PTK First Presenation

From mizambo, 2 months ago

The new interface for Sleuth Kit.

Slideshow transcript

Slide 2: Agenda
- Who we are and what we do, and bla bla bla
- Gap analysis, based upon a survey and user experience, between the current state of the art in forensic analysis and Autopsy
- PTK: an interesting potential alternative
- Project roadmap

Slide 3: Who we are
- The speaker: former Italian Police Officer, now faculty at the University of Milano at Crema
  - DFRWS, IJDI (Elsevier) and SADFE Technical Committee
  - Founder and CEO of the IRItaly Project (University of Milano) and DFLabs Italy
- The IRItaly Project
  - 10 people, between undergraduate, postgraduate and research students
  - Focused on research and development in Incident Response and Digital Forensics since 2002
  - Supported by DFLabs Data Security (www.dflabs.com)

Slide 4: Gap analysis
- The IRItaly Team examined the usability and the performance of the Autopsy Forensic Browser, with particular reference to:
  - usability and "friendliness" of the interface
  - time required to perform a single operation/task
  - lack of features / need for improvement

Slide 5: Autopsy: the "limits" (1)
- The current interface is a bit outdated
- It is neither easy to use nor friendly

Slide 6: Autopsy: the "limits" (2)
- The case management section is a bit too complex; it can be simplified

Slide 7: Autopsy: the "limits" (3)
- The file activity timeline is not that functional and is also a bit difficult to consult

Slide 8: Autopsy: the "limits" (4)
- There is no effective bookmark facility:
  - "notes" are the only way to include information and comments
  - the note management system is not effectively structured
  - there is no dedicated function for report generation and/or export
- Unless an external plug-in is used, there is no "Gallery" feature in the "analysis" zone to visualize and manage graphical evidence

Slide 9: Autopsy: the "limits" (5)
- Case export and sharing may be difficult when several investigators need to work on the same case from different machines. For instance:
  - exporting a case to a second forensic workstation
  - performing a backup of a case and/or copying/duplicating it to reduce the workload
  Main consequence: lack of synchronization between the several duplicated copies

Slide 10: An alternative: PTK
- A new advanced interface for "The Sleuth Kit"
- Improved usability
- Ajax based
- Dynamic web application with a centralized database. Several investigators will now be able to work better on the same case simultaneously.
  - Preliminary indexing phase, and case features shared between multiple investigators
  - The preliminary tests conducted did not highlight any potential problem
- Many browsers are supported

Slide 11: Login interface

Slide 12: Preliminary indexing (1)
- String extraction (ASCII & Unicode) from the following space:
  - allocated
  - unallocated
  - slack (NTFS and FAT)
- Identification of the known good and the known bad
- File content type
  - file signature analysis
  - file extension mismatch
  - file categorization (graphics, documents, executables, etc.)

Slide 13: Preliminary indexing (2)
- Metadata and hash generation for the files present on the disk
- Timeline generation
- File carving (Lazarus, Foremost, Scalpel)
  - The results of the preliminary operations are stored in the database for better and faster querying
  - The remaining features (e.g. file and directory export) can be executed on user demand, directly on the disk image
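The indexing steps on these two slides and the MD5/SHA1 integrity check described for slide 31, sketched as an added Python example that is not PTK's code: the signature table and the sample "files" are constructed for the example, a real indexer would read entries from the disk image and use a full signature database.

```python
import hashlib

# Constructed magic-byte table: leading bytes, detected type, category, extensions that match it.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg", "graphics", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", "graphics", {"png"}),
    (b"%PDF-", "pdf", "documents", {"pdf"}),
    (b"MZ", "exe", "executables", {"exe", "dll"}),
]

def hashes(data: bytes) -> dict:
    """MD5 and SHA1 of the content, stored at indexing time and recomputed for integrity checks."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}

def identify(data: bytes) -> tuple:
    """Return (detected type, category, matching extensions) from the leading bytes."""
    for magic, kind, category, exts in SIGNATURES:
        if data.startswith(magic):
            return kind, category, exts
    return "unknown", "other", set()

def index_file(name: str, data: bytes, known_good: set, known_bad: set) -> dict:
    """Per-file index record: hashes, hash-set verdict, signature/extension check, category."""
    h = hashes(data)
    kind, category, exts = identify(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if h["sha1"] in known_bad:          # hash sets are keyed by SHA1 in this example
        verdict = "known bad"
    elif h["sha1"] in known_good:
        verdict = "known good"
    else:
        verdict = "unknown"
    return {
        "name": name, **h, "type": kind, "category": category, "verdict": verdict,
        # Mismatch only when the signature is recognised and the extension is not one of its own.
        "ext_mismatch": kind != "unknown" and ext not in exts,
    }

def verify_integrity(data: bytes, stored: dict) -> bool:
    """Both stored digests must match the recomputed ones."""
    return hashes(data) == {"md5": stored["md5"], "sha1": stored["sha1"]}

# Constructed sample "files" standing in for entries read from a disk image.
SAMPLE = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 16,   # executable carrying a document extension
    "notes.txt": b"just some text\n",
}
def run_index(files=SAMPLE, known_good=frozenset(), known_bad=frozenset()) -> dict:
    return {n: index_file(n, d, known_good, known_bad) for n, d in files.items()}
```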

Slide 14: Concurrent work in PTK
- PTK uses a centralized database for case management; thus several investigators can work on the same case from different machines, simultaneously, after the preliminary operations
- The PTK backend DBMS takes charge of concurrency management
- With reference to the selected operations:
  - simultaneous access to the same case
  - sequential access to the same case (lock)

Slide 15: Roles and Tasks
Roles: ADMINISTRATOR, INVESTIGATOR
Tasks: new case creation, case removal, case locking, display case information, adding a new image, image removal, display image information, image analysis, integrity check, bookmark generation

Slide 16: Concurrent work under PTK (1)
The Administrator may add new cases and select the related investigators who will be able to access them.

Slide 17: Concurrent work under PTK (2)
Several investigators are able to work on the same case simultaneously.

Slide 18: Concurrent work under PTK (3)
The Administrator activates the lock on CASE1.

Slide 19: Concurrent work under PTK (4)
Now only the Administrator can access CASE1, while the case is locked for the others.

Slide 20: Autopsy: cases and host management
- The number of pages (more than 10) required to manage cases and hosts is too high
- It is not possible to delete (from the interface) cases and hosts which are closed/old

Slide 21: PTK: managing cases (1)
- With PTK the number of pages has been reduced. Now, depending on the role, it is possible to do the following from a single page:
  - case creation
  - case information visualization
  - case deletion
  - linking investigators to a particular case
  - defining the indexing options
- There is no longer a separation between cases and hosts: images are directly linked to cases

Slide 22: PTK: managing cases (2)

Slide 23: PTK: case details

Slide 24: Autopsy: managing disk images
- High number of pages to manage host-related disk images
- It is not possible to delete disk images from the interface

Slide 25: PTK: managing disk images (1)
- PTK drastically reduced the pages necessary to manage disk images and the related partitions. From a single page it is now possible (depending on the role):
  - to add a new disk image to a case
  - to visualize the information related to an image
  - to delete a disk image
  - to choose the different operations that can be performed on a particular disk image

Slide 26: PTK: managing disk images (2)

Slide 27: PTK: adding new evidence

Slide 28: PTK: info-zone (1)
We added a new info-zone that recaps information about cases, hosts, disk images and investigators. With the info-zone, users have a valid instrument to control operations and navigate quickly inside the cases.

Slide 29: PTK: info-zone (2)
- case name
- image name

Slide 30: PTK: info-zone (3)
- investigator name
- logout
- access to the PTK settings

Slide 31: PTK: data integrity
- It is now possible to verify the integrity of disk images and files via MD5 and SHA1
  - in Autopsy only MD5 was available
- Fast access to the integrity check functions from every page

Slide 32: PTK: timezone
- The timezone is now selectable from a template list
BEFORE (Autopsy) / AFTER (PTK)

Slide 33: PTK: file browsing
- Before, manual insertion of the path was needed
- Now, with PTK, it is not needed anymore
BEFORE (Autopsy) / AFTER (PTK)

Slide 34: PTK: investigators (1)
- The investigator is associated with the application user
- Now you don't need to repeat the operation every time
BEFORE (Autopsy) / AFTER (PTK)

Slide 35: PTK: investigators (2)

Slide 36: PTK: description field
- We added a field called "description" to cases and images
- With Autopsy, a description was possible only for hosts

Slide 37: PTK: analysis (1)
- PTK introduced several new features useful for the analysis:
  - tree view with listing of directories and files
  - tabbed browsing to visualize the content of files
  - file bookmarking system
  - image gallery

Slide 38: PTK: analysis (2)
- We added some features to the existing ones:
  - File analysis
  - Keyword search
  - File type
  - Image details
  - Meta data
  - Data unit
  - Gallery
  - Bookmark

Slide 39: PTK: file analysis (1)

Slide 40: PTK: file analysis (2)

Slide 41: PTK: gallery

Slide 42: PTK: image details

Slide 43: PTK: some considerations
- PTK is a forensic analysis interface; it is not strictly devoted to incident response
- Its scope is helping small groups of investigators reach their goal with a reduced budget
- It does not substitute commercial products; it can help with adequately sized cases
- It can be further enhanced through concurrent engineering and development participation

Slide 44: PTK: LAMP based application (1)
- It is a web application based upon LAMP: Linux + Apache + MySQL + PHP
- It is easy to integrate and develop
- Easy to access from different browsers and operating systems
- Confidentiality is supported by the use of SSL and other security measures

Slide 45: PTK: LAMP based application (2)

Slide 46: Autopsy: data storage
Autopsy stores the data in the file system:
- Low security level, since the sensitive data are on the file system and cannot actually be protected
- Low data access efficiency: each time the investigator accesses the files, the files where the information is archived must be parsed again
- Synchronization can only be manual and is difficult to perform

Slide 47: PTK: data storage
PTK introduces a MySQL database:
- User passwords are encrypted
- Enhanced DB protection
- Data access is faster and easier
- The sensitive information is no longer in the file system
- Concurrent examination: several investigators on the same DB

Slide 48: PTK: log activity
- All operations can be logged, thanks to a logging subsystem:
  - timestamp
  - client IP
  - username
  - action performed
- The administrator can also view the log via his interface

Slide 49: PTK: why Ajax?
It is not just prettier but also more effective:
- More dynamic
- More usable
- Page loads are reduced compared to Autopsy
- Better application performance

Slide 50: PTK: Security in Ajax (1)
NB: PTK is a web application for workgroup use. It must be used according to forensics fundamentals (the lab network must be separated from the rest of the world). Furthermore, during PTK development several programming countermeasures have been adopted, to guarantee the right protection against potential threats.

Slide 51: PTK: Security in Ajax (2)
- XSS prevention:
  - the user does not pass through pages which show GET variables
  - "middle pages" which use GET variables employ such variables to build SQL queries, not for HTML code generation
  - the variables are checked against "dangerous characters"
  - every single user input is screened (parsed) and secured

Slide 52: PTK: Security in Ajax (3)
- SQL injection prevention:
  - user input control/verification
  - addition of escape sequences to the special characters present in the SQL instruction strings
- Ajax bridging prevention:
  - PTK does not use Ajax bridging
  - no JavaScript code imported from external sites
  - no external components required (no contact with any external untrusted source)
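The GET-variable, SQL-string and output-encoding rules on these two slides, as an added example that is not PTK's code: Python with sqlite3 stands in for PTK's PHP/MySQL stack, the cases table and the test input are constructed, and check_get_variable uses an allow-list, a stricter form of the "dangerous characters" check the slide mentions. The unsafe lookup is kept beside the bound-parameter one so the effect of the defense can be checked.

```python
import html
import re
import sqlite3

# Constructed case table standing in for PTK's MySQL case database.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cases (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO cases (name, description) VALUES (?, ?)",
                     [("CASE1", "laptop seizure"), ("CASE2", "server <compromise>")])
    return conn

def lookup_case_unsafe(conn, name: str) -> list:
    """The defect the slide guards against: the GET variable is spliced into the SQL string."""
    return conn.execute(f"SELECT name, description FROM cases WHERE name = '{name}'").fetchall()

def lookup_case_safe(conn, name: str) -> list:
    """Bound parameter: the driver sends the value separately, so quotes cannot alter the statement."""
    return conn.execute("SELECT name, description FROM cases WHERE name = ?", (name,)).fetchall()

CASE_ID = re.compile(r"^[A-Za-z0-9_-]{1,32}$")   # constructed allow-list for case identifiers

def check_get_variable(value: str) -> bool:
    """Input control as an allow-list rather than a scan for known-bad characters."""
    return bool(CASE_ID.match(value))

def render_field(value: str) -> str:
    """Output encoding for anything echoed into HTML, the complement of the GET-variable rules."""
    return html.escape(value, quote=True)

def handle_request(conn, get_name: str) -> str:
    """Middle-page flow: reject malformed input, query with a bound parameter, encode on output."""
    if not check_get_variable(get_name):
        return "<p>invalid case name</p>"
    rows = lookup_case_safe(conn, get_name)
    if not rows:
        return "<p>no such case</p>"
    name, desc = rows[0]
    return f"<p>{render_field(name)}: {render_field(desc)}</p>"
```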

Slide 53: PTK: further developments
- Timeline improvement
- Better reporting features
  - TXT, PDF, HTML, XML
- Advanced bookmark management
- Hash set management
  - creation, import and modification of the hash sets
- Windows artifacts
  - browser history, recycle bin
- Recursive export of folders or parts of the case

Slide 54: PTK: Project Timeline
- The core is ready and is being tested by our developers
- March 30: the alpha test will start, volunteers needed
- May 1: the beta test will start, volunteers needed
- Sept 1: the tool will be released

Slide 55: PTK: Project Management
- How can you help?
  - Test, test, test, and give structured feedback
  - Develop specific parts of the software
  - Code review
- The IRItaly/DFLabs team will finally approve and include the code into the updates
- The software will be free
- More info: http://ptk.dflabs.com

Slide 56: Questions?

Slide 57: Thanks
Dario V. Forte, CFE, CISM
The IRItaly Project at University of Milano
www.dflabs.com
Dario.forte@dflabs.com