Presented by:IBRAHIM YUSOFSAUFI BUKHARI

SIMULTANEOUS DISK IMAGING USING OPEN-SOURCE TOOLS

FOR DIGITAL FORENSIC

• Branch of forensic science which involves forensic investigation on digital materials

• Objectives:– Explain current state of a digital artifact (registries,

storage, documents, packets)– Analyze information inside digital artifacts to be used as

digital evidence– Recover deleted or lost information– Analyze how the system is being

compromised

WHAT IS DIGITAL FORENSIC?

BASIC STEPS IN DIGITAL FORENSICIdentification: identify the system that will be investigated

Preservation: isolate and secure the system to prevent further damage or modification

Collection: obtain digital evidence using disk imaging technique

Examination and analysis: examine digital evidence to discover specific evidence

Presentation and decision: present the result of analysis for decision making

• Process of duplicating hard disk drive or other storage devices sector by sector rather than separated files

• Operates below file-system layer (NTFS,Ext2,Ext3)• Preserves the content, structure, and accounting of

the files• Allows compression and archiving of the image file

to save storage space

WHAT IS DISK IMAGING?

• Commercial software:– AccessData Forensic Tool Kit (FTK) Imager– Guidance Software EnCase

• Open-source software:– dd: originally developed for UNIX/LINUX system now available for

other OS’s such as Windows

– dcfldd: enhanced version of dd developed by U.S. Department of Defense Computer Forensics Lab with integrity verification capability

– dd_rescue & GNU ddrescue: another enhanced version of dd with intelligent error recovery

– aimage: advanced forensic format (AFF) imaging tool with intelligent error recovery, compression and verification

APPLICABLE DISK IMAGING TOOLS

• Advantages:– Save cost– Can be shared and customized freely

• Disadvantages:– Require expertise to configure and use– Most of them do not offer graphical user interface (GUI) to

ease the user• Require execution of raw disk imaging command• Example: dcfldd if=/dev/hda of=/media/disk bs=32K hash=md5 md5log=/media/disk/md5log.txt

WHY USE OPEN-SOURCE TOOLS?

• Adopts normal disk imaging functionalities• Advanced functionalities:

– Integrity verification (checksum and hashing)– Metadata (details about data) preservation– Imaging logs generation

• Must satisfy digital forensic requirements for disk imaging– The tool shall not alter the original– The tool shall perform imaging even if there are I/O errors– The tool shall compute hash or checksum value and perform

verification– The tool shall produce accurate and correct documentation

• Drawback: slower imaging process than normal imaging

FORENSIC DISK IMAGING

THE EFFECTS OF ADVANCED FUNCTIONALITIES TO IMAGING SPEED

Normal

Normal

Normal

Forensic

Forensic

• Prepares the exact duplication of the digital evidence for analysis

• Avoids performing analysis on the original digital evidence to prevent damage or modification

• Allows the original digital evidence to be duplicated unlimitedly

WHY USE FORENSIC DISK IMAGING?

• dcfldd– On-fly hashing (hashing is performed during data transfer

from source to destination)– Image verification and splitting– Logs generation into external applications

• aimage– Image verification, compression, and archiving– Hashing (sha1, md5, sha256)– Metadata preservation– Logs generation

BEST TOOLS FOR FORENSIC DISK IMAGING

• Preparations:– Source hard disk or other storage devices attached to the

target system

– Destination hard disk (external hard disk) USB attachable much larger than the source hard disk size

– Live CD (Linux): contains disk imaging tool and digital forensic analysis utilities

HOW TO PERFORM DISK IMAGING?

• Hardware setup:

CONTINUED…

Figure 1: Illustration of hardware setup

• Hands on execution:– Execute imaging command in Linux terminal (as shown

below)

CONTINUED…

Figure 2: Sample of dcfldd execution

• Simultaneous disk imaging: multiple disk imaging executions done at the same time

• WHY?– Many server computers have more than one hard disks– To simplify the job of the user to image multiple hard

disks– Time utilization

SIMULTANEOUS DISK IMAGING

User doesn’t have to wait for the current imaging process to complete in order to execute next imaging process

• HOW?– Use existing functionalities of Linux OS which allows

multiple commands to be executed– Examples:

• command1 & command2;• command1 ; command2;

• PROBLEM: long and complicated command to execute

• SOLUTION: use of graphical user interface (GUI) to generate the command automatically

CONTINUED…

• Based on AIR (Automated Image and Restore) – GUI front-end to dd/dc3dd created by Steve Gibson

• Using Perl/tk programming language

• Currently developed specifically for Linux (SUSE 10.2)

• Allows two imaging processes to be executed at once

• No memorization of long and complicated commands required

• Collaboration with aimage (AFF disk imaging tool)

• WHY we chose aimage?

OUR GRAPHICAL USER INTERFACE (GUI) OVERVIEW – (AFF) Imager 1.0.x

Its functionalities most meet current digital forensic requirements

Start button Stop button

Dual source and destination browser

Imaging options tab: checkbox based

• Many to one: multiple source hard disk being imaged and stored into one destination hard disk

DIFFERENT MODES OF SIMULTANEOUS DISK IMAGING

Figure 3: Many to one mode illustration

• Many to many: multiple source hard disk being imaged and stored into multiple destination hard disks

CONTINUED…

Figure 4: Many to many mode illustration

MANY TO ONE vs. MANY TO MANY

Figure 5: Average imaging rate comparison of simultaneous disk imaging modes

Normal mode

• In forensic disk imaging, integrity and accuracy are more important than speed

• Open-source disk imaging tool can be very reliable with additional improvement (e.g.: GUI)

• The usage of graphical user interface (GUI) simplifies the process of imaging significantly

• Simultaneous imaging (many to many) is another way to simplify the imaging process and save imaging time– Requires additional storage devices to perform best

CONCLUSIONS

THANK YOU FOR YOUR ATTENTION…

Q & A