Digital Forensics Lecture 2


Digital Forensics Lecture 2: Hard Disk Drive (HDD) Media Forensics

Quiz Number 1
• 10 minutes to complete

Current, Relevant Topics
• Study Turns Up Problems with eVoting System in Ohio (21 August 2006)
  A report based on a study of a May 2006 primary election in Cuyahoga County, Ohio indicates that the electronic voting system used in the election presents significant concerns about accuracy. Close to ten percent of the paper versions of the votes, or the voter-verifiable paper audit trail, generated by Diebold Election System's AccuVote TSx touch-screen voting equipment were "either destroyed, blank, illegible, missing, taped together or otherwise compromised."
  – http://www.computerworld.com

Research Topics Presentation (Due Next Week)
We are counting on you for the specifics
1. CD-R/RW and DVD+-R/RW media analysis
2. File carving
3. Tools for Mac digital forensics
   • With emphasis on HFS File System

Lecture Overview
[Figure: the DF process chain of Preparation, Collection, Analysis, Findings/Evidence and Reporting/Action, within a Legal/Policy context]
• The role of a HDD in DF
• Our approach to understanding HDD DF
• Physical-layer storage and operations
• Volumes
• Very brief file system overview
• The boot process
• Isolation through virtualization
• Relevant DF tools

The role of a HDD in DF
[Figure: data flow from physics (stored data) through physical and automated processes to transmitted and processed data, and on to intelligence]
• HDDs are the most significant method of data storage
• Relatively low internal data transfer rates and immature optimization algorithms extend the lifetime of data written to HDDs

Our approach to understanding HDD DF
• We will begin at the physical layer and work toward increasing abstraction using a data-driven approach
[Figure: "Understanding and Evidence?"]
[Figure: layers from specific to abstract: Physical Media, Volume 1 … Volume n, File System, File]

Module 1: HDD Physical-Layer

Types of Magnetic Storage
• There are a variety of magnetic storage devices that a DF investigator might encounter
  – Zip drive, video cassette, tape drive, floppy drive, drum memory, hard drive

Major Components of a HDD
• Platter, controller, read/write head

The Basic Unit of HDD Storage is a Platter

Physical Disk Geometry
• One head for each surface
• All tracks at r = d_n form a cylinder
• The number of sectors varies with the cylinder
• Each sector has 512+ octets of information
• One surface is dedicated for positioning and synchronization
• Not all portions of the disk are addressable by the OS

A Linear Model For Magnetic Media
[Figure: the storage platters viewed as one linear extent from Beginning to End]
• For simplicity, we will use a linear model of the magnetic media
• Unless we are performing electron microscopy, the exact media geometry is not significant
• The blank magnetic media has only geometric structure and raw magnetic storage capacity

Read/Write Process (simplified)
[Figure: the read/write head over the linear model, Beginning to End]
• Write Process
  – Digital signals are encoded (for timing recovery) and transformed into analog signals that drive the magnetic field on the write head
• Read Process
  – The analog magnetic field is sensed, timing is recovered, and the sampled signals are converted into digital data

Disk Wiping Programs
• Why isn't a single pass adequate?
• How many passes are necessary?
• What influences each write pass?
• What disk areas must be wiped to ensure destruction of data?
  – You should be able to answer these questions at the end of the next lecture

Physical Layer Forensics
• Magnetic Force Microscopy (MFM)
  – MFM can map the spatial distribution of magnetism by measuring the magnetic interaction between a sample and a tip. As magnetic devices have become smaller and smaller, an evaluation technique with nanoscale spatial resolution has become necessary. To meet this need, the MFM was developed.

Magnetic Media Data Recovery
[Figure: recovery pipeline: sense magnetization with a magnetic force microscope; two-dimensional signal processing to transform the image into tracks; per-sector signal processing of the channel data (one 512 B sector); timing recovery and decoding to bits 100110…]
• Does this yield useful data?

HDD User Storage, Administrative Storage, and Redundancy
[Figure: the linear model, Beginning to End, divided into User Storage, R, HPA, DCO and Bad regions]
• User Storage = Usable Capacity
• R = Redundant Sectors
• HPA = Host Protected Area
• DCO = Device Configuration Overlay
• Bad = Determined to be bad at manufacture or during operation
NOTE: These sectors are distributed throughout the storage media

Low Level Format
[Figure: a run of sectors (512 octets plus overhead each); an individual sector is 512 octets plus sector overhead; redundant sectors are visible only to the HDD controller]
• Low-level formatting adds indivisible units of storage called sectors
• Most modern HDDs use 512+ octet sectors
  – The + accounts for sector overhead bytes (differs by manufacturer)
• Overhead bytes provide error correction and timing recovery functions
• Bad sectors are automatically remapped to redundant sectors by the HDD controller

HDD Interfaces
• SCSI
  – Primarily workstation and server class machines
  – Might be a good topic for a research paper
  – It's possible to low-level format some SCSI drives
• IDE/EIDE/ATA/ATAPI/PATA/SATA
  – Uses ATA commands
    • E.g., Read Sector, Write Sector, Identify Device, etc.
  – Can be accessed directly or through BIOS
  – There are write blockers to provide hardware protection against corrupted "evidence"
• SCSI (continued)
  – Basics are the same

Overview of Some Key Physical-Layer DF Issues with HDDs
• Overwritten data can potentially be recovered
• Not all areas of a HDD can be accessed through standard ATA commands
  – Sector overhead, P-Lists, G-Lists, Administrative Storage, Excluded Storage…
• Bad sectors are remapped to redundant sectors and are no longer addressable (i.e., through ATA commands)
• It is possible to replace failed controllers and interface circuitry
• It is standard practice to use a hardware write-blocker when collecting data from a HDD
• New physical interfaces on micro-disks
• What else?

Module 2: HDD Volumes

Volumes Are Logical Storage Containers On HDDs
[Figure: Primary Storage Media 1 holding Volume 1, Volume 2 and Unallocated space; PSM 2 holding Volume 3; P, G and R sectors alongside]
• Volumes can contain most any data structure
  – File systems
  – Databases
  – Swap space
  – Hidden backups
  – Other containers
• P = P-List Sectors
• G = G-List Sectors
• R = Redundant Sectors

Partitioning
[Figure: the Master Boot Record (MBR) holding the MBC and MPT, followed by Partition #1 and Partition #2, each starting with a Volume Boot Record (VBR) holding VBC and DPB; an inter-partition gap and unused sectors are also shown]
• On each partition a VBR contains Volume Boot Code and a Disk Parameter Block
• The Master Boot Record is created and includes the Master Boot Code (MBC) and the Master Partition Table (MPT)
  – always at sector 1 on any bootable media
• The MBC is executed at boot if the HDD is designated as the boot device
• The MPT contains information about logical volumes (partitions), including the active partition, the partition whose Volume Boot Code (VBC) will be executed
• Each partition has a Disk Parameter Block that stores information about extended partitions, file system type, date and time last mounted, etc.
• Inter-partition gaps are a collection of unused sectors
• Some sectors are unused due to addressing issues

Module 3: The Boot Process

The Boot Process
• Begin execution from ROM (address 0xFFF0)
• Jump to BIOS power on self test (POST)
• System initialization from CMOS and device BIOS
• Transfer execution to the master boot record (MBR) at cylinder 0, head 0, sector 1 of the boot media (if it exists)
• Transfer execution to the boot code on the "active" partition indicated by the master partition table in the MBR
  – Hundreds of files are modified/touched
• Constant memory and HDD modification during system operation

Module 4: Isolation Through Virtualization (e.g., VMWare)

The Goal is to Maintain Integrity of the Investigation
[Figure: the investigation environment: the investigator and tools READ the "evidence" data, VERIFY it, GENERATE and MODIFY analysis data and incremental reports, and GENERATE reports for the evidence consumer; unauthorized users and networks, new tools under test, and change processes must not ACCESS or MODIFY the investigation]
• VMWare will serve as our investigation environment

VMware Device Specifics
• Provides a variety of virtual hardware
  – HDD (IDE or SCSI)
    • Stored as a binary file on the host OS
    • Can add or remove HDD very easily
  – CD and DVD drives (IDE or SCSI)
    • Can use ISO image on host OS as CD or DVD
  – Memory (RAM): limited by physical RAM
  – USB 1.1 and 2.0
  – Floppy
    • Can use ISO image on host OS as floppy
  – NIC (Ethernet)
  – Audio Adapter
  – Serial port
  – Parallel port
  – Generic SCSI device
• Can save and revert to snapshots of system state
• Virtual hardware is very stable

Module 5: Relevant Tools

The Sleuth Kit Tools (learn through hands-on labs)
• File system layer (partitions, file systems)
  – fsstat – first used in lab 3 to determine block size
• File name layer (file name structures)
  – ffind
  – fls
• Meta-data layer (inodes, directory entries, file attributes)
  – icat
  – ifind
  – ils
  – istat
• Data unit layer (disk blocks)
  – dcat – first used in lab 3 to extract disk blocks
  – dls – first used in lab 2 to copy unallocated space and slack space
  – dstat
  – dcalc – first used in lab 3 to compute the absolute block to recover

Questions?
After all, you are an investigator.
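The Partitioning slide in Module 2 and the MBR step of the Boot Process in Module 3 describe the Master Partition Table only in words. The following Python parser is an added example, not part of the lecture and not from any tool the lecture names. It reads the four 16-octet MPT entries of a 512-octet MBR (status, CHS start, type, CHS end, LBA start, sector count, which is the standard entry layout), identifies the active partition whose VBC would run, cross-checks the redundant CHS and LBA address fields against the linear model, and lists the unpartitioned sectors (the leading track, inter-partition gaps and the tail). The sample MBR, the 255-head/63-sector geometry and the partition-type subset are all constructed for the example.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"
MPT_OFFSET = 446        # the Master Partition Table follows the master boot code
ENTRY_SIZE = 16
# Small subset of partition-type ids for readable output (not exhaustive)
PARTITION_TYPES = {0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
                   0x0C: "FAT32 (LBA)", 0x82: "Linux swap", 0x83: "Linux"}

def decode_chs(raw):
    """Unpack a 3-byte CHS field: head; 6-bit sector + cylinder high bits; cylinder low byte."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector

def encode_chs(lba, heads=255, spt=63):
    """Pack an LBA as a CHS field; past cylinder 1023 the field saturates, as partitioning tools do."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec = divmod(rem, spt)
    sec += 1                                   # CHS sectors are numbered from 1
    if cyl > 1023:
        cyl, head, sec = 1023, heads - 1, spt
    return bytes([head, (sec & 0x3F) | ((cyl >> 2) & 0xC0), cyl & 0xFF])

def chs_to_lba(chs, heads=255, spt=63):
    """The linear model: one CHS tuple maps to one absolute sector number."""
    cyl, head, sec = chs
    return (cyl * heads + head) * spt + (sec - 1)

def parse_mbr(sector, heads=255, spt=63):
    """Return the non-empty MPT entries of a 512-octet MBR sector."""
    if len(sector) < SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA signature: not an MBR")
    entries = []
    for i in range(4):
        off = MPT_OFFSET + i * ENTRY_SIZE
        status, chs_start, ptype, chs_end, lba_start, count = struct.unpack(
            "<B3sB3sII", sector[off:off + ENTRY_SIZE])
        if ptype == 0 and count == 0:
            continue                           # unused table slot
        entries.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                        "chs_start": decode_chs(chs_start), "chs_end": decode_chs(chs_end),
                        "lba_start": lba_start, "sectors": count,
                        "lba_end": lba_start + count - 1})
    return entries

def active_partitions(entries):
    """The MPT should flag exactly one active partition; zero or several is an anomaly to report."""
    return [e for e in entries if e["active"]]

def chs_matches_lba(entry, heads=255, spt=63):
    """Cross-check the redundant CHS and LBA fields; None means the CHS field is saturated."""
    saturated = (1023, heads - 1, spt)
    return {name: None if chs == saturated else chs_to_lba(chs, heads, spt) == lba
            for name, chs, lba in (("start", entry["chs_start"], entry["lba_start"]),
                                   ("end", entry["chs_end"], entry["lba_end"]))}

def unallocated_gaps(entries, total_sectors):
    """Sectors covered by no partition (leading track, inter-partition gaps, tail) as (first, length)."""
    gaps, cursor = [], 0
    for e in sorted(entries, key=lambda e: e["lba_start"]):
        if e["lba_start"] > cursor:
            gaps.append((cursor, e["lba_start"] - cursor))
        cursor = max(cursor, e["lba_end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps

def build_entry(status, ptype, lba_start, count):
    """Pack one 16-octet MPT entry (used only to construct the sample)."""
    return struct.pack("<B3sB3sII", status, encode_chs(lba_start), ptype,
                       encode_chs(lba_start + count - 1), lba_start, count)

# Constructed sample: a 40,000,000-sector disk, three partitions, a 65-sector
# inter-partition gap between partitions 1 and 2, and unpartitioned space at the end.
TOTAL_SECTORS = 40_000_000
SAMPLE_MBR = (bytes(MPT_OFFSET)                            # stand-in for the MBC
              + build_entry(0x80, 0x07, 63, 2_000_000)
              + build_entry(0x00, 0x83, 2_000_128, 1_000_000)
              + build_entry(0x00, 0x0C, 3_000_128, 30_000_000)
              + bytes(ENTRY_SIZE)                          # empty fourth slot
              + MBR_SIGNATURE)

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        flag = "*" if p["active"] else " "
        print(f"#{p['index']}{flag} {p['type_name']:12} LBA {p['lba_start']}-{p['lba_end']}"
              f" CHS check {chs_matches_lba(p)}")
    print("active:", [p["index"] for p in active_partitions(parts)])
    print("unallocated (first, length):", unallocated_gaps(parts, TOTAL_SECTORS))
```

Two points this makes visible: LBA numbering starts at 0, so the slide's "sector 1" (CHS 0/0/1) is LBA 0 and the first reported gap, (0, 63), is the MBR's own track; and the CHS and LBA fields are redundant copies of the same address, so a disagreement between them (when the CHS field is not saturated) is a cheap first check for a damaged or edited table before any partition is mounted.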
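The data-unit layer entries above (dls copying unallocated space, dcalc computing the absolute block to recover) describe the lab workflow without showing the arithmetic behind it. The following Python model is an added example, not Sleuth Kit code and not from the lecture: it builds a constructed 16-block volume with an allocation bitmap, extracts the unallocated blocks the way dls does, finds a keyword in that extract, and maps the hit back to the block in the original volume (the dcalc -u mapping) and to its byte offset in a whole-disk image. The 16-byte block size, the bitmap, the volume start sector and the planted marker are all constructed; in a real case the block size comes from fsstat and the start sector from the partition table.

```python
# Constructed parameters for the model (a real case takes the block size from
# fsstat and the volume's first sector from the partition table).
SECTOR_SIZE = 512
BLOCK_SIZE = 16                # toy block size so the sample image stays small
VOLUME_START_SECTOR = 63       # first sector of the partition holding the volume
# Constructed allocation bitmap, one character per block: '1' allocated, '0' not
BITMAP = "1110010011010001"

def unallocated_blocks(bitmap):
    """Absolute block numbers of every unallocated block, in volume order."""
    return [i for i, bit in enumerate(bitmap) if bit == "0"]

def dls_extract(image, bitmap, block_size=BLOCK_SIZE):
    """What dls does: concatenate the unallocated blocks into a new image."""
    return b"".join(image[b * block_size:(b + 1) * block_size]
                    for b in unallocated_blocks(bitmap))

def find_in_unallocated(dls_image, needle, block_size=BLOCK_SIZE):
    """Locate a keyword in the dls image: (block in dls image, offset in block) or None."""
    pos = dls_image.find(needle)
    if pos < 0:
        return None
    return divmod(pos, block_size)

def unallocated_to_absolute(bitmap, dls_block):
    """dcalc -u: block number in the dls image -> block number in the original volume."""
    blocks = unallocated_blocks(bitmap)
    if dls_block >= len(blocks):
        raise IndexError("block %d is beyond the end of the unallocated image" % dls_block)
    return blocks[dls_block]

def absolute_to_unallocated(bitmap, abs_block):
    """Reverse mapping; None when the block is allocated and so absent from the dls image."""
    if bitmap[abs_block] == "1":
        return None
    return unallocated_blocks(bitmap).index(abs_block)

def image_byte_offset(abs_block, block_size=BLOCK_SIZE, volume_start=VOLUME_START_SECTOR):
    """Byte offset of a volume block inside the whole-disk image, for dd-style extraction."""
    return volume_start * SECTOR_SIZE + abs_block * block_size

def build_sample_image():
    """Constructed volume: 16 filler blocks with a marker planted in unallocated block 10."""
    blocks = [bytes([0x41 + i]) * BLOCK_SIZE for i in range(len(BITMAP))]
    blocks[10] = b"FOUND-IN-UNALLOC"          # exactly one 16-byte block
    return b"".join(blocks)

if __name__ == "__main__":
    image = build_sample_image()
    dls_image = dls_extract(image, BITMAP)
    dls_block, offset = find_in_unallocated(dls_image, b"UNALLOC")
    abs_block = unallocated_to_absolute(BITMAP, dls_block)
    print(f"keyword at dls block {dls_block} (+{offset}) -> volume block {abs_block},"
          f" disk-image byte offset {image_byte_offset(abs_block)}")
```

The point of the reverse mapping is the common mistake it catches: a block number read off the dls image is meaningless against the original volume until it is translated, and an allocated block can never have a dls counterpart, so a lookup that returns None is a sign the wrong image was being searched.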