
Methods and Instruments for the new Digital Forensics Environments


Ph.D. thesis presentation


  1. Mario Piccinelli, Ph.D. Candidate in Computer Sciences, University of Brescia, Dept. of Information Engineering. April 10, 2014
  2. Branch of forensic science that studies the identification, extraction and analysis of digital data for use in a court of law.
  3. In the beginning (from the 80s until now) it was all about (Personal) Computers. They were all (almost) alike, and there were plenty of standard tools.
  4. In the last 5-10 years everything began to store digital data.
  5. Field skills: acquisition, analysis, reporting, evidence handling, use of specific tools, ... Theoretical knowledge: cryptography, filesystem structures, communication protocols, ...
  6. • iPhone Forensics • eBook Reader Forensics • Voyage Data Recorder Forensics. What do these devices have in common? • Modern devices which contain digital data • Their data could be required during an investigation • No consolidated literature about them. The rationale behind this thesis is the ever-growing need to perform digital investigations on devices and systems that have not already been studied from this point of view.
  7. What can we find in an iOS device and how can we bring it to a court...
  8. Mobile and tablet worldwide market share of operating system usage for November 2013. Net Market Share collects browser data from a worldwide network of over 40,000 websites. (Credit: Net Market Share)
  9. There is no simple way to extract data from an iOS device. No easy way to access its contents without jailbreaking (which, by the way, we can't). • Encrypted filesystem (HFS+) • Not sharing anything with the rest of the world • No debug interfaces. Easiest way to peek inside the filesystem: the backup system.
  10. Backup folders (named by device ID): manifest files, everything else...
  11. Backup files are organized in a hierarchy, the first level of it being the «Domain»: • Media domain: media files, MMS attachments, ... • Keychain domain: account data and encrypted passwords... • Home domain: data for standard apps (contacts, mail client, calendars, ...) • Wireless domain: data about the telephone system (call logs, connection logs, ...) • ...
  12. • PLIST files (plain text and binary) • SQLite files • ASCII files • Data files • Media files
  13. Installed applications' data is stored in the «Apps» domain (for third-party applications) or the «Home» domain (for standard ones). The hierarchy of each application's folder follows a standard structure. Strong integration with WebKit offline storage.
  14. Sample application data: SMS application
  15. Localization data (prior to iOS 5)
  16. Thumbnails: generated from the media gallery for fast visualization
  17. Address book data (Home domain). Knowing about the data location and structure is the first step. Next step: making it easily usable for the ones who need it.
  18. iPBA2 is a tool developed to: • study the backup content • make it easier to understand for practitioners. Right now it is the only complete open source suite for analysing iOS backup data, and it is used by both researchers and practitioners from all over the world.
  19. Why an eBook reader is not worthless in a forensics context...
  20. • Because it is a widely used digital device. • Because it holds digital data. • Because no piece of data can be deemed «worthless» in advance during an investigation. • Because almost any practitioner says it's worthless... which, by the way, it is not. Locard's exchange principle: "Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. [...]"
  21. Forensic profiling refers to the study and exploitation of traces in order to draw a profile relevant to the investigation about criminal or litigious activities. While traces may not be strictly dedicated to a court use, they may increase knowledge of the subject under investigation.
  22. For our research, we chose a widely available modern device, the PRS-650 by Sony. Of course, many of our results can probably be achieved after further studies also with different devices from different vendors. • E-paper display (6 inches, 800x600). • Resistive touchscreen. • 5 buttons. • MontaVista Linux. • 2GB internal flash memory. • Removable SDHC and Memory Stick PRO Duo.
  23. • Books, documents, images, audio files. • Annotations. • Current position in documents. • Bookmarks. • Notes (written and audio). • Dictionary lookups. • Last reading of a document. • Pages read for each document. Everything has a timestamp!
  24. We can access the main storage through the USB storage interface. For the whole device... For each document...
  25. Freehand annotations. «Thumbnails» folder.
  26. For each document: • current position (page) • timestamp of the last access
  27. For each document: • history of the last 100 page turns, with page number and timestamp.
  28. To perform the analysis, we built a Python script that parses cache.xml, media.xml and cacheExt.xml and builds a graph of the interactions between the user and the device. The script extracts the timestamps and produces a data file with all the timestamps found, to be plotted on a timeline.
  29. eBook reader usage in a two-month time span. • X axis: time • Y axis: ID of the document involved
  30. Usage of the reader in a ten-minute span, for a single book. • X axis: time
  31. • Virtually every action performed on the device is logged. • It is possible to build a forensically sound timeline. • The evidence gathered this way could be used in court to: ◦ draw a behavioural profile of a suspected offender ◦ support or deny an alibi ◦ provide additional useful information about the owner.
  32. Digital data in a naval accident
  33. So many digital devices!
  34. GPS, ship automation, echo sounder, compass, NAPA, radar, and much more...
  35. The Voyage Data Recorder (VDR) is a mandatory device for all medium-to-large modern ships. Its job is to keep a record of ship data to be used in an accident investigation. • Position, speed, heading • Date and time • Radar plot • Audio from bridge and VHF • Sonar depth • Hull openings (watertight doors, fire doors) • Rudder position, propeller speed • Weather station data (wind, ...) • Onboard alarms • ...
  36. Data collecting unit: an industrial computer which collects all data and temporarily stores it on a magnetic disk. Final Recording Medium: a rugged box containing a solid-state memory, designed to survive a catastrophic accident and be recovered for further investigations.
  37. Starting point: the complete copy of the internal disk of the data collecting unit.
  38. Analysis of the disk structure: partition scheme, mounting the partition, partition content.
  39. Analysis of the disk content: the «frame» directory. Unknown data files.
  40. Extraction of an image from the data file
  41. The same goes for the «NMEA» directory: ~800 MB of ASCII data in NMEA format.
  42. NMEA 0183 is a data exchange protocol used primarily in the navigation field. It is the preferred way to exchange data between navigational aids. NMEA sentence: $PREFIX,data0,data1,...,dataN*CHECKSUM • $: starting character. • PREFIX: origin and type of data. First 2 characters: originating device. Other 3 characters: type of sentence. • CHECKSUM: 2-digit hex value, the XOR of every character of the sentence between the $ and the *. NMEA sentences are standard, but vendors are allowed to add custom ones for specific purposes.
  43. Timestamp: Unix time = 4F 10 88 90 (hex) = 1,326,483,600 (dec) = Jan 13, 2012 @ 19:40:00 UTC = Jan 13, 2012 @ 20:40:00 local time (UTC+1)
  44. Example of standard sentence: $RAZDA,194001.00,13,01,2012,-01,*41 • RA: origin (radar) • ZDA: date and time • 194001.00: time • 13,01,2012: date • -01: difference between local time and UTC • *41: checksum
  45. Example of non-standard sentence: $PSWTD,07,C----,*34 • P: non-standard prefix • S: vendor (Seanet) • WTD: watertight doors • 07: door number • C----: door status (closed, no warnings) • *34: checksum
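As an added example (not code from the thesis or from the tooling it describes), a small Python parser for the sentence format of slides 42 to 45: it computes the XOR checksum, splits the prefix the way the slides read it (2-character talker plus 3-character type, or P followed by vendor and type), decodes a ZDA date/time, and converts the hex Unix timestamp of slide 43. The $RAZDA sentence is the one from slide 44; the watertight-door sentence is constructed here with its checksum computed by the script, and splitting the proprietary prefix into one vendor letter plus a type follows the slide's reading and is an assumption.

```python
import re
from datetime import datetime, timezone

def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two uppercase hex digits."""
    value = 0
    for ch in body:
        value ^= ord(ch)
    return f"{value:02X}"

def parse_nmea(sentence: str) -> dict:
    """Split a framed sentence ($...*HH) and verify its checksum. A sentence whose
    checksum_ok is False must be reported, not silently used as evidence."""
    m = re.fullmatch(r"\$([^*]*)\*([0-9A-Fa-f]{2})\s*", sentence)
    if not m:
        raise ValueError(f"not a framed NMEA sentence: {sentence!r}")
    body, given = m.group(1), m.group(2).upper()
    fields = body.split(",")
    prefix = fields[0]
    if prefix.startswith("P"):
        # Proprietary prefix, split as on slide 45 (P + vendor + type); assumption.
        head = {"proprietary": True, "vendor": prefix[1:2], "type": prefix[2:]}
    else:
        # Standard prefix: 2-character talker + 3-character sentence type (slide 42).
        head = {"proprietary": False, "talker": prefix[:2], "type": prefix[2:]}
    head["fields"] = fields[1:]
    head["checksum_ok"] = nmea_checksum(body) == given
    return head

def zda_to_datetime(parsed: dict) -> datetime:
    """ZDA payload: hhmmss.ss, day, month, year, then local-zone fields (slide 44)."""
    hhmmss, day, month, year = parsed["fields"][:4]
    return datetime(int(year), int(month), int(day), int(hhmmss[:2]),
                    int(hhmmss[2:4]), int(float(hhmmss[4:])), tzinfo=timezone.utc)

def unix_hex_to_datetime(hex_be: str) -> datetime:
    """32-bit big-endian Unix time written as hex, e.g. 4F108890 (slide 43)."""
    return datetime.fromtimestamp(int(hex_be, 16), tz=timezone.utc)

if __name__ == "__main__":
    zda = "$RAZDA,194001.00,13,01,2012,-01,*41"   # slide 44; its checksum verifies
    p = parse_nmea(zda)
    print(p["talker"], p["type"], p["checksum_ok"], zda_to_datetime(p))
    print(unix_hex_to_datetime("4F108890"))        # slide 43
    # Constructed vendor sentence: checksum computed here, then one field corrupted.
    body = "PSWTD,07,C----,"
    good = f"${body}*{nmea_checksum(body)}"
    print(parse_nmea(good)["type"], parse_nmea(good)["checksum_ok"])
    print(parse_nmea(good.replace("07", "08"))["checksum_ok"])   # False
```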
  46. Once we were able to recover the raw data, we proceeded to work on it to: • understand the meaning of the standard and non-standard elements • understand the relative importance of each element • build tools to parse the data and report the results in a useful format.
  47. Position of the rudders (order and response) before and during the accident.
  48. Evolution of the watertight doors (WTD) status. Why does the last signal we have for door 8 read 'O' (open)?
  49. Trackpilot settings on both the radar stations.
  50. Interactive data replay tool.
  51. Ship position and heading.
  52. Simulation of the impact from position and heading data.
  53. The steps we described are related to this specific VDR model, but they also show a general approach which could probably be applied, with further studies, to any other model and vendor. The analysis of the VDR data is of course easy to perform with closed and proprietary software from the vendor, but we were the first to publish about a forensically sound approach.