Methods and Instruments for the New Digital Forensics Environments
Ph.D. thesis presentation
Mario Piccinelli
Ph.D. Candidate in Computer Sciences, University of Brescia, Dept. of Information Engineering
April 10, 2014

Digital Forensics
Branch of forensic science that studies the identification, extraction and analysis of digital data for use in a court of law.

From Computer Forensics...
In the beginning (from the 80s until now) it was all about (Personal) Computers.
They were all (almost) alike, and there were plenty of standard tools.

...to Digital Forensics
In the last 5-10 years everything began to store digital data.

A variegated World

Digital Forensics in the Wild
Field skills:
• Acquisition
• Analysis
• Reporting
• Evidence handling
• Use of specific tools
• ...

Digital Forensics Research
Theoretical knowledge:
• Cryptography
• Filesystem structures
• Communication protocols
• ...

Research topics
iPhone Forensics, eBook Reader Forensics, Voyage Data Recorder Forensics.
What do these devices have in common?
• Modern devices which contain digital data
• Their data could be required during an investigation
• No consolidated literature about them
The rationale behind this thesis is the ever-growing need to perform digital investigations on devices and systems that have not yet been studied from this point of view.

iOS Forensics
What can we find in an iOS device and how can we bring it to a court...

iOS Forensics: why?
Mobile and tablet worldwide market share of operating system usage for November 2013. Net Market Share collects browser data from a worldwide network of over 40,000 websites. (Credit: Net Market Share)

iOS Forensics: issues
There is no simple way to extract data from an iOS device.
No easy way to access its contents without jailbreaking (which, by the way, we can’t).
Encrypted filesystem (HFS+).
Does not share anything with the rest of the world.
No debug interfaces.
Easiest way to peek inside the filesystem: the backup system.

iOS Backup Feature

iOS Forensics: the backup
Backup folders (device ID)
Manifest files
Everything else...

iOS Forensics: decoding the backup (manifest.mbdb)

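As an added illustration of what "decoding the backup" involves (this is example code, not the slides' own material and not iPBA2's code), the following Python walks the records of a manifest.mbdb file. The record layout (five length-prefixed strings, a fixed block of big-endian integers, then property pairs) and the rule that each backup file is named after SHA-1("domain-path") are assumed here from public descriptions of the iOS 4+ backup format, not stated on the slides. The blob it parses is constructed inside the block, so it runs offline.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Layout of one manifest.mbdb record, assumed from public descriptions of the
# format (not from the slides): five length-prefixed strings, a fixed block of
# big-endian integers, then numprops (name, value) string pairs.
MBDB_MAGIC = b"mbdb\x05\x00"
FIXED_PART = ">HQIIIIIQBB"  # mode, inode, uid, gid, mtime, atime, ctime, size, flag, numprops
STRING_FIELDS = ("domain", "path", "link_target", "data_hash", "enc_key")
ABSENT = 0xFFFF  # length value meaning "no string at all"


def _put_str(value):
    """Encode one length-prefixed string (None -> absent marker)."""
    if value is None:
        return struct.pack(">H", ABSENT)
    raw = value.encode("utf-8") if isinstance(value, str) else value
    return struct.pack(">H", len(raw)) + raw


def _get_str(buf, off):
    """Decode one length-prefixed string; returns (bytes_or_None, new_offset)."""
    (length,) = struct.unpack_from(">H", buf, off)
    off += 2
    if length == ABSENT:
        return None, off
    if off + length > len(buf):
        raise ValueError("truncated string at offset %d" % off)
    return bytes(buf[off:off + length]), off + length


def build_mbdb(records):
    """Serialise constructed records into an mbdb blob. Used here only to
    produce sample input; a real case starts from the Manifest.mbdb file."""
    out = bytearray(MBDB_MAGIC)
    for rec in records:
        for name in STRING_FIELDS:
            out += _put_str(rec.get(name))
        props = rec.get("props", [])
        out += struct.pack(FIXED_PART, rec["mode"], rec.get("inode", 0),
                           rec.get("uid", 501), rec.get("gid", 501),
                           rec["mtime"], rec.get("atime", rec["mtime"]),
                           rec.get("ctime", rec["mtime"]), rec.get("size", 0),
                           rec.get("flag", 0), len(props))
        for key, val in props:
            out += _put_str(key) + _put_str(val)
    return bytes(out)


def parse_mbdb(buf):
    """Walk every record in an mbdb blob and return a list of dicts."""
    if buf[:6] != MBDB_MAGIC:
        raise ValueError("not an mbdb file")
    off, entries = 6, []
    while off < len(buf):
        rec = {}
        for name in STRING_FIELDS:
            rec[name], off = _get_str(buf, off)
        (mode, inode, uid, gid, mtime, atime, ctime, size, flag, nprops) = \
            struct.unpack_from(FIXED_PART, buf, off)
        off += struct.calcsize(FIXED_PART)
        props = {}
        for _ in range(nprops):
            key, off = _get_str(buf, off)
            val, off = _get_str(buf, off)
            props[key] = val
        domain = rec["domain"].decode("utf-8")
        path = rec["path"].decode("utf-8")
        # File type lives in the top bits of the Unix mode word.
        kind = {0o040000: "dir", 0o100000: "file",
                0o120000: "symlink"}.get(mode & 0o170000, "other")
        rec.update(domain=domain, path=path, mode=mode, kind=kind, inode=inode,
                   uid=uid, gid=gid, size=size, flag=flag, props=props,
                   mtime_utc=datetime.fromtimestamp(mtime, tz=timezone.utc),
                   # Files in the backup folder are named after SHA-1("domain-path").
                   backup_name=hashlib.sha1(
                       f"{domain}-{path}".encode("utf-8")).hexdigest())
        entries.append(rec)
    return entries


# Constructed sample (not a real backup): a directory entry and the SMS database.
SAMPLE_RECORDS = [
    {"domain": "HomeDomain", "path": "Library/SMS", "mode": 0o040755,
     "mtime": 1_300_000_000},
    {"domain": "HomeDomain", "path": "Library/SMS/sms.db", "mode": 0o100644,
     "mtime": 1_300_003_600, "size": 65536, "data_hash": b"\x00" * 20},
]


def demo():
    """Parse the constructed blob and list each entry as a backup-file name."""
    entries = parse_mbdb(build_mbdb(SAMPLE_RECORDS))
    for e in entries:
        print(f'{e["backup_name"]}  {e["kind"]:7} {e["size"]:8d}  '
              f'{e["mtime_utc"]:%Y-%m-%d %H:%M:%S}  {e["domain"]}-{e["path"]}')
    return entries


if __name__ == "__main__":
    demo()
```

The point for an examiner is the last column: the backup folder itself contains only hash-named files, so the manifest is the only way to map a name such as `3d0d7e5f…` back to a domain and path and to the mode and timestamps that describe it.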
iOS Forensics: hierarchy
Backup files are organized in a hierarchy, the first level of it being the «Domain»:
• Media domain: media files, MMS attachments, ...
• Keychain domain: account data and encrypted passwords, ...
• Home domain: data for standard apps (contacts, mail client, calendars, ...)
• Wireless domain: data about the telephone system (call logs, connection logs, ...)
• ...

iOS Forensics: file types
PLIST files (plain text and binary), SQLite files, ASCII files, data files, media files.

iOS Forensics: apps data
Installed applications’ data is stored in the «Apps» domain (for third-party applications) or in the «Home» domain (for standard ones). The hierarchy of each application’s folder follows a standard structure.
Strong integration with WebKit offline storage.

iOS Forensics: sample data
Sample application data: SMS application.

iOS Forensics: sample data
Location data (prior to iOS 5).

iOS Forensics: sample data
Thumbnails: generated from the media gallery for fast visualization.

iOS Forensics: sample data
Address book data (Home domain).
Knowing about the data location and structure is the first step.
Next step: making it easily usable for the ones who need it.

iOS Forensics: iPBA2
iPBA2 is a tool developed to study the backup content and make it easier to understand for practitioners.
Right now it is the only complete open source suite for analysing iOS backup data, and it is used by both researchers and practitioners from all over the world.
http://www.ipbackupanalyzer.com

iPBA2 framework plugins

eBook Reader Forensics
Why an eBook reader is not worthless in a forensics context…

eBook Reader Forensics: why?
• Because it is a widely used digital device.
• Because it holds digital data.
• Because no piece of data can be deemed «worthless» in advance during an investigation.
• Because almost any practitioner says it’s worthless… which, by the way, it’s not.
Locard’s exchange principle
"Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. […]"

Forensic profiling
Forensic profiling refers to the study and exploitation of traces in order to draw a profile relevant to the investigation of criminal or litigious activities.
While traces may not be strictly dedicated to court use, they may increase knowledge of the subject under investigation.

eBook Forensics: a sample device
For our research, we chose a widely available modern device, the PRS-650 by Sony. Of course, many of our results can probably be achieved, after further studies, also with different devices from different vendors.
• E-paper display (6 inches, 800x600).
• Resistive touchscreen.
• 5 buttons.
• MontaVista Linux.
• 2GB internal flash memory.
• Removable SDHC and Memory Stick PRO Duo.

eBook Reader Forensics: what’s inside?
Books, documents, images, audio files.
Annotations. Current position of documents. Bookmarks. Notes (written and audio). Dictionary lookups. Last reading of a document. Pages read for each document.
Everything has a timestamp!

eBook Forensics: sample data
We can access the main storage through the USB mass storage interface.
For the whole device...
For each document…

eBook Forensics: sample data
Freehand annotations («Thumbnails» folder).

eBook Forensics: sample data
For each document:
• current position (page)
• timestamp of the last access

eBook Forensics: sample data
For each document:
• History of the last 100 page turns, with page number and timestamp.

eBook Forensics: collecting data
To perform the analysis, we built a Python script which parses cache.xml, media.xml and cacheExt.xml and builds a graph of the interactions between the user and the device.
The script extracts the timestamps and produces a data file with all the timestamps found, to be plotted on a timeline.
http://github.com/PicciMario/Sony-Ebook-Reader-Time-Profiler

eBook Forensics: sample results
eBook reader usage in a two-month time span.
• X axis: time
• Y axis: ID of the document involved

eBook Forensics: sample results
Usage of the reader in a ten-minute span, for a single book.
• X axis: time

eBook Forensics: conclusions
Virtually every action performed on the device is logged.
It is possible to build a forensically sound timeline.
The evidence gathered this way could be used in court to:
◦ Draw a behavioural profile of a suspected offender.
◦ Support or deny an alibi.
◦ Provide additional useful information about the owner.

Voyage Data Recorder Forensics
Digital data in a naval accident

What does a Computer Forensics expert do on a modern ship?
So many digital devices!

Digital devices at sea
GPS, ship automation, echo sounder, compass, NAPA, radar.
And much more...

Voyage Data Recorder
The Voyage Data Recorder (VDR) is a mandatory device for all medium-to-large modern ships. Its job is to keep a record of ship data to be used in an accident investigation.
• Position, speed, heading
• Date and time
• Radar plot
• Audio from bridge and VHF
• Sonar depth
• Hull openings (watertight doors, fire doors)
• Rudder position, propeller speed
• Weather station data (wind, ...)
• Onboard alarms
• ...

VDR Forensics: data sources
Data collecting unit: an industrial computer which collects all data and temporarily stores it on a magnetic disk.
Final Recording Medium: a rugged box containing a solid-state memory, designed to survive a catastrophic accident and be recovered for further investigation.

VDR Forensics: the Costa Concordia shipwreck case

VDR Forensics
Starting point: the complete copy of the internal disk of the data collecting unit.
No previous knowledge (all proprietary data).

VDR Forensics
Analysis of the disk structure: partition scheme, mounting the partition, partition content.

VDR Forensics
Analysis of the disk content: the «frame» directory (unknown data files).

VDR Forensics
Extraction of an image from the data file.

VDR Forensics
The same goes for the «NMEA» directory: ~800 MB of ASCII data in NMEA format.

VDR Forensics: NMEA protocol
NMEA 0183 is a data exchange protocol used primarily in the navigation field. It is the preferred way to exchange data between navigational aids.
NMEA sentence:
$PREFIX,data0,data1,…,dataN*CHECKSUM
• $: starting character.
• PREFIX: origin and type of data
  • First 2 characters: originating device
  • Other 3 characters: type of sentence
• Checksum: two hex digits, the XOR of every character between «$» and «*».
NMEA sentences are standard, but vendors are allowed to add custom ones for specific purposes.

VDR Forensics
Timestamp: Unix time
4F 10 88 90 (hex) = 1’326’483’600 (dec) = Jan 13, 2012 @ 19:40:00 UTC = Jan 13, 2012 @ 20:40:00 local time (UTC+1)

VDR Forensics
Example of standard sentence: $RAZDA,194001.00,13,01,2012,-01,*41
• RA: origin (radar)
• ZDA: date and time
• 194001.00: time
• 13,01,2012: date
• -01: difference between local time and UTC
• *41: checksum

VDR Forensics
Example of non-standard sentence: $PSWTD,07,C----,*34
• P: non-standard prefix
• S: vendor (Seanet)
• WTD: watertight doors
• 07: door number
• C----: door status (closed, no warnings)
• *34: checksum

VDR Forensics
Once we were able to recover the raw data, we proceeded to work on it to:
• Understand the meaning of the standard and non-standard elements.
• Understand the relative importance of each element.
• Build tools to parse the data and report the results in a useful format.

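The parsing step described above, as an added example that is not the thesis' own tool: this Python verifies the NMEA checksum the way the slides define it, splits the prefix into originating device and sentence type, decodes the ZDA date/time sentence from the slides and converts the hex Unix timestamp shown earlier. The watertight-door sentence is constructed here with its checksum computed by the block (it is not the slide's `*34` sample), and `decode_wtd` follows only the field meaning the slides give; the sign convention for the ZDA zone field is taken from the slides' example (-01 meaning local time UTC+1), not from the NMEA specification.

```python
from datetime import datetime, timedelta, timezone


def nmea_checksum(body):
    """XOR of every character between '$' and '*', as used by NMEA 0183."""
    value = 0
    for ch in body:
        value ^= ord(ch)
    return value


def build_sentence(body):
    """Append the '*hh' checksum to a body (used below to construct a sample)."""
    return "$%s*%02X" % (body, nmea_checksum(body))


def parse_sentence(line):
    """Split a sentence into prefix and fields and verify its checksum.

    Prefix handling follows the slides: the first two characters are the
    originating device, the rest is the sentence type; a prefix starting
    with 'P' is vendor-specific.
    """
    line = line.strip()
    if not line.startswith("$"):
        raise ValueError("sentence must start with '$'")
    body, star, given = line[1:].partition("*")
    if star != "*" or len(given) != 2:
        raise ValueError("missing or malformed checksum")
    fields = body.split(",")
    prefix = fields[0]
    return {
        "talker": prefix[:2],
        "type": prefix[2:],
        "proprietary": prefix.startswith("P"),
        "fields": fields[1:],
        "checksum_ok": nmea_checksum(body) == int(given, 16),
    }


def decode_zda(fields):
    """ZDA fields: hhmmss.ss, day, month, year, zone hours, zone minutes.

    Returns (utc, local). The zone sign follows the slides' example, where
    -01 corresponds to local time UTC+1, i.e. local = utc - zone.
    """
    hms, day, month, year, zone_h = fields[:5]
    zone_m = fields[5] if len(fields) > 5 and fields[5] else "0"
    hh, mm = int(hms[0:2]), int(hms[2:4])
    seconds = float(hms[4:])
    utc = datetime(int(year), int(month), int(day), hh, mm, int(seconds),
                   int(round((seconds % 1) * 1_000_000)), tzinfo=timezone.utc)
    sign = -1 if zone_h.strip().startswith("-") else 1
    offset = timedelta(hours=abs(int(zone_h)), minutes=int(zone_m)) * sign
    return utc, utc - offset


def decode_wtd(fields):
    """PSWTD as described on the slides: door number, then a status string
    whose first letter is the door state ('C' closed)."""
    door, status = fields[0], fields[1]
    return {"door": int(door), "closed": status.startswith("C"), "status": status}


def unix_hex_to_utc(hex_ts):
    """Decode a big-endian hex Unix timestamp as found in the VDR data."""
    seconds = int(hex_ts.replace(" ", ""), 16)
    return seconds, datetime.fromtimestamp(seconds, tz=timezone.utc)


# Sample input: the ZDA sentence from the slides plus a constructed
# watertight-door sentence whose checksum is computed by build_sentence.
SAMPLE_LINES = [
    "$RAZDA,194001.00,13,01,2012,-01,*41",
    build_sentence("PSWTD,07,C----,"),
]


def demo():
    """Parse the sample lines; returns a list of (line, decoded) pairs."""
    results = []
    for line in SAMPLE_LINES:
        rec = parse_sentence(line)
        if not rec["checksum_ok"]:
            results.append((line, "BAD CHECKSUM"))  # never trust a corrupt record
            continue
        if rec["type"] == "ZDA":
            utc, local = decode_zda(rec["fields"])
            results.append((line, f"{utc:%Y-%m-%d %H:%M:%S} UTC / {local:%H:%M:%S} local"))
        elif rec["proprietary"] and rec["type"] == "WTD":
            results.append((line, decode_wtd(rec["fields"])))
        else:
            results.append((line, "unhandled %s" % rec["type"]))
    for line, info in results:
        print(line, "->", info)
    return results


if __name__ == "__main__":
    demo()
    print(unix_hex_to_utc("4F 10 88 90"))
```

Checksum verification matters more than it looks in a recovered disk image: the NMEA directory was reassembled from raw files, so a record that fails its XOR check should be flagged rather than silently plotted on the timeline.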
VDR Forensics: sample data analysis
Position of the rudders (order and response) before and during the accident.

VDR Forensics: sample data analysis
Evolution of the watertight doors (WTD) status.
Why does the last signal we have for door 8 read ‘O’ (open)?

VDR Forensics: sample data analysis
Trackpilot settings on both the radar stations.

VDR Forensics: sample data analysis
Interactive data replay tool.

VDR Forensics: sample data analysis
Ship position and heading.

VDR Forensics: sample data analysis
Simulation of the impact from position and heading data.

VDR Forensics
The steps we described relate to this specific VDR model, but they also show a general approach which could probably be applied, with further studies, to any other model and vendor.
The analysis of VDR data is of course easy to perform with the vendor's closed, proprietary software, but we were the first to publish a forensically sound approach.

Mario Piccinelli
Methods and Instruments for the New Digital Forensics Environments
Thanks for listening!
PS: any questions?