions with practitioners were conducted.

Through the survey and discussions it was found that three primary factors are taken into account by investigators when purchasing forensic software:

  1. Feature set
  2. Cost
  3. Ease of use

Cost was found to be a common complaint, and a major concern for almost every practitioner spoken to. However, the most expensive forensic software, EnCase, was the primary software chosen by 80% of the organizations. FTK, X-Ways Forensics, and miscellaneous tools were also used, but not nearly as often.

The average percentage of cases in which only the chosen primary software was used is 77.9%, which suggests that the cost of more expensive software is justified if it can handle the majority of needs the investigator may have. It appears that EnCase does, in fact, meet the majority of the investigator’s requirements; however, there are still approximately 20% of cases in which an investigator would need additional features.

This 20% is covered by various secondary software, with FTK being the secondary software of choice. WinHex, Password Recovery/Decryption, Automated Analysis tools, and various Linux-based tools were also used.

The majority of the time an investigator is looking at user documents. Internet traces, passwords and log analysis are a close second.

The group also indicated that they would be more likely to buy a plug-in for their current software set than to buy third-party stand-alone software. Fitting into their current workflow is a topic of importance.

Timelines of user actions are important to investigators. Some investigators indicated that a timeline of user activities would be useful in up to 70% of their cases.

Also interesting is that currently only 31% of cases involve Windows Registry analysis. This low number was not shown to correlate with knowledge of the Windows Registry: responders who claimed to be “very familiar” or “expert” in Windows Registry analysis employed it just as often as those who were only “somewhat familiar”.

Finally, the types of evidence investigators are seeing still consist primarily of Windows computers (87%), with Linux a far second (7%) and Mac last (6%). Of the Windows machines, Windows XP is still the most common OS (58%), with Vista (28%) and Windows 7 (4%) growing, but still not the majority.

For more information and the raw data, please see:
James, J.I. (2009) “Survey of Evidence and Forensic Tool Usage in Digital Investigations”. University College Dublin. [PDF]