Existing forensic image formats are a bottleneck in the multi-core era: the slides from my recent presentation on accelerating forensic and incident response workflows at the AusCERT 2016 Conference. They summarise the research behind Evimetry Wirespeed.
The Journal of Digital Investigation is currently calling for papers for a Special Issue on Volatile Memory Analysis. The Guest Editors of this issue are Michael Cohen (Google) and Bradley Schatz (Schatz Forensic).
We would welcome any novel research into aspects of Volatile Memory Analysis. Submissions are due 31 August 2016.
Memory analysis is a hot research topic with applications on many fronts, from malware detection and analysis, to recovery of encryption keys, to reconstruction of user activity. As advanced contemporary malware increasingly reduces its on-disk footprint and adopts ever more sophisticated means of subverting host-based detection, memory analysis is becoming a mainstream technique for detection and response.
While memory analysis presents many new opportunities, it also presents new complications and challenges, ranging from reliance on undocumented program internals to the atomicity of acquisition methods. As memory analysis becomes the status quo methodology, directed anti-forensics is also becoming prevalent.
This special issue of the Journal of Digital Investigation invites original research papers that report on state-of-the-art and recent advancements in this rapidly expanding area of enquiry, with a particular emphasis on novel techniques and practical applications for the forensic and incident response community.
Topics of interest include but are not limited to:
- Malware detection in memory
- Live memory analysis
- Live system introspection
- Memory acquisition
- Memory analysis of large systems
- Userspace and application specific memory analysis
- Cryptographic analysis, key recovery
- Execution history analysis
- Data fusion between memory/disk/network
Deadline for submissions is 31 August 2016.
The Evimetry Wirespeed system enables remote live analysis using your existing forensic toolkit. In doing so, a partial physical image is created: analysis activity drives the partial acquisition process, which in turn yields an increasingly complete physical disk image. Acquisition may be incrementally widened to categories of evidence, such as Windows Registry files, log files, Office documents, all allocated space, and finally the whole disk.
An important aspect of balancing live analysis against bulk acquisition is interactive latency (liveness). Unlike any other forensic system, live analysis activities are prioritised over bulk acquisition, enabling effective live analysis with minimal perceptible delay.
A video demonstrating liveness in partial live acquisition using Evimetry Wirespeed & EnCase is available on the Evimetry Website. This blog post summarises the salient parts of the video:
@1:08 Partial acquisition of triage artifacts
A partial acquisition of a 240GB SSD [1], collecting page files, swap files, Windows Registry files, log files, and Windows access traces, is started.
This causes acquisition of volume metadata, followed by filesystem metadata, and then the content data blocks belonging to these categories. The acquisition completes in 17s, having stored 2.3GiB in the forensic image [2].
@2:01 Virtual disk sharing
The active partial image is shared as a virtual disk and mounted in Windows as the F: drive. Windows Explorer is then used to browse the F: drive, into the F:\Videos\Videos1\ folder. All block reads from the virtual disk are served from the forensic image, since the filesystem metadata has already been acquired.
On traversing to the F:\Videos\Videos1\Videos\ folder, thumbnails are generated by Explorer and shown. As the content for these has not yet been acquired, the underlying blocks are read from the suspect drive, stored in the partial image, and then passed on to Windows via the iSCSI virtual disk emulator. From there Windows Explorer renders the thumbnails.
@2:37 Third party application access
The file Mario1_500_HQ_512kb.mp4, a Mario runthrough video from archive.org, is opened. This causes the video to be played using VLC.
The purpose of this is to create an interactive acquisition load on the target drive (recalling that the content of this file has not yet been acquired).
@3:03 Virtual disk access using EnCase
The virtual disk is loaded into EnCase [3], which scans the volume metadata and filesystem metadata (in this case parsing the MFT).
The volume metadata and MFT are served from the partial image. Interactive performance of the video is unaffected, with no glitches or pauses.
@4:40 Interactive analysis with EnCase
Within EnCase, the files are filtered down to JPEG files, and the view is switched to Gallery. All of the pictures displayed in the gallery are read from the suspect hard drive and stored in the partial image on their way to EnCase. At this stage only VLC and EnCase are competing for access to the target device, and interactive performance of the video is unaffected. There are no glitches or pauses, and loading and display of the pictures in EnCase is snappy.
@5:08 Acquisition scope widened to all of Allocated
A further partial acquisition operation is started, widening the scope to all allocated files. This reads only those blocks of files on the target device that aren't already in the image (a significant portion of the video and the pictures viewed in the gallery are already present in the image, in addition to the volume and filesystem metadata, system logs, registries, etc.).
@5:48 Gallery browsing under high acquisition load
The gallery is scrubbed to a random point, causing acquisition and display of a number of as yet un-accessed images. While this interactive process is competing with the video and the batch acquisition (which is proceeding at 238 MB/s), interactive latency has increased but is still acceptable.
@6:00 Single file browsing under high acquisition load
EnCase is switched to the Table view, and random pictures are browsed. Interactive latency for single file access is snappy.
@8:08 Video runthrough completes
Acquisition of 61GiB has completed when the video completes playing.
At the point where this screencast ends, acquisition of allocated space is still underway. The analyst needn't wait for its completion, as a partial forensic image may be completed at any time, and the resulting image remains accessible using regular forensic tools. With the volume and filesystem metadata, and whatever file content has been acquired to that point, forensic tools will still be able to interpret the disk. Blocks that were not acquired simply show up as unknown data.
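To make the mechanics of analysis-driven partial acquisition concrete, the following toy model is added here as an illustration; it is not Evimetry's code or image format. A constructed in-memory byte string stands in for the suspect drive, a block map (block number to bytes) stands in for the sparse image, and the 512-byte block size, the category ranges and the "unknown" filler are all assumptions of the model. It shows the three behaviours described above: reads by analysis tools are served from the image when possible and otherwise fetched from the device and stored on the way through; widening to a category reads only blocks not already held; and an image completed at any point yields real data for acquired blocks and unknown data for the rest.

```python
"""Toy model of analysis-driven partial acquisition (illustrative only,
not Evimetry's implementation). Block size, categories and the UNKNOWN
filler are assumptions of the model."""

BLOCK = 512                  # assumed block size
UNKNOWN = b"?" * BLOCK       # assumed filler for never-acquired blocks


class SuspectDrive:
    """Constructed stand-in for the target device. Counts block reads so the
    test can show that widening never re-reads blocks already in the image."""

    def __init__(self, data: bytes):
        assert len(data) % BLOCK == 0
        self.data = data
        self.blocks_read = 0

    @property
    def nblocks(self) -> int:
        return len(self.data) // BLOCK

    def read_block(self, n: int) -> bytes:
        self.blocks_read += 1
        return self.data[n * BLOCK:(n + 1) * BLOCK]


class PartialImage:
    """Sparse image: only acquired blocks are stored, keyed by block number."""

    def __init__(self, source: SuspectDrive):
        self.source = source
        self.blocks = {}  # block number -> bytes

    def acquired(self) -> int:
        return len(self.blocks)

    def read(self, offset: int, length: int) -> bytes:
        """Serve a read from an analysis tool (the virtual-disk path).
        Blocks already held come from the image; missing blocks are fetched
        from the device and stored, so analysis drives acquisition."""
        first, last = offset // BLOCK, (offset + length - 1) // BLOCK
        out = bytearray()
        for n in range(first, last + 1):
            if n not in self.blocks:
                self.blocks[n] = self.source.read_block(n)
            out += self.blocks[n]
        start = offset - first * BLOCK
        return bytes(out[start:start + length])

    def widen(self, block_ranges) -> int:
        """Bulk-acquire a category given as half-open block ranges, skipping
        blocks the image already holds. Returns the number of blocks fetched."""
        fetched = 0
        for lo, hi in block_ranges:
            for n in range(lo, hi):
                if n not in self.blocks:
                    self.blocks[n] = self.source.read_block(n)
                    fetched += 1
        return fetched

    def finalise(self) -> bytes:
        """Complete the image now: a full-size image in which blocks never
        acquired are marked unknown rather than read from the device."""
        return b"".join(self.blocks.get(n, UNKNOWN)
                        for n in range(self.source.nblocks))


def demo():
    # Constructed 16-block drive: block n is filled with the byte chr(65 + n).
    drive = SuspectDrive(b"".join(bytes([65 + n]) * BLOCK for n in range(16)))
    img = PartialImage(drive)

    # Triage category (assume filesystem metadata occupies blocks 0-1).
    img.widen([(0, 2)])
    # An analyst opens a file spanning blocks 5-6: the read pulls them in.
    content = img.read(5 * BLOCK + 100, 600)
    # Widen to "allocated" (assume blocks 0-7): only blocks 2, 3, 4, 7 are new.
    fetched = img.widen([(0, 8)])
    # Stop here; blocks 8-15 were never acquired and come out as unknown data.
    final = img.finalise()
    return content, fetched, img.acquired(), drive.blocks_read, final


if __name__ == "__main__":
    content, fetched, held, reads, final = demo()
    print(f"widen fetched {fetched} new blocks; image holds {held}; "
          f"device read {reads} blocks; final image {len(final)} bytes")
```

The one property of the real system that this model leaves out is the scheduling described above: here every read goes straight to the device, whereas Evimetry Wirespeed prioritises interactive reads over the bulk acquisition so that liveness is preserved while widening runs.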
This blog post summarised the most important parts of the video, the purpose of which was to demonstrate:
- The incremental nature of partial acquisition using Evimetry Wirespeed;
- The ease of human-in-the-loop live analysis in driving forward partial acquisition;
- The performance of the Evimetry Wirespeed system.
[1] Around 50% full, with content including a Windows OS folder hierarchy (no user profiles), random data, multiple copies of the GovDocs corpus, and videos downloaded from archive.org.
[2] We note that this dataset doesn't actually contain any page files or swap files.
[3] EnCase is a trademark of Guidance Software and has no affiliation with Schatz Forensic.