Updated slides: Accelerating your forensic & incident response workflow

Screen Shot 2017-08-17 at 10.32.58 am

Late last year I had the pleasure of attending the F3 conference in Gloucestershire, UK. It is quite unlike any other digital forensics conference I have ever been to; a community run, practitioner focused, 2 day conference situated in a stately manor in the English countryside. I can thoroughly recommend it.

I had the opportunity to present an updated version of my presentation: “Accelerating your forensic & incident response workflow: the case for a new standard in forensic imaging”. The slide deck is available for download here.

 


Call for participation – AFF4 Working Group meeting at DFRWS 2017 USA

The Advanced Forensic Format 4 Working Group (AFF4 WG) is calling for interested parties to join the second working group meeting, to be co-located at the DFRWS Conference 2017, in Austin, TX.

Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container enables new approaches to forensics, unparalleled forensic acquisition speeds and more accurate representation of evidence. The AFF4 WG has recently released v1.0 of the AFF4 Standard, including canonical images, specification, and open source libraries for implementers. Current AFF4 implementations include Rekall, Evimetry, Sleuth Kit, Volatility and GRR.

For more information, please see the working group mailing list, or contact Bradley Schatz or Michael Cohen.

Co-Chair: Dr Bradley L Schatz, Schatz Forensic/Evimetry, [ bradley <at> schatzforensic <dot> com ]
Co-Chair: Dr Michael Cohen, Google, [ scudette <at> google <dot> com ]

AFF4 working group mailing list: https://groups.google.com/forum/#!forum/aff4-wg


Compiling Sleuth Kit with AFF4 support on MacOS

We recently contributed patches to the Sleuth Kit to read AFF4 images. While we are waiting for those to be pulled into the main distribution, the following recipe should suffice for compiling a stand alone copy on MacOS.

Dependencies
The following dependencies are needed to compile libAFF4 on OSX. I use MacPorts, and the corresponding packages i needed to install are:

ossp-uuid
zlib
snappy
raptor2
google-glog
pcrexx
* tclap (missing *.pc file – place in /opt/local/lib/pkgconfig/)

Clone and compile LibAFF4 (C/C++)

Use the following to clone the current release of libaff4, configure it, and install.

git clone https://github.com/google/aff4.git
cd aff4
git submodule update –init third_party/gtest
cd third_party/gtest
git reset –hard
cd ../..
./autogen.sh
./configure CC=clang CXX=clang++ CXXFLAGS=”-std=c++11 -stdlib=libc++ -O2 -g0 -I/opt/local/include” LDFLAGS=”-stdlib=libc++ -L/opt/local/lib”
make
sudo make install

Clone and compile the Sleuth Kit

Use the following to compile the sleuthkit with libaff4 support.

git clone https://github.com/blschatz/sleuthkit.git
cd sleuthkit/
git checkout release-4.4
autoreconf –force –install –verbose
./configure
make
sudo make install

 


Evimetry v3 Released: Remote volatile memory support

We recently released Evimetry 3, the newest release of our revolutionary approach to forensic acquisition and analysis.

Whats new?

The big news is that we now support remote volatile memory acquisition. This means that in addition to being able to acquire remote disks, you can now acquire the volatile memory of live Windows, MacOS, and Linux hosts.  We primarily support Windows XP and above (x86 and x64) and OSX Mountain Lion and above (x64). The coverage for Linux memory acquisition is limited to 64 bit Intel machines where the kmem driver is enabled.

Get straight to analysis.

In addition to acquiring the physical memory, we also acquire and store the entry points needed to find the kernel page tables and base kernel data structures. The benefit of this is that time-consuming scanning for these entry points (which are fundamental to further analysis) can be bypassed getting you to analysing evidence sooner.

We have developed patches to the leading volatile memory analysis frameworks, Volatility and Rekall, to support reading these images, and the patches for Volatility have been contributed to the main Volatility project on GitHub.

Picture1

Acquire faster.

We take full advantage of Evimetry’s advanced compression to transport memory over the network at maximal rates. The effects of latency, a killer of network performance over long distance links, can be negated by pushing our networked evidence storage agents into the same network as the suspect computer.

Ready for digital evidence at wire speed?

If you would like to try these features, get in touch to organise an evaluation licence.

 


Sleuth Kit support for the AFF4 Standard v1.0 Released

I am pleased to announce the availability of both a set of patches to the Sleuth Kit and an open source C/C++ implementation for reading AFF4 Standard v1.0 disk images. Last week the AFF4 Standard v1.0 was released by Bradley Schatz (Evimetry) and Michael Cohen (Google) .

Screen Shot 2016-10-24 at 3.48.55 pm

Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container enables new approaches to forensics, unparalleled forensic acquisition speeds and more accurate representation of evidence. These are enabled through next-generation forensic image features such as storage virtualisation, arbitrary metadata, and partial, non-linear and discontiguous images. The standard is the culmination of research spanning 6 years and 4 scientifically peer reviewed papers.

The release of these is a significant step forwards to the wider adoption of the format, enabling a large portion of the open source forensic toolchain to access AFF4 forensic images, and commercial implementers the ability to support reading the format by integration of a single unencumbered library.

The patches to the SleuthKit were contributed by Schatz Forensic (Evimetry), while the C/C++ library was originally developed by Michael Cohen (Google), with AFF4 Standard v1.0 support added by Schatz Forensic.

This release follows the release last week of the AFF4 Standard v.1.0 and a Python reference implementation (reader), and the release of Evimetry Community Edition, a freely licensed subset of the AFF4-based forensic tool.

For more information on the AFF4, attend the webcast “AFF4: The New Standard in Forensic Image Format, and Why You Should Care”, given by Bradley Schatz, in association with SANS, on 17 April 2017.

Implementers and interested parties are invited to join the AFF4 working group at aff4@googlegroups.com .


Introducing Evimetry Community Edition

Evimetry Community Edition provides a subset of the Evimetry system for free. The purpose of this is to grow the AFF4 ecosystem, firstly by providing a pain free path for Evimetry licensees to provide AFF4 images to non-licensees. Secondly, we wanted to provide practitioners, researchers and educators a freely available implementation of the AFF4 standard v1.0 which can be used to gain familiarity with the format. Schatz Forensic, the creators of Evimetry, drove the standardisation effort behind the AFF4 Standard v1.0.

With the Community Licenced Evimetry Controller, you can create Linear AFF4 Images on your Windows based analysis system, verify the integrity of AFF4 images, and convert between AFF4, E01/EWF and Raw images. You can also mount AFF4 images as virtual disks and analyse with your preferred forensic tools.

Using the Community Licenced Evimetry Filesystem Bridge, you can access entire repositories of AFF4 images as virtual raw files, enabling straightforward consumption with your existing forensic toolkit.

The release of Evimetry Community Edition coincides with the release by Schatz Forensic of open source implementations of the AFF4 format, patches to the Sleuth Kit supporting AFF4 images, and the release of the AFF4 Standard v1.0.

To gain access to the initial release of Evimetry Community Edition, email us at info@evimetry.com .


AFF4 Standard v1.0 Released

Today marks the release of the Advanced Forensic Format 4 (AFF4) Standard v1.0.

Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container enables new approaches to forensics, unparalleled forensic acquisition speeds and more accurate representation of evidence. These are enabled through next-generation forensic image features such as storage virtualisation, arbitrary metadata, and partial, non-linear and discontiguous images. The standard is the culmination of research spanning 8 years and 4 scientifically peer reviewed papers.

Bradley Schatz (Evimetry) and Michael Cohen (Google) have collaborated to make freely available:
a set of canonical reference images which serve as ground truth for the format; and
• an explanatory specification document describing the format in detail; and
• a Python AFF4  reference implementation capable of reading the format.

This release of a standard specification for the file format is a milestone towards the wider adoption of the format, providing implementers an unambiguous and straightforward path to implementation. The release of the AFF4 Standard coincides with the limited release of Evimetry Community Edition, a freely licensed subset of the AFF4 based forensic tool, and in the coming days, a C++ implementation and patches to the Sleuth Kit, and support for Volatility and Rekall.

The standard specification and reference images are available at [1], the python implementation at [2], and aff4.org [3] becoming the central point of publication.

Implementers and interested parties are invited to join the AFF4 Working Group mailing list [4], and/or contact Bradley Schatz or Michael Cohen.

Contact:
Bradley Schatz ( bradley@evimetry.com )
Michael Cohen (scudette@google.com )

[1] https://github.com/aff4
[2] https://github.com/google/aff4
[3] http://www.aff4.org/
[4] https://groups.google.com/d/forum/aff4-wg


AFF4: The new standard in forensic imaging and why you should care

At this year’s Open Source Digital Forensics Conference (OSDFCon 2016) I presented an update on the AFF4 standardisation effort. For the conference we unveiled a significant milestone: support for consuming Evimetry produced AFF4 forensic images with the Sleuth Kit.

While users of Evimetry are able to exploit the benefits afforded by AFF4 seamlessly with their regular forensic tools, we believe that native support for the format across both opensource and commercial tools will accelerate forensic workflow even further.

The screenshot below demonstrates a non-linear partial physical image (containing only the allocated blocks from the target disk) being interpreted by the SleuthKit.

Screen Shot 2016-10-24 at 3.48.55 pm

We will be releasing patches for libaff4 (C++) and Sleuth Kit shortly.

My slides for the seminar are below.


Accelerating forensic and incident response workflow: AusCERT 2016 Slides

Existing forensic image formats are a bottleneck in the multi-core era: The slides from my recent presentation on accelerating forensic & incident response workflow at the AusCERT 2016 Conference. This summarises the research behind Evimetry Wirespeed.


CFP: Digital Investigation Special Issue on Volatile Memory Analysis

The Journal of Digital Investigation is currently calling for papers for a Special Issue on Volatile Memory Analysis. The Guest Editors of this issue are Michael Cohen (Google) and Bradley Schatz (Schatz Forensic).

We would welcome any novel research into aspects of Volatile Memory Analysis. Submissions are due 31 August 2016.

Memory analysis is a hot research topic with wide applications on many fronts – from malware detection and analysis, to recovery of encryption keys, to user activity reconstruction. As advanced contemporary malware increasingly reduces its on-disk footprint, and adopts increasingly sophisticated host detection subversion mechanisms, memory analysis is currently mainstreaming as a valuable technique for detection and response.

While memory analysis presents many new opportunities, it also presents new complications and challenges, ranging from reliance on undocumented program internals, to atomicity of acquisition methodologies. As memory analysis becomes the status quo methodology the use of directed anti-forensics is also becoming prevalent.

This special issue of the Journal of Digital Investigation invites original research papers that report on state-of-the-art and recent advancements in this rapidly expanding area of enquiry, with a particular emphasis on novel techniques and practical applications for the forensic and incident response community.

Topics of interest include but are not limited to:

  • Malware detection in memory
  • Live memory analysis
  • Live system introspection
  • Memory acquisition
  • Memory analysis of large systems
  • Userspace and application specific memory analysis
  • Cryptographic analysis, key recovery
  • Execution history analysis
  • Data fusion between memory/disk/network

Deadline for submissions is 31 August 2016.