Design Document for Implementing a Digital Forensics Laboratory
Version 1.00

Group CNWIS-G4
Department of Computer Science and Engineering
University of Moratuwa

Project Supervisor: Dr Chandana Gamage
Project Members: Kumarage H.D., Alles W.M.H.M., Buddhika R.A.P., Wijayapala M.H.V.L.A.
TABLE OF CONTENTS

1. Introduction
   1.1 What is Forensics?
   1.2 Digital Forensics
   1.3 Proposed Project
2. System Design
   2.1 Target Environment
   2.2 Basic Components of the System
       2.2.1 Digital Forensics Framework
       2.2.2 Digital Forensics Website
       2.2.3 Documentation of forensics analyzing tools and user guides
       2.2.4 Policies and procedures
       2.2.5 Software Tools
   2.3 Component Interaction of the System
       2.3.1 Website interaction with the user
       2.3.2 Forensics analyzer's interaction with the framework
       2.3.3 Modified / created software tools and interaction with the forensics investigator
3. System Implementation
   3.1 Framework Implementation
       3.1.1 Research work
       3.1.2 All in one forensics framework
       3.1.3 Data collection and analysis
       3.1.4 Report generator system
   3.2 Dark Lab Website Implementation
   3.3 Documentation of software tools, rules and policies
   3.4 Development of software tools
4. Glossary
TABLE OF FIGURES

Figure 1 - DF lab website use case
Figure 2 - Forensics framework use case
Figure 3 - Forensics framework activity diagram
Figure 4 - Scalpel front end use case
Figure 5 - Scalpel front end main window
Figure 6 - New file carve project window
Figure 7 - Select file types window
Figure 8 - Set output directory window
Figure 9 - Forensics framework
Figure 10 - Investigation sample report part 1
Figure 11 - Investigation sample report part 2
Figure 12 - Component diagram (Framework)
Figure 13 - Component diagram (Website)
1. Introduction

1.1 What is Forensics?

Forensics can be introduced as the application of a wide range of sciences to answer questions that are of importance to the legal system and the legal process. This may be in relation to a crime, or to any event where evidence is needed to obtain a legal perspective. Together with its relevance to the underlying legal system, forensics therefore provides a clear and well documented methodology, or framework, in which the authentication of an object or event is of great importance even from a perspective outside the legal system.

The need for forensics is based on the evidence that is collected for the particular object or event that needs authentication. Evidence is inherently unreliable and nothing is absolutely certain. It is the forensic analysis that, through a systematic methodology and framework, logically determines the degree of confidence that can be assigned to the relevant object or event. Forensics is therefore the art of reaching trusted inferences from a collection of untrusted sources by the methodical application of scientific reasoning to the evidence.

Throughout history forensic methodologies have been used to authenticate events: from the Eureka legend of Archimedes, where density evaluations were used, to the first use of a fingerprint by the Arabic merchant Suleiman, to modern DNA matching and packet analysis in data networks. Forensics continues to provide the logical reasoning methodologies for analyzing evidence and evaluating the authenticity and degree of confidence that can be applied to a certain belief.

1.2 Digital Forensics

Also known as computer forensics, this is the branch of forensics that deals with the analysis of evidence obtained from computers and digital storage media. A digital forensics investigation explains the current state of the digital evidence gathered, including the specifics of the data contained and the sequence of events that might have occurred for the current state to be as it is. The digital evidence might either have been used or have aided in committing a physical crime, or it might record a digital event that violated a policy or law. An example of the first case is a suspect who used the internet to obtain specific information that aided in committing the crime; an example of the second is a user who gains unauthorized access to a computer system and affects the integrity, confidentiality and availability of its information or services. In a digital investigation, therefore, hypotheses are developed to answer questions about digital events, and scientific methods are used to analyze digital evidence that can either support or refute those hypotheses.

Some of the cases where digital forensics is needed within a proper legal framework and methodology are:

- Analyzing computer systems and other digital devices belonging to defendants accused of criminal activities.
- Analyzing a computer system after an unauthorized break-in.
- Gaining information about how computer systems work for debugging, performance optimization, or reverse engineering.
- Recovering data in the event of a hardware or software failure.

Comparing the digital forensics process with general physical forensics, some main contrasts can be drawn. Physical forensics mainly focuses on the identification and individualization of objects through comparison and reasoning. Computer forensics, on the other hand, focuses on finding the relevant digital evidence and analyzing it. It therefore has more in common with a general crime scene investigation than with the physical forensics process. A digital forensics investigation is thus a process that uses science and technology to analyze digital objects and to develop and test theories which can be validated in a court of law.

Hence digital forensics provides the basic methodologies and framework for gathering digital data and analyzing it to build and test hypotheses pertaining to the event.
1.3 Proposed Project

The increasingly globalized world of today is being dynamically shaped in all aspects by the exponential use of technology, and the core technological force driving this change is computer and information technology. As Sri Lanka too seeks to establish itself as a major hub in the emerging worldwide information technology markets, there is an ever growing need to cater to the security aspects of the IT industry in Sri Lanka. An organization therefore has to be set up to deal with these needs: one that caters to the security aspects, provides the relevant digital forensics framework and methodologies, and acts as the front line in identifying, preventing and solving cyber crime.

This project will therefore implement an advanced laboratory environment that can carry out digital forensics investigations in a well organized and efficient manner, bound to the underlying legal framework. The following services will be provided mainly through the completion of this project:

- A consistent and standardized framework for digital forensic investigations
- A set of standardized digital forensic tools
- Mechanisms to apply and extend these tools to cater for future technologies
- A generalized procedure to correctly investigate cyber crime
- A website to report cyber crime and a report system to analyze the evidence
- A comprehensive archive of reported attacks and solutions, together with the relevant methodologies

Some of the main requirements for this project in the areas of hardware, software and other performance related aspects are:

- Interface converters, storage devices, optical drives, hubs and plug and play Wi-Fi network cards
- Software tools for mirror imaging, file carving, hashing and memory dumping
- Tools for TCP scanning, port scanning and wireless network analysis
- Operating system log scanning tools
- Access to relevant information and inter-department and inter-agency cooperation
- Proper safeguards and access control methodologies
- A secure storage and reporting framework

The final outcome of this project will therefore define a procedure to be followed in a lab environment, including specifications to gather evidence from the affected digital equipment, preserve the original samples of the subject as they are, analyze the obtained evidence accordingly, make decisions regarding the attack, and present them to the relevant parties involved. The project work is responsible for defining and aggregating the hardware and software tools required to carry out forensics investigations. Additionally, the operational policies of the lab will be specified to make sure the lab work meets the standards of this field.
2. System Design

2.1 Target Environment

The target environment for the digital forensics framework is Windows and Linux. In addition, the front end file carving application can carve files irrespective of the file system.

2.2 Basic components of the system

The implementation of the digital forensics lab delivers several components as the end product. The following sections describe them.

2.2.1 Digital Forensics Framework

This is the main component of the project. The forensics framework is a collection of software tools that helps a forensics investigator perform the required tasks: collecting evidence, storing and transferring evidence, analyzing evidence, and generating the report.

2.2.2 Digital Forensics Website

This includes developing a website to help both forensics lab staff and customers. A customer can report a computer crime through the website, keep track of the case through the website, and finally obtain a full report.

2.2.3 Documentation of forensics analyzing tools and user guides

It is not reasonable to assume that the forensics investigator is a highly technical person with all the knowledge needed to use the framework without any trouble or mistakes. Therefore documentation of the framework and the software tools it includes, together with proper user guides, will be prepared by us. This will help the investigator quickly get familiar with the framework and the process. The following will be provided under this component of the project:

- Documentation paperwork
- User guide paperwork and tutorials

2.2.4 Policies and procedures

In addition to the documentation of tools and user guides, certain protocols have to be maintained during an investigation. These will help to:

- Ensure trust between the customer and the forensics investigator
- Avoid misuse of sensitive data
- Avoid lost or stolen data falling into the wrong hands
- Maintain a proper investigation

2.2.5 Software Tools

The forensics framework consists of a number of software tools that perform different kinds of forensic analysis. It is an objective of the project to research and find existing software tools and to modify them where necessary to match our needs. The number of software tools we may have to modify might increase with time; up to now we have identified two such requirements:

1. Develop a front end GUI application for the Scalpel file carving tool.
2. Develop an application to analyze an image and identify whether it has been tampered with.

Please note that these are the currently identified requirements and they might increase with time.
2.3 Component interaction of the system

This part of the document describes the interaction of the components with users. Diagrams are provided where required to give a clear understanding.

2.3.1 Website interaction with the user

The DF lab website will help the customer / victim to report a computer crime. The forensics organization will then let the customer know, through the website, the date and time at which they will come to collect the evidence data. The user will also be able to check the status of the case and finally get a report covering the full case. Report generation will be done by the forensics framework and the report will be made available to the user (and only to the user) via the website. A use case diagram for the digital forensics website is given below.
[Figure 1 - DF lab website use case: use case diagram. Actor: Customer. Use cases of the DF lab Website: Report a crime, Check the ongoing status, Get the final report, Print. Note on the diagram: {Set required parameters}.]
2.3.2 Forensics analyzer's interaction with the framework

The forensics analyzer plays an important role in collecting and analyzing evidence and in setting up the report for the computer crime scenario. He must make sure that there are no loopholes in the way he performs these tasks; otherwise, no matter what the report claims, the suspect might use them in court to his advantage. To ensure that the evidence he collected (basically a clone copy of a hard drive) is a 1-1 copy of the original, he can compare the hash value of the image with that of the actual data. The framework will be configured so that it supports the required functionalities. Before starting a case the investigator has to fill in some information about the case and the people involved. The interaction between the forensics investigator and the framework is given in the use case diagram below.
[Figure 2 - Forensics framework use case: use case diagram. Actor: Forensics Analyser. Use cases of the Digital Forensics Framework: Start a case, Choose category, Collect evidence, Secure transfer to remote location, Analyze, Generate report.]
A description of each stage is given below.

- Start a case - fill in some information about the parties involved and other useful data.
- Choose category - perform live analysis, network analysis, or offline data analysis.
- Collect evidence - evidence will be collected based on the chosen category, e.g. in offline data analysis a clone of the victim's hard drive, in network analysis the traffic received / sent, etc.
- Secure transfer - if there is no media to carry the evidence, or for some reason it is risky to carry sensitive data, the analyzer might transfer the evidence to the forensics lab using an encrypted scheme.
- Analyze and generate report - analyze the data collected and generate the report. A report with the raw information will be generated by the framework and the forensic analyzer will then complete it.

An activity diagram for the framework interaction with the forensics analyzer is given below.
[Figure 3 - Forensics framework activity diagram]
2.3.3 Modified / created software tools and interaction with the forensics investigator

To satisfy the framework's requirements various software tools will be used. Some of them might not be user friendly, some might not have GUI versions, etc. In such cases these open source tools will be modified to match our needs. Two of the currently identified needs are a front end application for the Scalpel file carving tool and an Image Analyzer to find whether a digital image has been tampered with by some third party.

Scalpel file carving tool

Scalpel is a powerful file carving tool that can recover deleted data from the empty (unallocated) space of a hard drive. One of its very good features is that it can recover data irrespective of the underlying file system (FAT, FAT32, NTFS, EXT3, etc.). But it has a very poor interface for the end user: it has to be run from the command line, and the configuration file has to be edited manually each time, which is a tedious task. Therefore a front end GUI application will be developed to make it easier to use. A use case diagram for the front end application is given below.
[Figure 4 - Scalpel front end use case: use case diagram. Actor: Forensics Analyzer. Use cases of the Scalpel frontend software tool: Start a case, Choose partition, Set the file types, Get restored files. Note on the diagram: {Set parameters}.]
The developed application will look like the following figures.

Main application window

[Figure 5 - Scalpel front end main window]

The user can create a new analysis, open a previous session and reload it, save the current session (configuration details only), print a report, etc.

Set configurations window

[Figure 6 - New file carve project window]

This window allows the user to set the options needed, such as the disk, sector block size, partition, etc.

Select file types window

[Figure 7 - Select file types window]

The file types to be carved can be set here. This will create the config file that is fed to the back end Scalpel.

Set output directory window

[Figure 8 - Set output directory window]

The user has to set the output directory where the recovered files will be saved.
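To make concrete what the front end's generated config file expresses and what the back end does with it, the following is an added example written for this document; it is not Scalpel's own code and not the project's front end. Each rule line gives an extension, a case-sensitivity flag, a maximum carve size, a header byte pattern and an optional footer, and the carver scans raw bytes for those patterns without consulting any file system, which is why carving works irrespective of FAT, NTFS or EXT3. Assumptions of this example: only \xNN escapes and literal characters are supported in patterns (Scalpel's wildcards and reverse-footer search are omitted), the rule set and the "unallocated space" are constructed, and when no footer is found within the maximum size the carver keeps the maximum size, which is also how a header-only rule behaves.

```python
"""Header/footer file carver driven by Scalpel-style rules (added example)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    ext: str
    case_sensitive: bool
    max_size: int
    header: bytes
    footer: Optional[bytes]


@dataclass
class CarvedFile:
    ext: str
    offset: int
    data: bytes


def decode_pattern(text: str) -> bytes:
    """Turn '\\xff\\xd8' style escapes (and plain characters) into raw bytes."""
    raw = text.encode("latin-1")
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def parse_config(text: str) -> list:
    """Parse 'ext case max_size header [footer]' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"malformed rule: {line!r}")
        footer = decode_pattern(parts[4]) if len(parts) > 4 else None
        rules.append(Rule(parts[0], parts[1].lower() == "y", int(parts[2]),
                          decode_pattern(parts[3]), footer))
    return rules


def carve(data: bytes, rules: list) -> list:
    """Find every header; carve to the first footer within max_size, else max_size bytes."""
    found = []
    for rule in rules:
        # Case-insensitive rules compare against a lowercased view (ASCII letters only).
        hay = data if rule.case_sensitive else data.lower()
        hdr = rule.header if rule.case_sensitive else rule.header.lower()
        ftr = None if rule.footer is None else (rule.footer if rule.case_sensitive else rule.footer.lower())
        pos = 0
        while True:
            start = hay.find(hdr, pos)
            if start < 0:
                break
            end = min(start + rule.max_size, len(data))
            if ftr is not None:
                fpos = hay.find(ftr, start + len(hdr), start + rule.max_size)
                if fpos >= 0:
                    end = fpos + len(ftr)
            found.append(CarvedFile(rule.ext, start, data[start:end]))
            pos = start + len(hdr)   # keep scanning: carved files may overlap or be nested
    return found


# Constructed rule set in the Scalpel line format (JPEG/JFIF and GIF89a signatures,
# plus a case-insensitive header-only rule to show the no-footer path).
SAMPLE_RULES = r"""
# ext  case  max_size  header                       footer
jpg    y     200000    \xff\xd8\xff\xe0\x00\x10     \xff\xd9
gif    y     5000000   \x47\x49\x46\x38\x39\x61     \x00\x3b
txt    n     64        THE\x20LOG
"""


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': deterministic filler with three files buried in it."""
    filler = bytes(range(256)) * 4                                              # 1024 bytes
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"   # 53 bytes
    gif = b"GIF89a" + b"\x02" * 30 + b"\x00\x3b"                                # 38 bytes
    log = b"the log: session opened by operator" + b"\x00" * 8                  # matched case-insensitively
    return filler + jpeg + filler + gif + filler[:100] + log + filler


if __name__ == "__main__":
    for f in carve(build_sample_image(), parse_config(SAMPLE_RULES)):
        print(f"{f.ext:4} offset={f.offset:6} size={len(f.data)}")
```

The rule set is what the "Select file types" window would write out for the back end; the carver itself is the part Scalpel provides. Note that a carver recovers bytes by signature only, so a recovered file must still be validated (and hashed, see section 3.1.3) before it is treated as evidence.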
2.4 Design parameters

Most of the time the forensics investigator deals with highly confidential and sensitive data. The use of encryption schemes is a must when taking evidence data from place to place, so that if the data is stolen it has no value to the thief.

Framework requirements
The framework will be tested on test case studies to ensure that the original data cannot be tampered with in any possible way.

Forensics investigator's responsibilities
The investigator must make sure that NO physical damage is done to the original data sources and that they are handled with extreme care. Since this is not a software or hardware design parameter, documentation on policies will be provided.

The next part of this document describes the system implementation details.
3. System Implementation

3.1 Framework Implementation

The implementation of the digital forensics framework can be divided into several stages in the time line. Each of these stages is described briefly below.

3.1.1 Research work

Research areas
- Live system analysis (completed)
- Offline analysis (in progress)
- Network analysis
- Existing forensics frameworks and their features

Purpose
To get an understanding of forensics, identify the available tools, get familiar with them, identify what they lack and improve them.

Outcome
Documentation of the research work

3.1.2 All in one forensics framework

This is an important part of the project. When performing a forensics investigation, first the evidence has to be collected, then it is analyzed, and finally a report must be produced. In this whole process the collection of evidence and its analysis play two different roles. The person who collects the evidence may not be the one who analyzes it and, most importantly, the evidence is not analyzed at the very same time it is collected. Therefore two separate sections can be identified in our framework:

- Evidence collector's framework
- Forensics analyzer's framework

Evidence collection will include filling in the information of the parties involved, acquisition of the evidence and secure transfer of the data to storage for later analysis. Forensics analysis will include data analysis and report generation. We are following a forensics framework called Helix. The framework we develop will be similar to the picture given below.

[Figure 9 - Forensics framework]
3.1.3 Data collection and analysis

Concerned areas in data collection
On site data collection, verifying with the client that the original data sources have not been tampered with by the framework and that a 1-1 copy of the original data has been taken.

Implementation
- Verify that the MD5 hash of the acquired data and of the original data are the same. (A software tool will be developed to facilitate this.)
- Encryption schemes will be used in data transportation. If the transfer is over the network from the client site to the forensics lab, a Netcat server and client system will be used with encryption. Otherwise the evidence data will be encrypted so that it can be carried by hand without major risk. These encryption systems will be implemented by us.

Concerned areas in analysis
This includes receiving the evidence stored on the lab's FTP server and performing the analysis. The framework's analysis part will facilitate this requirement.

3.1.4 Report generator system

The report system generates a report based on the analysis performed. The final report generated by the framework will look similar to the following.
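The hash comparison named in section 2.3.2 and in the implementation list above is shown below as an added example; it is not the verification tool the project plans to build. It hashes the source and the acquired image in one streaming pass (so multi-gigabyte images do not have to fit in memory), compares the digests, and produces a record the investigator can attach to the chain-of-custody form. The document specifies MD5; this example also computes SHA-256 alongside it, which is an assumption of the example rather than a requirement of the document, because an MD5 match alone should not carry the evidentiary claim that two copies are identical. The record's field names and the "device" and "image" data are constructed for the demonstration.

```python
"""Evidence image verification (added example, not part of the design document)."""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024          # hash in 1 MiB blocks; the image never has to fit in memory
ALGORITHMS = ("md5", "sha256")    # MD5 per the document, SHA-256 added by this example


def hash_stream(stream, algorithms=ALGORITHMS):
    """Hash a binary stream in a single pass, feeding every algorithm at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK_SIZE)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data (used by the demo below)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    """Hash a device node or an image file; the device should sit behind a write blocker."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify_image(source_hashes, image_hashes):
    """Return (ok, mismatched_algorithms). ok is True only if every digest agrees."""
    mismatches = [name for name in source_hashes
                  if source_hashes[name] != image_hashes.get(name)]
    return (not mismatches, mismatches)


def verification_record(case_id, source_label, image_label, source_hashes, image_hashes):
    """Build the record attached to the chain-of-custody form (field names are assumed)."""
    ok, mismatches = verify_image(source_hashes, image_hashes)
    return {
        "case_id": case_id,
        "source": source_label,
        "image": image_label,
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": ok,
        "mismatched_algorithms": mismatches,
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    # Constructed stand-ins: a 3 MiB "device" and two "images" of it, one exact and
    # one with a single flipped byte (a bad sector, or a copy altered in transit).
    device = bytes(range(256)) * (3 * 4096)
    good_image = bytes(device)
    bad_image = bytearray(device)
    bad_image[2_000_000] ^= 0x01

    src = hash_bytes(device)
    for label, image in (("case001-image-a.dd", good_image), ("case001-image-b.dd", bad_image)):
        record = verification_record("CASE-001", "constructed-device", label, src, hash_bytes(bytes(image)))
        print(json.dumps(record, indent=2))
```

Both digests are fed from the same read, so adding SHA-256 costs no extra pass over the evidence. The same record, stored with the image, is what lets the analyzer in the lab confirm later (after the Netcat transfer or the hand-carried encrypted copy) that what arrived is what was acquired.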
[Figure 10 - Investigation sample report part 1]
[Figure 11 - Investigation sample report part 2]

Note: This is not an actual figure and will be subject to change depending on the type of analysis performed.
This concludes the implementation of the forensics framework. A component diagram for the framework is given below.

[Figure 12 - Component diagram (Framework)]
3.2 Dark Lab website implementation

Implementation of the Dark Lab website has already been started, and the website is maintained and hosted on one of our project lab computers. As the project proceeds more components will be added. The design stages we discussed for the website are as follows.

Stage 1
- Start with a simple website and host it.
- Include project work and important milestones as the project proceeds.

Stage 2
- Implementation of authentication and security features
- Website database design and implementation

Stage 3
- Add the other components required
- Website testing, final modifications and decorations
A component diagram for the website is given below.

[Figure 13 - Component diagram (Website)]

3.3 Documentation of software tools, rules and policies

Rules and policies documentation

In the Dark Lab facility, which we use as our digital forensic lab, we already have some standards and regulations, and they have been documented as well. The lab can be considered physically secure because it is protected against intrusion, theft and natural disasters. It also has controlled access methods, with access restricted to persons having a valid requirement to enter. Access entries and logs are kept, with signing in and signing out of the lab, in case of evidence tampering.
To standardize all the operating procedures of the Dark Lab we are going to produce a document called DARK LAB Digital Forensic Standard Operating Procedures (SOP). In this document we will provide a detailed step by step procedure for each of the following phases of digital forensics:

- Preparation
- Collection
- Preservation
- Analysis
- Presentation

Some of the above phases require special data entry forms, which are filled in during forensic procedures and when evidence is handed over between parties, so that the chain of custody is maintained. We are going to produce these forms in editable PDF format, since they can be filled in electronically whenever needed, or otherwise printed out and filled in by pen. This format of documentation can provide access control over:

- Opening read only
- Opening for writing / appending
- Printing

Therefore not everyone who works in the lab will have access or write permission to these documents.

Software tools documentation

In the process of collection, examination, preservation, analysis and reporting of digital evidence, many software and hardware tools are needed. We have to maintain only the relevant tools in the facility, and all software tools must be legally licensed. A wide variety of common software, such as Windows, MS Office and Linux, must be kept in the lab so that evidence of every type can be examined. In addition, a wide variety of forensic software should be employed, including all types of acquisition and analysis software, live response CDs, etc. This will allow us to perform flexible and accurate forensic analysis.

We are going to categorize this forensic software and document it. By using different types of test cases, we can check the accuracy, flexibility, reliability, speed and other performance characteristics of the forensic software. In live system response scenarios we should be able to collect evidence with minimal or no change to the victim system, so that other evidence is preserved. By comparing test cases with each other we can identify the best live system response software. We will then document those tools so that we can keep track of them and select the best software for future investigation scenarios.

In addition to the software tools, a forensic lab should be equipped with all kinds of hardware components such as cables, drives, adapters, etc., because chances are that a forensic investigator will run into a situation where a particular incident requires retrieving evidence from an older system and the investigator does not have an adapter to connect to it. Maintaining a wide variety of older and newer hardware is therefore essential. In the same manner, maintaining a wide variety of storage media (hard disks, USB drives, zip disks, tape cartridges, floppy disks, etc.), as well as several sizes of hard disk drives, is essential for evidence storage. Hardware write blockers are also essential when performing evidence acquisition. As a forensic investigation team we have to document all the hardware components, their usage, comparisons between all similar types of components and their performance, so that we can select the right hardware components for a particular situation.

3.4 Development of software tools

This part of the document describes the implementation plan for the software tools that will be developed by us.
Front end GUI application for the Scalpel file carving tool

We have already begun the implementation of this software tool. The implementation plan is broken down into stages and is given below.

Stage 1
- Identify the features of the existing Scalpel software (in progress).
- Identify the hex values of the headers and footers of known file types (in progress). The software will be developed such that new file types can easily be added to it.

Stage 2
- Identify the target environment and choose a programming language platform for the implementation.

Stage 3
- GUI design (pictures are given above in section 2).

Stage 4
- Code and implementation
- Test and debug the software tool.

Stage 5
- Integrate this with the forensics framework.

Tampered image recognition software

Background and problem definition

Since the beginning of the 1990's there has been rapid growth in the use of digital multimedia data. The greatly increased use of personal computers and Internet access has made the distribution of multimedia data much easier and faster. On the other hand, now that digital technology is highly developed, this digital content (image, audio and video) can easily and illegally be copied, tampered with and spread. In the case of digital images, the wide availability of powerful image processing tools such as Photoshop has also made illegal image modification possible. Such tampered images can be used as false evidence to accuse people who did not commit any crime, and in some cases they have been used for the public humiliation of well known people. Copyright protection and content authentication of digital content have therefore become a thorny problem and a critical concern for content owners. For these reasons the recognition, analysis and recovery of tampered digital images has become a major concern of digital forensic investigators. Dr. Chandana Gamage, the supervisor of our project group, therefore gave us the requirement to provide a software solution for the above problem. As the members of the final year project group for setting up a digital forensic lab, we are considering developing a software tool to recognize, analyze and, if possible, recover tampered digital images.

Design and implementation approaches

- Image processing approach using edge detection techniques.
- Analyze the whole image bitwise and use the header and footer details of the image to find any modifications.
- Watermarking method: embed a watermark in the image, use it to recognize whether the image has been tampered with, and recover the original using it.
- Perform a spectrum analysis on the image to identify whether it is digitally created or a natural photograph.
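Of the four approaches listed, the watermarking one is the most self-contained to demonstrate, so the following added example (written for this document, not the project's Image Analyzer) shows a fragile block watermark of the kind used for tamper localization. Each 4x4 block of an 8-bit grayscale image receives a 16-bit keyed tag computed over the upper 7 bits of its pixels and the block's position, and the tag is written into the 16 pixel LSBs of that block. Any later change to a block, whether to the upper bits or to the LSBs, breaks its tag, so verification reports which blocks were edited. Assumptions of the example: the image is a list of rows of ints 0-255 with dimensions divisible by 4, the key is a secret shared by embedder and verifier, the sample image is constructed, and recovery of the original content (the last part of the approach above) is not attempted, since a fragile mark of this kind detects but does not restore.

```python
"""Fragile block watermark for tamper localization (added example)."""
import hashlib

BLOCK = 4                       # block side in pixels; 4x4 = 16 pixels carry a 16-bit tag
TAG_BITS = BLOCK * BLOCK


def _block_tag(pixels, key, by, bx):
    """Keyed 16-bit tag over the top 7 bits of every pixel in block (by, bx)."""
    h = hashlib.sha256(key)
    h.update(by.to_bytes(4, "big") + bx.to_bytes(4, "big"))   # bind the tag to its position
    for y in range(by * BLOCK, (by + 1) * BLOCK):
        for x in range(bx * BLOCK, (bx + 1) * BLOCK):
            h.update(bytes([pixels[y][x] >> 1]))                 # LSB excluded: it will hold the tag
    return int.from_bytes(h.digest()[:2], "big")


def _block_lsbs(pixels, by, bx):
    """Read the 16 LSBs of a block back as an integer, row-major, most significant bit first."""
    value = 0
    for y in range(by * BLOCK, (by + 1) * BLOCK):
        for x in range(bx * BLOCK, (bx + 1) * BLOCK):
            value = (value << 1) | (pixels[y][x] & 1)
    return value


def embed_watermark(pixels, key):
    """Return a watermarked copy; each pixel changes by at most one grey level."""
    out = [list(row) for row in pixels]
    for by in range(len(out) // BLOCK):
        for bx in range(len(out[0]) // BLOCK):
            tag = _block_tag(out, key, by, bx)
            bit = TAG_BITS - 1
            for y in range(by * BLOCK, (by + 1) * BLOCK):
                for x in range(bx * BLOCK, (bx + 1) * BLOCK):
                    out[y][x] = (out[y][x] & 0xFE) | ((tag >> bit) & 1)
                    bit -= 1
    return out


def verify_watermark(pixels, key):
    """Return the list of (block_row, block_col) whose stored tag no longer matches."""
    bad = []
    for by in range(len(pixels) // BLOCK):
        for bx in range(len(pixels[0]) // BLOCK):
            if _block_lsbs(pixels, by, bx) != _block_tag(pixels, key, by, bx):
                bad.append((by, bx))
    return bad


def sample_image(size=16):
    """Constructed grayscale gradient, size x size, values 0-255."""
    return [[(y * 16 + x) % 256 for x in range(size)] for y in range(size)]


def tamper(pixels, y, x):
    """Simulate an edit: flip bit 6 of one pixel (a clearly visible change)."""
    out = [list(row) for row in pixels]
    out[y][x] ^= 0x40
    return out


if __name__ == "__main__":
    key = b"constructed-demo-key"
    marked = embed_watermark(sample_image(), key)
    print("untouched image, bad blocks:", verify_watermark(marked, key))
    print("pixel (5, 9) edited, bad blocks:", verify_watermark(tamper(marked, 5, 9), key))
```

Binding the tag to the block position is what stops a region from being copied over another region of the same marked image without detection. The scheme only helps when the mark was embedded before the image left a trusted party's hands, which is why the other three approaches (edge analysis, header and footer checks, spectrum analysis) remain necessary for images that carry no watermark.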
4. Glossary

CD    Compact Disk
DF    Digital Forensics
DNA   Deoxyribonucleic Acid
FAT   File Allocation Table
GUI   Graphical User Interface
IT    Information Technology
MS    Microsoft
NTFS  New Technology File System
PDF   Portable Document Format
SOP   Standard Operating Procedures
TCP   Transmission Control Protocol
USB   Universal Serial Bus