Large Data Analysis. Vincent Urias November 20, 2006 CS 489- Digital Forensics

Transcription

1 Large Data Analysis Vincent Urias November 20, 2006 CS 489- Digital Forensics

2 Topic: Large Data Analysis Executive Summary: As digital media becomes readably accessible and cheaper, the average system size is steadily increases. Because of the increased capabilities of both digital investigators and of cyber criminals, we see two major trends that have been emerging when looking at the cyber crimes like child pornography, identity theft, and computer fraud. First, the types of crimes have become more and more complex. Secondly, the crimes are becoming more expensive to analyze. Because of the plethora and differentiation of cyber cases, the shear volume of cases can range anywhere from gigabytes to terabytes of data. This data is no longer limited to a single computer, rather now we see entire networks that are vulnerable to attack. Because these issues are so important, I am going to discuss several key issues involving large-scale data analysis facing today s world. This document will discuss: The importance of large system analysis to the digital forensics field The current practices to analyze these data sets The technological gaps that exist in the analysis The current research that is being done to address these issues The ways that the current practices can be remedied today The future of this technology Introduction: As computer forensics practitioners, we are seeing a new trend in corporate, personal and private storage devices. Using minimal hardware a run-of-the-mill user could now build a terabyte raid at home with minimal costs. Ten years ago, large data sets were described in the order of hundreds of megabytes and now we see a clear escalation toward the terabyte range. It is our job as forensics examiners to evaluate the repercussions of these data sets on the gathering, analysis, and storage of evidence. No longer will it be possible to get a full bit-stream image of a device this big in under an hour. New techniques, tools, and standards need to be developed in order to cope with these growing trends. We are now at a crossroads in deciding whether we should take full disk images, or like a skilled surgeon, selectively carve out the necessary information; thus raising many legal questions including how to judge whether the information we are gathering is complete, accurate, reliable data. Also there exist other legal issues involving the scope of a warrant and how much data can be extracted and analyzed. In this situation, it now falls to the investigator to identify and collect the evidence rather than a tool or utility. Now we see an imperative shift from science to an art form where the skills and experiences that the investigator dictates how an investigation will unfold. No longer does a boilerplate answer exist, but rather a case-to-case sliding ruler has been developed. 2

3 DF Purpose: As digital investigators, we are now forced to ask ourselves many questions that we didn t have to ask ourselves 3 to 5 years ago regarding the imaging of a home or network computer. Now we are seeing home computers in the terabyte range and corporate networks that can be up to and even greater than 20 terabytes. When thinking about imaging devices of this size, we have to evaluate a couple of things: What will the effects of bring down the system have on the individuals? What are the financial implications of bringing down the system? Can the network support a bit-stream copy of the device? The answers to these questions are now being evaluated in order to decide how an investigation will unfold. In the past, it was possible to image a complete device and run the analysis in under an hour; however, this is no longer the case. We are now in an era where we have to decide whether or not to image over the network or locally. In most traditional forensics settings, it would be common practice to image the complete drive and then take that image back to the lab and use a tool to run a traditional analysis on the image. This would include signature analysis, and searching slack and unallocated space for information. Now when approaching an N-Terabyte system, the investigators will have to deviate from this normal operating procedure. We now have to ask ourselves if we can feasibly image an entire device with 10 terabytes of information. The truth being that we cannot image this device, nor can we run a complete analysis on the device that searches through all slack and unallocated space because the shear amount of time it takes to do so is enormous. We have to calculate the best way of addressing the issue in a timely fashion while balancing all other issues such as accuracy, money and the amount of intrusion we have on a cooperation which is trying to conduct business. State of Practice: It is necessary to preface this section by stating what kind of devices we would be looking to analyze VLDS. There are really no commercial products on the market that have a single disk that could support an n-terabyte system, so there are three storage devices that can support the sizes with relative ease. The most common is a RAID (redundant array of inexpensive disks) based devices. With a single control chip it is possible to create either a hardware or software RAID that has multiple disks linked together in a particular striping configuration. Secondly, there is a SAN (Storage Area Networks). Finally, there is a NAS (Network Attached Storage Devices). Each of these devices has certain characteristics such as proprietary emulation, and hardware specific interfaces that may add a level of complexity that would need to be addressed in a separate paper. [1] The current state of system analysis can best be centralized around the small desktop/workstation environment where the average size would be less than 40 GB. [1] These are comparatively small targets when comparing them to the terabyte sized data sets that we have to analyze now, thereby making large sets seem quite slow in 3

4 comparison. However, right now there is no standard way of approaching a system of this size. Tools There are no tools specifically geared toward the analysis of these systems or toward the preservation of these datasets. There are tools that may be able to support these higher sized drives, but with huge performance drawbacks. Tools such as EnCase Enterprise Edition and ProDiscover have the capability of reconstructing a Windows RAID natively; [1] however, there doesn t seem to be any benchmarks stating how long an acquisition of this size would take. Nevertheless, when non-windows based RAID arrays are present it necessitates another course of action. Specifically, this would involve imaging each disk in the device independently using basic forensic tools such as dd or Netcat, if an investigator were imaging over the network. Here an investigator may choose to write scripts to automate this process, but depending on the size this could still be quite lengthy. Another common way of dealing with VLDS is to extract only the data we want to use. The other possibility is to use tools such as dtsearch and Thunderstone that use advanced indexing algorithms to identify keywords within a VLDS and extract those specific files that meet the necessary criteria. Technical There really are three predominate physical modeling techniques that are available to the user [1]. We are forced to choose between using handled device images (running on a single device at average speeds of 1 GB/Min), field forensic workstations (running on average at 650 MB/Minute), or Ethernet connections (running at full 100-MG duplex speeds can reach the most computers simulations at speeds of 300MB/Minute). Gaps in Technology: There are many gaps in the technology when looking at the analysis of VLDS. First and foremost, there is the lack of standardization in policy, procedure and guidelines. There is no way of walking into a crime scene and determining the correct course of action. Right now, much of the analysis is done by instinct and experience - which is detrimental to new and inexperienced investigators that could potentially follow the wrong approaches and could contaminate the scene, taking far too long to create an analysis thus causing huge financial consequences, and possibly missing pertinent information are only a few problems that can arise from such practices. Second, there are no efficient tools that are specifically geared toward this magnitude of data. There is no efficient way of searching through all the data to return the results that you need. In many real world situations, this could mean the difference between life and death for someone. If one cannot access and retrieve the information in a timely matter, there can be huge impacts on the case, in terms of time, money and even the concentration of effort on a given case. In such cases, all of these efforts could be better utilized in other cases. Third, there is currently no way to preserve the evidence gathered. The likelihood for a smaller police department to have 20 terabytes of storage at their disposal for one case is quite unlikely. Additionally, if all 4

5 the data did somehow get analyzed there is no mechanism for storing the data in an evidence locker other than using DVDs, which would take approximately 30 days to create all 4229 DVD. 1 It would be totally unacceptable to constantly tie up a resource for every day for a month, for a single case. There is no way to support this kind of volume on a daily basis. State of Research: Currently there is limited research being done in this area of digital forensics. The majority of the work is concentrated around increasing the analysis by implementing a distributed systems approach. There are two separate efforts that I can find regarding the implementation of this new system. First, there is the work being done at New Mexico Tech. This approach proposes to create a distributed/cluster framework to analyze VLDS including traditional forensic analysis of the data, file carving, and network analysis all wrapped into an interactive visualized front end. The second implementation is being done at the University of New Orleans. The research being done there suggests that their preliminary solution supports imaging searching, RE searches, stenography detection and other operations via a user interface. Their preliminary results show that there is speedup well in excess of concurrency factors for IO and nearly linear speedup for CPU operations such as steganographic detection. [2] Beyond these two schools there is very little scholarly research that actually implements any advanced analysis techniques. Your ideas on what should be done now: The problem would be best addressed by creating a software suite that is able to analyze the information of data independent of each individual disk, allowing for distributed analysis. Developing this tool would be a huge step in the right direction for providing a framework to analyze these huge data sets. This tool would automate many of the processes that are currently being done by self-created scripts and intuition. Secondly, policy or procedure should be developed to create a solid framework of how to approach these types of problems. Finally, there needs to be some research and validation of partial extraction of digital forensics evidence. Currently there is neither case precedent nor forensic methodology to allow for the selective extraction of files and their introduction into the courts as evidence. If some methodology was adopted and accepted, it could allow for the potential data carving necessary to move through the copious amounts of data present in VLDS and thereby eliminate the need for whole disk imaging. This would save both time and resources. Future of practice/research: It is inevitable to develop a standard way of dealing with VLDS, as they get larger and larger and more visible in day-to-day activities. Once this standard is developed it will 1 The way that this in this case would be roughly 20,000/4.73 (20TB/Size_of_DVD)= 4229 DVD which at an average of 10 minutes to burn a DVD would take (4229*10)/60 = 705 hours or 30 days. 5

6 inevitably show the need for a tool development, which will finally cause our capitalist nature to kick in, and the spawning of a tool. Once the standard is adopted many of the questions that were raised in the paper will have to be analyzed and evaluated before incorporating them in some sort of NIST standard. Some potential research areas that may be explored and or developed include the distributed systems forensic analysis environment in order to adequately cope with the increasing sizes. One of the greatest benefits is the scalability. By using a distributed system, there would be a potential to follow the disk-size growth trends by just increasing the number of nodes or by moving toward a more sophisticated distributed system approach. There is the suggestion of creating a more sophisticated methodology of detecting evidence. [3] Carrier suggests that sifting through much of the images, data files, etc is a manual and time-consuming process. An automated way of detecting and categorizing the types of contraband is quite necessary when thinking about the amount of image and data files that could be in a 20 TB system. If there were some type of advanced algorithm that figured out what kinds of things stood out and fit the set criteria for contraband, it would at least allow for a quick analysis to find if the perpetrator had illicit data in their possession. The manual process for this could take months. Finally, there is a need for the development of a forensically sound approach to gathering live analysis of machines, specifically in the area of gathering cryptographic keys in main memory. [2] Overall, there are a lot of potential ways to improve the current system that need to be evaluated, implemented, and tested in the upcoming years. References [1] Brown, C.L.T., Computer Evidence: Collection and Preservation, Charles River Media, Hingham, MA, [2] Roussev, V. and Richard III, G.G. Next-Generation Digital Forensics. Communications of the ACM, V49,I2,2006 [3] Carrier, B and Spafford, E. Automated digital evidence target definition using outlier analysis and exiting evidence. In Proceedings of the 2005 Digital Forensic Research Workshop 6