Agenda Who we are and what we do and bla bla bla Gap analysis , based upon survey and user experience between the current state of the art in forensic analysis and Autopsy. PTK : an interesting potential alternative Project Roadmap

Who we are and what we do and bla bla bla

Gap analysis , based upon survey and user experience between the current state of the art in forensic analysis and Autopsy.

PTK : an interesting potential alternative

Project Roadmap

The speaker: Former Italian Police Officer, now faculty university of Milano at Crema DFRWS, IJDI (elsevier) and SADFE Technical Commitee Founder and Ceo of the IRItaly Project (University of Milano) and DFLabs Italy The IRItaly Project 10 people between undergraduate, post graduate and research students Focused on research and development in Incident Response and Digital Forensics since 2002 Supported by DFLabs Data Security (www.dflabs.com)‏ Who we are

The speaker: Former Italian Police Officer, now faculty university of Milano at Crema

DFRWS, IJDI (elsevier) and SADFE Technical Commitee

Founder and Ceo of the IRItaly Project (University of Milano) and DFLabs Italy

The IRItaly Project

10 people between undergraduate, post graduate and research students

Focused on research and development in Incident Response and Digital Forensics since 2002

Supported by DFLabs Data Security (www.dflabs.com)‏

The IRItaly Team Examinated the usability and the performance of the Autopsy Forensic browser, with particular reference to: Usability and “friendship” of the interface Time required to perform a single operation/task Lack of features/need of improvement Gap analysis

The IRItaly Team Examinated the usability and the performance of the Autopsy Forensic browser, with particular reference to:

Usability and “friendship” of the interface

Time required to perform a single operation/task

Lack of features/need of improvement

The current interface is a bit outdated It is not easy to use nor frendly Autopsy: the “limits” (1)‏

The current interface is a bit outdated

It is not easy to use nor frendly

The case management section is a bit too complex. It can be simplified Autopsy: the “limits” (2)‏

The case management section is a bit too complex. It can be simplified

File activity timeline not that functional and is also a bit difficult to consult Autopsy: the “limits” (3)‏

File activity timeline not that functional and is also a bit difficult to consult

There is not an effective bookmark facility: “ notes” are the only way to include informations and comments. Anyway, the note management system is not effectively structured. There is no dedicated function for report generation and/or exporting. Unless an external plug in is used, there is no “ Gallery ” feature in the “analysis” zone, to visualize and manage the graphical evidences. Autopsy: the “limits” (4)‏

There is not an effective bookmark facility:

“ notes” are the only way to include informations and comments.

Anyway, the note management system is not effectively structured.

There is no dedicated function for report generation and/or exporting.

Unless an external plug in is used, there is no “ Gallery ” feature in the “analysis” zone, to visualize and manage the graphical evidences.

Case export and sharing: may be difficult in case more investigators need to work at the same case from different machines. For instance: Exporting a case to a second forensic workstation. Performing a backup of a case and/or copying it/duplicating it to reduce the workload. Main consequence: lack of syncronization between the several duplicated copies. Autopsy: the “limits” (5)‏

Case export and sharing: may be difficult in case more investigators need to work at the same case from different machines. For instance:

Exporting a case to a second forensic workstation.

Performing a backup of a case and/or copying it/duplicating it to reduce the workload.

Main consequence: lack of syncronization between the several duplicated copies.

A new advanced interface for “The Sleuth Kit” Improved Usability Ajax Based Dynamic web application with a centralized database . Now more investigators will be able to better work on the same case simultaneously. Preliminar indexing phase , and case features shared between multiple investigators. The preliminary tests conducted did not highlighted any potential problem. Many browser are supported. An alternative: PTK ‏

A new advanced interface for “The Sleuth Kit”

Improved Usability

Ajax Based

Dynamic web application with a centralized database . Now more investigators will be able to better work on the same case simultaneously.

Preliminar indexing phase , and case features shared between multiple investigators.

The preliminary tests conducted did not highlighted any potential problem.

Many browser are supported.

Login interface ‏

String extraction (Ascii & Unicode) from the space: Allocated Unallocated Slack (NTFS and FAT)‏ Identification of the know(n) good and the know(n) bad . File content type File Signature analysis File extension Mismatch File categorization (graphics, documents, executables etc...) ‏ Preliminary indexing (1)‏

String extraction (Ascii & Unicode) from the space:

Allocated

Unallocated

Slack (NTFS and FAT)‏

Identification of the know(n) good and the know(n) bad .

File content type

File Signature analysis

File extension Mismatch

File categorization (graphics, documents, executables etc...) ‏

Metadata and hash generation of the files present on the disc Timeline generation File carving (Lazarus, Foremost, Scalpel)‏ The results of the preliminary operations are stored into the database for a better and faster interrogation/inquiry The remanent features (i.e: file and directory export) can be executed on user demand, directly on the disk image)‏ Preliminary indexing (2)‏

Metadata and hash generation of the files present on the disc

Timeline generation

File carving (Lazarus, Foremost, Scalpel)‏

The results of the preliminary operations are stored into the database for a better and faster interrogation/inquiry

The remanent features (i.e: file and directory export) can be executed on user demand, directly on the disk image)‏

PTK uses a centralized database for the case management; thus, more investigators can work on the same case from different machines and simultaneously , after the preliminary operations The PTK DBMS of backend take charge of the concurrency management With reference to the selected operations: Simultaneous access to the same case Sequential access to the same case (lock)‏ Concurrent work in PTK ‏

PTK uses a centralized database for the case management; thus, more investigators can work on the same case from different machines and simultaneously , after the preliminary operations

The PTK DBMS of backend take charge of the concurrency management

With reference to the selected operations:

Simultaneous access to the same case

Sequential access to the same case (lock)‏

Roles and Tasks ‏ ADMINISTRATOR INVESTIGATOR NEW CASE CREATION CASE REMOVAL CASE LOCKING DISPLAY CASE INFORMATIONS ADDING NEW IMAGE IMAGE REMOVAL DISPLAY IMAGE INFORMATIONS IMAGE ANALYSIS INTEGRITY CHECK BOOKMARK GENERATION

Administrator may add new cases and select the related investigator who will be able to get access to them. Concurrent work under PTK (1)

More investigators are able to work at the same case simultaneously Concurrent work under PTK (2)

Administrator activates the Lock to CASE1 Concurrent work under PTK (3)

Now, only the Administrator can get access to CASE1, while the case itself is locked to the others. Concurrent work under PTK (4)

the number of page (more than 10) required to manage cases and host is too high. It is not possible to delete (from the interface) the case and the host which are closed/old Autopsy: Cases and host Mgt

the number of page (more than 10) required to manage cases and host is too high.

It is not possible to delete (from the interface) the case and the host which are closed/old

With PTK the page number has been reduced. Now, depending on the role, it is possible to do (from a single page): case creation case information visualization case deletion linking the investigators to a particular case defining the indexing options There is no more separation between cases and hosts: images are directly linked to cases. PTK: managing cases (1)

With PTK the page number has been reduced. Now, depending on the role, it is possible to do (from a single page):

case creation

case information visualization

case deletion

linking the investigators to a particular case

defining the indexing options

There is no more separation between cases and hosts: images are directly linked to cases.

PTK: managing cases (2)

PTK: case details

High page number to manage host related disk images. it is not possible to delete the disk images from the interface. Autopsy: managing disk images

High page number to manage host related disk images.

it is not possible to delete the disk images from the interface.

PTK drastically reduced the pages necessary to manage the disk images and the related partitions. From a single page is now possible (depending from the roles): adding a new disk image to a case visualizing the informations related to an image deleting a disk image choosing different operations that might be done on a particular disk image PTK: managing disk images (1)‏

PTK drastically reduced the pages necessary to manage the disk images and the related partitions. From a single page is now possible (depending from the roles):

adding a new disk image to a case

visualizing the informations related to an image

deleting a disk image

choosing different operations that might be done on a particular disk image

PTK: managing disk images (2)‏

PTK: adding new evidences

We added a new info-zone able to recap infos about cases , host , disk images and investigators . With the info-zone users will have a valid instrument to control operations and fastly navigating inside the cases. PTK: info-zone (1)

case name image name PTK: info-zone (2)

case name

image name

investigator name Logout access to the settings of PTK PTK: info-zone (3)

investigator name

Logout

access to the settings of PTK

It is now possible to verify the integrity of the disk images and the files, via MD5 e SHA1 in Autopsy only MD5 was available. Fast access from every page to the integrity check functions PTK: data integrity

It is now possible to verify the integrity of the disk images and the files, via MD5 e SHA1

in Autopsy only MD5 was available.

Fast access from every page to the integrity check functions

Timezone is now applicable from a template list BEFORE (Autopsy) AFTER (PTK) PTK: timezone

Timezone is now applicable from a template list

Before a manual insertion of the path was needed Now, with PTK it is not needed anymore PTK: file browsing BEFORE (Autopsy) AFTER (PTK)

Before a manual insertion of the path was needed

Now, with PTK it is not needed anymore

The investigator is associated to the application user. Now you don’t need it to repeat the operation every time. PTK: investigators (1) BEFORE (Autopsy) AFTER (PTK)

The investigator is associated to the application user.

Now you don’t need it to repeat the operation every time.

PTK: investigators (2) ‏

We added a field called “ description ” to cases and images With Autopsy the description was possible just with the hosts. PTK: description field‏

We added a field called “ description ” to cases and images

With Autopsy the description was possible just with the hosts.

PTK introduced several new features, useful for the analysis: Tree view with listing of directory and file. Tabbed browsing to visualize the content of the files File bookmarking system Image gallery PTK: analysis (1)

PTK introduced several new features, useful for the analysis:

Tree view with listing of directory and file.

Tabbed browsing to visualize the content of the files

File bookmarking system

Image gallery

We added some features to the existing ones: File analysis Keyword search File type Image details Meta data Data unit Gallery Bookmark PTK: analysis (2)

We added some features to the existing ones:

File analysis

Keyword search

File type

Image details

Meta data

Data unit

Gallery

Bookmark

PTK: file analysis (1) ‏

PTK: file analysis (2) ‏

PTK: gallery

PTK: image details

PTK is a forensic analysis interface, it is not strictly devoted to incident response Its scope is helping small groups of investigators to reach the goal with reduced budget It does not substitute commercial products, it can help for adequate size cases Can be furtherly enhanced with the concurrent engineering and development participation PTK: some considerations

PTK is a forensic analysis interface, it is not strictly devoted to incident response

Its scope is helping small groups of investigators to reach the goal with reduced budget

It does not substitute commercial products, it can help for adequate size cases

Can be furtherly enhanced with the concurrent engineering and development participation

It is a web application based upon LAMP: Linux + Apache + MySql + PHP It is easy to integrate and develop. Easy to access from different browsers and operating systems. Confidentiality is supported by the use of SSL and other security measures PTK: LAMP based application (1) ‏

It is a web application based upon LAMP: Linux + Apache + MySql + PHP

It is easy to integrate and develop.

Easy to access from different browsers and operating systems.

Confidentiality is supported by the use of SSL and other security measures

PTK: LAMP based application (2) ‏

Autopsy stores the data into the File System Low security level, since the sensitive data are on the file system and cannot be actually protected. Low data access efficiency: each time the investigator get access to the files a parsing of the files where the infos are archived is required The synchronization can only be manual and difficult to perform Autopsy: data storage

Autopsy stores the data into the File System

Low security level, since the sensitive data are on the file system and cannot be actually protected.

Low data access efficiency: each time the investigator get access to the files a parsing of the files where the infos are archived is required

The synchronization can only be manual and difficult to perform

PTK introduce a MySql database User passwords are encrypted Enhanced db protection Data access is faster and easier The sensitive infos are not in the file system anymore Concurrent examination, more investigators on the same db PTK: Data Storage

PTK introduce a MySql database

User passwords are encrypted

Enhanced db protection

Data access is faster and easier

The sensitive infos are not in the file system anymore

Concurrent examination, more investigators on the same db

All the operations can be logged, thanks to a logging subsystem: Timestamp IP client Username Action performed The administrator can also view the log via his interface. PTK: log activity

All the operations can be logged, thanks to a logging subsystem:

Timestamp

IP client

Username

Action performed

The administrator can also view the log via his interface.

It is not just cutest but also more effective More dynamic More usable The page loads are reduced rather than Autopsy Better application performances PTK: why Ajax?

It is not just cutest but also more effective

More dynamic

More usable

The page loads are reduced rather than Autopsy

Better application performances

NB: PTK is a web application for workgroup use. It must be used according to the forensics fundamentals ( the lab network must be separated by the rest of the world ). furthermore, during the PTK development, several programming counter measure have been adopted, to guarantee the right protection against the potential threats PTK: Security in Ajax (1)‏

XSS prevention : the user does not pass thru pages which show GET variables “ middle pages” which use GET variables, employ such variables to create SQL query, not for html code generation the variables were checked against “dangerous characters” every single user input is sceened (parsed) and secured. PTK: Security in Ajax (2)‏

XSS prevention :

the user does not pass thru pages which show GET variables

“ middle pages” which use GET variables, employ such variables to create SQL query, not for html code generation

the variables were checked against “dangerous characters”

every single user input is sceened (parsed) and secured.

SQL Injection prevention : user input control/verification addiction of escape sequences to the special characters present in the SQL instruction strings Ajax Bridging prevention : PTK does not use Ajax Bridging No Javascript code import from external sites No external components required (no contacts with any external untrusted source) PTK: Security in Ajax (3)‏

SQL Injection prevention :

user input control/verification

addiction of escape sequences to the special characters present in the SQL instruction strings

Ajax Bridging prevention :

PTK does not use Ajax Bridging

No Javascript code import from external sites

No external components required (no contacts with any external untrusted source)

Timeline improvement Better reporting features TXT, PDF, HTML, XML Advanced bookmark management Hash set management Creation, import and modification of the hashsets Windows artifact Browser history, recycled bin Recursive export of folders or part of the case PTK: further developments ‏

Timeline improvement

Better reporting features

TXT, PDF, HTML, XML

Advanced bookmark management

Hash set management

Creation, import and modification of the hashsets

Windows artifact

Browser history, recycled bin

Recursive export of folders or part of the case

The core is ready and being tested by our developers March 30 the alpha test will start , volunteers needed May 1 the beta test will start volunteers needed Sept 1 the tool will be released PTK: Project Timeline ‏

The core is ready and being tested by our developers

March 30 the alpha test will start , volunteers needed

May 1 the beta test will start volunteers needed

Sept 1 the tool will be released

How you can help? Test test test, and give structured feedback Develop specific parts of the software Code review IRItaly/DFLabs team will finally approve and include the code into the updates The software will be free. More infos : http://ptk.dflabs.com PTK: Project Management

How you can help?

Test test test, and give structured feedback

Develop specific parts of the software

Code review

IRItaly/DFLabs team will finally approve and include the code into the updates

The software will be free.

More infos : http://ptk.dflabs.com

Questions?

Dario V Forte, CFE, CISM The IRItaly Project at University of Milano www.dflabs.com [email_address] Thanks