1

Antonio Barili – Digital Forensics Lab Dept. of Industrial and Information Engineering University of Pavia (Italy)

antonio.barili@unipv.it

Digital Forensics

A Short Introduction to Digital and File System Forensics

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 2

Edmond Locard

(1877-1966)

“Every contact leaves a trace”

Victim

Culprit

Scene

2

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 3

Exchange of Energy

Exchange of Information

Exchange of Matter

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 4

Digital Forensics

The uncovering and examinaton of artifacts with evidentiary value located on all kind of electronic devices

3

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 5

The Challenges of Digital Forensics

• Data authenticity and volatility

• Data scale

• Data variety

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 6

The Purposes of Digital Forensics

• Find evidence of crimes that took place in the real world (e.g. stalking, murder)

• Find evidence of crimes that inherently involved a computer system (e.g. hacking)

4

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 7

Why is Digital Forensics so powerful ?

• Computer system store a vast amount of information

• Intentionally (documents, databases, log files)

• Unintentionally (partially erased documents and other artifacts)

• Computer systems are windows into the past !!!

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 8

What makes Digital Evidence different from traditional forms of evidence

• Witnesses can testify in Courts

• Traditional documents may be directly evaluated by judges and jurors

• Digital Evidence needs and expert witness to be translated into meaningful evidence to the Court

5

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 9

Useful byproducts of Digital Forensics

• Data recovery

• Auditing and incident response

• Security testing of hardware and services

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 10

Digital Forensics Procedures and methods

• Legal issues

• Technical issues

• The bound is not what is technically possible, but what is cost-effective for a particular case

6

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 11

The Digital Forensics Model (RFC 3227 / 2002)

• Identification

• Acquisition

• Preservation

• Analysis

• Presentation

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 12

The Digital Forensics Model - Acquisition

• Physical images (disk images)

• Logical images (documents and files)

• Live data capture (memory dumps)

• Network data capture (logfiles, packet capture)

7

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 13

Example - File System Forensic

dd if=/dev/sdb of=/temp/image.raw

Forensic image formats: RAW (DD), EWF; AFF

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 14

Example - File System Forensics

dd if=/dev/sdb of=/temp/image.raw

Write Blockers preserve original evidence from tampering

8

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 15

Example - File System Forensics

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 16

Example - File System Forensics – DEMO

• TEST00 – FORMATTED AND WIPED

• TEST01 – JPEG IMAGE ALLOCATED

• TEST02 – JPEG IMAGE DELETED

• TEST03 – FORMATTED (NOT WIPED)

Example - File System Forensics

9

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 17

Example - File System Forensics

Volume metadata (MBR, GPT ...)

File System metadata (FAT, MFT, indexes, logfiles ...)

File metadata (file headers, EXIF codes ...)

File content

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 18

Example - File System Forensics

Preserving information integrity

• Document any operation

• Chain of custody

• Hashing

10

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 19

Evaluating Digital Evidences – The Daubert Standard

a. Empirical testing: whether the theory or technique is falsifiable, refutable, and/or testable

b. Whether it has been subjected to peer review and publication

c. The known or potential error rate

d. The existence and maintenance of standards and controls concerning its operation

e. The degree to which the theory and technique is generally accepted by a relevant scientific community

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 20

Evaluating Digital Evidences – FRE 702

702. TESTIMONY BY EXPERT WITNESSES

A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:

(a) The expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;

(b) The testimony is based on sufficient facts or data;

(c) The testimony is the product of reliable principles and methods; and

(d) The expert has reliably applied the principles and methods to the facts of the case.

11

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 21

A GPS Navigation Device was imaged, all strings longer than 8 chars (ascii or unicode) were carved from the image using sysinternals string.exe

Note: carving requires the image to be mounted as a RAW (uncompressed) file

Example - File System Forensics

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 22

Friends, Romans, countrymen, lend me your ears

I come to bury Caesar, not to praise him.

The evil that men do lives after them

The good is oft interred with their bones

… FaceBook was yet to come !

One final question:

Is digital evidence that much fragile ?

12

Digital Forensics A Short Introduction to Digital and File System Forensics

© 2015 - Università degli Studi di Pavia - Antonio Barili 23

References

[1] Garfinkel, S. L., “Digital forensics,” Am. Sci., vol. 101, no. 5, pp. 370–377, 2013.

[2] Carrier, B., “File system forensic analysis,” Addison-Wesley, 2005.

© 2015 - Università degli Studi di Pavia - Antonio Barili 24

Thank You !