Slides from my workshop on Digital Forensics at the FLOSSUK DevOps conference 2015 in York

1. Digital Forensics
Practical Workshop

2. Who am I?
Tim Fletcher
@TimJDFletcher
http://blog.night-shade.org.uk

3. What are we going to cover?
Brief legal overview
Where can you find digital evidence
Collecting and preserving digital evidence
Examining digital evidence
Documenting the process

4. What am I not going to cover
Digital Forensics is a massive area and this
workshop only scratches the surface
Windows commercial tools
Network forensics
Report writing

5. So what, why do I care about this?
Understanding the landscape, what information
can be retrieved
Forensics Readiness, eg collecting FDE keys
Incident response
Ever been asked to “have a look at” what
someone has been doing?

6. Legal Overview
First I’m not a lawyer, but I have studied some
of the key acts involved.
Respect other people’s privacy
Have a plan if you find something unexpected
eg child pornography or terrorist material

7. ACPO Guidelines
Who are they - Association of Chief Police
Officers
Set guidelines on procedures for all police
forces in England and Wales
The guidelines are well thought out

8. Principle 1
No action taken by law enforcement agencies,
persons employed within those agencies or
their agents should change data which
may subsequently be relied upon in court.

9. In circumstances where a person finds it
necessary to access original data, that person
must be competent to do so and be able to give
evidence explaining the relevance and the
implications of their actions.
Principle 2

10. Principle 3
An audit trail or other record of all processes
applied to digital evidence should be created
and preserved. An independent third
party should be able to examine those
processes and achieve the same result.

11. Principle 4
The person in charge of the investigation has
overall responsibility for ensuring that the law
and these principles are adhered to.

12. Collecting Evidence
If you are examining digital evidence in a
workplace, consult HR and get permission in
writing.
If you are doing this professionally make sure
you have advice and support from a real
lawyer.

13. Chain of evidence
It is absolutely critical to be able to account for
what happened to an exhibit such as a
computer from the moment it was seized to the
moment it was examined by a forensic
examiner.
Fear the words “I’ve had a quick look…..”

14. Training
For learning and training purposes the key
point is that you should only examine kit you
own, and if in doubt seek advice from a real
lawyer.
Today you will get an iPhone and a Windows
system image to examine

15. Attribution
Digital evidence proves “a computer” did
something
Proving who was using the computer at the
time can be challenging.
Digital evidence can be considered “hearsay”

16. Where do you find digital evidence?
Desktops / Laptops
Embedded devices, eg home routers
Servers / Home NAS units
Cell phones
The Cloud
Public Internet / Social Media

17. Tools for collecting
Disk imaging - depends on your budget
Write blockers - hardware is expensive
Software can work
Collect to a blank disk - SSDs help here
otherwise 4 pass badblocks test
Key point - practice and test

18. How do you gather evidence?
Pull the power, ship it to the lab…...
When would this work?
When wouldn’t this work?
What about cloud storage?
What about Mobile devices?
What about full disk encryption?

19. Imaging normal computers
If the computer is active
Document the screen / gather artifacts
Assess if there is encryption
Do you need to image the RAM?
Secure the system and plan investigation

20. Imaging FDE computers
Who has the password?
Gather evidence without powering off?
Other evidence sources, logs or backups?
Exploit firewire or thunderbolt?
Cold boot attack - only get 1 go

21. Mobile devices
Passcodes / PINs
Backups?
Cloud storage?
Hardware flaws?
Remember - Faraday bags to stop remote wipe

22. NAS units and servers
Vast amounts of data
How do you find what matters?
Are you invading others privacy?
What is the business impact of seizure?
Where are they and who owns them?
Mostly just normal computers

23. Examining Digital Evidence
Understand the context
Consider what you are looking for
Build and understand a timeline

24. Digital Triage - what is the context?
Understand your adversary
Examine what matters
Reduce the evidence you have
Eliminate noise - eg NIST hash DB

25. What are you looking for?
Image files
Geolocation
Emails / Messages
Meta data
Content
Browser history

26. Timelines
What happened when?
Who or what caused it to happen?
What order did things happen in?
Correlation with other sources
System logs, Social Media
Can often point to new sources of evidence

27. Tool selection
There are 100s of tools that let you examine
systems, pick those you are comfortable with.
Autopsy - web front end to “the sleuthkit”
Standard unix tools find, strings and etc
Other tools - exiftool, sqlitebrowser
Windows tools - nirsoft and sysinternals
Volatility - Memory forensics

28. Mobile devices
Is the device jailbroken or joined to a MDM
Can you get the PIN?
Specialist software tools
iOS - Elcomsoft
Older Apple hardware - Limera1n
Android - ADB

29. Training - II
Virtualisation is very powerful for learning and
training
Resettable state - test your tool or technique
and then reset the VM
Dump RAM contents without complex tools

30. Documentation
Remember ACPO principle 3
Contemporaneous notes, paper or electronic
Video and photographic evidence is powerful
Log system sessions eg ssh

31. Your evidence bags
32GB memory stick containing
iPhone4 image - raw nand, key bag and
encrypted disk image
Windows XP disk image
1GB memory stick image
Remember - chain of evidence

32. Windows XP
Simple unencrypted computer

33. iOS exploitation demo
Using iphone-dataprotection
https://code.google.com/p/iphone-dataprotection/
iPhone 4 - note this doesn’t work on newer
models
Exploits the bootloader, uploads a ramdisk
Lets you bruteforce the PIN and extract the
NAND

34. What do you know?
Fluffy the dog has been dognapped!
The owner has been told to meet at a pub
The dognapper might have scouted the area
An iPhone and laptop have been seized
Can you find evidence that the owner of them
was involved?

35. What you are looking for
Photos
Emails
SMS messages
Documents
Internet History

36. Tools to use
sha1sum - check your images
Autopsy - apt-get install autopsy
Exiftool - apt-get install perl-exiftool
SQLitebrowser - apt-get install…..
Kali Linux - Bootable from the Memory Stick

37. Autopsy
Perl based web front end to The SleuthKit
Allows file browsing of disk images
Search for text strings
Build file timelines
Extract raw disk sectors

38. Interesting files on the memory stick
Memory Stick: MemoryStick.raw.gz
Windows: WindowsXP.raw.gz
iPhone: d0c3eaaaa2/d0c3eaaaa2-data.dd.gz
Checksums: sha1sums

39. Starting points
Most user files in iOS are under /var/mobile
iOS includes lots of SQLite databases
The memory stick might tell you where to look
Recycle Bin and Web history

40. How would I do this?
Copy disk images to high speed storage
Import into Autopsy
Timeline the disk images
Catch low hanging fruit first
Photos
Web history
Email