SIMULTANEOUS DISK IMAGING USING OPEN-SOURCE TOOLS FOR DIGITAL FORENSIC

Presented by:

IBRAHIM YUSOF SAUFI BUKHARI

WHAT IS DIGITAL FORENSIC?
• Branch of forensic science which involves forensic investigation of digital materials
• Objectives:
– Explain the current state of a digital artifact (registries, storage, documents, packets)
– Analyze the information inside digital artifacts to be used as digital evidence
– Recover deleted or lost information
– Analyze how the system was compromised

BASIC STEPS IN DIGITAL FORENSIC
Identification: identify the system that will be investigated

Presentation and decision: present the result of analysis for decision making

Preservation: isolate and secure the system to prevent further damage or modification

Examination and analysis: examine digital evidence to discover specific evidence

Collection: obtain digital evidence using disk imaging technique

WHAT IS DISK IMAGING?
• Process of duplicating a hard disk drive or other storage device sector by sector rather than as separate files
• Operates below the file-system layer (NTFS, Ext2, Ext3)
• Preserves the content, structure, and accounting of the files
• Allows compression and archiving of the image file to save storage space

APPLICABLE DISK IMAGING TOOLS
• Commercial software:
– AccessData Forensic Tool Kit (FTK) Imager
– Guidance Software EnCase

• Open-source software:
– dd: originally developed for UNIX/Linux systems, now available for other OSs such as Windows
– dcfldd: enhanced version of dd developed by the U.S. Department of Defense Computer Forensics Lab, with integrity verification capability
– dd_rescue & GNU ddrescue: other enhanced versions of dd with intelligent error recovery
– aimage: Advanced Forensic Format (AFF) imaging tool with intelligent error recovery, compression and verification

WHY USE OPEN-SOURCE TOOLS?
• Advantages:
– Save cost
– Can be shared and customized freely

• Disadvantages:
– Require expertise to configure and use
– Most of them do not offer a graphical user interface (GUI) to ease use
  • Require execution of raw disk imaging commands
  • Example:
    dcfldd if=/dev/hda of=/media/disk bs=32K hash=md5 md5log=/media/disk/md5log.txt

FORENSIC DISK IMAGING
• Adopts normal disk imaging functionalities
• Advanced functionalities:
– Integrity verification (checksum and hashing)
– Metadata (details about data) preservation
– Imaging logs generation

• Must satisfy digital forensic requirements for disk imaging:
– The tool shall not alter the original
– The tool shall perform imaging even if there are I/O errors
– The tool shall compute hash or checksum values and perform verification
– The tool shall produce accurate and correct documentation

• Drawback: slower imaging process than normal imaging

THE EFFECTS OF ADVANCED FUNCTIONALITIES ON IMAGING SPEED

Chart: imaging speed of normal vs. forensic imaging (only the series labels "Normal" and "Forensic" survive from the figure)

WHY USE FORENSIC DISK IMAGING?
• Prepares an exact duplicate of the digital evidence for analysis
• Avoids performing analysis on the original digital evidence, to prevent damage or modification
• Allows the original digital evidence to be duplicated an unlimited number of times

BEST TOOLS FOR FORENSIC DISK IMAGING
• dcfldd
– On-the-fly hashing (hashing is performed during data transfer from source to destination)
– Image verification and splitting
– Logs generation into external applications

• aimage
– Image verification, compression, and archiving
– Hashing (sha1, md5, sha256)
– Metadata preservation
– Logs generation

HOW TO PERFORM DISK IMAGING?
• Preparations:
– Source hard disk or other storage device attached to the target system
– Destination hard disk (USB-attachable external hard disk), much larger than the source hard disk
– Live CD (Linux): contains the disk imaging tool and digital forensic analysis utilities

CONTINUED…
• Hardware setup:

Figure 1: Illustration of hardware setup

CONTINUED…
• Hands on execution:
– Execute imaging command in Linux terminal (as shown below)

Figure 2: Sample of dcfldd execution

SIMULTANEOUS DISK IMAGING
• Simultaneous disk imaging: multiple disk imaging executions done at the same time
• WHY?
– Many server computers have more than one hard disk
– To simplify the job of the user when imaging multiple hard disks
– Time utilization: the user doesn't have to wait for the current imaging process to complete in order to execute the next imaging process

CONTINUED…
• HOW?
– Use the existing functionality of the Linux OS which allows multiple commands to be executed
– Examples:
  • command1 & command2;
  • command1 ; command2;

• PROBLEM: long and complicated command to execute
• SOLUTION: use of a graphical user interface (GUI) to generate the command automatically
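As an added example (not from the slides or the AFF Imager project), the following POSIX shell functions do what the GUI does for the user: they generate one simultaneous imaging command line from a list of source/destination pairs, using dcfldd with on-the-fly MD5 hashing, error-tolerant reads and a log per job, joining the jobs with & so they start together (a ; would run them one after the other) and ending with wait so the shell returns only when every job is done. The device names and mount points are placeholders, and the many-to-one and many-to-many inputs are constructed.

```shell
#!/bin/sh
# Added example: builds the "simultaneous imaging" command line that the GUI
# described above generates for the user. Devices and paths are placeholders.

# One forensic imaging job: raw image, on-the-fly MD5 written to a log file,
# reads that continue past I/O errors (conv=noerror,sync pads bad blocks),
# and dcfldd's own console output captured in a per-job log.
imaging_job() {
    src=$1; dst=$2; label=$3
    printf 'dcfldd if=%s of=%s/%s.dd bs=32K conv=noerror,sync hash=md5 md5log=%s/%s.md5 >%s/%s.log 2>&1' \
        "$src" "$dst" "$label" "$dst" "$label" "$dst" "$label"
}

# Reads "source destination-dir label" lines from stdin and joins the jobs
# with "&" so they run at the same time; "wait" blocks until all finish.
simultaneous_cmd() {
    cmd=""
    while read -r src dst label; do
        [ -z "$src" ] && continue
        job=$(imaging_job "$src" "$dst" "$label")
        if [ -n "$cmd" ]; then cmd="$cmd & $job"; else cmd=$job; fi
    done
    printf '%s & wait\n' "$cmd"
}

# Many-to-one mode (constructed input): two sources into one destination disk.
MANY_TO_ONE='/dev/sdb /mnt/evidence disk1
/dev/sdc /mnt/evidence disk2'

# Many-to-many mode (constructed input): each source to its own destination disk.
MANY_TO_MANY='/dev/sdb /mnt/evidence1 disk1
/dev/sdc /mnt/evidence2 disk2'

many_to_one_cmd()  { printf '%s\n' "$MANY_TO_ONE"  | simultaneous_cmd; }
many_to_many_cmd() { printf '%s\n' "$MANY_TO_MANY" | simultaneous_cmd; }

# Print both generated command lines for inspection before running them.
many_to_one_cmd
many_to_many_cmd
```

The generated line is only printed; the operator reviews it (source devices, destination mount points) before executing it on the live CD.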

OUR GRAPHICAL USER INTERFACE (GUI) OVERVIEW – (AFF) Imager 1.0.x
• Based on AIR (Automated Image and Restore): GUI front-end to dd/dc3dd created by Steve Gibson
• Written in Perl/Tk
• Currently developed specifically for Linux (SUSE 10.2)
• Allows two imaging processes to be executed at once
• No memorization of long and complicated commands required
• Collaboration with aimage (AFF disk imaging tool)
• WHY we chose aimage? Its functionalities best meet current digital forensic requirements

Screenshot of the GUI with callouts: dual source and destination browser; imaging options tab (checkbox based); Start button; Stop button

DIFFERENT MODES OF SIMULTANEOUS DISK IMAGING
• Many to one: multiple source hard disks imaged and stored onto one destination hard disk

Figure 3: Many to one mode illustration

CONTINUED…
• Many to many: multiple source hard disks imaged and stored onto multiple destination hard disks

Figure 4: Many to many mode illustration

MANY TO ONE vs. MANY TO MANY

Figure 5: Average imaging rate comparison of simultaneous disk imaging modes (normal mode)

CONCLUSIONS
• In forensic disk imaging, integrity and accuracy are more important than speed
• Open-source disk imaging tools can be very reliable with additional improvements (e.g. a GUI)
• The use of a graphical user interface (GUI) simplifies the imaging process significantly
• Simultaneous imaging (many to many) is another way to simplify the imaging process and save imaging time
– Requires additional storage devices to perform best

THANK YOU FOR YOUR ATTENTION…

Q&A
