Uncertainty in Live Forensics - IfIP 2010


  • 8/9/2019 Uncertainty in Live Forensics - IfIP 2010

    1/19

    A.Savoldi, Ph.D.

    IFIP WG 11.9 Digital Forensic Conference 2010

    Hong Kong, Jan 3, 2010

  • 2/19

    Outline

    Live forensic response

    Volatile vs. non-volatile data

    To what extent does a collection tool affect the volatile memory? Windows vs. Linux platform

    Statistical measurement of the uncertainty

    Collection tool

    Toolkits (e.g. Helix)

    Uncertainty tables for forensic practitioners

    IFIP WG 11.3, Hong Kong, Jan 3-6, 2010

  • 3/19

    Live Forensics

    Emerging paradigm of investigation

    Timely triage investigation

    Mission-critical computer-based systems

    Time is crucial for gathering decisive evidence: child abductions, missing people, investigations where time is not enough

    A lot of information is stored in RAM: list of processes, open ports

    Issues to address: Is there a reliable way to quantify how much a collection tool, or a live forensic toolkit, affects the volatile memory dump? Is the collection tool able to delete or alter useful evidence when it runs?

  • 4/19

    Uncertainty

    No measurement of a system is certain

    Consider the collection process as a measurement one

    A collected snapshot is not able to capture the real memory content => blurred snapshot

    From a statistical point of view there are two main components:

    Type A: mean and variance. N independent observations Xi,k obtained under the same conditions of measurement. Estimated standard deviation of the mean.

    Type B: takes into account previous measurement data, manufacturers' specifications, and uncertainties assigned to reference data taken from handbooks

    Our case: only the Type A component has been considered => the uncertainty is underestimated
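    As an added note (not part of the slide), the standard GUM Type A expressions for the quantities the slide names, with Xi,k the k-th of N repeated observations of quantity i (here a page-difference count between two snapshots):

$$\bar{X}_i = \frac{1}{N}\sum_{k=1}^{N} X_{i,k}, \qquad s^2(X_{i,k}) = \frac{1}{N-1}\sum_{k=1}^{N}\bigl(X_{i,k}-\bar{X}_i\bigr)^2, \qquad s(\bar{X}_i) = \frac{s(X_{i,k})}{\sqrt{N}}$$

    The last quantity, s(X̄i), is the estimated standard deviation of the mean referred to on the slide.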


  • 5/19

    Uncertainty

    Background: with the average mean and the average standard deviation, the resulting measurement can be described better

    The implicit assumption is that the data has a normal, or Gaussian, distribution

    This is verified by looking at the real data distribution

    We would like to evaluate how much the system's memory is modified by the collection process itself

  • 6/19

    Evaluating the Uncertainty

    Target(s):

    Evaluate to what extent different collection tools modify the volatile content while the memory dump is being acquired. Every collection tool affects the volatile content in a different way.

    Evaluate the uncertainty of a toolkit (some live procedures seriously affect the volatile memory). A live forensic procedure can seriously affect the volatile memory: is it possible to measure the extent of the modification by means of a software method?

  • 7/19

    Evaluating the Uncertainty

    Basic idea:

    A measurement tool is required to set up the measurement process

    We might use the binary difference between memory snapshots as an approximation of the uncertainty of the resulting memory dump

    Once we obtain the ordinary uncertainty of the measurement tool, we can try to measure something which affects the volatile memory even more (e.g. a forensic procedure with Helix or Windows ToolChest)

    The precision of the measurement relies on the measurement tool (lower bound of the uncertainty)

    We rely on the assumption that the collection tool has a fixed uncertainty. This is true only for fixed OS configurations (e.g. known background running processes)

  • 8/19

    Procedure

    Selection of a collection tool (e.g. 6 tools for the Windows platform, 2 tools for the Linux platform)

    Environment setup: Windows-based system installed from scratch; real and virtual machines; same procedure for the Linux OS (VirtualBox)

    Evaluation of the uncertainty of the collection tool: we use the collection tool as a measurement tool; series of snapshots are taken with different collection tools

    Evaluation of the uncertainty of a toolkit, e.g. to what extent is the volatile memory modified when a full live procedure is completed (e.g. Helix in live mode)?

  • 9/19

    Procedure (2)

    Timeline of the experiment for evaluating the ordinary uncertainty of a collection tool: T1 − T0 is the time interval used to collect the memory snapshot S1; Δ21 = S2 − S1 is the binary difference, i.e. the number of 4 Kbyte memory pages which are different.

    Uncertainty: average of back-to-back binary differences between raw memory snapshots. The procedure is repeated a number of times that is statistically meaningful (e.g. 10 times); the variance is therefore evaluated.

  • 10/19

    Procedure (3)

    Timeline of the experiment that evaluates the uncertainty of a live forensic toolkit (e.g. Helix, Windows ToolChest): S1 is the first memory dump; FT is the time interval during which the forensic toolkit runs; S2 is the second memory dump.

    Δ21 is the binary difference between S2 and S1 (higher modification of the memory snapshots); Δ43 takes into account the binary difference of S4 and S3 (number of different 4 Kbyte memory pages). Idle time: the OS runs without any forensic tools; it takes into account the normal background operations.

    Total uncertainty of the toolkit is within: Δ43 ≤ Utot ≤ Δ21
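    An added example (not from the talk) that implements the binary-difference measurement of slides 9 and 10 on a constructed 64-page snapshot: it counts differing 4 Kbyte pages between back-to-back dumps, evaluates the Type A statistics over repeated runs, and reports the Δ43 ≤ Utot ≤ Δ21 bound. The numbers of pages touched by the toolkit and by background activity are constructed inputs, not measured values.

```python
import math
import random
import statistics

PAGE = 4096     # 4 Kbyte memory pages, the unit the slides count
N_PAGES = 64    # constructed toy "RAM" of 64 pages (a real dump has far more)

def differing_pages(s1: bytes, s2: bytes) -> int:
    """Binary difference of two raw snapshots: number of 4 Kbyte pages that differ."""
    if len(s1) != len(s2):
        raise ValueError("snapshots must have the same size")
    return sum(1 for off in range(0, len(s1), PAGE)
               if s1[off:off + PAGE] != s2[off:off + PAGE])

def type_a(diffs):
    """GUM Type A evaluation of repeated back-to-back differences: mean, experimental
    standard deviation and standard deviation of the mean (no Type B, as on the slides)."""
    n = len(diffs)
    mean = statistics.fmean(diffs)
    sd = statistics.stdev(diffs) if n > 1 else 0.0
    return mean, sd, sd / math.sqrt(n)

def touch(snapshot: bytes, pages, rng) -> bytes:
    """Constructed stand-in for activity between two dumps: overwrite the given pages."""
    buf = bytearray(snapshot)
    for p in pages:
        buf[p * PAGE:(p + 1) * PAGE] = rng.randbytes(PAGE)
    return bytes(buf)

def run_experiment(n_runs=10, idle_pages=3, tool_pages=12, seed=1):
    """Repeat the slide-10 timeline n_runs times. S1->S2: the toolkit runs on top of
    background activity; S3->S4: idle only. Returns Type A statistics of delta21, delta43."""
    rng = random.Random(seed)
    d21, d43 = [], []
    for _ in range(n_runs):
        idle = rng.randint(idle_pages - 1, idle_pages + 1)   # constructed background jitter
        s1 = rng.randbytes(N_PAGES * PAGE)
        s2 = touch(s1, rng.sample(range(N_PAGES), idle + tool_pages), rng)
        s3 = s2                                              # idle interval starts here
        s4 = touch(s3, rng.sample(range(N_PAGES), idle), rng)
        d21.append(differing_pages(s1, s2))
        d43.append(differing_pages(s3, s4))
    return type_a(d21), type_a(d43)

if __name__ == "__main__":
    (m21, _, u21), (m43, _, u43) = run_experiment()
    print(f"delta21 = {m21:.1f} +/- {u21:.2f} pages; delta43 = {m43:.1f} +/- {u43:.2f} pages")
    print(f"toolkit uncertainty bound: {m43:.1f} <= Utot <= {m21:.1f} (4 Kbyte pages)")
```

    On real dumps the same functions apply to the raw image files read as bytes; only the size (and therefore the run time of the page comparison) changes.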

  • 11/19

    Tested Tools

    Is the uncertainty of different collection tools different?

    Windows:

    dd (Forensic Acquisition Utilities)

    Mdd (ManTech)

    Fd (fast dump, issued by HBGary); two operational modes (with or without custom driver)

    Win32dd (provided by M. Suiche)

    Memoryze (issued by Mandiant)

    Linux:

    dd and dc3dd (Rubin et al.)

  • 12/19

    Test results (1)

    Dell Optiplex 330, Windows XP SP3, 1 Gbyte RAM; snapshots copied via USB 2.0

    Table columns: tool name; number of snapshots (n); memory pages (Mp.); memory snapshots mean (number of 4 Kbyte pages, size in Megabytes, size in percent out of the total); memory snapshots variance; collection time (Tcollection); total uncertainty: Utot = diff_mem_pages ± diff_mem_pages

  • 13/19

    Test results (2)

    Virtual system, Windows XP SP3, 1 Gbyte RAM; snapshots copied via USB 2.0

    The uncertainty increases on average

    Win32dd is the tool with the lowest uncertainty

    Why? Direct vs. non-direct I/O

  • 14/19

    Test results (3)

    VirtualBox, Linux-based system (SUSE Linux 11.1, kernel 2.6.27.7-9), 512 Mbytes RAM, USB 2.0 transfer (with and without direct I/O)

    Table 1: no direct I/O is set; the uncertainty is quite high

    Table 2: direct I/O is set; the uncertainty goes down almost 5 times

  • 15/19

    User mode buffer

    Minimum of the uncertainty: U = 3.7 ± 0.08 with B = 100 Kbytes

    dd if=/dev/mem of=/media/SIGMA/img1/dump01.dd oflag=direct bs=100K

    Linux allows direct I/O when copying in user space

    VirtualBox, Linux-based system (SUSE Linux 11.1, kernel 2.6.27.7-9), 512 Mbytes RAM, USB 2.0 transfer (without direct I/O)

  • 16/19

    Test results (4)

    Uncertainty of the GNU dd and dc3dd tools on a virtual system with 512 Mbytes of RAM when using the LAN communication link. Results are very close to the direct I/O case.

    dd if=/dev/mem | nc 192.168.1.12 10000

    Better memory coherence

  • 17/19

    Test results (5)

    Uncertainty of collection tools when a memory-consuming process is running

    Custom Perl script which allocates memory blocks consecutively

    Comparison between non-direct and direct I/O

    Direct I/O reduces the uncertainty by about 30%: kernel memory is not used for paging user-space data

  • 18/19

    Practical Consequences of the Uncertainty

    Some parts of a process might be swapped out as a consequence of the kernel memory management. The pagefile(s) (Windows) or the swap area (Linux) is required to reconstruct the full virtual space of the different processes (RAM dump + pagefile or swap area).

    An Out of Memory (OOM) event might occur when many processes require plenty of RAM. The last launched process is usually killed, e.g. the collection tool might not run at all or might be killed by the OS.

    Tip: check the memory allocation before running the collection tool

  • 19/19

    Conclusion and Future Works

    Simple methodology for measuring memory artifacts caused by a collection tool; it can also be used to measure artifacts (memory modification) caused by a forensic toolkit

    There are tools which affect the volatile memory less than others do. Using direct I/O on Linux or LAN transfer on Windows/Linux is the best solution for obtaining a more coherent memory snapshot

    Improve the methodology and consider the Type B component of the uncertainty

    Understand how to control the I/O transfer via USB, LAN, FireWire, eSATA

    Understand how to measure the extent to which a collection tool affects the collection process itself