Selective and Intelligent Imaging Using Digital Evidence Bags
Bit-Stream imaging
Bit-by-bit copy from source drive to a forensic image
Small drives
• Effective
• Quick
Large drives
• Resource-consuming
• Time-consuming
[Diagram: Source → Image]
Bit-Stream imaging
May not be best to implement all the time
More useful imaging:
• Specify information to include
• Sort relevant data
Keep the process simple, but more effective than simple bit-stream imaging
Selective Imaging
Improvement on bit-stream imaging
Decides what content to include in the image based on some criteria
• File type (pictures, email logs, etc.)
• Creation date
Used for multiple reasons
• Large drive
• Infeasible to make complete image
• Legal requirements
Selective Imaging
Manual
• Forensic investigator arbitrarily decides what files to include in the image
• File browser is used to navigate the file system
• Image is created based on the selections
Multiple types of selective imaging
Different modes of operation for each
[Diagram: File.doc selected by hand from the file browser]
Selective Imaging
Semi-Automatic
• Forensic investigator uses categories of information or other criteria to decide what files to include
  o File extension
  o Signature
  o Hash
• Imager includes files satisfying the criteria
[Diagram: Criteria → Image containing .JPG, .DOC, .DOC]
Selective Imaging
Automatic
• Forensic investigator specifies source drive and destination target for the image
• Imaging application collects the relevant evidence
• Uses configuration files to decide what information to include
• Configuration files defined before run time (usually specific to the case)
[Diagram: Source Drive + Imager Config. → Image Destination]
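As an added example (not code from the slides or from any DEB imager), a Python sketch of the semi-automatic criteria above: extension, signature and hash matching, with the criterion that matched recorded per file so the reason for inclusion is kept alongside the selection. The signature table, sample files and known-hash set are constructed here.

```python
import hashlib

# Constructed signature table: leading magic bytes for a few file types an examiner
# might select on (the well-known file headers for these formats).
SIGNATURES = {"jpg": b"\xff\xd8\xff", "pdf": b"%PDF-", "zip": b"PK\x03\x04"}

def ext_of(name):
    """Extension criterion: what the file name claims the file is."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def sig_of(data):
    """Signature criterion: what the file content says it is (empty if unknown)."""
    for ext, magic in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return ""

def select_files(files, criteria):
    """Semi-automatic selection: a file is included when any criterion matches.
    files: {name: bytes}; criteria: {"ext": {...}, "sig": {...}, "hash": {md5 hex, ...}}.
    Returns {name: [criteria that matched]} so the reason for inclusion is not lost."""
    chosen = {}
    for name, data in files.items():
        reasons = []
        if ext_of(name) in criteria.get("ext", set()):
            reasons.append("ext")
        if sig_of(data) in criteria.get("sig", set()):
            reasons.append("sig")
        if hashlib.md5(data).hexdigest() in criteria.get("hash", set()):
            reasons.append("hash")
        if reasons:
            chosen[name] = reasons
    return chosen

# Constructed sample file system: one real JPEG, one JPEG renamed to .txt, one text file.
FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
    "notes.txt": b"\xff\xd8\xff\xe0" + b"\x01" * 20,
    "readme.txt": b"plain text",
}
KNOWN_HASHES = {hashlib.md5(b"plain text").hexdigest()}
```

Selecting on extension alone misses the renamed JPEG; the signature criterion catches it, which is why the recorded reason matters when the selection is later questioned.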
Selective Imaging
Imaging options can get very complex
No way of keeping track of where the data came from originally
Data origin includes:
• Physical sector location (data runs)
• Logical cluster location (start of volume + offset)
• Folder location (path from root folder)
[Diagram: Data in the image whose origin is unknown (?)]
Intelligent Imaging
Another way to improve on bit-stream imaging
Capture knowledge of domain experts to use in an intelligent system
Nontechnical users can acquire and analyze an image
• Choose the case type
• Imager acquires relevant information
• Based on expert knowledge of the case type
[Diagram: Intelligent Imager]
Intelligent Imaging
Meant to alert investigator of information categories outside initial line of inquiry
Not supposed to decide what to capture in the image
Difficulties:
• How do you get the expert knowledge?
• How do you know nothing is missing?
Imaging Problems
Selective and intelligent imaging offer more options than bit-stream imaging
However, no current (2006) tool implements selective or intelligent imaging while recording origin of information
No method records how an examiner or imager decided what to acquire
• Manual mode?
• Categories of information?
• Signatures?
DEBs
Selective and intelligent imagers can produce Digital Evidence Bags (DEBs)
Universal container for digital information
• Supports any source drive
• Data origin recorded, maintained
• Encapsulated (DEBs inside DEBs)
DEBs
A homogeneous DEB is produced even if there are:
• Different drive sources
• Different imagers
• Device-specific imagers
Analysis and examination applications would be compatible with DEBs, independent of drive source
DEBs
Source drives
• Drives with information to capture
DEBs
Selective/Intelligent Imager
• Imager application
• Acquires relevant information from source drives
DEBs
Category Definition File & Imager Configuration File
• Additional information for imager decisions
DEBs
Digital Evidence Bag
• Produced by Selective/Intelligent Imager from source drives
• Contains captured information
DEBs
Dynamic creation
Imager able to create a DEB regardless of mode of operation
• Manual
• Semi-Automatic
• Automatic
Mode of operation also recorded in the DEB
DEBs
DEB components:
• .tag files
• .index files
• .bag files
Evidence Unit (EU):
• .index + .bag files
DEBs
.tag files
Plaintext file with sections
.tag sections:
• [DEB Header]
• [Evidence Units]
• [DEB Footer]
• [TCB]
[DEB Header]
Contains metadata about the DEB and Index Format
DEBs
[DEB Header]
Metadata:
• Investigator(s)
• Creation timestamp
• Description of evidence
  o What evidence was collected
  o Where evidence was collected
  o When evidence was collected
DEBs
[DEB Header]
Index Format specifies the default content sequence of DEB .index files
Defines layout of information in an .index file
.index files are defined by meta-tags that store information captured from a device
DEBs
.index file meta-tags categories:
• Labels
  o File name/path (F), origin description (P), file attributes (Fa), command (C)
• Timestamps
  o Last modified (Tmod), accessed (Tacc), created (Tcrea)
• Numeric
  o Physical sector (PS), logical cluster number (LCN), file logical size (Fls), file physical size (Fps)
• Integrity
  o MD5 hash (Hmd5), SHA hash (Hsha)
Index Format: F LCN PS Fa Tacc Tmod Tcre Fls Fps Hmd5
DEBs
[Evidence Units]
Records all EUs created in the DEB and their content type
EU integrity hashes:
• .index file hash
• .bag file hash
Format:
EU = ##
IndexHash = <Hash>
BagHash = <Hash>
ContentType = <Type>
DEBs
[Evidence Units]
The content of the first EU (Evidence Unit 0) is reserved for case notes and metadata about the case:
• Imager used to create DEB
  o Version number
  o Integrity hash
  o Configuration file
  o Capture criteria
• Additional information
  o Photos
  o Text
DEBs
[Evidence Units]
The content of the rest of the EUs is defined by the examiner
Based on:
• Case requirements
• Configuration of imager tool
DEBs
[Evidence Units]
Content types:
• ContentType-Sig=<File signatures>
• ContentType-Ext=<File extensions>
• ContentType-Cat=<Category type>
• ContentType-Manual=<label>
  o Manually selected contents
• ContentType-CLI=<label>
  o Contents from command line
DEBs
[DEB Footer]
Records the number of EUs in a DEB, includes the .tag file integrity hash
DEBs
[TCB]
Tag continuity blocks (not pictured)
• Appended at the end of the DEB .tag file whenever accessed or analyzed
• Records application function, signature, and timestamp of access
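An added example, not code from the slides or from the DEB implementation they describe, of reading the sectioned .tag layout above ([DEB Header], [Evidence Units], [DEB Footer], [TCB]), checking an EU's .index and .bag files against the hashes recorded for it, and appending a [TCB] block on access. The header and TCB key names, SHA-256 for the EU hashes and HMAC-SHA256 for the TCB signature are assumptions; the sample DEB is constructed.

```python
import hashlib
import hmac

def parse_tag(text):
    """Split a DEB .tag file into its [sections]: {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key, value))
    return sections

def evidence_units(sections):
    """Group the repeated 'EU = ##' blocks of [Evidence Units] into one dict per EU."""
    units, eu = [], None
    for key, value in sections.get("Evidence Units", []):
        if key == "EU":
            eu = {"EU": value}
            units.append(eu)
        elif eu is not None:
            eu[key] = value
    return units

def verify_eu(unit, index_bytes, bag_bytes):
    """True if the EU's .index/.bag bytes match the hashes in the .tag (SHA-256 assumed)."""
    return (unit.get("IndexHash") == hashlib.sha256(index_bytes).hexdigest()
            and unit.get("BagHash") == hashlib.sha256(bag_bytes).hexdigest())

def append_tcb(tag_text, function, timestamp, key):
    """Append a Tag Continuity Block recording an access: application function, timestamp
    and a signature (assumed here to be HMAC-SHA256 over the tag text as it stood)."""
    sig = hmac.new(key, tag_text.encode(), hashlib.sha256).hexdigest()
    return f"{tag_text}\n[TCB]\nFunction = {function}\nTimestamp = {timestamp}\nSignature = {sig}\n"

# Constructed sample DEB with a single evidence unit (EU 00 = case notes); the key
# names Investigator, Created, IndexFormat and EUCount are assumptions.
INDEX_0 = b"F LCN PS Fa Tacc Tmod Tcre Fls Fps Hmd5\nnotes.txt - - - - - - 49 49 -\n"
BAG_0 = b"Case notes: constructed sample, not a real case.\n"
SAMPLE_TAG = (
    "[DEB Header]\nInvestigator = A. Examiner\nCreated = 2006-08-14T10:22:00Z\n"
    "IndexFormat = F LCN PS Fa Tacc Tmod Tcre Fls Fps Hmd5\n"
    f"[Evidence Units]\nEU = 00\nIndexHash = {hashlib.sha256(INDEX_0).hexdigest()}\n"
    f"BagHash = {hashlib.sha256(BAG_0).hexdigest()}\nContentType-Manual = case notes\n"
    "[DEB Footer]\nEUCount = 1\n"
)
```

Each access appends another [TCB] block; parse_tag merges repeated sections into one list, so the full access history is read back in order.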
DEBs
.index files
Contains metadata about information contained in the DEB Evidence Unit
Uses meta-tags to organize metadata
DEBs
.bag files
Concatenation of imager-generated binary information
• Referenced by each entry in the corresponding index file
DEBs
The Ultimate Test
Ultimate test for any imager and container that does not generate or store standard bit-stream images:
• Imaging method and container must store enough information about the origin of data captured so that when the information is restored it is identical to what would have been acquired with bit-stream imaging
To do this you must have an application able to process the DEB .index file physical data locations in ascending order and generate a hash over the .bag contents
This would generate an image with the same contents as a bit-stream image
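The ultimate test as an added Python example (not from the slides or from any DEB tool): a simulated selective imager records F, PS, Fps and Hmd5 per entry, and the restore routine writes the .bag runs back in ascending physical sector order and compares the rebuilt image's hash with the source drive's. The 512-byte sector size, the BagOffset field and the sample drive are constructed assumptions.

```python
import hashlib

SECTOR = 512  # sector size assumed for the constructed drive

def make_drive(n_sectors, runs):
    """Constructed source drive: zero-filled sectors with (sector, payload) runs written in."""
    drive = bytearray(n_sectors * SECTOR)
    for ps, payload in runs:
        drive[ps * SECTOR:ps * SECTOR + len(payload)] = payload
    return bytes(drive)

def selective_image(drive, files):
    """Simulated selective imager: copies only the chosen files' data runs into a .bag and
    records F, PS, Fps and Hmd5 per entry (a subset of the slides' index format). BagOffset,
    the entry's reference into the .bag, is an assumption."""
    index, bag = [], bytearray()
    for name, ps, n_sectors in files:
        data = drive[ps * SECTOR:(ps + n_sectors) * SECTOR]
        index.append({"F": name, "PS": ps, "Fps": len(data), "BagOffset": len(bag),
                      "Hmd5": hashlib.md5(data).hexdigest()})
        bag += data
    return index, bytes(bag)

def restore(index, bag, n_sectors):
    """The ultimate test: walk the .index in ascending physical sector order and write each
    .bag run back at its recorded sector, checking Hmd5 before placing it."""
    image = bytearray(n_sectors * SECTOR)
    for e in sorted(index, key=lambda e: e["PS"]):
        data = bag[e["BagOffset"]:e["BagOffset"] + e["Fps"]]
        if hashlib.md5(data).hexdigest() != e["Hmd5"]:
            raise ValueError(f"{e['F']}: .bag data does not match index hash")
        image[e["PS"] * SECTOR:e["PS"] * SECTOR + e["Fps"]] = data
    return bytes(image)

def bitstream_equivalent(drive, index, bag):
    """True when the image rebuilt from the DEB hashes identically to a bit-stream copy."""
    rebuilt = restore(index, bag, len(drive) // SECTOR)
    return hashlib.sha256(rebuilt).digest() == hashlib.sha256(drive).digest()

# Constructed 16-sector drive: a JPEG-like run at sector 2 and a DOC-like run at sector 9,
# captured by the imager in non-ascending order.
DRIVE = make_drive(16, [(2, b"\xff\xd8\xff\xe0 jpeg-like " * 40), (9, b"doc-like " * 10)])
FILES = [("b.doc", 9, 1), ("a.jpg", 2, 2)]
```

Dropping either file from the capture makes the rebuilt image hash differently from the drive, which is exactly what the test is meant to expose.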
Conclusion
Many options exist for selective capturing of information
The container in which the captured information is stored is also important in order to ensure:
• Defined structure
• Unhindered examination
We can better understand the selective approach by following the techniques described
References
• http://www.dfrws.org/2006/proceedings/8-Turner.pdf