Difference between pages "Forensic Live CD issues" and "Upcoming events"

From ForensicsWiki

= Upcoming events =

<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
When events begin on the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. Please use three-letter month abbreviations (e.g. Sep, NOT Sept. or September), use two-digit dates (e.g. Jan 01, NOT Jan 1), and use date ranges rather than listing every date during an event (e.g. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience. Such restrictions should be noted when known.</i>

This is a BY DATE listing of upcoming events relevant to [[digital forensics]]. It is not an all-inclusive list, but it includes most well-known activities. Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.

This listing is divided into three sections (described as follows):<br>
<ol><li><b><u>[[Upcoming_events#Calls_For_Papers|Calls For Papers]]</u></b> - Calls for papers for either journals or conferences relevant to digital forensics (Name, Closing Date, URL)</li><br>
<li><b><u>[[Upcoming_events#Conferences|Conferences]]</u></b> - Conferences relevant to digital forensics (Name, Date, Location, URL)</li><br>
<li><b><u>[[Training Courses and Providers]]</u></b> - Training</li><br></ol>

== Calls For Papers ==
Please help us keep this up to date with deadlines for upcoming conferences that would be appropriate for forensic research.

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="30%"|Title
! width="15%"|Due Date
! width="15%"|Notification Date
! width="40%"|Website
|-
|67th Annual Scientific Meeting of the American Academy of Forensic Sciences
|Aug 01, 2014
|Nov 01, 2014
|http://www.aafs.org
|-
|Eleventh Annual IFIP WG 11.9 International Conference on Digital Forensics
|Oct 01, 2014
|Nov 15, 2014
|http://www.ifip119.org
|-
|}

See also [http://www.wikicfp.com/cfp/servlet/tool.search?q=forensics WikiCFP 'Forensics']

== Conferences ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="40%"|Title
! width="20%"|Date/Location
! width="40%"|Website
|-
|12th International Conference on Applied Cryptography and Network Security
|Jun 10-13<br>Lausanne, Switzerland
|http://acns2014.epfl.ch/
|-
|2nd ACM Workshop on Information Hiding and Multimedia Security
|Jun 11-13<br>Salzburg, Austria
|http://www.ihmmsec.org/
|-
|54th Conference on Audio Forensics
|Jun 12-14<br>London, England
|http://www.aes.org/conferences/54/
|-
|Cyber and NetCentric Workshop (Requires US Security Clearance)
|Jun 17-19<br>Lincoln Laboratories, Lexington, MA
|https://conferences.ll.mit.edu/cnw/
|-
|2014 USENIX Annual Technical Conference
|Jun 19-20<br>Philadelphia, PA, USA
|https://www.usenix.org/conference/atc14
|-
|26th Annual FIRST Conference: Back to the ‘root’ of Incident Response
|Jun 22-27<br>Boston, MA
|http://www.first.org/conference/2014
|-
|44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
|Jun 23-26<br>Atlanta, GA, USA
|http://www.dsn.org/
|-
|Symposium On Usable Privacy and Security (SOUPS) 2014
|Jul 09-11<br>Menlo Park, CA, USA
|http://cups.cs.cmu.edu/soups/2014/
|-
|11th Conference on Detection of Intrusions and Malware & Vulnerability Assessment
|Jul 10-11<br>Egham, UK
|http://dimva2014.isg.rhul.ac.uk/
|-
|Black Hat USA 2014
|Aug 02-07<br>Las Vegas, NV, USA
|https://www.blackhat.com
|-
|DFRWS 2014
|Aug 03-06<br>Denver, CO, USA
|http://dfrws.org/2014/index.shtml
|-
|23rd USENIX Security Symposium
|Aug 20-22<br>San Diego, CA, USA
|https://www.usenix.org/conferences
|-
|2014 HTCIA International Conference & Training Expo
|Aug 25-27<br>Austin, TX
|http://www.htcia.org/2013/11/2014-htcia-international-conference-training-expo/
|-
|International Conference on Availability, Reliability and Security (ARES)
|Sep 08-12<br>Fribourg, Switzerland
|http://www.ares-conference.eu/conference/
|-
|The New Security Paradigms Workshop (NSPW)
|Sep 15-18<br>Victoria, British Columbia, Canada
|http://www.nspw.org/2014
|-
|6th International Conference on Digital Forensics & Cyber Crime co-hosted with the Systematic Approaches to Digital Forensic Engineering (SADFE)
|Sep 18-20<br>New Haven, CT
|http://d-forensics.org/2014/show/home
|-
|17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
|Sep 24-26<br>Gothenburg, Sweden
|http://www.raid2014.eu/
|-
|24th Virus Bulletin International Conference
|Sep 24-26<br>Seattle, WA
|http://www.virusbtn.com/conference/vb2014/index
|-
|25th Annual Conference & Digital Multimedia Evidence Training Symposium
|Oct 06-10<br>Coeur d’Alene, ID, USA
|http://www.leva.org/annual-training-conference/
|-
|5th Annual Open Source Digital Forensics Conference (OSDFCon)
|Nov 05<br>Herndon, VA
|http://www.basistech.com/osdfcon/
|-
|CyberCrime and Electronic Discovery Symposium 2014
|Nov 05-07<br>Baton Rouge, Louisiana
|http://www.ceds2014.com
|-
|2014 Annual Computer Security Applications Conference (ACSAC)
|Dec 08-12<br>New Orleans, LA
|http://www.acsac.org/
|-
|Eleventh Annual IFIP WG 11.9 International Conference on Digital Forensics
|Jan 26-28<br>Orlando, FL
|http://www.ifip119.org
|-
|67th Annual Scientific Meeting of the American Academy of Forensic Sciences
|Feb 16-25<br>Orlando, FL
|http://www.aafs.org
|-
|}

==See Also==
* [[Training Courses and Providers]]

==References==
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
* [http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]

= Forensic Live CD issues =

== The problem ==
[[Live CD|Forensic Live CDs]] are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions spread false claims that their distributions "do not touch anything", "write protect everything" and so on. Unfortunately, community-developed distributions are no exception here. Moreover, it turns out that many Linux-based forensic Live CDs are not tested properly, and no suitable test cases have been published.

== Another side of the problem ==
Another side of the problem of insufficient testing of forensic Live CDs is that many users do not know what happens "under the hood" of the provided operating system and therefore cannot test it adequately.

=== Example ===
For example, [http://forensiccop.blogspot.com/2009/10/forensic-cop-journal-13-2009.html ''Forensic Cop Journal'' (Volume 1(3), Oct 2009)] describes a test case in which an Ext3 file system was mounted with the "-o ro" mount flag as a way to write-protect the data. The article says that all tests were successful (i.e. no data modification was found after unmounting the file system), but it is known that damaged (i.e. not cleanly unmounted) Ext3 file systems cannot be write-protected by the "-o ro" mount flag alone: the kernel enables write access to the device while it replays the journal during file system recovery.

And the question is: will many users test a damaged Ext3 file system (as well as a clean one) when validating their favourite forensic Live CD distribution? My answer is "no", because many users are unaware of such traits.

== Problems ==
Each problem is followed by a list of distributions affected (currently this list is not up to date).

=== Journaling file system updates ===
When several journaling file systems are mounted (and unmounted) with only the "-o ro" mount flag, data writes may still occur; how many depends on the file system. Here is a list of such file systems:
{| class="wikitable" border="1"
|-
! File system
! When data writes happen
! Notes
|-
| Ext3
| File system requires journal recovery
| To disable recovery: use the "noload" flag, or use the "ro,loop" flags, or mount with the "ext2" file system type
|-
| Ext4
| File system requires journal recovery
| To disable recovery: use the "noload" flag, or use the "ro,loop" flags, or mount with the "ext2" file system type
|-
| ReiserFS
| File system has unfinished transactions
| The "nolog" flag does not work (see ''man mount''). To disable journal updates: use the "ro,loop" flags
|-
| XFS
| Always (when unmounting)
| The "norecovery" flag does not help (fixed in recent 2.6 kernels). To disable data writes: use the "ro,loop" flags.
|}

File systems on evidentiary media may be mounted with incorrect mount flags during the boot process or during the file system preview process. As described above, this may result in data writes to evidentiary media. For example, several Ubuntu-based forensic Live CD distributions mount and recover damaged Ext3/4 file systems on fixed media (e.g. hard drives) while executing [http://en.wikipedia.org/wiki/Initrd ''initrd''] scripts (these scripts mount every supported file system type on every supported media type using only the "-o ro" flag in order to find a root file system image).

[[Image:ext3 recovery.png|thumb|right|[[Helix3]]: damaged Ext3 recovery during the boot]]

List of distributions that recover Ext3 (and sometimes Ext4) file systems during the boot:

{| class="wikitable" border="1"
|-
! Distribution
! Version
|-
| Helix3
| 2009R1
|-
| SMART Linux (Ubuntu)
| 2010-01-20
|-
| FCCU GNU/Linux Forensic Boot CD
| 12.1
|-
| SPADA
| 4
|-
| DEFT Linux
| 7
|}

=== Orphan inodes deletion ===

When Ext3/4 file systems are mounted, all orphan inodes are removed, even if the "-o ro" mount flag was specified. Currently, there is no specific mount flag to disable orphan inode deletion. The only solution here is to use the "-o ro,loop" flags.
 
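The journal-recovery table and the orphan-inode note above reduce to one recipe: never let the kernel see a writable block device, and for Ext3/4 additionally tell it not to load the journal. The shell script below is an added example (it is not from the ForensicsWiki page and not code from any distribution it lists) that applies that recipe to a disk image through an explicitly read-only loop device (the long form of the page's "ro,loop" advice) and hashes the image before and after to show that nothing was written. It assumes util-linux `losetup`/`mount` and coreutils `sha256sum`; the function names, the `/mnt/evidence` mount point and the image path in the usage line are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the ForensicsWiki page): mount a file system image
# read-only the way the table above recommends, then verify afterwards that
# the image bytes did not change. Assumes util-linux (losetup, mount) and
# coreutils (sha256sum). Mounting needs root; the option logic and the hash
# check run unprivileged.

# Mount options that keep the kernel from replaying the journal.
# Per the table: ext3/ext4 accept "noload"; ReiserFS and XFS have no
# working flag, so for them the only protection is the read-only loop
# device set up below.
forensic_mount_opts() {
    case "$1" in
        ext3|ext4)    printf 'ro,noload' ;;
        reiserfs|xfs) printf 'ro' ;;
        *)            return 1 ;;
    esac
}

# Attach IMAGE to a loop device that is itself read-only (losetup -r).
# A driver that still wants to write (XFS at unmount, ReiserFS replay,
# ext3/4 orphan-inode cleanup) then gets an I/O error instead of silently
# modifying the image. Prints the loop device name.
attach_readonly_loop() {
    losetup --find --show --read-only "$1"
}

# Mount IMAGE (of type FSTYPE) at MOUNTPOINT through a read-only loop
# device and print the loop device used. Fails for file system types the
# table above does not cover rather than guessing options for them.
forensic_mount() {
    image=$1; fstype=$2; mountpoint=$3
    opts=$(forensic_mount_opts "$fstype") || {
        echo "no safe mount recipe for '$fstype'" >&2
        return 1
    }
    dev=$(attach_readonly_loop "$image") || return 1
    mount -t "$fstype" -o "$opts" "$dev" "$mountpoint" || return 1
    printf '%s\n' "$dev"
}

# SHA-256 of a file (or block device), printed as a bare hex string.
image_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Succeed only when the before/after hashes are identical.
verify_unchanged() {
    [ "$1" = "$2" ]
}

# Hash, mount, inspect, unmount, detach, hash again. Any difference means
# the supposedly read-only mount wrote to the evidence.
main() {
    img=$1; fstype=$2; mnt=$3
    before=$(image_hash "$img")
    dev=$(forensic_mount "$img" "$fstype" "$mnt") || return 1
    ls -la "$mnt"
    umount "$mnt"
    losetup --detach "$dev"
    after=$(image_hash "$img")
    if verify_unchanged "$before" "$after"; then
        echo "image unchanged ($after)"
    else
        echo "WARNING: image modified by the mount ($before -> $after)" >&2
        return 1
    fi
}

# Usage (as root): sh mount_ro.sh /evidence/disk.raw ext3 /mnt/evidence
if [ $# -eq 3 ]; then main "$@"; fi
```

The same `image_hash` call works on a physical device node, so the before/after comparison can be run against `/dev/sdX` when validating a Live CD's boot behaviour on a test drive; the read-only loop device is what makes the check pass by construction for an image file, which is exactly the property a plain "-o ro" mount of a dirty Ext3 volume does not have.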
=== Root file system spoofing ===

''See also: [[Early userspace | early userspace]]''

Most Ubuntu-based forensic Live CD distributions use Casper (a set of scripts that complete the initialization process during the early stage of boot). Casper is responsible for searching all supported devices for a root file system (typically an image of the live environment), because the bootloader does not pass the kernel any information about the device it booted from; Casper then mounts that file system and executes the ''/sbin/init'' program from it, which continues the boot process. Unfortunately, Casper was not designed to meet computer forensics requirements, and it is responsible both for the recovery of damaged Ext3/4 file systems during the boot (see above) and for root file system spoofing.

[[Image:Grml.png|thumb|right|[[grml]] mounted root file system from the [[hard drive]]]]

Currently, Casper may select a fake root file system image found on evidentiary media (e.g. an [[Hard Drive|HDD]]), because no authenticity checks are performed (apart from an optional UUID check on a candidate live file system), and such a fake root file system image can be used to execute malicious code with root privileges during the boot. Knoppix-based forensic Live CD distributions are vulnerable to the same attack.
 
List of Ubuntu-based distributions that allow root file system spoofing:

{| class="wikitable" border="1"
|-
! Distribution
! Version
|-
| Helix3
| 2009R1
|-
| Helix3 Pro
| 2009R3
|-
| CAINE
| 1.5
|-
| DEFT Linux
| 5
|-
| Raptor
| 2.0
|-
| BackTrack
| 4
|-
| SMART Linux (Ubuntu)
| 2010-01-20
|-
| FCCU GNU/Linux Forensic Boot CD
| 12.1
|}

Vulnerable Knoppix-based distributions include: SPADA, LinEn Boot CD, BitFlare.

The [http://anti-forensics.ru/ Anti-Forensics.Ru project] [http://digitalcorpora.org/corp/images/aor/ released several ISO 9660 images] used to test various Linux Live CD distributions for root file system spoofing (a description of all images is [http://anti-forensics.ru/casper/ here]).
 
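A defender-side check for the Casper behaviour described in this section, added here as an example (it is not part of the ForensicsWiki page and not code from Casper or any listed distribution): after boot, confirm that the medium Casper mounted is the device you actually booted from rather than a partition on attached evidence. It assumes the Casper layout of the boot medium at `/cdrom` and the live image at `/rofs`, parses `/proc/mounts`-style text, and uses constructed sample lines so it can be exercised without a live system; the function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the ForensicsWiki page or from Casper): verify
# that the live medium mounted during early boot is the expected boot
# device. Assumes Casper's mount points (/cdrom for the medium, /rofs for
# the squashfs image). Input is /proc/mounts text passed as a string so the
# check can be run against constructed samples.

# Constructed /proc/mounts samples: a clean boot from an optical drive, and
# a boot where the "medium" Casper picked is a partition on a fixed disk,
# i.e. the spoofing case from the page.
MOUNTS_CLEAN='/dev/sr0 /cdrom iso9660 ro,noatime 0 0
/dev/loop0 /rofs squashfs ro,noatime 0 0
overlayfs / overlayfs rw,relatime 0 0'
MOUNTS_SPOOFED='/dev/sda1 /cdrom ext3 ro,noatime 0 0
/dev/loop0 /rofs squashfs ro,noatime 0 0
overlayfs / overlayfs rw,relatime 0 0'

# Print the source device of MOUNTPOINT ($2) from mounts text ($1);
# prints nothing when the mount point is absent.
mount_source() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $1; exit }'
}

# check_live_medium MOUNTS_TEXT [MOUNTPOINT] [EXPECTED_DEVICE]
# Prints one of:
#   ok                 the medium is the expected device (or, with no
#                      expectation given, an optical drive)
#   mismatch:<dev>     an expected device was given and this is not it
#   suspicious:<dev>   no expectation given and the medium is a partition
#                      on a fixed/attached disk, where evidence would live
#   unknown:<dev>      something else; inspect by hand
#   missing            no medium mount at all
check_live_medium() {
    dev=$(mount_source "$1" "${2:-/cdrom}")
    expected=${3:-}
    if [ -z "$dev" ]; then
        echo "missing"; return 2
    fi
    if [ -n "$expected" ]; then
        if [ "$dev" = "$expected" ]; then echo "ok"; return 0; fi
        echo "mismatch:$dev"; return 1
    fi
    case "$dev" in
        /dev/sr*|/dev/scd*)                       echo "ok"; return 0 ;;
        /dev/sd*|/dev/hd*|/dev/nvme*|/dev/mmcblk*) echo "suspicious:$dev"; return 1 ;;
        *)                                        echo "unknown:$dev"; return 1 ;;
    esac
}

# Convenience wrapper for a running system: reads the real mount table.
check_running_system() {
    check_live_medium "$(cat /proc/mounts)" /cdrom "${1:-}"
}
```

On a live system, `check_running_system /dev/sr0` is the strict form; pass the device you booted from explicitly, because a USB-booted live system legitimately shows `/dev/sdX` under `/cdrom` and the optical-drive heuristic would flag it. The heuristic form is only a first triage: the page's point is that Casper performs no authenticity check, so knowing where the root image came from is the investigator's job.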
=== Swap space activation ===

''Feel free to add information about swap space activation during the boot in some distributions''

=== Incorrect mount policy ===

==== rebuildfstab and scanpartitions scripts ====

Several forensic Linux Live CD distributions (Helix3 2009R1, Helix3 Pro 2009R3, old versions of CAINE, old versions of grml) use the rebuildfstab and scanpartitions scripts to create entries for attached devices in ''/etc/fstab''. Some versions of these scripts use the wrong wildcard when searching for available block devices (''/dev/?d?'' instead of ''/dev/?d*''); as a result several "exotic" devices (like /dev/sdad, /dev/sdad1, etc.) are missed, and mounting them causes data writes (because ''/etc/fstab'' lacks read-only mount options for these devices).
 
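To make the wildcard defect above concrete, here is an added example (it is not the rebuildfstab or scanpartitions script and not from the ForensicsWiki page) that builds a fake /dev directory containing the device names in question, shows what each pattern matches, and emits read-only fstab lines for everything the fixed pattern finds. The device names are constructed; the `/mnt/<device>` mount points and the option set `ro,noauto,noexec,nosuid` are assumptions made here, not the scripts' own.

```shell
#!/bin/sh
# Added example (not from the ForensicsWiki page or the rebuildfstab /
# scanpartitions scripts): reproduce the "?d?" versus "?d*" wildcard
# defect on a constructed fake /dev directory, and generate fstab entries
# with read-only options for every device the fixed pattern finds.

# Build a temporary directory with the device names a system with many
# attached disks could expose, including the "exotic" sdad and sdad1
# that the page names.
make_fake_dev() {
    d=$(mktemp -d)
    for n in sda sda1 sda2 sdb hda hda1 sdad sdad1; do
        : > "$d/$n"
    done
    printf '%s' "$d"
}

# List entries of DIR ($1) matching the shell pattern GLOB ($2), one per
# line, in glob (sorted) order. The -e test drops the literal pattern the
# shell leaves behind when nothing matches.
match_devices() {
    ( cd "$1" && for f in $2; do
          if [ -e "$f" ]; then printf '%s\n' "$f"; fi
      done )
}

# The buggy pattern from the old scripts: exactly one character after the
# "d", so sdad and every partition name are invisible to it.
devices_buggy() { match_devices "$1" '?d?'; }

# The corrected pattern: anything after the "d".
devices_fixed() { match_devices "$1" '?d*'; }

# Emit one /etc/fstab line per device found with the fixed pattern, each
# with read-only options, so that a later "mount /mnt/sdad1" cannot write
# to the evidence. noauto: never mounted automatically at boot;
# noexec/nosuid: nothing on the evidence is executed or gains privilege.
fstab_entries() {
    devices_fixed "$1" | while read -r dev; do
        printf '/dev/%s /mnt/%s auto ro,noauto,noexec,nosuid 0 0\n' "$dev" "$dev"
    done
}

# Demonstration on the constructed directory.
main() {
    d=$(make_fake_dev)
    echo "buggy '?d?' finds: $(devices_buggy "$d" | tr '\n' ' ')"
    echo "fixed '?d*' finds: $(devices_fixed "$d" | tr '\n' ' ')"
    echo "fstab entries from the fixed pattern:"
    fstab_entries "$d"
    rm -rf "$d"
}

main
```

Run against the constructed directory, the buggy pattern reports only `hda sda sdb`, while the fixed one also reports `sdad` and `sdad1` along with every partition, which is why an fstab built from the buggy list left those devices without `ro` and let a routine mount write to them.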
=== Incorrect write-blocking approach ===

Some forensic Linux Live CD distributions rely on the [[hdparm]] and [[blockdev]] programs to mount file systems in read-only mode (by setting the underlying block device to read-only mode). Unfortunately, setting the block device to read-only mode does not guarantee that [http://archives.free.net.ph/message/20090721.105120.99250e3f.en.html no write commands will be passed to the drive].

== External links ==

* [http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators_2.pdf Linux for computer forensic investigators: problems of booting trusted operating system]
* [http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators.pdf Linux for computer forensic investigators: «pitfalls» of mounting file systems]

[[Category:Live CD]]

Revision as of 14:24, 13 June 2014
