Macintosh Forensic Acquisition

June 23rd, 2009

Recently the Mac OS X Forensics site has been amassing a wealth of information on acquiring and analysing Macintosh OS X computers. Additionally, the “Inside the Core” podcast has made a strong start at presenting similar and related content as a podcast. Both teams deserve congratulations and encouragement for their contributions.

One problem that I have observed when acquiring Macs concerns some Apple keyboards that have a brushed aluminium appearance. They will not reliably allow one to boot to CD or target disk mode using the option keys, due to (purportedly) a firmware bug. The result of this can be an unplanned booting of the hard disk in the computer, and resulting modification of the state of the disk.

I haven’t observed this problem with any other Apple keyboards. Forensic practitioners may want to consider making it part of their practice to ensure that they are booting with a non-aluminium keyboard.

Paper on new evidence container format accepted for presentation at DFRWS2009

May 1st, 2009

Michael Cohen, Simson Garfinkel and I have been collaborating recently on the development of a new digital evidence storage container format. Today we have had notification that a paper detailing the research behind this development has been accepted at the 2009 Digital Forensics Research Workshop, to be held in Montreal, Canada. The title of the paper is “Extending the Advanced Forensic Format to accommodate Multiple Data Sources, Logical Evidence, Arbitrary Information and Forensic Workflow”.

A new evidence container is sorely needed by the computer forensics community, due to the large amount of manual work currently required in managing evidence and the closed nature of the current generation of forensic containers and tools. With this new forensic container, we provide an open and extensible container standard which promotes forensic tool interoperability and simplifies evidence sharing and management.

Technically, this new container achieves these things by enabling:

  • efficient random access storage of multiple streams of digital evidence within a single container;
  • storage of arbitrary information such as case relevant information or tool derived analysis results;
  • composition of evidence containers into a larger corpus of related evidence through an inter container referencing scheme;
  • decomposition of evidence containers into sets of smaller containers to support filesystem limitations;
  • definition of virtual evidence streams as maps of existing evidence streams.

The new format is slated to replace the current generation of Simson’s Advanced Forensic Format (AFF) and will be known as AFF4. Michael has been providing some documentation on the format over at the forensicswiki, and he has a beta-quality implementation in the C language. Plans are in place for a parallel Java implementation.

The abstract follows:

Forensic analysis requires the acquisition and management of many different types of evidence, including individual disk drives, RAID sets, network packets, memory images, and extracted files. Often the same evidence is reviewed by several different tools or examiners in different locations. We propose a backwards-compatible evolutionary redesign of the Advanced Forensic Format—an open, extensible file format for storing and sharing of evidence, arbitrary case related information and analysis results among different tools. The new specification was designed to be simple to implement, allowing the use of the well supported Zip File format specifications for bit level file access.

UPDATE: The paper is now published on the DFRWS 2009 website.
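As an added illustration (this is not AFF4 code, not code from the paper, and not the AFF4 on-disk layout), the following Python builds a toy Zip-based container that shows three of the ideas listed above: several randomly accessible streams inside one archive, free-form information (here a case note and a tool-derived hash) stored alongside them, and a virtual stream defined as a map over byte ranges of existing streams. The member names (streams/, maps/, info/), the four-column map line format and the sample “disk” bytes are assumptions constructed for the example.

```python
import hashlib
import io
import zipfile

# Constructed sample "evidence" streams (not real data).
DISK_A = bytes(range(256)) * 4        # 1024 bytes
DISK_B = b"\xab\xcd" * 256            # 512 bytes

# A map stream is a list of rows (virtual_offset, source_stream, source_offset, length)
# in ascending virtual_offset order, covering the virtual stream contiguously.
# Here a 250-byte virtual stream is assembled from parts of both disks, as a
# file fragmented across two sources might be.  (Assumed format, not AFF4's.)
FRAGMENT_MAP = [
    (0,   "disk_a", 100, 200),   # virtual bytes 0..199   <- disk_a[100:300]
    (200, "disk_b", 10,  50),    # virtual bytes 200..249 <- disk_b[10:60]
]


def write_container(buf, streams, maps, info):
    """Write evidence streams, map definitions and free-form info into one Zip archive."""
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in streams.items():
            zf.writestr("streams/" + name, data)
        for name, rows in maps.items():
            zf.writestr("maps/" + name, "\n".join("%d %s %d %d" % row for row in rows))
        for name, text in info.items():
            zf.writestr("info/" + name, text)
    buf.seek(0)
    return buf


def read_map(zf, name):
    """Parse a map member back into (virtual_offset, source, source_offset, length) rows."""
    rows = []
    for line in zf.read("maps/" + name).decode().splitlines():
        voff, src, soff, length = line.split()
        rows.append((int(voff), src, int(soff), int(length)))
    return rows


def virtual_length(buf, name):
    with zipfile.ZipFile(buf) as zf:
        last = read_map(zf, name)[-1]
    return last[0] + last[3]


def read_virtual(buf, name, start, size):
    """Random-access read of [start, start+size) from a virtual (map) stream.

    Only the overlapping part of each map row is fetched, by seeking inside the
    source member (ZipExtFile is seekable on Python 3.7+), so nothing is copied.
    """
    out = bytearray()
    end = start + size
    with zipfile.ZipFile(buf) as zf:
        for voff, src, soff, length in read_map(zf, name):
            lo, hi = max(start, voff), min(end, voff + length)
            if lo >= hi:
                continue
            with zf.open("streams/" + src) as f:
                f.seek(soff + (lo - voff))
                out += f.read(hi - lo)
    return bytes(out)


def verify_virtual(buf, name):
    """Recompute the virtual stream's SHA-256 and compare with the result stored in info/."""
    data = read_virtual(buf, name, 0, virtual_length(buf, name))
    with zipfile.ZipFile(buf) as zf:
        stored = zf.read("info/%s.sha256" % name).decode().strip()
    return hashlib.sha256(data).hexdigest() == stored


def build_demo_container():
    """Assemble the constructed sample into an in-memory container."""
    expected = DISK_A[100:300] + DISK_B[10:60]
    info = {
        "fragment.sha256": hashlib.sha256(expected).hexdigest(),  # tool-derived result
        "case.txt": "case=EXAMPLE-001 examiner=constructed",        # case information
    }
    return write_container(io.BytesIO(), {"disk_a": DISK_A, "disk_b": DISK_B},
                           {"fragment": FRAGMENT_MAP}, info)


if __name__ == "__main__":
    c = build_demo_container()
    print(read_virtual(c, "fragment", 190, 20).hex())   # straddles the two map rows
    print(verify_virtual(c, "fragment"))
```

Because the virtual stream is only a table of byte ranges, a carved file, a RAID stripe set reassembled from member disks, or a logical subset of an image can be described without duplicating the underlying data, and the hash of the virtual stream travels in the same archive as the evidence it describes.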

IceTV wins appeal against Nine in database copyright case

April 22nd, 2009

IceTV Pty Limited v Nine Network Australia Pty Limited [2009] HCA 14 (22 April 2009) [AUSTLII]

Summary

The High Court of Australia has found for the online TV guide IceTV in its long-running copyright dispute with the Australian TV broadcaster, the Nine Network. Nine claimed that IceTV infringed copyright in the weekly TV guide which Nine produces for distribution via licensed parties such as newspapers.

IceTV’s position was that their guide was an original work, due to the method of production of their database guide:

  1. An IceTV employee watched TV for three weeks in August 2004, noting TV programming characteristics such as the program, date, and time started. These details were entered into a database.
  2. After this initial “bootstrapping” exercise, the IceTV guide database was tweaked on a regular basis by comparison with the TV Guide of Nine. Where title and timing discrepancies occurred, the IceTV guide was altered to suit.

It was on this second method of production that Nine’s claim of infringement hinged. Nine claimed that IceTV’s method of compiling its TV guide, by taking the title and timing information, reproduced a substantial part of Nine’s weekly guide, and on appeal the Federal Court earlier found:

“Ice took, via the Aggregated Guides, precisely the pieces of information that reflected the exercise of skill and labour by Nine in determining the program for a particular day or other period … Ice’s use of material derived from the time and title information … appropriated the most creative elements of the skill and labour utilised by Nine in creating the Weekly Schedules.”

By framing the interpretation of the term “substantial” in terms of the “exercise of skill and labour”, the Federal Court found that IceTV had indeed reproduced a substantial part of the Nine Weekly Schedule. The High Court, however, disagreed, basing its interpretation of “substantial” largely on “originality”:

However, the expression of the time and title information, in respect of each programme, is not a form of expression which requires particular mental effort or exertion. The way in which the information can be conveyed is very limited. Expressing a title of a programme to be broadcast merely requires knowledge of the title, generally bestowed by the producer of the programme rather than by a broadcaster of it. Expressing the time at which a programme is broadcast, for public consumption, can only practically be done in words or figures relating to a 12 or 24-hour time cycle for a day. The authors of the Weekly Schedule (or the Nine Database) had little, if any, choice in the particular form of expression adopted, as that expression was essentially dictated by the nature of the information. That expression lacks the requisite originality (in the sense explained) for the part to constitute a substantial part.

On the question of whether structural relationships such as the chronological order of programming were protected, the court found:

Counsel for Nine sought to place importance upon the reproduction not only of time and title information in respect of each programme, but also of the chronological arrangement of the time and title information for various programmes. Whether a selection or arrangement of elements constitutes a substantial part of a work depends on the degree of originality of that selection or arrangement. In this case, a chronological arrangement of times at which programmes will be broadcast is obvious and prosaic, and plainly lacks the requisite originality.

The court found that the time and title information in the IceGuide was not a reproduction of a substantial part of Nine’s weekly schedule.

Commentary

Today, computer based databases are the primary repository of knowledge. Almost every website, from Google to your phone directory, is powered by a database. The current Web 2.0 generation of information sources embrace the reuse (or mash-up) of published information from a multitude of sources over the web.

Before this decision in IceTV v Nine, the degree to which the producer or owner of a database has rights over the constituent information within it was uncertain. This decision appears to clarify the position somewhat:

“Copyright does not protect facts or information … That facts are not protected is a crucial part of the balancing of competing policy considerations in copyright legislation.”

This decision favours third parties using basic factual information from published databases (and websites in general).

Related Posts:

IceTV Announcement

High Court Judgement (AUSTLII)

Peter Black’s announcement post (with summary to come)

Lawfront’s announcement post (with summary to come)

Update: Warwick Rothnie’s summary of the judgement.

dd2vmdk relocated into the cloud

April 15th, 2009

A while ago I wrote a tool to convert flat disk images (which we commonly call dd images) to VMware .vmdk disk images (the original blog post on the tool, called dd2vmdk, is posted here). I have in the meantime ceased development of it, but despite its relatively archaic nature, some still find it of use.
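For readers who want to see what the conversion involves, the following Python is an added example and not dd2vmdk’s own code. A VMware “monolithicFlat” disk consists of a small text descriptor plus a flat extent that is simply a raw byte-for-byte image, so a dd image can be used in place as the extent and only the descriptor has to be generated. The 16-head/63-sector geometry, the fixed CID value and the hardware version are assumptions that VMware accepts for a hand-written descriptor.

```python
import os

SECTOR_SIZE = 512
# Legacy BIOS/IDE geometry for the flat extent (assumed; VMware accepts it).
HEADS = 16
SECTORS_PER_TRACK = 63


def vmdk_descriptor(image_name, image_size, adapter="ide"):
    """Return a VMware 'monolithicFlat' descriptor whose single extent is the raw image.

    The image is referenced in place, never copied: a FLAT extent is exactly a
    raw disk image, which is what a dd acquisition already is.
    """
    if image_size % SECTOR_SIZE:
        raise ValueError("raw image is not a whole number of %d-byte sectors" % SECTOR_SIZE)
    if "\n" in image_name or '"' in image_name:
        raise ValueError("image file name cannot be quoted in a descriptor")
    sectors = image_size // SECTOR_SIZE
    cylinders = sectors // (HEADS * SECTORS_PER_TRACK)
    lines = [
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",                 # assumed constant; VMware regenerates it on write
        "parentCID=ffffffff",           # no parent: this is a base disk, not a snapshot
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        # access  size-in-sectors  type  file-name  offset
        'RW %d FLAT "%s" 0' % (sectors, image_name),
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        'ddb.adapterType = "%s"' % adapter,
        'ddb.geometry.cylinders = "%d"' % cylinders,
        'ddb.geometry.heads = "%d"' % HEADS,
        'ddb.geometry.sectors = "%d"' % SECTORS_PER_TRACK,
        'ddb.virtualHWVersion = "4"',
    ]
    return "\n".join(lines) + "\n"


def write_descriptor(image_path, descriptor_path=None):
    """Write image.vmdk beside image.dd; the dd image itself is only stat'ed, never opened."""
    size = os.path.getsize(image_path)
    if descriptor_path is None:
        descriptor_path = os.path.splitext(image_path)[0] + ".vmdk"
    text = vmdk_descriptor(os.path.basename(image_path), size)
    with open(descriptor_path, "w") as f:
        f.write(text)
    return descriptor_path


if __name__ == "__main__":
    # Constructed size: 1048576 sectors, i.e. a 512 MiB image.
    print(vmdk_descriptor("evidence.dd", 1048576 * SECTOR_SIZE))
```

The descriptor references the image by a relative file name, so write it into the same directory as the image. The extent is declared RW because that is how VMware writes its own descriptors; to keep the evidence pristine, point the descriptor at a hash-verified working copy, or take a VMware snapshot before powering on so that guest writes go to the snapshot delta rather than the dd file.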

Today I relocated hosting of it to Google’s new cloud web application service, Google App Engine. My motivations for doing this were to reduce administrative burden, to eliminate server costs, and to increase long term availability (the Java App Engine is in beta, so there might be some short term availability issues).

The relocation took roughly one hour of my time, was dead simple, and required no code modification, just the simple addition of a new text configuration file.

dd2vmdk is still available via my personal website.

Schatz Forensic launched

April 11th, 2009

Since March I have returned to practicing under my own banner. I have taken this opportunity to change the name of my company to Schatz Forensic, to better reflect the focus of the business and the personal nature of the services that I offer. Schatz Forensic is now operating out of premises in the Brisbane CBD, and continues to offer the same computer forensics and electronic discovery services that I have provided in the past.

libewf has relocated

April 7th, 2009

This won’t be news to many, but I came across a colleague today who didn’t realise that the libewf project has moved home to SourceForge.

Libewf is the only open source implementation of the Expert Witness Format (EWF), the de facto standard for storage of forensic disk images. It comes with numerous utilities, including ewfacquire, a UNIX-based command line EWF acquisition program that is faster than LinEn, and ewfverify, a command line validation utility. This latter tool I have found extremely useful in automating the evidence preservation process.

Related news is that Joachim Metz, the creator of libewf, has recently released libpff, an open source implementation of the Outlook PST, OST and PAB file formats.

Recent speech on eDiscovery in Australia now posted

October 16th, 2008

Back in August this year, I delivered the keynote speech at an Oracle-organised eDiscovery roadshow, which travelled to most of the capital cities in Australia.

I have packaged the audio of my speech and powerpoint slides into a SlideCast, which can be viewed and listened to below.

For the entire event, including an mp3 containing both my speech and those of the other speakers, see Paul Ricketts of Oracle’s blog post over here.

Stealth deployment of f-response Enterprise

September 29th, 2008

In the last couple of days I have taken a few moments to familiarise myself with F-Response. The tool has been getting a lot of buzz lately amongst the forensic community, as it allows read-only raw access to the drives of remote computers using one’s regular forensic toolset. Think EnCase Enterprise at a lower price tag, with open tool access.

For the more technical reader, it does this by setting up an iSCSI target on the remote (target, or suspect’s) computer, which the investigation machine then attaches to as a read-only disk.

The Field Kit and Consultant editions of this tool require you to run a GUI agent on the target computer, which is not stealthy. The Enterprise edition, however, allows the agent to be run as a service.

Stealth Deployment
The supplied manual shows you how to install the Enterprise agent using a combination of command line and GUI, but doesn’t go so far as to instruct how to do this remotely, via only the command line. This post documents how I achieved this.

I note here that these instructions apply to a Windows Domain based setup, with firewall rules on workstations set to enable remote administration and file sharing from the investigation computer. Note also that “stealth” here means only that nothing appears on the target’s screen: psexec itself copies its PSEXESVC service to the target and starts it, the service installation and start/stop below are recorded in the target’s System event log, and the copied agent files and firewall change modify the target’s system disk. Record each step and its time so that these changes can be accounted for in the evidence later.

1. Open two windows command prompts. One is to be for work on the target machine and one on the investigation machine.

2. On the target machine command prompt, we first want to get a shell on the target computer, by using psexec, xcmd or another remote execution tool. I am logging in here as a user with Administrator privileges:

C:\Documents and Settings\bschatz>"c:\Documents and Settings\bschatz\Desktop\tools\psexec.exe" -u VINCENTS\bschatz_admin \\192.168.20.195 cmd

PsExec v1.94 - Execute processes remotely
Copyright (C) 2001-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

Password:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

3. Then in the same window, we make a directory to put the f-response agent and configuration file in, and change into it:

C:\WINDOWS\system32>mkdir f-response

C:\WINDOWS\system32>cd f-response

C:\WINDOWS\system32\f-response>

4. On the investigator machine command prompt, we now want to copy the f-response agent and configuration file (f-response-ent.exe and NetUniKey.ini) over to the target machine, and into the directory we just created. Look out for escaping of quotes here:

C:\WINDOWS\system32>runas /user:VINCENTS\bschatz_admin "xcopy \"c:\Program Files (x86)\F-Response\F-Response Enterprise Edition\"\* \\192.168.20.195\c$\windows\system32\f-response\ /e /s /v /y /i"

5. Back in the target machine command prompt, we (in the order of the commands below) first install the f-response agent as a service, start the service, and finally, assuming that your client’s firewall rules prevent connection to the f-response iSCSI target (TCP port 3260), open the Windows firewall on that port for the domain profile:

C:\WINDOWS\system32\f-response>f-response-ent -c

C:\WINDOWS\system32\f-response>net start “F-Response Enterprise Service”
The F-Response Enterprise Service service is starting.
The F-Response Enterprise Service service was started successfully.

C:\WINDOWS\system32\f-response>netsh firewall set portopening protocol=TCP port=3260 name=iSCSI mode=ENABLE profile=DOMAIN
Ok.

6. At this point the regular connection to f-response may be performed.

When you are done
How to undo the above?

C:\WINDOWS\system32\f-response>netsh firewall delete portopening protocol=TCP port=3260
Ok.

C:\WINDOWS\system32\f-response>net stop “F-Response Enterprise Service”
The F-Response Enterprise Service service is stopping.
The F-Response Enterprise Service service was stopped successfully.

C:\WINDOWS\system32\f-response>f-response-ent -d

C:\WINDOWS\system32\f-response>del *.*

C:\WINDOWS\system32\f-response>cd ..

C:\WINDOWS\system32>rmdir f-response

Ph.D. Thesis Published

December 5th, 2007

My Ph.D. thesis was accepted by my university a while ago. A result of this is that my thesis is now publicly available at the Australian Digital Thesis project. The abstract of the thesis is reproduced below.

This thesis addresses problems related to the complexity and volume of evidence drawn from computers and other digital devices (so-called digital evidence) in policing and legal matters. The research identifies methods for increasing the efficiency and reliability of investigations employing digital evidence, by proposing automated methods of processing and documenting such information. The research examined at a fundamental level the role of representation in interpreting and analysing digital evidence, identifying where a formal approach to representing digital investigations and digital evidence reduces the complexity and volume problems. A formal approach was shown to be of benefit in automating the identification of situations of interest from correlated event records sourced from computer security and other disparate event logs. Additionally a formal approach was shown to facilitate granular sharing of evidence and extensible documentation of investigations. Finally, the research identified flaws in the fundamental assumptions in the interpretation of time-stamped evidence, and proposed a novel method of inferring the temporal behaviour of arbitrary computers.

Many thanks to my Ph.D. supervisory team: Adj. Prof. George Mohay, Dr. Andrew Clark, and Dr. Peter Best. Your support and encouragement have been instrumental in directing my research to this conclusion. Finally, thanks to my thesis examiners for their valued criticism and recommendations.

Computer Security Day – Brisbane 2007

November 29th, 2007

I will be giving a short half-hour talk titled “Recent developments in volatile memory forensics” at the Brisbane Computer Security Day on Friday 29th November, 2007. In this talk I will give an overview of where volatile memory forensics fits into the general practice of forensics, identify the benefits and limitations of the current toolset, and outline the current developments in the field. The subjects of other talks include PCI data security, Google hacking, and web application security.

This event has been organised by the Information Security Institute, the Australian Information Security Association and AUSCERT.

UPDATE: The slides of my talk can be found here.