Live View: A New View on Forensic Imaging - withani.net · 2018-07-14
Live View
A New View On
Forensic Imaging
Matthiew Morin
Champlain College
Morin 1
Executive Summary
The main purpose of this paper is to provide an analysis of the forensic imaging tool known as
Live View. This analysis will include an introduction to the program, a demonstration and
description of the functionality of the program and finally the benefits of this program and how it
will have a future impact on the digital forensics industry. This paper will also include a brief
overview of past and current forensic imaging techniques and how they compare with the use of
Live View to conduct a forensic analysis of a system.
The concept of virtualization of computer systems has been around for a number of years now,
but it has been quickly gaining popularity throughout various computer-related industries. In
many industries virtualization can help reduce energy costs and save space, however
virtualization is able to support an entirely different role in the forensic field. Running a
computer system in a virtual environment can be extremely beneficial from a forensic
perspective, mainly because the system can be easily isolated from many variables as well as
easily restored to a previous state.
Live View builds on the convenience and efficiency of virtualization by allowing existing forensic
images and imaging practices to interface with a virtual environment, such as one found in
VMware. Live View allows a raw disk image or a physical disk to be converted into a virtual
machine and run in VMware just as if the original system were actually running, all without
modifying any of the data found on the disk or image.
Acknowledgments
This paper is a product of research and test scenarios; it may also serve as an introduction and
guide to the Live View software. For the scope of this paper, the only operating system that was
tested and analyzed was Microsoft Windows XP Service Pack 2; Live View itself supports guest
operating systems from Microsoft Windows 98 through Microsoft Windows Server 2008, the server
editions included. The Live View version used during the research for this paper was 0.7b, the
most current version at the time of research. The imaging software used was FTK Imager version
3.1.0 and the version of VMware used was 7.0.
The Windows XP machine was itself configured as a VMware virtual machine in order to keep the
size of the forensic image small and reduce the time needed to create the initial image. The
machine was imaged while running (a live acquisition); no changes were documented, as no forensic
analysis of the machine was to be performed. The image was used only to verify that Live View
would convert a raw disk image into a virtual machine.
Disk Imaging
Perhaps the most important step in the digital forensics process is data mirroring, more
commonly known as disk imaging. While all of the steps in the forensic process must work
together for an investigation to be conducted correctly, disk imaging plays the most pivotal
role, because every later step works from the image rather than from the original. There are
many ways to define disk imaging; however, a few widely accepted definitions have emerged as
the field of digital forensics has grown. Jim Bates, the Technical Director of Computer Forensics
Ltd, defines disk imaging as: “An image of the whole disk [copied]. This [is] regardless of any
software on the disk and the important point [is] that the complete content of the disk [is]
copied including the location of the data. Disk imaging takes a sector-by-sector copy usually for
forensic purposes and as such it will contain some mechanism…to prove that the copy is exact and
has not been altered. It does not necessarily need the same geometry as the original as long as
arrangements are made to simulate the geometry if it becomes necessary to boot into the acquired
image” (Saudi 3). It is the process of disk imaging that allows a forensic investigator to view
the contents of a storage medium or computer without altering the original data in any way.
The process of disk imaging can be described in three general steps. The first step is to acquire
the original storage media; this can be any of the pieces of evidence collected from a secured
crime scene, such as a Compact Disc (CD), a USB flash drive, an internal hard drive or any other
hardware used to store digital data. The second step is to create an image of the storage media.
Here the forensic investigator can approach the imaging process in one of two ways: a bit-for-bit
copy or a bit-stream copy of the original storage media (the details of these two options are
discussed later in this paper). At this stage the investigator should also choose the storage
media that will hold the forensic image, taking into account the size of the image file, the time
needed to create it and the duration of the investigation. The third and final step is to verify
the image against the original: the investigator computes a cryptographic hash (for example MD5
or SHA-1, which FTK Imager produces at acquisition time) of both the original storage media and
the newly created image and confirms that the two values match. In addition, the investigator
verifies and maintains the chain of custody. “The phrase ‘chain of custody’ refers to the
accurate auditing and control of original evidence material that could potentially be used for
legal purposes…there should be accurate logs tracking the movement and possession of evidence
material at all times” (Gast).
As mentioned above, the forensic investigator must decide between a bit-for-bit image of the
original data and a bit-stream image of the original data. It is important to note that while the
ways in which these images are created differ slightly from one another, they are both acceptable
methods as defined by the National Institute of Standards and Technology (NIST). (Much of the
literature uses “bit-stream” and “bit-for-bit” interchangeably; the distinction drawn here is
really between imaging a powered-off device and imaging a running system.) The first option, a
bit-for-bit image, is perhaps the most ideal way to create an image of the storage media. It is an
exact clone of the original: the imaging tool duplicates each individual bit and writes a file of
raw data commonly known as a dd image. This form of image is commonly used for any type of
storage media as well as for computers that were found powered off at the crime scene. The second
option, the bit-stream image, uses a different process: instead of duplicating the original
storage media bit for bit, it duplicates it cylinder by cylinder or sector by sector. While both
methods provide an exact clone of the storage media, the bit-stream image, commonly known as a
“live image,” is used to image a computer system that is powered on at the crime scene. This form
of imaging becomes extremely useful when the storage media or system cannot be powered off or
taken offline. A practitioner should keep in mind that a live image captures a system that is
still changing, so a later re-acquisition will not hash to the same value; the hash must be
recorded at the moment the image is taken and that value is what the image is verified against.
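The three imaging steps described above (acquire, image, verify), worked through in code. This is an added example and not code from the paper, from FTK Imager or from Live View; the "device" is constructed in memory so the script runs offline, and the handling of unreadable sectors (zero-fill and log, the behaviour of dd's conv=noerror,sync) is an assumption about practice rather than something the paper describes. On a real system the source would be a block device opened read-only behind a hardware write blocker, and the returned acquisition record would go into the chain-of-custody log.

```python
"""Sector-by-sector (dd-style) imaging with hash verification (added example)."""
import hashlib
import io
import random

SECTOR = 512


class SampleDevice:
    """Constructed stand-in for a block device: deterministic pseudo-random
    sectors, a 0x55AA boot signature in sector 0, and an optional set of
    unreadable sectors that raise OSError the way a failing drive does."""

    def __init__(self, sectors=64, bad=(), seed=1):
        rnd = random.Random(seed)
        self.data = bytearray(rnd.getrandbits(8) for _ in range(sectors * SECTOR))
        self.data[510:512] = b"\x55\xaa"
        self.sectors = sectors
        self.bad = set(bad)

    def read_sector(self, i):
        if i in self.bad:
            raise OSError("I/O error reading sector %d" % i)
        return bytes(self.data[i * SECTOR:(i + 1) * SECTOR])


def image_device(dev, dst):
    """Step 2: copy every sector of dev into the file-like dst.

    Unreadable sectors are zero-filled and logged so the image stays aligned
    with the original and the gaps are documented rather than silently
    skipped.  Returns the acquisition record: sector count, bad sectors and
    the SHA-256 of the bytes actually written, which is what later
    verification compares against."""
    h = hashlib.sha256()
    bad = []
    for i in range(dev.sectors):
        try:
            chunk = dev.read_sector(i)
        except OSError:
            chunk = b"\x00" * SECTOR
            bad.append(i)
        h.update(chunk)
        dst.write(chunk)
    return {"sectors": dev.sectors, "bad_sectors": bad, "sha256": h.hexdigest()}


def sha256_of(f):
    """Independent re-hash of an image file, read back sector by sector."""
    h = hashlib.sha256()
    f.seek(0)
    for chunk in iter(lambda: f.read(SECTOR), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_image(image, record):
    """Step 3: re-read the image from storage and compare with the hash taken
    during acquisition.  A mismatch means the image was altered (or the media
    holding it is faulty) and it must not be relied on as evidence."""
    return sha256_of(image) == record["sha256"]


def demo():
    results = {}
    # Clean acquisition: the image verifies and hashes identically to the source.
    dev = SampleDevice()
    img = io.BytesIO()
    rec = image_device(dev, img)
    results["clean_verified"] = verify_image(img, rec)
    results["clean_matches_source"] = sha256_of(io.BytesIO(bytes(dev.data))) == rec["sha256"]
    # Drive with a bad sector: the copy completes, the gap is recorded, and
    # the image still verifies against the hash recorded at acquisition.
    flaky = SampleDevice(bad={5})
    img2 = io.BytesIO()
    rec2 = image_device(flaky, img2)
    results["bad_sectors"] = rec2["bad_sectors"]
    results["flaky_verified"] = verify_image(img2, rec2)
    # Changing a single byte of the image is caught on re-verification.
    img2.seek(5 * SECTOR + 7)
    img2.write(b"\x01")
    results["tampered_verified"] = verify_image(img2, rec2)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The record returned by image_device is the piece a tool must keep: the bad-sector list explains why a direct re-hash of a failing drive would not match the image, and the acquisition hash is the value the image is compared against for the rest of the investigation.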
While there are many ways simply to copy files between computer systems, tools used to create a
forensic image of a disk must meet specific requirements that have been adopted by NIST.
The required features of a forensic imaging tool. (NIST)
These requirements help establish a standard for forensic imaging tools within the digital
forensic field. They aim to ensure that forensic tools on the market are both technically and
legally sound, and that the tools released are able to obtain as much data as possible to aid the
investigation and analysis of the acquired data.
Concerns and Issues
As the practice of digital forensics continues to grow throughout the industry, many
professionals and individuals are gaining a deeper understanding of how a computer system
operates and how forensic imaging fits into an investigation; however, there are still issues and
concerns about the imaging process. One of the most pressing is the integrity and validity of the
cloned image. “[The main concern with a] disk imaging tool is whether it produces a copy that is
exactly the same as the original. Users [fear] that if they use disk imaging tools, it might
alter the layout of the copy…in computer forensics, priority and emphasis are on accuracy and
evidential integrity and security…it is essential to have a forensically sound copy from original
evidence” (Saudi 4). Much of the digital data collected from a crime scene can be dangerously
volatile: it can easily become corrupted or altered, and a running system changes its own state
simply by remaining powered on. As such, NIST and other leading forensic organizations have
created strict guidelines for forensic investigation, which must be adhered to at all times. Not
only do these guidelines ensure that the evidence stays secure and unaltered, they also ensure
that the investigation is legally defensible.
As the field of digital forensics has progressed over the past few years, there have been many
advances in the techniques and tools used to protect the security and integrity of data acquired
from a crime scene. These new tools and practices are constantly being reviewed and revised as
new technologies are developed and current technologies and methods are being adapted to
fulfill the needs of the forensic investigators. One such example of a tool on the forefront of the
digital forensics field is the forensic tool Live View.
Live View
In short, “Live View is a Java-based graphical forensics tool that creates a VMware virtual
machine out of a raw (dd-style) disk image or physical disk, [allowing] the forensic examiner to
‘boot up’ the image” (Live View). The program has a simple and intuitive interface that
accomplishes a vital technical task: it lets the investigator run the computer system under
examination as it existed when it was imaged, without ever altering the forensic image. This
access is made possible by a separate file that Live View has VMware create alongside the image
when the virtual machine is built.
When the virtual machine is powered on, every change the guest makes is written to that
temporary “cover file” (VMware's equivalent of a snapshot delta or redo log). VMware presents
the original image and the cover file together as a single disk, so nothing is written to,
changed in or deleted from the forensic image itself. If the investigator needs to revert to the
original image, they need only discard the cover file. The examiner should still hash the image
before and after a session; the cover file is a convenience, not a substitute for verification.
Live View offers further flexibility: it can create a virtual machine not only from a dd image,
such as one produced by a bit-for-bit acquisition, but also directly from a physical disk attached
to the host, which should then be connected through a write blocker. Live View also handles
several technical tasks dealing with hardware compatibility and boot sectors. “Some of these
[tasks] include: resolving hardware conflicts resulting from booting on hardware other than that
on which the OS was originally installed; creat[ing] a customized MBR for partition-only images;
and correctly specifying a virtual disk to match the original image or physical disk” (Live
View).
Live View's interface provides all of the configuration options needed to ensure that the
virtual machine is created successfully and the forensic image is in no way altered.
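To make concrete the “customized MBR for partition-only images” task quoted above, the following is an added example of building such an MBR in Python; it is not Live View's code and does not reproduce how Live View does it. It assumes the partition is placed at LBA 63 (the offset Windows XP-era disks used), the legacy 255-head, 63-sector geometry for the CHS fields, and that the partition type can be read from the volume boot record's file-system signature. The MBR written here carries a partition table but no bootstrap code (bytes 0 to 445 stay zero), so a virtual machine built from it can read the partition but will not boot until real boot code is supplied. The sample partition is constructed and is not a real file system.

```python
"""Minimal MBR construction for a partition-only image (added example)."""
import struct

SECTOR = 512
HEADS, SPT = 255, 63          # legacy geometry assumed for CHS encoding
PART_OFFSET = 63              # first partition sector (XP-era layout, assumed)
TYPE_CODES = {"NTFS": 0x07, "FAT32": 0x0C, "FAT16": 0x06}


def lba_to_chs(lba):
    """Encode an LBA as the 3-byte CHS tuple used in partition entries.
    Beyond the CHS limit the conventional (1023, 254, 63) is written."""
    cyl, rem = divmod(lba, HEADS * SPT)
    head, sec = divmod(rem, SPT)
    sec += 1
    if cyl > 1023:
        cyl, head, sec = 1023, 254, 63
    return bytes([head, ((cyl >> 2) & 0xC0) | (sec & 0x3F), cyl & 0xFF])


def detect_fs(vbr):
    """Identify the file system from a volume boot record: NTFS carries its
    OEM ID at offset 3, FAT32 its type string at 0x52, FAT12/16 at 0x36."""
    if vbr[3:11] == b"NTFS    ":
        return "NTFS"
    if vbr[0x52:0x5A] == b"FAT32   ":
        return "FAT32"
    if vbr[0x36:0x3E] in (b"FAT16   ", b"FAT12   "):
        return "FAT16"
    raise ValueError("unrecognised volume boot record")


def build_mbr(part_sectors, type_code, bootable=True, signature=0xA5A5A5A5):
    """Return a 512-byte MBR with a single partition entry at PART_OFFSET.
    The disk signature is an arbitrary constructed value."""
    entry = struct.pack(
        "<B3sB3sII",
        0x80 if bootable else 0x00,
        lba_to_chs(PART_OFFSET),
        type_code,
        lba_to_chs(PART_OFFSET + part_sectors - 1),
        PART_OFFSET,
        part_sectors,
    )
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 440, signature)   # disk signature
    mbr[446:462] = entry                           # entry 1; entries 2-4 stay empty
    mbr[510:512] = b"\x55\xAA"                     # boot signature
    return bytes(mbr)


def parse_mbr(mbr):
    """Read the partition table back; returns the non-empty entries."""
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing MBR boot signature")
    parts = []
    for n in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * n)
        if ptype:
            parts.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return parts


def wrap_partition_image(partition):
    """Prepend an MBR plus the 62 sectors of padding the table promises, so the
    partition really does begin at LBA 63 of the resulting whole-disk image."""
    if len(partition) % SECTOR:
        raise ValueError("partition image is not sector-aligned")
    count = len(partition) // SECTOR
    fs = detect_fs(partition[:SECTOR])
    mbr = build_mbr(count, TYPE_CODES[fs])
    return mbr + bytes(SECTOR * (PART_OFFSET - 1)) + partition


def sample_ntfs_partition(sectors=2048):
    """Constructed partition-only image: a fake NTFS volume boot record
    followed by filler bytes.  Not a real file system."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"      # jump instruction found at the start of an NTFS VBR
    vbr[3:11] = b"NTFS    "
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr) + b"\xCC" * (SECTOR * (sectors - 1))


if __name__ == "__main__":
    disk = wrap_partition_image(sample_ntfs_partition())
    print(len(disk) // SECTOR, "sectors;", parse_mbr(disk[:SECTOR]))
```

The padding is the detail that matters for a forensic tool: the LBA start written into the table and the actual byte offset of the partition in the output file must agree, otherwise the guest's boot loader and file-system driver will read the wrong sectors and the examiner may conclude the volume is corrupt when it is the wrapper that is wrong.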
The Main Live View Window
The main Live View window presents all of the configuration options needed to create a virtual
machine from the forensic image. Live View allows the investigator to set the amount of Random
Access Memory (RAM) given to the virtual machine, which helps mimic the original system as
closely as possible. The system time option allows the examiner to set the clock of the virtual
machine to any desired time. This option is particularly important because it can defeat
malicious code that triggers when the system clock reaches a certain point, commonly known as a
“time bomb.” Live View is also equipped with automatic operating system detection, which
identifies the operating system present on the forensic image and builds the virtual machine
accordingly; alternatively, the investigator can select the guest operating system type
manually.
The next option selects the source of the image, either a raw dd image file or a physical disk
attached to the host. The investigator is then prompted for the output location of the VMware
virtual machine files; this can be anywhere on the host system or on a network share it can
reach. The final option is whether to create the virtual machine files and launch the virtual
machine immediately, or only to generate the files and launch the machine later. The last step is
to click the ‘Start’ button.
When the start button is clicked the investigator is prompted with this dialog box:
Live View Read-Only Setting Dialog Box
This prompt adds a second layer of protection on top of the cover file. With the read-only
setting, the image is opened in such a way that writing to it is impossible even if something did
try to reach it. In normal operation all changes go to the cover file above the virtual machine,
so the forensic image should never be written to at all; the read-only setting guards against the
case where that assumption fails.
After the virtual machine configuration options are properly set, Live View will commence the
creation of the VMware virtual machine. The box entitled “Messages” at the lower part of the
main Live View window displays the current configuration step as well as any errors that
occurred during the creation of the virtual machine.
Live View Message Window
Once Live View has successfully created the virtual machine configuration files, it automatically
launches the VMware application and powers on the newly created virtual machine.
One of the most useful features of Live View is the ease with which the forensic image can be
returned to its original state. When an investigator configures a virtual machine with Live View,
the program checks the host system for an earlier virtual machine created from the same forensic
image and, if one exists, prompts the investigator either to continue working with that virtual
machine or to start over.
Previously Launched Image Dialogue Box
The ‘Continue’ option resumes the last virtual machine created from that image at the point
where it was shut down, keeping the contents of its cover file. The ‘Start Over’ option discards
the cover file that the changes were written to, giving the investigator a fresh, unaltered
instance of the forensic image.
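The cover-file mechanism, the read-only setting and the ‘Continue’ / ‘Start Over’ choice described above, modelled together in Python as an added example. This is neither Live View's nor VMware's code and uses none of VMware's file formats; VMware keeps the guest's writes in a separate delta file and presents base plus delta as one disk, and the overlay dictionary below plays that role. Two details are assumptions of this example rather than documented Live View behaviour: the overlay records the hash of the base image it belongs to, so a stale cover file cannot be attached to the wrong image, and the base is exposed through a wrapper that simply has no write method.

```python
"""Copy-on-write overlay over a read-only forensic image (added example)."""
import hashlib

SECTOR = 512


class ReadOnlyImage:
    """Wrapper over an image that exposes reads only; it has no write method,
    mirroring the read-only open selected in Live View's dialog."""

    def __init__(self, data):
        self._data = bytes(data)
        self.sectors = len(self._data) // SECTOR

    def read_sector(self, i):
        return self._data[i * SECTOR:(i + 1) * SECTOR]

    def sha256(self):
        return hashlib.sha256(self._data).hexdigest()


class Overlay:
    """The 'cover file': written sectors plus the hash of the base image they
    belong to (assumed safeguard, so the overlay cannot be reattached to a
    different image)."""

    def __init__(self, base_sha256):
        self.base_sha256 = base_sha256
        self.sectors = {}        # sector index -> 512 bytes


class OverlayDisk:
    """The disk as the guest sees it: reads fall through to the base unless the
    sector has been written; writes go only to the overlay."""

    def __init__(self, base, overlay=None):
        if overlay is None:
            overlay = Overlay(base.sha256())
        elif overlay.base_sha256 != base.sha256():
            raise ValueError("overlay belongs to a different base image")
        self.base = base
        self.overlay = overlay

    def read_sector(self, i):
        if i in self.overlay.sectors:
            return self.overlay.sectors[i]
        return self.base.read_sector(i)

    def write_sector(self, i, data):
        if len(data) != SECTOR:
            raise ValueError("partial sector write")
        if not 0 <= i < self.base.sectors:
            raise ValueError("write past end of disk")
        self.overlay.sectors[i] = bytes(data)

    def start_over(self):
        """'Start Over': discard every change; the base is untouched anyway."""
        self.overlay.sectors.clear()


def session_demo():
    base = ReadOnlyImage(bytes(range(256)) * 16)     # constructed 8-sector image
    before = base.sha256()

    # Session 1: the guest boots and writes sector 3 (e.g. a registry hive update).
    disk = OverlayDisk(base)
    disk.write_sector(3, b"\xAB" * SECTOR)
    overlay = disk.overlay                           # kept on disk between sessions
    written = len(overlay.sectors)

    # 'Continue': reattach the same overlay; the change is still visible.
    resumed = OverlayDisk(base, overlay)
    continued_sees_change = resumed.read_sector(3) == b"\xAB" * SECTOR

    # 'Start Over': drop the overlay; the original sector is back.
    resumed.start_over()
    fresh_is_original = resumed.read_sector(3) == base.read_sector(3)

    # A cover file from one image must not be attached to another.
    other = ReadOnlyImage(b"\x00" * (8 * SECTOR))
    try:
        OverlayDisk(other, overlay)
        wrong_base_rejected = False
    except ValueError:
        wrong_base_rejected = True

    return {
        "base_unchanged": base.sha256() == before,   # the check an examiner still performs
        "written_sectors": written,
        "continued_sees_change": continued_sees_change,
        "fresh_is_original": fresh_is_original,
        "wrong_base_rejected": wrong_base_rejected,
        "base_has_write_method": hasattr(base, "write_sector"),
    }


if __name__ == "__main__":
    for key, value in session_demo().items():
        print(key, value)
```

The hash comparison at the end of session_demo is the point of the exercise: the tool's design keeps writes out of the image, but the examiner's record should show the image hash before the first session and after the last one, not a statement that the tool promised not to write.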
Comparison
The tool set available for conducting a digital forensic investigation in a virtual environment
is limited and very specific. There are only a few tools that can create a virtual machine out of
an acquired forensic image while maintaining a precise level of data integrity. In terms of
comparison with the functionality of Live View, two tools in particular are worth mentioning:
Mount Image Pro and Virtual Forensic Computing (VFC), both developed by Get Data Software
Development Company.
Mount Image Pro is not a virtual environment as such, in that it does not create a virtual
machine that can be started and examined; rather, it mounts a forensic image as a readable disk
on the host machine. With an image mounted in this way, the host operating system can interact
with it as if it were a secondary disk physically attached to the computer. This technique
provides many advantages for a forensic examiner; for example, the examiner can browse the file
structure looking for suspiciously named files and retrieve them from the image. Additionally,
other forensic tools and programs, such as virus and malware scanners and file recovery tools,
can be run against the mounted image.
Similar to Live View, Mount Image Pro is able to mount a full array of file types, including
EnCase images and dd images as well as virtual machine disk files such as those of VMware and
Microsoft Virtual PC. Additional functionality comes from the ability to mount a Redundant Array
of Independent Disks (RAID) configuration, to display unallocated disk space and to show deleted
files present within the forensic image.
Mount Image Pro provides this functionality while maintaining the integrity of the data; however,
running tools against the mounted image and examining its file structure is the upper limit of
what the program can do on its own. In order to create an environment comparable to Live View,
the VFC program must be used in conjunction with Mount Image Pro. Additionally, Mount Image Pro
is a commercial product developed and distributed exclusively by Get Data Software Development
Company. A license fee must be paid to use the program, and its source code is not readily
available and cannot be examined or modified.
As mentioned above, two programs, Mount Image Pro and VFC, must be used together to create an
environment comparable to Live View. The second component, VFC, interprets the mounted image and
creates the virtual machine files from that data. VFC is a quick and responsive program that can
boot an image mounted by Mount Image Pro using VMware. Just as with Live View, the forensic data
remains completely unaltered, and the examiner can change various settings of the virtual machine
to create an optimal investigation environment. In addition to many features similar to Live
View, VFC offers a few extra features that can greatly increase the efficiency of a forensic
investigation. One such feature is the ability to overwrite the password of a user account on the
virtual machine. This saves a large amount of time, as it eliminates the need to obtain the
password from the suspect or to spend time cracking it with a third-party program. However, like
Mount Image Pro, VFC requires a commercial license purchased through Get Data, and its source
code is not readily available.
Taking all of these facts into consideration, both Live View and Get Data's two programs are
reputable platforms from which to conduct a forensic investigation. When deciding which set of
software to use, there are a few important points to remember. First, Live View is an open source
program licensed under the GNU General Public License. This means that its source code can be
examined and modified by members of the professional community to provide further enhancements;
additionally, Live View is available at no cost to the user. Second, VFC contains an extra set of
features over Live View that may be desirable to some forensic investigators, since they can
overcome some of the most difficult problems encountered during an investigation. Finally, Live
View runs without any supporting software other than Java and VMware, whereas VFC requires Mount
Image Pro even to begin examining a forensic image, and both must be activated with a commercial
license.
Conclusion
There has been much skepticism and caution taken around the forensic imaging process, as it is
crucial to ensure that no evidence is destroyed or modified in the collection and analysis of the
evidence. As the digital forensics field continues to grow and the demand for digital forensic
investigations increases, forensic investigators are forced to find more efficient and secure ways
of collecting and analyzing the data involved with the investigation. One such tool that is at the
forefront of forensic analysis is the program Live View. This tool allows a forensic investigator
to create a VMware virtual machine from a forensic image and access the image without ever
changing any data in the forensic image, providing the investigator with unprecedented access to
the image.
Definitions
Digital Forensics: A sub-division of forensic science, also known as computer and network
forensics, considered to be the application of science to the identification, collection,
examination, and analysis of data while preserving the integrity of the information and
maintaining a strict chain of custody for the data.
Disk image: A file holding a sector-by-sector copy of a real disk drive, which can stand in for
that drive.
Forensic Science: is generally defined as the application of science to the law.
Host Machine: The physical computer hardware and operating system that a virtual machine is
run on.
Master Boot Record (MBR): The first sector of a storage device, holding the bootstrap code and
the partition table that the startup process uses to locate the bootable partition.
Random Access Memory (RAM): A piece of computer hardware that is responsible for
temporarily storing data that is to be quickly accessed by other hardware components.
Redundant Array of Independent Disks (RAID): A configuration of two or more disks that
stores data across all disks present in the array. This configuration can be used to
perform quicker read and write times as well as to create a redundant set of data.
Storage Media: Any form of electronic device that can contain or store electronic data. Storage
Media is a general term for a large variety of devices which include, but are not limited
to: hard drives, USB storage devices, CD-ROMs, DVD-ROMs, Floppy Disks, etc.
The National Institute of Standards and Technology (NIST): The NIST is a federal
technology agency that works with industry to develop and apply technology,
measurements and standards.
Virtual Machine: A simulated environment created by virtualization.
Virtualization: The simulation of the software and/or hardware upon which other software runs.
This simulated environment is called a virtual machine (VM).
Works Cited
Brown, Christopher L. T. "Imaging Methodologies." Computer Evidence: Collection and
Preservation. 2nd ed. Boston, MA: Charles River Media/Cengage Learning, 2010. 267-
93. Print.
Digital Data Acquisition Tool Specification. Tech. National Institute of Standards and
Technology, 4 Oct. 2004. Web. 10 Dec. 2011. <http://www.cftt.nist.gov/Pub-Draft-1-
DDA-Require.pdf>.
Gast, Ty. "Forensic Data Handling." Forensic Data Handling. Cybertrust, Inc. Web. 10 Dec.
2011. <http://www.bizforum.org/whitepapers/cybertrust-1.htm>.
Kent, Karen, Suzanne Chevalier, Tim Grance, and Hung Dang. "Guide to Integrating Forensic
Techniques into Incident Response." Nist.gov. The National Institute of Standards and
Technology, Aug. 2006. Web. 21 July 2012.
<http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf>.
Mamoun, Sitalakshmi Venkatraman, and Paul Watters. "Effective Digital Forensic Analysis of
the NTFS Disk Image." UbiCC Journal 4.3 (2009). Ubiquitous Computing and
Communication Journal. UbiCC, 2009. Web. 10 Dec. 2011.
<http://www.ubicc.org/files/pdf/3_371.pdf>.
"Mount Image Pro V5 - Forensic Software (Released May 2012)." Computer Forensics
Software: Mount EnCase Images and DD Images. Get Data Software Development
Company, n.d. Web. 26 July 2012. <http://www.mountimage.com/>.
Saudi, Madihah Mohd. An Overview of Disk Imaging Tool in Computer Forensics. Tech. System
Administration, Networking, and Security Institute, 2001. Web. 10 Dec. 2011.
<http://www.sans.org/reading_room/whitepapers/incident/overview-disk-imaging-tool-
computer-forensics_643>.
Scarfone, Karen, Murugiah Souppaya, and Paul Hoffman. "Guide to Security for Full
Virtualization Technologies." Nist.gov. The National Institute of Standards and
Technology, Jan. 2011. Web. 21 July 2012.
<http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf>.
"Virtual Forensic Computing (VFC): Boot Mounted EnCase Images." Virtual Forensic
Computing. Use VFC to Boot EnCase or DD Forensic Evidence Files. Get Data Software
Development Company, n.d. Web. 01 Aug. 2012.
<http://www.virtualforensiccomputing.com/>.