Difference between pages ".XRY" and "Disk Imaging"

From Forensics Wiki
{{Infobox_Software |
  name = XRY |
  maintainer = [[Micro Systemation]] |
  os = {{Windows}} |
  genre = {{Mobile forensics}} |
  license = {{Commercial}} |
  website = [http://www.msab.com www.msab.com] |
}}

'''XRY''', pronounced "ex-arr-why", is a forensic system specifically designed for analyzing mobile digital devices, written by [[Micro Systemation]]. The software is designed to run on a Windows computer and retrieves information from mobile phones for immediate display of the results; alternatively, the files can be saved for later analysis. At the time of writing, support levels included smartphones, GPS units and mobile tablets such as the iPad.

== Overview ==
XRY comes complete as a package containing both hardware and software to read the device information. XRY currently includes the following hardware in the package: XRY Communications Unit, SIM Card Reader, Clone SIM Cards, Write-Protected Memory Card Reader and a complete set of cables.

The hardware is connected to a Windows computer using a USB cable and is capable of displaying immediate results from the device extraction.

The software can grab phone book information, SMS and other text messages, call lists, calendar entries, task items, pictures, media files, and SIM card information. XRY also retrieves a lot of information about the phone itself, such as IMEI/ESN, IMSI, model number, how the clock in the telephone matches the clock of the computer, etc. The latest version includes support for some smartphone applications such as Facebook, Myspace, Skype and Gmail.

The system generates an encrypted file called .XRY which contains a copy of all the information retrieved from the phone. The company also licenses customers to distribute its XRY Reader application free of charge, so these secure encrypted files can be read by authorized third parties.

== Supported devices ==
The tool supports more than 4,000 different mobile device profiles including [[GSM]], [[UMTS]] and [[CDMA]] phones. SIM cards are supported as well. Smartphones such as Android, BlackBerry, iPhone, Symbian and Windows Mobile are also supported.

XRY is one of a limited number of mobile forensic products which also offers Physical Extraction capabilities on devices to gain access to potentially more information from a device, including deleted data.

== XRY Reader ==
XRY creates a report containing the user's own logotype, address, etc. and the basic required information. The generated report can either be printed out, exported in whole or in part, or forwarded electronically with .XRY Reader, which is distributed for free. A search function simplifies the task of searching for a particular name/number or some other type of text.

== External Links ==
* [http://www.msab.com/en/mobile-forensic-products/XRY-Mobile-Version-Forensic-Software/ Official web site]


{{expand}}

Disk imaging is the process of making a bit-by-bit copy of a disk. Imaging (in more general terms) can apply to anything that can be considered a bit-stream, e.g. physical or logical volumes, network streams, etc.

The most straightforward disk imaging method is reading a disk from start to end and writing the data to a [[:Category:Forensics_File_Formats|Forensics image format]]. This can be a time consuming process, especially for disks with a large capacity.

The process of disk imaging is also referred to as disk duplication.

== Disk Imaging Solutions ==
See: [[:Category:Disk Imaging|Disk Imaging Solutions]]

== Common practice ==
It is common practice to use a [[Write Blockers|Write Blocker]] when imaging a physical disk. The write blocker is an additional measure to prevent write access to the disk.

Also see: [[DCO and HPA|Device Configuration Overlay (DCO) and Host Protected Area (HPA)]]

== Integrity ==
Often when creating a disk image a [http://en.wikipedia.org/wiki/Cryptographic_hash_function cryptographic hash] is calculated over the entire disk. Commonly used cryptographic hashes are MD5, SHA1 and/or SHA256.

By recalculating the integrity hash at a later time, one can determine whether the data in the disk image has been changed. This by itself provides no protection against intentional tampering, but can indicate that the data was altered, e.g. due to corruption. The integrity hash does not indicate where in the data the alteration has occurred. Therefore some image tools and/or formats provide additional integrity checks like:
* A checksum
* Parity data
* [[Piecewise hashing]]

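The difference between a whole-image hash and piecewise hashes, as an added example that is not part of the wiki page: the whole-image hash only says that something changed, the per-chunk hashes narrow it down to the chunk. The chunk size and the sample image are assumptions made for the example.

```python
import hashlib

CHUNK_SIZE = 4096  # piecewise hash granularity (assumed; real tools choose their own)

def image_hashes(data: bytes, chunk_size: int = CHUNK_SIZE):
    """Return the whole-image SHA-256 plus one SHA-256 per fixed-size chunk."""
    whole = hashlib.sha256(data).hexdigest()
    pieces = [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
              for i in range(0, len(data), chunk_size)]
    return whole, pieces

def verify(data: bytes, whole: str, pieces: list, chunk_size: int = CHUNK_SIZE):
    """Recompute the hashes over a copy of the image.

    Returns (intact, altered_chunks): the whole-image hash answers "was anything
    changed?", the piecewise hashes answer "where?" (0-based chunk indices).
    """
    new_whole, new_pieces = image_hashes(data, chunk_size)
    if new_whole == whole:
        return True, []
    altered = [i for i, (old, new) in enumerate(zip(pieces, new_pieces)) if old != new]
    # a truncated or grown image: every chunk beyond the shorter list is suspect
    shorter, longer = sorted((len(pieces), len(new_pieces)))
    altered += list(range(shorter, longer))
    return False, altered

def constructed_image(chunks: int = 8) -> bytes:
    """Constructed sample 'disk image': a deterministic byte pattern, not real data."""
    return bytes(range(256)) * (chunks * CHUNK_SIZE // 256)

if __name__ == "__main__":
    image = constructed_image()
    whole, pieces = image_hashes(image)           # hashes recorded at imaging time
    damaged = bytearray(image)
    damaged[5 * CHUNK_SIZE + 10] ^= 0xFF          # simulate a single corrupted byte
    print(verify(image, whole, pieces))           # (True, [])
    print(verify(bytes(damaged), whole, pieces))  # (False, [5])
```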
== Smart imaging ==
Smart imaging is a combination of techniques to make the imaging process more intelligent.
* Compressed storage
* Deduplication
* Selective imaging
* Decryption while imaging

=== Compressed storage ===
A common technique to reduce the size of an image file is to compress the data; the compression method should be [http://en.wikipedia.org/wiki/Lossless_data_compression lossless].
On modern computers with multiple cores, the compression can be done in parallel, reducing the output size without prolonging the imaging process.
Since the write speed of the target disk can be a bottleneck in the imaging process, parallel compression can reduce the total time of the imaging process.
[[Guymager]] was one of the first imaging tools to implement the concept of multi-process compression for the [[Encase image file format]]. This technique is now used by various imaging tools, including [http://www.tableau.com/index.php?pageid=products&model=TSW-TIM Tableau Imager (TIM)].

Other techniques, like storing the data sparse using '''empty-block compression''' or '''pattern fill''', can reduce the total time of the imaging process and the resulting image size for new, non-encrypted (0-byte filled) disks.

=== Deduplication ===
Deduplication is the process of detecting data that occurs more than once on the disk and storing it only once in the image.
It is even possible to store the data once for a corpus of images, using techniques like hash based imaging.

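The three techniques from the Compressed storage and Deduplication sections above (pattern-fill blocks stored without data, parallel lossless compression, and content-hash deduplication) in one block-level imager, as an added example that is not code from any of the tools named on the page. The block size, the map/store layout and the sample disk are assumptions for the example.

```python
import hashlib
import zlib
from concurrent.futures import ThreadPoolExecutor

BLOCK_SIZE = 4096  # assumed block granularity; real image formats pick their own

def classify(block: bytes):
    """('pattern', fill_byte) for a block of one repeated byte, else ('data', sha256)."""
    if block.count(block[:1]) == len(block):
        return "pattern", block[0]
    return "data", hashlib.sha256(block).hexdigest()

def smart_image(data: bytes, block_size: int = BLOCK_SIZE, workers: int = 4):
    """Return (block_map, store): the map lists every block in disk order, the
    store holds each unique data block exactly once, compressed with zlib."""
    block_map, unique = [], {}
    for i in range(0, len(data), block_size):
        block = data[i:i + block_size]
        kind, key = classify(block)
        block_map.append((kind, key, len(block)))  # pattern blocks need no storage
        if kind == "data" and key not in unique:
            unique[key] = block                       # deduplicate by content hash
    # zlib releases the GIL, so a thread pool compresses the unique blocks in parallel
    with ThreadPoolExecutor(max_workers=workers) as pool:
        store = dict(zip(unique.keys(), pool.map(zlib.compress, unique.values())))
    return block_map, store

def restore(block_map, store) -> bytes:
    """Rebuild the original bit-stream from the map and the store (lossless)."""
    out = bytearray()
    for kind, key, length in block_map:
        if kind == "pattern":
            out += bytes([key]) * length
        else:
            out += zlib.decompress(store[key])
    return bytes(out)

def stored_size(store) -> int:
    """Bytes actually written for block data (the map itself is not counted)."""
    return sum(len(c) for c in store.values())

def constructed_disk() -> bytes:
    """Constructed sample disk: two zero-filled blocks, a text block that occurs
    twice, one high-entropy block and a 0xFF-filled block (not real data)."""
    text = (b"forensics wiki disk imaging example " * 200)[:BLOCK_SIZE]
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                     for i in range(BLOCK_SIZE // 32))
    return b"\x00" * (2 * BLOCK_SIZE) + text + noise + text + b"\xff" * BLOCK_SIZE
```

Only the high-entropy block costs roughly its own size in the store; the fill blocks cost nothing and the repeated text block is stored once, which is why encrypted disks (the Decryption while imaging case below) gain nothing from this.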
=== Selective imaging ===
Selective imaging is a technique that copies only certain information on a disk, like the $MFT on an [[NTFS]] volume, together with the necessary contextual information.

[[EnCase]] Logical Evidence Format (LEF) is an example of a selective image format, although only file-related contextual information is stored in the format by [[EnCase]].

=== Decryption while imaging ===
Encrypted data is the worst-case scenario for compression. Because the encryption process should be deterministic, a solution to reduce the size of an encrypted image is to store it non-encrypted and compressed, and to encrypt it again on-the-fly if required. This should rarely be needed, since the non-encrypted data is what undergoes analysis.

== Also see ==
* [[:Category:Forensics_File_Formats|Forensics File Formats]]
* [[Write Blockers]]
* [[Piecewise hashing]]
* [[Memory Imaging]]

== External Links ==
* [http://www.tableau.com/pdf/en/Tableau_Forensic_Disk_Perf.pdf Benchmarking Hard Disk Duplication Performance in Forensic Applications], by [[Robert Botchek]]

=== Hash based imaging ===
* [http://www.dfrws.org/2010/proceedings/2010-314.pdf Hash based disk imaging using AFF4], by [[Michael Cohen]], [[Bradley Schatz]]

[[Category:Disk Imaging]]

Revision as of 04:29, 28 July 2012

