Difference between pages "File Format Identification" and "BitLocker: how to image"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (formatting Bibliographies)
 
(Traditional Imaging)
 
Line 1: Line 1:
File Format Identification is the process of figuring out the format of a sequence of bytes. Operating systems typically do this by file extension or by embedded MIME information. Forensic applications need to identify file types by content.
 
  
=Tools=
+
= Imaging Options =
==libmagic==
+
* Written in C.
+
* Rules in /usr/share/file/magic and compiled at runtime.
+
* Powers the Unix “file” command, but you can also call the library directly from a C program.
+
* http://sourceforge.net/projects/libmagic
+
  
==DROID==
+
There are multiple ways to image a computer with bitlocker security in place.
* Writen in Java
+
* Developed by National Archives of the United Kingdom.
+
* http://droid.sourceforge.net
+
  
==TrID==
+
== Offline Imaging ==
* XML config file
+
* Closed source; free for non-commercial use
+
* http://mark0.net/soft-trid-e.html
+
  
==Forensic Innovations File Investigator TOOLS==
+
One can make an offline image with the image containing encrypted information.
* Proprietary, but free trial available.
+
* Available as consumer applications and OEM API.
+
* Identifies 3,000+ file types, using multiple methods to maintain high accuracy.
+
* Extracts metadata for many of the supported file types.
+
* http://www.forensicinnovations.com/fitools.html
+
  
==Stellent/Oracle Outside-In==
+
Options to offline decrypt the information, provided the password or recovery password is available, exists some are:
* Proprietary but free demo.
+
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
* http://www.oracle.com/technology/products/content-management/oit/oit_all.html
+
* [[EnCase]] (as of version 6) with the (optional) encryption module
 +
* [[libbde]]
  
==[[Forensic Assistant]]==
+
The recovery password is a long series of digits broken up into 8 segments.
* Proprietary.
+
<pre>
* Provides detection of password protected archives, some files of cryptographic programs, Pinch/Zeus binary reports, etc.
+
123456-123456-123456-123456-123456-123456-13456-123456
 +
</pre>
  
[[Category:Tools]]
+
Note that there is no white space in the recovery password including not at the end, e.g. EnCase does not accept the recovery password if there is trailing white space.
  
=Bibliography=
+
The recovery password can be recovered from a BitLocker enabled computer provided it can be logged into or if stored in escrow.
Current research papers on the file format identification problem. Most of these papers concern themselves with identifying file format of a few file sectors, rather than an entire file. '''Please note that this bibliography is in chronological order!'''
+
  
 +
The basic steps are:
  
;2001
+
# Make an offline full disk image.
 +
# Recover the password, this can be done by booting the original computer, or by creating a clone and booting the clone.  (booting from a clone has not been tested at this time.)
 +
## Once booted log into the computer
 +
## Use the BitLocker control panel applet to display the password.  This can also be done from the command-line.
 +
## record the password
 +
#:
 +
# For EnCase v6 or higher with the encryption module installed
 +
## Load the image into EnCase
 +
## You will be prompted for the password.  Simply enter it and continue.
 +
## If you prefer to have an un-encrypted image to work with other tools or share with co-workers, you can "re-acquire" the image from within EnCase.  The new image will have unencrypted data.
 +
## After adding the encrypted image into your case, simply right click on the drive in the left panel and select acquire.  Select "do not add to case".  You will be presented a dialog window to enter new information about the image.  Make sure the destination you select for your new image does not exist.
  
* Mason McDaniel, [[Media:Mcdaniel01.pdf|Automatic File Type Detection Algorithm]], Masters Thesis, James Madison University,2001
+
== Live Imaging ==
  
; 2003
+
=== FTK Live Imaging of a physical drive ===
  
* [http://www2.computer.org/portal/web/csdl/abs/proceedings/hicss/2003/1874/09/187490332a.pdf Content Based File Type Detection Algorithms], Mason McDaniel and M. Hossain Heydari, 36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9, 2003.
+
Using FTK Imager lite, it was determined a live image of the physical system disk resulted in an image with an encrypted bitlocker container on it.
  
; 2005
+
Note that the phrase "physical" here corresponds directly with FTK Imagers use of the term in their image acquire menu.
  
* Fileprints: identifying file types by n-gram analysis, LiWei-Jen, Wang Ke, Stolfo SJ, Herzog B..,  IProceeding of the 2005 IEEE workshop on information assurance, 2005. ([http://www.itoc.usma.edu/workshop/2005/Papers/Follow%20ups/FilePrintPresentation-final.pdf Presentation Slides])  ([http://www1.cs.columbia.edu/ids/publications/FilePrintPaper-revised.pdf PDF])
+
=== FTK Live Imaging of a logical partition ===
  
* Douglas J. Hickok, Daine Richard Lesniak, Michael C. Rowe, File Type Detection Technology,  2005 Midwest Instruction and Computing Symposium.([http://www.micsymposium.org/mics_2005/papers/paper7.pdf PDF])
+
This has not been verified to work or fail at this time.
  
; 2006
+
Note that the phrase "logical" here corresponds directly with FTK Imagers use of the term in their image acquire menu.
  
* Karresand Martin, Shahmehri Nahid [http://ieeexplore.ieee.org/iel5/10992/34632/01652088.pdf  File type identification of data fragments by their binary structure. ], Proceedings of the IEEE workshop on information assurance, pp.140–147, 2006.([http://www.itoc.usma.edu/workshop/2006/Program/Presentations/IAW2006-07-3.pdf Presentation Slides])
+
=== FTK Live Files and Folders collections ===
  
* Gregory A. Hall, Sliding Window Measurement for File Type Identification, Computer Forensics and Intrusion Analysis Group, ManTech Security and Mission Assurance, 2006. ([http://www.mantechcfia.com/SlidingWindowMeasurementforFileTypeIdentification.pdf PDF])
+
This was not attempted, but it seems reasonable to assume this will collect unencrypted files.
  
* FORSIGS; Forensic Signature Analysis of the Hard Drive for Multimedia File Fingerprints, John Haggerty and Mark Taylor, IFIP TC11 International Information Security Conference, 2006, Sandton, South Africa.
+
== See Also ==
 +
* [[BitLocker Disk Encryption]]
 +
* [[Defeating Whole Disk Encryption]]
  
* Martin Karresand , Nahid Shahmehri, "Oscar -- Using Byte Pairs to Find File Type and Camera Make of Data Fragments," Annual Workshop on Digital Forensics and Incident Analysis, Pontypridd, Wales, UK, pp.85-94, Springer-Verlag, 2006.
+
[[Category:Disk encryption]]
 
+
[[Category:Windows]]
; 2007
+
 
+
* Karresand M., Shahmehri N., [http://dx.doi.org/10.1007/0-387-33406-8_35 Oscar: File Type Identification of Binary Data in Disk Clusters and RAM Pages], Proceedings of IFIP International Information Security Conference: Security and Privacy in Dynamic Environments (SEC2006), Springer, ISBN 0-387-33405-x, pp.413-424, Karlstad, Sweden, May 2006.
+
 
+
* Robert F. Erbacher and John Mulholland, "Identification and Localization of Data Types within Large-Scale File Systems," Proceedings of the 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, WA, April 2007.
+
 
+
* Ryan M. Harris, "Using Artificial Neural Networks for Forensic File Type Identification," Master's Thesis, Purdue University, May 2007. ([https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2007-19.pdf PDF])
+
 
+
* Predicting the Types of File Fragments, William Calhoun, Drue Coles, DFRWS 2008. ([http://www.dfrws.org/2008/proceedings/p14-calhoun_pres.pdf Presentation Slides])  ([http://www.dfrws.org/2008/proceedings/p14-calhoun.pdf PDF])
+
 
+
* Sarah J. Moody and Robert F. Erbacher, [http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=04545366 SÁDI – Statistical Analysis for Data type Identification], 3rd International Workshop on Systematic Approaches to Digital Forensic Engineering, 2008.
+
 
+
; 2008
+
 
+
* Mehdi Chehel Amirani, Mohsen Toorani, and Ali Asghar Beheshti Shirazi, [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4625611 A New Approach to Content-based File Type Detection], Proceedings of the 13th IEEE Symposium on Computers and Communications (ISCC'08), pp.1103-1108, IEEE ComSoc, Marrakech, Morocco, July 2008.([http://webpages.iust.ac.ir/mtoorani/FTD.pdf Presentation Slides])  ([http://webpages.iust.ac.ir/mtoorani/C2.pdf PDF])
+
 
+
; 2009
+
* Roussev, Vassil, and Garfinkel, Simson, "File Classification Fragment-The Case for Specialized Approaches," Systematic Approaches to Digital Forensics Engineering (IEEE/SADFE 2009), Oakland, California. ([http://simson.net/clips/academic/2009.SADFE.Fragments.pdf PDF])
+
 
+
* Irfan Ahmed, Kyung-suk Lhee, Hyunjung Shin and ManPyo Hong, [http://www.springerlink.com/content/g2655k2044615q75/ On Improving the Accuracy and Performance of Content-based File Type Identification], Proceedings of the 14th Australasian Conference on Information Security and Privacy (ACISP 2009), pp.44-59, LNCS (Springer), Brisbane, Australia, July 2009.
+
 
+
; 2010
+
*Irfan Ahmed, Kyung-suk Lhee, Hyunjung Shin and ManPyo Hong, [http://www.alphaminers.net/sub05/sub05_03.php?swf_pn=5&swf_sn=3&swf_pn2=3 Fast File-type Identification], Proceedings of the 25th ACM Symposium on Applied Computing (ACM SAC 2010), ACM, Sierre, Switzerland, March 2010.
+
[[Category:Bibliographies]]
+

Revision as of 02:04, 15 July 2013

Imaging Options

There are multiple ways to image a computer with bitlocker security in place.

Offline Imaging

One can make an offline image with the image containing encrypted information.

Options to offline decrypt the information, provided the password or recovery password is available, exists some are:

The recovery password is a long series of digits broken up into 8 segments.

123456-123456-123456-123456-123456-123456-13456-123456

Note that there is no white space in the recovery password including not at the end, e.g. EnCase does not accept the recovery password if there is trailing white space.

The recovery password can be recovered from a BitLocker enabled computer provided it can be logged into or if stored in escrow.

The basic steps are:

  1. Make an offline full disk image.
  2. Recover the password, this can be done by booting the original computer, or by creating a clone and booting the clone. (booting from a clone has not been tested at this time.)
    1. Once booted log into the computer
    2. Use the BitLocker control panel applet to display the password. This can also be done from the command-line.
    3. record the password
  3. For EnCase v6 or higher with the encryption module installed
    1. Load the image into EnCase
    2. You will be prompted for the password. Simply enter it and continue.
    3. If you prefer to have an un-encrypted image to work with other tools or share with co-workers, you can "re-acquire" the image from within EnCase. The new image will have unencrypted data.
    4. After adding the encrypted image into your case, simply right click on the drive in the left panel and select acquire. Select "do not add to case". You will be presented a dialog window to enter new information about the image. Make sure the destination you select for your new image does not exist.

Live Imaging

FTK Live Imaging of a physical drive

Using FTK Imager lite, it was determined a live image of the physical system disk resulted in an image with an encrypted bitlocker container on it.

Note that the phrase "physical" here corresponds directly with FTK Imagers use of the term in their image acquire menu.

FTK Live Imaging of a logical partition

This has not been verified to work or fail at this time.

Note that the phrase "logical" here corresponds directly with FTK Imagers use of the term in their image acquire menu.

FTK Live Files and Folders collections

This was not attempted, but it seems reasonable to assume this will collect unencrypted files.

See Also