We all face the problem of growing amounts of evidence on a regular basis. Improving raw acquisition speed is one way to limit the impact of this, and Evimetry has been consistently delivering the fastest acquisition speeds bar none since we launched two years ago. Yet we aren’t the only solution claiming to be the “fastest” or have “unparalleled” speeds. Led by a practitioner and forensic scientist, it is in Evimetry’s DNA to value substantiation.
How to analyse AFF4 linux memory images
In my last post I described Evimetry's support for remote memory acquisition. In this post I'll give a quick walkthrough on setting up Volatility for analysis of those images. I prefer to make a Python virtualenv specifically for working with Volatility. In this example, I'm using MacOS with brew for my Python (the Python shipped with MacOS is broken in regard to pip's TLS authentication). Hence the -p argument.
mkdir volmem
cd volmem
virtualenv -p /usr/local/bin/python volmem
source volmem/bin/activate
Install all the dependencies with the following (the last two aren't strictly necessary, but prevent a load of complaints from Volatility).
How to acquire Linux memory images without a driver
For a long time now, operating systems such as Windows and MacOS have prevented user space applications from accessing the raw physical memory of the machine. Physical acquisition and virtualisation approaches aside, this has led the field to require the use of kernel drivers to export physical RAM for acquisition. In the Linux realm, Joe Sylve's LiME is the go-to for many. It appears not widely known that on Linux x64, acquisition of physical memory is possible without using a driver such as LiME.
Announcing Evimetry Lab: changing the game for in-lab forensics
When it comes to preserving evidence, DF labs generally fall into two camps: those that acquire in the field, and those that collect evidence in the field, only later doing acquisition in-lab. Over the last two years, Evimetry's product offerings have been primarily aimed at the former. Practitioners have benefited from the fastest in-field acquisitions, while at the same time being able to do meaningful analysis work while waiting for acquisition to complete.
Simple Deadboot provisioning and acquisition with Evimetry
We have just shipped two releases of Evimetry: v3.0.7 (in our stable stream) & v3.1.5 (in our pre-release stream). Recent releases bring native Deadboot media creation, and introduce an improved Deadboot Imager UI. Native Deadboot Media Creation. We can now create Evimetry Deadboot USBs directly from the Controller, and for larger drives, use the additional space for evidence storage. With a single hard drive serving both as an Evimetry Deadboot and Evidence Repository, scarce USB ports are freed up on target devices, workflow is simplified, and the number of devices to manage is limited.
Native AFF4 read support for X-Ways & Forensic Explorer
In the last two weeks, two of our favourite disk forensic tools integrated native read support for the AFF4 forensic format. Forensic Explorer released v4 of their product, with native AFF4 read support, and X-Ways Forensics released v19.5, which has a plugin API supporting our AFF4 read plugin. This represents a big step forward towards general adoption of the next-generation image format. Background. Evimetry's filesystem bridge provides a straightforward and efficient way of consuming AFF4 images from any commercial forensic tool, and results in faster analysis & processing than E01s.
AWS EC2 Cloud Storage Acquisition with Evimetry
You have been tasked with forensic acquisition of 6 servers in the AWS cloud, with a total of 2TB of storage. How do you do it? This post will describe the method I applied in a recent case, where we collected the storage, acquired it into forensic images, and pulled the images down into our custody overnight. While I will be describing how I did it using Evimetry, the method is easily translatable to other tools.
Updated slides: Accelerating your forensic & incident response workflow
Late last year I had the pleasure of attending the F3 conference in Gloucestershire, UK. It is quite unlike any other digital forensics conference I have ever been to; a community-run, practitioner-focused, 2-day conference situated in a stately manor in the English countryside. I can thoroughly recommend it. I had the opportunity to present an updated version of my presentation: "Accelerating your forensic & incident response workflow: the case for a new standard in forensic imaging".
Call for participation - AFF4 Working Group meeting at DFRWS 2017 USA
The Advanced Forensic Format 4 Working Group (AFF4 WG) is calling for interested parties to join the second working group meeting, to be co-located at the DFRWS Conference 2017, in Austin, TX. Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container enables new approaches to forensics, unparalleled forensic acquisition speeds and more accurate representation of evidence. The AFF4 WG has recently released v1.0 of the AFF4 Standard, including canonical images, specification, and open source libraries for implementers.
Compiling Sleuth Kit with AFF4 support on MacOS
We recently contributed patches to the Sleuth Kit to read AFF4 images. While we are waiting for those to be pulled into the main distribution, the following recipe should suffice for compiling a stand-alone copy on MacOS. Dependencies. The following dependencies are needed to compile libAFF4 on OSX. I use MacPorts, and the corresponding packages I needed to install are: ossp-uuid zlib snappy raptor2 google-glog pcrexx * tclap (missing *.
Evimetry v3 Released: Remote volatile memory support
We recently released Evimetry 3, the newest release of our revolutionary approach to forensic acquisition and analysis. What's new? The big news is that we now support remote volatile memory acquisition. This means that in addition to being able to acquire remote disks, you can now acquire the volatile memory of live Windows, MacOS, and Linux hosts. We primarily support Windows XP and above (x86 and x64) and OSX Mountain Lion and above (x64).
Sleuth Kit support for the AFF4 Standard v1.0 Released
I am pleased to announce the availability of both a set of patches to the Sleuth Kit and an open source C/C++ implementation for reading AFF4 Standard v1.0 disk images. Last week the AFF4 Standard v1.0 was released by Bradley Schatz (Evimetry) and Michael Cohen (Google). Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container enables new approaches to forensics, unparalleled forensic acquisition speeds and more accurate representation of evidence.
Introducing Evimetry Community Edition
Evimetry Community Edition provides a subset of the Evimetry system for free. The purpose of this is to grow the AFF4 ecosystem, firstly by providing a pain free path for Evimetry licensees to provide AFF4 images to non-licensees. Secondly, we wanted to provide practitioners, researchers and educators a freely available implementation of the AFF4 standard v1.0 which can be used to gain familiarity with the format. Schatz Forensic, the creators of Evimetry, drove the standardisation effort behind the AFF4 Standard v1.
AFF4 Standard v1.0 Released
Today marks the release of the Advanced Forensic Format 4 (AFF4) Standard v1.0. Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container enables new approaches to forensics, unparalleled forensic acquisition speeds and more accurate representation of evidence. These are enabled through next-generation forensic image features such as storage virtualisation, arbitrary metadata, and partial, non-linear and discontiguous images. The standard is the culmination of research spanning 8 years and 4 scientifically peer reviewed papers.
AFF4: The new standard in forensic imaging and why you should care
At this year's Open Source Digital Forensics Conference (OSDFCon 2016) I presented an update on the AFF4 standardisation effort. For the conference we unveiled a significant milestone: support for consuming Evimetry produced AFF4 forensic images with the Sleuth Kit. While users of Evimetry are able to exploit the benefits afforded by AFF4 seamlessly with their regular forensic tools, we believe that native support for the format across both opensource and commercial tools will accelerate forensic workflow even further.
Accelerating forensic and incident response workflow: AusCERT 2016 Slides
Existing forensic image formats are a bottleneck in the multi-core era: the slides from my recent presentation on accelerating forensic & incident response workflow at the AusCERT 2016 Conference. This summarises the research behind Evimetry Wirespeed. Accelerating forensic and incident response workflow: the case for a new standard in forensic imaging (AusCERT 2016) from Bradley Schatz
Live Partial Acquisition with Evimetry Wirespeed and EnCase
The Evimetry Wirespeed system enables remote live analysis using your existing forensic toolkit. In doing so, a partial physical image is created. Analysis activity drives the partial acquisition process, which in turn results in an increasingly complete physical disk image. Acquisition may be incrementally widened to categories of evidence, such as Windows Registries, Log Files, Office documents, Allocated, and all of disk. An important aspect in balancing live analysis with bulk acquisition is interactive latency (liveness).
Introducing Evimetry: digital forensics at wire speed
Digital forensics is full of waiting. Waiting for acquisitions to complete. Waiting for images to process. Waiting for flights and waiting in data centres. We set out to remove this wait. In November 2014, Schatz Forensic quietly opened a beta program for a new forensic tool aimed at speeding forensic workflow. The innovative system accelerates acquisition and processing of evidence and closes the gap between acquisition and analysis. A long beta program has allowed us to listen to our testers, and target the pain points in their forensic process.
Follow up paper on the AFF4 evidence container to be presented at 6th IFIP WG 11.9 International Conference on Digital Forensics
I posted earlier about a new forensic container format being created by myself, Michael Cohen, and Simson Garfinkel. A paper describing the work was presented at DFRWS 2009 by Michael. Michael and I have recently extended and refined the container format to support describing the provenance of information and data, and more accurate description of evidence characteristics. A paper describing this work, titled “Refining the AFF4 evidence container for provenance and accurate data representation”, has been accepted for presentation at the 6th Annual IFIP WG 11.
Paper on new evidence container format accepted for presentation at DFRWS2009
Michael Cohen, Simson Garfinkel and I have been collaborating recently on the development of a new digital evidence storage container format. Today we have had notification that a paper detailing the research behind this development has been accepted at the 2009 Digital Forensics Research Workshop, to be held in Montreal, Canada. The title of the paper is “Extending the Advanced Forensic Format to accommodate Multiple Data Sources, Logical Evidence, Arbitrary Information and Forensic Workflow”.