Design and Implementation of a Live-analysis Digital Forensic System

Transcription

1 Design and Implementation of a Live-analysis Digital Forensic System Pei-Hua Yen Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Taiwan amber8520@gmail.com Chung-Huang Yang Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Taiwan chyang@computer.org Tae-Nam Ahn Security Engineering Research Center Hannam University, Korea taenamahn@hotmail.com ABSTRACT As the popularity of the internet continues growing, not only change our life, but also change the way of crime. Number of crime by computer as tools, place or target, cases of such offenders increases these days, fact to the crime of computer case traditional investigators have been unable to complete the admissibility of evidence. To solve this problem, we must collect the evidence by digital forensics tools and analysis the digital data, or recover the damaged data. In this research, we use the open source digital forensics tools base on Linux and want to make sure the stability of software then prove the evidence what we have. To avoid the data loss due to the shutdown of machines, we use the Liveanalysis to collect data and design the Live DVD/USB to make image file and analysis the image. We use the MD5 and SHA-1 code to identity the file before the final report and ensure the reliability of forensic evidence on court. Keywords Digital Forensics, Digital Evidences, Live-analysis, Live DVD/USB 1. INTRODUCTION Internet is the most popular application in modern society. It brings a lot of convenience of communication to human. On the other hand, due to its rapid development, lacking of proper regulations, Internet happened to be crime breeding. The most serious problem of Internet is Cybercrime. January-June 2008 of crimes of computer in Taiwan published by National Police Agency [12], Ministry of The Interior, 4,981 of Internet Fraud, 2,023 of Infringement of Computer Usage, 1,871 of Prevention and Punishment of Sex-Trade Act, 1,340 of Copyright Act and 1,131of Obscenity, that show the seriousness of computer crimes. But that have extremely distinct difference between in computer criminal offense and traditional crime action, so the investigator inquiring into computer crime must have the aid of the computer forensics knowledge and technology in the computer forensic field. Digital evidence is not physically and it was storage on the media. It has the following characteristics [4]: (1) easily to copy or modify, (2) difficult to confirm the source and integrity, (3) cannot directly to understand its contents, etc. During an investigation, the procedures must according to the International Organization of Computer Evidence proposed The Good Practice Guide for Computer-Based Evidence in order to have legal effect of digital evidence in 1999 [8]. 2. RELATED WORKS In this paper focus on the digital evidence collect and recover from electronic media, and accented the identity of source of evidences. The following we will describe the details of the digital forensic Digital Forensics Digital forensics is the science of obtaining, preserving and documenting evidence from electronic media, such as tablet PC, server, digital camera, PDA, fax machine, ipod, smart phone and various memory storage devices [17]. Generally, the purpose for digital forensic is designed to investigate the evidence and it applications include computer intrusion, unauthorized access, child pornography, etc. Fundamentals of Computer Forensics analysis process as falling into three distinct areas acquisition, analysis and Presentation [2]. The list below briefs those procedures: Acquisition Phase: This phase is focus on the obtaining the states of systems that have storage devices and all the digital data for later analysis. We usually used the forensic tools to image the disk. Analysis phase: Identification of the evidences we have collected, which include file types, contexts of directory and rescue data for find the related between evidence and incident. Presentation Phase: Documentation of analyze of data for assist the prosecutors to reference.

2 At present, the mining and analysis of evidence can not be completed manually. We must depend on the forensics tools such as EnCase and Forensic Toolkit (FTK) [7]. Most of them are commercial software. It is expensive for the small enterprises or individual. In this research, we used the open source tools to design and implement our system Digital Evidence Digital evidence is stored in computer can play a major role in a wide range of crimes, including murder, rape, computer intrusions, espionage, and child pornography in proof of a fact about what did or did not happen [3, 17]. Digital information is fragile in that it can be easily modified, duplicated, restored or destroyed, etc [10]. The course of the investigation, the investigator should assure that digital evidence is not modified without proper authorization [9]. The typical goal of an investigation is to collect evidence using generally acceptable methods in order to make the evidence is accepted and admitted on the court. The final report must include [17]: (1) Where the evidence was stored? (2) Who had obtained to the evidence? (3) What had been done to the evidence? Any step in the process must be carefully recorded in order to prove the electronic records were not altered in the investigation procedure Forensic Tools All digital evidence must be analyzed to determine the type of information that is stored upon it. In this point, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include [5, 17]: FTK, EnCase [7], SMART, PyFlag and The Sleuth Kit, etc. Table 1. Comparison of Digital Forensic Tools Encase FTK TSK Traditional Simple Chinese Chinese English Must receive professional Ease of use Ease of use training Language User Create image file Calculated of Hash value Support Support Support MD5 MD5 Cost Expensive Expensive Advantage Graphical disk information Classification the digital evidence MD5 and SHA-1 Open source software Support many of evidence search Encase FTK TSK techniques such as file contest, keyword, metadata, etc Live-Analysis Digital forensics is separated into Live-analysis and the Dead-analysis [6], which to identify the computer whether or not to boot. Currently, many research of digital forensic use the Dead-analysis but the way may lose the data due to showdown of machine or removal the plug. For forensic analysis, the collection of volatile information is very important such as Hardware information, Installed software packages or Process state, etc [13].Since gathering evidence on the target can affect other evidence on the target, a set to get maximize the quality of the evidence, which include Running known good binaries, Hashing all evidence and Gathering data in order of volatility [1] Live DVD/USB Live CD is a kind of operation system distribution which can be booting from a read-only medium (such as a CD-ROM) without installing into hard disk [11]. Usually, we named this operation system depending on what media it stores. Consequently, it is named LiveDVD because its media is DVD-ROM, and so does LiveUSB. Currently, there are many Live CD released such as KNOPPIX [15], Fedora LiveCD [14], Tux2live [16], etc. We setup our system into LiveDVD/USB so that it becomes portable, and easily deploys even moving to different environment (such as Windows or Linux, etc). 3. SYSTEM ARCHITECTURE In this study, we classify of the victim machine, one for the computer system is still functioning, while another has been shut down or can not reboot. We write a script program and storage on the USB. If the system is still running then implement the Live-analysis with the script program, which to collect the volatile information of system and then those generated files will store into the USB disk automatically. We show the results with Tkinter and Xdioalog. If the computer is turned off, we must reboot the machine by Live DVD/USB and make the image file of disk. The LiveDVD/USB contains the image file producer-air (Automated Image and Restore), a computer forensics program-tsk, program of graphical -Autopsy, etc. (system forensics process in Figure 1).

3 Start Does the computer boot? Yes Using Live-analysis to collect the volatile data. No Using Live DVD/USB to run the Dead-analysis. Shutdown Figure 2. Live-analysis Menu Imaged disk Analysis Report Figure 1. System forensics process 4. IMPLEMENTATION 4.1. Live-Analysis If the machine is still active when arrived at the crime scene, we should collect the volatile information of victim of system rapidly, include which the TCP and UDP ports are opened, user login history, what services are activated currently, etc. Those information of volatile may disappear from your computer after the shut down. At this point, we collected the system state by Live-analysis. The system uses selfdeveloped script program to collect volatile information, and Graphical to the forensic results for facilitate analysis, to reduce barriers to operate. In this study, we collect volatile information of system by our script program. We show the results by using the Tkinter and Xdialog. The figure 2 shows the Live-analysis Menu. Figure 3. Basic information of system Figure 3 shows the state of system currently, which include kernel version, CPU information, hostname, date and time, partitions. Figure 4. MD5 and SHA-1 Figure 4 shows the MD5 value and SHA-1 value of all we obtained data.

4 4.2. Dead-Analysis We reboot victim system by LiveDVD/USB to execute the digital forensics, we called Dead-analysis. Since the way base on the LiveDVD/USB, so the state of the computer will not be altered. In this paper, we designed the LiveDVD/USB by remastersys and unetbootin, which include AIR (Automated Image and Restore) to create an image file of disk, Chinese locale support on TSK we made and Autopsy, etc. In this paper, the operation of Dead-analysis, first we create an image of disk by AIR as shown figure 5 then import the image file into TSK and Autopsy as shown figure 6, finally present the forensic result by using Web browser as shown figure DISCUSSION Table 2. Comparison of Digital Forensic Tools with Our System Encase FTK Helix Our system Live-analysis X X X Create filesystem image Verify hash value for image Support FAT16/32 Support NTFS Support EXT 2/3 Keyword Search Recover files Support for Traditional X X X Chinese Low Cost X X X Figure 5. AIR Figure 5 shows the AIR to make an image file while computing and identifying of the MD5 value. Figure 6. TSK and Autopsy Figure 6 shows the analyze of the image of disk by TSK and Autopsy, which provide several analysis functions, which include file content, Keyword, Metadata, file type, etc. Figure 6 is an example analyze for file content, which shows the deleted file name, create time, file size, etc. It can recover the files of have been deleted. 6. CONCLUSIONS In recent years, there are more and more cases of computer crime, the term hacking is no longer news. Therefore, the investigator how to collect any information of computer after an incident is becoming an important issue. The mostly of the digital forensics software are commercial version, cost is so high, and just support English version which obstacle to use. In this paper, this study is based on the open source software to reduce cost and we revised autopsy s graphic into the Traditional Chinese. We created a Live DVD/USB for analyzing Microsoft and Unix/Linux file systems (Dead analysis). Additionally, we collected the volatile information of system by using Live-analysis, which avoid lost the data due to showdown of machine. 7. ACKNOWLEDGMENTS This work was supported in part by research grants (NSC E MY3) from the National Science Council of Taiwan. 8. REFERENCES [1] F. Adelstein, Live forensics: diagnosing your system without killing it first, Communications of the ACM, Vol.49, No.2, February DOI= [2] J. Bates, Fundamentals of computer forensics, Information Security Technical Report, Elsevier, 1998.DOI=doi: /S (98)80040-X

5 [3] E. Casey, T. Larson, and M. M. Ferraro, Digital Evidence and Computer Crime, Elsevier Science & Technology Books, December [4] E. Casey, Digital Evidence and Computer Crime: Forensic Science, Computer and the Inter, Academic Press, 2000, pp TW&lr=&id=Xo8GMt_AbQsC&oi=fnd&pg=PR7&dq= Digital+Evidence+and+Computer+Crime,+Elsevier+Sci ence+%26+technology+books,+december+2003.&ots =-XR8GW-2PE&sig=APk6XBvljEUrq7aIL0ZY2- VHRqc#v=onepage&q=&f=false [5] B. Carrier, Performing an autopsy examination on FFS and EXT2FS partition images: An introduction to TCTUTILs and the Autopsy Forensic Browser, SANSFIRE, July n_autopsy_examination_on_ffs_ pdf [6] B. Carrier, TSK & Autopsy. April [7] L. Garber, EnCase: A Case Study in Computer-Forensic Technology, IEEE Computer Magazine, January [8] IOCE, p_exam_digit_tech.html, April [9] C. E. Landwehr, Computer security, International Journal of Information Security, 2001, pp j/ [10] S. Mocas, Building theoretical underpinnings for digital forensics research, Digital Investigation, Elsevier, 2004.DOI= doi: /j.diin [11] C. Negus, Live Linux CDs: Building and Customizing Bootable, Prentice Hall PTR, [12] NII, isecurity. April [13] C. Pogue, C. Altheide and T. Haverkos, UNIX and Linux Forensic Analysis DVD Toolkit, Syngress Publishing, [14] R. Petersen, Fedora Core 7 & Red Hat Enterprise Linux, McGraw-Hill Professional, [15] K. Rankin, Knoppix hacks, O Reilly, [16] Tux2live. April [17] L. Volonino, R. Anzaldua, J. Godwin and G. C. Kessle, Computer Forensics: Principles and Practice, Prentice Hall, 2006.