Uncertainty in Live Forensics - IfIP 2010
8/9/2019 Uncertainty in Live Forensics - IfIP 2010
1/19
A.Savoldi, Ph.D.
IFIP WG 11.9 Digital Forensic Conference 2010
Hong Kong, Jan 3, 2010
-
Outline
- Live forensic response
- Volatile vs. non-volatile data
- To what extent does a collection tool affect the volatile memory? Windows vs. Linux platforms
- Statistical measurement of the uncertainty
  - Collection tool
  - Toolkits (e.g. Helix)
- Uncertainty tables for forensic practitioners
IFIP WG 11.3, Hong Kong, Jan 3-6, 2010
-
Live Forensics
- Emerging paradigm of investigation
- Timely triage investigation
  - Mission-critical computer-based systems
  - Time is crucial for gathering decisive evidence: child abductions, missing people, investigations where time is not enough
- A lot of information is stored only in RAM: list of processes, open ports
- Issues to address:
  - Is there a reliable way to quantify how much a collection tool, or a live forensic toolkit, affects the volatile memory dump?
  - Can the collection tool delete or alter useful evidence while it runs?
-
Uncertainty
- No measurement of a system is certain
- Consider the collection process as a measurement
- A collected snapshot cannot capture the real memory content: it is a blurred snapshot, because the system (and the collection tool itself) keeps modifying memory while the dump is taken
- From a statistical point of view there are two main components:
  - Type A: mean and variance of N independent observations X_{i,k} obtained under the same conditions of measurement; the uncertainty is the estimated standard deviation of the mean
  - Type B: takes into account previous measurement data, manufacturers' specifications, and uncertainties assigned to reference data taken from handbooks
- Our case: only the Type A component has been considered, so the uncertainty is underestimated
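The Type A evaluation named above, written out as an added note (the slides only name the quantities; these are the standard GUM formulas, not reproduced on the page): for $N$ independent observations $X_{i,k}$, $k = 1, \dots, N$, of the quantity $X_i$ (here, the number of differing pages between two consecutive snapshots),

$$\bar{X}_i = \frac{1}{N}\sum_{k=1}^{N} X_{i,k}, \qquad s^2(X_{i,k}) = \frac{1}{N-1}\sum_{k=1}^{N}\left(X_{i,k} - \bar{X}_i\right)^2, \qquad u(\bar{X}_i) = \frac{s(X_{i,k})}{\sqrt{N}},$$

where $u(\bar{X}_i)$, the estimated standard deviation of the mean, is the Type A standard uncertainty and the measurement is reported as $\bar{X}_i \pm u(\bar{X}_i)$.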
-
Uncertainty: Background
- With the mean and the standard deviation of the mean, the resulting measurement can be described better
- The implicit assumption is that the data have a normal (Gaussian) distribution
- This is verified by looking at the real data distribution
- We would like to evaluate how much the system's memory is modified by the collection process itself
-
Evaluating the Uncertainty: Targets
- Evaluate to what extent different collection tools modify the volatile content while the memory dump is being acquired; every collection tool affects the volatile content in a different way
- Evaluate the uncertainty of a toolkit (a set of live procedures which seriously affect the volatile memory); since a live forensic procedure can seriously affect the volatile memory, is it possible to measure the extent of the modification by means of a software method?
-
Evaluating the Uncertainty: Basic idea
- A measurement tool is required to set up the measurement process
- We might use the binary difference between memory snapshots as an approximation of the uncertainty of the resulting memory dump
- Once we obtain the ordinary uncertainty of the measurement tool, we can try to measure something which affects the volatile memory even more (e.g. a forensic procedure with Helix or Windows ToolChest)
- The precision of the measurement relies on the measurement tool (lower bound of the uncertainty)
- We rely on the assumption that the collection tool has a fixed uncertainty. This is true only for fixed OS configurations (e.g. known background running processes)
-
Procedure
- Selection of a collection tool: 6 tools for the Windows platform, 2 tools for the Linux platform
- Environment setup: Windows-based system installed from scratch, on real and virtual machines; same procedure for the Linux OS (VirtualBox)
- Evaluation of the uncertainty of the collection tool: we use the collection tool as a measurement tool; series of snapshots are taken with the different collection tools
- Evaluation of the uncertainty of a toolkit, e.g. to what extent is the volatile memory modified when a full live procedure is completed (e.g. Helix in live mode)?
-
Procedure (2)
Timeline of the experiment for evaluating the ordinary uncertainty of a collection tool:
- $T_1 - T_0$: time interval used to collect the memory snapshot $S_1$
- $\Delta_{21} = S_2 - S_1$: number of 4 Kbyte memory pages which differ between snapshots $S_2$ and $S_1$
- Uncertainty: average of the back-to-back binary differences between raw memory snapshots
- The procedure is repeated a number of times that is statistically meaningful (e.g. 10 times); the variance is then evaluated
-
Procedure (3)
Timeline of the experiment that evaluates the uncertainty of a live forensic toolkit (e.g. Helix, Windows ToolChest):
- $S_1$ is the first memory dump
- $FT$ is the time interval in which the forensic toolkit runs
- $S_2$ is the second memory dump
- $\Delta_{21}$ is the binary difference between $S_2$ and $S_1$ (higher modification of the memory snapshots, since the toolkit ran between them)
- Idle time: the OS runs without any forensic tools; it accounts for the normal background operations
- $\Delta_{43}$ is the binary difference between $S_4$ and $S_3$ (number of differing 4 Kbyte memory pages) across the idle time
- The total uncertainty of the toolkit lies within: $\Delta_{43} \le U_{tot} \le \Delta_{21}$
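The page-difference measure of Procedure (2) and the toolkit bounds of Procedure (3), worked through as an added Python example. This is not the authors' code: the page size constant, the function names, the streamed file comparison and the synthetic 64-page "RAM" snapshots are assumptions made for this example.

```python
# Added example (not from the slides): measure a collection tool's
# uncertainty as the number of differing 4 Kbyte pages between raw
# memory snapshots, following the Delta_21 / Delta_43 procedure.
# PAGE, the function names and the sample snapshots are assumptions.
from math import sqrt
from statistics import mean, stdev
from typing import Dict, List, Sequence, Tuple

PAGE = 4096  # 4 Kbyte pages, as in the slides


def diff_pages(snap_a: bytes, snap_b: bytes, page_size: int = PAGE) -> int:
    """Delta_ba: number of pages whose content differs between two dumps."""
    if len(snap_a) != len(snap_b):
        raise ValueError("snapshots must cover the same physical range")
    n_pages = (len(snap_a) + page_size - 1) // page_size
    return sum(
        1
        for i in range(n_pages)
        if snap_a[i * page_size:(i + 1) * page_size]
        != snap_b[i * page_size:(i + 1) * page_size]
    )


def diff_files(path_a: str, path_b: str, page_size: int = PAGE) -> int:
    """Same measure, streamed page by page so a 1 Gbyte dump is never loaded
    at once. If one file is shorter, its missing pages count as different."""
    count = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            pa, pb = fa.read(page_size), fb.read(page_size)
            if not pa and not pb:
                return count
            if pa != pb:
                count += 1


def type_a(deltas: Sequence[int]) -> Tuple[float, float, float]:
    """GUM Type A evaluation: (mean, sample std dev, std dev of the mean)."""
    if len(deltas) < 2:
        raise ValueError("need at least two differences to estimate a variance")
    m, s = mean(deltas), stdev(deltas)
    return m, s, s / sqrt(len(deltas))


def tool_uncertainty(snapshots: Sequence[bytes]) -> Tuple[List[int], Tuple[float, float, float]]:
    """Procedure (2): back-to-back differences Delta_21, Delta_32, ... for
    snapshots S1..Sn taken consecutively with the same collection tool."""
    deltas = [diff_pages(a, b) for a, b in zip(snapshots, snapshots[1:])]
    return deltas, type_a(deltas)


def toolkit_bounds(s1: bytes, s2: bytes, s3: bytes, s4: bytes) -> Tuple[int, int]:
    """Procedure (3): the toolkit runs between S1 and S2, the system idles
    between S3 and S4. Returns (Delta_43, Delta_21), the bounds of U_tot."""
    return diff_pages(s3, s4), diff_pages(s1, s2)


def summarize(delta: int, total_pages: int, page_size: int = PAGE) -> Tuple[int, float, float]:
    """Express a difference as (pages, Mbytes, percent of total), as in the result tables."""
    return delta, delta * page_size / 2**20, 100.0 * delta / total_pages


# Constructed sample data: a 64-page all-zero 'RAM' in which chosen pages
# are overwritten between snapshots (no real dumps are read here).
def perturb(snapshot: bytes, pages: Sequence[int], tag: int, page_size: int = PAGE) -> bytes:
    buf = bytearray(snapshot)
    for p in pages:
        buf[p * page_size:(p + 1) * page_size] = bytes([tag]) * page_size
    return bytes(buf)


N_PAGES = 64
S1 = bytes(N_PAGES * PAGE)             # baseline
S2 = perturb(S1, range(1, 11), 0xAA)   # toolkit ran: 10 pages touched
S3 = perturb(S2, [20, 21], 0xBB)       # 2 pages changed
S4 = perturb(S3, [30, 31, 32], 0xCC)   # idle period: 3 pages changed


def demo() -> Dict[str, object]:
    deltas, (m, s, sdm) = tool_uncertainty([S1, S2, S3, S4])
    d43, d21 = toolkit_bounds(S1, S2, S3, S4)
    return {"deltas": deltas, "mean": m, "stdev": s, "sdm": sdm,
            "bounds": (d43, d21), "summary_21": summarize(d21, N_PAGES)}


if __name__ == "__main__":
    print(demo())
```

On real dumps, use diff_files on consecutive acquisitions and feed the resulting list to type_a; the standard deviation of the mean shrinks with the square root of the number of repetitions, which is why the slides repeat the run about 10 times.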
-
Tested Tools
Is the uncertainty of different collection tools different?
Windows:
- dd (Forensic Acquisition Utilities)
- mdd (ManTech)
- fd (FastDump, issued by HBGary), two operational modes (with or without custom driver)
- win32dd (provided by M. Suiche)
- Memoryze (issued by Mandiant)
Linux:
- GNU dd and dc3dd (Rubin et al.)
-
Test results
(1) Dell Optiplex 330, Windows XP SP3, 1 Gbyte RAM; snapshots copied via USB 2.0
Table columns: tool name; number of snapshots (n); memory pages (Mp.); mean of the snapshot differences (number of 4 Kbyte pages, size in Megabytes, size in percent of the total); variance of the snapshot differences; collection time ($T_{collection}$); total uncertainty $U_{tot} = \overline{\mathrm{diff\_mem\_pages}} \pm \sigma_{\mathrm{diff\_mem\_pages}}$
-
Test results
(2) Virtual system, Windows XP SP3, 1 Gbyte RAM; snapshots copied via USB 2.0
- The uncertainty increases on average (compared with the physical machine)
- win32dd is the tool with the lowest uncertainty
- Why? Direct vs. non-direct I/O
-
Test results
(3) VirtualBox, Linux-based system (SUSE Linux 11.1, kernel 2.6.27.7-9), 512 Mbytes RAM, USB 2.0 transfer (with and without direct I/O)
- Table 1: no direct I/O is set; the uncertainty is quite high
- Table 2: direct I/O is set; the uncertainty goes down almost 5 times
-
User mode buffer
- Minimum of the uncertainty: $U = 3.7 \pm 0.08$, obtained with a buffer size $B$ = 100 Kbytes:
  dd if=/dev/mem of=/media/SIGMA/img1/dump01.dd oflag=direct bs=100K
- Linux allows direct I/O (oflag=direct) when copying in user space, so the dump bypasses the page cache instead of filling it
Setup: VirtualBox, Linux-based system (SUSE Linux 11.1, kernel 2.6.27.7-9), 512 Mbytes RAM, USB 2.0 transfer (without direct I/O)
-
Test results
(4) Uncertainty of the GNU dd and dc3dd tools on a virtual system with 512 Mbytes of RAM when using the LAN communication link. Results are very close to the direct I/O case:
  dd if=/dev/mem | nc 192.168.1.12 10000
- Better memory coherence, since no local file is written and the page cache is not used for the output
- Caveat: this relies on /dev/mem exposing all physical RAM; kernels built with CONFIG_STRICT_DEVMEM restrict /dev/mem to non-RAM ranges, and a kernel-module based acquisition is needed on such systems
-
Test results
(5) Uncertainty of collection tools when a memory-consuming process is running
- Custom Perl script which allocates memory blocks consecutively
- Comparison between non-direct and direct I/O
- Direct I/O reduces the uncertainty by about 30%: kernel memory is not used for caching the user-space data being written
-
Practical Consequences of the
Uncertainty
- Some parts of a process might be swapped out as a consequence of the kernel memory management; the pagefile(s) (Windows) or the swap area (Linux) is required to reconstruct the full virtual address space of the processes (RAM dump + pagefile or swap area)
- An Out of Memory (OOM) event might occur when many processes require plenty of RAM; the last launched process is usually killed, so the collection tool might not run at all or might be killed by the OS
- Tip: check the memory allocation before running the collection tool
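The "check the memory allocation first" tip, turned into an added Python example (not the authors' code). The /proc/meminfo text is constructed for this example; the function names and the three verdict labels are assumptions made here.

```python
# Added example (not from the slides): check the memory headroom before
# launching a collection tool, so that its own allocation neither forces
# page-cache reclaim or swapping (which alters the evidence) nor triggers
# the OOM killer. SAMPLE_MEMINFO is constructed; names are assumptions.
from typing import Dict

SAMPLE_MEMINFO = """\
MemTotal:         524288 kB
MemFree:           40960 kB
Buffers:            8192 kB
Cached:           102400 kB
SwapTotal:        262144 kB
SwapFree:         262144 kB
"""


def parse_meminfo(text: str) -> Dict[str, int]:
    """Parse /proc/meminfo lines ('Key:   value kB') into a dict of bytes."""
    info: Dict[str, int] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, rest = line.split(":", 1)
        parts = rest.split()
        if not parts:
            continue
        value = int(parts[0])
        unit = parts[1].lower() if len(parts) > 1 else ""
        info[key.strip()] = value * 1024 if unit == "kb" else value
    return info


def assess_headroom(info: Dict[str, int], needed: int) -> str:
    """Classify whether 'needed' bytes (tool working set + I/O buffer) fit.

    'free'     : fits in MemFree, no reclaim expected
    'reclaim'  : fits only by dropping page cache / buffers (memory state changes)
    'oom_risk' : even reclaimable memory is insufficient; the tool may be killed
    """
    free = info.get("MemFree", 0)
    # Kernels >= 3.14 expose MemAvailable; older ones (such as 2.6.27) do not,
    # so fall back to the classic free + buffers + cached estimate.
    available = info.get(
        "MemAvailable", free + info.get("Buffers", 0) + info.get("Cached", 0)
    )
    if needed <= free:
        return "free"
    if needed <= available:
        return "reclaim"
    return "oom_risk"


def check_sample(needed: int) -> str:
    """Run the check against the constructed sample."""
    return assess_headroom(parse_meminfo(SAMPLE_MEMINFO), needed)


if __name__ == "__main__":
    # e.g. dd with bs=100K plus a couple of Mbytes of tool working set
    for need in (100 * 1024 + 2 * 2**20, 60 * 2**20, 200 * 2**20):
        print(need, check_sample(need))
```

On a live Linux box the same check is parse_meminfo(open("/proc/meminfo").read()); a "reclaim" verdict means the dump will already differ from the pre-acquisition state, which is exactly the uncertainty the slides measure, and "oom_risk" means a smaller buffer or a network transfer should be chosen before anything is run.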
-
Conclusion and Future Work
- Simple methodology for measuring memory artifacts caused by a collection tool; it can also be used to measure the artifacts (memory modification) caused by a forensic toolkit
- Some tools affect the volatile memory less than others do
- Using direct I/O on Linux, or LAN transfer on Windows/Linux, is the best solution for obtaining a more coherent memory snapshot
- Future work: improve the methodology and consider the Type B component of the uncertainty; understand how to control the I/O transfer via USB, LAN, FireWire, eSATA; understand how to measure the extent to which a collection tool affects the collection process itself