Difference between pages "Research Topics" and "Virtual machine"

From Forensics Wiki

Research Topics

Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas.

Many of these would make a nice master's project.

= Programming/Engineering Projects =

== Small-Sized Projects ==

; Sleuthkit:
* Rewrite SleuthKit '''sorter''' in C++ to make it faster and more flexible.

; tcpflow:
* Modify [[tcpflow]]'s iptree.h implementation so that it only stores discriminating bit prefixes in the tree, similar to D. J. Bernstein's [http://cr.yp.to/critbit.html Crit-bit] trees.
* Determine why [[tcpflow]]'s iptree.h implementation's ''prune'' works differently when caching is enabled than when it is disabled.

== Medium-Sized Projects ==

=== Forensic File Viewer ===
* Create a program that visualizes the contents of a file, sort of like hexedit, but with other features:
** Automatically pull out the strings
** Show a histogram
** Detect crypto and/or steganography.
* Extend SleuthKit's [[fiwalk]] to report the NTFS alternate data streams.

=== Data Sniffing ===
* Create a method to detect NTFS-compressed cluster blocks on a disk (RAW data stream). A method could be to write a generic signature to detect the beginning of NTFS-compressed file segments on a disk. This method is useful in carving and scanning for textual strings.

=== SleuthKit Modifications ===
* Write a FUSE-based mounter for SleuthKit, so that disk images can be forensically mounted using TSK.
* Modify SleuthKit's API so that the physical location on disk of compressed files can be learned.

=== Anti-Forensics Detection ===
* A pluggable rule-based system that can detect the residual data or other remnants of running a variety of anti-forensics software.

=== Carvers ===
Develop a new carver with a plug-in architecture and support for fragment reassembly carving. Take a look at:
* [[Carver 2.0 Planning Page]]
* ([mailto:rainer.poisel@gmail.com Rainer Poisel]) [https://github.com/rpoisel/mmc Multimedia File Carver], which allows for the reassembly of fragmented multimedia files.

=== Correlation Engine ===
* Logfile correlation
* Document identity identification
* Correlation between stored data and intercept data
* Online Social Network Analysis

=== Data Snarfing/Web Scraping ===
* Find and download in a forensically secure manner all of the information in a social network (e.g. Facebook, LinkedIn, etc.) associated with a targeted individual.
* Determine who is searching for a targeted individual. This might be done with a honeypot, or documents with a tracking device in them, or some kind of covert Facebook App.

=== Timeline analysis ===
* Automated grouping/annotation of low-level events, e.g. access-time, log-file entry, to higher-level events, e.g. program start, login
* Mapping differences and similarities in multiple versions of a system, e.g. those created by [[Windows Shadow Volumes]], but not limited to those
* Write a new timeline viewer that supports logfile fusion (with offsets) and provides the ability to view the logfile in the frequency domain.

=== Enhancements for Guidance Software's EnCase ===
* Develop an EnScript that allows you to script EnCase from Python. (You can do this because EnScripts can run arbitrary DLLs. The EnScript calls the DLL. Each "return" from the DLL is a specific EnCase command to execute. The EnScript then re-enters the DLL.)

== Reverse-Engineering Projects ==

=== Application analysis ===
* Reverse the on-disk structure of the [[Extensible Storage Engine (ESE) Database File (EDB) format]] to learn:
** Fill in the missing information about older ESE databases
** Exchange EDB (MAPI database), STM
** Active Directory (Active Directory working document available on request)
* Reverse the on-disk structure of the Lotus [[Notes Storage Facility (NSF)]]
* Reverse the on-disk structure of Microsoft SQL Server databases

=== Volume/File System analysis ===
* Analysis of inter-snapshot changes in [[Windows Shadow Volumes]]
* Modify SleuthKit's NTFS implementation to support NTFS encrypted files (EFS)
* Extend SleuthKit's implementation of NTFS to cover Transactional NTFS (TxF) (see [[NTFS]])
* Physical layer access to flash storage (requires reverse-engineering proprietary APIs for flash USB and SSD storage.)
* Add support to SleuthKit for [[Resilient File System (ReFS)|ReFS]].

== Error Rates ==
* Develop improved techniques for identifying encrypted data. (It's especially important to distinguish encrypted data from compressed data.)
* Quantify the error rate of different forensic tools and processes. Are these rates theoretical or implementation dependent? What is the interaction of the error rates and the [[Daubert]] standard?

== Research Areas ==
These are research areas that could easily grow into a PhD thesis.
* General-purpose detection of:
** Steganography
** Sanitization attempts
** Evidence falsification (perhaps through inconsistency in file system allocations, application data allocation, and log file analysis)
* Visualization of data/information in a digital forensic context
* SWOT analysis of current visualization techniques in forensic tools; possible improvements; feasibility of 3D representation.

== See Also ==
* [http://itsecurity.uiowa.edu/securityday/documents/guan.pdf Digital Forensics: Research Challenges and Open Problems, Dr. Yong Guan, Iowa State University, Dec. 4, 2007]

__NOTOC__

[[Category:Research]]
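The "identifying encrypted data" item above is hard because entropy alone cannot separate ciphertext from a compressed stream. This added example (not code from the Forensics Wiki) shows that: it constructs pseudo-English text, its zlib stream and a SHA-256 counter-mode keystream standing in for ciphertext (the standard library has no block cipher), then classifies by entropy, container signature and a chi-square fallback whose error rate is exactly what the second item asks to quantify.

```python
"""Entropy, signature and chi-square as an encrypted-vs-compressed triage.
Added example, not from the Forensics Wiki; every input is constructed
here and the ciphertext stand-in is a SHA-256 counter-mode keystream."""
import hashlib
import math
import random
import zlib
from collections import Counter

# Leading bytes of common compressed containers: zlib (3 levels), gzip, bzip2, xz, zip.
MAGIC = [b"\x78\x01", b"\x78\x9c", b"\x78\xda", b"\x1f\x8b", b"BZh",
         b"\xfd7zXZ\x00", b"PK\x03\x04"]

def entropy_bits(data):
    """Shannon entropy in bits per byte, 0..8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chi_square(data):
    """Byte-histogram chi-square against uniform: about 255 (+/- 23) for
    random bytes, higher when coding structure survives in the stream."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def classify(data, chi_limit=400.0):
    """Low entropy is plain data. High entropy is split by container signature
    first; headerless blocks fall back to chi-square, which is where the
    measurable error rate of the method lives (hence the '?')."""
    if entropy_bits(data) < 7.0:
        return "plain"
    if any(data.startswith(m) for m in MAGIC):
        return "compressed"
    return "encrypted" if chi_square(data) < chi_limit else "compressed?"

def keystream(seed, length):
    """Constructed ciphertext stand-in: SHA-256 in counter mode."""
    blocks = (hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def samples():
    """Constructed corpus: pseudo-English text, its zlib stream, keystream."""
    rng = random.Random(2013)
    words = ["evidence", "image", "disk", "cluster", "file", "the", "and",
             "forensic", "sector", "hash", "timeline", "volume", "log"]
    text = " ".join(rng.choice(words) for _ in range(20000)).encode()
    return text, zlib.compress(text, 9), keystream(b"demo-key", len(text))
```

Both the zlib stream and the keystream score above 7 bits/byte, so only the signature check tells them apart reliably; strip the zlib header and the decision rests on the chi-square guess.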
Revision as of 10:24, 19 June 2013

Virtual machine

Creating a VM instance file from a forensic image

There are a number of ways to convert a forensic image to a VM instance. At present, this article provides a series of tools that can convert images to VMDK files.

Creating a VMDK file from a forensic image

Linux tools as included in SIFT

Via the SIFT workstation (free), use the following steps:

1. Open a terminal window
2. sudo su
3. mkdir /mnt/ewf1
4. mount_ewf.py (Encase Image file path) /mnt/ewf1
5. qemu-img convert /mnt/ewf1/(encase image file name) -O vmdk (give_a_name).vmdk

Paladin 4

Paladin 4 (free) can convert DD and E01 images to VMDK as well.

Live View

Live View (open source) is reported as not reliable, but it does work with some images.

EnCase

Use EnCase (commercial) to mount the E01 image as an emulated disk (the Physical Disk Emulator (“PDE”) module must be installed), then use VMware to create a virtual machine from the emulated physical disk. Guidance Software has a good guide on how to do this in their support portal.

Note: EnCase v7 has not been proven to support this; only EnCase 6 has.

VFC - Virtual Forensic Computing

VFC (commercial) is reportedly very good, but trouble booting Windows 2003 servers has been reported. It is a little pricey ($1350 for a corporate license), but per one user it works the vast majority of the time and the developer provides excellent support.

Creating a KVM image

From the Linux command prompt

kvm -hda myimage.dd

Memory can be set as an option, CD drives can be presented, and so on, and there is an option equivalent to VMware's non-persistent mode.

Warning: It has been determined that using kvm's non-persistent mode can still result in an altered image. Always, always, always work from a copy.

Using the VMDK file

Once you have the VMDK file, you can create a virtual machine in VirtualBox or VMware Workstation and use the VMDK as an existing hard disk for the virtual machine. I prefer VMware Workstation because it has a non-persistent mode that writes changes to a cache file rather than to the forensic image itself, which preserves the image's integrity.
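The KVM warning and the non-persistent-mode remark above both come down to one check: the image must hash the same after the session as before. This added example (not part of the Forensics Wiki page) builds the qemu-img command for a qcow2 overlay so the guest never opens the raw image for writing, and wraps the session in a streaming SHA-256 before/after comparison run on a small constructed file; `qemu-img create -F` is the backing-format flag of current qemu-img, and nothing here executes it.

```python
"""Hash the image, boot an overlay instead of the image, hash again.
Added example, not from the Forensics Wiki; the demo works on a
constructed 8 KiB file and only builds (never runs) the qemu-img call."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads; forensic images do not fit in memory

def sha256_file(path):
    """Streaming SHA-256 of a (possibly very large) file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def overlay_command(base_image, overlay="session.qcow2", base_fmt="raw"):
    """qemu-img call that sends all guest writes to `overlay`; boot the
    overlay (kvm -hda session.qcow2) instead of the .dd itself."""
    return ["qemu-img", "create", "-f", "qcow2", "-F", base_fmt,
            "-b", os.path.abspath(base_image), overlay]

def verify_unchanged(path, expected_digest):
    """True when the image still hashes to the pre-session value."""
    return sha256_file(path) == expected_digest

def demo():
    """Constructed 'image': the intact check passes, then a single leaked
    two-byte write is caught by the post-session re-hash."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")
        with open(img, "wb") as f:  # constructed stand-in for a disk image
            f.write(b"\x00" * 4096 + b"NTFS    " + b"\x00" * 4088)
        before = sha256_file(img)
        intact = verify_unchanged(img, before)  # a VM session would go here
        with open(img, "r+b") as f:             # emulate a write leaking through
            f.seek(510)
            f.write(b"\x55\xaa")
        return intact, verify_unchanged(img, before)
```

Record the pre-session digest alongside the image; a mismatch afterwards means the copy you booted is no longer evidence-grade, which is exactly why the page says to always work from a copy.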

External Links

* How to Create a Virtual Machine from a Raw Hard Drive Image: http://www.myfixlog.com/fix.php?fid=35