My Road to Digital Forensics Excellence

Day 1 DC3-2011 Part 1

Posted by Paul Bobby on January 26, 2011

Shadow Volume Link Manager and VirtualBox – Timothy Leschke
The presenter discussed the challenge he faced analyzing data from VSCs – five years ago. At that time XP was still the most prominent desktop OS – Vista was still trying to eke out an existence. However, when the Vista examinations finally came along, how does one tackle the problem of the volume shadow copy?

The presenter walked us through the usual techniques of list shadows and mklink, but again, the main problem was developing an operational analysis environment that could run under Windows XP.

He settled on VirtualBox as the VM method of choice; a choice that was easily made since it was the only product that worked. The issue was the inability of other VM products to mount a drive as a physical device – they all mounted them as logical devices. A running volume shadow service can only interrogate the VSCs on a volume if that volume is listed as a physical disk in Disk Manager.
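The list-shadows-then-mklink workflow the presenter described is easy to script once the evidence volume shows up as a physical disk and the shadow service can see its VSCs. The following is an added Python example, not code from the talk or from any tool it mentions: it parses the text layout that `vssadmin list shadows` prints and emits one `mklink /d` line per snapshot. The sample output, GUIDs, timestamps, machine name and the `C:\vsc` mount root are all constructed placeholders.

```python
import ntpath
import re

# Constructed sample in the layout `vssadmin list shadows` prints (not captured
# from a real system; GUIDs, machine name and timestamps are placeholders).
SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 1/20/2011 9:02:11 AM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: EXAMINER-WS
         Service Machine: EXAMINER-WS
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 1/21/2011 9:03:40 AM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: EXAMINER-WS
         Service Machine: EXAMINER-WS
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential
"""

# One match per snapshot: creation time, shadow ID, source volume, device path.
SHADOW_RE = re.compile(
    r"creation time:[ \t]*(?P<created>[^\r\n]+)\s+"
    r"Shadow Copy ID:[ \t]*(?P<id>\{[0-9A-Fa-f-]+\})\s+"
    r"Original Volume:[ \t]*(?P<original>[^\r\n]+)\s+"
    r"Shadow Copy Volume:[ \t]*(?P<device>[^\r\n]+)"
)


def parse_vssadmin(text):
    """Return one dict per snapshot, in the order vssadmin listed them."""
    return [{k: v.strip() for k, v in m.groupdict().items()}
            for m in SHADOW_RE.finditer(text)]


def mklink_commands(shadows, mount_root=r"C:\vsc"):
    """Build the `mklink /d` lines that expose each snapshot as a directory.

    The trailing backslash on the device path is required; without it the
    link is created but cannot be browsed.
    """
    cmds = []
    for s in shadows:
        name = ntpath.basename(s["device"])        # e.g. HarddiskVolumeShadowCopy1
        link = ntpath.join(mount_root, name)
        cmds.append(f"mklink /d {link} {s['device']}\\")
    return cmds


def cleanup_commands(shadows, mount_root=r"C:\vsc"):
    """`rmdir` removes a directory symlink without touching the snapshot."""
    return [f"rmdir {ntpath.join(mount_root, ntpath.basename(s['device']))}"
            for s in shadows]


if __name__ == "__main__":
    found = parse_vssadmin(SAMPLE_VSSADMIN_OUTPUT)
    for s in found:
        print(f"{s['created']:>22}  {s['device']}")
    print("\n".join(mklink_commands(found)))
```

In practice you would feed the function the captured output of the real command and run the generated lines from an elevated prompt; the parser is deliberately anchored on the field labels rather than indentation, since the indentation varies between Windows versions.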

The coup for this presentation came when it was cut short. Mark McKinnon was given the podium and demo’d for us ShadowAnalyzer (yep that tool we’ve all been waiting for). It is in beta at the moment, but he had a pile of CDs to hand out. Woot.

The tool works because the authors essentially reverse engineered the volume shadow service. Therefore they promise versions for Linux and Mac OS X in the future. The other cool thing is that this tool can interpret multiple file versions even in the same VSC.

Don’t know what I mean? Well, imagine if a VSC is created every 24 hours, and in that 24 hours you changed a certain spreadsheet 10 times. If you need to get back a ‘previous version’ of that file, Windows will only give you the most recent version that was saved in the VSC even though the ‘diff’ data is there for all 10 versions. The same thing occurs when you manipulate your host OS into interrogating VSCs on mounted media. ShadowAnalyzer will present to you all 10 different versions. Oh my.

Applying the Science of Similarity to Computer Forensics – Jesse Kornblum
Ever attended a talk by Jesse? Then you’ll know you’re in for some fun. My favorite quip is that he asked all of us to turn off our cellphones. And if they did beep – he wouldn’t throw it out, instead he’d do a forensic analysis on the device in front of the entire class! Perfect way to start, I knew I was in store for something good.

Uh oh, this one got mathy. Fortunately all presentations came on some DVDs that were provided to us for the conference – this is one presentation that had some math, and plenty of ‘for more details’ references to go read on Wikipedia.

The problem of similarity began with the obvious but inefficient method of the simple MD5 hash-and-compare for reducing data sets during review. While somewhat effective for operating system files (and even then many files are missed by this process because of patching) it was highly ineffective for user-based electronic files.

He walked us through block hashing and fuzzy hashing, introducing to us various algorithms that generate an end product that should have a low false positive rate and a high false negative rate. This one I might come back to once I read that statistics primer again.
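To make the block hashing versus fuzzy hashing distinction concrete, here is an added Python example (my own, not from the talk or from ssdeep): fixed-size block hashing beside a small context-triggered piecewise hash of the spamsum/ssdeep kind, where a rolling hash over the last 7 bytes decides where each piece ends. The three "files" are constructed pseudo-random byte strings; the edited copy has two short insertions, which shift every later byte and so defeat block alignment but only disturb the pieces the insertions land in. The block size of 64 and the similarity scoring via `difflib.SequenceMatcher` are choices made for this example.

```python
import difflib
import hashlib
import random

# Constructed sample "files" (not from the talk): 4000 pseudo-random bytes,
# an edited copy with two short insertions, and an unrelated file.
_rng = random.Random(7)
ORIGINAL = bytes(_rng.getrandbits(8) for _ in range(4000))
EDITED = b"INSERTED HEADER" + ORIGINAL[:500] + b" more edits" + ORIGINAL[500:]
UNRELATED = bytes(random.Random(99).getrandbits(8) for _ in range(4000))

BLOCK = 64            # fixed block size, also the CTPH trigger modulus
WINDOW = 7            # rolling-hash window, as in spamsum/ssdeep
FNV_INIT = 0x28021967
FNV_PRIME = 0x01000193
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def block_hashes(data, block=BLOCK):
    """Block hashing: MD5 of every fixed-size slice of the input."""
    return [hashlib.md5(data[i:i + block]).hexdigest()
            for i in range(0, len(data), block)]


def block_similarity(a, b):
    """Fraction of a's blocks that occur anywhere in b (position independent)."""
    hb = set(block_hashes(b))
    ha = block_hashes(a)
    return sum(h in hb for h in ha) / len(ha)


def rolling_hashes(data):
    """Yield a hash of the last WINDOW bytes at every offset (spamsum-style).

    Because it depends only on the last 7 bytes, the stream resynchronises
    7 bytes after any insertion or deletion.
    """
    h1 = h2 = h3 = 0
    win = [0] * WINDOW
    for i, c in enumerate(data):
        h2 = (h2 - h1 + WINDOW * c) & 0xFFFFFFFF
        h1 = (h1 + c - win[i % WINDOW]) & 0xFFFFFFFF
        win[i % WINDOW] = c
        h3 = ((h3 << 5) ^ c) & 0xFFFFFFFF    # a byte's bits fall off after 7 shifts
        yield (h1 + h2 + h3) & 0xFFFFFFFF


def ctph(data, blocksize=BLOCK):
    """Context-triggered piecewise hash: FNV-1 over each piece, one base64
    character per piece, with the rolling hash choosing the piece boundaries."""
    sig = []
    piece = FNV_INIT
    for c, rh in zip(data, rolling_hashes(data)):
        piece = ((piece * FNV_PRIME) ^ c) & 0xFFFFFFFF   # FNV-1 step over the piece
        if rh % blocksize == blocksize - 1:               # trigger: end of piece
            sig.append(B64[piece & 63])
            piece = FNV_INIT
    sig.append(B64[piece & 63])                           # final partial piece
    return "".join(sig)


def ctph_similarity(a, b, blocksize=BLOCK):
    """0.0-1.0 similarity of two CTPH signatures (sequence matching stands in
    for ssdeep's edit-distance score)."""
    sa, sb = ctph(a, blocksize), ctph(b, blocksize)
    return difflib.SequenceMatcher(None, sa, sb).ratio()


if __name__ == "__main__":
    for label, other in (("edited", EDITED), ("unrelated", UNRELATED)):
        print(f"{label:>9}: block {block_similarity(ORIGINAL, other):.2f}  "
              f"ctph {ctph_similarity(ORIGINAL, other):.2f}")
    print("signature:", ctph(ORIGINAL))
```

Run it and the edited copy scores zero under block hashing (every 64-byte slice is misaligned by the inserted bytes) but well above 0.8 under the piecewise hash, while the unrelated file stays low under both; that gap is the whole reason to reach for fuzzy hashing when reducing user-generated files rather than OS binaries.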

Solid State Drives – Fred Barry
The class lasted 20 minutes but the presenter essentially refreshed everyone’s memory on the workings of SSDs and the implications for forensic examiners. He presented some useful statistics which more than validated that SSDs as a source medium for evidence files most definitely increased the speed of analysis.

The most eye-opening of the tests concerned the TRIM-capable OSs (for example Windows 7, Windows Server 2008, and some *nix variants). He wrote the same dataset (12 gigs) to many test SSDs, and then deleted that data set. Through some measurement mechanism that he didn’t disclose, he would time how long before the data disappeared. While the details were not presented, the values varied from 24 hours (7 gigs of the original data were still present) down to 60 seconds (all the data was gone!). So while we are all still used to the OS handling garbage collection (i.e. tracking free space etc.), when it comes to SSDs, TRIM sends that command to the drive. And worst case, after 60 seconds, you will no longer be able to carve.


2 Responses to “Day 1 DC3-2011 Part 1”

  1. hoover said

    Do these talks get recorded and more importantly, if so are they made public?

  2. Paul Bobby said

    The talks do not get recorded – the presentations are made available to conference participants. A lot of the DC3 content (from DC3 speakers) is available on various DC3 websites such as the NRDFI.
