Selective and Intelligent Imaging Using Digital Evidence Bags.
Bit-Stream imaging
Bit-by-bit copy from the source drive to a forensic image
Small drives:
• Effective
• Quick
Large drives:
• Resource-consuming
• Time-consuming
Bit-Stream imaging
Not always the best approach
More useful imaging:
• Specify the information to include
• Sort out the relevant data
Keep the process simple, but more effective than plain bit-stream imaging
Selective Imaging
Improvement on bit-stream imaging
Decides what content to include in the image based on some criteria
• File type (pictures, email logs, etc.)
• Creation date
Used for multiple reasons
• Large drive
• Infeasible to make a complete image
• Legal requirements
Selective Imaging
Multiple types of selective imaging, each with a different mode of operation
Manual
• Forensic investigator arbitrarily decides what files to include in the image
• A file browser is used to navigate the file system
• The image is created based on the selections
Selective Imaging
Semi-Automatic
• Forensic investigator uses categories of information or other criteria to decide what files to include
  o File extension
  o Signature
  o Hash
• Imager includes the files satisfying the criteria
(Figure: criteria applied to .JPG and .DOC files; matching files go into the image)
Selective Imaging
Automatic
• Forensic investigator specifies only the source drive and the destination target for the image
• Imaging application collects the relevant evidence
• Uses configuration files to decide what information to include
• Configuration files are defined before run time (usually specific to the case)
(Figure: source drive -> imager + configuration -> image destination)
Selective Imaging
Imaging options can get very complex
Existing selective imagers have no way of keeping track of where the data came from originally
Data origin includes:
• Physical sector location (data runs)
• Logical cluster location (start of volume + offset)
• Folder location (path from the root folder)
Intelligent Imaging
Another way to improve on bit-stream imaging
Capture the knowledge of domain experts for use in an intelligent system
Nontechnical users can then acquire and analyze an image:
• Choose the case type
• Imager acquires the relevant information
• Based on expert knowledge of the case type
Intelligent Imaging
Meant to alert the investigator to categories of information outside the initial line of inquiry
Not supposed to decide what to capture in the image
Difficulties:
• How do you get the expert knowledge?
• How do you know nothing is missing?
Imaging Problems
Selective and intelligent imaging offer more options than bit-stream imaging
However, no current (2006) tool implements selective or intelligent imaging while recording the origin of the information
No method records how an examiner or imager decided what to acquire
• Manual mode?
• Categories of information?
• Signatures?
DEBs
Selective and intelligent imagers can produce Digital Evidence Bags (DEBs)
Universal container for digital information
• Supports any source drive
• Data origin recorded and maintained
• Encapsulated (DEBs inside DEBs)
DEBs
A homogeneous DEB is produced even if there are:
• Different drive sources
• Different imagers
• Device-specific imagers
Analysis and examination applications would be compatible with DEBs, independent of the drive source
DEBs
Architecture (diagram components):
Source drives
• Drives with information to capture
Selective/Intelligent Imager
• Imager application
• Acquires relevant information from source drives
Category Definition File & Imager Configuration File
• Additional information for imager decisions
Digital Evidence Bag
• Produced by the Selective/Intelligent Imager from source drives
• Contains the captured information
DEBs
Dynamic creation
Imager able to create a DEB regardless of mode of operation
• Manual
• Semi-Automatic
• Automatic
Mode of operation also recorded in the DEB
DEBs
DEB components:
• .tag files
• .index files
• .bag files
Evidence Unit (EU):
• one .index file + one .bag file
DEBs
.tag files
Plaintext file with sections
.tag sections:
• [DEB Header]
• [Evidence Units]
• [DEB Footer]
• [TCB]
DEBs
[DEB Header]
Contains metadata about the DEB and the Index Format
Metadata:
• Investigator(s)
• Creation timestamp
• Description of evidence
  o What evidence was collected
  o Where evidence was collected
  o When evidence was collected
DEBs
[DEB Header]
Index Format specifies the default content sequence of the DEB .index files
Defines the layout of information in an .index file
.index files are composed of meta-tags that store information captured from a device
.index file meta-tag categories:
• Labels
  o File name/path (F), origin description (P), file attributes (Fa), command (C)
• Timestamps
  o Last modified (Tmod), accessed (Tacc), created (Tcre)
• Numeric
  o Physical sector (PS), logical cluster number (LCN), file logical size (Fls), file physical size (Fps)
• Integrity
  o MD5 hash (Hmd5), SHA hash (Hsha)
Example Index Format: F LCN PS Fa Tacc Tmod Tcre Fls Fps Hmd5
DEBs
[Evidence Units]
Records all EUs created in the DEB and their content type
EU integrity hashes:
• .index file hash
• .bag file hash
Format:
EU = ##
IndexHash = <Hash>
BagHash = <Hash>
ContentType = <Type>
DEBs
[Evidence Units]
The content of the first EU (Evidence Unit 0) is reserved for case notes and metadata about the case:
• Imager used to create the DEB
  o Version number
  o Integrity hash
  o Configuration file
  o Capture criteria
• Additional information
  o Photos
  o Text
DEBs
[Evidence Units]
The content of the remaining EUs is defined by the examiner
Based on:
• Case requirements
• Configuration of the imager tool
DEBs
[Evidence Units]
Content types:
• ContentType-Sig=<File signatures>
• ContentType-Ext=<File extensions>
• ContentType-Cat=<Category type>
• ContentType-Manual=<label>
  o Manually selected contents
• ContentType-CLI=<label>
  o Contents selected from the command line
DEBs
[DEB Footer]
Records the number of EUs in the DEB and the .tag file integrity hash (necessarily computed over the .tag content that precedes the footer, since the hash cannot cover itself)
DEBs
[TCB]
Tag Continuity Blocks (not pictured)
• Appended to the end of the DEB .tag file whenever the DEB is accessed or analyzed
• Record the application function, its signature, and the timestamp of the access
DEBs
.index files
Contains metadata about the information held in the DEB Evidence Unit
Uses meta-tags to organize the metadata
.bag files
Concatenation of imager-generated binary information
• Referenced by each entry in the corresponding .index file
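The .tag/.index/.bag layout described above is simple enough to build and check end to end. The Python below is an added example (not code from the slides or from the DFRWS paper) that writes one DEB with EU 0 as case notes and EU 1 as two selectively captured files, appends a TCB on access, and then verifies the footer tag hash, every EU's IndexHash/BagHash, and every index entry's own hash against the bytes in the .bag. Assumptions specific to this example: a five-tag Index Format (F PS Fls Fps Hsha) with tab-separated fields, entries laid into the .bag in index order so an entry's offset is the sum of the Fls values before it, SHA-256 for all hashes (the slides do not fix a SHA variant, and MD5 is collision-broken), `key = value` lines inside the sections, and a free-text "Signature" field in the TCB. All captured data is constructed.

```python
import hashlib

# Index Format for this example: a subset of the meta-tags on the slides, tab-separated.
# Entries are laid into the .bag in index order, so an entry's bag offset is the sum of
# the Fls values before it; no extra offset tag is needed.
INDEX_FORMAT = "F PS Fls Fps Hsha"
SECTOR = 512


def h(data: bytes) -> str:
    # Assumption: Hsha, IndexHash, BagHash and TagHash all use SHA-256.
    return hashlib.sha256(data).hexdigest()


def build_eu(captured):
    """captured: list of (path, physical_sector, data) from the imager.
    Returns (index_text, bag_bytes): the .index/.bag pair forming one Evidence Unit."""
    bag, lines = bytearray(), []
    for path, ps, data in captured:
        fls = len(data)
        fps = -(-fls // SECTOR) * SECTOR           # physical size: whole sectors
        bag += data                                 # .bag = concatenation of captured data
        lines.append("\t".join([path, str(ps), str(fls), str(fps), h(data)]))
    return "\n".join(lines) + "\n", bytes(bag)


def build_tag(eus, investigator, description, created, content_types):
    """Write the .tag file: header, one record per EU, footer with EU count and tag hash.
    content_types: list of (kind, label), e.g. ("Sig", "jpg") -> 'ContentType-Sig = jpg'."""
    out = ["[DEB Header]", f"Investigator = {investigator}", f"Created = {created}",
           f"Description = {description}", f"IndexFormat = {INDEX_FORMAT}", "", "[Evidence Units]"]
    for n, ((index_text, bag), (kind, label)) in enumerate(zip(eus, content_types)):
        out += [f"EU = {n:02d}", f"IndexHash = {h(index_text.encode())}",
                f"BagHash = {h(bag)}", f"ContentType-{kind} = {label}", ""]
    out += ["[DEB Footer]", f"EUCount = {len(eus)}"]
    body = "\n".join(out) + "\n"
    return body + f"TagHash = {h(body.encode())}\n"   # hash of everything above this line


def append_tcb(tag_text, application, function, signature, timestamp):
    """Tag Continuity Block: appended after the footer each time the DEB is accessed.
    'signature' identifies the accessing application (assumed free text here)."""
    return tag_text + (f"\n[TCB]\nApplication = {application}\nFunction = {function}\n"
                       f"Signature = {signature}\nTimestamp = {timestamp}\n")


def verify(tag_text, eus):
    """Check the footer tag hash, every EU's index/bag hash and every index entry's Hsha.
    Returns a list of problems; an empty list means the DEB is intact."""
    problems, lines = [], tag_text.splitlines()
    end = next(i for i, l in enumerate(lines) if l.startswith("TagHash = "))
    if h(("\n".join(lines[:end]) + "\n").encode()) != lines[end].split(" = ", 1)[1]:
        problems.append("tag hash mismatch")
    records, cur = [], None
    for l in lines[:end]:                           # TCBs after the footer are not covered
        if l.startswith("EU = "):
            cur = {"EU": int(l[5:])}
            records.append(cur)
        elif l.startswith("["):
            cur = None
        elif cur is not None and " = " in l:
            k, v = l.split(" = ", 1)
            cur[k] = v
    if len(records) != len(eus):
        problems.append("EU count mismatch")
    for rec, (index_text, bag) in zip(records, eus):
        tag = f"EU {rec['EU']:02d}"
        if rec.get("IndexHash") != h(index_text.encode()):
            problems.append(f"{tag} index hash mismatch")
        if rec.get("BagHash") != h(bag):
            problems.append(f"{tag} bag hash mismatch")
        off = 0
        for entry in index_text.splitlines():       # cross-check each entry against the .bag
            f, _ps, fls, _fps, hsha = entry.split("\t")
            if h(bag[off:off + int(fls)]) != hsha:
                problems.append(f"{tag} entry {f} hash mismatch")
            off += int(fls)
    return problems


def demo():
    """Constructed DEB: EU 0 = case notes, EU 1 = two selectively captured files."""
    notes = build_eu([("case_notes.txt", "-", b"Imager demo-imager 0.1; criteria Sig=jpg\n")])
    files = build_eu([("pics/holiday.jpg", 2048, b"\xff\xd8\xff\xe0" + b"A" * 600),
                      ("notes/todo.txt", 4096, b"\xff\xd8\xff\xe1" + b"B" * 100)])
    eus = [notes, files]
    tag = build_tag(eus, "J. Doe", "laptop HDD, selective acquisition",
                    "2006-01-01T00:00:00Z", [("Manual", "case-notes"), ("Sig", "jpg")])
    tag = append_tcb(tag, "deb-verify", "verify", "demo-app-id", "2006-01-02T00:00:00Z")
    intact = verify(tag, eus)
    tampered = (files[0], files[1][:10] + b"X" + files[1][11:])   # flip one byte in the .bag
    return intact, verify(tag, [notes, tampered])


if __name__ == "__main__":
    print(demo())
```

Note what the layered hashes buy you: a single changed byte in a .bag is reported both as a BagHash failure for the EU and as a per-entry failure naming the affected file, while the TCB appended on access sits after the footer and therefore does not disturb the TagHash.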
The Ultimate Test
Ultimate test for any imager and container that does not generate or store standard bit-stream images:
• The imaging method and container must store enough information about the origin of the captured data that, when the information is restored, it is identical to what would have been acquired with bit-stream imaging
To check this, an application must process the DEB .index entries in ascending order of physical data location and generate a hash over the corresponding .bag contents
The result is an image with the same contents, and therefore the same hash, as a bit-stream image of the same regions; a selectively acquired DEB can only reproduce the regions it actually captured, so the comparison covers those regions only, and the whole drive only when everything was captured
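The test above can be run mechanically. The Python below is an added example (not code from the slides or from the DFRWS paper): it builds a constructed 16-sector "drive", acquires a few data runs selectively in non-physical order, restores the .bag contents by ascending physical sector, and compares the hash with the same sectors read from the bit-stream image. It also shows the two caveats a practitioner cares about: a corrupted .bag fails the test, and only a capture that covers every sector restores to a byte-for-byte copy of the drive. The index here is a plain list of (PS, Fps) pairs rather than a full .index file, and overlapping runs are rejected because they cannot come from a single consistent selection; both are this example's own choices.

```python
import hashlib
import random

SECTOR = 512


def make_source_disk(n_sectors, seed=7):
    """Constructed source drive: n_sectors of deterministic pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_sectors * SECTOR))


def selective_acquire(disk, runs):
    """Imager side: capture the data runs (start_sector, sector_count) in whatever order
    the selection produced them. Returns (index, bag): index is a list of (PS, Fps) and
    bag is the concatenation of the captured bytes in that order."""
    index, bag = [], bytearray()
    for ps, count in runs:
        data = disk[ps * SECTOR:(ps + count) * SECTOR]
        index.append((ps, len(data)))
        bag += data
    return index, bytes(bag)


def restore_in_physical_order(index, bag):
    """Verifier side: walk the index by ascending PS and emit the .bag contents in that
    order. Returns (ordered_bytes, covered_sector_ranges). Overlapping runs are rejected."""
    entries, off = [], 0
    for ps, size in index:
        entries.append((ps, off, size))       # remember where each run sits in the .bag
        off += size
    entries.sort()                            # ascending physical sector
    prev_end = -1
    for ps, _, size in entries:
        if ps < prev_end:
            raise ValueError(f"overlapping data runs at sector {ps}")
        prev_end = ps + size // SECTOR
    ordered = b"".join(bag[o:o + s] for _, o, s in entries)
    covered = [(ps, ps + s // SECTOR) for ps, _, s in entries]
    return ordered, covered


def hash_sectors(image, covered):
    """Hash the same sector ranges read from the bit-stream image in ascending order."""
    return hashlib.sha256(b"".join(image[a * SECTOR:b * SECTOR] for a, b in covered)).hexdigest()


def passes_ultimate_test(image, index, bag):
    """True when the physically ordered .bag contents hash to the same value as the
    corresponding regions of the bit-stream image."""
    ordered, covered = restore_in_physical_order(index, bag)
    return hashlib.sha256(ordered).hexdigest() == hash_sectors(image, covered)


def demo():
    disk = make_source_disk(16)
    image = disk                              # a bit-stream image is the drive, byte for byte
    index, bag = selective_acquire(disk, [(12, 2), (3, 1), (8, 3)])   # not in physical order
    partial_ok = passes_ultimate_test(image, index, bag)
    damaged = bag[:700] + bytes([bag[700] ^ 0xFF]) + bag[701:]        # one corrupted byte
    corrupted_ok = passes_ultimate_test(image, index, damaged)
    index, bag = selective_acquire(disk, [(8, 4), (0, 4), (12, 4), (4, 4)])  # every sector
    restored, _ = restore_in_physical_order(index, bag)
    return partial_ok, corrupted_ok, restored == image


if __name__ == "__main__":
    print(demo())
```

The selective case passes because each captured run carries its physical sector, which is exactly the origin information the slides say existing selective imagers fail to record; without PS there is nothing to sort by and the test cannot be run at all.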
Conclusion
Many options exist for the selective capture of information
The container in which the captured information is stored is also important, in order to ensure:
• A defined structure
• Unhindered examination
We can better understand the selective approach by following the techniques described
References
• P. Turner, "Selective and Intelligent Imaging Using Digital Evidence Bags", DFRWS 2006: http://www.dfrws.org/2006/proceedings/8-Turner.pdf