Timmi Lee Strand Jæger 2
Forensics Challenges with the Whonix OS
15/05/2015
Presented by Timmi Lee Strand Jæger
The Whonix
• Open-source operating system, released in 2012
• Based on the Tor network and «vanilla» Debian GNU/Linux
• Designed to be used with virtualization software
Whonix images
• Workstation
  • Connected to the gateway
  • Security by isolation
  • Tor artefacts – xchat, torchat, gpg encryption, bitcoin software etc.
• Gateway
  • Routes all internet traffic through Tor
  • Not recommended to be used for anything else than a gateway
Aim and objective
• Researching the forensics challenges connected to the Whonix OS by mapping out the forensics artifacts
• Will focus primarily on the evidence files in the operating system
Tools and software
• National Institute of Standards and Technology Computer Forensics Tool Testing (NIST CFTT)
• Forensic Toolkit (FTK) 5
• FTK Imager
• VirtualBox
• KFF – Known File Filter
Forensics methodology
Analysis results
• Software artefacts
  • Tor Browser
  • Metadata Anonymisation Toolkit
  • GTK RecordMyDesktop
  • Xchat
  • TorChat
  • OpenPGP
• Debian artefacts
  • File download
  • Program execution
  • File opening and creation
  • Deleted files
  • Account usage
Web browser
Tor Browser
• Security modified
• No data written outside the bundle directory: home/user/tor-browser/browser/TorBrowser/Data
• No cache in deleted files
Iceweasel
• Limited security modifications
• Very similar to the Firefox browser
• Only recommended to use to download the Tor Browser
• Stores cache, browser data
• Able to recover browser data
Preinstalled utilities
• Metadata Anonymisation Toolkit
  • Designed to delete all metadata from files
  • Prevents anonymity leaks from metadata
  • Log file: /home/user/.local/share/recently-used.xbel, e.g.:
    <bookmark href="file:///home/user/Selection_003.png" added="2015-03-10T14:23:27Z" modified="2015-03-10T14:23:27Z" visited="2015-03-10T14:23:27Z">
  • Creates a copy of the original file without metadata
• GTK RecordMyDesktop
  • Desktop session recorder
  • Creates video files in several formats; settings are outlined in /home/user/.gtk-recordmydesktop:
    - Sound settings
    - Cursor
    - Full shots – on or off
    - Filename
    - Number of channels
    - Sound device
    - Video quality
    - Audio quality
    - Working directory
Communication
Xchat
• Open chat communication program, unregistered and registered users
• Logging off by default
• Research recovered chat history from scrollback logs: /home/user/.xchat2/scrollback/OFTC/#ChannelName
• Generates random UserID
TorChat
• Chatting program with similar features as MSN
• Routed through the Tor network
• Users have unique IDs
• Connections listed in /home/user/.torchat/buddy-list.txt
• A log of the conversations was recovered from /home/user/.torchat/userID.log
Encryption
• OpenPGP
  • Open-source GPG encryption program
  • FTK able to find exported/imported keys stored in the file system
  • Password protected
  • Encrypted files require key and password
  • Decrypted files are stored decrypted
Debian foundation artifacts
File download
• Same structure as the Debian Linux; /home/user/, /home/user/Desktop
• Hidden folder in /.
• Program files in /usr, /usr/bin for binary files; found 1325 files – 448 after KFF
Program execution
• /var/log/auth.log
  Mar 10 18:03:27 host sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/pip install
• /home/user/.bash_history
• /var/log/dpkg.log
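The sudo line in /var/log/auth.log quoted above is the program-execution artefact the slide points at. The parser below is an added example, not the presenter's code: it turns such lines into a timeline. The sample log is constructed (the first line is the one on the slide, the rest are made up); the caller must supply the year because syslog timestamps carry none, and the result is tagged UTC because Whonix keeps the clock in UTC.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of /var/log/auth.log lines in the format shown on the slide.
# The first line is the one quoted on the slide; the others are made up for illustration.
SAMPLE_AUTH_LOG = """\
Mar 10 18:03:27 host sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/pip install
Mar 10 18:03:27 host sudo: pam_unix(sudo:session): session opened for user root by user(uid=0)
Mar 10 18:05:02 host sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar 10 18:07:11 host sudo: user : TTY=pts/1 ; PWD=/home/user/Desktop ; USER=root ; COMMAND=/usr/bin/dpkg -i torchat.deb
Mar 10 18:09:45 host sudo: user : TTY=pts/1 ; PWD=/home/user/Desktop ; USER=root ; COMMAND=/usr/bin/gpg --import keys.asc
"""

# sudo logs "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<argv>"; padding around <user> varies.
SUDO_COMMAND_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sudo: +(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)


def parse_sudo_events(log_text, year):
    """Return one dict per sudo COMMAND record, oldest first.

    Syslog timestamps carry no year, so the caller supplies it (for instance from
    the log file's own mtime in the image). The clock in Whonix is UTC, so the
    datetime is made timezone-aware instead of being left naive.
    """
    events = []
    for line in log_text.splitlines():
        m = SUDO_COMMAND_RE.match(line)
        if not m:
            continue  # pam_unix session lines carry no command; skip them
        stamp = datetime.strptime(
            f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        events.append({
            "timestamp": stamp,
            "user": m["user"],
            "tty": m["tty"],
            "pwd": m["pwd"],
            "target_user": m["target"],
            "command": m["command"],
        })
    events.sort(key=lambda e: e["timestamp"])
    return events


def programs_run(events):
    """Count which binaries were executed through sudo (first token of COMMAND)."""
    return Counter(e["command"].split()[0] for e in events)


if __name__ == "__main__":
    evs = parse_sudo_events(SAMPLE_AUTH_LOG, 2015)
    for e in evs:
        print(e["timestamp"].isoformat(), e["user"], e["tty"], e["pwd"], e["command"])
    print(programs_run(evs))
```

The PWD field is worth keeping alongside the command: it shows which directory the user was working in at the time, which can be correlated with the recently-used and bash history artefacts.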
File system
File opening and creation
• MAC – Modified, Accessed, Created
• Time set to UTC
• Recently used file log in /home/user/recently-used.xbel
• Bash history log /home/user/.bash_history
Deleted files
• Deleted 3 files, all recovered in unallocated space
• Approx. 30 hours use gave 7696 deleted files, 734 were html and jpeg files.
• /tmp & /var/tmp
• Recovered cache from Iceweasel
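Both the "Preinstalled utilities" slide (the MAT entry in /home/user/.local/share/recently-used.xbel) and this slide name recently-used.xbel as the file-opening artefact. The parser below is an added example, not the presenter's code, and it serves both slides. The sample XBEL is constructed: its first bookmark is the one quoted on the MAT slide, while the <info>/<metadata> children, the second bookmark and the application names are assumed from the freedesktop desktop-bookmark format that GTK writes. Timestamps are parsed as UTC, matching the slide's note that Whonix sets the clock to UTC.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import unquote, urlparse

# Constructed recently-used.xbel. The first <bookmark> is the entry quoted on the MAT slide;
# the <info>/<metadata> children and the second entry are assumed from the freedesktop
# desktop-bookmark spec used by GTK, not taken from an actual Whonix image.
SAMPLE_XBEL = """<?xml version="1.0" encoding="UTF-8"?>
<xbel version="1.0"
      xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks"
      xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info">
  <bookmark href="file:///home/user/Selection_003.png" added="2015-03-10T14:23:27Z" modified="2015-03-10T14:23:27Z" visited="2015-03-10T14:23:27Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="image/png"/>
        <bookmark:applications>
          <bookmark:application name="mat" exec="'mat %u'" modified="2015-03-10T14:23:27Z" count="1"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
  <bookmark href="file:///home/user/Desktop/meeting%20notes.txt" added="2015-03-09T09:01:00Z" modified="2015-03-10T16:40:12Z" visited="2015-03-10T16:40:12Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="text/plain"/>
        <bookmark:applications>
          <bookmark:application name="gedit" exec="'gedit %u'" modified="2015-03-10T16:40:12Z" count="3"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
</xbel>
"""

BOOKMARK_NS = "{http://www.freedesktop.org/standards/desktop-bookmarks}"
MIME_NS = "{http://www.freedesktop.org/standards/shared-mime-info}"


def parse_xbel_time(value):
    """'2015-03-10T14:23:27Z' (optionally with fractional seconds) -> aware UTC datetime."""
    if value is None:
        return None
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def parse_recently_used(xml_text):
    """Return one dict per <bookmark>, most recently visited first."""
    root = ET.fromstring(xml_text)
    records = []
    for bm in root.findall("bookmark"):
        href = bm.get("href", "")
        parsed = urlparse(href)
        # Every application that registered the file, with its use count and last-use time.
        apps = [
            (app.get("name"), int(app.get("count", "0")), parse_xbel_time(app.get("modified")))
            for app in bm.iter(BOOKMARK_NS + "application")
        ]
        mime = bm.find(".//" + MIME_NS + "mime-type")
        records.append({
            "href": href,
            # Only file:// URIs map to a path on the image; %20 and friends are decoded.
            "path": unquote(parsed.path) if parsed.scheme == "file" else None,
            "mime_type": mime.get("type") if mime is not None else None,
            "added": parse_xbel_time(bm.get("added")),
            "modified": parse_xbel_time(bm.get("modified")),
            "visited": parse_xbel_time(bm.get("visited")),
            "applications": apps,
        })
    epoch = datetime.min.replace(tzinfo=timezone.utc)
    records.sort(key=lambda r: r["visited"] or epoch, reverse=True)
    return records


def files_opened_with(records, app_name):
    """Paths a given application touched, e.g. which files were run through MAT."""
    return [r["path"] for r in records if any(a[0] == app_name for a in r["applications"])]


if __name__ == "__main__":
    for r in parse_recently_used(SAMPLE_XBEL):
        print(r["visited"].isoformat(), r["path"], r["mime_type"], [a[0] for a in r["applications"]])
    print("fed through MAT:", files_opened_with(parse_recently_used(SAMPLE_XBEL), "mat"))
```

The application list is the useful part for the MAT case: the bookmark's own timestamps say when the file was touched, while the registered application says which program did it, so a file that only appears under MAT was anonymised without being opened elsewhere on the guest.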
Account usage
• Traditional Linux utmp (current login state), wtmp (all logins and logouts) and btmp (failed logins) files.
• VirtualBox has a function called «save current state».
• A variety of log files such as /var/log/auth.log, /var/log/timesanitycheck.log, root/.bash_history, program logs and the logs in /var/log will show a history of the user being active.
• Remember that time is set to UTC by default every time Whonix is booted up
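The utmp, wtmp and btmp files named above are binary, fixed-size records rather than text. The decoder below is an added example, not the presenter's code: it unpacks the glibc x86_64 record layout (384 bytes per entry) and pairs logins with logouts per terminal line. The sample wtmp is constructed in the block with the same packer, and every timestamp is decoded as UTC, which is what the slide says Whonix uses.

```python
import struct
from datetime import datetime, timezone

# glibc's struct utmp on x86_64 Linux (384 bytes), little-endian, field order as in <utmp.h>:
# ut_type (short) + 2 pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit {e_termination, e_exit}, ut_session, ut_tv {tv_sec, tv_usec} (both 32-bit),
# ut_addr_v6[4] (16 bytes), reserved[20].
UTMP = struct.Struct("<hxxi32s4s32s256shhiii16s20s")
assert UTMP.size == 384

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
TYPE_NAMES = {BOOT_TIME: "BOOT_TIME", USER_PROCESS: "USER_PROCESS", DEAD_PROCESS: "DEAD_PROCESS"}


def _cstr(raw):
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _epoch(y, mo, d, h, mi, s):
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())


def _record(ut_type, pid, line, ident, user, host, tv_sec):
    """Build one raw utmp record (used here only to construct the sample file)."""
    return UTMP.pack(ut_type, pid, line.encode(), ident.encode(), user.encode(),
                     host.encode(), 0, 0, 0, tv_sec, 0, b"", b"")


# Constructed sample wtmp: a boot, a console login, a pty login and that pty's logout.
SAMPLE_WTMP = b"".join([
    _record(BOOT_TIME, 0, "~", "~~", "reboot", "", _epoch(2015, 3, 10, 13, 58, 0)),
    _record(USER_PROCESS, 1201, "tty1", "1", "user", "", _epoch(2015, 3, 10, 14, 0, 5)),
    _record(USER_PROCESS, 1455, "pts/0", "ts/0", "user", "", _epoch(2015, 3, 10, 14, 1, 10)),
    _record(DEAD_PROCESS, 1455, "pts/0", "ts/0", "", "", _epoch(2015, 3, 10, 18, 10, 0)),
])


def parse_utmp(data):
    """Decode every record of a utmp/wtmp/btmp file; timestamps are aware UTC datetimes."""
    if len(data) % UTMP.size:
        raise ValueError("file size is not a multiple of the utmp record size")
    out = []
    for (ut_type, pid, line, ident, user, host, _term, _exit, _sess,
         sec, usec, _addr, _res) in UTMP.iter_unpack(data):
        out.append({
            "type": TYPE_NAMES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(sec + usec / 1e6, tz=timezone.utc),
        })
    return out


def sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same line.

    Returns (user, line, login_time, logout_time); logout_time is None when the
    session was still open when the image was taken (or the VM state was saved).
    """
    open_by_line, result = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            result.append((login["user"], r["line"], login["time"], r["time"]))
    for line, login in open_by_line.items():
        result.append((login["user"], line, login["time"], None))
    return result


if __name__ == "__main__":
    recs = parse_utmp(SAMPLE_WTMP)
    for r in recs:
        print(r["time"].isoformat(), r["type"], r["line"], r["user"])
    for user, line, login, logout in sessions(recs):
        print(user, line, login.isoformat(), logout.isoformat() if logout else "still logged in")
```

A login with no matching logout is exactly what a VirtualBox «save current state» leaves behind: the guest never ran its shutdown, so the wtmp record stays open and utmp still lists the user as present.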
The way forward
• Creating a guideline for future forensic investigations
• Researching how the Tor network affects evidence
• Researching which Linux packages reveal privacy-related information in Whonix
• This research will need future updates
Summary
• Traditional Debian artifacts
• All artifacts generated by a Debian Linux OS can also be generated in Whonix
• Encryption recommended on host system
• Tor browser stores browser data temporarily in RAM
• Chat history from Xchat can be recovered