Selective and Intelligent Imaging Using Digital Evidence Bags

Bit-Stream imaging

Bit-by-bit copy from source drive to a forensic image

Small drives

• Effective

• Quick

Large drives

• Resource-consuming

• Time-consuming

Source Image

Bit-Stream imaging

May not be best to implement all the time

More useful imaging:

• Specify information to include

• Sort relevant data

Keep the process simple, but more effective than simple bit-stream imaging

Selective Imaging

Improvement on bit-stream imaging

Decides what content to include in the image based on some criteria

• File type (pictures, email logs, etc)

• Creation date

Used for multiple reasons

• Large drive

• Infeasible to make complete image

• Legal requirements

Selective Imaging

Manual

• Forensic investigator arbitrarily decides what files to include in the image

• File browser is used to navigate the file system

• Image is created based on the selections

Multiple types of selective imaging

Different modes of operation for each

File.doc

Selective Imaging

Semi-Automatic

• Forensic investigator uses categories of information or other criteria to decide what files to includeo File extensiono Signatureo Hash

• Imager includes files satisfying the criteria

Image

.JPG

.DOC

.DOC Criteria

Selective Imaging

Automatic

• Forensic investigator specifies source drive and destination target for the image

• Imaging application collects the relevant evidence

• Uses configuration files to decide what information to include

• Configuration files defined before run time (usually specific to the case)

SourceDrive

Image Destination

Imager Config.

Selective Imaging

Imaging options can get very complex

No way of keeping track of where the data came from originally

Data origin includes:

• Physical sector location (data runs)

• Logical cluster location (start of volume + offset)

• Folder location (path from root folder)

?

Data

Intelligent Imaging

Another way to improve on bit-stream imaging

Capture knowledge of domain experts to use in an intelligent system

Nontechnical users can acquire and analyze an image

• Choose the case type

• Imager acquires relevant information

• Based expert knowledge of the case type

Intelligent Imager

Intelligent Imaging

Meant to alert investigator of information categories outside initial line of inquiry

Not supposed to decide what to capture in the image

Difficulties:

• How do you get the expert knowledge?

• How do you know nothing is missing?

Imaging Problems

Selective and intelligent imaging offer more options than bit-stream imaging

However, no current (2006) tool implements selective or intelligent imaging while recording origin of information

No method records how an examiner or imager decided what to acquire

• Manual mode?

• Categories of information?

• Signatures?

DEBs

Selective and intelligent imagers can produce Digital Evidence Bags (DEBs)

Universal container for digital information

• Supports any source drive

• Data origin recorded, maintained

• Encapsulated (DEBs inside DEBs)

DEBs

A homogenous DEB is produced even if there are:

• Different drive sources

• Different imagers

• Device-specific imagers

Analysis and examination applications would be compatible with DEBs, independent of drive source

DEBs

DEBs

Source drives

• Drives with information to capture

DEBs

Selective/Intelligent Imager

• Imager application

• Acquires relevant information from source drives

DEBs

Category Definition File & Imager Configuration File

• Additional information for imager decisions

DEBs

Digital Evidence Bag

• Produced by Selective/Intelligent Imager from source drives

• Contains captured information

DEBs

Dynamic creation

Imager able to create a DEB regardless of mode of operation

• Manual

• Semi-Automatic

• Automatic

Mode of operation also recorded in the DEB

DEBs

DEB components:

• .tag files

• .index files

• .bag files

Evidence Unit (EU):

• .index + .bag files

DEBs

.tag files

Plaintext file with sections

.tag sections:

• [DEB Header]

• [Evidence Units]

• [DEB Footer]

• [TCB]

[DEB Header]

Contains metadata about the DEB and Index Format

DEBs

DEBs

[DEB Header]

Metadata:

• Investigator(s)

• Creation timestamp

• Description of evidenceo What evidence was collectedo Where evidence was collectedo When evidence was collected

DEBs

[DEB Header]

Index Format specifies the default content sequence of DEB .index files

Defines layout of information in an .index file

.index files are defined by meta-tags that store information captured from a device

DEBs

.index file meta-tags categories:

• Labelso File name/path (F), origin description (P), file attributes (Fa), command

(C)

• Timestampso Last modified (Tmod), accessed (Tacc), created (Tcrea)

• Numerico Physical sector (PS), Logical cluster number (LCN), file logical size

(Fls), file physical size (Fps)

• Integrityo MD5 hash (Hmd5), SHA hash (Hsha)

Index Format : F LCN PS Fa Tacc Tmod Tcre Fla Fps Hmd5

DEBs

[Evidence Units]

Records all EU's created in the DEB and their content type

EU integrity hashes:

• .index file hash

• .bag file hash

Format:

EU = ##

IndexHash = <Hash>

BagHash = <Hash>

ContentType = <Type>

DEBs

[Evidence Units]

The content of the first EU (Evidence Unit 0) is reserved for case notes and metadata about the case:

• Imager used to create DEBo Version numbero Integrity hasho Configuration fileo Capture criteria

• Additional informationo Photoso Text

DEBs

[Evidence Units]

The content of the rest of the EUs are defined by the examiner

Based on:

• Case requirements

• Configuration of imager tool

DEBs

[Evidence Units]

Content types:

• ContentType-Sig=<File signatures>

• ContentType-Ext=<File extensions>

• ContentType-Cat=<Category type>

• ContentType-Manual=<label>o Manually selected contents

• ContentType-CLI=<label>o Contents from command line

DEBs

[DEB Footer]

Records the number of EUs in a DEB, includes the .tag file integrity hash

DEBs

[TCB]

Tag continuity blocks (not pictured)

• Appended at the end of the DEB .tag file whenever accessed or analyzed

• Records application function, signature, and timestamp of access

DEBs

.index files

Contains metadata about information contained in the DEB Evidence Unit

Uses meta-tags to organize metadata

DEBs

.bag files

Concatenation of imager-generated binary information

• Referenced by each entry in the corresponding index file

DEBs

The Ultimate Test

Ultimate test for any imager and container that does not generate or store standard bit-stream images:

• Imaging method and container must store enough information about the origin of data captured so that when the information is restored it is identical to what would have been acquired with bit-stream imaging

To do this you must have application able to process DEB .index file physical data location in ascending order, generate hash over .bag contents

This would generate an image with the same contents as a bit-stream image

Conclusion

Many options exist for selective capturing of information

The container in which the captured information is stored is also important in order to ensure:

• Defined structure

• Unhindered examination

We can better understand the selective approach by following the techniques described

References

• http://www.dfrws.org/2006/proceedings/8-Turner.pdf

THANK YOU