Antonio Barili – Digital Forensics Lab Dept. of Industrial and Information Engineering University of Pavia (Italy)
A Short Introduction to Digital and File System Forensics
“Every contact leaves a trace” (Locard's exchange principle)
• Exchange of Energy
• Exchange of Information
• Exchange of Matter
© 2015 - Università degli Studi di Pavia - Antonio Barili
Digital Forensics
The uncovering and examination of artifacts with evidentiary value located on all kinds of electronic devices
The Challenges of Digital Forensics
• Data authenticity and volatility
• Data scale
• Data variety
The Purposes of Digital Forensics
• Find evidence of crimes that took place in the real world (e.g. stalking, murder)
• Find evidence of crimes that inherently involved
Why is Digital Forensics so powerful?
• Computer systems store a vast amount of information
  • Intentionally (documents, databases, log files)
  • Unintentionally (partially erased documents and other artifacts)
• Computer systems are windows into the past!
What makes Digital Evidence different from traditional forms of evidence
• Witnesses can testify in court
• Traditional documents may be directly evaluated by judges and jurors
• Digital evidence needs an expert witness to be
Useful byproducts of Digital Forensics
• Data recovery
• Auditing and incident response
• Security testing of hardware and services
Digital Forensics Procedures and Methods
• Legal issues
• Technical issues
• The bound is not what is technically possible, but
The Digital Forensics Model (RFC 3227, "Guidelines for Evidence Collection and Archiving", 2002)
• Identification
• Acquisition
• Preservation
• Analysis
• Presentation
The Digital Forensics Model - Acquisition
• Physical images (bit-for-bit disk images)
• Logical images (documents and files)
• Live data capture (memory dumps)
• Collect in order of volatility (RFC 3227): memory and other live data first, disks afterwards
Example - File System Forensics
# Physical (bit-for-bit) image of the evidence device, attached through a write blocker.
# conv=noerror,sync keeps going past unreadable sectors and pads them with zeros so offsets stay aligned
# (with bs=4M one bad sector zeroes the whole 4 MiB block; use a smaller bs on a failing disk).
dd if=/dev/sdb of=/temp/image.raw bs=4M conv=noerror,sync
# Hash device and image so the copy can be shown to match the original.
sha256sum /dev/sdb /temp/image.raw
Forensic image formats: RAW (DD), EWF (Expert Witness Format), AFF (Advanced Forensic Format)
Example - File System Forensics – DEMO
• TEST00 – FORMATTED AND WIPED
• TEST01 – JPEG IMAGE ALLOCATED
• TEST02 – JPEG IMAGE DELETED
• TEST03 – FORMATTED (NOT WIPED)
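What the four test cases come down to, as an added example (not from the original slides): a JPEG header/footer carver run over three constructed raw volumes that stand in for TEST02 (file deleted, data clusters intact), TEST03 (quick format: file-system area rewritten, data clusters untouched) and TEST00 (every cluster overwritten). The cluster size, the volume layout and the JPEG inside them are this example's own constructions; the carver itself relies only on the standard JPEG markers.

```python
"""Added example, not from the original slides: a JPEG header/footer carver
run over constructed raw volumes that mimic the TEST00/TEST02/TEST03 cases.
Cluster size, volume layout and the JPEG inside are this example's own
inventions; the carver relies only on the standard JPEG markers."""

SOI = b"\xFF\xD8\xFF"  # start of image, followed by an APPn marker (E0 JFIF, E1 Exif ...)
EOI = b"\xFF\xD9"      # end of image
CLUSTER = 4096         # hypothetical cluster size of the sample volume


def carve_jpegs(image, max_size=16 * 1024 * 1024):
    """Return [(offset, data)] for every JPEG found by scanning raw bytes.

    The scan never consults the file system, so unallocated (deleted)
    content is found just like allocated content. Files whose data is
    fragmented across non-adjacent clusters are not reassembled.
    """
    found = []
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            break
        end = image.find(EOI, start + len(SOI), start + max_size)
        if end < 0:  # header with no footer in range: skip this candidate
            pos = start + 1
            continue
        found.append((start, image[start:end + len(EOI)]))
        pos = end + len(EOI)
    return found


def minimal_jpeg(payload):
    """Construct a structurally valid (not decodable) JPEG container:
    SOI, an APP0/JFIF segment, the payload segments, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xFF\xD8\xFF\xE0" + (len(app0) + 2).to_bytes(2, "big")
            + app0 + payload + EOI)


def make_volume(n_clusters, files):
    """Construct a raw volume with each file's bytes at a cluster boundary.
    No directory entries are written: a carver never needs them."""
    vol = bytearray(n_clusters * CLUSTER)
    for cluster, data in files:
        vol[cluster * CLUSTER:cluster * CLUSTER + len(data)] = data
    return bytes(vol)


# A DQT segment (FF DB, length 67, table id, 64 entries) plus fake scan data.
PHOTO = minimal_jpeg(b"\xFF\xDB\x00\x43\x00" + bytes(range(64)) + b"scan data" * 50)

# TEST02-like: the file was deleted but its clusters were never reused.
VOLUME_DELETED = make_volume(16, [(3, PHOTO)])
# TEST03-like: a quick format rewrote the file-system area (cluster 0) only.
VOLUME_QUICK_FORMAT = make_volume(16, [(0, b"\xEB\x58\x90MSDOS5.0"), (3, PHOTO)])
# TEST00-like: every cluster overwritten with zeros.
VOLUME_WIPED = make_volume(16, [])

if __name__ == "__main__":
    for name, vol in [("deleted", VOLUME_DELETED),
                      ("quick format", VOLUME_QUICK_FORMAT),
                      ("wiped", VOLUME_WIPED)]:
        hits = carve_jpegs(vol)
        print(name, [(off, len(data)) for off, data in hits])
```

The carver finds the picture in the TEST01 case just as well, because it never looks at the file system; telling allocated from deleted content is the job of a file-system-aware tool such as fls/icat from The Sleuth Kit. Two limits a carver cannot get around: it needs the image uncompressed (raw), and it recovers only contiguous files.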
Example - File System Forensics
The layers an analyst works through, from the outside in:
Volume metadata (MBR, GPT ...)
File system metadata (FAT, MFT, indexes, log files ...)
File metadata (file headers, EXIF codes ...)
File content
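The outermost of those layers in code, as an added example (not from the original slides): reading the MBR partition table from sector 0 of a raw image. The 512-byte sector is constructed here with the standard layout (four 16-byte entries at offset 446, signature 0x55AA at offset 510); the type names are the common partition type-ID values. A GPT disk carries a protective MBR with a single 0xEE entry, which the code flags so the analyst knows to parse the GPT header at LBA 1 instead.

```python
"""Added example, not from the original slides: parse the MBR partition
table (volume metadata) from the first sector of a raw image. The sample
sector is constructed by build_mbr(); names are this example's own."""
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446   # four 16-byte partition entries start here
ENTRY_SIZE = 16
SECTOR = 512         # logical sector size assumed for byte offsets

# Subset of the standard partition type-ID values.
PARTITION_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 <32M", 0x06: "FAT16", 0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)",
    0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(sector0):
    """Return the non-empty partition entries of an MBR as dicts.

    Entry layout: status (0x80 = bootable), CHS start (3 bytes, ignored),
    type, CHS end (3 bytes, ignored), start LBA, sector count, all
    little-endian. Raises ValueError if the 0x55AA boot signature is absent.
    """
    if len(sector0) < MBR_SIZE or sector0[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature (0x55AA) at offset 510")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, n_sectors = struct.unpack_from(
            "<B3xB3xII", sector0, off)
        if ptype == 0 and n_sectors == 0:
            continue  # unused slot
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "start_lba": lba_start,
            "sectors": n_sectors,
            "byte_offset": lba_start * SECTOR,  # where the volume begins in the image
        })
    return entries


def is_gpt_protective(entries):
    """A 0xEE entry means the real partition table is the GPT at LBA 1."""
    return any(e["type"] == 0xEE for e in entries)


def build_mbr(partitions):
    """Construct an MBR from (bootable, type, start_lba, sectors) tuples.
    Only used to make sample input for this example."""
    sector = bytearray(MBR_SIZE)
    for i, (bootable, ptype, start, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + i * ENTRY_SIZE,
                         0x80 if bootable else 0x00, ptype, start, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# Constructed sample: a bootable NTFS partition at sector 2048 (1 MiB, the
# usual alignment) followed by a FAT32 data partition.
SAMPLE_MBR = build_mbr([
    (True, 0x07, 2048, 204800),
    (False, 0x0C, 206848, 409600),
])

if __name__ == "__main__":
    for entry in parse_mbr(SAMPLE_MBR):
        print(entry)
```

On a real image the byte_offset is what you pass to the file-system layer (for example as the offset of the FAT boot sector or the NTFS $MFT lookup); if the MBR has been zeroed, the volumes are still there and can be found by scanning for their boot sectors, which is again carving.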
Example - File System Forensics
Preserving information integrity
• Document any operation
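The acquisition step (the dd physical image above) and the integrity rule on this slide, together in code as an added example (not from the original slides): copy a device block by block the way dd with conv=noerror,sync does, hash the image while writing it, and append a record of the operation to a log so the image can be re-verified later. All names are the example's own; the source is an ordinary file standing in for a write-blocked device such as /dev/sdb.

```python
"""Added example, not from the original slides: physical-image acquisition
that mirrors `dd conv=noerror,sync`, hashes the image as it is written and
logs the operation. Names are this example's own; the 'device' in demo()
is a constructed file."""
import hashlib
import json
import os
import tempfile
import time

BLOCK_SIZE = 4096  # hypothetical; a real run would use a larger block size


def _utc_now():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def acquire(src_path, dst_path, log_path, block_size=BLOCK_SIZE):
    """Copy src to dst block by block, hashing what is written.

    A block that cannot be read is replaced by zeros and its offset is
    recorded (what dd's conv=noerror,sync does), so later offsets in the
    image still match the device. Returns the record written to log_path.
    """
    sha = hashlib.sha256()
    unreadable = []
    started = _utc_now()
    offset = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            try:
                chunk = src.read(block_size)
            except OSError:
                unreadable.append(offset)
                chunk = b"\x00" * block_size
                src.seek(offset + block_size)
            if not chunk:
                break
            dst.write(chunk)
            sha.update(chunk)
            offset += len(chunk)
    record = {
        "tool": "acquire() example",
        "source": src_path,
        "image": dst_path,
        "started_utc": started,
        "finished_utc": _utc_now(),
        "bytes": offset,
        "unreadable_block_offsets": unreadable,
        "sha256": sha.hexdigest(),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")  # one line per documented operation
    return record


def sha256_of(path, block_size=BLOCK_SIZE):
    """Hash a file block by block (an image may be far larger than RAM)."""
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            sha.update(chunk)
    return sha.hexdigest()


def verify(image_path, record):
    """True if the image still hashes to the value taken at acquisition."""
    return sha256_of(image_path) == record["sha256"]


def demo():
    """Acquire a constructed 25,600-byte 'device', verify the image against
    both the logged hash and a fresh hash of the source, then show that a
    single appended byte is detected. Returns the results."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "evidence.bin")
    img = os.path.join(work, "image.raw")
    log = os.path.join(work, "acquisition.log")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 100)  # constructed sample content
    record = acquire(src, img, log)
    intact = verify(img, record) and record["sha256"] == sha256_of(src)
    with open(img, "ab") as f:
        f.write(b"\x00")  # tamper with the image
    return {"record": record, "intact": intact, "after_tamper": verify(img, record)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log line is the "document any operation" part: tool, source, destination, timestamps, size, unreadable blocks and hash, written before the analyst touches the image. If the device had unreadable sectors the device hash and image hash cannot agree, which is exactly why the zeroed offsets are recorded.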
Evaluating Digital Evidence – The Daubert Standard (Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993))
a. Empirical testing: whether the theory or technique is falsifiable, refutable, and/or testable
b. Whether it has been subjected to peer review and publication
c. The known or potential error rate
d. The existence and maintenance of standards and controls concerning its operation
e. The degree to which the theory or technique is generally accepted by the relevant scientific community
Evaluating Digital Evidence – FRE 702 (Federal Rules of Evidence)
Rule 702. Testimony by Expert Witnesses
A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:
(a) the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;
(b) the testimony is based on sufficient facts or data;
(c) the testimony is the product of reliable principles and methods; and
(d) the expert has reliably applied the principles and methods to the facts of the case.
Example - File System Forensics
A GPS navigation device was imaged; all strings longer than 8 characters (ASCII or Unicode, i.e. UTF-16LE) were carved from the image with Sysinternals strings.exe.
Note: carving works on the raw bytes, so the image must be available as an uncompressed RAW file (an EWF or AFF image has to be exported or mounted as raw first).
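The same carving step in code, as an added example (not from the original slides): extract every run of at least 8 printable characters, in ASCII and in UTF-16LE (what strings.exe calls Unicode), together with its byte offset, from a raw image. The sample "image" is constructed inline from a UTF-16LE address string and an ASCII NMEA sentence; the names are the example's own.

```python
"""Added example, not from the original slides: carve printable strings of
at least 8 characters, ASCII and UTF-16LE (strings.exe's "Unicode"), with
their byte offsets, from a raw image. The sample image is constructed here."""
import re

MIN_LEN = 8  # the minimum used on the GPS image in the slide


def carve_strings(image, min_len=MIN_LEN):
    """Return [(offset, encoding, text)] sorted by offset.

    Byte-oriented: no file system is consulted, so deleted and allocated
    content are treated alike, but the input must be an uncompressed image.
    """
    # Printable ASCII (space .. '~') and tab, min_len times or more.
    ascii_re = re.compile(rb"[\x20-\x7E\t]{%d,}" % min_len)
    # The same characters as UTF-16LE: each followed by a zero byte.
    utf16_re = re.compile(rb"(?:[\x20-\x7E\t]\x00){%d,}" % min_len)
    hits = []
    for m in ascii_re.finditer(image):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(image):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    hits.sort()
    return hits


def make_sample_image():
    """Constructed fragment of a GPS device image: a destination stored
    as UTF-16LE, an NMEA sentence stored as ASCII, and filler around them."""
    destination = "Via Ferrata 5, Pavia".encode("utf-16-le")  # 40 bytes
    nmea = b"$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A"
    too_short = b"abc\x00\x00"  # 3 printable bytes: below the minimum
    return b"\x00" * 16 + destination + b"\x00" * 7 + too_short + nmea + b"\xFF" * 8


if __name__ == "__main__":
    for offset, enc, text in carve_strings(make_sample_image()):
        print("%08x %-8s %s" % (offset, enc, text))
```

The offset is what makes a hit usable as evidence: it lets you go back to the image, see which partition and cluster the bytes sit in, and ask the file-system layer whether that cluster is allocated, deleted or slack space.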
Friends, Romans, countrymen, lend me your ears;
I come to bury Caesar, not to praise him.
The evil that men do lives after them
(Shakespeare, Julius Caesar, Act III, Scene 2)
One final question: