Antonio Barili – Digital Forensics Lab, Dept. of Industrial and Information Engineering, University of Pavia (Italy)
Digital Forensics
A Short Introduction to Digital and File System Forensics
Digital Forensics A Short Introduction to Digital and File System Forensics
© 2015 - Università degli Studi di Pavia - Antonio Barili 2
Edmond Locard
(1877-1966)
“Every contact leaves a trace”
Victim – Culprit – Scene
Exchange of Energy
Exchange of Information
Exchange of Matter
Digital Forensics
The uncovering and examination of artifacts with evidentiary value located on all kinds of electronic devices
The Challenges of Digital Forensics
• Data authenticity and volatility
• Data scale
• Data variety
The Purposes of Digital Forensics
• Find evidence of crimes that took place in the real world (e.g. stalking, murder)
• Find evidence of crimes that inherently involved a computer system (e.g. hacking)
Why is Digital Forensics so powerful?
• Computer systems store a vast amount of information
• Intentionally (documents, databases, log files)
• Unintentionally (partially erased documents and other artifacts)
• Computer systems are windows into the past!!!
What makes Digital Evidence different from traditional forms of evidence?
• Witnesses can testify in court
• Traditional documents may be directly evaluated by judges and jurors
• Digital Evidence needs an expert witness to be translated into evidence that is meaningful to the Court
Useful byproducts of Digital Forensics
• Data recovery
• Auditing and incident response
• Security testing of hardware and services
Digital Forensics: Procedures and Methods
• Legal issues
• Technical issues
• The limit is not what is technically possible, but what is cost-effective for the particular case
The Digital Forensics Model (RFC 3227 / 2002)
• Identification
• Acquisition
• Preservation
• Analysis
• Presentation
The Digital Forensics Model - Acquisition
• Physical images (disk images)
• Logical images (documents and files)
• Live data capture (memory dumps)
• Network data capture (logfiles, packet capture)
Example - File System Forensics
dd if=/dev/sdb of=/temp/image.raw
Forensic image formats: RAW (dd), EWF, AFF
Example - File System Forensics
dd if=/dev/sdb of=/temp/image.raw
Write blockers keep the original evidence from being altered during acquisition
Example - File System Forensics
Example - File System Forensics – DEMO
• TEST00 – FORMATTED AND WIPED
• TEST01 – JPEG IMAGE ALLOCATED
• TEST02 – JPEG IMAGE DELETED
• TEST03 – FORMATTED (NOT WIPED)
Example - File System Forensics
Example - File System Forensics
Volume metadata (MBR, GPT ...)
File System metadata (FAT, MFT, indexes, logfiles ...)
File metadata (file headers, EXIF codes ...)
File content
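An added example (not from the slides) of working at two of these layers on a constructed raw image: decoding the MBR partition table (volume metadata) and carving JPEG files by their header and footer signatures (file metadata), which is how the deleted picture of TEST02 can still be recovered while the wiped TEST00 yields nothing. The partition values and the JFIF-shaped body are constructed sample data, not taken from any real disk.

```python
import struct

JPEG_SOI, JPEG_EOI = b"\xFF\xD8\xFF", b"\xFF\xD9"  # JPEG start-of-image / end-of-image markers
ENTRY = "<B3sB3sII"  # MBR partition entry: status, CHS start, type, CHS end, LBA start, sector count

def build_mbr(entries):
    """Constructed 512-byte MBR (sample data, not from a real disk): zeroed boot code plus the given entries."""
    mbr = bytearray(512)
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into(ENTRY, mbr, 446 + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    mbr[510:512] = b"\x55\xAA"  # boot signature
    return bytes(mbr)

def parse_mbr(sector):
    """Volume metadata layer: decode the four partition entries; raises if the boot signature is missing."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY, sector, 446 + 16 * i)
        if ptype and count:  # an all-zero entry is an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return parts

def carve_jpegs(image):
    """File metadata layer: locate JPEG payloads by header/footer signature without consulting the
    file system, so a deleted file (TEST02) is found as long as its clusters were not overwritten."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        end = image.find(JPEG_EOI, start + 3) if start >= 0 else -1
        if end < 0:
            return found
        found.append((start, image[start:end + 2]))
        pos = end + 2

def build_image():
    """Constructed raw image: MBR, one FAT32 (type 0x0C) partition at LBA 8, an orphaned JPEG in its data area."""
    jpeg = JPEG_SOI + b"\xE0\x00\x10JFIF\x00" + b"\x00" * 200 + JPEG_EOI  # minimal JFIF-shaped body
    image = bytearray(build_mbr([(0x80, 0x0C, 8, 56)]) + b"\x00" * (63 * 512))
    image[12 * 512:12 * 512 + len(jpeg)] = jpeg  # no directory entry references it: a "deleted" file
    return bytes(image)

def demo():
    image = build_image()
    return parse_mbr(image[:512]), [(off, len(data)) for off, data in carve_jpegs(image)]
```

Running the same carver over a zero-filled (wiped) image returns an empty list, which is the TEST00 case.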
Example - File System Forensics
Preserving information integrity
• Document any operation
• Chain of custody
• Hashing
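The acquisition and integrity steps of the previous slides (imaging the device with dd behind a write blocker, then hashing and documenting every operation) combined in one added example; this is illustrative code, not from the slides or any forensic tool. It assumes the source is a path that can be opened read-only, that a bad sector surfaces as an OSError on read, and that the examiner name and paths are placeholders; a write blocker is hardware, and opening the device read-only does not replace it.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
BLOCK = 4096  # read granularity; a real acquisition uses the device's sector size or a multiple of it
now = lambda: datetime.now(timezone.utc).isoformat()

def sha256_file(path):
    """Hash a file from disk in blocks, so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()

def image_device(src_path, dst_path, log):
    """Copy src to dst block by block like `dd conv=noerror,sync`: unreadable blocks are logged and zero-filled."""
    h, bad, n = hashlib.sha256(), [], 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:  # "rb": the evidence is never opened for writing
        while True:
            try:
                chunk = src.read(BLOCK)
            except OSError as exc:  # hardware read error on this block
                bad.append(n)
                log.write(f"{now()} block {n}: read error ({exc}), zero-filled\n")
                src.seek((n + 1) * BLOCK)
                chunk = b"\x00" * BLOCK
            if not chunk:
                break
            dst.write(chunk)
            h.update(chunk)
            n += 1
    return h.hexdigest(), bad  # hash of the bytes written, list of bad block numbers

def acquire(src_path, dst_path, log_path, examiner):
    """Image the source, re-hash the image from disk and append a chain-of-custody record; True if both hashes agree."""
    with open(log_path, "a") as log:
        log.write(f"{now()} {examiner} acquisition start src={src_path} dst={dst_path}\n")
        stream_hash, bad = image_device(src_path, dst_path, log)
        image_hash = sha256_file(dst_path)
        log.write(f"{now()} sha256(stream)={stream_hash} sha256(image)={image_hash} bad_blocks={len(bad)}\n")
    return stream_hash == image_hash

def demo():
    # Constructed "device": a temp file of random bytes stands in for /dev/sdb (sample data, not a real dump)
    d = tempfile.mkdtemp()
    src, dst, log = (os.path.join(d, name) for name in ("device.bin", "image.raw", "custody.log"))
    with open(src, "wb") as f:
        f.write(os.urandom(3 * BLOCK + 123))  # not a multiple of BLOCK: exercises the short final read
    return acquire(src, dst, log, "examiner-placeholder"), sha256_file(src) == sha256_file(dst), os.path.getsize(dst)
```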
Evaluating Digital Evidence – The Daubert Standard
a. Empirical testing: whether the theory or technique is falsifiable, refutable, and/or testable
b. Whether it has been subjected to peer review and publication
c. The known or potential error rate
d. The existence and maintenance of standards and controls concerning its operation
e. The degree to which the theory and technique is generally accepted by a relevant scientific community
Evaluating Digital Evidence – FRE 702
702. TESTIMONY BY EXPERT WITNESSES
A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:
(a) The expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;
(b) The testimony is based on sufficient facts or data;
(c) The testimony is the product of reliable principles and methods; and
(d) The expert has reliably applied the principles and methods to the facts of the case.
Example - File System Forensics
A GPS navigation device was imaged; all strings longer than 8 characters (ASCII or Unicode) were carved from the image using Sysinternals strings.exe
Note: carving requires the image to be mounted as a RAW (uncompressed) file
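An added example, not from the slides, that reproduces the string-carving step in Python: it scans a raw (uncompressed) image for printable ASCII and UTF-16LE runs of at least 8 characters (the slide's threshold) and reports their offsets, so text from deleted entries and slack space is found as well. The image fragment, filler bytes and destination text are constructed sample data, not from any device.

```python
import re

MIN_LEN = 8  # minimum run length, as on the slide: shorter runs are mostly binary noise

def carve_strings(image, min_len=MIN_LEN):
    """Return (offset, encoding, text) for every printable run of at least min_len characters."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text (Windows-style): every printable ASCII code unit is followed by a zero byte
    utf16le_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = []
    for m in ascii_run.finditer(image):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16le_run.finditer(image):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)  # by offset, so the report reads in image order

def build_fragment():
    """Constructed raw image fragment standing in for the GPS dump (sample data, not a real device)."""
    noise = bytes([0x00, 0xFF, 0x13, 0x07]) * 16  # non-printable filler between the planted strings
    ascii_part = b"C:\\Maps\\europe_2014.bin"  # a path stored as ASCII
    utf16_part = "Last destination: Pavia Centrale".encode("utf-16-le")
    short = b"ok\x00"  # only 2 printable characters: below the threshold, must not be reported
    return noise + ascii_part + noise + utf16_part + noise + short + noise
```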
Friends, Romans, countrymen, lend me your ears
I come to bury Caesar, not to praise him.
The evil that men do lives after them
The good is oft interred with their bones
… Facebook was yet to come!
One final question:
Is digital evidence really that fragile?
Thank You!