Disk Image Forensics Part I - PowerPoint Presentation

Uploaded On 2019-12-17


Presentation Transcript

Disk Image Forensics Part I
“I don’t know how that got on my computer”

Overview
- Disk Image Forensics Introduction
- Partitioning and Disk Layout
  - Volumes
  - Partitions and Partition Schemes
  - RAID
- Special Containers
  - Virtual Machine Disk Images
  - Forensic Containers
- File Systems
- Hashing
- Sleuthkit
- Disk Imaging (Practice Problem)
  - Creating Images
  - Copying Images
  - Hashing

Introduction: Types of Storage Media
- Magnetic
- Non-volatile (flash)
- Optical
What is a disk image?
- A bit-for-bit (full disk) copy of storage media that is independent of the OS residing on any particular disk or partition

Introduction: Why do we create disk images?
- To ensure that disk information is not inadvertently changed during analysis.
- By imaging the original disk and then storing the original away, forensic test results can be reproduced by repeating the analysis methods exactly against a faithful copy of the original evidence.
- Disk imaging captures information invisible to the operating system in use (e.g. hidden partitions, ext3 partitions on a Windows machine, etc.)

Introduction: Purposes of Disk Image Forensics
- Recover lost data
- Acquire artifacts
- Preserve evidence

A Note On Storage Media Types: Magnetic
Hard Disks
- Smallest addressable unit is a sector (historically 512 bytes)
- Significant source of evidence
- Unallocated space is usually not overwritten, making it possible to recover deleted files
Tapes
- Once tape archive files have been written, an End Of Data marker is also written to the tape. This tells the drive that the end of the tape data has been reached and prevents it from reading any further.
- Any data beyond this point is of interest to the forensic analyst because it may contain data from previous tape writes
- Special equipment is needed to read the extra data

A Note On Storage Media Types: Non-Volatile Storage
Solid State Drives
- Data is stored in an array of memory cells, and a layer of abstraction, the Flash Translation Layer (FTL), makes the drive behave as a linear sequence of sectors, similar to a hard disk
- The memory in SSD/flash drives doesn’t have the same longevity as the magnetic platters in hard disks
- Wear leveling - the mechanism used to distribute reads and writes across the drive, ensuring blocks are evenly used during the lifetime of the drive
- Over-provisioning - as blocks deteriorate or become unwritable, they’re removed from use by the FTL and replaced with blocks from a pool of reserved (over-provisioned) blocks. These “retired” blocks can still be read by removing (desoldering) the physical chips and reading out the memory. Some professional forensic laboratories perform this process, sometimes called chip-off, for various flash-based storage.
- SSD devices and OSes that support the ATA TRIM command can cause the erasure of unallocated disk blocks in preparation for the next use (SSD blocks must be erased before they can be written to or modified). This reduces the potential recovery of data from unallocated blocks, which are typically a valuable source of evidence on magnetic disks.

A Note On Storage Media Types: Non-Volatile Storage
USB
- Their small size and large capacity make them an information security risk
- Encryption is more likely to be an issue for a forensic analyst, though many times USB drives will not be encrypted
Removable Memory Cards
- More popular now that mobile phones are widespread
- Usually flash storage

A Note On Storage Media Types: Optical Storage Media
CD
- Types: CD-ROM, CD-R, CD-RW, other obscure extensions
- Information about detecting piracy from the physical characteristics of CDs: http://www.ifpi.org/content/library/manual-of-guidance-chap3-english.pdf
- May contain filesystems
DVD
- Types: DVD-ROM, DVD-Video, DVD-R, DVD-RW, DVD-RAM
Blu-ray
- Types: BD-ROM, BD-R, BD-RE, BD-XL

A Note On Storage Media Types: Interfaces
- Serial ATA (SATA) - most hard disks, SSDs, and optical drives
- eSATA - allows you to attach external SATA disks
- mSATA - smaller form factor
- M.2 - advanced form factor; it can use either AHCI/SATA or NVMHCI/NVMe (if you are imaging one of these you will need to know which interface/mode it is using)
- Others: SAS, SCSI (parallel), Fibre Channel
Modes
- AHCI - Advanced Host Controller Interface. Serial point-to-point connection, as opposed to parallel
- IDE (legacy OS) - IDE mode is the simplest mode. In IDE mode the hard drive is set to run as an IDE or Parallel ATA (PATA) hard drive. A hard drive in IDE mode has the fewest available features and, in general, performs more slowly.

Partitioning and Disk Layout: Terms
- Physical Disk - the physical storage disk, which can be further divided into logical disks
- Logical Disk (Drive) - virtual space allocated within a drive (e.g. C:\ drive, D:\ drive)
- Block - a unit storing contiguous data (usually 512 bytes)
- Logical Block - represents contiguous logical data but may be physically stored across drives
- Volume - a set of addressable sectors used for storage; unlike a partition, it can span multiple devices
- Partition - a collection of consecutive sectors on a device
- Partition Table - identifies the start and end of each partition. It can be falsified; the “sigfind” tool can be used to recover missing and deleted partitions, and “TestDisk” can be used to recover partitions in case of a corrupted disk or intentional tampering
- Partition Scheme - defines how information is structured on a partition and how partitions are structured. Two major schemes: MBR (master boot record) and GPT (GUID partition table)

Partitioning and Disk Layout: Partition Schemes
MBR (master boot record; DOS partition table)
- Boot sector is located at the beginning of the drive
- Only works with disks up to 2TB in size
- Max 4 primary partitions; an extended partition has to be created to allow more partitions
- Older OSes may only support this type of scheme
GPT (GUID partition table)
- Every partition has a GUID
- Partition size limits depend on the OS (Windows allows 128)
- Nearly unlimited number of partitions

Partitioning and Disk Layout: Linux disk image creation and management
- dd - create randomized blobs of data or a blob of data full of zeroes
- parted - create partition schemes using mklabel; create partitions using mkpart
- mkfs.* - create a file system
- mount -o loop,offset=<some_offset>, or losetup and then mount

Partitioning and Disk Layout: Linux disk image creation and management
- man - read the man pages; it might be faster than Google
- Useful files: /dev/zero, /dev/random, /dev/null (for when you don’t want to see your output ;)
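As an added example, not part of the slides, the script below writes a constructed MBR (one NTFS-typed entry at LBA 2048, 4096 sectors long; the values are made up) and decodes the partition table by hand, the same volume-layer information mmls or parted would report. The decoded start LBA times the 512-byte sector size is the value mount -o loop,offset= (or losetup -o) needs, and an image without the 0x55AA signature is refused rather than decoded, which is the situation where sigfind or TestDisk come in.

```shell
#!/bin/sh
# Added example (not from the slides): build a constructed 512-byte MBR and
# decode its partition table by hand.

# Write a sample MBR to $1: entry 0 is type 0x07 (NTFS), start LBA 2048,
# 4096 sectors; entries 1-3 stay empty. Values are constructed for the demo.
mbr_make_sample() {
  out=$1
  dd if=/dev/zero of="$out" bs=512 count=1 2>/dev/null
  # 16-byte entry: status, CHS start (3), type, CHS end (3),
  # start LBA (4, little-endian), sector count (4, little-endian).
  printf '\000\000\000\000\007\000\000\000\000\010\000\000\000\020\000\000' \
    | dd of="$out" bs=1 seek=446 conv=notrunc 2>/dev/null
  # Boot signature 0x55 0xAA at bytes 510-511.
  printf '\125\252' | dd of="$out" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Assemble a 32-bit little-endian value from four decimal byte values.
le32() { echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) )); }

# Decode partition entry $2 (0..3) of image $1 and print
# "type=0xNN start=<lba> sectors=<n> offset=<bytes>", where offset is the
# value to pass to "mount -o loop,offset=..." or "losetup -o ...".
mbr_entry() {
  img=$1
  off=$((446 + $2 * 16))
  # A table without the 0x55AA signature is missing or damaged: refuse it
  # rather than decode garbage (this is where sigfind/TestDisk come in).
  set -- $(od -An -tu1 -j 510 -N 2 "$img")
  [ "$1" = 85 ] && [ "$2" = 170 ] || { echo "no MBR signature in $img" >&2; return 1; }
  set -- $(od -An -tu1 -j "$off" -N 16 "$img")
  start=$(le32 "$9" "${10}" "${11}" "${12}")
  count=$(le32 "${13}" "${14}" "${15}" "${16}")
  printf 'type=0x%02x start=%d sectors=%d offset=%d\n' \
    "$5" "$start" "$count" $((start * 512))
}
```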

Partitioning and Disk Layout: RAID - Redundant Array of Independent Disks
- Becoming more common to see during a forensics investigation
- Tools exist to acquire and reconstruct RAID arrays
- Good reference: http://pyflag.sourceforge.net/Documentation/articles/raid/reconstruction.html

Partitioning and Disk Layout: Common RAID Levels
- RAID 0 (Striping) - combines two or more hard drives together and treats them as one large volume. For example, two 250GB drives combined in a RAID 0 configuration create a single 500GB volume. RAID 0 is used by those wanting the most speed out of two or more drives.
- RAID 1 (Mirroring) - mirroring creates an exact duplicate of a disk. Every time you write information to one drive, the exact same information is written to the other drive in your mirror. Important files (accounting, financial, personal records) are commonly backed up with a RAID 1.
- RAID 5 (Parity Striping) - your data is spread across all the drives in the RAID along with information that allows your data to be recovered in case of a single drive failure. At least three drives are required for RAID 5.
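As an added example, not from the slides, the script below rebuilds a RAID 0 volume from member images with dd and maps a volume byte offset back to the member disk that holds it; the member images, the 4-byte stripe size and the disk order are constructed inputs. Swapping the member order yields a scrambled volume, which is why stripe size and disk order have to be recovered before any file system on the array can be read.

```shell
#!/bin/sh
# Added example (not from the slides): RAID 0 stripe geometry with plain dd.
# The member images, stripe size and disk order are constructed inputs.

# Rebuild a RAID 0 volume into $1 from stripe size $2 and member images $3..,
# given in array order. Stripe i of the volume is stripe i of member 0, then
# stripe i of member 1, and so on. Assumes all members are the same size.
raid0_reassemble() {
  out=$1; stripe=$2; shift 2
  msize=$(wc -c < "$1")
  per_member=$(( msize / stripe ))
  : > "$out"
  i=0
  while [ "$i" -lt "$per_member" ]; do
    for m in "$@"; do
      dd if="$m" bs="$stripe" skip="$i" count=1 2>/dev/null >> "$out"
    done
    i=$((i + 1))
  done
}

# Map volume byte offset $1 (stripe size $2, $3 members) to
# "<member_index> <offset_within_member>": which physical disk holds a
# given logical block, and where on that disk.
raid0_locate() {
  s=$(( $1 / $2 ))                         # global stripe number
  echo "$(( s % $3 )) $(( (s / $3) * $2 + $1 % $2 ))"
}
```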

Special Containers: Virtual Machine Disk Images
- Virtual machines use these as the disks for a VM. The most common formats are VMDK, VDI, VHD and QCOW2
- VMDK - defined using a descriptor file that lists the file(s) making up that particular virtual disk, as well as the specifications of the “disk” being presented to the virtual machine. A disk is originally formed from the base file (or files, where the disk is created as a series of 2-GB split chunks). As users create snapshots of a virtual machine, files containing changes from the base image, called delta links, are created, along with a new descriptor file containing information about the base and delta files.
- AFFLib supports VMDK containers, and Sleuthkit will support them as well if built with AFF support

Special Containers: Forensic Containers
- Similar to other image formats, but can include things such as internal consistency checking, case information management, compression, and encryption
- We can store this kind of information alongside raw images, but with forensic containers it is part of the format

Special Containers: EWF/E01 (Expert Witness Format)
- Used by the EnCase forensic suite
- Not an open standard, and it has changed from one release to the next
- LibEWF supports all modern variants of image files generated by EnCase in this format
- This format supports compression and split files, and stores case metadata (including an MD5 and SHA1 hash of the acquired image) in a header data structure found in the first segment of the image file
- Succeeded by EWF2
- Read more about the specification: https://github.com/libyal/libewf/blob/master/documentation/Expert%20Witness%20Compression%20Format%20(EWF).asciidoc
- Creating an EWF image:
  ewfacquire -c best -t /exam/macbookair /dev/sdf

Special Containers: AFF (Advanced Forensic Format)
- Can be compressed, encrypted, and digitally signed. An interesting feature of the AFF format is that the metadata stored in the image file is extensible: arbitrary information relevant to the case can be stored directly in the image file in question.
Methods
- AFF - the default format of an AFF container; a single image file containing forensic data as well as case metadata
- AFD - contains metadata in the image, but splits the image file into fixed-size volumes; this can be useful when transporting or archiving images via size-limited file systems or media
- AFM - stores the image file as a single, solid container but stores metadata in an external file
- Creating an AFF image:
  aimage <mounted_folder> /usr/affs/disk1.aff

Special Containers: Other Forensic Containers
- FTK SMART
- Compressed containers: SquashFS, AFF, EWF
- SquashFS:
  sfsimage -i /dev/sde philips-usb-drive.sfs
Additional Image Acquisition Sources
- Remote - convert a raw stream into EWF format:
  ssh remote-pc "dd if=/dev/sda" | ewfacquirestream -D 16048539022588504422 -t eepc-16048539022588504422

File Systems
- File System - used to control how data is stored and retrieved. Without a file system we would just have a large body of data with no way to tell where one piece of information begins and another ends. It is an abstraction of the underlying data.
- Many different file systems exist, and they are a huge research area within computer science
- File systems can exist on many different types of storage devices and can even be stored in RAM
- Purposes (similar to all abstraction concepts):
  - Portability
  - Security; the user is not relied on, or even allowed, to access the drive directly
  - Convenience
- File - an ordered collection of data blocks; additional metadata about a file is stored by the file system
- Directory - a data structure containing an organized collection of files and sub-directories

File System Abstraction Model
- Disk - the physical storage device. Usually beyond the scope of an average forensic analyst; more accessible with SSDs
- Volume - created using all or part of one or more disks
- File System - a file system is laid down on a volume and describes the layout of files and their associated metadata. Items in the file system layer include metadata specific to, and solely used for, the file system’s own operation
- Data Unit - the smallest freestanding unit of data storage available in a given file system
- Metadata - data about data
- File Name - the layer where humans operate. Artifacts available in this layer vary depending on the file system

File System Abstraction Model: Tools
- Volume layer tools - mmls, mmstat
- File system layer tools - fsstat
- Data unit layer tools - blkstat, blkls (useful for extracting unallocated space from a FS), blkcat
  Example use of blkcat: view the hex of the 512-byte block at block number 521
  blkcat ubnist1.casper-rw.gen3.aff 521 | xxd
- Metadata layer tools - istat, ils, icat, ifind
  Find the inode that owns block 28680:
  ifind -d 28680 ubnist1.casper-rw.gen3.aff
- File name layer tools - fls, ffind
- Create a timeline - mactime processes a “bodyfile” to create a timeline:
  ils -em ubnist1.casper-rw.gen3.aff > my.bodyfile
  fls -r -m "/" ubnist1.casper-rw.gen3.aff >> my.bodyfile
  mactime -b my.bodyfile -d > my.timeline.csv

File Systems - Volume to Disk Comparison (diagram: one Disk divided into Volume 1, Volume 2 and Volume 3)

Hashing
- Hash Function - takes a string of any length as input and outputs a fixed-length hash value
- Should be computationally hard to reverse a hash function
- Given an input and its hash, it should be hard to find a different input with the same hash
- Should be collision resistant

Hashing: Popular Hash Functions
- MD5 - considered compromised but still useful for forensic purposes
- SHA
  - SHA-1 - in 2005 a method was found for uncovering collisions for SHA-1 within a practical time frame
  - SHA-2 - SHA-224, SHA-256, SHA-384
  - Succeeded by the Keccak algorithm, which is called SHA-3
- Other hash functions - RIPEMD, Whirlpool

Linux: Calculating a Hash
Strings
- echo -n "hello_world" | sha1sum
- echo -n "hello_world" | md5sum
Files
- md5sum <file_name> (multiple files using *)
- sha1sum <file_name> (multiple files using *)
Images
- Same as a file
Disk
- dc3dd if=/dev/sde of=image.raw hash=md5 hash=sha1 hash=sha512
- dcfldd if=/dev/sde of=image.raw conv=noerror,sync hash=md5,sha256
- ewfacquire -c best -t /exam/macbookair /dev/sdf
Piecewise hashing during acquisition
- dcfldd if=/dev/sde of=image.raw conv=noerror,sync hashwindow=1M
- dc3dd if=/dev/sda hof=image.raw ofs=image.000 ofsz=1G hlog=hash.log hash=md5
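As an added example, not from the slides, here is piecewise hashing done with plain dd and md5sum, the same idea as dcfldd's hashwindow=, together with a window-by-window comparison of two images; the sample images and the modified window used to exercise it are constructed. A whole-image hash only tells you that a copy changed, while the windowed comparison tells you which region did.

```shell
#!/bin/sh
# Added example (not from the slides): piecewise hashing with plain dd and
# md5sum, plus a window-by-window comparison of two images.

# Print "<window_index> <md5>" for every window of $2 bytes in image $1.
# The last window may be shorter than $2 if the image size is not a multiple.
piecewise_md5() {
  img=$1; win=$2
  size=$(wc -c < "$img")
  n=$(( (size + win - 1) / win ))
  i=0
  while [ "$i" -lt "$n" ]; do
    sum=$(dd if="$img" bs="$win" skip="$i" count=1 2>/dev/null | md5sum | cut -d' ' -f1)
    echo "$i $sum"
    i=$((i + 1))
  done
}

# Compare images $1 and $2 using windows of $3 bytes; print the index of each
# window whose hash differs. Nothing is printed when the images match.
changed_windows() {
  a=$(mktemp); b=$(mktemp)
  piecewise_md5 "$1" "$3" > "$a"
  piecewise_md5 "$2" "$3" > "$b"
  # paste pads a missing line with empty fields, so a size difference shows up too.
  paste -d' ' "$a" "$b" | awk '$2 != $4 { print ($1 == "" ? $3 : $1) }'
  rm -f "$a" "$b"
}
```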

Linux: Calculating a Hash - Recursive Hashing
- md5deep - https://github.com/jessek/hashdeep
  - Follow the install instructions and install on the SIFT workstation
  - Can be used to find known file hashes on a system
  - Can also create hashes recursively
- Prove similarity between files: ssdeep - https://github.com/ssdeep-project/ssdeep
  - The default version on the SIFT workstation should be fine

SleuthKit
- Sleuthkit - a suite of file system forensic tools
- Install from source with AFF and EWF support:
  git clone https://github.com/sleuthkit/sleuthkit.git
  cd sleuthkit
  Run libtoolize, aclocal, autoconf, autoheader, automake --add-missing
  ./configure (make sure the configure summary shows support for afflib and libewf)
  make
  sudo make install
- Run sigfind -V to make sure you have Sleuth Kit version 4.5.0

SleuthKit Tools
- “mm-”: tools that operate on volumes (aka “media management”)
- “fs-”: tools that operate on file system structures
- “blk-”: tools that operate at the data unit (or “block”) layer
- “i-”: tools that operate at the metadata (or “inode”) layer
- “f-”: tools that operate at the file name layer
- “j-”: tools that operate against file system journals
- “img-”: tools that operate against image files
- “-stat”: displays general information about the queried item
- “-ls”: lists the contents of the queried layer
- “-cat”: dumps/extracts the content of the queried layer

Questions?

Homework Problem
Perform and document the following tasks so that they could be repeated by a peer.
1. Create a 2GB (2048MB) disk image (block size 512 bytes) and call it mydisk.img
2. Create 2 disk partitions, each 999MB in size
3. Install an NTFS and a FAT32 file system (one on one partition and one on the other)
4. Provide the fsstat output for each partition
5. Perform a piecewise hash of the disk image, hashing 512MB at a time, using tools we mentioned in class (use MD5)
6. Copy the disk image to mydisk2.img (using dd). With the copy, do the following:
7. Perform the piecewise hash you did previously on the copy and record the hashes
8. Mount the two partitions in separate folders
9. Create a directory and place a text file containing the string “I love forensics.\n” within that directory. Name the file “forensics.txt” and the directory “Notes”. Do this on both file systems.
10. Unmount both partitions and then perform a piecewise hash of the disk image, hashing 512MB at a time, using tools we mentioned in class (use MD5)
11. Record your hashes and finish your documentation. Speculate on why a peer might receive different results if they followed your procedure exactly.