Difference between pages "BitLocker Disk Encryption" and "Research Topics"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(External Links)
 
(See Also)
 
Line 1: Line 1:
'''BitLocker Disk Encryption''' (BDE) is [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.
+
Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas.
  
== BitLocker ==
+
Many of these would make a nice master's project.
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header. Instead, they have in their volume header (first sector): <tt>2D 46 56 45 2D 46 53 2D</tt> or, in ASCII, <tt>-FVE-FS-</tt>.
+
  
These volumes can be identified by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00.
+
=Programming/Engineering Projects=
  
The actual data on the encrypted volume is protected with either 128-bit or 256-bit [[AES]] and optionally diffused using an algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:
+
==Small-Sized Projects==
* TPM (Trusted Platform Module)
+
; Sleuthkit:
* Smart card
+
* Rewrite SleuthKit '''sorter''' in C++ to make it faster and more flexible.
* recovery password
+
; tcpflow:
* start-up key
+
* Modify [[tcpflow]]'s iptree.h implementation so that it only stores discriminating bit prefixes in the tree, similar to D. J. Bernstein's [http://cr.yp.to/critbit.html Crit-bit] trees.
* clear key; this key-protector provides no protection
+
* Determine why [[tcpflow]]'s iptree.h implementation's ''prune'' works differently when caching is enabled then when it is disabled
* user password
+
  
BitLocker has support for partial encrypted volumes.
+
==Medium-Sized Non-Programming Projects==
 +
===Digital Forensics Education===
 +
* Survey existing DFE programs and DF practitioners regarding which tools they use. Report if the tools being taught are the same as the tools that are being used.
 +
===Improving quality of forensic examination reports===
 +
* Defense asks you: "When did you update your antivirus program during the forensic examination?", what will you reply: date, or date/hour, or date/hour/minute? How many virus signatures can be added and then excluded as false positives in 24 hours? Does mirroring of signature update servers make date/hour, date/hour/minute answers useless?
  
== BitLocker To Go ==
+
==Medium-Sized Development Projects==
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.
+
===Forensic File Viewer ===
 +
* Create a program that visualizes the contents of a file, sort of like hexedit, but with other features:
 +
** Automatically pull out the strings
 +
** Show histogram
 +
** Detect crypto and/or stenography.
 +
* Extend SleuthKit's [[fiwalk]] to report the NTFS alternative data streams.
  
== manage-bde ==
+
===Data Sniffing===
To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
+
* Create a method to detect NTFS-compressed cluster blocks on a disk (RAW data stream). A method could be to write a generic signature to detect the beginning of NTFS-compressed file segments on a disk. This method is useful in carving and scanning for textual strings.
<pre>
+
manage-bde.exe -status
+
</pre>
+
  
To obtain the recovery password for volume C:
+
===SleuthKit Modifications===
<pre>
+
* Write a FUSE-based mounter for SleuthKit, so that disk images can be forensically mounted using TSK.
manage-bde.exe -protectors -get C: -Type recoverypassword
+
* Modify SleuthKit's API so that the physical location on disk of compressed files can be learned.
</pre>
+
  
Or just obtain the all “protectors” for volume C:
+
===Anti-Frensics Detection===
<pre>
+
* A pluggable rule-based system that can detect the residual data or other remnants of running a variety of anti-forensics software
manage-bde.exe -protectors -get C:
+
</pre>
+
  
== See Also ==
+
===Carvers===
* [[BitLocker:_how_to_image|BitLocker: How to image]]
+
Develop a new carver with a plug-in architecture and support for fragment reassembly carving. Take a look at:
* [[Defeating Whole Disk Encryption]]
+
* [[Carver 2.0 Planning Page]]
 +
* ([mailto:rainer.poisel@gmail.com Rainer Poisel']) [https://github.com/rpoisel/mmc Multimedia File Carver], which allows for the reassembly of multimedia fragmented files.
  
== External Links ==
+
===Correlation Engine===
 +
* Logfile correlation
 +
* Document identity identification
 +
* Correlation between stored data and intercept data
 +
* Online Social Network Analysis
  
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
+
===Data Snarfing/Web Scraping===
* [http://www.nvlabs.in/nvbit_bitlocker_white_paper.pdf Accessing Bitlocker volumes from linux], by Nitin Kumar and Vipin Kumar, 2008
+
* Find and download in a forensically secure manner all of the information in a social network (e.g. Facebook, LinkedIn, etc.) associated with a targeted individual.
* [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', by Jesse D. Kornblum, 2009
+
* Determine who is searching for a targeted individual. This might be done with a honeypot, or documents with a tracking device in them, or some kind of covert Facebook App.
* [https://googledrive.com/host/0B3fBvzttpiiSX2VCRk16TnpDd0U/BitLocker%20Drive%20Encryption%20(BDE)%20format.pdf BitLocker Drive Encryption (BDE) format specification], by the [[libbde|libbde project]], March 2011
+
* Automated grouping/annotation of low-level events, e.g. access-time, log-file entry, to higher-level events, e.g. program start, login
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
+
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
+
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
+
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
+
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
+
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
+
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8
+
  
== Tools ==
+
=== Timeline analysis ===
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
+
* Mapping differences and similarities in multiple versions of a system, e.g. those created by [[Windows Shadow Volumes]] but not limited to
* [[libbde]]
+
* Write a new timeline viewer that supports Logfile fusion (with offsets) and provides the ability to view the logfile in the frequency domain.
  
[[Category:Disk encryption]]
+
===Enhancements for Guidance Software's Encase===
[[Category:Windows]]
+
* Develop an EnScript that allows you to script EnCase from Python. (You can do this because EnScripts can run arbitrary DLLs. The EnScript calls the DLL. Each "return" from the DLL is a specific EnCase command to execute. The EnScript then re-enters the DLL.)
 +
 
 +
=== Analysis of packet captures ===
 +
* Identifying various types of DDoS attacks from capture files (pcap): extracting attack statistics, list of attacking bots, determining the type of attack (TCP SYN flood, UDP/ICMP flood, HTTP GET/POST flood, HTTP flood with browser emulation, etc).
 +
 
 +
==Reverse-Engineering Projects==
 +
=== Application analysis ===
 +
* Reverse the on-disk structure of the [[Extensible Storage Engine (ESE) Database File (EDB) format]] to learn:
 +
** Fill in the missing information about older ESE databases
 +
** Exchange EDB (MAPI database), STM
 +
** Active Directory (Active Directory working document available on request)
 +
* Reverse the on-disk structure of the Lotus [[Notes Storage Facility (NSF)]]
 +
* Reverse the on-disk structure of Microsoft SQL Server databases
 +
 
 +
=== Volume/File System analysis ===
 +
* Analysis of inter snapshot changes in [[Windows Shadow Volumes]]
 +
* Modify SleuthKit's NTFS implementation to support NTFS encrypted files (EFS)
 +
* Extend SleuthKit's implementation of NTFS to cover Transaction NTFS (TxF) (see [[NTFS]])
 +
* Physical layer access to flash storage (requires reverse-engineering proprietary APIs for flash USB and SSD storage.)
 +
* Add support to SleuthKit for [[Resilient File System (ReFS)|ReFS]].
 +
 
 +
 
 +
 
 +
==Error Rates==
 +
* Develop improved techniques for identifying encrypted data. (It's especially important to distinguish encrypted data from compressed data).
 +
* Quantify the error rate of different forensic tools and processes. Are these rates theoretical or implementation dependent? What is the interaction of the error rates and the [[Daubert]] standard?
 +
 
 +
==Research Areas==
 +
These are research areas that could easily grow into a PhD thesis.
 +
* General-purpose detection of:
 +
** Stegnography
 +
** Sanitization attempts
 +
** Evidence Falsification (perhaps through inconsistency in file system allocations, application data allocation, and log file analysis.
 +
* Visualization of data/information in digital forensic context
 +
* SWOT of current visualization techniques in forensic tools; improvements; feasibility of 3D representation;
 +
 
 +
==See Also==
 +
* [http://itsecurity.uiowa.edu/securityday/documents/guan.pdf Digital Forensics: Research Challenges and Open Problems, Dr. Yong Guan, Iowa State University, Dec. 4, 2007]
 +
* [http://www.forensicfocus.com/project-ideas Forensic Focus: Project Ideas for Digital Forensics Students]
 +
 
 +
__NOTOC__
 +
 
 +
[[Category:Research]]

Revision as of 08:35, 10 September 2013

Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas.

Many of these would make a nice master's project.

Programming/Engineering Projects

Small-Sized Projects

Sleuthkit
  • Rewrite SleuthKit sorter in C++ to make it faster and more flexible.
tcpflow
  • Modify tcpflow's iptree.h implementation so that it only stores discriminating bit prefixes in the tree, similar to D. J. Bernstein's Crit-bit trees.
  • Determine why tcpflow's iptree.h implementation's prune works differently when caching is enabled then when it is disabled

Medium-Sized Non-Programming Projects

Digital Forensics Education

  • Survey existing DFE programs and DF practitioners regarding which tools they use. Report if the tools being taught are the same as the tools that are being used.

Improving quality of forensic examination reports

  • Defense asks you: "When did you update your antivirus program during the forensic examination?", what will you reply: date, or date/hour, or date/hour/minute? How many virus signatures can be added and then excluded as false positives in 24 hours? Does mirroring of signature update servers make date/hour, date/hour/minute answers useless?

Medium-Sized Development Projects

Forensic File Viewer

  • Create a program that visualizes the contents of a file, sort of like hexedit, but with other features:
    • Automatically pull out the strings
    • Show histogram
    • Detect crypto and/or stenography.
  • Extend SleuthKit's fiwalk to report the NTFS alternative data streams.

Data Sniffing

  • Create a method to detect NTFS-compressed cluster blocks on a disk (RAW data stream). A method could be to write a generic signature to detect the beginning of NTFS-compressed file segments on a disk. This method is useful in carving and scanning for textual strings.

SleuthKit Modifications

  • Write a FUSE-based mounter for SleuthKit, so that disk images can be forensically mounted using TSK.
  • Modify SleuthKit's API so that the physical location on disk of compressed files can be learned.

Anti-Frensics Detection

  • A pluggable rule-based system that can detect the residual data or other remnants of running a variety of anti-forensics software

Carvers

Develop a new carver with a plug-in architecture and support for fragment reassembly carving. Take a look at:

Correlation Engine

  • Logfile correlation
  • Document identity identification
  • Correlation between stored data and intercept data
  • Online Social Network Analysis

Data Snarfing/Web Scraping

  • Find and download in a forensically secure manner all of the information in a social network (e.g. Facebook, LinkedIn, etc.) associated with a targeted individual.
  • Determine who is searching for a targeted individual. This might be done with a honeypot, or documents with a tracking device in them, or some kind of covert Facebook App.
  • Automated grouping/annotation of low-level events, e.g. access-time, log-file entry, to higher-level events, e.g. program start, login

Timeline analysis

  • Mapping differences and similarities in multiple versions of a system, e.g. those created by Windows Shadow Volumes but not limited to
  • Write a new timeline viewer that supports Logfile fusion (with offsets) and provides the ability to view the logfile in the frequency domain.

Enhancements for Guidance Software's Encase

  • Develop an EnScript that allows you to script EnCase from Python. (You can do this because EnScripts can run arbitrary DLLs. The EnScript calls the DLL. Each "return" from the DLL is a specific EnCase command to execute. The EnScript then re-enters the DLL.)

Analysis of packet captures

  • Identifying various types of DDoS attacks from capture files (pcap): extracting attack statistics, list of attacking bots, determining the type of attack (TCP SYN flood, UDP/ICMP flood, HTTP GET/POST flood, HTTP flood with browser emulation, etc).

Reverse-Engineering Projects

Application analysis

Volume/File System analysis

  • Analysis of inter snapshot changes in Windows Shadow Volumes
  • Modify SleuthKit's NTFS implementation to support NTFS encrypted files (EFS)
  • Extend SleuthKit's implementation of NTFS to cover Transaction NTFS (TxF) (see NTFS)
  • Physical layer access to flash storage (requires reverse-engineering proprietary APIs for flash USB and SSD storage.)
  • Add support to SleuthKit for ReFS.


Error Rates

  • Develop improved techniques for identifying encrypted data. (It's especially important to distinguish encrypted data from compressed data).
  • Quantify the error rate of different forensic tools and processes. Are these rates theoretical or implementation dependent? What is the interaction of the error rates and the Daubert standard?

Research Areas

These are research areas that could easily grow into a PhD thesis.

  • General-purpose detection of:
    • Stegnography
    • Sanitization attempts
    • Evidence Falsification (perhaps through inconsistency in file system allocations, application data allocation, and log file analysis.
  • Visualization of data/information in digital forensic context
  • SWOT of current visualization techniques in forensic tools; improvements; feasibility of 3D representation;

See Also