Secure Digital Life #68
Recorded in June 2018 at G-Unit Studios in Rhode Island!
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
- Ticket Sales are open for Social Engineering RI Conference. Saturday, June 6th at Salve Regina University in Newport RI. Go to - http://se-ri.org/ to register!
- How do you feel about User and Entity Behavior Analytics? What about your SIEM? Check out LogRhythm's webcast on June 14th at 3:00pm-4:00pm.
Topic: Digital Forensics
- Due to requests from some viewers we are talking about digital forensics today.
- What is forensics anyway?
- Typically, it refers to the acquisition, preservation, and interpretation of evidence.
- That means it could be just about anything from gun casings to fingernail clippings, etc.
- In the case of digital forensics, the term started to be used in the late 90's to describe evidence stored on some sort of digital medium, like a recording or a picture. The problem was that such evidence had no provenance at the time and was treated as hearsay, because of the question "could this have been modified or created in some way?"
This led to a lot of questions about how to recover evidence from digital devices and how to preserve it such that you could maintain the integrity of the evidence for court.
Back in 1999, Dan Farmer and Wietse Venema released some tools for a class, called The Coroner's Toolkit (http://www.porcupine.org/forensics/tct.html), which recovered files from Unix-based storage devices. That eventually led to The Sleuth Kit by Brian Carrier (https://www.sleuthkit.org/), a "suite" of tools built on open source tools and the TCT tools. Autopsy provides the front end for TSK, and today it can be used on pretty much any type of media. To my knowledge it is free for you to use. Check it out.
So, how does digital forensics work?
- There are really three main pieces of DF that are done: acquisition, analysis, and preservation.
- Acquisition starts when a device is "seized" (and that can mean a lot of different things), but basically it means that, for whatever reason, I now have your device. Let's say it's your laptop.
- Acquisition then means that I need to create a stable, static, digital duplicate that can be analyzed, since it's not a good idea to fool around with original evidence unless you have to.
- There are all kinds of products out there to "image" digital media of all sorts. Cell phones, hard drives, SSDs, memory, cameras, flash cards, you name it, you can image it.
- Typical imaging means using "write blockers" to ensure that nothing gets written to the evidence while it is being duplicated.
- Another piece of this is that "copying" or "ghosting" is NOT the same thing as a forensic image. A forensic image needs to copy every single bit from 0 to FFFFFFFFFFFFFFFF or whatever the last bit is. That means things that are deleted, things that are partially overwritten, etc. can all still remain there. Copies just move the live files, not the dead stuff.
- So, once you have that image, you can start to analyze it.
- Example of a deleted file
- When most file systems "delete" something, they work from a map of the drive, so let's say there is a file called foo.txt stored on the hard drive at offset AF. In the map, the file system remembers that the beginning of foo.txt is at AF, so you might see something like
    foo.txt AF 1024
- indicating that it's 1024 bytes long. So, in a perfect world, you would just point to AF and start reading until you had read 1024 bytes. When the file is deleted, instead of taking all the time to go out on the drive and "erase" those 1024 bytes, the file system just changes the name in the table to FFfoo.txt, which indicates that the file is "deleted". That means the 1024 bytes at AF are free to be used by something else. Now, if something else uses that space, the file may be partially erased. So if a new 512-byte file is written there, the table may look like
    FFfoo.txt AF 1024
    bar.txt AF 512
- So, the other 512 bytes are still lying there (and the whole thing may still be lying there if nothing has used the space).
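A toy model of the table walkthrough above, as an added example that is not from the show: the "FF" prefix and the AF/1024/512 numbers are the show's, while the ToyDisk class, its recover_deleted() helper and the sample bytes are constructed here. It also shows why a plain copy misses what a full image keeps.

```python
DELETED = "FF"   # the show's marker for a deleted entry (real FAT uses byte 0xE5)

class ToyDisk:
    def __init__(self, size=4096):
        self.data = bytearray(size)     # the raw media, every byte
        self.table = []                 # [name, offset, length], like the show's map

    def write(self, name, offset, content):
        self.data[offset:offset + len(content)] = content
        self.table.append([name, offset, len(content)])

    def delete(self, name):
        # Deleting only renames the table entry; nothing on the media is erased.
        for entry in self.table:
            if entry[0] == name:
                entry[0] = DELETED + name
                return
        raise FileNotFoundError(name)

    def live(self):
        return [e for e in self.table if not e[0].startswith(DELETED)]

    def copy(self):
        # What a plain copy or "ghost" carries: only the live files.
        return {n: bytes(self.data[o:o + l]) for n, o, l in self.live()}

    def image(self):
        # What a forensic image carries: every byte, live or dead.
        return bytes(self.data)

def recover_deleted(disk):
    # Read each deleted entry's old extent back and count bytes a live file reclaimed.
    found = {}
    for name, off, ln in disk.table:
        if not name.startswith(DELETED):
            continue
        reclaimed = bytearray(ln)
        for _, o2, l2 in disk.live():
            lo, hi = max(off, o2) - off, min(off + ln, o2 + l2) - off
            for i in range(lo, hi):
                reclaimed[i] = 1
        found[name] = (bytes(disk.data[off:off + ln]), sum(reclaimed))
    return found

def demo():
    disk = ToyDisk()
    original = b"kitten" * 170 + b"!!!!"        # constructed 1024-byte foo.txt
    disk.write("foo.txt", 0xAF, original)
    disk.delete("foo.txt")
    disk.write("bar.txt", 0xAF, b"B" * 512)     # new 512-byte file reuses the space
    return disk, original, recover_deleted(disk)
```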
- Another approach is just looking for files by type. Files have headers in them so that applications can easily identify them. Some operating systems use extensions (like .docx) to identify a file type, but even a .docx has a header that indicates it is an Office file. Scanning for headers can find files that are hidden, deleted, or obfuscated (changing .docx to something else doesn't change the type but might confuse the operating system).
- So, if someone is trying to hide their pictures of kittens and they change the extension from .jpg to .txt, that would work on the surface. The file would have txt as an extension and a jpg viewer might not open it, but if you look at the raw file data you would still see the JFIF header, so you could tell there was a jpg file there.
- Typically, as forensicators, we look for the smoking guns (inculpatory evidence) first, and as such a lot of forensics may just be cataloging things that are there. Not hidden, not obfuscated, or anything.
- Take the example of a shooting. If someone uses their cell phone to video the shooting, forensics would be needed to acquire the video and the "metadata" about the video that would validate it. This may be the date, time, geotag, etc., so that a "fake video" can be discerned from a real one. This may simply be a matter of being an "expert" and presenting the findings to the court.
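The header-based identification from the .docx and kitten bullets above, as an added example that is not part of the show notes: the signature table, function names and sample bytes are constructed for illustration, and carve() applies the same idea to raw media with no file table at all.

```python
# Added example, not from the show: identify files by their header ("magic")
# bytes instead of by extension, and scan raw media for those headers.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",        # SOI marker; JFIF files carry "JFIF" at offset 6
    "png":  b"\x89PNG\r\n\x1a\n",
    "zip":  b"PK\x03\x04",          # .docx/.xlsx/.pptx are ZIP containers
    "pdf":  b"%PDF-",
}
EXT_TO_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png",
               "docx": "zip", "xlsx": "zip", "pdf": "pdf"}

def identify(data):
    """Type implied by the header, ignoring whatever the filename claims."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def is_jfif(data):
    """A JPEG whose APP0 segment is JFIF, as in the kitten example above."""
    return identify(data) == "jpeg" and data[6:10] == b"JFIF"

def extension_mismatch(filename, data):
    """True when the header says one type and the extension claims another."""
    actual = identify(data)
    if actual == "unknown":
        return False                # no signature to compare against
    ext = filename.rsplit(".", 1)[-1].lower()
    return EXT_TO_KIND.get(ext) != actual

def carve(media):
    """Scan raw bytes for every known header; returns sorted (offset, kind)."""
    hits = []
    for kind, magic in SIGNATURES.items():
        pos = media.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = media.find(magic, pos + 1)
    return sorted(hits)

# Constructed sample data (not real files): a JFIF header renamed to .txt and a
# ZIP-based document, both buried in otherwise blank media with no file table.
KITTENS_TXT = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 20
REPORT_DOCX = b"PK\x03\x04" + b"[Content_Types].xml" + b"\x00" * 10
MEDIA = b"\x00" * 64 + KITTENS_TXT + b"\x00" * 128 + REPORT_DOCX + b"\x00" * 32
```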
- Other cases can be more complicated. People can lie, obfuscate, contrive, and destroy evidence so sometimes forensics extends into recovering material that has been damaged.
(tell the story of BigDaddy)
- Likewise, it may expand such that you need more than one machine to recover the whole story (tell the naked fish man story).
- DF can even extend into validating or corroborating information that has been presented. Did the GPS show that you had actually been to NJ that night you said you never left your apartment?
- Today, DF can be done on literally any device that has digital components. Phones, GPS, cars, drones, doorbells, you name it, can contain evidence that may need to be used in a case.
- Preservation means taking that evidence and storing it such that it is persistent and remains identical to the original.
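One way to make "identical to the original" checkable, as an added example that is not from the show: hash the image at acquisition, keep the digest in a sidecar manifest, and re-hash before each analysis. The manifest layout, function names and the constructed 1 MiB "image" are assumptions made here, not any tool's format.

```python
import hashlib, json, os, tempfile, time

def hash_image(path, algo="sha256", chunk=1 << 20):
    # Hash in chunks so a multi-gigabyte image never has to fit in memory.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_acquisition(image_path, manifest_path, examiner):
    # Written once, at acquisition; later verification compares against it.
    manifest = {
        "image": os.path.basename(image_path),
        "examiner": examiner,
        "acquired": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "size": os.path.getsize(image_path),
        "sha256": hash_image(image_path),
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_image(image_path, manifest_path):
    # True only if size and digest both match what was recorded at acquisition.
    with open(manifest_path) as f:
        manifest = json.load(f)
    return (os.path.getsize(image_path) == manifest["size"]
            and hash_image(image_path) == manifest["sha256"])

def demo():
    # Constructed 1 MiB stand-in for a disk image, then a single changed byte.
    d = tempfile.mkdtemp()
    img, man = os.path.join(d, "laptop.dd"), os.path.join(d, "laptop.json")
    with open(img, "wb") as f:
        f.write(bytes(range(256)) * 4096)
    record_acquisition(img, man, examiner="<examiner name>")
    intact = verify_image(img, man)
    with open(img, "r+b") as f:          # simulate a single altered byte
        f.seek(777)
        f.write(b"\x01")
    return intact, verify_image(img, man)
```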
- Tools: Besides Sleuth Kit there are many commercial tools (which are often very expensive) used either for specific tasks (password crackers) or general ones (FTK). FTK (accessdata.com) and EnCase (guidancesoftware.com) are two of the oldest commercial products. X-Ways (x-ways.net) is another that I like a lot and that is cheaper (note they don't do academic discounts though, so unfortunately we never get to use it at school). All these tools have features to image, recover files, analyze data, etc. Some of them have storage tools as well for managing preservation.
- But, despite all the sexy things like password cracking and steganography, a lot of this is just hard work (tell the story of the perverted Comptroller).
- Digital forensics is a standard part of both criminal and civil cases today and can be an exciting career. Certifications like CCE (isfce.com) or GCFA (sans.org) can give you more insight into the field or document your ability to conduct an examination. Most community colleges and universities have courses in digital forensics (or whole degrees).