Transcript of Forensics Challenges with the Whonix OS (19 slides)

Forensics Challenges with the Whonix OS

15/05/2015

Presented by Timmi Lee Strand Jæger


The Whonix

• Open source operating system, released in 2012

• Based on the Tor network and «vanilla» Debian GNU/Linux

• Designed to be used with virtualization software


Whonix images

• Workstation
  • Connected to the gateway
  • Security by isolation
  • Tor artefacts – xchat, torchat, gpg encryption, bitcoin software etc.

• Gateway
  • Routes all internet traffic through Tor
  • Not recommended to use for anything else than a gateway


Aim and objective

• Researching the forensics challenges connected to the Whonix OS by mapping out the forensics artifacts

• Will focus primarily on the evidence files in the operating system


Tools and software

• National Institute of Standards and Technology Computer Forensics Tool Testing (NIST CFTT)

• Forensic Toolkit 5 (FTK)

• FTK Imager

• VirtualBox

• KFF – Known File Filter


Forensics methodology


Analysis results

• Software artefacts
  • Tor Browser
  • Metadata Anonymisation Kit
  • GTK RecordMyDesktop
  • Xchat
  • TorChat
  • OpenPGP

• Debian artefacts
  • File download
  • Program execution
  • File opening and creation
  • Deleted files
  • Account usage


Web browser

Tor Browser
• Security modified
• No data written outside the bundle directory: /home/user/tor-browser/browser/TorBrowser/Data
• No cache in deleted files

Iceweasel
• Limited security modifications
• Very similar to the Firefox browser
• Only recommended for downloading the Tor Browser
• Stores cache and browser data
• Browser data could be recovered


Preinstalled utilities

• Metadata Anonymisation Toolkit
  • Designed to delete all metadata from files
  • Prevents anonymity leaks through metadata
  • Its use is logged in the file /home/user/.local/share/recently-used.xbel:
    <bookmark href="file:///home/user/Selection_003.png" added="2015-03-10T14:23:27Z" modified="2015-03-10T14:23:27Z" visited="2015-03-10T14:23:27Z">
  • Creates a copy of the original file without metadata

• GTK RecordMyDesktop
  • Desktop session recorder
  • Creates video files in several formats; settings are outlined in /home/user/.gtk-recordmydesktop:
    - Sound settings
    - Cursor
    - Full shots – on or off
    - Filename
    - Number of channels
    - Sound device
    - Video quality
    - Audio quality
    - Working directory
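The recently-used.xbel entry quoted above is plain XML, so the timestamps it carries (all written in UTC with a trailing Z) can be pulled straight into an examiner's timeline. The following parser is an added example and not code from the presentation; the first bookmark is the entry shown on the slide, while the second entry, the application metadata inside the <info> blocks and the application name mat-gui are constructed sample data.

```python
# Added example (not from the slides): parse a GTK recently-used.xbel file and
# extract the per-file timestamps a forensic examiner would put on a timeline.
# The first <bookmark> entry is the one quoted on the slide; the second entry,
# the <info> blocks and the application names are constructed sample data.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: a minimal recently-used.xbel with two entries.
SAMPLE_XBEL = """<?xml version="1.0" encoding="UTF-8"?>
<xbel version="1.0"
      xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks"
      xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info">
  <bookmark href="file:///home/user/Selection_003.png" added="2015-03-10T14:23:27Z" modified="2015-03-10T14:23:27Z" visited="2015-03-10T14:23:27Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="image/png"/>
        <bookmark:applications>
          <bookmark:application name="mat-gui" exec="&apos;mat-gui %u&apos;" modified="2015-03-10T14:23:27Z" count="1"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
  <bookmark href="file:///home/user/Desktop/notes.txt" added="2015-03-10T15:01:02Z" modified="2015-03-10T15:40:11Z" visited="2015-03-10T15:40:11Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="text/plain"/>
        <bookmark:applications>
          <bookmark:application name="gedit" exec="&apos;gedit %u&apos;" modified="2015-03-10T15:40:11Z" count="3"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
</xbel>
"""

BOOKMARK_NS = "{http://www.freedesktop.org/standards/desktop-bookmarks}"
MIME_NS = "{http://www.freedesktop.org/standards/shared-mime-info}"


def parse_xbel_timestamp(value):
    """GTK writes ISO 8601 with a trailing 'Z'; return an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_recently_used(xml_text):
    """Return one record per <bookmark>: path, MIME type, timestamps and the applications that opened it."""
    root = ET.fromstring(xml_text)
    records = []
    for bm in root.findall("bookmark"):
        mime = bm.find(f".//{MIME_NS}mime-type")
        apps = [
            {"name": app.get("name"), "count": int(app.get("count", "0")),
             "last_used": parse_xbel_timestamp(app.get("modified"))}
            for app in bm.findall(f".//{BOOKMARK_NS}application")
        ]
        records.append({
            "href": bm.get("href"),
            "mime_type": mime.get("type") if mime is not None else None,
            "added": parse_xbel_timestamp(bm.get("added")),
            "modified": parse_xbel_timestamp(bm.get("modified")),
            "visited": parse_xbel_timestamp(bm.get("visited")),
            "applications": apps,
        })
    return records


def timeline(records):
    """Flatten records into (timestamp, event, href) tuples sorted by time, ready to merge with other artefacts."""
    events = []
    for r in records:
        for field in ("added", "modified", "visited"):
            events.append((r[field], field, r["href"]))
    return sorted(events)


if __name__ == "__main__":
    for ts, event, href in timeline(parse_recently_used(SAMPLE_XBEL)):
        print(ts.isoformat(), event, href)
```

The application block is worth keeping: it records which program opened the file and how many times, which is what ties a file such as Selection_003.png to the metadata toolkit rather than to an image viewer.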


Communication

Xchat
• Open chat communication program for unregistered and registered users
• Logging off by default
• Research recovered chat history from the scrollback logs: /home/user/.xchat2/scrollback/OFTC/#ChannelName
• Generates a random UserID

TorChat
• Chat program with features similar to MSN
• Routed through the Tor network
• Users have unique IDs
• Connections listed in /home/user/.torchat/buddy-list.txt
• A log of the conversations was recovered from /home/user/.torchat/userID.log


Encryption

• OpenPGP
  • Open source GPG encryption program
  • FTK was able to find exported/imported keys stored in the file system
  • Password protected
  • Encrypted files require the key and the password
  • Decrypted files are stored decrypted


Debian foundation artifacts

File download
• Same structure as Debian Linux: /home/user/, /home/user/Desktop
• Hidden (dot-prefixed) folders
• Program files in /usr, /usr/bin for binary files; found 1325 files – 448 after KFF

Program execution
• /var/log/auth.log
  Mar 10 18:03:27 host sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/pip install
• /home/user/.bash_history
• /var/log/dpkg.log
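The auth.log line quoted above shows the shape of the sudo entries an examiner reads for program execution: who ran what, from which TTY and working directory, and as which target user. The parser below is an added example, not code from the presentation. Its first sample line is the entry from the slide; the remaining lines (pam session noise, a refused attempt and a package install) are constructed. Syslog timestamps carry neither a year nor a time zone, so the caller supplies the year (taken from the image, e.g. file system timestamps) and the zone is assumed to be UTC, which the slides note Whonix uses by default.

```python
# Added example (not from the slides): extract sudo command executions from a
# Debian /var/log/auth.log into timestamped records. The first line is the entry
# quoted on the slide; the other lines are constructed sample data.
import re
from datetime import datetime, timezone

SAMPLE_AUTH_LOG = """\
Mar 10 18:03:27 host sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/pip install
Mar 10 18:03:27 host sudo: pam_unix(sudo:session): session opened for user root by user(uid=0)
Mar 10 18:03:41 host sudo: pam_unix(sudo:session): session closed for user root
Mar 10 18:05:02 host sudo:     user : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/bin/ls /root
Mar 11 09:12:55 host sudo: user : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/apt-get install torchat
"""

# Syslog prefix: month, day, time, host, then the sudo message body.
SYSLOG_PREFIX = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sudo: +(?P<rest>.*)$"
)
# sudo's own "user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..." layout.
# The optional "reason" field is present only on refused attempts.
SUDO_FIELDS = re.compile(
    r"^(?P<user>\S+) : (?:(?P<failure>.*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)


def parse_sudo_events(text, year):
    """Return one dict per sudo command line (successful or refused); pam session lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_PREFIX.match(line)
        if not m:
            continue
        f = SUDO_FIELDS.match(m.group("rest"))
        if not f:
            continue  # pam_unix session open/close noise
        # Year and zone are not in the log: the caller supplies the year, UTC is assumed.
        ts = datetime.strptime(
            f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        events.append({
            "timestamp": ts,
            "host": m.group("host"),
            "user": f.group("user"),
            "tty": f.group("tty"),
            "pwd": f.group("pwd"),
            "target_user": f.group("target"),
            "command": f.group("command"),
            "succeeded": f.group("failure") is None,
            "reason": f.group("failure"),
        })
    return events


def executed_commands(events):
    """Commands that actually ran as the target user, in log order."""
    return [e["command"] for e in events if e["succeeded"]]


if __name__ == "__main__":
    for e in parse_sudo_events(SAMPLE_AUTH_LOG, 2015):
        status = "ran" if e["succeeded"] else f"refused ({e['reason']})"
        print(e["timestamp"].isoformat(), e["user"], e["tty"], e["pwd"], status, e["command"])
```

The year must be chosen with care on a long-lived image: a log that wraps past 31 December contains two years of "Mar 10" lines, and rotated copies (auth.log.1, auth.log.2.gz) need their own year each.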


File system

File opening and creation
• MAC – Modified, Accessed, Created
• Time set to UTC
• Recently used file log in /home/user/recently-used.xbel
• Bash history log in /home/user/.bash_history

Deleted files
• Deleted 3 files, all recovered from unallocated space
• Approx. 30 hours of use gave 7696 deleted files, 734 of which were HTML and JPEG files
• /tmp & /var/tmp
• Recovered cache from Iceweasel


Account usage

• Traditional Linux utmp (current login state), wtmp (all logins and logouts) and btmp (failed logins) files

• VirtualBox has a function called «save current state»

• A variety of log files, such as /var/log/auth.log, /var/log/timesanitycheck.log, /root/.bash_history, program logs and the logs in /var/log, will show a history of the user being active

• Remember that time is set to UTC by default every time Whonix is booted up
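utmp, wtmp and btmp are binary files with one fixed-size record per event, so unlike auth.log they cannot be grepped; the record layout also depends on the architecture of the image. The decoder below is an added example, not code from the presentation: it packs a constructed four-record wtmp (boot, two logins, one logout) using the 384-byte struct utmp that glibc uses on x86_64 Linux, decodes it back, and pairs logins with logouts per terminal line. The kernel version string, PIDs and times in the sample are constructed; btmp uses the same record format, so the same decoder lists failed logins.

```python
# Added example (not from the slides): decode binary utmp/wtmp/btmp records
# from a Debian image and pair logins with logouts into sessions. The layout is
# glibc's 384-byte struct utmp on x86_64; the sample file is constructed here.
import struct
from datetime import datetime, timezone

# struct utmp (glibc, x86_64, little-endian): ut_type, 2 bytes padding, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], e_termination, e_exit,
# ut_session, tv_sec, tv_usec, ut_addr_v6[4], __unused[20]  -> 384 bytes.
UTMP_FORMAT = "<h2xi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)
assert UTMP_SIZE == 384

# ut_type values from <utmp.h>.
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
TYPE_NAMES = {BOOT_TIME: "BOOT_TIME", USER_PROCESS: "USER_PROCESS", DEAD_PROCESS: "DEAD_PROCESS"}


def _cstr(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def build_record(ut_type, pid, line, user, host, when):
    """Pack one utmp record; used only to construct the sample file below."""
    ut_id = line[-4:].encode().ljust(4, b"\0")
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), ut_id, user.encode(),
                       host.encode(), 0, 0, 0, int(when.timestamp()), 0, b"\0" * 16, b"\0" * 20)


def parse_utmp(data):
    """Yield one dict per record; a length that is not a multiple of 384 means the wrong layout or a truncated file."""
    if len(data) % UTMP_SIZE:
        raise ValueError(f"length {len(data)} is not a multiple of {UTMP_SIZE}: wrong architecture or truncated file")
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _usec, _addr, _pad) = struct.unpack_from(UTMP_FORMAT, data, off)
        yield {
            "type": TYPE_NAMES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),  # tv_sec is UTC epoch
        }


def sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same line; unmatched logins get logout None."""
    open_by_line, result = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            result.append({"user": login["user"], "line": r["line"], "login": login["time"], "logout": r["time"]})
    for login in open_by_line.values():
        result.append({"user": login["user"], "line": login["line"], "login": login["time"], "logout": None})
    return result


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample wtmp: a boot (reboot records carry the kernel version in
# ut_host), a console login, a terminal login and its logout.
SAMPLE_WTMP = b"".join([
    build_record(BOOT_TIME, 0, "~", "reboot", "3.16.0-4-amd64", _utc(2015, 3, 10, 17, 58, 3)),
    build_record(USER_PROCESS, 1201, "tty1", "user", "", _utc(2015, 3, 10, 17, 59, 40)),
    build_record(USER_PROCESS, 1342, "pts/0", "user", "", _utc(2015, 3, 10, 18, 2, 15)),
    build_record(DEAD_PROCESS, 1342, "pts/0", "", "", _utc(2015, 3, 10, 18, 30, 5)),
])

if __name__ == "__main__":
    for s in sessions(list(parse_utmp(SAMPLE_WTMP))):
        print(s["user"], s["line"], s["login"].isoformat(), s["logout"].isoformat() if s["logout"] else "still open")
```

A login with no matching logout is what a VirtualBox «save current state» or a hard power-off leaves behind, so the open sessions are worth reporting rather than discarding. When the image was taken from a 32-bit guest the record size differs and the length check fails, which is the signal to switch the struct layout rather than to trust partial output.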


The way forward

• Creating a guideline for future forensic investigations

• Researching how the Tor network affects evidence

• Researching which Linux packages in Whonix reveal privacy-relevant information

• This research will need future updates


Summary

• Traditional Debian artifacts

• All artifacts generated from a Linux Debian OS can be generated in Whonix

• Encryption recommended on host system

• Tor Browser stores browser data temporarily in RAM

• Chat history from Xchat can be recovered


Questions?

Contact: [email protected]