The full paper was published\u00a0in Vol 10, No 4<\/a> of the Journal\u00a0of Digital Forensics, Security and Law<\/a>.<\/p>\n A demo of the user interface that was developed for this project<\/a>.<\/p>\n The PDF of this journal publication<\/a> is available to download.<\/p>\n The process of acquiring images of hard disks is a well documented and usually straight forward task for a forensic investigator. Still, taking forensically sound images of hard disks is an essential step during investigations involving computer systems.<\/p>\n This paper details a system that provides the same functionality as current forensic hardware at a fraction of the cost. While this platform is presented as a write blocker and imaging device, it is designed to be extended and enhanced. Several example developments are detailed in this paper. This project is an attempt to facilitate the building of forensic devices and to enable forensic investigators to add their own functionality and personalisations.<\/p>\n The novel user interface for this platform is based on ideas from Morphological Analysis<\/em>. This responsive web user interface provides a clean and informed way of presenting forensic tasks to a user.<\/p>\n Based on our research, current forensic platforms are expensive, some costing thousands of Euro. While this cost is perfectly reasonable for some organisations and departments, it can be an issue for others.<\/p>\n The FIREBrick\u00a0<\/em>Project<\/a> is an open embedded system based on Linux<\/em> that, in its most basic form, provides write-blocking functionality and provides forensically sound copies of hard disks. The system can be built using almost any motherboard.<\/p>\n The FIREBrick\u00a0<\/em> operating system is a minimal customised Linux<\/em> distribution. As this device is Linux<\/em> based, developers can easily develop and enhance the platform using the wide array of available Linux<\/em> software.<\/p>\n To date, the FIREBrick<\/em> Project has received interest from the computer forensic community. Several investigators and many students from around the world have developed new functionality for the platform. In particular, a number of new features were developed by M.Sc. students from the Digital Investigation and Forensic Computing<\/em> programme in University College Dublin.<\/p>\n The FIREBrick is constructed using common, cost-effective, commercially available hardware. Configurations of Raspberry Pi<\/em>, Gizmosphere’s Gizmo<\/em> have been built. The desktop computer based device requires the following hardware:<\/p>\n As the system is open source, it can be tailored for a specific requirement or specific law enforcement agency. Smaller, less powerful hardware could be used and powered by a battery, or a more computationally powerful system could be built that would be larger and less portable.<\/p>\n To demonstrate the configurable nature of the platform, the FIREBrick<\/em> can be configured as a stand alone device, not requiring a host system to operate. This configuration might be suitable for investigators that do not wish to carry around a lot of equipment. An LCD screen can be connected to the FIREBrick<\/em> and a simple menu presented to the user.<\/p>\n This mini-ITX<\/em> device is shown in Figure 1.<\/p>\n Going further with this minimalist concept, a FIREBrick<\/em> can be configured to automatically begin imaging a disk as soon as the disk is connected to the system, providing an audio alert from the speaker on the motherboard when imaging is complete. An example of this configuration is shown in Figure 2.<\/p>\n These examples have been constructed and are currently being used by forensic investigators. The approximate cost of building a minimalist FIREBrick<\/em> device is shown below:<\/p>\n <\/p>\n The FIREBrick\u00a0<\/em>is based on Linux, thus any Linux<\/em> compatible software is available to FIREBrick<\/em>. Tools such as The Sleuth Kit<\/em>, Android Debug Bridge<\/em> and Photorec<\/em> have been used with the FIREBrick<\/em>. One such configuration of the FIREBrick<\/em> platform added a WiFi device allowing a user to connect via any WiFi compatible device. Another configuration performed write-blocking over iSCSI<\/em>, where the user connected to the FIREBrick<\/em> via an Ethernet cable.<\/p>\n As the Android Debug Bridge<\/em> software is available to the FIREBrick<\/em>, it can be configured to acquire information from mobile devices such as phones and tablets. While mobile data acquisition is feasible and has been built, it requires further development to support a wider range of makes and models of mobile devices.<\/p>\n Another configuration of the FIREBrick<\/em> is a network packet capture and analysis device. The FIREBrick<\/em> uses TCPDUMP<\/em> and can be connected to a target network to capture network packets. These packets could be analysed for information gathering, threat detection purposes et cetera.<\/p>\n Scripting is a powerful way of querying and analysing large data sets. In terms of scripting functionality, FIREBrick<\/em> has been build and tested with Node.js<\/em> and with Python<\/em>. Again, the concept with this platform is to allow developers to add their preferred scripting languages to the platform.<\/p>\n The FIREBrick<\/em> operating system (FIREBrick<\/em> OS) is a custom Linux<\/em> distribution built from the ground up using Buildroot<\/em>. The FIREBrick<\/em> OS may be written to the motherboard BIOS, configured as a boot disk, configured as a boot USB<\/em> key, or via PXE<\/em> booting. It is a lightweight OS, unlike other Linux<\/em> based forensic distributions, it comes with a very minimal set of software packages and comes without superfluous libraries. This has benefits in terms of speed, maintainability and security.<\/p>\n The FIREBrick<\/em> OS may be deployed on many hardware platforms. One example is deploying the OS on a desktop motherboard, where the OS is flashed onto the BIOS. This requires no boot device and the system will never boot from evidential drives. Also, this allows the system to run very quickly and boot almost instantly. There are downsides of this approach, such as, the OS size is limited to the size of the BIOS which is usually relatively small (typically 32Mb). However, a minimal system with write-blocking and imaging capability can easily fit into the BIOS of a desktop motherboard.<\/p>\n Figure 3 shows a typical configuration of a FIREBrick<\/em> system. The user views and interacts with the target device via an iSCSI initiator, this iSCSI target is read-only and hence the evidential drive cannot be altered in any way. Utilising iSCSI<\/em> provides remote access to the FIREBrick<\/em> device. From the prospective of the FIREBrick<\/em> OS, the target drive is never mounted and data is never written to the drive. The user can also control the FIREBrick<\/em> using the web user interface (WUI). The write-blocking functionality is iSCSI<\/em> in this case, however the system can be configured to write-block via a Firewire<\/em> or via USB<\/em> with supplemental hardware. Morphological Analysis<\/em> (MA) is a powerful problem-structuring and problem-solving technique created by Fritz Zwicky. MA works by analysing a problem space, arranging it into tabular form and identifying inconsistencies. Ritchey extended MA using software to aid in the process.<\/p>\n This novel user interface, based on MA, was designed to facilitate ease of use and provide a way of guiding the user through tasks. The user interface for one configuration of a FIREBrick<\/em> can be seen to provide an intuitive and helpful way of performing forensic tasks that is quite different to regular menu-driven user interfaces. The web user interface is shown in Figure\u00a04.<\/p>\n This interface provides a way of presenting forensics tasks, of grading them, and of accessing each task in an uncluttered fashion. To explain how MA is used as a user interface, we shall consider a simple example. A SATA<\/em> disk taken from\u00a0a computer is to be imaged. Figure 5\u00a0shows the interface after a user selected Capture from Task.<\/p>\n We can see here that the value of Saved Image from Data Source is unavailable. This is the case because the two values are inconsistent.<\/p>\n Figure 6\u00a0shows each parameter compared with every other parameter. This facilitates the identification of inconsistent pairs of values. At this point, Computer<\/em> from Data Source<\/em>, Disk<\/em> from Data Location<\/em> and Off<\/em> from System State<\/em> are selected. Now the impact on the system would be shown. Once None<\/em> in System<\/em> Impact<\/em> is selected, the task is initiated. The penultimate step can be seen in Figure 7. Parameter values can be chosen in any order. However, all parameters must have a value chosen in order to initiate a task. Once all values are selected, a confirmation dialog box will be displayed.<\/p>\n Using MA as an interface presents forensic tasks to the user, but also provides more information about the tasks to the user. In our example, it allows the user to see the level of system impact the selected task has on the target system. In this example we saw that there was an impact of None, as the disk was taken from the computer and nothing will be written to the disk.<\/p>\n MAUI<\/em> is arranged in a way to show the full spectrum of tasks available to the user in an uncluttered\u00a0and transparent way. There are no nested menus and no extra options as all available tasks are presented to the user. This compact interface is also suitable for mobile devices that have limited screen sizes.<\/p>\n In this paper we have detailed a forensic platform that provides the same functionality as commercial forensic devices, at a fraction of the cost. This platform is presented as both a hardware and software platform, the software is similar in some ways to forensic Linux<\/em> distributions such as SANS Investigative Forensic Toolkit or CAINE<\/em>, however the FIREBrick<\/em> OS is built from the ground up. The software only contains what is absolutely necessary to provide forensic functionality. As such, the FIREBrick<\/em> software is well suited for use with embedded hardware.<\/p>\n As the choice of hardware for the FIREBrick<\/em> device is open-ended, performance can vary quite substantially. For the FIREBrick<\/em> device in Figure 1, speeds of 5GB\/min were obtained while imaging a Kingston SSDNOW SERIES V100<\/em>\u00a0SSD drive. Throughput would increase for faster SSD drives and would decrease for slower platter-based drives. The specifications for commercial forensic imaging devices detail speeds ranging from 4GB up to 15GB. These figures have not been verified by the authors of this paper.<\/p>\nIntroduction<\/h1>\n
Commercial Forensic Devices<\/h2>\n
FIREBrick\u00a0<\/em>System<\/h3>\n
Hardware<\/h1>\n
\n
Customised Forensic Device<\/h2>\n
Stand Alone Device<\/h2>\n
![\"1\"](\"http:\/\/digitalfire.ucd.ie\/wp-content\/uploads\/2016\/02\/1.png\")
<\/a>\n
\nTotal\u00a0\u20ac100<\/strong><\/li>\n<\/ul>\n![\"2\"](\"http:\/\/digitalfire.ucd.ie\/wp-content\/uploads\/2016\/02\/2.png\")
Extensible Platform<\/h2>\n
Mobile Device Acquisition<\/h3>\n
Purpose Built Devices<\/h3>\n
Scripting<\/h3>\n
Software<\/h1>\n
Operating System<\/h2>\n
Write Blocking Functionality<\/h3>\n
![\"Capture\"](\"http:\/\/digitalfire.ucd.ie\/wp-content\/uploads\/2016\/02\/Capture.jpg\")
\nImaging utilises the DCFLDD<\/em> dcfldd package, a modified version of GNU<\/em> dd, used frequently by forensic investigators.<\/p>\nMorphological Analysis<\/h3>\n
Morphological Analysis User Interface (MAUI<\/a>)<\/h3>\n
![\"UIModel\"](\"http:\/\/digitalfire.ucd.ie\/wp-content\/uploads\/2016\/02\/UIModel.png\")
![\"selectedCapture\"](\"http:\/\/digitalfire.ucd.ie\/wp-content\/uploads\/2016\/02\/selectedCapture.jpg\")
![\"UIDisk\"](\"http:\/\/digitalfire.ucd.ie\/wp-content\/uploads\/2016\/02\/UIDisk.png\")
\nThis information would not be available to the user as it is hard-coded into the interface and represents the logic driving the interface. We can see that Capture<\/em> and Saved Image<\/em> are identified as inconsistent (highlighted in Figure 6). This is so because a saved image cannot be captured, a saved image is already captured. Similarly, View<\/em> and Off<\/em> are inconsistent. A system cannot be viewed that has been turned off for a reasonable amount of time.<\/p>\n![\"UICCA\"](\"http:\/\/digitalfire.ucd.ie\/wp-content\/uploads\/2016\/02\/UICCA.png\")
<\/a>Results<\/h1>\n
Performance<\/h2>\n
User Interface<\/h2>\n