Rapid Forensic Imaging of Large Disks with Sifting Collectors

Transcription

1 DIGITAL FORENSIC RESEARCH CONFERENCE Rapid Forensic Imaging of Large Disks with Sifting Collectors By Jonathan Grier and Golden Richard Presented At The Digital Forensic Research Conference DFRWS 2015 USA Philadelphia, PA (Aug 9 th - 13 th ) DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development.

2 Jonathan Grier, Grier Forensics Dr. Golden G. Richard III, University of New Orleans

3

4 Quote Today s Golden Age of computer forensics is quickly coming to an end The growing size of storage devices means that there is frequently insufficient time to create a forensic image investigations are becoming slower Today a 2TB hard drive can be purchased for $120 but takes more than 7 hours to image The leading challenge for digital forensic investigations is that of scale the mere acquisition, extraction and pre-processing of the data sources create a long list of technical problems and long turnaround times. It took two days to consolidate the various target media onto a pair of 2TB drives and thirteen hours to clone and hash each drive using the very latest driveto-drive tools. By far we think the biggest challenge is the sheer volume of data. The existing acquisition methodologies and software tools will not be able to scale as quickly as the datasets which are being acquired. Unfortunately, there are no easy solutions to these problems. new paradigms for these huge datasets will be heroes in the forensics community Police managers must find a way to examine an increasing number of digital devices, each containing an immense volume of data There is an unacceptable backlog waiting for examination. Source Forensics researcher Dr. Simson L. Garfinkel of the Naval Postgraduate School (Garfinkel 2010) Forensics examiner Andrew Case (Case et al. 2008) Forensics attorney Craig Ball, The End of Digital Forensics? (Ball 2011) Robert Botchek, founder and former president of Tableau (Botchek 2008) First Sergeant Charles L. Cohen of the Indiana State Police (Cohen 2007)

5 Which evidence is preserved: Adequate speed Full Disk Imaging Live Forensics & Triage Entire disk Up to ten hours per disk Reports, results, and files the examiner chooses to copy Reproducible Verifiable Duplicates evidence automatically Duplicates at device level Duplicates entire disk Alternate lines of investigation are possible in the future

6

7

8

9

10 Which evidence is preserved: Adequate speed Full Disk Imaging Live Forensics & Triage Sifting Entire disk Up to ten hours per disk Reports, results, and files the examiner chooses to copy Identified sectors & regions Reproducible Verifiable Duplicates evidence automatically Duplicates at device level Duplicates entire disk Alternate lines of investigation are possible in the future?

11

12

13

14

15

16

17 1. Perform a forensic investigation in a fully reproducible manner That is, the procedure must be an effective procedure (using Turing's classic definition: a fully defined procedure, which results in a quantifiable, definite conclusion). 2. Randomize a particular region 3. Repeat the investigation The region is relevant, in the context of this investigation, if and only if, the conclusions differ.

18

19 Expected relevance: The a priori probability measure (between 0 and 1) that an unread region known to have certain properties is relevant, in the context of a particular investigation.

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39 Figure 1: Conventional image SAM file is present Figure 2: Sifted Image SAM file is fully extent. Data matches conventional image.

40

41

42

43

44

45

46

47

48

49

50