Creating & Accessing Forensic Images
How to Access Multiple Image Types Using Various Forensic Techniques
Brett Shavers
Topics
- Forensic Image Creation Applications
- Forensic Image Types
- Accessing the Forensic Images
- Converting the Forensic Images into Different Forensic Image Types
Forensic Images
- Basically, a forensic image is an exact, bit-for-bit copy of an original electronic media. This also includes all the deleted files (unallocated/slack/free space).
- A mirror image is not the best way to describe a forensic image (do you look exactly the way you do in a mirror, or is it instead an opposite, reversed view of you?). A forensic image is an EXACT copy, not an opposite copy.
Forensic Images
- When you ask for an image, make sure you know what you are asking for.
- A Ghost image may not be a forensic image (unless you ask for a forensic Ghost image, and even then, it may not be).
- An image may not be a complete forensic image.
- A copy may not be a forensic image at all.
- Ask for a FORENSIC IMAGE. There is no mistake as to what that means. It's every single ONE and ZERO on the media.
Purposes of Creating Forensic Images
Purposes of Creating Forensic Images
- Evidence preservation
- Working "copy" of the original to examine
- Multiple image copies for multiple examiners, to decrease the time needed to complete examinations
- Prove/disprove allegations such as the "Trojan Defense" in virtual environments: forensic images can be booted virtually and tests can be run on the running image
Creating Images
1. Ideal World Example:
   - Write-blocked evidence source (hardware or software)
   - Scrubbed/wiped destination drive
   - Forensic boot CD (DOS or Linux), forensic boot floppy (DOS), Linux OS, Windows OS, or Apple OS
2. Non-ideal World Examples:
   - Using the suspect machine
   - Using Windows
   - No hardware write blocker
   - Using a software write blocker
   - Using no write blockers at all
[Diagram: Best case. Original Evidence, Hardware Writeblocker, Forensic Workstation, Destination Drive. Data only flows in the direction of the arrows.]
[Diagram: Original Evidence, Hardware Writeblocker, Forensic Workstation (software write blocker and/or forensic DOS/Linux boot), Destination Drive. Data only flows in the direction of the arrows.]
[Diagram: Suspect Machine booted from a forensic CD/floppy to DOS or Linux with a software write blocker, imaging to the Destination Drive.]
[Diagram: Suspect Machine with the acquisition tool running from its own operating system, imaging to the Destination Drive.]
Types of Problems
Types of Problems
- RAIDs
- Whole disk encryption
- Vista BitLocker
- Apple computers
- Hard-to-remove hard drives
- Servers
- NETWORKS: Windows Server, Netware, Novell, Unix, Linux, and "I NEED A MOTRIN!"
Normal on the Outside
Over a half dozen hard drives!!! Is it a RAID or not?
This is important, as it can determine how to image.
Types of Image Formats
Types of Forensic Images
- Encase/Expert Witness (GUIDANCE SOFTWARE)
- SMART (ASR DATA)
- Safeback (NTI)
- WinHex (X-WAYS FORENSICS)
- DD
- ProDiscover File Format
- SDI32 (VOGON)
- ILook Image (IRS)
- AFF - Advanced Forensic Format
- Gfzip
- Sgzip
- Paraben Forensic Image Format
- GHOST
- Others (?) and others to come, I'm sure.
Imaging Software Applications
Our Imaging Applications and Examples
- X-Ways Forensics (WinHex backup)
- Encase (Encase E01)
- FTK (SMART)
- NTimage (dd)
- NTI (Safeback image)
- Ghost (be careful, as it may not be a forensic image...)
- Exact clone (not really an image, but an exact copy)
We will be conducting an experiment during this presentation. The evidence sample will be a 7GB Windows XP system. Our evidence file will be "evidence.txt" on the evidence hard drive.
A brief on some tools
- There are many tools you can use to create forensic images.
- You need to know the strengths and limitations of each tool in order to choose the best one for the task at hand.
- Even when on site for one job, you may be using several different tools to handle different computer configurations.
Encase Format
- Maybe the most widely used format (.e01)
- Compressible and searchable
- Proprietary format with additional information placed inside the image: header information, a CRC for every block of 64 sectors, plus a footer with a hash for the entire image (INTEGRATED HASH)
- DOS and Windows acquisition
- Limited to 2GB segment sizes
http://guidancesoftware.com/
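The Encase layout described above (a CRC per 64-sector block plus one hash over the whole image) can be reproduced on a raw image to see why the per-block checks matter. The script below is an added example, not the E01 format and not code from the slides or from Guidance Software: it records a CRC for each 64-sector block of a constructed raw image and a hash for the whole image, then alters one byte. The whole-image hash only reports that something changed; the block table reports which block. It assumes GNU coreutils (dd, cksum, sha256sum, paste) and awk.

```shell
#!/bin/sh
# Added example: a raw-image analogue of "CRC per 64 sectors + footer hash".
# Not the E01 format itself; file names are demo placeholders.

BLOCK_SECTORS=64
SECTOR=512

# Print "index crc" for every 64-sector block of IMG (last block may be short).
block_crcs() {
    img="$1"
    size=$(wc -c < "$img")
    blocks=$(( (size + BLOCK_SECTORS*SECTOR - 1) / (BLOCK_SECTORS*SECTOR) ))
    i=0
    while [ "$i" -lt "$blocks" ]; do
        crc=$(dd if="$img" bs=$SECTOR skip=$((i*BLOCK_SECTORS)) count=$BLOCK_SECTORS 2>/dev/null | cksum | cut -d' ' -f1)
        echo "$i $crc"
        i=$((i+1))
    done
}

# Print the indices of blocks whose current CRC differs from the stored TABLE
# (written earlier by block_crcs). Lines are joined side by side with paste,
# giving "index stored-crc index current-crc"; awk prints the index on mismatch.
bad_blocks() {
    img="$1"; table="$2"
    block_crcs "$img" | paste -d' ' "$table" - | awk '$2 != $4 {print $1}'
}

# Demo on constructed data: a 10-block image of zeros (327680 bytes) is
# tabled and hashed, then one byte in sector 200 (block 3) is changed.
# Prints one line summarising what each check can say.
demo() {
    work=$(mktemp -d)
    img="$work/evidence.dd"
    dd if=/dev/zero of="$img" bs=$SECTOR count=$((10*BLOCK_SECTORS)) 2>/dev/null
    block_crcs "$img" > "$img.crc"                      # per-block table
    sha256sum "$img" | cut -d' ' -f1 > "$img.sha256"    # whole-image hash
    before=$(bad_blocks "$img" "$img.crc" | paste -sd' ' -)
    # Simulated damage: one byte inside sector 200 (sector 200 / 64 = block 3).
    printf 'X' | dd of="$img" bs=1 seek=$((200*SECTOR + 7)) conv=notrunc 2>/dev/null
    if [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$(cat "$img.sha256")" ]; then
        whole=intact
    else
        whole=changed
    fi
    after=$(bad_blocks "$img" "$img.crc" | paste -sd' ' -)
    rm -rf "$work"
    echo "before: [$before] after: whole-image hash $whole, bad blocks [$after]"
}
```

On a real 7GB image the whole-image hash costs one full read either way; the block table is what lets an examiner say "block 3 of segment 12 is damaged, the rest of the evidence is intact" instead of discarding the whole image.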
WinHex Backup
- Not interpretable as a disk (WinHex backup format)
- Not accessible by other applications
- Internal hash
- DOS (using the imaging application known as Replica) and Windows acquisition
- However, it can also create other formats as well (dd, Encase, clone)
http://x-ways.net/forensics/index-m.html
dd
- Interpretable by many applications
- No internal hash (separate file)
- Not compressed (if it is compressed, it must be decompressed for forensic examinations)
- Not restricted to the 2GB size limit of the Encase format
- Format: raw image, compressed raw image
http://www.dmares.com
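Because a dd image carries no internal hash, the hash has to live in a separate file and the verification step is the examiner's own responsibility. The script below is an added example (not from the slides, and not the dmares or any other vendor's tool) of that workflow: acquire with dd, store the hash beside the image, then verify. It assumes GNU coreutils (dd, sha256sum, mktemp); the file names and the evidence string are placeholders constructed for the demo.

```shell
#!/bin/sh
# Added example: raw (dd) acquisition with the hash kept in a separate file,
# followed by verification of the image against it.

# Acquire SRC into IMG, sector by sector. conv=noerror keeps reading past an
# unreadable sector instead of aborting; conv=sync pads that short read with
# zeros so every later offset in IMG still lines up with SRC. Because sync
# pads to the block size, SRC is assumed to be a whole number of 512-byte
# sectors (always true for a physical disk).
acquire_raw() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    # dd writes no hash into the image, so record one alongside it.
    sha256sum "$img" | cut -d' ' -f1 > "$img.sha256"
    # The source is hashed too, so the acquisition itself can be checked.
    sha256sum "$src" | cut -d' ' -f1 > "$img.src.sha256"
}

# Exit 0 if IMG still matches its stored hash, 1 otherwise.
verify_raw() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cat "$1.sha256")" ]
}

# Exit 0 if the acquisition produced a bit-for-bit match of the source.
acquisition_ok() {
    [ "$(cat "$1.sha256")" = "$(cat "$1.src.sha256")" ]
}

# Demo on constructed data: a 1 MiB sector-aligned "disk" of zeros carrying a
# known evidence string at offset 4096, imaged and verified. Prints "ok".
demo() {
    work=$(mktemp -d)
    dd if=/dev/zero of="$work/disk.raw" bs=512 count=2048 2>/dev/null
    printf 'evidence.txt: THIS IS THE EVIDENCE' | dd of="$work/disk.raw" bs=1 seek=4096 conv=notrunc 2>/dev/null
    acquire_raw "$work/disk.raw" "$work/disk.dd" || return 1
    acquisition_ok "$work/disk.dd" || return 1
    verify_raw "$work/disk.dd" || return 1
    rm -rf "$work"
    echo ok
}

# Same acquisition, but one byte of the image is altered afterwards: the
# separately stored hash no longer matches, and the function prints "mismatch".
demo_tamper() {
    work=$(mktemp -d)
    dd if=/dev/zero of="$work/disk.raw" bs=512 count=2048 2>/dev/null
    acquire_raw "$work/disk.raw" "$work/disk.dd" || return 1
    printf 'X' | dd of="$work/disk.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_raw "$work/disk.dd"; then echo intact; else echo mismatch; fi
    rm -rf "$work"
}
```

The two hash files are the whole chain of custody for a raw image: the source hash proves the acquisition was complete, and the image hash is what every later examiner re-computes before trusting a working copy.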
FTK
- Windows-based acquisition
- Able to run from CD, flash drive, or from the destination media (an external hard drive, for example)
- Ability to create multiple image types onto multiple destination drives at the same time
- Formats: Encase, SMART, dd
http://www.accessdata.com
Linux
- Many bootable CDs that can create several variants of images (Encase image, dd)
- There are many free forensic versions of Linux bootable CDs that contain other tools in addition to imaging applications.
Safeback
Safeback Image
- The latest release of Safeback creates an image that isn't accessible by the majority of forensic tools...
- This is a serious drawback to this format.
Live Imaging
- There are times when you can't shut the computer down and need to create a forensic image. This is when you make an image of that running computer by running a forensic application on that computer! This is not something to try without testing and training!
- Data on the computer will change; there is nothing you can do about it.
- However, you can image the RAM.
- You can create a logical or physical image using different tools.
Some Live Imaging Tools
- FTK Imager
- X-Ways Capture
- Helix (dd) and NetCat
- Enterprise editions of forensic applications (Encase EEE, ProDiscover IR/IN)
- Nearly any tool that can run from an external device such as a USB drive or CD can be used on running machines to create an image. It is NOT a good idea to use an application that must be installed on the suspect machine.
Forensic Boot Disks
- Boot floppy (to DOS)
  - Make it a FORENSIC boot floppy!
  - Non-forensic boot floppies WILL access the drive, and then you will have explaining to do.
- Linux bootable CD
  - Make sure the distribution you choose doesn't automatically MOUNT the drives!
Converting Images from One Format to Another
Practical Exercises
- No matter which image format you create, there is always a request to provide a copy of your image in a format different from the one you created.
- Additionally, when you employ different forensic applications on one image, you may need to convert one format to another to access it with different tools.
- For this, we are going to convert some images!
Image Conversion Examples
We are going to convert the following:
- Original to Encase (using FTK, Encase, & WinHex)
- Encase image to dd (using FTK)
- dd to restored clone (using WinHex)
- Clone to dd (using FTK, WinHex)
- Encase to restored clone (using WinHex, Encase)
- SMART to Encase (using FTK)
- SMART to dd (using FTK)
- Any of the above to VMware, to boot to a live machine!
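One conversion that needs no forensic suite is between a single raw dd image and a segmented set of the kind the Encase slide's 2GB limit forces on segmented formats: split the raw image into fixed-size pieces, and check the set by streaming the pieces back through the hash rather than writing a reassembled copy. The script below is an added example, not code from the slides or from FTK, Encase or WinHex; it assumes GNU coreutils (split, cat, sha256sum, dd, mktemp), and the segment size and file names are demo placeholders.

```shell
#!/bin/sh
# Added example: raw image <-> fixed-size segments, verified without ever
# materialising a second whole-image copy on the destination drive.

# Split IMG into SEGSIZE-byte pieces named PREFIX.aa, PREFIX.ab, ...
# split's default alphabetic suffixes sort correctly under a shell glob,
# which is what reassembly below relies on.
split_raw() {
    img="$1"; segsize="$2"; prefix="$3"
    split -b "$segsize" "$img" "$prefix."
}

# Hash of the image reconstructed by streaming the segments in order.
# cat PREFIX.* | sha256sum reads each piece once and writes nothing, so it
# works even when a 7GB reassembled file would not fit beside the segments.
segments_hash() {
    prefix="$1"
    cat "$prefix".* | sha256sum | cut -d' ' -f1
}

# Hash of a single file, for comparison with the streamed segment hash.
file_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Demo on constructed data: a 1 MiB random image split into 256 KiB
# segments (four pieces). Prints "match 4" when the streamed hash of the
# segments equals the hash of the original image.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.dd" bs=512 count=2048 2>/dev/null
    split_raw "$work/evidence.dd" 262144 "$work/evidence.dd"
    n=$(ls "$work"/evidence.dd.* | wc -l | tr -d ' ')
    if [ "$(segments_hash "$work/evidence.dd")" = "$(file_hash "$work/evidence.dd")" ]; then
        result=match
    else
        result=mismatch
    fi
    rm -rf "$work"
    echo "$result $n"
}
```

The same streaming pipe is how a segmented raw set is restored to a wiped destination: cat the segments straight into the writer (dd on Linux) and hash the destination afterwards, which is exactly the "restored clone" check the exercises above perform with WinHex and Encase.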
Recap
- We created various image types...
  - dd format
  - Encase format
  - WinHex backup
  - SMART format
- ...using various applications
  - Encase
  - FTK
  - X-Ways Forensics
  - NTimage
- And converted one image format to another
Accessing the Images
Accessing the Images
- Forensic applications
  - Guidance Software "Encase"
  - AccessData "Forensic Tool Kit"
  - X-Ways "X-Ways Forensics"
  - Other misc. forensic applications
- Other non-forensic applications
  - Mount Image Pro
  - LiveView
  - VMware
But first, a word about GHOST
- Ghost was NOT designed as a forensic collection utility. It's great at what it does (clones active data).
- You can set it to capture all data space, but you will be limited to the forensic tools that can access it. You also risk not doing it correctly and losing your only chance to capture an original image.
- If you truly need a forensic image, use an application that has been designed and tested solely for forensic images. Don't make do with anything less, or you risk your forensic image.
Forensic Applications
- Encase, FTK, X-Ways Forensics, etc...
  - Each can acquire the image for analysis
  - Indexing/cataloging of data
  - Searching of words, strings, etc...
  - Export of native files from the image
  - Creation of analysis reports
  - Duplication and conversion of images
  - Along with multiple other features
Non-Standard Applications
- Mount Image Pro
- Virtual Forensic Computing
- LiveView
- VMware
- Symantec Ghost (beware!)
Non-Standard Applications
- Mount Image Pro
  - Access the image as a drive letter in Windows
  - Tools can be run against the drive letter as if it were an actual drive (anti-virus, data recovery tools, etc...)
  - No (expensive) forensic applications required to view the image
  - Native files can be extracted
  - (Paraben's P2 Explorer is similar to MIP)
http://www.mountimage.com/
- VMware
  - A clone can be booted into VMware
  - A dd image can be booted into VMware
  - An Encase image can be booted into VMware
  - A VMware file can be accessed as a drive letter in Windows
  - VMware is a versatile application that was not designed for forensic use, but clearly can be used as a supplemental tool in examinations.
http://www.vmware.com
Booting Encase Images into VMware
- Virtual Forensic Computing (not free)
  - Allows an Encase image to be booted into VMware
  - Can also boot a physical drive or dd image
  - Requires Mount Image Pro (also not free)