Topic Data carving, as defined by Digital Forensic Research Workshop is the process of

Transcription

1 Chad Cravens 8/25/2006 DF Research Project 1 Data Carving Topic Data carving, as defined by Digital Forensic Research Workshop is the process of extracting a collection of data from a larger data set. Digital Forensics examiners are constantly being challenged to extract and retrieve data hidden in peculiar places and in very interesting ways. This larger data set is a sequence of, what first appears to be, random bits. These bits can be located on an un-partitioned hard drive, inside of an MP3 player, as a file in a valid file system or appended to a file to be hidden as steganography. Since these larger data set files can be rather extensive, if an examiner does not have a quick and efficient manner to extract data, important information regarding a case may go undetected. For this reason it is extremely important that all the data which may be of use in a case be found and presented accordingly. Another major advantage to creating automated methods of data carving is the amount of money saved by saving an examiner time. If an examiner can run a quick tool which can do the same job in less than a second what may take an examiner weeks to do by hand, that examiner can work much more quickly and efficiently, bringing more evidence to light. Data carving means taking whole files which may not be individually marked by the file system (by being stuck and jumbled together) and discerning those files from random or meaningless data. A further refinement can take place by taking meaningful data, such as pictures and legible text, and separating all of the meaningful data from data relevant

2 only to the case. This may help, because a successful extraction from a 1 GB data space may result in thousands, if not millions, of legible files. It would be impractical for an examiner to examine each of those files to determine whether they would be helpful in a case. Executive Summary I have developed a small tool called Data Mole. Data Mole is created in C# in the.net environment and requires the Microsoft.NET 2.0 framework to run. Data Mole will take a file with random bits and bytes of information and will look for valid files such as.jpg,.bmp, text files and.html files. Data Mole comes short when finding a file which may have other data enveloped in the middle of the file. Without the appropriate footers, how do we know where one file ends and begins again? This is an area that is under much research and investigation. DF Purpose From personal experience, I have seen examiners that are faced with junk data appended to the end of JPG files. Steganography tools allow individuals to append any sort of data to the end of a.jpg file. This allows the concealment of data through normal browsing and viewing of the.jpg file. If the junk data is extracted from the JPG and viewed in a hex editor, one starts to notice legible text, JPG headers, Bitmap headers, HTML files and much more. It is possible that these JPGs and Bitmaps may, in return, contain even more steganography and important case evidence. If an examiner does not have an efficient way to carve this data out, that data and evidence will go unnoticed and unused.

3 State of Practice There are currently several tools under development or that have already been developed which serve the purpose of data carving. A list of these more common or well known tools follows: Commercial Products o DataLifter ($335.00) Open-Source Products o Foremost (Free) o Scalpel (Free) Gaps in Technology Many contests are currently being sponsored by organizations and agencies that deal directly with digital forensic research and development. These contests are designed to bring to light ideas that other individuals have on how to address the problems currently being faced in the digital forensics community. The fact that these contests exist is a good sign that there are many areas open for research and many gaps in the technology that exists today. Gaps in technology dealing with data carving currently span many different areas. One of the hottest areas is how to piece a file together that is spanned out across the data space. For example, if a bitmap file is suddenly interrupted by some text, and then that bitmap file is continued, how are we able to analyze those two pieces of the bitmap file and piece them together accordingly to make a complete bitmap file. Another area of interest that I would like to continue in my development of Data Mole is extracting information that is only relevant to the case. An examiner may be confronted

4 with thousands of different files created by successfully carving that data. What types of parameters can an examiner set so that the files of most importance are flagged and presented accordingly? Is there some sort of relevance scale we can assign to those files? State of Research Currently I have developed a tool which will extract some of the more common and easier files from an unknown file. This tool will parse through the file, looking for known file headers. If it recognizes a file header it will then perform further analysis to verify whether or not the found data really is of that type. If the file is verified it will either grab or compute the length of the data, and save the file out accordingly. My Ideas Some of my ideas for the fore-mentioned problems are to allow the examiner to specify words of interest. These words can be names, area codes (for phone numbers), addresses, or different other types of information. Data found with relating information will be flagged and presented to the examiner as critical. These extracted files will then be viewed first, hopefully saving the examiner time and frustration from having to search through the thousands, or millions, of files by hand. Another area of interest for me is to attack these problems using mathematics. We can view the entire data space as a set of 1 s and 0 s {0, 1}. Within this large set we are looking for subsets of 1 s and 0 s that match our criteria. Approaching this problem from a mathematical standpoint using tools such as graphs and sets may prove beneficial to continuing research and development.

5 Future Research Continued development of Data Mole will be realized. I will continue developing data mole so that many more different types of files will be extracted from the data to include executables, video files, Unicode and many others. A second area of research I will focus on as I continue to develop Data Mole is the assembly of related data. The last area of research that Data Mole will have is flagging extracted data which is found to be most relevant to the case. What sets of parameters must be defined and included in the search so that the data relevant to the case is presented first for examination. Overall, the techniques and areas of research described will save the examiner time and the examining institution money. More importantly, the proper research may provide a way to bring more evidence to light, allowing the truth to be exposed when a criminal case is being investigated using digital forensic techniques. Bibliography 1. Digital Forensic Research Workshop DC3 Challenge DataLifter Foremost.