Category: Storage Forensics
We all face the problem of growing amounts of evidence on a regular basis. Improving raw acquisition speed is one way to limit the impact of this, and Evimetry has been consistently delivering the fastest acquisition speeds bar none since we launched two years ago. Yet we aren’t the only solution claiming to be the “fastest” or have “unparalleled” speeds. Led by a practitioner and forensic scientist, it is in Evimetry’s DNA to value substantiation.
Announcing Evimetry Lab: changing the game for in-lab forensics
When it comes to preserving evidence, DF labs generally fall into two camps: those that acquire in the field, and those that collect evidence in the field and only later perform acquisition in-lab. Over the last two years, Evimetry's product offerings have been primarily aimed at the former. Practitioners have benefited from the fastest in-field acquisitions, while at the same time being able to do meaningful analysis work while waiting for acquisition to complete.
Simple Deadboot provisioning and acquisition with Evimetry
We have just shipped two releases of Evimetry: v3.0.7 (in our stable stream) & v3.1.5 (in our pre-release stream). Recent releases bring native Deadboot media creation, and introduce an improved Deadboot Imager UI. Native Deadboot Media Creation: we can now create Evimetry Deadboot USBs directly from the Controller, and for larger drives, use the additional space for evidence storage. With a single hard drive serving both as an Evimetry Deadboot and Evidence Repository, scarce USB ports are freed up on target devices, workflow is simplified, and the number of devices to manage is reduced.
Native AFF4 read support for X-Ways & Forensic Explorer
In the last two weeks, two of our favourite disk forensic tools integrated native read support for the AFF4 forensic format. Forensic Explorer released v4 of their product, with native AFF4 read support, and X-Ways Forensics released v19.5, which has a plugin API supporting our AFF4 read plugin. This represents a big step forward towards general adoption of the next-generation image format. Background: Evimetry's filesystem bridge provides a straightforward and efficient way of consuming AFF4 images from any commercial forensic tool, and results in faster analysis & processing than E01s.
AWS EC2 Cloud Storage Acquisition with Evimetry
You have been tasked with forensic acquisition of 6 servers in the AWS cloud, with a total of 2TB of storage. How do you do it? This post will describe the method I applied in a recent case, where we collected the storage, acquired it into forensic images, and pulled the images down into our custody overnight. While I will be describing how I did it using Evimetry, the method is easily translatable to other tools.
Updated slides: Accelerating your forensic & incident response workflow
Late last year I had the pleasure of attending the F3 conference in Gloucestershire, UK. It is quite unlike any other digital forensics conference I have ever been to: a community-run, practitioner-focused, two-day conference situated in a stately manor in the English countryside. I can thoroughly recommend it. I had the opportunity to present an updated version of my presentation: "Accelerating your forensic & incident response workflow: the case for a new standard in forensic imaging".
Call for participation - AFF4 Working Group meeting at DFRWS 2017 USA
The Advanced Forensic Format 4 Working Group (AFF4 WG) is calling for interested parties to join the second working group meeting, to be co-located at the DFRWS Conference 2017, in Austin, TX. Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container enables new approaches to forensics, unparalleled forensic acquisition speeds and more accurate representation of evidence. The AFF4 WG has recently released v1.0 of the AFF4 Standard, including canonical images, specification, and open source libraries for implementers.
Compiling Sleuth Kit with AFF4 support on MacOS
We recently contributed patches to the Sleuth Kit to read AFF4 images. While we are waiting for those to be pulled into the main distribution, the following recipe should suffice for compiling a stand-alone copy on MacOS. Dependencies: the following dependencies are needed to compile libAFF4 on OSX. I use MacPorts, and the corresponding packages I needed to install are: ossp-uuid, zlib, snappy, raptor2, google-glog, pcrexx, tclap (missing …
Sleuth Kit support for the AFF4 Standard v1.0 Released
I am pleased to announce the availability of both a set of patches to the Sleuth Kit and an open source C/C++ implementation for reading AFF4 Standard v1.0 disk images. Last week the AFF4 Standard v1.0 was released by Bradley Schatz (Evimetry) and Michael Cohen (Google). Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container enables new approaches to forensics, unparalleled forensic acquisition speeds and more accurate representation of evidence.
Introducing Evimetry Community Edition
Evimetry Community Edition provides a subset of the Evimetry system for free. The purpose of this is to grow the AFF4 ecosystem, firstly by providing a pain-free path for Evimetry licensees to provide AFF4 images to non-licensees. Secondly, we wanted to provide practitioners, researchers and educators a freely available implementation of the AFF4 standard v1.0 which can be used to gain familiarity with the format. Schatz Forensic, the creators of Evimetry, drove the standardisation effort behind the AFF4 Standard v1.
AFF4 Standard v1.0 Released
Today marks the release of the Advanced Forensic Format 4 (AFF4) Standard v1.0. Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container enables new approaches to forensics, unparalleled forensic acquisition speeds and more accurate representation of evidence. These are enabled through next-generation forensic image features such as storage virtualisation, arbitrary metadata, and partial, non-linear and discontiguous images. The standard is the culmination of research spanning 8 years and 4 scientifically peer reviewed papers.
AFF4: The new standard in forensic imaging and why you should care
At this year's Open Source Digital Forensics Conference (OSDFCon 2016) I presented an update on the AFF4 standardisation effort. For the conference we unveiled a significant milestone: support for consuming Evimetry-produced AFF4 forensic images with the Sleuth Kit. While users of Evimetry are able to exploit the benefits afforded by AFF4 seamlessly with their regular forensic tools, we believe that native support for the format across both open source and commercial tools will accelerate forensic workflow even further.
Accelerating forensic and incident response workflow: AusCERT 2016 Slides
Existing forensic image formats are a bottleneck in the multi-core era: the slides from my recent presentation on accelerating forensic & incident response workflow at the AusCERT 2016 Conference. This summarises the research behind Evimetry Wirespeed. "Accelerating forensic and incident response workflow: the case for a new standard in forensic imaging" (AusCERT 2016), from Bradley Schatz.
Live Partial Acquisition with Evimetry Wirespeed and EnCase
The Evimetry Wirespeed system enables remote live analysis using your existing forensic toolkit. In doing so, a partial physical image is created. Analysis activity drives the partial acquisition process, which in turn results in an increasingly complete physical disk image. Acquisition may be incrementally widened to categories of evidence, such as Windows Registries, Log Files, Office documents, Allocated, and all of disk. An important aspect in balancing live analysis with bulk acquisition is interactive latency (liveness).
Introducing Evimetry: digital forensics at wire speed
Digital forensics is full of waiting. Waiting for acquisitions to complete. Waiting for images to process. Waiting for flights and waiting in data centres. We set out to remove this wait. In November 2014, Schatz Forensic quietly opened a beta program for a new forensic tool aimed at speeding forensic workflow. The innovative system accelerates acquisition and processing of evidence and closes the gap between acquisition and analysis. A long beta program has allowed us to listen to our testers, and target the pain points in their forensic process.
Zone Identifier Internals
The “Zone.Identifier” file is a common artefact observed when undertaking forensic examinations of Windows systems. More correctly, this isn’t a file. Rather, it is an Alternate Data Stream (ADS), attached to content downloaded from the internet by Internet Explorer. The stream’s purpose is to record the source of the file so that judgements about its level of trust can later be made by the Windows OS, particularly when running downloaded executable files.
libewf Java bindings released
As a part of the AFF4 work I have been involved in, I recently created a set of Java bindings for libewf. If you want read access to the block content or metadata of EnCase-compatible forensic images from the Java programming language, then this is for you. They are currently tested on the Windows platform (x86). UNIX and x64 support should be trivial. They are now included in the libewf repository as libewf-java.
Mounting EWF’s on windows with freely available tools
Harlan recently posted a small reference to mounting EWFs on Windows machines using freely available utilities. David Loveall has produced a script called proxy_ewf.py which will do the heavy lifting of mounting EWFs via imdisk. It is not straightforward to get working, so I have copied the instructions originally provided by David Loveall and further expanded on them below. Extract the Windows mount_ewf files into a directory. I used the current mount_ewf_windows-20091123.
Follow up paper on the AFF4 evidence container to be presented at 6th IFIP WG 11.9 International Conference on Digital Forensics
I posted earlier about a new forensic container format being created by myself, Michael Cohen, and Simson Garfinkel. A paper describing the work was presented at DFRWS 2009 by Michael. Michael and I have recently extended and refined the container format to support describing the provenance of information and data, and more accurate description of evidence characteristics. A paper describing this work, titled “Refining the AFF4 evidence container for provenance and accurate data representation”, has been accepted for presentation at the 6th Annual IFIP WG 11.
Macintosh Forensic Acquisition
Recently the Mac OS X Forensics site has been amassing a wealth of information on acquiring and analysing Macintosh OS X computers. Additionally, the “Inside the Core” podcast has made a strong start at presenting similar and related content as a podcast. Both teams deserve congratulations and encouragement for their contributions. One problem that I have observed with acquiring Macs is a particular problem with some Apple keyboards that have a brushed aluminium appearance.
Paper on new evidence container format accepted for presentation at DFRWS2009
Michael Cohen, Simson Garfinkel and I have been collaborating recently on the development of a new digital evidence storage container format. Today we have had notification that a paper detailing the research behind this development has been accepted at the 2009 Digital Forensics Research Workshop, to be held in Montreal, Canada. The title of the paper is “Extending the Advanced Forensic Format to accommodate Multiple Data Sources, Logical Evidence, Arbitrary Information and Forensic Workflow”.
dd2vmdk relocated into the cloud
A while ago I wrote a tool to convert flat disk images (which we commonly call dd images) to VMWare .vmdk disk images (the original blog post on the tool, called dd2vmdk, is posted here). I have in the meantime ceased development of it, but despite its relatively archaic nature, some still find it of use. Today I relocated hosting of it to Google's new cloud web application service, Google App Engine.
libewf has relocated
This won't be news to many, but I came across a colleague today who didn't realise that the libewf project has moved home to SourceForge. Libewf is the only open source implementation of the Expert Witness Format (EWF) file format, which is the de facto standard for storage of forensic disk images. This open source implementation contains numerous utilities, including ewfacquire, a UNIX-based, command-line EWF acquisition program that is faster than LinEn, and a command-line validation utility called ewfverify.
New tool – CERT/CMU Live View
I am in Lafayette, Indiana this week at DFRWS2006. A gent from CERT was present and demonstrating an excellent tool called "Live View" which, from first impressions, appears to be a P2V GUI that automates running dd images in VMware. It appears that the features of it are far beyond what dd2vmdk does in some respects: you appear to point it at an image, upon which it: * generates a VMware vmdk
tool – pasco2
I am off to the DFRWS 2006 conference in a week or so to present my paper "A correlation method for establishing provenance of timestamps in digital evidence". In this paper I describe some research I have performed in characterising where the behaviour of computer clocks differs from the ideal. A second theme of the paper is the identification of methods of correlating commonly found evidence to establish provenance of timestamps.
dd2vmdk – dd Image to VMWare Virtual Disk converter
While performing the last set of investigations, I have produced a simple web-based application for automating the conversion of dd images into VMWare Virtual Disks. I have called this tool dd2vmdk; it is accessible at http://www.bschatz.org/2006/p2v/index.html Currently the tool carves up the image into a virtual disk composed of a number of files, where partitions are contained in individual files. The next version of the tool will support directly modifying the partition table and NTFS boot record in-situ within the image file.
P2V – Will the 2K MBR boot up a non cylinder aligned partition?
I left my last post unsure whether or not a PC can boot into a partition that is not aligned with the beginning of a cylinder boundary. I devised a quick test, employing the same image that I have been using for the last two posts. In this case, I left the partition table unmodified, but went into the NTFS boot record and adjusted its conception of the hard drive to reflect the Virtual Drive's geometry.
P2V – hard drive geometry problems
I have been trying to convert a physical Windows 2000 server running on SCSI RAID to run inside a virtual machine. Given my interest in digital evidence, I was interested in achieving the conversion (which is popularly referred to as Physical To Virtual or P2V conversion) from first principles. A while ago I came across the Windows Dynamic Disk partitioning scheme (also called Dynamic Disk or LDM). Its support under Linux is slowly gaining momentum, but it still remains a bugbear for manipulating disks.
MACtimes oddness on CDROM filesystems
I have been looking at the MACtimes of files stored on CDROMs recently. One thing that particularly struck me was the access time (the A in MAC) of files on a CDROM...

    F:\burntest>dir /ta
     Volume in drive F is My Disc
     Volume Serial Number is 8181-A540

     Directory of F:\burntest

    01/01/1601  10:00 AM                   .
    01/01/1601  10:00 AM                   ..
    01/01/1601  10:00 AM            34,304 LDM.doc
    01/01/1601  10:00 AM             1,267 mailheaders.txt
                   2 File(s)         35,571 bytes
                   2 Dir(s)               0 bytes free

Did I reset the access time when I burned it?