Live View: A New View On Forensic Imaging
Matthiew Morin, Champlain College
Executive Summary

The main purpose of this paper is to provide an analysis of the forensic imaging tool known as Live View. This analysis includes an introduction to the program, a demonstration and description of its functionality, and finally the benefits of the program and the impact it may have on the digital forensics industry. The paper also gives a brief overview of past and current forensic imaging techniques and how they compare with the use of Live View to conduct a forensic analysis of a system. The concept of virtualizing computer systems has been around for a number of years, but it has quickly been gaining popularity throughout various computer-related industries. In many industries virtualization helps reduce energy costs and save space; in the forensic field, however, it can play an entirely different role. Running a computer system in a virtual environment can be extremely beneficial from a forensic perspective, mainly because the system can be isolated from many variables and easily restored to a previous state. Live View builds on the convenience and efficiency of virtualization by allowing current forensic imaging tools and practices to interface with a virtual environment, such as one found in VMware. Live View allows a raw disk image or a physical disk to be converted to a virtual machine and accessed through VMware just as if the system were actually running, all without modifying any of the data found on the disk or image.
Acknowledgments

This paper is a product of research and testing scenarios; however, it may also serve as an introduction and guide to the Live View software. For the scope of this paper, the only operating system tested and analyzed was Microsoft Windows XP Service Pack 2; however, Live View supports versions of Microsoft Windows from Windows 98 to Windows Server 2008, including the Microsoft Server operating systems. The Live View version used during the research for this paper was 0.7b, the most current version at the time of research. The imaging software used was FTK Imager Version and the version of VMware used was Version 7.0. The Microsoft Windows XP machine was configured as a VMware machine in order to keep the size of the forensic image low and reduce the time needed to create the initial image. In addition, the machine was imaged in a live environment; however, no changes were documented, as no forensic analysis of the machine was to be performed. The image was used only to verify that Live View would convert a raw disk image to a virtual machine.
Disk Imaging

Perhaps the most important step in the digital forensics process is data mirroring, more commonly known as disk imaging. While all of the steps in the forensic process must function together for an investigation to be conducted correctly, disk imaging plays the most pivotal role in the entire process. There are many ways to define disk imaging; however, a few widely accepted definitions have emerged as the field of digital forensics has grown. Jim Bates, the Technical Director of Computer Forensics Ltd, defines disk imaging as "an image of the whole disk [copied]. This [is] regardless of any software on the disk and the important point [is] that the complete content of the disk [is] copied including the location of the data. Disk imaging takes a sector-by-sector copy usually for forensic purposes and as such it will contain some mechanism to prove that the copy is exact and has not been altered. It does not necessarily need the same geometry as the original as long as arrangements are made to simulate the geometry if it becomes necessary to boot into the acquired image" (Saudi 3). It is the process of disk imaging that allows a forensic investigator to view the contents of a storage medium or computer without altering the original data in any way.

The process of disk imaging can be described in three general steps. The first step is to acquire the original storage media; this can be any of a number of pieces of evidence collected from a secured crime scene. The storage media can be a Compact Disc (CD), a USB flash drive, an internal hard drive or any other hardware that can store digital data. The next step in the process is to create an image of the storage media. At this step, the forensic investigator can approach the imaging process in one of two ways: the investigator can create a bit-for-bit copy or a bit-stream copy of the original storage media. The details of these two options are discussed later in this paper. Also at this stage, the forensic investigator should choose the storage media that will hold the forensic image, taking into account the size of the image file, the time needed to create it and the duration of the investigation. The third and final step of the disk imaging process is to verify the image against the original storage media. In this step the forensic investigator compares the cryptographic hash values of the original storage media and the newly created image. In addition, the
investigator will also verify the chain of custody. The phrase chain of custody refers to "the accurate auditing and control of original evidence material that could potentially be used for legal purposes; there should be accurate logs tracking the movement and possession of evidence material at all times" (Gast).

As mentioned above, there are two options the forensic investigator must decide between when creating a forensic image: a bit-for-bit image of the original data or a bit-stream image of the original data. It is important to note that while the ways in which these images are created differ slightly from one another, both are acceptable methods as defined by the National Institute of Standards and Technology (NIST). The first option, a bit-for-bit image, is perhaps the most ideal way to create an image of the storage media. A bit-for-bit image is an exact clone of the original storage media: the tool used to forensically image the storage media duplicates each individual bit and creates a file of raw data commonly known as a dd image. This form of image is commonly used for any type of storage media as well as for computers that were not found powered off at the crime scene. The second option, the bit-stream image, requires a different process of imaging. Instead of duplicating the original storage media bit-for-bit, it duplicates the original storage media cylinder-by-cylinder or sector-by-sector. While both of these methods provide an exact clone of the storage media, the bit-stream image, commonly known as a live image, is used to image a computer system that is powered on at the crime scene. This form of imaging becomes extremely useful when the storage media or system that needs to be imaged cannot be powered off or taken offline.
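As an added illustration of the verification step described above (example code, not part of the paper or of any imaging tool), the following Python script hashes a source medium and its raw image, compares the digests with the hash recorded at acquisition time, and reports the first byte offset at which an inexact copy diverges. All inputs are constructed in memory so it runs offline; SHA-256 is assumed as the algorithm recorded at acquisition.

```python
"""Verify that a raw (dd-style) image is a bit-for-bit copy of its source.

Added example, not from the paper or from Live View / FTK Imager. It assumes
two readable files (the original media and the image) plus, optionally, the
hash value noted when the image was acquired.
"""
import hashlib
import os
import tempfile

SECTOR = 512
CHUNK = 64 * SECTOR            # read in sector-aligned chunks


def stream_hashes(path, chunk=CHUNK):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def first_mismatch(src_path, img_path, chunk=CHUNK):
    """Compare two files byte for byte. Return the byte offset of the first
    difference, or None if the image is an exact clone (size included)."""
    offset = 0
    with open(src_path, "rb") as a, open(img_path, "rb") as b:
        while True:
            x, y = a.read(chunk), b.read(chunk)
            if x != y:
                for i, (p, q) in enumerate(zip(x, y)):
                    if p != q:
                        return offset + i
                return offset + min(len(x), len(y))   # one file ended early
            if not x:
                return None
            offset += len(x)


def verify_image(src_path, img_path, recorded_sha256=None):
    """The verification step: the image's hashes must equal the source's and,
    when a hash was recorded at acquisition time, must equal that as well."""
    src_md5, src_sha = stream_hashes(src_path)
    img_md5, img_sha = stream_hashes(img_path)
    result = {
        "source_sha256": src_sha,
        "image_sha256": img_sha,
        "hashes_match": (src_md5, src_sha) == (img_md5, img_sha),
        "first_mismatch_offset": first_mismatch(src_path, img_path),
        "matches_recorded": (None if recorded_sha256 is None
                             else img_sha.lower() == recorded_sha256.lower()),
    }
    result["verified"] = (result["hashes_match"]
                          and result["first_mismatch_offset"] is None
                          and result["matches_recorded"] in (None, True))
    return result


def demo():
    """Constructed sample: an 8-sector 'drive', an exact image, and an image
    with one flipped byte in sector 3 (a bad sector or a tampered copy)."""
    tmp = tempfile.mkdtemp()
    media = bytes(range(256)) * (8 * SECTOR // 256)
    bad = bytearray(media)
    bad[3 * SECTOR + 7] ^= 0xFF
    paths = {}
    for name, data in (("media.bin", media), ("good.dd", media), ("bad.dd", bytes(bad))):
        paths[name] = os.path.join(tmp, name)
        with open(paths[name], "wb") as fh:
            fh.write(data)
    acquisition_sha = hashlib.sha256(media).hexdigest()   # value noted at acquisition
    good = verify_image(paths["media.bin"], paths["good.dd"], acquisition_sha)
    bad_result = verify_image(paths["media.bin"], paths["bad.dd"], acquisition_sha)
    return good, bad_result


if __name__ == "__main__":
    for label, r in zip(("good image", "bad image"), demo()):
        print(label, "verified" if r["verified"] else
              f"FAILED (first mismatch at byte {r['first_mismatch_offset']})")
```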
While there are many ways to simply copy files on a computer system, tools used to create a forensic image of a disk must meet specific requirements adopted by NIST.

Figure: The required features of a forensic imaging tool (NIST).

These requirements help establish a standard for forensic imaging tools within the digital forensic field. They aim to ensure that forensic tools on the market are both technically and legally sound, and that released tools are able to obtain as much data as possible to aid the investigation and analysis of the acquired data.
Concerns and Issues

As the practice of digital forensics continues to grow, many professionals and individuals are gaining a deeper understanding of how a computer system operates and how the forensic imaging process applies to an investigation; however, there are still issues and concerns about the forensic imaging process. One of the most pressing issues to address in regards to forensic imaging is the integrity and validity of the cloned image. "[The main concern with a] disk imaging tool is whether it produces a copy that is exactly the same as the original. Users [fear] that if they use disk imaging tools, it might alter the layout of the copy. In computer forensics, priority and emphasis are on accuracy and evidential integrity and security; it is essential to have a forensically sound copy from original evidence" (Saudi 4). Much of the digital data collected from a crime scene can be dangerously volatile, meaning it could easily become corrupted or altered. As such, NIST and other leading forensic organizations have created strict guidelines for a forensic investigation, which must be adhered to at all times. Not only do these guidelines ensure that the evidence stays secure and unaltered, but they also ensure that the investigation is legally sound. As the field of digital forensics has progressed over the past few years, there have been many advances in the techniques and tools used to protect the security and integrity of data acquired from a crime scene. These tools and practices are constantly being reviewed and revised as new technologies are developed and current technologies and methods are adapted to meet the needs of forensic investigators. One such tool at the forefront of the digital forensics field is Live View.
Live View

In short, Live View is "a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk, [allowing] the forensic examiner to boot up the image" (Live View). The Live View program features a simple and intuitive interface that accomplishes a vital technical task. The program can be extremely useful to a forensic investigator, as it allows them to run the computer system being examined exactly as it existed when it was imaged, all without ever altering the forensic image. This unprecedented access is granted by a file that Live View generates when the VMware virtual machine is created from the image: when the virtual machine is powered on, all changes made to it are written to a temporary cover file. VMware treats this file as part of the original image, and as a result no information is changed, written to or deleted from the forensic image. If the forensic investigator needs to revert to the original image, they need only clear the cover file generated by Live View.

Live View offers further benefits to a forensic investigator. It is not only able to create a virtual machine from a dd image, such as one created by a bit-for-bit clone, but it can also create a virtual machine from a physical disk image, such as one created from a bit-stream clone. In addition to this array of image options, Live View also completes many technical tasks dealing with hardware compatibility and boot sectors. Some of these [tasks] include "resolving hardware conflicts resulting from booting on hardware other than that on which the OS was originally installed; [creating] a customized MBR for partition-only images; and correctly specifying a virtual disk to match the original image or physical disk" (Live View). Live View features a clean and intuitive interface that provides all of the necessary configuration options to ensure that the virtual machine is successfully created and the forensic image is in no way altered.
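The "customized MBR for partition-only images" task above implies that a tool must first decide whether a raw image begins with a full-disk MBR or with a volume boot record. The following Python example (added here; not Live View's code, which the paper does not show) makes that check and reads the partition table. The MBR, NTFS and FAT offsets are the standard on-disk layouts; the sample sectors are constructed.

```python
"""Classify a raw image as full-disk (MBR) or partition-only (volume boot
record) and read the MBR partition table.

Added example, not Live View's own implementation. Offsets follow the
standard MBR and NTFS/FAT boot-sector layouts.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
PART_TABLE = 446                      # four 16-byte entries, then the signature
PART_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x05: "Extended", 0x0F: "Extended (LBA)", 0x83: "Linux"}


def parse_partition_table(sector0):
    """Return the non-empty primary partition entries of an MBR."""
    if len(sector0) < SECTOR or sector0[510:512] != BOOT_SIG:
        raise ValueError("no 0x55AA boot signature")
    entries = []
    for i in range(4):
        e = sector0[PART_TABLE + 16 * i: PART_TABLE + 16 * (i + 1)]
        status, ptype = e[0], e[4]
        lba_start, sectors = struct.unpack("<II", e[8:16])
        if ptype == 0:
            continue                                 # unused slot
        if status not in (0x00, 0x80) or sectors == 0:
            raise ValueError(f"malformed partition entry {i}")
        entries.append({"index": i, "bootable": status == 0x80,
                        "type": ptype, "type_name": PART_TYPES.get(ptype, "other"),
                        "lba_start": lba_start, "sectors": sectors,
                        "byte_offset": lba_start * SECTOR})
    return entries


def classify_image(sector0):
    """'full-disk', 'partition-only' or 'unknown'. A volume boot record also
    ends in 0x55AA, so the signature alone cannot distinguish the two; the
    OEM ID / file-system label identifies a volume image before any attempt
    to read sector 0 as a partition table (its boot code could look like one)."""
    if len(sector0) < SECTOR or sector0[510:512] != BOOT_SIG:
        return "unknown"
    if sector0[3:11] == b"NTFS    ":                 # NTFS OEM ID
        return "partition-only"
    if sector0[0x36:0x3B] in (b"FAT12", b"FAT16") or sector0[0x52:0x57] == b"FAT32":
        return "partition-only"
    try:
        return "full-disk" if parse_partition_table(sector0) else "unknown"
    except ValueError:
        return "unknown"


def build_mbr(entries):
    """Constructed sample: an MBR holding (bootable, type, lba_start, sectors)."""
    sec = bytearray(SECTOR)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE + 16 * i
        sec[off] = 0x80 if bootable else 0x00
        sec[off + 4] = ptype
        sec[off + 8:off + 16] = struct.pack("<II", lba_start, sectors)
    sec[510:512] = BOOT_SIG
    return bytes(sec)


def build_ntfs_vbr():
    """Constructed sample: the start of an NTFS volume boot record."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x52\x90"        # jump instruction
    sec[3:11] = b"NTFS    "           # OEM ID
    sec[510:512] = BOOT_SIG
    return bytes(sec)


if __name__ == "__main__":
    disk = build_mbr([(True, 0x07, 63, 2048), (False, 0x83, 2111, 4096)])
    print(classify_image(disk), parse_partition_table(disk))
    print(classify_image(build_ntfs_vbr()))
```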
Figure: The Main Live View Window

The main Live View window presents all of the configuration options needed to create a virtual machine from the forensic image. Live View allows the investigator to manually set the amount of Random Access Memory (RAM) given to the virtual machine; this option helps mimic the original system as closely as possible. The system time option allows the examiner to set the clock of the virtual machine to any desired time. This option is particularly important because it can thwart an attack triggered by the system clock reaching a certain point, commonly known as a time bomb. Live View is also equipped with automatic operating system detection; this feature detects the operating system present on the forensic image and configures the virtual machine accordingly. Alternatively, the investigator can manually select the operating system for the virtual machine.
The next option allows the investigator to select the source of the image; this can be either a raw dd image or an image on a physical disk. The next option prompts the investigator for the output location of the VMware virtual machine files; this location can be anywhere on the host system or on the network it is connected to. The final option allows the investigator either to create the virtual machine files and launch the virtual machine immediately, or to create the files and launch it later. The final step is to click the Start button. When the Start button is clicked, the investigator is prompted with this dialogue box:

Figure: Live View Read-Only Setting Dialogue Box

This option provides an additional layer of protection on top of the cover file. Because all changes are written to the cover file layered over the image, it is unlikely that the forensic image itself would ever be accessed; in the unlikely case that it is, this read-only setting makes writing to or changing the forensic image impossible.
After the virtual machine configuration options are properly set, Live View commences the creation of the VMware virtual machine. The box entitled Messages at the lower part of the main Live View window displays the current configuration step as well as any errors that occurred during the creation of the virtual machine.

Figure: Live View Message Window

Once Live View has successfully created the virtual machine configuration files, it automatically launches the VMware application and powers on the created virtual machine.
One of the most useful and intriguing features of Live View is the ease with which it can revert to the original state of the forensic image from which the virtual machine was created. When a forensic investigator configures a virtual machine using Live View, the program searches the host system for other instances of virtual machines created from that forensic image and prompts the investigator to either continue working with the existing virtual machine or start over.

Figure: Previously Launched Image Dialogue Box

The Continue option launches the last instance of a virtual machine created from that image, from the point at which it was terminated. The Start Over option clears the cover file that the changes were written to, giving the forensic investigator a new, unaltered instance of the forensic image.
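The cover-file mechanism together with the Continue and Start Over choices can be modelled directly. The Python below is an added example, not Live View's code: the paper describes the behaviour (writes go to a temporary cover file, the image is never modified, Continue reuses the cover file, Start Over clears it) but not the cover file's format, so the record layout here is an assumption, and the evidence image is a constructed 4-sector file.

```python
"""Sector-granular copy-on-write view of a raw image.

Added example, not Live View's implementation. The cover-file layout
(a 4-byte little-endian sector index followed by the 512-byte sector,
appended per write) is constructed for this example.
"""
import hashlib
import os
import struct
import tempfile

SECTOR = 512
REC = struct.Struct("<I")          # cover-file record header: sector index


class CoverFile:
    """Reads fall through to the read-only base image unless the sector has
    been written, in which case the copy held in the cover file is returned."""

    def __init__(self, image_path, cover_path):
        self.image_path, self.cover_path = image_path, cover_path
        self.size = os.path.getsize(image_path)
        self.modified = {}                          # sector index -> bytes
        if os.path.exists(cover_path):              # "Continue": replay earlier writes
            with open(cover_path, "rb") as fh:
                while (hdr := fh.read(REC.size)):
                    (idx,) = REC.unpack(hdr)
                    self.modified[idx] = fh.read(SECTOR)

    def read_sector(self, idx):
        if idx * SECTOR >= self.size:
            raise IndexError("sector beyond end of image")
        if idx in self.modified:
            return self.modified[idx]
        with open(self.image_path, "rb") as fh:     # image only ever opened read-only
            fh.seek(idx * SECTOR)
            return fh.read(SECTOR)

    def write_sector(self, idx, data):
        if len(data) != SECTOR:
            raise ValueError("writes are whole sectors")
        if idx * SECTOR >= self.size:
            raise IndexError("sector beyond end of image")
        self.modified[idx] = bytes(data)
        with open(self.cover_path, "ab") as fh:     # append-only journal of changes
            fh.write(REC.pack(idx) + bytes(data))

    def start_over(self):
        """Discard every change: remove the cover file, leaving the pristine image."""
        self.modified.clear()
        if os.path.exists(self.cover_path):
            os.remove(self.cover_path)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def demo():
    """Constructed 4-sector image: the 'running VM' writes sector 2, the view
    is reopened (Continue), then reset (Start Over); the image hash is checked."""
    tmp = tempfile.mkdtemp()
    img = os.path.join(tmp, "evidence.dd")
    cover = os.path.join(tmp, "evidence.cover")
    data = bytes(range(256)) * (4 * SECTOR // 256)
    with open(img, "wb") as fh:
        fh.write(data)
    before = sha256_file(img)
    vm = CoverFile(img, cover)
    vm.write_sector(2, b"\xaa" * SECTOR)
    changed = vm.read_sector(2)
    vm_again = CoverFile(img, cover)                # Continue
    continued = vm_again.read_sector(2)
    vm_again.start_over()                           # Start Over
    fresh = CoverFile(img, cover)
    restored = fresh.read_sector(2)
    return {
        "image_unchanged": sha256_file(img) == before,
        "write_visible": changed == b"\xaa" * SECTOR,
        "continue_keeps_write": continued == changed,
        "start_over_restores": restored == data[2 * SECTOR:3 * SECTOR],
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```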
Comparison

As mentioned earlier in this paper, the set of tools for conducting a digital forensic investigation in a virtual environment is limited and very specific. Only a few tools can create a virtual machine from an acquired forensic image while maintaining a precise level of data integrity. In terms of functionality comparable to Live View, two tools in particular are worth mentioning: Mount Image Pro and Virtual Forensic Computing (VFC), both developed by Get Data Software Development Company. Mount Image Pro is not strictly a virtual environment, in that it does not create a virtual machine that can be started and examined; rather, it mounts a forensic image as a readable disk on the host machine. With an image mounted in this way, the host operating system can interact with it as if it were a secondary disk physically attached to the computer. This technique offers many advantages to a forensic examiner; for example, the examiner can browse the file structure looking for suspiciously named files and retrieve them from the image. Additionally, other forensic tools and programs, such as virus and malware scanners and file recovery tools, can be run against the mounted image. Similar to Live View, Mount Image Pro can mount a full array of file types including EnCase images and DD images as well as virtual machine files such as those of VMware and Microsoft Virtual PC. Additional functionality comes from the ability to mount a Redundant Array of Independent Disks (RAID) configuration, to display unallocated disk space and to show deleted files present within the forensic image.

Of course, Mount Image Pro provides this functionality while maintaining the complete integrity of the data; however, the ability to run tools against the image and examine its file structure at a fairly basic level is the upper limit of what the program can do. To create an environment comparable to Live View, the VFC program must work in conjunction with Mount Image Pro. Additionally, Mount Image Pro is a commercial piece of software developed and distributed exclusively by Get Data Software Development Company. As a result, it is necessary to pay a fee to obtain a license to use the program; this also
means that the source code of Mount Image Pro is not readily available and cannot be examined or modified. As mentioned above, two programs, Mount Image Pro and VFC, must be used together to create an environment comparable to Live View. The second component, VFC, is the software that interprets the mounted image and creates a virtual machine file from that data. VFC is a quick and responsive program that can start an image mounted by Mount Image Pro using VMware. Just as with Live View, the forensic data remains completely unaltered, and the examiner can change various settings of the virtual machine to create an optimal investigation environment. In addition to many features similar to Live View, VFC offers a few extra features that can greatly increase the efficiency of a forensic investigation. One such feature is the ability to overwrite the password of a user account on the virtual machine. This saves a large amount of time, as it eliminates the need for the investigator to obtain the password from the suspect or spend time cracking it with a third-party program. However, like Mount Image Pro, VFC requires a commercial license purchased through Get Data, and its source code is not readily available.

Taking all of these facts into consideration, it is apparent that both Live View and Get Data's two programs are reputable platforms from which to conduct a forensic investigation. When deciding which software to use, there are a few important points to remember. First, Live View is an open source program licensed under the GNU General Public License. This means that Live View's source code can be examined and tweaked by members of the professional community to further enhance the program; additionally, Live View is available at no cost to the user. Second, VFC contains an extra set of features over Live View that may be desirable to some forensic investigators; such features can overcome some of the most difficult problems encountered during a forensic investigation. Finally, Live View runs without any supporting software other than Java and VMware, whereas VFC requires Mount Image Pro even to begin examining a forensic image, and both must be activated with a commercial license.
Conclusion

Much skepticism and caution surround the forensic imaging process, as it is crucial to ensure that no evidence is destroyed or modified during the collection and analysis of the evidence. As the digital forensics field continues to grow and the demand for digital forensic investigations increases, forensic investigators are forced to find more efficient and secure ways of collecting and analyzing the data involved in an investigation. One such tool at the forefront of forensic analysis is the program Live View. This tool allows a forensic investigator to create a VMware virtual machine from a forensic image and access the image without ever changing any data in it, providing the investigator with unprecedented access to the image.
Definitions

Digital Forensics: A sub-division of forensic science, also known as computer and network forensics, considered to be the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
Disk Image: A virtual representation of a real disk drive.
Forensic Science: Generally defined as the application of science to the law.
Host Machine: The physical computer hardware and operating system that a virtual machine runs on.
Master Boot Record (MBR): The data found at the beginning of a storage device that initiates the startup process of a computer system.
Random Access Memory (RAM): A piece of computer hardware that is responsible for temporarily storing data that is to be quickly accessed by other hardware components.
Redundant Array of Independent Disks (RAID): A configuration of two or more disks that stores data across all disks present in the array. This configuration can be used to achieve quicker read and write times as well as to create a redundant set of data.
Storage Media: Any form of electronic device that can contain or store electronic data. Storage media is a general term for a large variety of devices which include, but are not limited to: hard drives, USB storage devices, CD-ROMs, DVD-ROMs, floppy disks, etc.
The National Institute of Standards and Technology (NIST): A federal technology agency that works with industry to develop and apply technology, measurements and standards.
Virtual Machine: A simulated environment created by virtualization.
Virtualization: The simulation of the software and/or hardware upon which other software runs. This simulated environment is called a virtual machine (VM).
Works Cited

Brown, Christopher L. T. "Imaging Methodologies." Computer Evidence: Collection and Preservation. 2nd ed. Boston, MA: Charles River Media/Cengage Learning. Print.
Digital Data Acquisition Tool Specification. Tech. National Institute of Standards and Technology, 4 Oct. Web. 10 Dec. < DDA-Require.pdf>.
Gast, Ty. "Forensic Data Handling." Forensic Data Handling. Cybertrust, Inc. Web. 10 Dec. <
Kent, Karen, Suzanne Chevalier, Tim Grance, and Hung Dang. "Guide to Integrating Forensic Techniques into Incident Response." Nist.gov. The National Institute of Standards and Technology, Aug. Web. 21 July. <
Mamoun, Sitalakshmi Venkatraman, and Paul Watters. "Effective Digital Forensic Analysis of the NTFS Disk Image." UbiCC Journal 4.3 (2009). Ubiquitous Computing and Communication Journal. UbiCC. Web. 10 Dec. <
"Mount Image Pro V5 - Forensic Software (Released May 2012)." Computer Forensics Software: Mount EnCase Images and DD Images. Get Data Software Development Company, n.d. Web. 26 July. <
Saudi, Madihah Mohd. An Overview of Disk Imaging Tool in Computer Forensics. Tech. System Administration, Networking, and Security Institute. Web. 10 Dec. <
Scarfone, Karen, Murugiah Souppaya, and Paul Hoffman. "Guide to Security for Full Virtualization Technologies." Nist.gov. The National Institute of Standards and Technology, Jan. Web. 21 July. <
"Virtual Forensic Computing (VFC): Boot Mounted EnCase Images." Virtual Forensic Computing. Use VFC to Boot EnCase or DD Forensic Evidence Files. Get Data Software Development Company, n.d. Web. 01 Aug. <
Quick Start - Virtual Server idataagent (Microsoft/Hyper-V)
Page 1 of 31 Quick Start - Virtual Server idataagent (Microsoft/Hyper-V) TABLE OF CONTENTS OVERVIEW Introduction Key Features Complete Virtual Machine Protection Granular Recovery of Virtual Machine Data
Installing and Upgrading to Windows 7
Installing and Upgrading to Windows 7 Before you can install Windows 7 or upgrade to it, you first need to decide which version of 7 you will use. Then, you should check the computer s hardware to make
Windows Server 2008 R2 Essentials
Windows Server 2008 R2 Essentials Installation, Deployment and Management 2 First Edition 2010 Payload Media. This ebook is provided for personal use only. Unauthorized use, reproduction and/or distribution
Symantec Drive Encryption for Windows
Symantec Drive Encryption for Windows Technical Note 10.3 Released January 2014. Legal Notice Copyright (c) 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo,
Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure. Addressing the Concerns of the IT Professional Rob Weber February 2015
Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure Addressing the Concerns of the IT Professional Rob Weber February 2015 Page 2 Table of Contents What is BitLocker?... 3 What is
A review of BackupAssist within a Hyper-V Environment
A review of BackupAssist within a Hyper-V Environment By Brien Posey Contents Introduction... 2 An Introduction to BackupAssist... 3 Testing Methodologies... 4 Test 1: Restore a Virtual Machine s Configuration...
AN INVESTIGATION INTO COMPUTER FORENSIC TOOLS
AN INVESTIGATION INTO COMPUTER FORENSIC TOOLS K.K. Arthur 1 H.S. Venter 2 Information and Computer Security Architectures (ICSA) Research Group University of Pretoria Pretoria Department of Computer Science
AIR FORCE ASSOCIATION S CYBERPATRIOT NATIONAL YOUTH CYBER EDUCATION PROGRAM UNIT THREE. Computer Basics and Virtual Machines. www.uscyberpatriot.
AIR FORCE ASSOCIATION S CYBERPATRIOT NATIONAL YOUTH CYBER EDUCATION PROGRAM UNIT THREE Computer Basics and Virtual Machines www.uscyberpatriot.org AIR FORCE ASSOCIATION S CYBERPATRIOT NATIONAL YOUTH CYBER
Hands-On How-To Computer Forensics Training
j8fm6pmlnqq3ghdgoucsm/ach5zvkzett7guroaqtgzbz8+t+8d2w538ke3c7t 02jjdklhaMFCQHihQAECwMCAQIZAQAKCRDafWsAOnHzRmAeAJ9yABw8v2fGxaq skeu29sdxrpb25zidxpbmznogtheories...ofhilz9e1xthvqxbb0gknrc1ng OKLbRXF/j5jJQPxXaNUu/It1TQHSiyEumrHNsnn65aUMPnrbVOVJ8hV8NQvsUE
Windows 8 Backup, Restore & Recovery By John Allen
Windows 8 Backup, Restore & Recovery By John Allen Restore and recovery options for Windows 8 are different to earlier versions of Windows, and, of course, the terminology has changed. These are a lot
Introduction to BitLocker FVE
Introduction to BitLocker FVE (Understanding the Steps Required to enable BitLocker) Exploration of Windows 7 Advanced Forensic Topics Day 3 What is BitLocker? BitLocker Drive Encryption is a full disk
virtualization.info Review Center SWsoft Virtuozzo 3.5.1 (for Windows) // 02.26.06
virtualization.info Review Center SWsoft Virtuozzo 3.5.1 (for Windows) // 02.26.06 SWsoft Virtuozzo 3.5.1 (for Windows) Review 2 Summary 0. Introduction 1. Installation 2. VPSs creation and modification
2.6.1 Creating an Acronis account... 11 2.6.2 Subscription to Acronis Cloud... 11. 3 Creating bootable rescue media... 12
USER'S GUIDE Table of contents 1 Introduction...3 1.1 What is Acronis True Image 2015?... 3 1.2 New in this version... 3 1.3 System requirements... 4 1.4 Install, update or remove Acronis True Image 2015...
How To Image A Single Vm For Forensic Analysis On Vmwarehouse.Com
MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE, ACE, GCFE, GCFA, GSEC, VCP4/5, vexpert Senior SANS Instructor - [email protected] 1 A Lot To Cover In ½ An Hour We simply can not cover all cloud
Cloning Utility for Rockwell Automation Industrial Computers
Technical Data Cloning Utility for Rockwell Automation Industrial Computers Topic Page About the Cloning Utility 2 Recovery Partition Considerations 2 Prepare to Boot from the Accessories CD 3 Start the
Lecture outline. Computer Forensics and Digital Investigation. Defining the word forensic. Defining Computer forensics. The Digital Investigation
Computer Forensics and Digital Investigation Computer Security EDA263, lecture 14 Ulf Larson Lecture outline! Introduction to Computer Forensics! Digital investigation! Conducting a Digital Crime Scene
Digital Forensics for IaaS Cloud Computing
Digital Forensics for IaaS Cloud Computing June 26, 2012 The views expressed in this presentation are mine alone. Reference to any specific products, process, or service do not necessarily constitute or
Migrating a Windows PC to Run in VMware Fusion VMware Fusion 2.0
Technical Note Migrating a Windows PC to Run in VMware Fusion VMware Fusion 2.0 This technical note describes the process for migrating an existing Windows PC to run as a virtual machine with VMware Fusion
StarWind iscsi SAN Software: Implementation of Enhanced Data Protection Using StarWind Continuous Data Protection
StarWind iscsi SAN Software: Implementation of Enhanced Data Protection Using StarWind Continuous Data Protection www.starwindsoftware.com Copyright 2008-2011. All rights reserved. COPYRIGHT Copyright
LOCKSS on LINUX. Installation Manual and the OpenBSD Transition 02/17/2011
LOCKSS on LINUX Installation Manual and the OpenBSD Transition 02/17/2011 1 Table of Contents Overview... 3 LOCKSS Hardware... 5 Installation Checklist... 7 BIOS Settings... 10 Installation... 11 Firewall
Reviewer s Guide. EaseUS Backup Solution. EaseUS Todo Backup Reviewer s Guide 1. Contents Introduction... 2. Chapter 1...3
EaseUS Todo Backup Reviewer s Guide Reviewer s Guide Contents Introduction... 2 Chapter 1...3 What is EaseUS Todo Backup?...3 Versions Comparison... 4 Chapter 2...7 Using EaseUS Todo Backup...7 Backup...7
Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 13 Business Continuity
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 13 Business Continuity Objectives Define environmental controls Describe the components of redundancy planning List disaster recovery
Computer Forensics and Investigations Duration: 5 Days Courseware: CT 0619217065
Computer Forensics and Investigations Duration: 5 Days Courseware: CT 0619217065 Introduction The Computer Forensics and Investigation course presents methods to properly conduct a computer forensics investigation
Cyber Security: Guidelines for Backing Up Information. A Non-Technical Guide
Cyber Security: Guidelines for Backing Up Information A Non-Technical Guide Essential for Executives, Business Managers Administrative & Operations Managers This appendix is a supplement to the Cyber Security:
Recover Tab & RecoverAssist User Guide
Recover Tab & RecoverAssist User Guide Contents 1. Introduction... 2 Documentation... 2 Licensing... 2 Overview... 2 2. Creating a RecoverAssist recovery media... 3 Considerations... 3 The media creation
How To Restore An Org Server With Anor Backup For Windows 7.5.2 (Oracle)
Oracle Server Backup User Guide TABLE OF CONTENTS Introduction... 2 Oracle Server Backup... 3 Features... 3 Requirements for Oracle server backup... 3 How to enable ARCHIVELOG Mode... 3 System Requirements...
Click to view Web Link, click Chapter 8, Click Web Link from left navigation, then click BIOS below Chapter 8 p. 395 Fig. 8-4.
Chapter 8 Objectives Chapter 8 Operating Systems and Utility Programs Identify the the types types of of system software Summarize the the startup process on on a a personal computer Describe the the functions
Best Practice Document Hints and Tips
Marshal Ltd. Date: 02/06/2007 Marshal EndPoint Security From Best Practice Document Hints and Tips Marshal Software Ltd CSL 005 Marshal EndPoint Security Best Practice (2) Privacy Control: None Version:
Using. Microsoft Virtual PC. Page 1
Using Microsoft Virtual PC T4 Page 1 Microsoft Virtual PC Microsoft Virtual PC allows multiple Guest Operating Systems (Virtual Machines) to run using the resources of the Host Operating System (The PC
NIST CFTT: Testing Disk Imaging Tools
NIST CFTT: Testing Disk Imaging Tools James R. Lyle, Ph.D. Computer Scientist National Institute of Standards and Technology 1. Introduction There is a critical need in the law enforcement community to
About Backing Up a Cisco Unity System
CHAPTER 4 Introduction This chapter describes in general terms backing up a Cisco Unity system. When you back up a Cisco Unity server (and one or more Exchange servers) you need to consider the same issues
Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers
Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers Brian Carrier Research Scientist @stake Abstract This paper uses the theory of abstraction layers to describe the purpose
Applications of Data Recovery Tools to Digital Forensics: Analyzing the Host Protected Area with the PC-3000
Applications of Data Recovery Tools to Digital Forensics: Analyzing the Host Protected Area with the PC-3000 Richard Leickly and David Angell Circle Hook Data Recovery { Richard, David}@CircleHookDR.com
Installing Windows XP Professional
CHAPTER 3 Installing Windows XP Professional After completing this chapter, you will be able to: Plan for an installation of Windows XP Professional. Use a CD to perform an attended installation of Windows
Storage Sync for Hyper-V. Installation Guide for Microsoft Hyper-V
Installation Guide for Microsoft Hyper-V Egnyte Inc. 1890 N. Shoreline Blvd. Mountain View, CA 94043, USA Phone: 877-7EGNYTE (877-734-6983) www.egnyte.com 2013 by Egnyte Inc. All rights reserved. Revised
Forensics on the Windows Platform, Part Two
1 of 5 9/27/2006 3:52 PM Forensics on the Windows Platform, Part Two Jamie Morris 2003-02-11 Introduction This is the second of a two-part series of articles discussing the use of computer forensics in
Serial ATA RAID PCI. User's Manual
Serial ATA RAID PCI User's Manual Chapter 1 Introduction Table of Contents 1-1 Features and Benefits. 1 1-2 System Requirements. 1 Chapter 2 RAID Arrays 2-1 RAID Overview.. 2 2-1.1 RAID 0 (striping)...
Lecture 6: Operating Systems and Utility Programs
Lecture 6: Operating Systems and Utility Programs Chapter 8 Objectives Identify the types of system software Summarize the startup process on a personal computer Summarize the features of several stand-alone
Using Linux VMware and SMART to Create a Virtual Computer to Recreate a Suspect's Computer. By:
Using Linux VMware and SMART to Create a Virtual Computer to Recreate a Suspect's Computer By: Senior Special Agent Ernest Baca United States Customs Service Office of Investigations Resident Agent in
Availability Guide for Deploying SQL Server on VMware vsphere. August 2009
Availability Guide for Deploying SQL Server on VMware vsphere August 2009 Contents Introduction...1 SQL Server 2008 with vsphere and VMware HA/DRS...2 Log Shipping Availability Option...4 Database Mirroring...
Chapter 5: Fundamental Operating Systems
Chapter 5: Fundamental Operating Systems IT Essentials: PC Hardware and Software v4.1 Chapter5 2007-2010 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Chapter 5 Objectives 5.1 Explain the purpose
VirtualXP Users Guide
VirtualXP Users Guide Contents Chapter 1: Introduction... 2 Chapter 2: Install and Uninstall VirtualXP... 3 2.1 System Requirement... 3 2.2 Installing VirtualXP... 3 2.3 Uninstalling VirtualXP... 3 Chapter
System Planning, Deployment, and Best Practices Guide
www.novell.com/documentation System Planning, Deployment, and Best Practices Guide ZENworks Application Virtualization 9.0 February 22, 2012 Legal Notices Novell, Inc., makes no representations or warranties
How To Backup An Exchange 2007 Mailbox With A Backup From A Backup To A Backup On A Windows 2007 Mail Box (Brick Level) (Barcondown) (For Windows 2007) (Powerpoint) (Windows 2007) And Power
MS Exchange Server Backup - User Guide TABLE OF CONTENTS Introduction...2 Features...2 System Requirements...4 Exchange Server 2010... 4 Exchange Server 2007... 4 Exchange Server 2003... 4 Exchange Server
LOCKSS on LINUX. CentOS6 Installation Manual 08/22/2013
LOCKSS on LINUX CentOS6 Installation Manual 08/22/2013 1 Table of Contents Overview... 3 LOCKSS Hardware... 5 Installation Checklist... 6 BIOS Settings... 9 Installation... 10 Firewall Configuration...
Windows Operating Systems. Basic Security
Windows Operating Systems Basic Security Objectives Explain Windows Operating System (OS) common configurations Recognize OS related threats Apply major steps in securing the OS Windows Operating System
Where is computer forensics used?
What is computer forensics? The preservation, recovery, analysis and reporting of digital artifacts including information stored on computers, storage media (such as a hard disk or CD-ROM), an electronic
Clickfree Software User Guide
Clickfree Software User Guide Last Revised: Nov 2, 2011 Clickfree_backup_software_user_guide_v1.0 Clickfree and the Clickfree logo are trademarks or registered trademarks of Storage Appliance Corporation.
Enterprise Remote Control 5.6 Manual
Enterprise Remote Control 5.6 Manual Solutions for Network Administrators Copyright 2015, IntelliAdmin, LLC Revision 3/26/2015 http://www.intelliadmin.com Page 1 Table of Contents What is Enterprise Remote
IBM Rapid Restore PC powered by Xpoint - v2.02 (build 6015a)
IBM Rapid Restore PC powered by Xpoint - v2.02 (build 6015a) User s Reference Guide Internal IBM Use Only This document only applies to the software version listed above and information provided may not
VOICE IMPROVEMENT PROCESSOR (VIP) BACKUP AND RECOVERY PROCEDURES - Draft Version 1.0
VOICE IMPROVEMENT PROCESSOR (VIP) BACKUP AND RECOVERY PROCEDURES - Draft Version 1.0 This document contains the backup and recovery procedures for the NWR CRS VIP. These procedures shall be used by all
EaseUS Partition Master
Reviewer s Guide Contents Introduction... 2 Chapter 1... 3 What is EaseUS Partition Master?... 3 Versions Comparison... 4 Chapter 2... 5 Using EaseUS Partition Master... 5 Partition Manager... 5 Disk &
Updates Click to check for a newer version of the CD Press next and confirm the disc burner selection before pressing finish.
Backup. If your computer refuses to boot or load Windows or if you are trying to restore an image to a partition the Reflect cannot lock (See here), and then you will have to start your PC using a rescue
Information Security Policy. Policy and Procedures
Information Security Policy Policy and Procedures Issue Date February 2013 Revision Date February 2014 Responsibility/ Main Point of Contact Neil Smedley Approved by/date Associated Documents Acceptable
C6 Easy Imaging Total Computer Backup. User Guide
C6 Easy Imaging Total Computer Backup User Guide Clickfree and the Clickfree logo are trademarks or registered trademarks of Storage Appliance Corporation. Other product names used in this guide are recognized
TECHNICAL PAPER. Veeam Backup & Replication with Nimble Storage
TECHNICAL PAPER Veeam Backup & Replication with Nimble Storage Document Revision Date Revision Description (author) 11/26/2014 1. 0 Draft release (Bill Roth) 12/23/2014 1.1 Draft update (Bill Roth) 2/20/2015
VMWare Workstation 11 Installation MICROSOFT WINDOWS SERVER 2008 R2 STANDARD ENTERPRISE ED.
VMWare Workstation 11 Installation MICROSOFT WINDOWS SERVER 2008 R2 STANDARD ENTERPRISE ED. Starting Vmware Workstation Go to the start menu and start the VMware Workstation program. *If you are using
Digital Forensic. A newsletter for IT Professionals. I. Background of Digital Forensic. Definition of Digital Forensic
I Digital Forensic A newsletter for IT Professionals Education Sector Updates Issue 10 I. Background of Digital Forensic Definition of Digital Forensic Digital forensic involves the collection and analysis
Acronis Backup & Recovery 10 Workstation. Installation Guide
Acronis Backup & Recovery 10 Workstation Installation Guide Table of Contents 1. Installation of Acronis Backup & Recovery 10... 3 1.1. Acronis Backup & Recovery 10 components... 3 1.1.1. Agent for Windows...
Determining VHD s in Windows 7 Dustin Hurlbut
Introduction Windows 7 has the ability to create and mount virtual machines based upon launching a single file. The Virtual Hard Disk (VHD) format permits creation of virtual drives that can be used for
