UTD CS 4398 - Research in Next-Generation Digital Forensics

This preview shows page 1-2-3-20-21-22-41-42-43 out of 43 pages.

Contents (slide titles)

Research in Next-Generation Digital Forensics
Digital Forensics Research Group
Digital Forensics
Examples of Digital Evidence
Facts (or: Why Digital Forensics?)
Facts (2)
Privacy Through Media Mutilation
Digital Forensics Process
"Traditional" Digital Forensics
Traditional: Where's the evidence?
But Evidence is Also…
Next Generation: Needs
Next Generation: UNO
File Carving: Basic Idea
File Carving: Fragmentation
Slide 16
File Carving: Damaged Files
File Carving: Doing a Better Job
File Carving: Block Sniffing
Better Software: File Carving: Scalpel
Slide 21
Some Scalpel Results (2)
OS Support for Digital Forensics
FUSE (Filesystem in User Space)
In-Place File Carving
Better Auditing
Better Auditing (2)
Bluepipe: On the Spot Digital Forensics
Slide 29
Distributed Digital Forensics
Slide 31
Distributed Digital Forensics (2)
Distributed Digital Forensics (3)
Beowulf [RIP], Slayer of Computer Criminals…
DDF: Results (1)
DDF: Results (2)
DDF: To Do List
DDF: To Do (2)
Current: Live Forensics
Conclusion: Lots of Work To Do
Conclusion (2)
Random Bedside Reading…
Presentation available:

Research in Next-Generation Digital Forensics

Golden G. Richard III, Ph.D.
Associate Professor
Dept. of Computer Science
[email protected]
http://www.cs.uno.edu/~golden

Digital Forensics Research Group

• Fall 2006:
  – Thursdays @ 1pm in NSSAL (Math 322)
• Primary Collaborators:
  – Vassil Roussev [UNO CS]
  – Vico Marziale [UNO Ph.D. student]
  – Frank Adelstein [ATC-NY]

Digital Forensics

Definition: "Tools and techniques to recover, preserve, and examine digital evidence on or transmitted by digital devices." Devices include computers, PDAs, cellular phones, videogame consoles, copy machines, printers, …

Examples of Digital Evidence

• Threatening emails
• Documents (e.g., in places they shouldn't be)
• Suicide notes
• Bomb-making diagrams
• Malicious software
  – Viruses
  – Worms
  – …
• Child pornography (contraband)
• Evidence that network connections were made between machines
• Cell phone SMS messages

Facts (or: Why Digital Forensics?)

• Deleted files aren't securely deleted
  – Recover the deleted file + when it was deleted!
• Renaming files to avoid detection is pointless
• Formatting disks doesn't delete much data
• Web-based email can be (partially) recovered directly from a computer
• Files transferred over a network can be reassembled and used as evidence

Facts (2)

• Uninstalling applications is much more difficult than it might appear…
• "Volatile" data hangs around for a long time (even across reboots)
• Remnants from previously executed applications
• Using encryption properly is difficult, because data isn't useful unless decrypted
• Anti-forensics (privacy-enhancing) software is mostly broken
• "Big" magnets (generally) don't work
• Media mutilation (except in the extreme) doesn't work
• Basic enabler: Data is very hard to kill

Privacy Through Media Mutilation

[Figure: the options shown are a degausser, or forensically-secure file deletion software (but make sure it works!), or physical destruction.]

Digital Forensics Process

• Identification of potential digital evidence
  – Where might the evidence be?
  – Which devices did the suspect use?
• Preservation and copying of evidence
  – On the crime scene…
  – First, stabilize evidence… prevent loss and contamination
  – If possible, make identical copies of evidence for examination
• Careful examination of evidence
• Presentation
  – "The FAT was fubared, but using a hex editor I changed the first byte of directory entry 13 from 0xEF to 0x08 to restore 'HITLIST.DOC'…"
  – "The suspect attempted to hide the Microsoft Word document 'HITLIST.DOC' but I was able to recover it without tampering with the file contents."
• Legal: Balance of need to investigate vs. privacy

"Traditional" Digital Forensics

• Pull the plug
• "Image" (make bit-perfect copies of) hard drives, floppies, USB keys, etc.
• Use forensics software to analyze copies of drives
• Investigator typically uses a single computer to perform the investigation in the lab
• Present results to client, to officer-in-charge, court

Traditional: Where's the evidence?

• Undeleted files; expect some names to be incorrect
• Deleted files
• Windows registry
• Print spool files
• Hibernation files
• Temp files (all those .TMP files!)
• Slack space
• Swap files
• Browser caches
• Alternate or "hidden" partitions
• On a variety of removable media (floppies, ZIP, Jazz, tapes, …)

But Evidence is Also…

• In RAM
• "In" the network
• On mission-critical machines
  – Can't turn off without severe disruption
  – Can't turn them ALL off just to see!
• On huge storage devices
  – 1TB server: image the entire machine and drag it back to the lab to see if it's interesting?
  – 10TB?

Next Generation: Needs

• Broad:
  – Better design, better software
    • Yes, some of it is engineering (and hacking)
    • Someone has to do it
  – Better vision, application of 'real' CS to problems
• More specific:
  – Need for speed
  – Machine correlation
  – Machine profiling
  – Better auditing of the investigative process
  – On-the-spot forensics: triage
  – Live forensics
  – Network forensics
  – Specific tools for detection and remediation of malware
  – Phishing investigation
  – …

Next Generation: UNO

• Better file carving
• Forensic-aware OS components
• In-place file carving
• Forensic accountability
• On-the-spot forensics
• Distributed digital forensics

File Carving: Basic Idea

[Figure: a run of disk blocks (one sector, one cluster marked for scale). Unrelated disk blocks surround an interesting file, which begins with a header, e.g., 0x474946e8e761 (GIF), and ends with a footer, e.g., 0x003B (GIF). Labels: "milestones" or "anti-milestones".]

File Carving: Fragmentation

[Figure: the same header, e.g., 0x474946e8e761 (GIF), and footer, e.g., 0x003B (GIF), with the file's blocks no longer contiguous. Labels: "milestones" or "anti-milestones".]

Slide 16

[Figure: File Carving: Fragmentation, repeated; header, e.g., 0x474946e8e761 (GIF), footer, e.g., 0x003B (GIF).]

File Carving: Damaged Files

[Figure: header, e.g., 0x474946e8e761 (GIF), followed by blocks but no footer. Labels: "milestones" or "anti-milestones"; "No footer".]

File Carving: Doing a Better Job

• Better design
• Faster
• Distributed implementation
• More flexible description of file types
• Automatic generation of type descriptions
  – Patterns
  – Rule sets
• Multiple-pass carving
  – Carve, "remove" validated files from the block list, re-carve, hope that some fragmented files coalesce
• Block-sniffing

File Carving: Block Sniffing

[Figure: header, e.g., 0x474946e8e761 (GIF), followed by candidate blocks. Do these blocks "smell" right?]

• N-gram analysis
• Entropy tests
• Parsing

Better Software: File Carving: Scalpel

• Two-pass design
• Minimizes:
  – Reads
  – Seeks
  – Writes
  – Data copying
  – Memory usage
• Doesn't yet incorporate all of the carving wizardry we
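The following is an added example, not part of the slides or of Scalpel: a minimal header/footer carver in the style of the "Basic Idea" and "Damaged Files" slides. It assumes the GIF89a signature (bytes 47 49 46 38 39 61) as the header, the 0x003B trailer as the footer, 512-byte sectors, and a constructed seven-sector image; a header with no footer within the maximum carve size is treated as a damaged file and carved to that size rather than dropped.

```python
import re

# Added example (not from the slides): header/footer carving over a raw image.
GIF_HEADER = b"GIF89a"     # assumption: GIF89a signature, 47 49 46 38 39 61
GIF_FOOTER = b"\x00\x3b"   # the 0x003B trailer shown on the slides
SECTOR = 512


def carve(image, header=GIF_HEADER, footer=GIF_FOOTER,
          max_size=4 * SECTOR, sector_aligned=True):
    """Return (offset, data, has_footer) for each candidate file in image.

    A header that does not start on a sector boundary is treated as a stray
    hit inside unrelated data and skipped when sector_aligned is set.
    A header with no footer inside max_size is a damaged file: the whole
    window is carved so the partial content is not lost.
    """
    results = []
    for m in re.finditer(re.escape(header), image):
        start = m.start()
        if sector_aligned and start % SECTOR:
            continue
        window = image[start:start + max_size]
        end = window.find(footer, len(header))
        if end == -1:
            results.append((start, window, False))   # no footer: damaged file
        else:
            results.append((start, window[:end + len(footer)], True))
    return results


def build_sample_image():
    """Constructed 7-sector image: filler, an intact GIF, a stray unaligned
    header inside unrelated data, a GIF with no footer, then 3 filler sectors."""
    filler = b"\x00" * SECTOR
    intact = (GIF_HEADER + b"\x10\x00\x10\x00" + b"A" * 300
              + GIF_FOOTER).ljust(SECTOR, b"\xff")
    stray = b"x" * 100 + GIF_HEADER + b"y" * 406
    damaged = (GIF_HEADER + b"\x20\x00\x20\x00" + b"B" * 500).ljust(SECTOR, b"B")
    return filler + intact + stray + damaged + filler * 3


if __name__ == "__main__":
    for offset, data, ok in carve(build_sample_image()):
        print(f"offset={offset} size={len(data)} footer_found={ok}")
```

Running it with sector_aligned=False also reports the stray header at offset 1124, which is the kind of false hit the "block sniffing" slide's entropy and parsing checks are meant to reject.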