Difference between pages "Snorkel" and "Forensic Disk Differencing"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Image File Formats Understood)
 
m (See Also)
 
Line 1: Line 1:
{{Infobox_Software |
+
Forensic Disk Differencing is the process of taking two or more disk images from the same computer and determining what changes in the first disk image might have resulted in the changes that are observed in the second. One common use of differencing is to determine what an attacker did during a break-in. To be used for this purpose, it is necessary to have a forensic disk image of the computer before the break-in and after the break-in.
  name = Snorkel |
+
  maintainer = NFI |
+
  os = Java |
+
  genre = {{Analysis}}  |
+
  license = proprietary |
+
  website = [http://www.holmes.nl/NFIlabs/Snorkel http://www.holmes.nl/NFIlabs/Snorkel] |
+
}}
+
  
'''Snorkel''' is a Java software library that is used by developers of forensic software. Snorkel is not a standalone forensic application, but it is an important piece of infrastructure that can be used by many forensic applications: Snorkel gives access to digital evidence files, file systems, files, slack space, unallocated clusters, etc. This type of access is a key enabler in the development of forensic software systems, ranging from single-purpose stand-alone tools to integrated forensic processing systems.
+
==Differencing Tools==
 +
===idifference.py===
 +
idifference.py is part of the [[Digital Forensics XML]] Python Toolkit distributed with [[fiwalk]]. This tool will compare two different disk images and report changes in files between the first and the second. It also produces a timeline of changes.
  
Snorkel is developed by the Netherlands Forensic Institute
+
For example, using the '''nps-2009-canon2''' series of disk images:
  
=Features=
+
<pre>
 +
$ python idifference.py /nps-2009-canon2-gen2.raw nps-2009-canon2-gen3.raw
 +
>>> Reading nps-2009-canon2-gen2.raw
 +
>>> Reading nps-2009-canon2-gen3.raw
  
Snorkel recognizes and gives access to numerous storage formats for digital evidence, disk partitioning schemes, volume managers, file systems, and structured files. The formats supported are summarized below.
+
Disk image:/corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen3.raw
  
==Image File Formats Understood==
+
New Files:
  
{|
+
2008-12-23 14:26:12 1315993 DCIM/100CANON/IMG_0041.JPG
|Image file formats
+
|[[Encase image file format|EnCase]]
+
|-
+
|
+
|[[Raw Image Format|RAW (dd)]]
+
|-
+
|
+
|[[VMWare Virtual Disk Format (VMDK)|VMWare (VMDK)]]
+
|}
+
  
==File Systems Understood==
+
Deleted Files:
  
{|
+
2008-12-23 14:12:38 855935 DCIM/100CANON/IMG_0001.JPG
|Volume managers
+
2008-12-23 14:22:38 1347778 DCIM/100CANON/IMG_0037.JPG
|[[Logical Disk Manager (LDM)|Windows (LDM)]]
+
|-
+
|Partitioning schemes
+
|PC/MBR
+
|-
+
|
+
|Apple
+
|-
+
|
+
|GPT
+
|-
+
|
+
|BSD
+
|-
+
|File systems
+
|Windows ([[FAT]], [[NTFS]])
+
|-
+
|
+
|Apple ([[MFS]], [[HFS]], [[HFS+]])
+
|-
+
|
+
|Linux ([[Ext3|EXT]], [[Reiserfs|Reiser]])
+
|-
+
|
+
|Solaris, BSD ([[UFS]])
+
|-
+
|
+
|CD ([[ISO9660]], Joliet)
+
|-
+
|File Formats
+
|Windows registry (Win 9x, NT)
+
|-
+
|
+
|Microsoft Office (OLE2)
+
|}
+
  
<!-- ==File Search Facilities== -->
+
Files with modified content (but size unchanged):
<!-- ==Historical Reconstruction== -->
+
<!-- Can it build timelines and search by creation date? -->
+
<!-- ==Searching Abilities== -->
+
<!-- Can it search? Does it build an index? Can it focus on file types or particular kinds of metadata? -->
+
<!-- ==Hash Databases== -->
+
<!-- Can it create hashes of files and/or blocks? Can it compare these hash values to any databases? -->
+
<!-- What sort of hash functions does it use? -->
+
<!-- ==Evidence Collection Features== -->
+
<!-- Can it sign files? Does it keep an audit log? -->
+
<!-- =History= -->
+
  
==License Notes==
+
Files with changed file properties:
  
Snorkel is has a proprietary license.
+
DCIM/CANONMSC/M0100.CTG SHA1 changed 69b30c352ee802f49b1ea25325af9fa05c3ffca1 -> baa42c03a917b01b212fb7e538e5deb525995f31
An evaluation version is available from the website.
+
DCIM/CANONMSC/M0100.CTG crtime changed to 1230070924 -> 1230071142
 +
DCIM/CANONMSC/M0100.CTG mtime changed to 1230070924 -> 1230071142
 +
DCIM/CANONMSC/M0100.CTG resized 180 -> 188
  
= External Links =
+
Timeline
  
* [http://www.forensischinstituut.nl/ the Netherlands Forensic Institute]
+
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG SHA1 changed 69b30c352ee802f49b1ea25325af9fa05c3ffca1 -> baa42c03a917b01b212fb7e538e5deb525995f31
* [http://www.holmes.nl/NFIlabs/Snorkel Snorkel website]
+
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG crtime changed 1230070924 -> 1230071142
 +
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG mtime changed 1230070924 -> 1230071142
 +
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG resized 180 -> 188
 +
2008-12-23 14:26:12 DCIM/100CANON/IMG_0041.JPG created
 +
$
 +
</pre>
  
<!-- ==External Reviews== -->
+
Here are some more examples:
 +
* [[File:Idifference-demo1.txt]] --- idifference.py run on two disks from the 2009-M57 Patents scenario (Jo's November 23 vs. November 24th disk)
 +
 
 +
==See Also==
 +
*[http://dfrws.org/2012/proceedings/DFRWS2012-6.pdf A general strategy for differential forensic analysis]

Latest revision as of 20:21, 21 October 2013

Forensic Disk Differencing is the process of taking two or more disk images from the same computer and determining what changes in the first disk image might have resulted in the changes that are observed in the second. One common use of differencing is to determine what an attacker did during a break-in. To be used for this purpose, it is necessary to have a forensic disk image of the computer before the break-in and after the break-in.

Differencing Tools

idifference.py

idifference.py is part of the Digital Forensics XML Python Toolkit distributed with fiwalk. This tool will compare two different disk images and report changes in files between the first and the second. It also produces a timeline of changes.

For example, using the nps-2009-canon2 series of disk images:

$ python idifference.py /nps-2009-canon2-gen2.raw nps-2009-canon2-gen3.raw 
>>> Reading nps-2009-canon2-gen2.raw
>>> Reading nps-2009-canon2-gen3.raw

Disk image:/corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen3.raw 

New Files: 

2008-12-23 14:26:12	1315993	DCIM/100CANON/IMG_0041.JPG

Deleted Files: 

2008-12-23 14:12:38	855935	DCIM/100CANON/IMG_0001.JPG
2008-12-23 14:22:38	1347778	DCIM/100CANON/IMG_0037.JPG

Files with modified content (but size unchanged): 

Files with changed file properties: 

DCIM/CANONMSC/M0100.CTG	SHA1 changed	69b30c352ee802f49b1ea25325af9fa05c3ffca1	->	baa42c03a917b01b212fb7e538e5deb525995f31
DCIM/CANONMSC/M0100.CTG	crtime changed to	1230070924	->	1230071142
DCIM/CANONMSC/M0100.CTG	mtime changed to	1230070924	->	1230071142
DCIM/CANONMSC/M0100.CTG	resized	180	->	188

Timeline 

2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	SHA1 changed	69b30c352ee802f49b1ea25325af9fa05c3ffca1	->	baa42c03a917b01b212fb7e538e5deb525995f31
2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	crtime changed	1230070924	->	1230071142
2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	mtime changed	1230070924	->	1230071142
2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	resized	180	->	188
2008-12-23 14:26:12	DCIM/100CANON/IMG_0041.JPG	created
$

Here are some more examples:

  • File:Idifference-demo1.txt --- idifference.py run on two disks from the 2009-M57 Patents scenario (Jo's November 23 vs. November 24th disk)

See Also