Data Forensics

Damien Leake
- To examine digital media to identify and analyze information so that it can be used as evidence in court
- Involves many data recovery techniques
  - Process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media
    - Hard drives, USB flash drives, DVDs
  - Recovery may be required due to physical damage or logical damage to the file system
- Digital evidence has to be authentic, reliably obtained, and admissible
Common Scenarios for Data Recovery
- Operating system failure
  - Use a LiveCD to copy all files to another disk
  - Can be avoided by proper disk partitioning
- Disk-level failure
  - Compromised file system or disk partition
  - Repair the file system, partition table, master boot record
  - Hard disk recovery: a one-time recovery
- Recovering deleted files
  - Often the data is not removed, only the references to it in the file table
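To make the last point concrete, the following added example (written for these notes, not part of the original slides) builds a toy FAT-style disk image in which "deleting" a file only marks its directory entry unused. Both recovery routes the slide alludes to are then shown: reading the stale directory entry, and carving the raw data area for known file headers and footers when no entry survives. The entry layout, the image contents, and the PNG/JPEG signatures used for carving are constructed for this example.

```python
import struct

# Toy directory entry: 1-byte flag (0x00 in use, 0xE5 deleted, as in FAT),
# 11-byte name, 4-byte data offset, 4-byte length, 12 bytes padding = 32 bytes.
ENTRY_FMT = "<B11sII12x"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 32
DIR_ENTRIES = 4
DATA_START = ENTRY_SIZE * DIR_ENTRIES     # data area begins after the table

# Header/footer pairs a carver looks for (real PNG and JPEG markers).
PNG_MAGIC, PNG_END = b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"
JPEG_MAGIC, JPEG_END = b"\xff\xd8\xff", b"\xff\xd9"
SIGNATURES = {"png": (PNG_MAGIC, PNG_END), "jpg": (JPEG_MAGIC, JPEG_END)}


def build_image():
    """Constructed sample image: three files referenced by the directory table."""
    png = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + PNG_END
    txt = b"meeting notes: Tuesday 10am"
    jpg = JPEG_MAGIC + b"\xe0JFIF" + b"\x00" * 8 + JPEG_END
    files = [(b"photo.png", png), (b"note.txt", txt), (b"cat.jpg", jpg)]
    entries, data = bytearray(), bytearray()
    for name, body in files:
        offset = DATA_START + len(data)
        entries += struct.pack(ENTRY_FMT, 0x00, name, offset, len(body))
        data += body
    entries += bytes(ENTRY_SIZE * (DIR_ENTRIES - len(files)))   # unused slots
    return bytearray(entries + data)


def _entries(image):
    for i in range(DIR_ENTRIES):
        flag, name, offset, length = struct.unpack_from(ENTRY_FMT, image, i * ENTRY_SIZE)
        if length:
            yield i, flag, name.rstrip(b"\0").decode(), offset, length


def list_live_files(image):
    """Names the file system still references (what a normal directory listing shows)."""
    return [name for _, flag, name, _, _ in _entries(image) if flag == 0x00]


def delete_file(image, name):
    """Toy delete: flip the entry's flag, leave offset, length and data untouched."""
    for i, flag, ename, offset, length in _entries(image):
        if ename == name:
            struct.pack_into(ENTRY_FMT, image, i * ENTRY_SIZE,
                             0xE5, ename.encode(), offset, length)
            return True
    return False


def recover_from_stale_entries(image):
    """Route 1: the deleted entry still points at the bytes, so read them back."""
    return {name: bytes(image[off:off + ln])
            for _, flag, name, off, ln in _entries(image) if flag == 0xE5}


def carve(image):
    """Route 2: ignore the table entirely and scan the data area for header/footer pairs."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = image.find(head, DATA_START)
        while pos != -1:
            end = image.find(tail, pos + len(head))
            if end == -1:
                break
            end += len(tail)
            found.append((kind, pos, bytes(image[pos:end])))
            pos = image.find(head, end)
    return found


if __name__ == "__main__":
    img = build_image()
    delete_file(img, "photo.png")
    print("still listed:", list_live_files(img))
    print("stale entries:", list(recover_from_stale_entries(img)))
    print("carved:", [(k, pos, len(b)) for k, pos, b in carve(img)])
```

The carver knows nothing about the directory table, which is why it still finds the PNG after its entry has been marked deleted; on a real file system the same approach fails only once the data blocks have been reused.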
Data Reduction During Acquisition
- Ever larger hard drives make collecting data very time-
- Data analysis can also take much longer if there are large amounts of data
- Known files
  - Operating system and application files can often be disregarded when looking for documents
- File types
  - Many file types can usually be ignored
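Both reduction steps on this slide are usually automated by hashing. The added example below (not from the original slides) hashes a trusted reference install to build a known-file set, then walks an evidence tree and sets aside anything whose hash is in that set or whose extension is on an ignore list, leaving only the files worth an examiner's time. The directory layout, the ignore list and the sample files are constructed for the example; a real case would use a published known-file hash set rather than a local reference copy.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the examiner has chosen to ignore when hunting for documents
# (constructed list for this example).
IGNORED_SUFFIXES = {".dll", ".exe", ".sys", ".tmp"}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_known_set(reference_dir):
    """Hash every file under a trusted reference install (stand-in for a known-file set)."""
    return {sha256_of(p) for p in Path(reference_dir).rglob("*") if p.is_file()}


def reduce_for_review(evidence_dir, known_hashes):
    """Return (files to review, files skipped with a reason), paths relative to the root."""
    review, skipped = [], []
    for p in sorted(Path(evidence_dir).rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(evidence_dir).as_posix()
        if p.suffix.lower() in IGNORED_SUFFIXES:
            skipped.append((rel, "ignored type"))
        elif sha256_of(p) in known_hashes:
            skipped.append((rel, "known file"))
        else:
            review.append(rel)
    return review, skipped


def make_sample_tree():
    """Constructed evidence tree plus a reference copy of the OS files."""
    root = Path(tempfile.mkdtemp())
    ref, ev = root / "reference", root / "evidence"
    (ref / "system").mkdir(parents=True)
    (ev / "system").mkdir(parents=True)
    (ev / "users" / "alice").mkdir(parents=True)
    os_bin = b"\x7fELF" + b"\x00" * 60
    (ref / "system" / "ls").write_bytes(os_bin)
    (ev / "system" / "ls").write_bytes(os_bin)                     # identical: known file
    (ev / "system" / "ls_patched").write_bytes(os_bin + b"\x90")   # differs: must review
    (ev / "system" / "driver.sys").write_bytes(b"junk")            # ignored by type
    (ev / "users" / "alice" / "plan.docx").write_bytes(b"PK\x03\x04 a document")
    return ref, ev


if __name__ == "__main__":
    ref, ev = make_sample_tree()
    review, skipped = reduce_for_review(ev, build_known_set(ref))
    print("review:", review)
    print("skipped:", skipped)
```

Note the order of the two tests: the extension check runs first because it is free, while hashing costs a full read of each file. The modified system binary is kept for review precisely because its hash no longer matches the reference, which is the same property that makes known-file filtering a useful integrity check.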
Live Acquisition
- Debate: pull the plug or not when finding suspect's
  - For: minimizes disturbance to stored data
  - Against: critical data may be in RAM
    - With full disk encryption, files are decrypted on the fly, with the decryption key stored in RAM
    - Open ports, active processes
    - Fully volatile OS: Knoppix
    - Unsaved documents
Examining RAM
- Evidence cannot be recorded on a target machine without changing its state
  - Logs, temp files, network connections opened/closed
  - Critical data may be overwritten
- Analysis utilities may need to be loaded onto the target
  - Usually, RAM data is sent to another machine over a network connection
- These problems may be avoided if the target machine was running in a virtual machine
Virtual Introspection
- Process by which the state of a VM is observed from the Virtual Machine Manager or another VM on the system
- No current production tool, but research shows promise
- Can allow live system analysis of a VM
- May be possible for it to be undetected by the target system
  - Experienced cyber criminals may have safeguards that remove critical data from RAM upon breach detection
Virtual Introspection for Xen
- Xen is an open source Virtual Machine Manager
  - Not as robust as some competitors
  - Open source means that researchers can modify the VMM should that become necessary
- VIX is a suite of tools currently being developed for Xen
  - Provides an API for getting data from different VMs
  - Pauses the target machine, acquires data, un-pauses
  - Ensures the machine state is not modified
Future Work
- Support for multiple OSs
  - Currently, the Linux 2.6 kernel is supported by VIX
  - Need Windows and Mac OS support for widespread
- Analysis of the extent to which VI can be detected by the target VM
  - Timing analysis, page fault monitoring
- Application of these techniques to VMware and other popular VM platforms
Database Forensics
- Standard forensics tools tend to be too time-consuming to run on large databases
- Database tools to search logs are quicker
  - Can return a lot of useful information
  - But they may alter the database in ways that complicate the admissibility of the content in court
- New field of study with little literature
Mobile Device Forensics
- State of the device at time of acquisition
  - Password locks
  - Remote data deletion
- Variety of operating systems
  - Hard to build tools considered industry standard
FTK Mobile Phone Examiner
- Most commonly used tool in the US
- Simple data acquisition
  - Cable, infrared, Bluetooth
  - Does not alter any data on the device
- Integration with Forensic Toolkit
  - Perform analysis on multiple phones at once
  - Reports are automatically court-usable
Oxygen Forensic Suite
- Popular tool with European law enforcement agencies
- Extracts all possible information
  - Phone/SIM card data
  - Contact list, caller groups, speed dials
  - All calls sent/received/missed
  - SMS, calendar events, text notes
- Can tap into LifeBlog and geotagging in Nokia Symbian OS phones
EnCase Neutrino
- Extension of the company's PC forensic software
- Claims to have the only extensively tested signal blocking technology
- Data acquisition starts with the SIM card first, then searches the phone itself
- Easily returns device serial number, cell tower location, and manufacturer information

- Avoid detection of events
- Disrupt collection of information
- Increase time spent on case
Attacking Data
- Data wiping
  - Overwrite erased disk space with random data
  - Many commercial tools do not do this properly and leave some of the original data
- Data hiding
  - Encryption
  - Using anonymous web storage
  - Steganography: embedding data into another digital form (images, videos)
- Data corruption
  - Aims to stop the acquisition of evidentiary data
Attacking Forensics Tools
- Aims to make examination results unreliable in court
- Manipulate essential information
  - Hashes
  - Timestamps
  - File signatures
- Compression bomb
  - Compress data hundreds of times
  - Causes the analyzing computer to crash trying to decompress it
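Two of the attacks on this slide have cheap countermeasures in the tooling itself, and the added example below (written for these notes, not from the original slides or any vendor tool) shows both: a file-signature check that flags a file whose leading bytes disagree with its extension, so a renamed file is caught rather than misclassified, and a bounded inflater that stops a compression bomb by refusing to produce more output than a stated budget instead of decompressing until memory runs out. The signature table and the sample blobs are constructed for the example; the bomb is a zlib stream of zeros, and the same budget would be applied again to each inner layer of a nested bomb.

```python
import os
import zlib

# Leading bytes each extension is expected to carry (constructed table; these are
# the real signatures, but a production tool would use a much larger list).
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
    ".zip": [b"PK\x03\x04"],
    ".docx": [b"PK\x03\x04"],
}


def identify(data):
    """Extension whose signature the data actually carries, or None if unknown."""
    for ext, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def signature_matches(name, data):
    """True/False when the extension has a rule; None when it does not."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    if expected is None:
        return None
    return any(data.startswith(m) for m in expected)


def bounded_decompress(blob, max_out):
    """Inflate a zlib stream but never hold more than max_out bytes of output.

    decompressobj.decompress(data, max_length) caps the output of one call and
    parks the unread input in unconsumed_tail, so the loop can stop the moment
    the budget is exceeded, however small the compressed input is.
    """
    d = zlib.decompressobj()
    out = bytearray()
    data = blob
    while data:
        budget = max_out - len(out) + 1          # one extra byte makes overflow visible
        out += d.decompress(data, budget)
        if len(out) > max_out:
            raise ValueError(f"output exceeds {max_out} bytes; treating as a compression bomb")
        data = d.unconsumed_tail
    out += d.flush()                             # only the small pending remainder
    if len(out) > max_out:
        raise ValueError(f"output exceeds {max_out} bytes; treating as a compression bomb")
    return bytes(out)


def is_compression_bomb(blob, max_out):
    """Convenience wrapper: True if inflating blob would exceed max_out bytes."""
    try:
        bounded_decompress(blob, max_out)
    except ValueError:
        return True
    return False


def sample_blobs():
    """Constructed inputs: a small legitimate stream and a 20 MiB-of-zeros bomb."""
    normal = zlib.compress(b"hello evidence " * 100)
    bomb = zlib.compress(b"\x00" * (20 * 1024 * 1024), 9)
    return normal, bomb


if __name__ == "__main__":
    print(signature_matches("holiday.jpg", b"PK\x03\x04 renamed archive"),
          identify(b"PK\x03\x04 renamed archive"))
    normal, bomb = sample_blobs()
    print(len(bomb), "compressed bytes;", "bomb" if is_compression_bomb(bomb, 1_000_000) else "ok")
```

`signature_matches` returning None rather than False for extensions without a rule keeps "no rule" distinct from "mismatch", so a triage script can report the two separately. The budget in `bounded_decompress` is an absolute output size, which is the property a bomb attacks; an expansion-ratio limit is a common complement but would not by itself stop a large, genuinely compressible file.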
Attack the Investigator
- Exhaust the investigator's time and resources
  - Leave large amounts of useless data on hard drives
  - Cases that take too long are more likely to be dropped

- Data forensics attempts to capture and analyze data for use in court proceedings
- Techniques involve traditional data recovery along with live acquisition of volatile data
- Relatively new field, with more research needed for databases, mobile devices, and virtual machines
- Analysis techniques will need to evolve as cyber criminals develop more sophisticated ways to hide their actions