The document discusses open source digital forensics tools and their use in investigations and court. It covers topics like the pros and cons of open source tools, common tools used like dd, The Sleuth Kit, and Helix, and issues around proprietary software and ensuring evidence is admissible in court.
FOSS Digital Forensics

BJ Gleason, Associate Professor, University of Maryland

Overview
- What is Free and Open Source Software?
- The Pros and Cons of FOSS
- Open Source Tools
  - Utilities
  - Helix
  - Other Live CDs
- Open Source in Court

What is FOSS?
- Free and Open Source Software
- Free Redistribution
- Access to Source Code
- Allows for Derived Works

When programmers can read, redistribute, and modify the source code for a piece of software, the software evolves. People improve it, people adapt it, people fix bugs.

Pros of Open Source


- Lower acquisition costs
- Can examine the code (look under the hood)
- Greater independence from companies
  - Can be maintained even if the company disappears
  - Proprietary formats lead to vendor lock-in
- Cutting-edge development
- Internationalization
- Selection
- Security

Pirated Forensic Software


There have been several US domestic and international cases where forensic examiners have used pirated copies of forensic software. This has caused the defense to challenge the authenticity and reliability of the evidence and the examiner. The results can be devastating for the prosecution.

International Cooperation

In March 2005, according to the Ministry of Public Security, a man who hacked into 100,000 computers to launch group attacks was arrested in Tangshan, north China's Hebei Province. More than 60,000 of the 100,000 "corpse network" computers were within China, and some of them were owned by government departments and other important sectors. That means about 40,000 computers were located outside of China. Using forensic software that all countries can share can promote international cooperation.

Cons of Open Source


- Lack of support / documentation
- May require additional technical skills
- Developers abandon applications
- Compatibility issues
- Training not always available

Common Open Source Tools


GNU dd
- Used by the FBI, among other tools, in the Zacarias Moussaoui case

The Coroner's Toolkit, The Sleuth Kit, and Autopsy Browser
- Can analyze multiple file system types

Foremost and Scalpel
- Data carving

md5sum, sha1sum
- Used to create digital fingerprints of evidence

Others
- Fatback, ntfsundelete: recover deleted files
- Tcpdump: packet decoder
- Snort: intrusion detection system
- Ethereal: network protocol analyzer

Cell Phone Forensics


In April 2004, registered GSM cell phones exceeded 1 billion.

Researchers in Italy developed SIMbrush: an Open Source Tool for GSM and UMTS Forensics Analysis.

Why Open Source? If a tool cannot be examined and tested, it is contrary to the principles of forensic soundness, digital integrity and the definition of Digital Forensics itself. In addition, this is no longer a theoretical problem, because it could invalidate the results of a digital investigation at the court stage, where the cost of such a failure is highest.

Forensic Server Project


Developed by Harlan Carvey, the Forensic Server Project (FSP) is an open-source framework for collecting volatile and non-volatile information from live systems. FSP consists of a server component and a client component, the "First Responder Utility". The software is available from the Windows Forensics and Incident Recovery website and is also included on some of the Live CDs, such as Helix. Open source allows the tool to be tailored to the environment.


Helix
- e-fense, Inc.
- Free download
- Windows utilities
- Bootable Linux CD
- Designed for:
  - Forensics
  - Incident Response
  - Electronic Discovery
- Collection of Open Source tools
- Updated every 3 months


Tools

- Standard Windows trusted binaries and utilities
- Statically compiled binaries for Linux and Solaris
- Other free tools
  - Foundstone tools: fport, sfind, hfind, afind, ntlast, etc.
  - Sysinternals tools: psloggedon, pslist, ntfsinfo, etc.
  - Cygwin toolkit
- sleuthkit: Brian Carrier's replacement for TCT.
- autopsy: Web front-end to sleuthkit.
- mac-robber: TCT's grave-robber written in C.
- MAC_Grab: e-fense MAC time utility.
- AIR: Steve Gibson forensic acquisition utility.
- foremost: Carve files based on header and footer.
- fatback: Analyze and recover deleted FAT files.
- md5deep: Recursive md5sum with database lookups.
- sha1deep: Recursive sha1sum with database lookups.
- dcfldd: dd replacement from the DCFL.
- sdd: Specialized dd with better performance.
- PyFLAG: Forensic and Log Analysis GUI.
- Faust: Analyze ELF binaries and bash scripts.
- e2recover: Recover deleted files in ext2 file systems.
- Pasco: Forensic tool for Internet Explorer analysis.
- Galleta: Cookie analyzer for Internet Explorer.
- Rifiuti: "Recycle Bin" analyzer.
- Bmap: Detect and recover data in used slack space.
- Ftimes: A toolset for forensic data acquisition.
- chkrootkit: Look for rootkits.
- rkhunter: Rootkit hunter.
- ChaosReader: Trace tcpdump files.
- lshw: Hardware lister.
- logsh: Log your terminal session.
- ClamAV: ClamAV anti-virus scanner.
- F-Prot: F-Prot anti-virus scanner.
- 2 Hash: MD5 and SHA1 parallel hashing.
- glimpse: Indexing and query system.
- Outguess: Stego detection suite.
- Stegdetect: Stego detection suite.
- Regviewer: Windows Registry viewer.
- Chntpw: Change Windows passwords.
- Grepmail: Grep through mailboxes.
- logfinder: EFF logfinder utility.
- linen: EnCase image acquisition tool.
- Retriever: Find pics/movies/docs/web-mail.
- Scalpel: Carve files based on header and footer.

Live System Response


Goals
- Determine if an incident has occurred or is in progress.
- Take steps to contain the incident.
- Record all steps taken.

Tools Required
- View processes, network ports, disk files.
- Network sniffer and diagnostic tools.
- Trusted binaries. Can't trust any programs on the system.
- Tools to help automate information gathering and reporting.

Note: Everything done on a live system changes it!
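The live-response rules above as a small POSIX shell collector, added here as an example and not taken from the presentation or from Helix: lr_run executes only binaries found in TRUSTED_BIN (assumed to point at the mounted Helix CD or a verified copy of its statically compiled tools) and appends each step, its UTC timestamp and a SHA-1 of its output to an audit log. The function names, the log format and the command set are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the slides: a minimal live-response collector that
# follows the slide's rules. Only binaries in TRUSTED_BIN (assumed: the mounted
# Helix CD or a verified copy of its static tools) are executed, every step is
# logged with a UTC timestamp and a SHA-1 of its output, and results go to
# OUT_DIR, which should be removable media or a share, never the suspect's disk.

set -u

# lr_run LOG OUT_DIR CMD [ARGS...]
# Run CMD with PATH limited to TRUSTED_BIN, store its output under OUT_DIR and
# append one audit line. A tool missing from TRUSTED_BIN fails loudly instead
# of silently falling back to the (untrusted) copy on the suspect system.
lr_run() {
    log=$1; out=$2; shift 2
    # derive a file name from the command line: non-alphanumerics become '_'
    name=$(printf '%s' "$*" | PATH="$TRUSTED_BIN" tr -c 'A-Za-z0-9' '_')
    f="$out/$name.txt"
    ts=$(PATH="$TRUSTED_BIN" date -u +%Y-%m-%dT%H:%M:%SZ)
    PATH="$TRUSTED_BIN" "$@" >"$f" 2>&1
    rc=$?
    sum=$(PATH="$TRUSTED_BIN" sha1sum "$f" | PATH="$TRUSTED_BIN" cut -d' ' -f1)
    printf '%s rc=%d sha1=%s cmd=%s out=%s\n' "$ts" "$rc" "$sum" "$*" "$f" >>"$log"
    return "$rc"
}

# lr_collect LOG OUT_DIR
# A fixed, repeatable order of volatile data first (clock, then host identity,
# then the session itself), so two responders produce comparable records.
lr_collect() {
    lr_run "$1" "$2" date -u    # system clock, to compare with the examiner's clock
    lr_run "$1" "$2" uname -a   # kernel and host identity
    lr_run "$1" "$2" id         # who the collector is running as
    lr_run "$1" "$2" env        # environment of the response session
}
```

Extend lr_collect with the process, port and open-file listings from the toolkit in use; every added command lands in the same audit log.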

Helix Live Response


Audit Trail

Dead System Response


Goals
- Gather evidence from computer media.
- Gather evidence from network traffic logs.
- Analyze data to determine what happened.
- Do not alter the evidence.
- Maintain a chain of evidence.
- Create a record of all steps taken.

Tools Required
- Tools to acquire the digital data.
- Tools to analyze the data.
- Tools to help automate the analysis and create a record.

Helix Bootable Environment

Acquisition

Autopsy Browser

Reasons to Use Linux


- It can run from bootable media
- Supports many file system types
  - Ext2, Ext3, FFS, UFS (Linux, BSD, Unix)
  - FAT, VFAT, NTFS (DOS, Windows)
  - HFS (Mac), ISO9660 (CD-ROM)
- Can examine a file system without affecting it
  - Windows tools require hardware write-blockers
- Many forensic analysis tools developed for it
- Control over file system access
  - Drives are not mounted by default
  - Can be mounted with options such as:
    - read-only, to prevent modifying files
    - noatime, to prevent modifying access times
    - noexec, to prevent executing code by mistake
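An added example (not the presentation's or any tool's own code) tying together the dd acquisition, the md5sum/sha1sum fingerprints and the mount options above: acquire images a write-blocked device, fingerprints source and image before and after, and logs each step; mount_ro mounts a partition from the image with ro, noatime and noexec. The function names and the log format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the slides: dd acquisition with md5sum/sha1sum
# fingerprints, verification and a step log, plus a read-only mount helper
# using the options the slides list. DEVICE is assumed to sit behind a
# write-blocker (in the test it is a constructed file); nothing here writes to it.

set -u

# Fingerprint a file: prints "<md5> <sha1>" on one line.
fingerprint() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha1sum "$1" | cut -d' ' -f1)"
}

# acquire DEVICE IMAGE LOG
# Hash the source, dd it to IMAGE, hash the image, then re-hash the source.
# Returns 0 only if all three fingerprints agree; every step is appended to LOG.
acquire() {
    dev=$1; img=$2; log=$3
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) acquisition start src=$dev dst=$img" >>"$log"
    src=$(fingerprint "$dev")
    echo "pre-image source hashes: $src" >>"$log"
    # bs=512 matches the sector size, so conv=noerror,sync only ever pads
    # unreadable sectors with zeros and keeps every offset aligned with the source.
    dd if="$dev" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1
    dst=$(fingerprint "$img")
    echo "image hashes: $dst" >>"$log"
    post=$(fingerprint "$dev")
    echo "post-image source hashes: $post" >>"$log"
    if [ "$src" = "$dst" ] && [ "$src" = "$post" ]; then
        echo "VERIFIED: image matches unchanged source" >>"$log"
        return 0
    fi
    echo "MISMATCH: image or source hashes differ" >>"$log"
    return 2
}

# mount_ro IMAGE SECTOR MOUNTPOINT
# Mount the partition that starts at SECTOR (for example as reported by the
# Sleuth Kit's mmls) through a loop device with ro, noatime and noexec.
# Needs root and a Linux mount(8); not exercised by the test below.
mount_ro() {
    mount -o ro,noatime,noexec,loop,offset=$(( $2 * 512 )) "$1" "$3"
}
```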

Other Live CDs


- Auditor / Backtrack - http://www.remote-exploit.org
  - System auditing, penetration testing
- THE FARMER'S BOOT CD - http://www.forensicbootcd.com
  - Optimized for previewing systems before acquisition
- Many other Live CDs available
  - Different features
  - Different focuses
  - Some free, others low cost

Open Source in Court

Can these open source tools be used in a court of law?


- Short answer: Yes
- Long answer: Depends
- Falls under the rules of scientific evidence

Daubert v Merrell Dow (1993)


Daubert criteria
- Whether it [a scientific theory or technique] can be (and has been) tested
- Whether the theory or technique has been subjected to peer review and publication
- Consider the known or potential rate of error... and the existence and maintenance of standards controlling the technique's operation
- The technique is generally accepted as reliable in the relevant scientific community

These criteria have been recognized worldwide

Open Source and Daubert


Testing
- Closed source relies on the vendor

Peer review and publication
- Open source allows more experts to examine the code

Error Rate
- Closed source: black-box testing is not conclusive
- Open source software was determined to be more reliable than commercial software in a study designed to test failure rates of software utilities

General Acceptance
- Used and recommended by the National White Collar Crime Center, SANS and many others

Problems with Closed Source


Problems of using proprietary / law-enforcement-only products:
- Disclosure of method
- Protection of the commercial interests of the vendor
- Parity of arms for the defence
- Proprietary formats and disclosure (the release of material to the defence)

DUI Defendants Beat Charge By Asking for Source Code


Seminole County, Florida, June 2005. Hundreds of DUI defendants had their cases thrown out because the vendor of the breathalyzer units had refused to disclose its proprietary source code. Unless such disclosure is made, the Seminole criminal bench is not satisfied that evidence procured from the machines is reliable. According to the vendor, it should not be required to reveal trade secrets in order for the DUI convictions to stand. Seminole judges have ruled that although the information may be a trade secret and controlled by a private contractor, defendants are entitled to it. The whole point, defense attorneys say, is that defendants have a right to know how the machine works and whether it is working accurately.

Ensuring Admissibility

Evidence collection
- Correct legal processes
- Accepted techniques and tools
- Properly trained personnel
- Chain of custody
- Establishing provenance
- Corroboration
- Validation and verification


Some Questions
- Can the results of the technical analysis be duplicated using other tools?
- Does the analyst understand what the tools they use are actually doing, or are they merely taking for granted what an automated process is reporting?
- Do other professionals use the same techniques and methodology?
- Is the analyst technically capable of defending/supporting their interpretation of the evidence?

An Answer
"If the tools being used are the mechanism to find evidence on a computing device, and several different tools can replicate the process, then it doesn't matter what tools were used. The evidence is simply there and can be found by any competent forensic analyst using a variety of tools." (Steven Hailey)

Any Questions?

BJ Gleason, University of Maryland, [email protected]

References and Websites


- Open Source - http://www.opensource.org
- Open Source Digital Forensics - http://www.opensourceforensics.org/
- Carrier, Brian. Open Source Software in Digital Forensics. http://www.digital-evidence.org/papers/opensrc_legal.pdf
- Preservation of Fragile Digital Evidence by First Responders. http://www.dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf
- Incident Response Homepage - http://www.incidentreponse.org
- Sleuthkit, Autopsy, and mac-robber - http://www.sleuthkit.org
- Remote Data Acquisition - http://www.md5sa.com/downloads/rda
- Foundstone tools - http://www.foundstone.com
- Gatekeeping Out Of The Box: Open Source Software As A Mechanism To Assess Reliability For Digital Evidence - http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally.html
- Helix - http://www.e-fense.com/Helix
- GPL and other licenses - http://www.opensource.org/licenses/
- THE FARMER'S BOOT CD - http://www.forensicbootcd.com
