
Accelerating forensic and incident response workflow: the case for a new standard in forensic imaging - HTCIA 2016

Today’s forensic processes are mired by practices carried over from a pre-networked world. Practitioners and responders are faced with the unsatisfactory choice of either forensically preserving only a limited amount of evidence while accepting the risk of missing relevant information (triage), or delaying analysis while waiting for full forensic preservation. This seminar will examine the role of existing forensic imaging formats in creating such an environment, and examine how an improved forensic image format (the AFF4 forensic container format) enables practitioners to perform forensic analysis without the delays imposed by current approaches.

Published in: Data & Analytics


Slide 1. Accelerating your forensic & incident response workflow: the case for a new standard in forensic imaging
Dr. Bradley Schatz, Director, Schatz Forensic
v1.2 - HTCIA Conference 2016
© Schatz Forensic 2016

Slide 2. The volume problem increases the latency between evidence identification and useful findings
Identify → Acquire → Analyse → Reporting (the gap between the first and the last step is the latency)

Slide 3. Pick one of the below. You can't have both.
• Physical acquisition (completeness): you preserve everything, but analysis will have to wait
• Triage / live forensics (low latency): near immediate results at the expense of potentially missing evidence

Slide 4. How can we reduce latency while maximising completeness?
• Increase I/O throughput?
• Live analysis while we acquire?
• Dynamic partial acquisition?

Slide 5. Current forensic image formats are now a bottleneck
• Deflate compression is inefficient
• Linear hashing does not scale to multi-core
• Copying blocks of zero-filled sectors is a waste of time
• Linear images prevent efficient out-of-order acquisition

Slide 6. The Advanced Forensic Format v4 (AFF4) image format is the solution
• Scalable to GB/s I/O & multi-core
• Enables forensically reproducible partial, non-linear images (reproducible triage)
• Scientifically peer reviewed (ref. Daubert)
• Unencumbered, open specification
• Open source implementations

Slide 7. Background: what's stopping me increasing I/O throughput?

Slide 8. Forensic Imaging v1.0: Raw
Linear bitstream copy + linear bitstream hash:
$ dd if=/dev/hda bs=4k conv=sync,noerror | tee C1.D1.raw | md5sum > C1.D1.md5.txt

Slide 9. Forensic Imaging v1.0: Raw
Source Hard Drive → MD5 (linear bitstream hash) → ACMECo.C1.D1.raw + ACMECo.C1.D1.raw.txt

Slide 10. What affects throughput in acquisition?
The acquisition pipeline: Target Storage → Interconnect → Hash → Filesystem → Interconnect → Evidence storage

Slide 11. I/O throughput in acquisition is a systems problem: target storage
Target storage                          Sustained read
1TB Seagate 3.5" 7200rpm SATA           100 MB/s
Current generation 3.5" 7200rpm SATA    200 MB/s
Intel 730 SSD                           550 MB/s
Macbook Pro 1TB                         ~1 GB/s
RAID 15000rpm SAS                       > 1 GB/s
Samsung 850 NVMe                        1.5 – 2.5 GB/s

Slide 12. I/O throughput in acquisition is a systems problem: hash
Algorithm   Average throughput (MB/s)
SHA1        619.23
MD5         745.65
Blake2b     601.87

Slide 13. I/O throughput in acquisition is a systems problem: interconnect
Interconnect                 Gb/s   Actual Gb/s   Max MB/s   Max GB/min
PCIe / NVMe / Thunderbolt    -      -             > 1000     > 60
SATA3 / SAS 6G               6      4.8           600        36
USB3                         5      4             500        30
Gigabit Ethernet             1      -             ~100       -
USB2                         0.48   0.38          48         2.9

Slide 14. (Same table as slide 13.) Can we practically achieve this?

Slide 15. Not all bridges are made equal
Manuf.       Source        Dest    Form factor       Year purchased   MB/s
Orico        USB3          SATA    3.5" slide dock   2014             219
Orico        USB3          SATA    2.5" enclosure    2016             247
Orico        USB3          SATA    3.5" dual dock    2016             402
Kanex        Thunderbolt   eSATA   Cable             2015             213
Nexstar      USB3          SATA    3.5" dock         2014             189
Nexstar      USB3          eSATA   Cable             2016             249
Probox       USB3          SATA    Bridge            2016             416*
Samsung T3   USB3          integrated SSD            2016             400
Testing tool: BlackMagicDesign Disk Speed Test. Destination disk: Samsung 850 Pro SSD. * Fails under heavy load.

Slide 16. Take Away #1: Faster destination I/O is important, but beware choice of bridge
• Not an issue if imaging to spinning disk (<200MB/s)
• Raw SATA & SAS I/O fastest (duplicators)
• SSD/RAID speed levels require decent bridges
• Thunderbolt and UASP promising; more testing needed

Slide 17. Example: Forensic Duplicator, 1TB Seagate target
Pipeline: SATA3 spinning disk 93.6MB/s → SAS 6G 600MB/s → SHA1 600MB/s → SAS 6G 600MB/s → SATA3 spinning disk 200MB/s
Acquisition: 1TB @ 93.6MB/s = 2h 58m
Verification: 1TB @ 200MB/s = 1h 23m
TOTAL = 4h 21m

Slide 18. Bare Metal (LiveCD) Ancient Workstation Acquisition
Pipeline: SATA3 spinning disk 100MB/s → USB2 45MB/s → SHA1 600MB/s → SATA3 spinning disk 200MB/s
Acquisition: 1TB @ 45MB/s = 6h 10m
Verification: 1TB @ 45MB/s = 6h 10m
TOTAL = 12h 20m

Slide 19. Bare Metal (LiveCD) Ancient Workstation Acquisition: after the copy, verify the image on a device with a faster interconnect
Same pipeline as slide 18.
Acquisition: 1TB @ 45MB/s = 6h 10m
Verification: 1TB @ 200MB/s = 1h 23m
TOTAL = 7h 33m

Slide 20. Take Away #2: Plan your acquisitions to maximise throughput
• Relocate the image for verification
• Add a USB3 ExpressCard / PCIe card
• Pull disks from slower machines and go bare metal (live CD) on faster ones
• Use GigE (100Mb/s) instead of USB2

Slide 21. Bare Metal (LiveCD) example: caveat, user space filesystem
Pipeline: SATA3 spinning disk 200MB/s → USB3 500MB/s → SHA1 600MB/s → NTFS-3g 100MB/s → SAS 6G 600MB/s → SATA3 spinning disk 200MB/s
Acquisition: 1TB @ 100MB/s = 2h 46m
Verification: 1TB @ 100MB/s = 2h 46m
TOTAL = 5h 22m

Slide 22. Is your forensic liveCD slowing you down? (Destination: Samsung T3 USB3 SSD)
$ ntfs-3g /dev/sdd1 /mnt
$ time sh -c "time dd if=/dev/zero of=/mnt/zeros bs=512k count=20k ; sync"
104s, 102MB/s
$ mount -t ntfs-3g -o max_read=131072,big_writes /dev/sdd1 /mnt
$ time sh -c "time dd if=/dev/zero of=/mnt/zeros bs=512k count=20k ; sync"
33s, 318 MB/s

Slide 23. Take Away #3: NTFS may be a convenient destination filesystem, but is it costing time?
• Use a kernel-based FS implementation, or
• Tune the filesystem if it is a user space variant
Slide 24. Forensic Imaging v2.0: EWF (original design)
Source Hard Drive → MD5 (linear bitstream hash) + Deflate → ACMECo.C1.D1.e01 (linear compressed block stream)

Slide 25. The deflate algorithm is a significant bottleneck
Pipeline: Target Storage → Interconnect → Hash → Compress → Filesystem → Interconnect → Evidence storage
Data           Deflate MB/s   Inflate MB/s
High entropy   40.4           439
Low entropy    259            I/O bound
* Single core of quad core i7-4770 3.4GHz, measured with gzip

Slide 26. FTK Imager EWF Acquisition (1TB Seagate 75% full, 4 core i5-750)
Pipeline: SATA3 spinning disk 100MB/s → SATA3 600MB/s → SHA1 600MB/s → Deflate 67.8 MB/s → SATA3 600MB/s → SATA3 spinning disk 200MB/s
Acquisition: 1TB @ 67.8MB/s = 4h 06m
Verification: 1TB @ 106MB/s = 2h 36m
TOTAL = 6h 42m

Slide 27. Forensic Imaging v2.1: Threaded EWF (Guymager (2008), X-Ways, recent ewfacquire)
Source Hard Drive → MD5 (linear bitstream hash) + Deflate on several threads → ACMECo.C1.D1.e01

Slide 28. Lacklustre throughput reports (2013)
• Practitioner reports
  – Low 100's MB/s [Zimmerman 2013]
• Research publications
  – FastDD <= 110 MB/s [Bertasi & Zago 2013]
• Our experience
  – Low powered CPUs give low throughput

Slide 29. Threaded EWF Acquisition (240GB Intel 730 SSD 50% full, Core 2 Duo, Lenovo X200 circa 2009)
Pipeline: SATA3 Intel 730 SSD ~500MB/s → SATA2 300MB/s → SHA1 → Deflate 45 MB/s per core → USB3 500MB/s → SATA3 Samsung 840 EVO SSD ~500MB/s
Acquisition: 240GB @ 91MB/s = 40m 21s

Slide 30. Our approach to increasing I/O throughput

Slide 31. Scale to 8-core i7 & uncontended I/O? Threaded EWF is CPU bound
Pipeline: SATA3 Intel 720 SSD ~500MB/s → SATA3 600MB/s → SHA1 600MB/s → Deflate 31.9MB/s/core → SATA3 600MB/s → SATA3 Samsung 850 EVO Pro ~500MB/s
Acquisition: 240GB @ 255MB/s = 14m 35s
Verification: 240GB @ 350MB/s = 10m 37s
TOTAL = 25m 12s
* 8 core i7-5820k @ 3.20 GHz

Slide 32. How about using a faster compression algorithm?
Compression algorithm      Throughput MB/s/core*
Deflate (ZIP, gzip)        31.9
Snappy (Google BigTable)   1,400
LZO (ZFS)                  1,540
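Slides 25 and 32 treat compression as a per-block, per-core cost that high-entropy data makes far worse, and slide 66 later notes that conversion is cheap when only low-entropy blocks are compressed. The Python below is an added example written for this page, not code from the talk, from Evimetry or from any AFF4 implementation. It makes the per-block storage decision (sparse, raw, or deflate), using an assumed entropy cut-off as the "don't bother compressing" heuristic, and times deflate on three constructed blocks (zeros, text-like, pseudo-random) so the asymmetry the slides describe can be seen on any machine. Block size, the cut-off value and all function names are assumptions for the demo.

```python
import hashlib
import math
import time
import zlib

BLOCK_SIZE = 1024 * 1024  # 1 MiB blocks; constructed size for the demo


def entropy_bits_per_byte(block: bytes) -> float:
    """Shannon entropy of the byte histogram: 0.0 for constant data, close to 8.0 for random data."""
    n = len(block)
    if n == 0:
        return 0.0
    total = 0.0
    for value in range(256):
        count = block.count(value)
        if count:
            p = count / n
            total -= p * math.log2(p)
    return total


def store_block(block: bytes, level: int = 1, entropy_cutoff: float = 7.5) -> tuple[str, bytes]:
    """Decide how one block is written to the container.

    'zero'    - sparse block; only the map needs to record it, there is no payload.
    'raw'     - high-entropy block stored uncompressed; the compressor is never run on it.
    'deflate' - low-entropy block, kept compressed only if the output really is smaller.
    The entropy cut-off is an assumed tuning value, not a figure from the talk.
    """
    if block.count(0) == len(block):
        return "zero", b""
    if entropy_bits_per_byte(block) >= entropy_cutoff:
        return "raw", block
    packed = zlib.compress(block, level)
    if len(packed) < len(block):
        return "deflate", packed
    return "raw", block


def load_block(kind: str, payload: bytes, size: int = BLOCK_SIZE) -> bytes:
    """Inverse of store_block, as a reader of the container would apply it."""
    if kind == "zero":
        return bytes(size)
    if kind == "raw":
        return payload
    if kind == "deflate":
        return zlib.decompress(payload)
    raise ValueError(f"unknown block kind {kind!r}")


def throughput_mb_s(block: bytes, level: int) -> float:
    """Deflate throughput for one block on this machine, in MB/s of input (wall clock)."""
    start = time.perf_counter()
    zlib.compress(block, level)
    elapsed = time.perf_counter() - start
    return len(block) / elapsed / 1e6


def constructed_blocks() -> dict[str, bytes]:
    """Constructed stand-ins for the talk's test standard: zeros, text-like data, random data."""
    text = b"Event 4624: An account was successfully logged on. " * (BLOCK_SIZE // 50 + 1)
    rnd = bytearray()
    state = b"constructed seed"
    while len(rnd) < BLOCK_SIZE:          # chained SHA-256 output: deterministic, high entropy
        state = hashlib.sha256(state).digest()
        rnd += state
    return {
        "zeros": bytes(BLOCK_SIZE),
        "low_entropy": text[:BLOCK_SIZE],
        "high_entropy": bytes(rnd[:BLOCK_SIZE]),
    }


if __name__ == "__main__":
    for name, block in constructed_blocks().items():
        kind, payload = store_block(block)
        print(f"{name:13s} -> {kind:8s} {len(payload):8d} bytes stored; "
              f"deflate level 6 runs at {throughput_mb_s(block, 6):.0f} MB/s on this block")
```

Running it prints one line per block; the random block is stored raw without paying for the compressor at all, the zero block costs nothing but a map entry, and only the text-like block is deflated. The measured MB/s for the random block versus the zero block is the same effect as the high-entropy versus low-entropy rows on slide 25.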
Slide 33. Forensic Imaging v4.0: AFF4 (2009)
• ZIP64 based container
• Storage virtualization
• Open source implementation & specification

Slides 34–36. AFF4: Storage Virtualisation
ACMECo.S1.D1.af4 and ACMECo.S1.D2.af4 are each a compressed block storage stream with a linear bitstream hash; ACMECo.S1.RAID0.af4 is a virtual storage stream (map) that refers to both.
• Storage virtualisation
• Inter-container referencing

Slide 37. Linear bitstream hashing isn't parallelizable. Max. rate ~600 MB/s on current generation CPUs
Algorithm   Throughput MB/s
SHA1        619.23
MD5         745.65
Blake2b     601.87

Slide 38. Our solution: block based hashing
Source Hard Drive → per block, in parallel: Hash + Compress → compressed blocks and # Block Hashes → one Hash over the block hashes

Slide 39. Test standard composition (chart: stored block size vs. LBA address)
• Windows 8.1: 10.2G
• Govdocs1 (1-75, 1-40): 59.8G
• /dev/random: 38.4G
• Empty space (zeros)

Slide 40. Block based hashing beats linear stream hashing with low powered multicore CPUs (dual core i5-3337U 1.8GHz)
Chart annotations: sparse data; max CPU hash throughput; read I/O limited

Slide 41. Block hashing shifts the bottleneck from CPU to I/O
Pipeline: SATA3 Intel 730 SSD 500MB/s → 4x SATA3 2.4GB/s → SHA1 600 MB/s/core → Snappy avg 1.5GB/s/core → RAID0 4x SATA3 2TB 800MB/s
* 8 core i7-5820k @ 3.20 GHz
Acquisition application   Linear acquisition               Verification
X-Ways Forensics          14:35, 255 MB/s (15.3 GB/min)    10:37, 350 MB/s (21.0 GB/min)
Wirespeed (linear)        7:23, 500 MB/s (30.3 GB/min)     4:12, 888 MB/s (53.33 GB/min)
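Slides 37 to 41 make two claims: a linear bitstream hash cannot be spread across cores, and hashing fixed-size blocks independently, then recording a hash over the block hashes, removes that ceiling while also letting any single block be verified on its own. The following Python is an added example for this page, not code from the talk or from any AFF4 implementation. It computes both kinds of hash over a constructed 8-block image, shows that block hashes can be produced in any order (the order a live analysis might request blocks in) and still yield the same image-level value, and verifies one block without touching the rest. The block size, the "hash of the concatenated block hashes" encoding and the function names are assumptions for the demo, not AFF4's exact on-disk representation.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

BLOCK_SIZE = 64 * 1024  # constructed: small blocks so the demo runs in well under a second


def constructed_image(n_blocks: int = 8) -> bytes:
    """Deterministic stand-in for a disk: pseudo-random blocks, with blocks 2 and 3 all zeros."""
    buf = bytearray()
    state = b"constructed image seed"
    while len(buf) < n_blocks * BLOCK_SIZE:
        state = hashlib.sha256(state).digest()
        buf += state
    buf = buf[: n_blocks * BLOCK_SIZE]
    buf[2 * BLOCK_SIZE: 4 * BLOCK_SIZE] = bytes(2 * BLOCK_SIZE)
    return bytes(buf)


def linear_hash(image: bytes) -> str:
    """Raw / EWF style: one SHA-1 over the whole bitstream. Every byte depends on the
    state left by all earlier bytes, so this work cannot be split across cores."""
    return hashlib.sha1(image).hexdigest()


def block_hash(block: bytes) -> str:
    return hashlib.sha1(block).hexdigest()


def block_hashes(image: bytes, workers: int = 4) -> list[str]:
    """Hash every block independently. CPython's hashlib releases the GIL for inputs
    larger than 2 KiB, so a thread pool really does run SHA-1 on several cores at once."""
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(block_hash, blocks))


def image_hash(hashes: list[str]) -> str:
    """The single value recorded for the image: a hash over the ordered list of block hashes.
    This encoding is an assumption for the demo, not AFF4's exact representation."""
    return hashlib.sha1("".join(hashes).encode("ascii")).hexdigest()


def block_hashes_any_order(image: bytes, order: list[int]) -> list[str]:
    """Acquire blocks in an arbitrary order and still arrive at the same ordered hash list,
    because each block hash depends only on that block's content."""
    results = {}
    for index in order:
        results[index] = block_hash(image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE])
    return [results[i] for i in sorted(results)]


def verify_block(image: bytes, index: int, hashes: list[str]) -> bool:
    """Verifying one block needs only that block, so verification parallelises too
    and works for a partial image where other blocks were never acquired."""
    return block_hash(image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]) == hashes[index]


if __name__ == "__main__":
    img = constructed_image()
    hashes = block_hashes(img)
    print("linear hash:     ", linear_hash(img))
    print("block-based hash:", image_hash(hashes))
    scrambled = block_hashes_any_order(img, [7, 0, 5, 2, 6, 1, 4, 3])
    print("same value when acquired out of order:", image_hash(scrambled) == image_hash(hashes))
```

Note that the two all-zero blocks produce identical block hashes; that is exactly what the hash-based imaging (deduplication) on slide 59 exploits, since a block whose hash is already known need not be stored again.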
Slide 42. How can we take advantage of these speeds?

Slide 43. Block hashing shifts the bottleneck from CPU to I/O (same pipeline and table as slide 41)
Realistic? More likely USB3 or 1GbE

Slide 44. Idea: can we aggregate output I/O? Use 2x USB3 drives?
Pipeline: SATA3 Intel 720 SSD 500MB/s → 2x USB3 1GB/s → SHA1 600 MB/s/core → Snappy avg 1.5GB/s/core → 2x SATA3 2TB 400MB/s
* 8 core i7-5820k @ 3.20 GHz

Slide 45. AFF4 Striping
Source blocks are striped over multiple containers on multiple output disks (ACMECo.S1.D1.1.af4 on Disk 1, ACMECo.S1.D1.2.af4 on Disk 2), tied together by the virtual storage stream (map).

Slide 46. AFF4 Striping
A copy of the map is stored in each container.

Slide 47. Test standard composition (as slide 39)

Slide 48. Multiple output channels increase throughput, especially for uncompressible (high entropy) data

Slide 49. Multi-destination throughput is even higher for current generation drives
1TB NVMe (Core i7-4578U, 2 cores), Macbook Pro A1502 (Evimetry 2.1.0)
Acquisition technique   Acquire + Verify
Evimetry Wirespeed      0:52:04
Xways + WinFE           2:48:00
Macquisition EWF        7:08:38

Slide 50. Multi-destination throughput is even higher for current generation drives
1TB NVMe (Core i7-4578U, 2 cores), Macbook Pro A1502 (Evimetry 2.2.0a); same table as slide 49

Slide 51. Multi-destination throughput is even higher for current generation drives
512GB Samsung 850 NVMe w/ 4 core i5 (Evimetry 2.2.0a); same table as slide 49

Slide 52. How can we analyse while we acquire?

Slide 53. How can we reduce latency while maximising completeness? (as slide 4)
• Increase I/O throughput?
• Live analysis while we acquire?
• Dynamic partial acquisition?

Slide 54. Idea: start with a non-linear partial image and add from there
Layers, from smallest to complete: volume & FS metadata, memory analysis → high value files → interactive analysis artifacts → all allocated → entire disk

Slide 55. Acquire and access in parallel? dd + iSCSI access to target
Source Hard Drive → MD5 → ACMECo.C1.D1.raw + ACMECo.C1.D1.raw.txt (linear bitstream hash); remote analysis tools reach the target over iSCSI

Slide 56. (continued) Access is contended: poor interactive performance (lag)

Slide 57. (continued) Early termination may not leave a complete filesystem

Slide 58. Raw image: non-linear acquisition via a sparse raw file, driven by live analysis?
Source Hard Drive → ACMECo.C1.D1.raw + ACMECo.C1.D1.raw.txt (linear bitstream hash), accessed over iSCSI
How do you generate a hash over a non-linear image?
* X-Ways does similar, only not remote

Slide 59. Forensic Imaging v4.1: AFF4 (2010)
• Non-linear acquisition
• Hash based imaging (deduplication)

Slide 60. Partial, non-linear, block based hashing
Source Hard Drive regions: volume metadata, filesystem metadata, sparse data, file content, unknown. Acquired blocks are hashed and compressed into ACMECo.C1.D1.af4 (compressed block stream, # block hashes, hash over the block hashes) and addressed through a virtual block stream (map).

Slide 61. Forensic Imaging v4.2: AFF4 (2015)
• Partial acquisition
  – Represent what we didn't acquire vs. what we couldn't acquire
• Block based hashing

Slide 62. Partial, non-linear, block based hashing
Each container (ACMECo.C1.D1.af4) carries: compressed block stream, block hashes, hash over the block hashes, virtual block stream (map), linear block hash, map hash.

Slide 63. Evimetry & AFF4: non-linear, partial physical acquisition driven by live analysis
Source Hard Drive → acquisition → ACMECo.C1.D1.af4 (block hashes, compressed block stream, hash, virtual block stream (map)); a virtual disk exposes the image to analysis, and the file categories and blocks the analysis touches feed I/O planning & scheduling back into acquisition.

Slide 64. Partial acquisition brings reproducibility and elasticity to IR and triage
Pipeline: SATA3 spinning disk 200MB/s → 1GbE 100MB/s → SHA1 600 MB/s/core → Snappy avg 1.5GB/s/core → network → RAID0 4x SATA3 2TB 800MB/s
* 8 core i7-5820k @ 3.20 GHz
Partial IR acquisition: 21.9GiB @ 102MiB/s = 3m 39s
Acquired: volume metadata, filesystem metadata, 16G pagefile, registries, logs, link files, jump lists, WMI CIM repo, prefetch, USN journal, $Logfile, scheduler artefacts
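Slides 45 and 46 (striping over two output disks, a copy of the map in every container) and slides 54 and 60 to 62 (a partial, non-linear image whose map records what was acquired, what was sparse, and what was never acquired) describe one data structure: a virtual block stream that maps source block addresses to stored data. The Python below is an added example for this page, not code from the talk, from Evimetry or from any AFF4 implementation; it is a minimal in-memory model of that idea. Blocks arrive in whatever order the analyst's live analysis requests them, zero blocks cost only a map entry, non-zero blocks are striped round-robin across two containers, reads of never-acquired regions are refused rather than silently returned as zeros, and the map hash is computed over a canonical LBA-ordered listing so it does not depend on acquisition order. Container names follow the slide; the block size, the record format, the class and function names and the sample source blocks are all constructed for the demo.

```python
import hashlib
from dataclasses import dataclass, field

BLOCK_SIZE = 4096  # constructed: 4 KiB blocks keep the demo small
ZERO_BLOCK = bytes(BLOCK_SIZE)


class UnknownRegion(Exception):
    """Read of a region that was never acquired (distinct from a region acquired as zeros)."""


@dataclass
class Container:
    """One output file, e.g. ACMECo.S1.D1.1.af4 on Disk 1: stored blocks, their hashes,
    and (after finalisation) this container's own copy of the map."""
    name: str
    blocks: dict = field(default_factory=dict)
    block_hashes: dict = field(default_factory=dict)
    map_copy: list = field(default_factory=list)


class VirtualStream:
    """Virtual storage stream (map): source block index -> container name, 'zero', or absent."""

    def __init__(self, n_blocks: int, containers: list):
        self.n_blocks = n_blocks
        self.containers = {c.name: c for c in containers}
        self.stripe = [c.name for c in containers]
        self.map = {}

    def acquire(self, lba: int, data: bytes) -> None:
        """Accept a block in any order. Zero blocks only get a map entry; other blocks are
        striped round-robin over the containers so two output disks share the writes."""
        if not 0 <= lba < self.n_blocks or len(data) != BLOCK_SIZE:
            raise ValueError("bad block")
        if data == ZERO_BLOCK:
            self.map[lba] = "zero"
            return
        target = self.containers[self.stripe[lba % len(self.stripe)]]
        target.blocks[lba] = data
        target.block_hashes[lba] = hashlib.sha1(data).hexdigest()
        self.map[lba] = target.name

    def read(self, lba: int) -> bytes:
        """What an analysis tool sees through the virtual disk; unknown regions are an error."""
        target = self.map.get(lba)
        if target is None:
            raise UnknownRegion(lba)
        if target == "zero":
            return ZERO_BLOCK
        return self.containers[target].blocks[lba]

    def unknown_blocks(self) -> list:
        return [i for i in range(self.n_blocks) if i not in self.map]

    def map_records(self) -> list:
        """Canonical listing in LBA order, so the result is independent of acquisition order."""
        records = []
        for lba in range(self.n_blocks):
            target = self.map.get(lba, "unknown")
            digest = "" if target in ("zero", "unknown") else self.containers[target].block_hashes[lba]
            records.append(f"{lba}:{target}:{digest}")
        return records

    def map_hash(self) -> str:
        return hashlib.sha1("\n".join(self.map_records()).encode("ascii")).hexdigest()

    def finalise(self) -> str:
        """Store a copy of the map in every container and return the map hash."""
        records = self.map_records()
        for c in self.containers.values():
            c.map_copy = list(records)
        return self.map_hash()

    def verify(self) -> bool:
        """Re-hash every stored block against its recorded hash, then check each map copy."""
        records = self.map_records()
        for c in self.containers.values():
            for lba, data in c.blocks.items():
                if hashlib.sha1(data).hexdigest() != c.block_hashes[lba]:
                    return False
            if c.map_copy != records:
                return False
        return True


def constructed_partial_image(order: list) -> VirtualStream:
    """Constructed 8-block source: blocks 0 and 1 (volume/FS metadata), 3 and 5 (high value files)
    carry data, 2 and 4 are zeros, 6 and 7 are never requested. `order` is the acquisition order."""
    source = {
        0: b"volume metadata ".ljust(BLOCK_SIZE, b"\x01"),
        1: b"filesystem metadata ".ljust(BLOCK_SIZE, b"\x02"),
        2: ZERO_BLOCK,
        3: b"registry hive ".ljust(BLOCK_SIZE, b"\x03"),
        4: ZERO_BLOCK,
        5: b"event log ".ljust(BLOCK_SIZE, b"\x04"),
    }
    stream = VirtualStream(8, [Container("ACMECo.S1.D1.1.af4"), Container("ACMECo.S1.D1.2.af4")])
    for lba in order:
        stream.acquire(lba, source[lba])
    return stream
```

Two acquisitions of the same blocks in different orders produce the same map hash, which is what makes a partial, analysis-driven image reproducible; and because "unknown" and "zero" are distinct map states, a later verification or re-acquisition can tell a region that was deliberately skipped from one that was read as empty.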
Slide 65. How can I work with AFF4 images?

Slide 66. Why adopt this? My toolset doesn't support AFF4.
• Wait for support from vendors?
  – In progress
• Convert AFF4 to EWF on a fast workstation
  – Can be done in roughly the same time it takes to simply copy (only compress low entropy blocks)
• Emulate a raw image in the filesystem

Slide 67. Virtual FS emulation of AFF4 containers as emulated raw images

Slide 68. Emulated raw is faster than native EWF
X-Ways processing task         X-Ways native EWF   X-Ways w/ Evimetry FS Bridge
Verify                         0:42:00             0:08:00
FS data recovery               0:03:35             0:03:20
Hashing & header validation    1:59:03             1:05:25
Carving unallocated            0:41:00             0:44:00
Total                          3:25:43             2:02:09
Image: 1TB Macbook Pro i7, processed on 8 core i7 w/ RAID

Slide 69. How does this affect workflow?

Slides 70–77. Native EWF acquisition vs AFF4; native EWF processing vs AFF4 FS Bridge (chart annotations)
• Single threaded EWF?
• Multi threaded EWF
• AFF4
• AFF4: copies in half the time due to striped acquisition over 2 x 200 MB/s spinning disks. EWF: I/O bound on a single 200MB/s disk
• AFF4: verification completes in 8m, I/O bound by the RAID. EWF: CPU bound
• AFF4: filesystem search in around half the time. EWF: CPU bound?
• AFF4 & EWF around the same throughput

Slide 78. Will the courts accept the AFF4 format?

Slide 79. Courts accept expert evidence. Is it reliable?
• Is the expert reliable?
• Is the underlying theory reliable?
  – Reliable by way of the application of scientific methods (e.g. Daubert)
  – 4 scientifically peer reviewed papers, unrefuted
• Are the methods implementing the theory reliable?
  – Tool testing (as always, the expert's ultimate responsibility)

Slide 80. Adoption: who is using AFF4?

Slide 81. AFF4 is used in the following

Slide 82. Near future
• Evimetry Community Edition
  – Free creation, conversion & consumption of AFF4 images (Windows)
• AFF4 standardisation effort (AFF4 Working Group)
  – Bradley Schatz (Evimetry), Michael Cohen (Google) chairing
  – Open source implementation and specification in progress
  – Blackbag recently joined
• Sleuthkit/Autopsy
  – Support planned
• Open Source Digital Forensic Conference 2016
  – AFF4 status update

Slide 83. More information

Slide 84. More information
Implementations
• https://evimetry.com/
• https://github.com/google/aff4
• http://www.rekall-forensic.com/docs/Tools/
• https://github.com/google/grr
Ongoing specification and papers
• http://www.aff4.org/
• http://dfrws.org/2009/proceedings/p57-cohen.pdf
• http://dfrws.org/2010/proceedings/2010-314.pdf
• http://dfrws.org/2015/proceedings/DFRWS2015-16.pdf

Slide 85. Conclusion

Slide 86. Conclusion
• Optimising forensic workflow is a systems problem
• Existing forensic formats are a bottleneck for today's systems
• Existing forensic image formats are generally incompatible with triage and reproducible live analysis
• The Advanced Forensic Format 4 solves the above

Slide 87. Contact
Dr Bradley Schatz
https://evimetry.com/
bradley@evimetry.com
Image credits: hard disk head by amckgill; footprints by kimba
