Design and Implementation of a Live-analysis Digital Forensic System




Pei-Hua Yen, Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Taiwan, amber8520@gmail.com
Chung-Huang Yang, Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Taiwan, chyang@computer.org
Tae-Nam Ahn, Security Engineering Research Center, Hannam University, Korea, taenamahn@hotmail.com

ABSTRACT
As the popularity of the Internet continues to grow, it changes not only our lives but also the way crime is committed. The number of cases in which a computer is the tool, the scene or the target of a crime is increasing, and in such cases traditional investigators have been unable to establish the admissibility of the evidence. To solve this problem, the evidence must be collected with digital forensic tools and the digital data analysed or, where damaged, recovered. In this research we use open source digital forensic tools based on Linux; we want to establish the stability of the software and thereby prove the evidence we obtain. To avoid the data loss that shutting down a machine causes, we use Live-analysis to collect data, and we design a Live DVD/USB to create image files and analyse the image. We compute MD5 and SHA-1 values to identify each file before the final report, ensuring the reliability of the forensic evidence in court.

Keywords: Digital Forensics, Digital Evidence, Live-analysis, Live DVD/USB

1. INTRODUCTION
The Internet is the most popular application in modern society. It brings great convenience of communication to people. On the other hand, because of its rapid development and the lack of proper regulation, the Internet has become a breeding ground for crime. The most serious problem of the Internet is cybercrime.
The computer crime statistics for January to June 2008 in Taiwan, published by the National Police Agency, Ministry of the Interior [12], list 4,981 cases of Internet fraud, 2,023 of infringement of computer usage, 1,871 under the Prevention and Punishment of Sex-Trade Act, 1,340 under the Copyright Act and 1,131 of obscenity, which shows the seriousness of computer crime. Computer crime differs sharply from traditional crime, so an investigator inquiring into computer crime must have the aid of computer forensic knowledge and technology. Digital evidence is not physical; it is stored on media. It has the following characteristics [4]: (1) it is easy to copy or modify, (2) its source and integrity are difficult to confirm, (3) its contents cannot be understood directly, etc. During an investigation, the procedures must follow the Good Practice Guide for Computer-Based Evidence proposed by the International Organization on Computer Evidence in 1999 in order for the digital evidence to have legal effect [8].

2. RELATED WORKS
This paper focuses on collecting and recovering digital evidence from electronic media, with emphasis on identifying the source of the evidence. The following describes the details of digital forensics.

2.1. Digital Forensics
Digital forensics is the science of obtaining, preserving and documenting evidence from electronic media, such as tablet PCs, servers, digital cameras, PDAs, fax machines, iPods, smart phones and various memory storage devices [17]. Generally, digital forensics is designed to investigate evidence, and its applications include computer intrusion, unauthorized access, child pornography, etc. The fundamentals of the computer forensic analysis process fall into three distinct areas: acquisition, analysis and presentation [2].
The list below briefly describes those procedures:
- Acquisition phase: this phase focuses on obtaining the state of the systems that hold storage devices, and all their digital data, for later analysis. We usually use forensic tools to image the disk.
- Analysis phase: identification of the evidence we have collected, including file types and directory contents, and rescue of data, in order to find the relation between the evidence and the incident.
- Presentation phase: documentation of the data analysis for the prosecutors to refer to.

At present, the mining and analysis of evidence cannot be completed manually. We must depend on forensic tools such as EnCase and Forensic Toolkit (FTK) [7]. Most of them are commercial software and are expensive for small enterprises or individuals. In this research, we use open source tools to design and implement our system.

2.2. Digital Evidence
Digital evidence stored in a computer can play a major role in a wide range of crimes, including murder, rape, computer intrusions, espionage and child pornography, as proof of a fact about what did or did not happen [3, 17]. Digital information is fragile in that it can easily be modified, duplicated, restored or destroyed [10]. In the course of an investigation, the investigator should ensure that digital evidence is not modified without proper authorization [9]. The typical goal of an investigation is to collect evidence using generally accepted methods so that the evidence is accepted and admitted in court. The final report must include [17]: (1) where the evidence was stored, (2) who had obtained access to the evidence, and (3) what had been done to the evidence. Every step in the process must be carefully recorded in order to prove that the electronic records were not altered during the investigation procedure.

2.3. Forensic Tools
All digital evidence must be analyzed to determine the type of information stored on it. For this, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include [5, 17]: FTK, EnCase [7], SMART, PyFlag and The Sleuth Kit (TSK), etc. Table 1 compares three of them.

Table 1. Comparison of Digital Forensic Tools

                     Encase                                FTK                                TSK
Language             Traditional Chinese                   Simplified Chinese                 English
User                 Must receive professional training    Ease of use                        Ease of use
Create image file    Support                               Support                            Support
Hash value           MD5                                   MD5                                MD5 and SHA-1
Cost                 Expensive                             Expensive                          Open source software
Advantage            Graphical disk information            Classifies the digital evidence    Supports many evidence search techniques
                                                                                              (file content, keyword, metadata, etc.)

2.4. Live-Analysis
Digital forensics is divided into Live-analysis and Dead-analysis [6], according to whether or not the computer is still booted. Currently much digital forensic research uses Dead-analysis, but that approach may lose data when the machine is shut down or the plug is pulled. For forensic analysis the collection of volatile information, such as hardware information, installed software packages or process state, is very important [13]. Since gathering evidence on the target can affect other evidence on the target, a set of practices maximizes the quality of the evidence: running known-good binaries, hashing all evidence, and gathering data in order of volatility [1].

2.5. Live DVD/USB
A Live CD is an operating system distribution that can boot from a read-only medium (such as a CD-ROM) without being installed on the hard disk [11]. Usually the operating system is named after the medium it is stored on; hence it is called a LiveDVD when its medium is a DVD-ROM, and likewise a LiveUSB. Currently many Live CDs have been released, such as KNOPPIX [15], Fedora LiveCD [14], Tux2live [16], etc. We set up our system as a LiveDVD/USB so that it is portable and easily deployed even when moved to a different environment (such as Windows or Linux).

3. SYSTEM ARCHITECTURE
In this study we classify the victim machine into two cases: one in which the computer system is still functioning, and another in which it has been shut down or cannot reboot.
We write a script program and store it on the USB. If the system is still running, we perform Live-analysis with the script, which collects the volatile information of the system; the generated files are stored on the USB disk automatically. We show the results with Tkinter and Xdialog. If the computer is turned off, we must reboot the machine from the Live DVD/USB and make an image file of the disk. The LiveDVD/USB contains the image file producer AIR (Automated Image and Restore), the computer forensics program TSK, the graphical program Autopsy, etc. (the system forensics process is shown in Figure 1).
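The dead-analysis branch above (image the disk, compute hashes, keep the values for the report) can be shown in a few shell functions. The script below is an added example and is not AIR or any code from the paper; it uses plain dd, md5sum and sha1sum, and the file produced by make_sample_disk is a constructed stand-in for a block device so the example runs offline. The log format and function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not the paper's AIR tool or its own scripts: acquire a disk
# image with dd and prove the copy by comparing the MD5 and SHA-1 of the
# source against the image, recording both hash pairs in an acquisition log.

# hash_both FILE: prints "<md5> <sha1>" for FILE.
hash_both() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha1sum "$1" | cut -d' ' -f1)"
}

# image_and_verify SOURCE IMAGE LOG
# Copies SOURCE to IMAGE sector by sector, appends the source and image hashes
# to LOG, and returns 0 only when the two hash pairs are identical.
image_and_verify() {
    src=$1; img=$2; log=$3
    # bs=512 is the sector size. conv=noerror,sync keeps reading past a bad
    # sector and pads it with zeros; any such padding (or a source whose size
    # is not a multiple of bs) makes the image hash differ from the source
    # hash, so a mismatch must be investigated and documented, never ignored.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1
    src_hash=$(hash_both "$src")
    img_hash=$(hash_both "$img")
    {
        printf 'acquired_at: %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
        printf 'source: %s\n' "$src"
        printf 'source_hash: %s\n' "$src_hash"
        printf 'image: %s\n' "$img"
        printf 'image_hash: %s\n' "$img_hash"
    } >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Re-hashes IMAGE (for example before loading it into TSK/Autopsy) and checks
# it against the image_hash recorded in LOG at acquisition time.
verify_image() {
    recorded=$(sed -n 's/^image_hash: //p' "$2" | tail -n 1)
    [ -n "$recorded" ] && [ "$(hash_both "$1")" = "$recorded" ]
}

# make_sample_disk PATH: constructed stand-in for a block device, exactly
# 128 sectors (64 KiB) of zeros with a recognisable marker at offset 0.
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=512 count=128 2>/dev/null || return 1
    printf 'SAMPLE-DISK evidence marker' | dd of="$1" conv=notrunc 2>/dev/null
}

# Demonstration run, only when invoked as: sh acquire.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_disk "$work/disk.raw"
    if image_and_verify "$work/disk.raw" "$work/disk.img" "$work/acquisition.log"; then
        echo "image verified:"; cat "$work/acquisition.log"
    else
        echo "HASH MISMATCH, see $work/acquisition.log"
    fi
fi
```

Two hashes are recorded for the same reason the paper keeps both MD5 and SHA-1: an examiner who later re-hashes the image with either tool can match it to the acquisition log. The sector-size block size is deliberate; a larger bs speeds up dd but, combined with conv=sync, silently zero-pads the tail of a device whose size is not a multiple of bs, which is exactly the kind of discrepancy a defence expert will look for.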

Figure 1. System forensics process (flowchart: Start; does the computer boot? Yes: use Live-analysis to collect the volatile data; No: use the Live DVD/USB to run the Dead-analysis; imaged disk; analysis; report; shutdown)

Figure 2. Live-analysis Menu

4. IMPLEMENTATION
4.1. Live-Analysis
If the machine is still active when we arrive at the crime scene, we should rapidly collect the volatile information of the victim system, including which TCP and UDP ports are open, the user login history, which services are currently active, etc. This volatile information may disappear from the computer after shutdown. At this point we collect the system state by Live-analysis. The system uses a self-developed script program to collect the volatile information and presents the forensic results graphically to facilitate analysis and reduce the barriers to operation. In this study we collect the volatile information of the system with our script program and show the results using Tkinter and Xdialog. Figure 2 shows the Live-analysis menu.

Figure 3. Basic information of system
Figure 3 shows the current state of the system, which includes kernel version, CPU information, hostname, date and time, and partitions.

Figure 4. MD5 and SHA-1
Figure 4 shows the MD5 and SHA-1 values of all the data we obtained.
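The live-analysis script described in Section 4.1, together with the three practices named in Section 2.4 (known-good binaries, hashing all evidence, collecting in order of volatility), can be written as the shell script below. It is an added example and not the paper's own script: the TOOLBIN path is an assumption standing in for the response USB, the collector list and log format are this example's choices, and the output directory is created fresh so the script runs offline on any Linux host.

```shell
#!/bin/sh
# Added example, not the paper's own script: collect the volatile state of a
# running Linux host into an evidence directory, most volatile data first,
# using the responder's own trusted binaries, then hash every output with
# MD5 and SHA-1 so the collection can be verified at report time.

# TOOLBIN (assumed path) holds known-good, statically linked binaries carried
# on the response USB. It is searched before the host's PATH; on a real
# response drop the host PATH entirely (PATH="$TOOLBIN") so that a replaced
# /bin/ps or /bin/netstat on the victim is never executed.
TOOLBIN=${TOOLBIN:-/mnt/usb/bin}
PATH="$TOOLBIN:$PATH"

# run_step NAME COMMAND [ARGS...]
# Runs one collector, writes its stdout to NAME.txt and stderr to NAME.err
# inside $EVIDENCE, and logs the exit status. A tool that is absent is
# logged and skipped so the rest of the collection still happens.
run_step() {
    name=$1; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s SKIP %s (%s not found)\n' "$(date -u '+%H:%M:%S')" "$name" "$1" >>"$EVIDENCE/collection.log"
        return 0
    fi
    if "$@" >"$EVIDENCE/$name.txt" 2>"$EVIDENCE/$name.err"; then rc=0; else rc=$?; fi
    printf '%s %s exit=%s\n' "$(date -u '+%H:%M:%S')" "$name" "$rc" >>"$EVIDENCE/collection.log"
}

# write_manifest: MD5 and SHA-1 of every collected file, as md5sum/sha1sum
# check files (the equivalent of the listing in the paper's Figure 4).
write_manifest() {
    (cd "$EVIDENCE" && md5sum *.txt collection.log >MD5SUMS && sha1sum *.txt collection.log >SHA1SUMS)
}

# verify_manifest DIR: re-hash the evidence and compare with both manifests;
# returns non-zero if any collected file changed since collection.
verify_manifest() {
    (cd "$1" && md5sum -c MD5SUMS && sha1sum -c SHA1SUMS) >/dev/null 2>&1
}

# collect_volatile DIR: the collection itself, ordered by volatility [1]:
# clock and network state first, hardware and partition tables last.
collect_volatile() {
    EVIDENCE=$1
    mkdir -p "$EVIDENCE" || return 1
    : >"$EVIDENCE/collection.log"
    run_step time        date -u
    run_step uptime      cat /proc/uptime
    run_step net_tcp     cat /proc/net/tcp      # open and listening TCP sockets (hex addresses)
    run_step net_udp     cat /proc/net/udp
    run_step processes   ps -ef
    run_step users       who                    # currently logged-in users
    run_step logins      last                   # login history from wtmp
    run_step kernel      uname -a
    run_step hostname    uname -n
    run_step cpu         cat /proc/cpuinfo
    run_step mounts      cat /proc/mounts
    run_step partitions  cat /proc/partitions
    write_manifest
}

# Demonstration run, only when invoked as: sh live_collect.sh --demo DIR
if [ "${1:-}" = "--demo" ]; then
    collect_volatile "${2:-./evidence}" && cat "${2:-./evidence}/collection.log"
fi
```

The collection log records the time and exit status of every collector, which is the "what was done to the evidence" entry the final report must contain (Section 2.2); the two manifests let anyone re-run md5sum -c and sha1sum -c on the evidence directory later and detect any change to the collected files.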

4.2. Dead-Analysis
We reboot the victim system from the LiveDVD/USB to carry out the digital forensics; we call this Dead-analysis. Since this approach is based on the LiveDVD/USB, the state of the computer will not be altered. In this paper we built the LiveDVD/USB with remastersys and unetbootin; it includes AIR (Automated Image and Restore) to create an image file of the disk, the Chinese locale support we added to TSK, Autopsy, etc. The Dead-analysis operation is as follows: first we create an image of the disk with AIR as shown in Figure 5, then we import the image file into TSK and Autopsy as shown in Figure 6, and finally we present the forensic result in a Web browser as shown in Figure 7.

5. DISCUSSION
Table 2. Comparison of Digital Forensic Tools with Our System
(only the X cells survived extraction; the remaining cells were check marks in the original)

                                  Encase   FTK   Helix   Our system
Live-analysis                       X       X      X
Create filesystem image
Verify hash value for image
Support FAT16/32
Support NTFS
Support EXT 2/3
Keyword search
Recover files
Support for Traditional Chinese     X       X      X
Low cost                            X       X      X

Figure 5. AIR
Figure 5 shows AIR making an image file while computing the MD5 value for verification.

Figure 6. TSK and Autopsy
Figure 6 shows the analysis of the disk image by TSK and Autopsy, which provide several analysis functions, including file content, keyword, metadata, file type, etc. Figure 6 is an example of file content analysis, which shows the deleted file name, creation time, file size, etc. It can recover files that have been deleted.

6. CONCLUSIONS
In recent years there have been more and more cases of computer crime, and the term hacking is no longer news. Therefore, how the investigator collects information from a computer after an incident has become an important issue. Most digital forensic software is commercial, its cost is high, and it supports only an English version, which is an obstacle to use. This study is based on open source software to reduce cost, and we translated Autopsy's graphical interface into Traditional Chinese.
We created a Live DVD/USB for analyzing Microsoft and Unix/Linux file systems (Dead-analysis). Additionally, we collected the volatile information of the system using Live-analysis, which avoids losing data when the machine is shut down.

7. ACKNOWLEDGMENTS
This work was supported in part by research grant NSC 98-2221-E-017-010-MY3 from the National Science Council of Taiwan.

8. REFERENCES
[1] F. Adelstein, Live forensics: diagnosing your system without killing it first, Communications of the ACM, Vol. 49, No. 2, February 2006. DOI: http://doi.acm.org/10.1145/1113034.1113070
[2] J. Bates, Fundamentals of computer forensics, Information Security Technical Report, Elsevier, 1998. DOI: 10.1016/S1363-4127(98)80040-X

[3] E. Casey, T. Larson and M. M. Ferraro, Digital Evidence and Computer Crime, Elsevier Science & Technology Books, December 2003.
[4] E. Casey, Digital Evidence and Computer Crime: Forensic Science, Computer and the Inter, Academic Press, 2000, pp. 41-46. http://www.google.com/books?hl=zh-TW&lr=&id=Xo8GMt_AbQsC&oi=fnd&pg=PR7&dq=Digital+Evidence+and+Computer+Crime,+Elsevier+Science+%26+technology+books,+december+2003.&ots=-XR8GW-2PE&sig=APk6XBvljEUrq7aIL0ZY2-VHRqc#v=onepage&q=&f=false
[5] B. Carrier, Performing an autopsy examination on FFS and EXT2FS partition images: An introduction to TCTUTILs and the Autopsy Forensic Browser, SANSFIRE, July 2001. http://reference.kfupm.edu.sa/content/p/e/performing_an_autopsy_examination_on_ffs_103762.pdf
[6] B. Carrier, TSK & Autopsy. http://www.sleuthkit.org/autopsy/desc.php, April 2009.
[7] L. Garber, EnCase: A Case Study in Computer-Forensic Technology, IEEE Computer Magazine, January 2001.
[8] IOCE, http://www.ioce.org/fileadmin/user_upload/2002/ioce_bp_exam_digit_tech.html, April 2009.
[9] C. E. Landwehr, Computer security, International Journal of Information Security, 2001, pp. 3-13. http://www.springerlink.com/content/nwk24a62ur0dfu9j/
[10] S. Mocas, Building theoretical underpinnings for digital forensics research, Digital Investigation, Elsevier, 2004. DOI: 10.1016/j.diin.2003.12.004
[11] C. Negus, Live Linux CDs: Building and Customizing Bootable, Prentice Hall PTR, 2007.
[12] NII, isecurity. http://www.isecurity.tw/learn/sub_200812_2.asp, April 2009.
[13] C. Pogue, C. Altheide and T. Haverkos, UNIX and Linux Forensic Analysis DVD Toolkit, Syngress Publishing, 2008.
[14] R. Petersen, Fedora Core 7 & Red Hat Enterprise Linux, McGraw-Hill Professional, 2007.
[15] K. Rankin, Knoppix Hacks, O'Reilly, 2004.
[16] Tux2live. https://tux.nchc.org.tw/trac/tux2live/, April 2009.
[17] L. Volonino, R. Anzaldua, J. Godwin and G. C. Kessler, Computer Forensics: Principles and Practice, Prentice Hall, 2006.