
FOSS Digital Forensics
BJ Gleason
Associate Professor
University of Maryland
Overview
~ What is Free and Open Source Software?
~ The Pros and Cons of FOSS
~ Open Source Tools
• Utilities
• Helix
• Other Live CDs
~ Open Source in Court
What is FOSS?
~ Free and Open Source Software
~ Free Redistribution
~ Access to Source Code
~ Allows for Derived Works
~ When programmers can read, redistribute, and modify the source code for a piece of software, the software evolves. People improve it, people adapt it, people fix bugs.
Pros of Open Source
~ Lower Acquisition Costs
~ Can Examine the code – “look under the hood”
~ Greater independence from companies
~ Can be maintained even if company disappears
~ Proprietary formats lead to vendor lock-in
~ Cutting Edge Development
~ Internationalization
~ Selection
~ Security
Pirated Forensic Software
~ There have been several US domestic and international cases where forensic examiners have used pirated copies of forensic software.
~ This has caused the defense to challenge the authenticity and reliability of the evidence and the examiner.
~ The results can be devastating for the prosecution.
International Cooperation
~ In March 2005, according to the Ministry of Public Security, a man who hacked into 100,000 computers to launch group attacks was arrested in Tangshan, north China's Hebei Province.
~ More than 60,000 of the 100,000 "corpse network" computers were within China, and some of them were owned by government departments and other important sectors.
~ That means about 40,000 computers were located outside of China.
~ Using forensic software that all countries can share can promote international cooperation.
Cons of Open Source
~ Lack of Support / Documentation
~ May require additional technical skills
~ Developers abandon applications
~ Compatibility Issues
~ Training not always available
Common Open Source Tools
~ GNU DD
• Used by FBI, among other tools, in Zacarias Moussaoui’s Case
~ The Coroners Toolkit, Sleuth Kit, and Autopsy Browser
• Can analyze multiple file system types
~ Foremost and Scalpel
• Data carving
~ md5sum, sha1sum
• Used to create digital fingerprints of evidence.
~ Others
• Fatback, ntfsundelete - recover deleted files
• Tcpdump - packet decoder
• Snort - intrusion detection system
• Ethereal - network protocol analyzer
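The slide pairs GNU dd with md5sum/sha1sum but does not show the acquire-then-fingerprint workflow. The script below is an added example, not from the slides or from any of the listed projects: it images a constructed evidence file with dd, records MD5 and SHA-1 digests of both source and image, and verifies that the image reproduces the source. WORK, SRC, IMG and HASHES are assumed names, and the "device" is a constructed 2048-byte file rather than a real disk.

```shell
#!/bin/sh
# Added example, not from the slides: acquire a constructed evidence file with GNU dd,
# fingerprint source and image with md5sum and sha1sum, and verify that they agree.
# WORK, SRC, IMG and HASHES are assumed names; the "device" is a constructed file,
# never a real block device.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SRC="$WORK/evidence.bin"   # constructed stand-in for a block device
IMG="$WORK/evidence.dd"    # bit-for-bit image written by dd
HASHES="$WORK/hashes.txt"  # fingerprints recorded for the chain of custody

# Build the constructed "device": exactly 2048 bytes (4 sectors of 512) of
# deterministic content, so the example behaves identically on any machine.
make_evidence() {
    yes 'constructed evidence sector' | head -c 2048 > "$SRC"
}

# Standard dd imaging invocation: fixed block size, keep going past read
# errors (noerror) and pad unreadable blocks with NULs (sync) so the image
# stays sector-aligned with the source.
acquire() {
    dd if="$SRC" of="$IMG" bs=512 conv=noerror,sync 2>/dev/null
}

# Record two independent digests of both the source and the image, so the
# result can be reproduced later with other tools.
fingerprint() {
    { md5sum "$SRC" "$IMG"; sha1sum "$SRC" "$IMG"; } > "$HASHES"
}

# Digest of one file with one tool, hash only (no filename column)
digest() { "$1" < "$2" | cut -d' ' -f1; }

# Return 0 only when the image matches the source under both algorithms
verify() {
    [ "$(digest md5sum "$SRC")" = "$(digest md5sum "$IMG")" ] &&
    [ "$(digest sha1sum "$SRC")" = "$(digest sha1sum "$IMG")" ]
}

make_evidence
acquire
fingerprint
if verify; then
    echo "image verified; fingerprints recorded in $HASHES"
else
    echo "MISMATCH: image does not reproduce the source" >&2
    exit 1
fi
```

Two points a practitioner should keep in mind: when the source length is not a multiple of the block size, conv=sync pads the final block and the image digest will legitimately differ from the source digest, which is why the image is hashed and recorded separately rather than assumed equal; and MD5 alone is no longer adequate as an evidence fingerprint, so pair it with SHA-1 or, today, SHA-256.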
Cell Phone Forensics
~ In April 2004, registered GSM cell phones exceeded 1 billion.
~ Researchers in Italy developed “SIMbrush: an Open Source Tool for GSM and UMTS Forensics Analysis”
~ Why Open Source? If a tool can not be examined and tested, it is “contrary to principles of forensic soundness, digital integrity and the definition of Digital Forensics itself.”
~ In addition, this is not a “theoretical problem any more, because it could invalidate the results of a digital investigation at the court stage, where the cost of such a failure is highest.”
Forensic Server Project
~ Developed by Harlan Carvey, FSP is an open-source framework for collecting volatile and non-volatile information from live systems.
~ FSP consists of a server component and a client component – the "First Responder Utility"
~ The software is available from the Windows Forensics and Incident Recovery Website and is also included on some of the Live CDs such as Helix.
~ Open Source allows the tool to be tailored to the environment.
Forensic Server Project
Helix
~ e-fense™, Inc.
~ Free Download
~ Windows Utilities
~ Bootable Linux CD
~ Designed for
• Forensics
• Incident Response
• Electronic Discovery
~ Collection of Open Source tools
~ Updated every 3 months
Tools
~ Standard Windows trusted binaries and utilities
~ Static Compiled Binaries for Linux and Solaris
~ Other free tools
• Foundstone tools: fport, sfind, hfind, afind, ntlast, etc.
• Sysinternals tools: psloggedon, pslist, ntfsinfo, etc.
• Cygwin toolkit
• sleuthkit : Brian Carrier's replacement for TCT.
• autopsy : Web front-end to sleuthkit.
• mac-robber : TCT's graverobber written in C.
• MAC_Grab : e-fense MAC time utility.
• AIR : Steve Gibson Forensic Acquisition Utility.
• foremost : Carve files based on header and footer.
• fatback : Analyze and recover deleted FAT files.
• md5deep : Recursive md5sum with db lookups.
• sha1deep : Recursive sha1sum with db lookups.
• dcfldd : dd replacement from the DCFL.
• sdd : Specialized dd w/better performance.
• PyFLAG : Forensic and Log Analysis GUI.
• Faust : Analyze elf binaries and bash scripts.
• e2recover : Recover deleted files in ext2 file systems.
• Pasco : Forensic tool for Internet Explorer Analysis.
• Galleta : Cookie analyzer for Internet Explorer.
• Rifiuti : "Recycle BIN" analyzer.
• Bmap : Detect & Recover data in used slackspace.
• Ftimes : A toolset for forensic data acquisition.
• chkrootkit : Look for rootkits.
• rkhunter : Rootkit hunter.
• ChaosReader : Trace tcpdump files.
• lshw : Hardware Lister.
• logsh : Log your terminal session.
• ClamAV : ClamAV Anti Virus Scanner.
• F-Prot : F-Prot Anti Virus Scanner.
• 2 Hash : MD5 & SHA1 parallel hashing.
• glimpse : Indexing and query system.
• Outguess : Stego detection suite.
• Stegdetect : Stego detection suite.
• Regviewer : Windows Registry viewer.
• Chntpw : Change Windows passwords.
• Grepmail : Grep through mailboxes.
• logfinder : EFF logfinder utility.
• linen : EnCase Image Acquisition Tool.
• Retriever : Find pics/movies/docs/web-mail.
• Scalpel : Carve files based on header and footer.
Live System Response
~ Goals
• Determine if an incident has occurred or is in progress.
• Take steps to contain the incident.
• Record all steps taken.
~ Tools Required
• View processes, network ports, disk files.
• Network sniffer and diagnostic tools.
• Trusted binaries. Can’t trust any programs on the system.
• Tools to help automate information gathering and
reporting.
~ Note: Everything done on a live system changes it!
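The slide asks for trusted binaries, automated gathering and a record of every step, and warns that everything done on a live system changes it. The wrapper below is an added example, not from the slides or from Helix, of how those three requirements fit together: each collection command runs with PATH restricted to a trusted-binaries directory, its output is saved, and an audit line with UTC timestamp, step number, command, exit status and a SHA-1 of the output is appended to a log. CASE_DIR and TRUSTED_BIN are assumed names; the demonstration commands are harmless placeholders for the process and port listers a responder would actually run.

```shell
#!/bin/sh
# Added example, not from the slides or from Helix: a live-response wrapper that runs
# each collection command with PATH restricted to a trusted-binaries directory, saves
# its output, and appends an audit line (UTC timestamp, step number, command, exit
# status, SHA-1 of the output). CASE_DIR and TRUSTED_BIN are assumed names. CASE_DIR
# must be on the responder's own media: every write to the suspect system changes it.
set -u

CASE_DIR="${CASE_DIR:-$(mktemp -d)}"
AUDIT_LOG="$CASE_DIR/audit.log"
TRUSTED_BIN="${TRUSTED_BIN:-/usr/bin}"   # on a real response: the CD's static binaries
STEP=0
: > "$AUDIT_LOG"

# Run "$@" using only binaries from TRUSTED_BIN (the suspect system's own
# ps/netstat may have been replaced), capture its output, and log what happened.
run_logged() {
    STEP=$((STEP + 1))
    ts=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    out="$CASE_DIR/step_${STEP}.out"
    PATH="$TRUSTED_BIN" "$@" > "$out" 2>&1
    rc=$?
    sum=$(sha1sum < "$out" | cut -d' ' -f1)
    printf '%s\t%s\t%s\t%s\t%s\n' "$ts" "$STEP" "$*" "$rc" "$sum" >> "$AUDIT_LOG"
    return "$rc"
}

# Helpers for inspecting the trail: number of logged steps, and the exit status
# and output digest of the most recent step.
audit_count() { wc -l < "$AUDIT_LOG" | tr -d ' '; }
last_status() { tail -n 1 "$AUDIT_LOG" | cut -f4; }
last_digest() { tail -n 1 "$AUDIT_LOG" | cut -f5; }

# Demonstration with harmless commands; a real run would invoke the CD's process,
# port and file listers in exactly the same way.
run_logged echo "collection started on $(uname -n)"
run_logged uname -a
run_logged date -u
cat "$AUDIT_LOG"
```

Because the digest of each step's output is logged at collection time, any later change to the saved output files is detectable, and a second examiner can confirm which commands were run, in what order, and with what result.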
Helix Live Response
Audit Trail
Dead System Response
~ Goals
• Gather evidence from computer media.
• Gather evidence from network traffic logs.
• Analyze data to determine what happened.
• Do not alter the evidence.
• Maintain a chain of evidence.
• Create record of all steps taken.
~ Tools Required
• Tools to acquire the digital data.
• Tools to analyze the data.
• Tools to help automate the analysis and create a record.
Helix Bootable Environment
Acquisition
Autopsy Browser
Reasons to Use Linux
~ It can run from bootable media
~ Supports many file system types
• Ext2, Ext3, FFS, UFS (Linux, BSD, Unix)
• FAT, VFAT, NTFS (DOS, Windows)
• HFS (Mac), ISO9660 (CD-ROM)
~ Can examine a file system without affecting it
• Windows tools require Hardware Write-Blockers
~ Many forensic analysis tools developed for it
~ Control over file system access
• Drives are not mounted by default
• Can be mounted with options such as:
– read-only to prevent modifying files
– noatime to prevent modifying access time
– noexec to prevent executing code by mistake
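Mounting with ro, noatime and noexec only protects the evidence if those options actually took effect, so a practitioner checks the mount table before analysis. The script below is an added example, not from the slides: it reads a /proc/mounts-format table, finds the evidence mount point and confirms that all three options are present. The table it parses is a constructed sample; on a real system the same function is pointed at /proc/mounts. The mount invocation that would produce such an entry is shown in a comment only, since it needs root.

```shell
#!/bin/sh
# Added example, not from the slides: confirm that an evidence image is mounted with
# the protective options the slide lists (ro, noatime, noexec) by reading the mount
# table. The table below is a constructed /proc/mounts-format sample; on a real system
# pass /proc/mounts. The mount command that would produce the first entry (needs root,
# not run here) is:
#   mount -o ro,noatime,noexec,loop evidence.dd /mnt/evidence
set -eu

REQUIRED_OPTS="ro noatime noexec"

# Return 0 when the comma-separated option list contains every required option.
# A "rw" or "relatime" entry means the corresponding protection is absent.
opts_ok() {
    for want in $REQUIRED_OPTS; do
        case ",$1," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Look up a mount point (2nd column) in a mount table and check its options
# (4th column). Prints a verdict; returns 1 if the mount is missing or unsafe.
check_mount() {
    mnt="$1"; table="$2"
    opts=$(awk -v m="$mnt" '$2 == m { print $4; exit }' "$table")
    if [ -z "$opts" ]; then
        echo "$mnt: not mounted"
        return 1
    elif opts_ok "$opts"; then
        echo "$mnt: ok ($opts)"
    else
        echo "$mnt: UNSAFE ($opts) - remount with $REQUIRED_OPTS before analysis"
        return 1
    fi
}

# Constructed mount table: one correctly mounted image, one scratch disk mounted rw
SAMPLE_TABLE="${SAMPLE_TABLE:-$(mktemp)}"
cat > "$SAMPLE_TABLE" <<'EOF'
/dev/loop0 /mnt/evidence ext3 ro,noatime,noexec,nosuid 0 0
/dev/sdb1 /mnt/scratch vfat rw,relatime 0 0
EOF

check_mount /mnt/evidence "$SAMPLE_TABLE"
check_mount /mnt/scratch "$SAMPLE_TABLE" || true
```

The check deliberately looks for the exact option words: a Linux kernel reports relatime rather than noatime when the latter was not requested, and rw rather than ro, so the absence of the protective word is the signal that the mount is not safe for evidence work.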
Other Live CDs
~ Auditor / Backtrack - http://www.remote-exploit.org
• System Auditing, Penetration Testing
~ THE FARMER'S BOOT CD - http://www.forensicbootcd.com
• Optimized for previewing systems before acquisition
~ Many other Live CDs available
• Different Features
• Different Focuses
• Some free, others low cost
Open Source in Court
Can these open source tools be used in a court of law?
Short Answer: Yes
Long Answer: Depends – Falls under the rules of Scientific Evidence
Daubert v Merrell Dow (1993)

~ Daubert criteria
• “Whether it [a scientific theory or technique] can be
(and has been) tested”
• “Whether the theory or technique has been subjected to
peer review and publication”
• “Consider the known or potential rate of error... and the
existence and maintenance of standards controlling the
technique's operation”
• “The technique is ‘generally accepted’ as reliable in the
relevant scientific community”
~ These criteria have been recognized worldwide
Open Source and Daubert
~ Testing
• Closed source relies on the vendor
~ Peer review and publication
• Open source allows more experts to examine the code
~ Error Rate
• Closed source – “Black Box” testing is not conclusive
• Open source software was found to be more reliable than commercial software in a study designed to test failure rates of software utilities
~ General Acceptance
• Used and recommended by National White Collar
Crime Center, SANS and many others
Problems with Closed Source
Problems of using proprietary / “law enforcement only” products:
~ disclosure of method
~ protection of commercial interests of vendor
~ “parity of arms” for defence
~ Proprietary formats and disclosure – the release of material to the defence
DUI Defendants Beat Charge By
Asking for Source Code
~ Seminole County, Florida, June 2005.
~ Hundreds of DUI defendants had their cases thrown out because the vendor of the breathalyzer units had refused to disclose proprietary source code.
~ Unless such disclosure is made, the Seminole criminal
bench is not satisfied that evidence procured from the
machines is reliable.
~ According to the vendor, it should not be required to reveal
trade secrets in order for the DUI convictions to stand.
~ Seminole judges have ruled that although the information
may be a trade secret and controlled by a private
contractor, defendants are entitled to it.
~ The whole point, defense attorneys say, is that defendants
have a right to know how the machine works and whether
it is working accurately.
Ensuring Admissibility

~ Evidence collection
• Correct legal processes
• Accepted techniques and tools
• Properly trained personnel
~ Chain of custody
~ Establishing provenance
~ Corroboration
~ Validation and Verification
Some Questions
~ Can the results of the technical analysis be duplicated using other tools?
~ Does the Analyst understand what the tools they use are actually doing, or are they merely taking for granted what an automated process is reporting?
~ Do other professionals use the same techniques and methodology?
~ Is the Analyst technically capable of defending/supporting their interpretation of the evidence?
An Answer
“If the tools being used are the mechanism to find evidence on a computing device, and several different tools can replicate the process, then it doesn't matter what tools were used.
The evidence is simply there and can be found by any competent forensic analyst using a variety of tools.”
– Steven Hailey
Any Questions?

BJ Gleason
University of Maryland
bjgleason@asia.umuc.edu
References and Websites
~ Open Source - http://www.opensource.org
~ Open Source Digital Forensics - http://www.opensourceforensics.org/
~ Carrier, Brian. Open Source Software in Digital Forensics.
http://www.digital-evidence.org/papers/opensrc_legal.pdf
~ Preservation of Fragile Digital Evidence by First Responders.
http://www.dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf
~ Incident Response Homepage - http://www.incidentreponse.org
~ Sleuthkit, Autopsy, and mac-robber - http://www.sleuthkit.org
~ Remote Data Acquisition - http://www.md5sa.com/downloads/rda
~ Foundstone tools - http://www.foundstone.com
~ Gatekeeping Out Of The Box: Open Source Software As A
Mechanism To Assess Reliability For Digital Evidence
http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally.html
~ Helix – http://www.e-fense.com/Helix
~ GPL and other licenses - http://www.opensource.org/licenses/
~ THE FARMER’S BOOT CD - http://www.forensicbootcd.com