A Strategy for Testing Hardware Write Block Devices

Similar documents
Categories of Digital Investigation Analysis Techniques Based On The Computer History Model

Developing a New Digital Forensics Curriculum

Extracting Hidden Messages in Steganographic Images

NIST CFTT: Testing Disk Imaging Tools

System for the Proactive, Continuous, and Efficient Collection of Digital Forensic Evidence

An Evaluation Platform for Forensic Memory Acquisition Software

Unification of Digital Evidence from Disparate Sources

A Correlation Method for Establishing Provenance of Timestamps in Digital Evidence

A Functional Reference Model of Passive Network Origin Identification

Monitoring Access to Shared Memory-Mapped Files

Rapid Forensic Imaging of Large Disks with Sifting Collectors

Test Results for Disk Imaging Tools: EnCase 3.20

Fast Indexing Strategies for Robust Image Hashes

Breaking the Performance Wall: The Case for Distributed Digital Forensics

File Fragment Encoding Classification: An Empirical Approach

CAT Detect: A Tool for Detecting Inconsistency in Computer Activity Timelines

Honeynets and Digital Forensics

Hash Based Disk Imaging Using AFF4

A Study of User Data Integrity During Acquisition of Android Devices

Designing Robustness and Resilience in Digital Investigation Laboratories

Automated Identification of Installed Malicious Android Applications

The Normalized Compression Distance as a File Fragment Classifier

Leveraging CybOX to Standardize Representation and Exchange of Digital Forensic Information

Ranking Algorithms For Digital Forensic String Search Hits

On Criteria for Evaluating Similarity Digest Schemes

Can Digital Evidence Endure the Test of Time?

Information Assurance In A Distributed Forensic Cluster

File Classification Using Sub-Sequence Kernels

Multidimensional Investigation of Source Port 0 Probing

Test Results for Hardware Write Block Device: Tableau T5 Forensic IDE Bridge (USB Interface)

Privacy-Preserving Forensics

KNOPPIX Bootable CD Validation Study for Live Forensic Preview of Suspects Computer

Design Tradeoffs for Developing Fragmented Video Carving Tools

Using Hashing to Improve Volatile Memory Forensic Analysis

Archival Science, Digital Forensics and New Media Art

Disclaimer of Liability: Redistribution Policy:

Android Forensics: Automated Data Collection And Reporting From A Mobile Device

Digital Forensics Validation, Performance Verification And Quality Control Checks. Crime Scene/Digital and Multimedia Division

A Novel Approach of Mining Write-Prints for Authorship Attribution in Forensics

A Framework for Attack Patterns Discovery in Honeynet Data

BinComp: A Stratified Approach to Compiler Provenance Attribution

AccessData Imager Release Notes

Test Results for Mobile Device Acquisition Tool: Zdziarski s Method

Digital Forensic Science: Ideas, Gaps and the Future. Dr. Joshua I. James

AccessData Imager Release Notes

OHLONE COLLEGE Ohlone Community College District OFFICIAL COURSE OUTLINE

Conformance Requirements Guideline Version 0.1

Digital Forensics. Also known as. General definition: Computer forensics or network forensics

IETF TRUST. Legal Provisions Relating to IETF Documents. Approved November 6, Effective Date: November 10, 2008

Boot Mode Considerations: BIOS vs. UEFI

Test Results for Disk Imaging Tools: dd Provided with FreeBSD 4.4 REPORT. Special JAN. 04

Introduction to Volume Analysis, Part I: Foundations, The Sleuth Kit and Autopsy. Digital Forensics Course* Leonardo A. Martucci *based on the book:

Digital Forensics Lecture 02- Disk Forensics

Chapter Two File Systems. CIS 4000 Intro. to Forensic Computing David McDonald, Ph.D.

AccessData Imager Release Notes

AccessData Imager Release Notes

A NETWORK PRIMER. An introduction to some fundamental networking concepts and the benefits of using LANtastic.

Introduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria

Minimum Scheme Requirements to Certify Criminal Justice Restraints Described

Emsi Privacy Shield Policy

Security Control Mapping of CJIS Security Policy Version 5.3 Requirements to NIST Special Publication Revision 4 4/1/2015

Flash Drive Won T Mount Windows 7 Won't Recognize

Organization of Scientific Area Committees for Forensic Science (OSAC)

Test Results for Disk Imaging Tools: SafeBack 2.18

ANALYSIS AND VALIDATION

Kevin Mandia MANDIANT. Carnegie Mellon University Incident Response Master of Information System Management

TA Document IEEE1394 Interface Implementation Guideline TV Device for Japanese BS/CS Digital Broadcasting System 1.0

Data Breach Response Guide

Introduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria

Chapter 11: File System Implementation. Objectives

A Road Map for Digital Forensic Research

Bring Your Own Device

10/13/11. Objectives. Live Acquisition. When do we consider doing it? What is Live Acquisition? The Order of Volatility. When do we consider doing it?

IT Essentials v6.0 Windows 10 Software Labs

Windows 7 Manual Partition Hard Drive During Install Xp

COSC 243. Input / Output. Lecture 13 Input/Output. COSC 243 (Computer Architecture)

BEYOND CJIS: ENHANCED SECURITY, NOT JUST COMPLIANCE

Forensic Analysis Approach Based on Metadata and Hash Values for Digital Objects in the Cloud

I/O Systems. Jo, Heeseung

IETF TRUST. Legal Provisions Relating to IETF Documents. February 12, Effective Date: February 15, 2009

TA Document IEEE1394 Interface Implementation Guideline STB Device for Japanese Terrestrial Digital Broadcasting System 1.

ACCEPTABLE USE POLICIES FOR INFORMATION SERVICES COMPUTING RESOURCES

Volume II, Section 5 Table of Contents

BRING YOUR OWN DEVICE: POLICY CONSIDERATIONS

Discontinuing the Metallic Handcuffs Compliance Testing Program and Request for

I/O Handling. ECE 650 Systems Programming & Engineering Duke University, Spring Based on Operating Systems Concepts, Silberschatz Chapter 13

TotalShredder USB. User s Guide

How To Set New Password In Windows 7 Using Cmd From Guest Account

Elastic Charging Engine 11.3 RADIUS Gateway Protocol Implementation Conformance Statement Release 7.5

AccessData Imager Release Notes

Oracle Public Sector Revenue Management Self Service

i-disk Shield 2.0 Secure AES Manager User s Manual

Comp 204: Computer Systems and Their Implementation. Lecture 9: Deadlock

Membership Categories and Benefits

Topic: Software Verification, Validation and Testing Software Engineering. Faculty of Computing Universiti Teknologi Malaysia

NIST SP Notes Guide to Integrating Forensic Techniques into Incident Response

Incident Response Training and Workshop Oct 28, Ralph Durkee Durkee Consulting, Inc.

ON THE SELECTION OF WRITE BLOCKERS FOR DISK ACQUISITION: A COMPARATIVE PRACTICAL STUDY

NVDIMM Overview. Technology, Linux, and Xen

F-RESPONSE NOW/UNIVERSAL VALIDATION TESTING REPORT

Transcription:

DIGITAL FORENSIC RESEARCH CONFERENCE A Strategy for Testing Hardware Write Block Devices By James Lyle Presented At The Digital Forensic Research Conference DFRWS 2006 USA Lafayette, IN (Aug 14 th - 16 th ) DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development. http:/dfrws.org

A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology

DISCLAIMER Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products are necessarily the best available for the purpose. DFRSW 14 Aug 2006 HWB Testing Strategy 2

Project Sponsors!NIST/OLES (Program management)!national Institute of Justice (Major funding)!fbi (Additional funding)!department of Defense, DCCI (Equipment and support)!homeland Security (Technical input)!state & Local agencies (Technical input)!internal Revenue, IRS (Technical input) DFRSW 14 Aug 2006 HWB Testing Strategy 3

HWB Protection Goals!Prevent any change to data!allow access to entire user area!preserve the configuration of the drive!may change a drive configuration e.g., To access HPA or DCO DFRSW 14 Aug 2006 HWB Testing Strategy 4

Prohibit Change by!prohibit changes by a malicious program!prohibit accidental change (blunder)!prohibit change by operating system!prohibit damage to a drive!prohibit any changes to a hard drive DFRSW 14 Aug 2006 HWB Testing Strategy 5

Write Block Strategies!Block unsafe commands, allow everything else + Always can read, even if new command introduced - Allows newly introduced write commands!allow safe commands, block everything else + Writes always blocked - Cannot use newly introduced read commands DFRSW 14 Aug 2006 HWB Testing Strategy 6

Need to Know What s Happening Need to Know!Know what cmd sent to blocker by host!know what cmd sent to drive by blocker How to know!hardware bus monitor!send specific command!look for effect of known command DFRSW 14 Aug 2006 HWB Testing Strategy 7

Write Cmds Used by Host/OS Src Count Cmd FreeBSD5.2.1 Boot 196 CA=Write DMA FreeBSD5.2.1 Boot 1 30=WRITE W/ RETRY FreeBSD5.2.1 Shutdown 104 CA=Write DMA RH7.1 Boot 759 CA=Write DMA RH7.1 Login 166 CA=Write DMA RH7.1 Shutdown 297 CA=Write DMA RH9PD.1 Boot 763 CA=Write DMA RH9PD.1 Login 186 CA=Write DMA RH9PD.1 Shutdown 402 CA=Write DMA DFRSW 14 Aug 2006 HWB Testing Strategy 8

Write CMDs Used by Win OS Host/OS Src Count Cmd W98DS3 Boot 55 CA=Write DMA W98DS3 Boot 58 30=WRITE W/ RETRY W98DS3 Login 22 30=WRITE W/ RETRY W98DS3 Shutdown 76 30=WRITE W/ RETRY W98dsbd Boot 10 30=WRITE W/ RETRY W98dsbd Boot 48 CA=Write DMA Win2KPro Boot 424 CA=Write DMA Win2KPro Login 277 CA=Write DMA Win2KPro Shutdown 269 CA=Write DMA Win98SE Boot 65 30=WRITE W/ RETRY Win98SE Shutdown 90 30=WRITE W/ RETRY WinNT4.0 Boot 452 C5=WRITE MULTIPLE WinNT4.0 Login 520 C5=WRITE MULTIPLE WinNT4.0 Shutdown 102 C5=WRITE MULTIPLE WinXPPro Boot 967 CA=Write DMA WinXPPro Shutdown 272 CA=Write DMA DFRSW 14 Aug 2006 HWB Testing Strategy 9

Creating a Specification!Specification (informal) vs Standard (Formal ISO process)!nist does research: tools, vendors, users!nist drafts initial specification!post specification on web for public comment!resolve comments, post final version DFRSW 14 Aug 2006 HWB Testing Strategy 10

Requirements " HWB-RM-01 A HWB shall not, after receiving an operation of any category from the host nor at any time during its operation, transmit any modifying category operation to a protected storage device. " HWB-RM-02 A HWB, after receiving a read category operation from the host, shall return the data requested by the read operation. " HWB-RM-03 A HWB, after receiving an information category operation from the host, shall return a response to the host that shall not modify any access-significant information contained in the response. " HWB-RM-04 Any error condition reported by the storage device to the HWB shall be reported to the host. DFRSW 14 Aug 2006 HWB Testing Strategy 11

Develop Test Assertions!Each test assertion should be a single testable statement (or condition)!pre-condition: establish conditions for the test!action: the operation under test!post-condition: measurement of the results after the operation DFRSW 14 Aug 2006 HWB Testing Strategy 12

Test Assertions HWB-AM-01. The HWB shall not transmit any modifying category operation to the protected storage device. HWB-AM-02. If the host sends a read category operation to the HWB and no error is returned from the protected storage device to the HWB, then the data addressed by the original read operation is returned to the host. HWB-AM-03. If the host sends an information category operation to the HWB and if there is no error on the protected storage device, then any returned accesssignificant information is returned to the host without modification. HWB-AM-04. If the host sends an operation to the HWB and if the operation results in an unresolved error on the protected storage device, then the HWB shall return an error status code to the host. HWB-AM-05. The action that a HWB device takes for any commands not assigned to the modifying, read or information categories is defined by the vendor. DFRSW 14 Aug 2006 HWB Testing Strategy 13

Measuring HWB Conformity to Test Assertions!Detailed -- HWB behavior observed (by hardware monitor) for all commands (defined, undefined, etc)!indirect -- All commands with an observable effect!observational -- Commands issued by common tools observed by hardware monitor!operational -- Pre-test & post-test hash used to detect change to protected drive DFRSW 14 Aug 2006 HWB Testing Strategy 14

Develop Test Cases!A test case is an execution of the tool under test!each test case should be focused on a specific test objective!each test case evaluates a set of test assertions DFRSW 14 Aug 2006 HWB Testing Strategy 15

Write Protect Cases # HWB-01 Identify commands blocked by the HWB. This case uses a protocol analyzer and a general command generator. # HWB-02 Identify modifying commands blocked by the HWB. This case uses a write command generator to try to write a unique message to a unique location for each defined write command. # HWB-03 Identify commands blocked by the HWB while attempting to modify a protected drive with forensic tools. This case uses a protocol analyzer to record the commands generated and blocked by attempting to write to a drive with either a forensic tool or an operating system command. # HWB-04 Attempt to modify a protected drive with forensic tools. This case attempts to write to a drive with either a forensic tool or an operating system command. Any modifications to the protected drive are detected by comparing a pre-test hash of the drive to a post-test hash of the drive. DFRSW 14 Aug 2006 HWB Testing Strategy 16

Read Tests #HWB-05 Identify read commands allowed by the HWB. A read command generator is used to try to read known data from a drive using each defined read command. #HWB-06 Identify read and information commands used by forensic tools and allowed by the HWB. Use a forensic tool to read an entire drive with a protocol analyzer recording the actual commands generated by the forensic tool. #HWB-07 Read a protected drive with forensic tools. Use a forensic tool to read an entire drive. DFRSW 14 Aug 2006 HWB Testing Strategy 17

Info & Error Tests #HWB-08 Identify access significant information unmodified by the HWB. Use a tool to generate a request for drive size and verify that the correct size is reported. #HWB-09 Determine if an error on the protected drive is returned to the host. Generate an error at the drive by attempting to read a sector beyond the end of the drive. DFRSW 14 Aug 2006 HWB Testing Strategy 18

Develop Test Harness!A set of tools or procedures to measure the results of each test assertion!must be under strict version control!must measure the right parameter (validated)!must measure the parameter correctly (verified) DFRSW 14 Aug 2006 HWB Testing Strategy 19

Blocking Device Actions! The device forwards the command to the hard drive.! The blocking device substitutes a different command! The device simulates the command! If a command is blocked, the device may return either success or failure back to the host! Present the drive as a read-only device! May issue commands without a command from the host DFRSW 14 Aug 2006 HWB Testing Strategy 20

Write Commands Issued by OS (Unix) DFRSW 14 Aug 2006 HWB Testing Strategy 21

Write Commands Issued by OS (MS) DFRSW 14 Aug 2006 HWB Testing Strategy 22

Notable Blocker Behaviors!Allow the volatile SET MAX ADDRESS, block if non-volatile!cache the results IDENTIFY DEVICE!Substitute READ DMA for READ MULTIPLE!Allow FORMAT TRACK!Depending on OS version, user might not be able to preview NTFS partition DFRSW 14 Aug 2006 HWB Testing Strategy 23

Contacts Jim Lyle www.cftt.nist.gov cftt@nist.gov Doug White www.nsrl.nist.gov nsrl@nist.gov Barbara Guttman bguttman@nist.gov Sue Ballou, Office of Law Enforcement Stds susan.ballou@nist.gov DFRSW 14 Aug 2006 HWB Testing Strategy 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback