
Streamlining Digital Forensics through Google Glass Eyes

The world of digital forensics involves the use of a very diverse array of tools, some highly specialized and technical and others pretty simple, as we all know, and these tools are constantly evolving as the digital landscape itself changes and becomes more complex (and more defensive if we’re also talking about those who try to cause harm or conceal their digital footprints).  One of the latest of these tools to enter the market and become useful to analysts, educators and students of the computer forensics industry has been none other than the now famous Google Glass.

These voice-controlled glasses, which are essentially a sophisticated wearable computer with its own applications and OS interface, can be worn and used anywhere with some kind of wireless connection. Users can integrate their Glass with the personal preferences in their Google accounts, use it to find directions, look at interactive maps and access a wide assortment of online information about the physical world around them at any time.

In essence, the vast amount of data access available through the Google Glass interface makes it an excellent tool for technical work of any kind, and an especially powerful one for those working or studying in the STEM fields (Science, Technology, Engineering and Mathematics). This same quality, among others, also makes Google Glass a potentially powerful tool for digital security in the private, government and corporate sectors. Here are a few reasons why.

Education

Prospective students of forensics face the moderate but constant dilemma of absorbing theory and technical educational material on data protection and recovery, and then having to apply it in the real world in a way that flows naturally from what they have learned.

Google Glass by its very nature makes this process capable of being run much more smoothly and efficiently than ever before.

A student of computer science and forensics in particular can perform field training on damaged or compromised machines and breached corporate networks while simultaneously being able to capture photos of everything he does, take screen shots of his investigative probing work and then share all of this information with colleagues and instructors in real time over social media and cloud sharing platforms.

Furthermore, if stumped on a certain aspect of field training or data analytics, the ability to access online resources and previously downloaded instruction materials would let someone in training much more quickly resolve their problem.

As a basic example, imagine a police forensics trainee with little experience sent in to capture as much data as possible from some seized laptops that have just been shut down: the drives themselves are fully encrypted with AES, but there is a chance of recovering the passwords and other crucial data by performing techniques such as those explained here. Armed with Google Glass, the trainee could deal with this unusual scenario much more effectively while keeping their hands free to work: they could consult research material such as the content of the above article, contact a more experienced instructor and receive direct instructions on techniques such as flash-freezing the RAM module with compressed air as soon as possible, and at the same time notify their lab that a memory module which needs to be kept cool until analysed is on its way.

General Forensic Documentation

We’ve just gone over the benefits of on-the-fly advice, consultation and documentation of work for digital forensics students, but the same capabilities apply to any other IT or digital security professional moving through a complex investigative or work environment.

Imagine being able to walk into a data security crime scene at a corporate office or some other large space with numerous pieces of evidence which need to be collected for collation and later scrutiny. The hassle of multiple pieces of equipment, such as scanning devices and disk imagers, will be an inevitable part of your work, yes, but with the voice- and eye-operated power of Google Glass on your face, a lot of your image and video capture needs will be enormously simplified. While imaging a drive or running queries on network servers, you can capture continuous video or photo evidence as you work, in real time and without interrupting anything you’re doing with your hands. This is where Google Glass has a lot of potential as a major forensic workplace stress reliever.

Stephan Jukic writes for LWGConsulting, a global leader in forensic engineering & recovery solutions.



Forensics Europe Expo 2014 – Recap

Forensic Focus attended the Forensics Europe Expo at Kensington Olympia on the 29th & 30th of April. This article is a recap of some of the main highlights and over the next few weeks we will also be bringing you a number of interviews recorded at the expo.

The Digital Forensics part of the Expo brought together speakers and exhibitors from law enforcement, software development, academia and elsewhere to provide an overview of the unique challenges around forensics in the computer technology sphere.

Conference Highlights

There was a strong focus on the investigation of crimes organised through the internet; Charlie McMurdie, the former Head of eCrime for the Metropolitan Police, discussed the unique challenges associated with online marketplaces such as Ghost Market and Silk Road, where consumers can buy anything from illegal drugs to cybercrime tutorials.

McMurdie focused on the fact that there is no need for state of the art equipment for cyber criminals to be able to conduct their nefarious business; targeting high-profile organisations has become “a step up from playing World of Warcraft; a way for young cyber criminals to validate their hacker capabilities”.

Andrew Beckett from Airbus discussed the rise in cybercrime weapons, beginning with first-generation cyber weapon Stuxnet, which, Beckett explained, was flawed because it was tactical rather than strategic. We have not yet seen second generation cyber weapons, but Beckett predicts that these will also be tactical in focus, and will probably be short-lived. He highlighted the importance of building in a self-destruct element to any future state-sponsored cyber weapons, in order to prevent them from falling into the wrong hands.

In Beckett’s opinion, cybercrime is changing the state of international relations. Whilst of course there have always been crimes committed across borders, or with international implications, the popularity of the internet in today’s world has made it possible for even fairly simple criminal actions to have international relevance. For example, a criminal organisation based in any given country can easily segregate its data, using servers around the world to make tracing and prosecution more difficult than with “traditional” offline crimes.

Authentication of data was another focal point of the conference; Martino Jerian from Amped talked about the difficulties of validating images for use in criminal cases. Identifying whether an image is an original file can be challenging, but the main issue is with the authenticity of the image’s contents. Three of the main things that Amped look out for in image validation are recapture, staging and misrepresented content; once they are sure that none of these are problematic, they analyse the image itself for signs of modification. Even a relatively simple technique such as cropping or editing the colour saturation can have a strong effect on the perceived meaning of a picture.

Social media based evidence was a central focus of the conference, with several speakers mentioning it as an evolving area to be used in criminal investigations. Neil Smith, an investigative researcher and open source intelligence trainer, provided an overview of the ways in which freeware and social media can be used in this way. There are several commercial databases available which provide sufficient information to gather evidence, particularly concerning individuals’ identities and movements, and many such databases are free to use and easy to access.

Microsystemation XRY’s Paul Baxter discussed the investigation of data on mobile devices, pointing out that there are now more mobile devices than there are people on the planet. The largest growth in recent years has been in Samsung and ‘Other’ devices, such as those with Chinese chip sets. The extreme proliferation of mobile devices has meant that keeping up to date with the investigative tools needed to examine the software is a significant challenge for investigative organisations.

Yuval Ben Moshe from Cellebrite elaborated on this theme, emphasising that in some cases there are backlogs of up to six months for processing mobile devices. He encouraged the decentralisation of forensic capabilities to speed up investigations, for example placing forensic extraction devices in police squad cars to allow data to be analysed “on the job”, as it were.

Cloud storage forensics, a relatively new discipline, was explored by Marco Scarito from RN System Solutions. He discussed ways to find the usernames and passwords in cleartext in Dropbox, Google Drive and SkyDrive. The latter in particular has a relatively simple way of uncovering user data: if the ‘web access’ option has been enabled, it is possible to remotely access a user’s PC, which can be very useful in criminal investigations.

The penultimate talk of the second day was by Richard Leary from Forensic Pathways, who discussed how digital forensic evidence can be managed and standardised. He highlighted three areas that currently present challenges for digital investigators in court, perhaps the strongest of which was the ‘black box’ problem: producers of technology often do not want to explain in detail how they collate data in forensic investigations, largely due to concerns about competition within the industry. Leary advocated a mixture of ACPO and Daubert guidelines to set an overriding standard for interpretation of technical data.

The conference was brought to its conclusion by Professor David Last, who discussed how to maximise the potential of GPS evidence, making reference to his Forensic Focus article of the same name. He stressed the importance of understanding the level of exactness of GPS devices; city centres in particular present an issue here, as satellite signals can be blocked and reflected by buildings, giving a large margin for error.

Expo Highlights

There were several exhibitors showcasing their investigative technologies at the conference; Forensic Focus caught up with some of them over the course of the Expo, and their interviews will be available soon in the Interviews section.

Some of the forensic tools being presented included the TD3 Forensic Duplicator from Guidance Software, a Tableau device developed for the FBI in the US which in its latest incarnation includes a TDS2 SATA Drive enclosure.

ALI’s laser imaging technology, showcased at their exhibition stand, aims to address some of the challenges associated with the use of CCTV in criminal convictions. Rather than focusing on a single “line of sight”, as it were, the technology allows users to access a 360° laser image of a crime scene.

Other exhibitors included Paraben Software with their range of mobile and computer forensics tools; Magnet Forensics with Internet Evidence Finder (IEF); AccessData with FTK and MPE+; and Belkasoft’s Evidence Center.

The next Forensics Europe Expo will take place on the 21st – 22nd April 2015. Anyone interested in speaking or exhibiting should contact Rob Lozowski via the contact details here.


Carving out the Difference between Computer Forensics and E-Discovery

Over the past few years, computer forensics and E-discovery have become buzzwords in the computer security arena and in legal circles. Both refer to the handling of digital data, but is there any difference between them? To clear up the confusion, we need to understand both terms in detail.

Genesis of E-discovery

The advent of email and other forms of electronic communication between individuals in the workplace has put tremendous pressure on litigation. With almost all evidence now present in digital form, litigators must have not only a command of the law but also in-depth knowledge of data retention practices. Without this knowledge it is not easy for them to identify important evidence with which to defend a case in court. Litigators often have to decipher technical intricacies, and it is not possible for them to individually review such cumbersome amounts of data, involving thousands of email messages and other ESI. In such cases the agreed resolution of the problem is the formation of an e-discovery team, which generally comprises lawyers, IT and management professionals.

Main Goal of E-discovery

The main objective of E-discovery is to provide electronically stored information (ESI) to the requesting party, which may be a legal authority, a government body or any other type of third-party entity. It rests on three basic pillars: law, technology and science. The approach is to identify the ESI needed to defend a court case.

How is E-discovery carried out?

E-discovery has become an inevitable development in the justice system in response to the ever-increasing growth of technology. ESI forms the core of e-discovery, and identifying crucial ESI is considered the key task. So what does e-discovery consist of? Let us discuss the procedure.

The E-discovery approach consists of the following steps:

  • Management of records
  • Identification
  • Preservation
  • Collection
  • Processing-Review-Analysis
  • Production
  • Presentation

Data which attorneys consider inherently significant is put on legal hold. Then comes the process of extracting evidence, which is analysed using various forensic techniques and then reviewed on a platform that provides document review facilities. Such platforms help forensic investigators to collect and search through bulk ESI. The approach generally targets information present in allocated clusters. The process filters out applications, system files and temporary files and considers only the active, user-accessible files. Such files generally include PDFs, documents, spreadsheets and, most importantly, email messages.

Electronic data generally co-exists with metadata, which has no counterpart in a normal paper document. Preserving the metadata of these documents is one of the main challenges for investigators, so as to prevent data spoliation.
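As an added example for the collection and metadata-preservation points above (this is not code from the article), the following PowerShell selects only user documents, skips system and temporary locations, records the file-system metadata that a paper copy does not carry together with a SHA-256 hash, and later re-checks the files against that manifest to surface spoliation. The extension list, exclusion pattern and demo folder are constructed assumptions; run it against a write-blocked image or working copy, never the original media.

```powershell
# Added example, not from the article. Preservation manifest for user documents.
# Assumptions: the extension list and exclusion pattern are illustrative only.

$UserDocumentExtensions = @('.pdf','.doc','.docx','.xls','.xlsx','.ppt','.pptx','.msg','.eml','.pst','.ost')
# Skip application, system and temporary locations, as the article describes.
$ExcludedPathPattern = '\\(Windows|Program Files( \(x86\))?|ProgramData|Temp|\$Recycle\.Bin)\\'

function New-PreservationManifest {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $records = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Extension.ToLowerInvariant() -in $UserDocumentExtensions -and
            $_.FullName -notmatch $ExcludedPathPattern
        } |
        ForEach-Object {
            # Timestamps are stored in round-trip (ISO 8601) form so they compare exactly.
            [pscustomobject]@{
                Path        = $_.FullName
                SizeBytes   = $_.Length
                CreatedUtc  = $_.CreationTimeUtc.ToString('o')
                ModifiedUtc = $_.LastWriteTimeUtc.ToString('o')
                AccessedUtc = $_.LastAccessTimeUtc.ToString('o')
                Owner       = (Get-Acl -LiteralPath $_.FullName).Owner
                Sha256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    $records | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
    return $records
}

function Test-PreservationManifest {
    # Re-hash every manifest entry and classify it as Intact, ContentChanged,
    # TimestampChanged (same bytes, different modification time) or Missing.
    param([Parameter(Mandatory)][string]$ManifestPath)
    foreach ($rec in Import-Csv -LiteralPath $ManifestPath) {
        if (-not (Test-Path -LiteralPath $rec.Path)) {
            [pscustomobject]@{ Path = $rec.Path; Status = 'Missing' }
            continue
        }
        $item = Get-Item -LiteralPath $rec.Path -Force
        $hash = (Get-FileHash -LiteralPath $rec.Path -Algorithm SHA256).Hash
        $status = if ($hash -ne $rec.Sha256) { 'ContentChanged' }
                  elseif ($item.LastWriteTimeUtc.ToString('o') -ne $rec.ModifiedUtc) { 'TimestampChanged' }
                  else { 'Intact' }
        [pscustomobject]@{ Path = $rec.Path; Status = $status }
    }
}

# Demonstration on a constructed folder (sample data, not real evidence).
$demo = Join-Path ([IO.Path]::GetTempPath()) ('ediscovery-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $demo 'Documents'), (Join-Path $demo 'AppData\Local\Temp') | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'Documents\contract.docx') -Value 'constructed sample document'
Set-Content -LiteralPath (Join-Path $demo 'Documents\mail.eml') -Value 'constructed sample message'
Set-Content -LiteralPath (Join-Path $demo 'AppData\Local\Temp\scratch.docx') -Value 'excluded: temp location'
Set-Content -LiteralPath (Join-Path $demo 'Documents\setup.exe') -Value 'excluded: not a user document'

$manifest  = Join-Path $demo 'manifest.csv'
$collected = New-PreservationManifest -Root $demo -ManifestPath $manifest
$collected | Format-Table Path, SizeBytes, ModifiedUtc, Sha256 -AutoSize

# Simulate a post-hold edit, then verify the manifest against the current files.
Add-Content -LiteralPath (Join-Path $demo 'Documents\contract.docx') -Value 'post-hold edit'
Test-PreservationManifest -ManifestPath $manifest | Format-Table -AutoSize
```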

Computer Forensics

Computer forensics refers to the scientific study and examination of computers in a way that is consistent with the rules of evidence extraction and with the rules of litigation procedure. In lay terms, it can be considered the application of forensic methodologies to computer-based material. Although it is generally thought of as a part of the traditional forensics arena, it requires detailed knowledge of computer software and hardware in order to avoid destroying important evidence.

Now the question is: extraction of what kind of evidence? It refers to the investigation of culpable evidence that can be extracted from a computer’s hard drive and the preparation of that evidence for presentation in court. Here, the information is already present on the system’s hard drive, but in hidden form. It also refers to searching unallocated disk space to retrieve copies of files which have been damaged, deleted or encrypted. So, basically, investigators have to carve out data in order to produce it as evidence in court.

Methodology behind Computer Forensics

Forensic experts follow a set of standard rules while carrying out an investigation. They physically isolate the suspect computer to ensure that it is not further contaminated. They also make a point of creating a digital copy of the hard drive, and all the investigation is carried out on this digital copy.

Computer forensic experts adopt well-defined procedures and work together as a team for a successful digital investigation. While gathering data, the forensics expert makes a point of documenting all valuable information in a well-structured format.

With the rapid growth of technology, technical skills also need to expand. A normal investigation procedure consists of the following parts:

  • Detection of network intrusion
  • Evaluation of threats and other vulnerabilities
  • Forensic investigation on data

A computer forensic examination reveals a lot of information, such as when a document first appeared on a computer, the date on which it was last edited, and so on. All this information can make a great difference to investigation procedures. To sum up, the computer forensics procedure consists of the following basic steps:

  • Identification of evidence
  • Preservation of evidence
  • Extraction of probative evidence
  • Interpretation and necessary documentation
  • Presentation of evidence in the court by adhering to the rules

Striking Out the Differences

It can be well pointed out that computer forensics and e-discovery go hand in hand: both approaches focus on gathering important evidence, which is the basic criterion of forensic investigations. However, a strong difference has been drawn between the two, and it comes when analysing information. In the case of e-discovery, the legal authorities are involved in reviewing the evidence, whereas in computer forensics, the investigation experts review the digitally stored data, collect important evidence and suitably present it before the law.


DFRWS EU 2015 – Dublin 23rd – 26th March

On Monday 23rd of March 2015, Forensic Focus will be attending DFRWS EU – the European Digital Forensic Research Workshop – at University College Dublin, Ireland. If there are any topics you would particularly like us to cover in-depth, or if there are any speakers you think we should interview, please let us know in the comments.

DFRWS has been running in the USA since 2001 and expanded to Europe in 2013. Organised by some of the most prominent names in digital forensics, including Eoghan Casey, Frank Adelstein and Vassil Roussev, it has grown over the years from a small workshop group to a full conference with double-blind review and printed proceedings.

This year’s European conference runs from the 23rd – 26th of March, and Forensic Focus will be taking notes throughout the workshops and interviewing key figures.

For the first day, the conference is split into two workshop tracks, each focusing on a different area of digital forensics. Below is a brief overview of the workshops available, and of the talks and events throughout the remainder of the week.

Monday

GRR Incident Response Framework

Andreas Moser from Google will provide an introduction to the GRR environment for people who have never previously used it. Tasks will include reading files and registry keys and grabbing artifacts directly from live memory.

Digital Forensics Framework

Frederic Baguelin and Solal Jacob of ArxSys will demonstrate how to use DFF in forensic analyses of hard disks, memory snapshots or virtual machines. The workshop will include an overview of the graphical interface; a look at importing files and extracting information; and searching, filtering and reporting on data.

Digital Memory Forensic Interactive Workshop

Michael Cohen and Johannes Stüttgen from Google will use open source tools to detect malware and advanced system threats. Participants will be encouraged to try the techniques themselves, using both sample images and their own machines. The workshop will also cover extracting binaries from memory, memory management techniques and hooking.

Common Criteria for Digital Forensics Experts

Hans Henseler and Sophie Loenhout will present a draft version of common criteria for digital forensics experts involved in court cases in the Netherlands. This workshop is specifically aimed at expert witnesses and looks to work towards harmonising forensic computer science standards around the world.

First European Workshop on Data Analytics for Information Security and Forensics

This workshop will present a forum for digital forensics professionals to discuss innovative solutions to some of the main challenges faced in cybercrime investigations. Topics covered will include the wide-ranging sources of data available, the proprietary nature of digital forensic tools and their limitations, and how national data protection legislation can impede the investigative process.

Tuesday

Tuesday’s programme comprises a series of talks about digital forensics, including a keynote address by Chris Ashton, the Director of Spectrum Engineering at Inmarsat. Ashton will discuss the lessons we can learn from the flightpath reconstruction analysis performed by Inmarsat when searching for flight MH370, an international passenger flight which went missing on the 8th of March 2014.

The first session following the keynote on Tuesday will look at network forensics, with topics including traffic aggregation and visualisation for network forensics, and the detection, analysis and investigation of spam campaigns.

Throughout the rest of the day a number of topics will be covered, including disk and mobile forensics, forensic tool validation, Tor forensics and malware analysis. There will also be presentations on malware triage and Android vulnerabilities.

Wednesday

The day will begin with a keynote address from Troels Oerting, the former head of European Cyber Crime (EC3) at Europol, followed by a session on forensic investigation of smart TVs and the Sony Playstation 4.

The remainder of Wednesday will be devoted to a session on handling digital evidence, and paper presentations from research groups covering topics such as handling the exchange of digital evidence across Europe, searching extracted data, and data scrutiny in fraud cases.

Thursday

The entire day on Thursday will consist of the First European Workshop on Data Analytics for Information Security and Forensics (E-DAIS). This will include discussions of current research challenges in large-scale forensic investigations; the technical problems of big data analysis for INFOSEC; and the privacy problems surrounding big data analysis for information security and forensics.

Attendees will then break into groups, where they will be encouraged to discuss text translation and mining, the legal aspects of cross-jurisdictional data collection and analysis, and approaches to strengthening human rights protection in big data analytics.

Forensic Focus will be in attendance for all four days of the conference, and you can see the full programme here. If there are any topics you would particularly like us to cover in-depth, or if there are any speakers you think we should interview, please let us know in the comments or email scar@forensicfocus.com with suggestions.


Capturing RAM Dumps and Imaging eMMC Storage on Windows Tablets

Oleg Afonin, Danil Nikolaev, Yuri Gubanov
© Belkasoft Research 2015

While Windows desktops and laptops are relatively easy to acquire, the same cannot be said about portable Windows devices such as tablets and convertibles (devices with detachable keyboards). Having no FireWire ports and supplied with a limited set of external ports, these devices make attaching acquisition media more complicated in comparison to their full-size counterparts. Equipped with soldered, non-removable eMMC storage, Windows tablets are extremely difficult to image while following the required forensic routine. Finally, the obscure Windows RT does not allow running unsigned desktop applications at all while restricting the ability to boot into a different OS, making forensic acquisition iffy at best.

In this article, we will have a look at how Windows-based portable electronic devices are different from traditional laptops and desktops, review new security measures and energy saving modes presented by Windows tablets and discuss hardware, methods and tools we can use to acquire the content of their RAM and persistent storage.

Security Model of Windows Tablets

Tablets running Windows 8, 8.1 and Windows RT are designed with certain security measures to prevent unauthorized access to their content if a device is lost or stolen. These security measures are similar to those present in desktop devices, and differ significantly from the approach employed by Google and Apple.

In Windows 8 and 8.1 installed on a tablet, security measures include optional whole-disk encryption (with BitLocker) and Secure Boot, an option to prevent booting into a non-recognized (unsigned) OS, effectively preventing the use of Linux-based bootable drives often used for digital forensics.

Note that Secure Boot is optional, but is often activated by default in the system’s UEFI. BitLocker keys can be retrieved from the user’s Microsoft Account (http://windows.microsoft.com/recoverykey) or extracted from a memory dump (if captured while the tablet is running).

Secure Boot

Secure Boot, even if activated in the tablet’s UEFI BIOS, can usually be disabled by booting into UEFI (by using the combination of Volume-DOWN and Power keys). However, if UEFI BIOS is protected with a password, resetting the password could be difficult. Notably, Secure Boot does not prevent booting from external media per se. If you have a bootable recovery image of Windows 8.1 or a bootable Windows PE 5.1 flash drive, these already carry the required signatures and can be used to start the tablet even if Secure Boot is enabled.

It is important to note that Secure Boot is permanently activated on Windows RT devices such as Microsoft Surface RT, Surface 2, Nokia Lumia 2520 and other RT-based tablets. Since these ARM tablets are locked with Secure Boot, and there is no way to disable that option, there is no known method to boot them into anything other than Windows RT or its recovery image. While one can technically use a Windows RT recovery image such as the one provided by Microsoft (http://www.microsoft.com/surface/en-us/support/warranty-service-and-recovery/downloadablerecoveryimage), there are no forensic tools available for that OS. However, one can still use the built-in DISM tool to capture the content of a Windows RT computer, but that is outside the focus of this article.

BitLocker

BitLocker is an essential part of the Windows security model. On many tablets, BitLocker encryption protects the C: partition. By default, BitLocker is activated on all Windows RT and many Windows 8 and 8.1 tablets. With BitLocker, one cannot access encrypted partitions without either logging in to Windows (by supplying the correct login and password) or providing the correct Recovery Key. This especially concerns situations where the tablet is booted from an external device.

If the user’s BitLocker Recovery Key is unknown, it can be retrieved from https://onedrive.live.com/recoverykey (providing that the user’s Microsoft Account credentials are known).

Drives protected with BitLocker will be unlocked automatically every time the user logs in. As a result, if you have the user’s local login credentials for the given device, BitLocker does not represent a major problem.

Important note, however: if the Windows tablet you are about to acquire is running, or if it is in Connected Standby mode, DO NOT TURN IT OFF before attempting to capture the system’s live memory dump. If the C: partition is protected with BitLocker, capturing a live memory image is your chance to obtain (and retrieve) the binary key used by BitLocker to decrypt information. If you are able to extract that key, you will be able to use a tool such as Passware Kit Forensic to mount BitLocker-protected partitions even if you know neither the user’s login and password nor their Microsoft Account credentials.

Note that BitLocker is frequently disabled by default on cheaper, mass-produced tablets with smaller screens such as those running Windows 8.1 with Bing.

eMMC Storage

Most Windows tablets are equipped with built-in non-removable eMMC storage. Physically, an eMMC module (Embedded Multi Media Card) is a BGA chip that is soldered onto the main board. As such, standard acquisition methods involving the use of a write-blocking SATA imaging device are not applicable.

In order to acquire partitions from eMMC storage, you will need to boot from an external drive containing a bootable recovery image (such as Windows PE) and a set of forensic imaging tools. However, even that may present a problem with Windows tablets.

Compatibility

Some Windows tablets are equipped with a 32-bit UEFI ROM, while a few other devices come with a fully featured 64-bit UEFI. As a result, you may be unable to boot a 64-bit Windows PE image (or 64-bit Linux) even if the tablet is equipped with a 64-bit capable CPU.

UEFI Secure Boot

The majority of Windows tablets come with the Secure Boot option activated in their UEFI BIOS. Contrary to popular belief, you will NOT need to disable Secure Boot in order to start the system from an external device, PROVIDED that the OS you are about to boot is signed. In other words, you will be able to boot into a Windows 8.1 Recovery and Repair Environment (WinRE) or use a custom Windows PE 5.1 image. However, with Secure Boot activated, you may be unable to boot into a Linux-based forensic image.

In order to disable Secure Boot, you will need to access the system’s UEFI by pressing and holding the Volume-DOWN key together with the Power key while starting the device. However, access to Secure Boot is not required if you simply want to boot from a USB device containing a Windows PE or WinRE image.

Booting from an External USB Device

In order to boot from an external USB device, you’ll need to have a properly prepared WinRE or Windows PE based bootable media and a USB OTG (On-The-Go) cable. In order to change the boot sequence and make the system start from an external device, follow these steps:

  1. Start the tablet.
  2. At the login prompt, tap the Ease of access icon.
  3. Select On-Screen Keyboard.
  4. Tap the Shift key; the Shift key should remain lit.
  5. In the lower right corner, tap the power key and select Restart.
  6. When the unit reboots, select the Troubleshoot option.
  7. From here select Advanced options.
  8. Select UEFI Firmware Settings. You will be transferred into UEFI BIOS.
  9. From there, change the boot order to allow starting from a USB device.
  10. If you are using a non-Windows PE (or WinRE) based image, disable the Secure Boot option. There is no need to touch this option if you are using a Windows PE 5.1 image.
  11. Connect a bootable USB device via a USB OTG adapter.
  12. Save settings and reboot. The system will start from the bootable image on your USB drive.
  13. Follow the acquisition routine of your forensic toolkit.

Capturing a Memory Dump

Capturing a RAM dump of a Windows tablet is essential for digital investigations, and is one of the practices recommended by the ACPO Guidelines. Most principles of capturing a live memory dump remain the same as for full-size PCs. The goals, tools and the process of capturing volatile memory images are described in the Belkasoft whitepaper “Catching the ghost: how to discover ephemeral evidence with Live RAM analysis”.

However, there are minor differences between capturing volatile memory images on a PC and doing the same on a small tablet. One thing to consider is the lack of expansion ports such as FireWire on most tablets, which makes the FireWire attack impossible. Moreover, there is usually no possibility to add a FireWire port via an add-on card.

As such, on Windows tablets (with a notable exception of Windows RT devices) we are limited to using software tools such as Belkasoft Live RAM Capturer.

Since most Windows tablets lack full-size USB ports, you will need to use a USB OTG (USB On-The-Go) adapter in order to connect a flash drive. Since tablets are usually equipped with one or two gigabytes of RAM, even a small USB stick or memory card will suffice.

Analyzing a Memory Dump

Once RAM is acquired, you will need to analyze it with a forensic tool equipped with a Live RAM dump analysis feature, like Belkasoft Evidence Center:

Selection of Live RAM artifacts to search in Belkasoft Evidence Center

There is a high chance of finding various forensically important artifacts. You can see some data found inside RAM dump by Evidence Center:

Live RAM artifacts found by Belkasoft Evidence Center

Conclusion

To conclude, acquiring Windows tablets is similar to dealing with full-size PCs, yet the process has its share of obstacles. We learned how to image partitions saved on soldered eMMC chips and how to deal with BitLocker protection. We figured out the meaning of Secure Boot, when and how to deactivate it if required. Finally, we reviewed steps to access the tablet’s UEFI BIOS and change device boot order in order to allow booting from a USB flash drive containing a set of forensic tools for imaging the device.

About the Authors

Oleg Afonin is Belkasoft sales and marketing director. He is an author, expert, and consultant in computer forensics.
Danil Nikolaev is Belkasoft sales and marketing manager, co-author, and content manager.
Yuri Gubanov is a renowned digital forensics expert. He is a frequent speaker at industry-known conferences such as CEIC, HTCIA, TechnoSecurity, FT-Day, DE-Day and others. Yuri is the Founder and CEO of Belkasoft, the manufacturer of digital forensic software empowering police departments in about 70 countries. With years of experience in digital forensics and security domain, Yuri led forensic training courses for multiple law enforcement departments in several countries. You can add Yuri Gubanov to your LinkedIn network at http://linkedin.com/in/yurigubanov.

Contacting the authors

You can contact the authors via email: research@belkasoft.com
Follow Belkasoft on Twitter: https://twitter.com/Belkasoft
Subscribe to the blog: https://belkasoft.wordpress.com

About Belkasoft Research

Belkasoft Research is based in St. Petersburg State University, performing non-commercial research and scientific activities. A list of articles by Belkasoft Research can be found at http://belkasoft.com/articles.


Acquiring Windows PCs


by Oleg Afonin, Danil Nikolaev and Yuri Gubanov

In our previous article, we talked about acquiring tablets running Windows 8 and 8.1. In this publication, we will talk about the acquisition of Windows computers – desktops and laptops. This class of devices has their own share of surprises when it comes to acquisition.

The obvious path of acquiring a Windows PC has always been “pull the plug, take the disk out, connect to an imaging device and collect evidence”. Sound familiar? Well, in today’s connected world things do not work quite like that.

In this article, we will have a look at measures the investigator has to take before taking the disk out, and even before pulling the plug, review Windows security measures and how they can work in combination with the computer’s hardware.

Windows Security Model

In our previous article, we mentioned Windows RT as an exemplary platform with strict and thorough implementation of a straightforward security model, which made forensic acquisition of Windows RT devices difficult. Fortunately for us, in general, Windows PCs and laptops are not anywhere close to reaching that security level, relying instead on restricting physical access to computer hardware and locking user accounts with passwords. This, however, does not protect the actual data.

Locked bootloader? We do not see that often on Windows laptops, let alone desktop computers. Secure Boot? Disabled by default or easily deactivated from the computer’s UEFI BIOS. BitLocker encryption? Not if the computer’s motherboard lacks TPM support. NTFS encryption? Can be attacked offline by recovering (or breaking) the user’s account password.

So does that all mean one can proceed with the familiar pull-the-plug approach? Not quite. By powering down the device, you’ll be losing the content of the computer’s volatile memory, missing the chance to obtain valuable evidence – or even losing the ability to access the disk at all, if encrypted volumes are present.

Windows 7, BitLocker and TPM (Trusted Platform Module)

While BitLocker is an essential part of the Windows security model, it has never been all that popular on Windows desktops, and is only available on a limited number of laptops. Why is it so?

Let us have a look at the Windows ecosystem consisting today of Windows tablets, laptops and desktop PCs. As mentioned in our previous article, Windows tablets run either Windows RT or Windows 8/8.1. These tablets often include TPM (Trusted Platform Module) hardware that is required for BitLocker to work. All Windows RT tablets and many mid-range and high-end Windows 8 devices such as Microsoft Surface Pro and Surface 3 are equipped with a TPM module and BitLocker, which activates automatically when the user logs in under their Microsoft Account credentials as an administrator.

This is not the case for many Windows desktops and laptops. First and most importantly, BitLocker is only available to Windows 7 (and Windows Vista) users in the Ultimate and Enterprise editions. These are the most expensive editions of Windows; relatively few of them were sold compared to the Professional edition.

Things have changed with the advent of Windows 8. While Windows 8 and 8.1 users can have BitLocker in the Pro and Enterprise editions, the core edition (as well as Windows RT) also supports BitLocker device encryption, a feature-limited version of BitLocker that encrypts the entire C: partition. Moreover, device encryption activates automatically when the user logs in as an administrator with their Microsoft Account.

While BitLocker device encryption is offered on all versions of Windows 8.1, device encryption requires that the device meets a number of specifications. Notably, the device must support Connected Standby, which requires solid-state drives, have non-removable RAM (to protect against cold boot attacks) and a Trusted Platform Module (TPM) 2.0 chip. Few laptops and very few desktops meet all specifications required for the activation of device encryption.

Are We Likely to See BitLocker Running on a Windows PC?

How likely is an investigator to encounter a BitLocker-protected device? If we were acquiring a Windows tablet, the chances would be pretty high, as BitLocker device encryption is activated automatically on most tablets. The chances of encountering BitLocker protection on a desktop or laptop computer are much lower.

By Q2 2015, about 16% of Windows computers are still running Windows XP, while over 60% are Windows 7 and Vista. That is 76% of devices that most likely will not have BitLocker protection (unless the user has Windows 7 Ultimate or Enterprise and manually activated BitLocker). Windows 8 and 8.1 together take a combined share of roughly 15% of the market. How many of those devices running Windows 8.x are using hardware that is not equipped with either a TPM chip, solid-state storage or soldered memory chips is anyone’s guess. While we can expect BitLocker device encryption on most Windows tablets, the same cannot be said about Windows desktops and laptops. However, with more devices (especially laptops) manufactured to meet the required security standards, in time we will be seeing more BitLocker-encrypted computers.

Dealing with BitLocker Encryption

If you know the user’s Microsoft Account credentials, the user’s BitLocker Recovery Key can be retrieved from https://onedrive.live.com/recoverykey. Alternatively, when investigating a corporate computer, BitLocker Recovery Key can be obtained from the company’s Active Directory.

However, if the Recovery Key is not available, your only option for imaging a BitLocker disk would be capturing the content of the computer’s RAM (with a tool like Belkasoft Live RAM Capturer) and using a product such as Passware Kit Forensic or ElcomSoft Forensic Disc Decryptor to extract the binary key used by BitLocker to decrypt information. That key can then be used in the same product to mount BitLocker-protected partitions.
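As an added example (not from the article or from Belkasoft), the following PowerShell triage collects, on a still-running Windows 8.x machine, the facts this section and the earlier Secure Boot discussion turn on: Secure Boot state, TPM presence, installed RAM (to size the media for the memory dump) and the BitLocker status and key protector types of each volume. It assumes an elevated PowerShell session on Windows 8 or later, where the SecureBoot, TrustedPlatformModule and BitLocker modules are available; the function name Get-AcquisitionTriage is my own.

```powershell
<#
  Pre-acquisition triage for a live Windows 8.x PC or tablet.
  Added example, not Belkasoft code. Run it from the examiner's own
  media on the live system BEFORE powering the machine down; it only
  reads firmware, TPM and volume state and writes nothing to the disk.
  Needs an elevated session (the SecureBoot and BitLocker cmdlets
  require administrator rights).
#>

function Get-AcquisitionTriage {
    [CmdletBinding()]
    param()

    $report = [ordered]@{}

    # 1. Secure Boot only matters if you intend to boot a non-Windows
    #    (e.g. Linux) forensic image; signed Windows PE / WinRE media
    #    boots with Secure Boot left on.
    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS / CSM firmware throws here: there is no Secure Boot to disable.
        $report.SecureBootEnabled = $false
    }

    # 2. TPM: BitLocker (and automatic device encryption) requires one.
    try {
        $tpm = Get-Tpm
        $report.TpmPresent = $tpm.TpmPresent
        $report.TpmReady   = $tpm.TpmReady
    } catch {
        $report.TpmPresent = $false
        $report.TpmReady   = $false
    }

    # 3. Installed RAM: the dump target (USB stick, card) must hold at least this much.
    $ramBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
                 Measure-Object -Property Capacity -Sum).Sum
    $report.RamGB = [math]::Round($ramBytes / 1GB, 1)

    # 4. BitLocker state per volume. A RecoveryPassword protector means a
    #    48-digit recovery key may exist in the user's Microsoft Account
    #    (OneDrive) or, on a domain machine, in Active Directory.
    $volumes = @()
    try {
        $volumes = @(Get-BitLockerVolume | ForEach-Object {
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                VolumeStatus     = $_.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
                ProtectionStatus = $_.ProtectionStatus  # On / Off
                KeyProtectors    = ($_.KeyProtector.KeyProtectorType -join ',')
            }
        })
    } catch {
        # BitLocker module absent (e.g. Windows 7 Home/Pro): nothing to report.
    }
    $report.Volumes          = $volumes
    $report.ProtectedVolumes = @($volumes | Where-Object { $_.ProtectionStatus -eq 'On' }).Count

    # 5. With a protected volume and no recovery key, the RAM dump is the only
    #    route to the BitLocker key, so it must be taken before shutdown.
    $report.RamDumpRequiredForDisk = ($report.ProtectedVolumes -gt 0)

    [pscustomobject]$report
}

$triage = Get-AcquisitionTriage
$triage | Format-List
$triage.Volumes | Format-Table -AutoSize
if ($triage.RamDumpRequiredForDisk) {
    Write-Warning "BitLocker-protected volume(s) present: capture RAM (e.g. Belkasoft Live RAM Capturer) before powering down."
}
```

The article recommends a memory dump in every case; the flag only marks the situation where skipping it also forfeits access to the disk.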

Making a RAM Dump

The importance of capturing memory dumps before shutting the computer down is hard to overestimate. Note that without a memory dump, you may be locked out of encrypted volumes and faced with the possibility of spending days or weeks trying to break into a crypto container – with dubious results.

Our tool of choice for making memory dumps is Belkasoft Live RAM Capturer. The tool runs in the system’s kernel mode, and allows acquisition of the complete contents of the computer’s RAM along with protected memory areas.

Once RAM is captured, you will need to use a tool that has a Live RAM analysis feature. Belkasoft’s Evidence Center allows searching for various forensic artifacts inside the memory, like browser histories, including deleted data and Private browsing history, SQLite databases, pictures, documents, messenger chat histories, registry files, and more.

Conclusion

To sum up, acquiring Windows computers is more complex than simply pulling the plug and taking the disk out. Even if the computer is not protected by Windows security features such as BitLocker, acquiring data from a turned-off machine means missing evidence from Live RAM, where we are extremely likely to find some forensically important artifacts. That is why we strongly recommend creating a memory dump before powering down the computer.


About Belkasoft Research

Belkasoft Research is based in St. Petersburg State University, performing non-commercial research and scientific activities. A list of articles by Belkasoft Research can be found at http://belkasoft.com/articles. To learn more about forensic analysis of RAM, please read the Belkasoft article “Catching the ghost: how to discover ephemeral evidence with Live RAM analysis” at http://belkasoft.com/live-ram-forensics. Belkasoft’s previous article, Capturing RAM Dumps and Imaging eMMC Storage on Windows Tablets, can be found at http://belkasoft.com/en/ram-capture-on-windows-tablets. For more information about Belkasoft’s Live RAM Capturer, please visit http://belkasoft.com/en/ram-capturer.


The Future of Mobile Forensics


by Oleg Afonin, Danil Nikolaev & Yuri Gubanov
© Belkasoft Research 2015

Most would agree that the golden age of mobile forensics is over. There is no longer an easy way to get through the passcode in new iOS devices running the latest version of iOS. Chip-off acquisition is dead for iOS devices due to full-disk encryption, while physical acquisition of Apple hardware is dead since the introduction of 64-bit devices and versions of iOS 8 that cannot be jailbroken. Blackberries were highly resistant to chip-off acquisition from the beginning, and Android is getting there quickly. In this whitepaper, we will look into the current state of mobile forensics for the different platforms and devices, analyze current trends and attempt to predict how mobile forensics will look in the years ahead.

To gather these predictions, Belkasoft analyzed state-of-the-art tools, methods and hardware offered by leading manufacturers, and interviewed experts working for manufacturers of digital forensic products. Since manufacturers often specialize in specific areas (e.g. producing equipment for breaking iPhone passcodes), we questioned multiple representatives to be able to see the whole picture. Today, we are ready to share our findings.

iOS Forensics

Since Apple uses full-disk encryption with passcode-dependent, hardware-based encryption, chip-off acquisition has not been a possibility for a long time. The following acquisition methods are available for Apple devices:

  1. Sending the device back to Apple. Generally available to government agencies and law enforcement. Only for iOS versions prior to iOS 8.
  2. Physical acquisition. A non-destructive acquisition method allowing one to obtain the full image of the device via the standard Apple cord.
  3. Logical (backup) acquisition. Deals with offline backup files produced by the device being analyzed.
  4. Over-the-air acquisition. Downloads information from the iCloud.

Let us briefly review the benefits, drawbacks and current trends for each acquisition method.

Sending to Apple

Sending devices for acquisition directly to Apple used to be a viable strategy, but not anymore. With the release of iOS 8, Apple explicitly states in their Privacy Policy that the new system is so secure that even Apple themselves cannot access information inside the device if the correct passcode is not known. Thus, modern devices running the latest version of iOS can only be acquired this way if the correct passcode is known. By June 2015, more than 80% of iOS devices were running iOS 8, so the chances of actually handling a device with an older version of iOS are becoming slim.

iOS Physical Acquisition

When it comes to physical acquisition, the technique only works for jailbroken 32-bit devices (both conditions must be met), or 32-bit devices with a known passcode that can be jailbroken by the investigator. Compared to Android, relatively few Apple users install jailbreak. Since there is currently no jailbreak for the latest version of iOS available, and all new devices are using 64-bit circuitry anyway, physical acquisition will only work in rare cases (with the exception of developing countries where older 32-bit Apple hardware still occupies a major market niche).

iOS Logical Acquisition

If a passcode is known, or there is a way of finding it out, investigators can make the device produce an offline backup via iTunes. The backup can then be analyzed, but with some restrictions:

  • Device secrets (items stored in the keychain) will only be available if the backup was password-protected (and will NOT be available in backups saved without a password). Somewhat counterintuitively, if you have a device that is configured to produce backups without password protection, setting a known backup password and entering that same password in the forensic tool will enable access to more information compared to analyzing non-protected backups.
  • Cached items such as downloaded mail are not available in backups.
  • If the device is configured to produce password-protected backups, changing that password is not possible if the password is not known. According to Apple, “If you forgot your [backup] password, the only way to turn off backup encryption on your device is to erase your device and set up as new. Erasing removes all data from your device.” (https://support.apple.com/en-gb/HT203790). In other words, resetting the password is not an option if you do not know it already, and backups protected with an unknown password must be broken into by using forensic tools without any timeframe or success guarantee.

Other than that, there is a great number of forensically important items that you can find inside an iTunes backup using forensic tools. Our tool of choice is Belkasoft Evidence Center. The picture below illustrates how the tool was able to extract over 8 thousand instant-messenger related artifacts from a sample iTunes backup:

Over-the-Air Acquisition (iCloud)

Finally, there is a way to acquire the content of Apple devices by downloading backups from iCloud.

iCloud is a cloud service available to Apple customers. 5 GB of cloud storage are available free of charge, and up to 50 GB can be purchased for a fee.

Apple designed a very convenient system for backing up devices to the cloud. Backups are incremental and occur automatically every time the device is put on a charger while locked and connected to a known Wi-Fi network (all conditions must be met). Back in 2012, about 33% of Apple customers were using iCloud. While no recent statistics are available, we can reasonably assume that iCloud usage has increased dramatically, with the majority of Apple customers backing up their information into the cloud.

Cloud backups contain all of the same information as offline backups produced via iTunes. iCloud backups can be retrieved with forensic software if the user’s Apple ID and password are known, or if a binary authentication token from the user’s computer is available. Information can also be obtained directly from Apple by law enforcement with a government request.

Android Forensics

Acquisition methods available for Android devices differ significantly.

  1. Sending the device to the manufacturer for data extraction. Generally available to government agencies and law enforcement for most domestic devices. May not be available for international models (e.g. no-name Chinese phones).
  2. Physical acquisition. A non-destructive acquisition method allowing one to obtain the full image of the device via a USB cord and forensic software.
  3. JTAG forensics. Retrieves information via the phone’s Test Access Port.
  4. Chip-off acquisition. Requires the removal of memory chips. Produces raw binary dumps.
  5. Over-the-air acquisition. Involves downloading information from Google Account.

Sending to Manufacturer

Sending the device to its manufacturer may be a viable acquisition strategy if the device is unavailable via other means. For example, Samsung, which is the number one seller of smartphone devices in the US, has an official policy to support information extraction when serving a government request.

Notably, this approach may not be available in the case of international devices (in particular, no-name and C-brand smartphones originating from China). On the other hand, most Chinese devices are not secured in any reasonable way, and can usually be acquired via physical acquisition.

Android Fragmentation

Android is a highly fragmented platform with several hundred manufacturers and many thousands of device models (source: http://opensignal.com/reports/2014/android-fragmentation/). In a report dated August 2014, OpenSignal states: “We have seen 18,769 distinct devices download our app in the past few months. In our report last year we saw 11,868”. According to the same report, “Samsung have a 43% share of the Android market”, as illustrated by the chart:

Unlike iOS, Android has multiple major versions of the OS running on the plethora of devices. The official source demonstrates slow adoption of the latest Android 5 ‘Lollipop’ compared to blazing fast adoption of the latest iOS 8 by Apple users.

All this means that manual acquisition is probably out of the question (unless performed on a small sample of well-known models), with specialized software becoming the necessary middleman.

Notably, over-the-air acquisition (Google Account analysis) is the only method that has nothing to do with hardware fragmentation. Cloud acquisition will inevitably change as full data backups get introduced in Android M, but other than that it’s not dependent on the version of Android OS either.

Physical Acquisition of Android Devices

In this short overview, we will not go into comparing security implementation details between the different versions of Android, device manufacturers and carrier requirements. We will only give a qualitative assessment. Depending on your choice of forensic acquisition tool, the phone’s make, model, carrier, Android version, user settings, root status, lock status, whether or not the PIN code is known and whether or not the “USB debugging” option is enabled, you may or may not be able to perform physical acquisition of a particular device. (Translated to human language, the above paragraph means “you won’t know until you try”).

With all that said, a random Android device will most probably be a Samsung phone (a 43% probability). It will most probably have a locked bootloader, being protected with a 4-digit passcode, without root, and with USB debugging disabled (the user must alter certain phone settings explicitly in order to change any of the above, which is not always easy and even not always possible). Whether or not the device will be encrypted is a hit or miss (most devices are not encrypted out of the box, but enabling encryption is as easy as setting a PIN code and toggling a single setting). In other words, you will have to rely on the quality of your extraction toolkit in order to be able to perform physical acquisition of said device.

JTAG Forensics (Android)

JTAG forensics is an advanced acquisition procedure, which uses the standard JTAG port to access raw data stored in the connected device. By using specialized equipment and a matching device-specific JTAG cable, one can retrieve the entire flash memory contents from compatible devices. Notably, JTAG acquisition is often available even for locked, damaged or otherwise inaccessible devices.

It is important to realize that JTAG forensics is a low-level acquisition method that will return raw content of the memory chips. If whole-disk data encryption is present on the device (either pre-activated by the manufacturer or enabled by the user), JTAG acquisition will produce an encrypted image. In order to decrypt the raw image, one will need access to the phone’s higher-level API, which, in turn, requires supplying the correct passcode. Notably, whole-disk encryption is active out of the box on many Samsung phones, Nexus 6 and Nexus 9 devices as well as some other flagship phones sold by leading manufacturers.

Despite that, JTAG forensics remains a viable acquisition method for compatible Android devices. With Google’s decision to back away from encrypting new Android 5.0 devices by default, manufacturers are under no obligation to enforce whole-disk encryption in their existing devices receiving an upgrade to Android 5.0/5.1 as well as newly released phones running Lollipop out of the box. You can use JTAG forensics on compatible phones only if they are not using whole-disk encryption.

Once the acquisition is completed, an investigator can use a product such as Belkasoft Evidence Center for JTAG analysis. The product will automatically extract and analyze dozens of forensically important artifacts, including contacts, call logs, geolocation data, messenger chat histories, browsing history, etc.

Chip-Off Acquisition

Chip-off acquisition is a highly advanced, lowest-level destructive acquisition method requiring physical de-soldering of memory chips and using specialized hardware to read off their content. Chip-off acquisition is often used as a last resort. If whole-disk encryption is not enabled, chip-off acquisition will produce the full binary image of the device complete with unallocated space.

As opposed to computer hard drives, in the world of mobile forensics the lowest-level access is not always the best thing. Granted, chip-off acquisition will produce the complete raw image of the memory chip(s) installed in the device. However, the investigator will have to deal with issues such as block address remapping, fragmentation, and encryption. In the case of Apple devices, Samsung phones and many other devices, encryption is enforced out of the box and cannot be bypassed during or after chip-off acquisition even if the correct passcode is known. As a result, chip-off acquisition is limited to unencrypted devices or devices using encryption algorithms with known weaknesses.

Nandroid Backups

Examiners analyzing a rooted Android device have yet another avenue for extracting the full and complete file system of the device: generating a so-called NANDroid backup. Nandroid backups can be created by booting the device into a custom recovery (by either issuing an ADB command or, if USB Debugging is not enabled, by holding the Vol- and Power keys on the device) and selecting the corresponding menu item.

The following conditions must be met in order to produce a Nandroid backup:

  • Bootloader is unlocked and custom recovery (e.g. CWM or TWRP) is installed, -or-
  • The device is rooted, Busybox package installed and a Nandroid backup app such as this is used

Note that on a rooted device with the Busybox package installed, a Nandroid backup app can produce a full NANDroid backup even if the bootloader is locked and no custom recovery is available. Conversely, root is generally not required to make or restore Nandroid backups if the operation is performed through custom recovery.

If all of the above conditions are met, the expert can boot into custom recovery and make the device dump the content of its file system onto an SD card (if supported by the device) or an OTG flash drive (again, if supported by the device). There is also a small chance of discovering existing Nandroid backups on the device being analyzed. Nandroid backups are standardized between different recoveries: NANDroid is the de-facto standard format for storing Android system backups.

Over-the-Air Forensics: Google Account

There are currently no full cloud backups available to Android users. Current versions of Android do not back up application data; instead, only the list of applications is generally backed up from Android devices. As a result, over-the-air forensics similar to iCloud acquisition is not available for Android devices. Apparently, this is about to change in the coming Android M. However, over-the-air forensics is far from being dead.

Google has mastered data collection. The company collects and maintains massive amounts of data from users of its services. The information is collected from all devices under the same Google ID including phones, tablets, desktop and laptop computers regardless of the operating system (if at least one service under the Google Account umbrella has been used).

Accessing such a massive amount of data is extremely tempting. With the user’s Google ID and password, forensic experts can access and analyze all information from the user’s Google Account including Gmail, Contacts, Google Drive data, synced Chrome tabs and bookmarks, passwords, registered Android devices and their location history, and a lot of other information.

Windows Phone 8 Forensics

Windows Phone 8 and 8.1 are a relatively new contender in the mobile arena. The platform enjoys a global market share of 4.2% (Q1 2015), while showing a much higher adoption rate in select markets (namely Spain, France, Germany, Italy and the UK).

The Windows Phone 8 platform does not by default use full-disk encryption on devices sold to consumers. However, Windows Phone devices used in corporate environments are always encrypted.

The Windows Phone platform is quite secure, and does not allow for logical or physical acquisition techniques. This means that traditional forensic acquisition tools such as Cellebrite, XRY, or Oxygen Forensic Suite cannot acquire information from a locked Windows Phone by connecting via a USB cable.

At this time, two vectors of attack exist for Windows Phone devices: over-the-air acquisition of the phone backup from Microsoft Account and JTAG/chip-off extraction.

Windows Phone Cloud Forensics

The Windows Phone OS comes with the ability to create periodic backups of the content of the device to Microsoft cloud storage. These backups work similarly to iOS backups, and contain much of the same information including application data, synced passwords, and device configuration settings.

Cloud backups can be downloaded from the user’s Microsoft Account with tools such as Elcomsoft Phone Breaker, provided that the Microsoft Account login and password are known. Alternatively, the data can be requested from Microsoft with a warrant.

Windows Phone 8 JTAG and Chip-Off Extraction

Forensic acquisition of non-encrypted Windows Phones comes down to either JTAG or chip-off extraction. Since Windows Phone 8 is a Windows-based OS, it uses NTFS as its file system and has many similarities to the desktop Windows platform. Notably, these methods will work with most publicly sold Windows Phone 8 devices.

Windows Phone: Sending to Manufacturer

Unlike Apple, Microsoft does not enforce full-disk encryption out of the box. For this reason, Windows Phone devices can be sent to their original manufacturers accompanied with a warrant to have information extracted. Since Nokia smartphones (now manufactured by Microsoft under its own name) constitute the majority of Windows Phone units, Microsoft will be the final stop for most cases involving Windows Phone acquisition.

Windows Phone Page File Analysis

A large portion of Windows Phones’ data is stored inside page files, including information from both running and background apps. However, due to a different device architecture, the Windows Phone page file format differs from that of desktop Windows, so one will need a forensic tool that specifically supports Windows Phone page files. Belkasoft Evidence Center was the first forensic product with proper WP page file parsing. Carving pagefile.sys files with Belkasoft Evidence Center will allow you to find multiple types of artifacts, such as web pages, pictures, chats, as well as registry files and many more.

BlackBerry 10 Forensics

Once a major player with a 43% share of the US mobile market back in 2010, the Canadian manufacturer today is a distant fourth. With only 1.5% of the US consumer market, BlackBerry devices are still commonly used in corporate environments.

From the very beginning, BlackBerries were secure. BlackBerry smartphones used full-disk encryption, making chip-off acquisition fruitless. Early-generation devices had an exploit allowing the attacker to break the encryption key offline by running an attack on a device-encrypted SD card. This is no longer the case today.

At this time, the only vector of attack on BlackBerry smartphones is accessing a BlackBerry backup file (or making the device produce a backup via BlackBerry Link), obtaining the suspect’s BlackBerry ID and password and using the login and password combination to decrypt the backup. If the backup is available, you can analyze it with forensic tools that support Blackberry backups.

Breaking (or recovering) the password is not possible as information used for decrypting the backup is stored on (and is retrieved from) a BlackBerry server. However, a government request can be made to obtain the decryption keys from the company.

Conclusion

In our view, the future of iOS forensics lies with over-the-air acquisition. Since many users configure their devices to maintain cloud backups, the data can be obtained from iCloud (or requested from Apple). The alternative to this is logical acquisition via offline (iTunes) backups, which may not be available if either the device passcode or the backup password is not known. We consider physical acquisition to be dead for recent Apple devices used with the latest versions of iOS.

When it comes to Android, physical acquisition is quite alive, and is the first technique to attempt. If the device is not rooted, the passcode is not known, and the “USB Debugging” option is not enabled, the outlook does not look bright (but there are still possibilities such as bootloader exploits). JTAG acquisition remains a viable option for compatible devices (if whole-disk encryption is not used), while chip-off acquisition can still be used as a last resort on unencrypted devices.

Offline backups are not generally available to Android users, yet they can technically be produced with certain manufacturers (e.g. via Sony PC Companion for Xperia smartphones). There are no full cloud backups available either (the upcoming Android M is about to change that, bringing Apple-like backups to Android). However, a lot of information can be retrieved from the user’s Google Account, including synced Chrome bookmarks, passwords, list of registered devices and their geolocation information, mail (Gmail) and calendar events, and so on.

Android is slowly becoming a secure platform. More devices feature whole-disk encryption out of the box, and each version of Android is more secure than the one it replaces. Android 5 is secure enough to be an obstacle to physical acquisition; many forensic tools still do not support physical acquisition of devices running Android 5 unless the correct passcode is known. Full-disk hardware encryption is about to become the norm for Android devices in the near future (2-3 years). For now, physical acquisition (as well as JTAG forensics) remains a viable extraction option for Android devices, slowly losing its significance as the platform becomes more secure with more devices shipped encrypted out of the box.

Google collects a lot of information about its users. This information is collected from all devices under the same Google ID including phones, tablets, desktop and laptop computers regardless of the operating system (if at least one service under the Google Account umbrella has been used). Obtaining information from the user’s Google Account can deliver lots of valuable evidence. We can certainly notice a trend here, with Android device forensics being complemented (and at a certain point replaced) by cloud-based analysis of the user’s Google Account.

The upcoming Android M will feature full device backups – just like iOS. When (or if) this materializes, forensic experts will be able to perform cloud acquisition of Android backups similar to the iCloud acquisition they can do today. Android M will be released in less than a year. It will probably be a matter of at least two years before the new system takes a noticeable share of the Android OS version chart.

About Belkasoft Evidence Center

Belkasoft Evidence Center is an easy-to-use tool for both computer and mobile forensics. The tool has extensive out-of-the-box support for hundreds of mobile apps, which makes Evidence Center a good choice for looking for digital evidence inside phone backups, dumps and images. The product supports all major forensic formats, including iTunes backups, Android backups, BlackBerry backups, UFED physical and logical dumps, and chip-off and JTAG dumps.

The 100+ mobile applications that the product can extract data from include browsers (Safari, Chrome, Firefox, Opera), mailboxes (Gmail, Yahoo Mail), various messengers (Skype, WhatsApp, Viber, Kik) and other apps (Facebook, LinkedIn, Foursquare, QIWI wallet).

Find out more at Belkasoft.com. To test the product, request a free fully functional trial license at http://belkasoft.com/trial.

About the authors

Oleg Afonin is Belkasoft sales and marketing manager. He is an author, expert, and consultant in computer forensics.

Danil Nikolaev is Belkasoft sales and marketing manager, co-author, and content manager.

Yuri Gubanov is a renowned digital forensics expert. He is a frequent speaker at industry-known conferences such as CEIC, HTCIA, TechnoSecurity, FT-Day, DE-Day and others. Yuri is the Founder and CEO of Belkasoft, the manufacturer of digital forensic software empowering police departments in about 70 countries. With years of experience in digital forensics and security domain, Yuri led forensic training courses for multiple law enforcement departments in several countries. You can add Yuri Gubanov to your LinkedIn network at http://linkedin.com/in/yurigubanov.

Contacting the authors

You can contact the authors via email: research@belkasoft.com
Follow Belkasoft on Twitter: https://twitter.com/Belkasoft
Subscribe to the blog: https://belkasoft.wordpress.com

See also:
Our previous article: Acquiring Windows PCs
All articles by Belkasoft


Project Spartan Forensics


by James Gratchoff & Guido Kroon, University of Amsterdam

Project Spartan is the codename of the new Microsoft Edge browser, the successor to Internet Explorer. This research paper gives insight into the artefacts that the current development versions of Project Spartan leave behind on workstations. The authors analysed what these artefacts are, where they are located and how they can be gathered. This research led to the conclusion that Project Spartan’s back end does not differ much from the latest Internet Explorer versions, as Project Spartan still uses similar ways to store data on the workstation it runs on. Furthermore, an open source tool has been developed to gather some of these artefacts in an automated way. The purpose of the tool is to gather the locations of the artefacts not present in the database.

Introduction

Web browsing activity is a major source of information in forensic investigations. Much open-source and proprietary software already exists to perform forensic investigation of the most popular web browsers. These forensic tools depend on the architecture of the web browsers and thus need their code adapted to new versions or new browsers.

Microsoft is moving away from their traditional web browser, called Internet Explorer (IE), and launching their new Edge web browser, formerly codenamed Project Spartan, which will be shipped by default on Windows 10. The web browser uses the new Edge engine, which is a fork from their former Trident engine that IE is based on. However, as Edge is currently still in development as Project Spartan, this research will refer to it as Project Spartan, and not as Edge.

The purpose of this project is to gather information about new artefacts that Project Spartan leaves behind on workstations. If time permits, an open source tool for analysing these artefacts will be created as a proof of concept.

1.1 Scope, motivation and research question

As Edge is a newly developed browser, it is interesting to research the artefacts it leaves on workstations, especially as more and more people will start using it when Windows 10 is released next summer. This new information may therefore be valuable to the digital forensics community and will soon be needed for investigations. This project only targets the browser artefacts. A quick investigation of the new Cortana features has also been carried out. The information in this project relates to Project Spartan and not to the Edge browser, which has not yet been released. However, the browser is expected simply to be given another product name, so the artefacts found should be the same and located in the same directory structure, with only the path name differing. The path name that will be used in Edge is not known at the time of writing.

Overall discussion of the significance and motivation resulted in the following research question:

What and where are the artefacts Project Spartan leaves behind on workstations, and how can these artefacts be gathered for further analysis to serve as forensic evidence?

The above research question can be divided into the following research sub-questions:

1. As the new Project Spartan engine is forked from its predecessor’s Trident engine used with IE, how much does Project Spartan differ from its predecessor and to what extent can existing forensic toolkits for browsers still gather these artefacts in the same way they gather artefacts for Internet Explorer?

2. Can a tool be developed, based on the assembled results, in order to gather the artefacts of the Project Spartan web browser in an automated way?

Related work

As it is a recent product, no forensic research related to Windows 10 or Project Spartan/Edge had been published at the time of writing. However, much research has been done regarding web browser forensics. This project started by analysing the structure of Project Spartan and also how the latest versions of Microsoft IE store their information. Version 10 and later of IE will be referred to as IE v10+ in the rest of this report. Then the similar features of Microsoft Project Spartan were compared to IE v10+ in terms of artefact locations and databases. Furthermore, the new features of Project Spartan were analysed and traced back to find where their artefacts were stored on disk.

2.1 Browser forensics

Forensic tools that investigate browser activity rely on the locations of artefacts stored on disk. These locations are specific to each browser, so these tools need to adapt the locations and the way of gathering information whenever a new browser is released. Forensic investigators need to gather detailed and trustworthy information about all the artefacts left on the disk by the browser. Moreover, any kind of information that a browser leaves behind can be valuable and of extreme importance in investigations. That is why it is important not to neglect any artefact that could lead to stronger proof of user activity.

Private browsing has also become popular as a way of increasing privacy while browsing. In private browsing mode, the browser is not supposed to store any browsing activity during the session, so it is understandable that private browsing forensics has been a developing area of research. Said et al. [12] researched Microsoft IE as well as Mozilla Firefox and Google Chrome with regard to their private browsing features. They concluded that Google Chrome and Mozilla Firefox do a better job of hiding their private browsing data, while Internet Explorer seems to leave evidence ‘all over the hard drive’. Chivers [6] conducted another research project targeting the private browsing feature of IE 10, and was able to recover data from private browsing within a specific window of time. Indeed, by carving log files he was able to identify some substantial records of private browsing that had taken place the last time the browser was opened. Due to the short life cycle of private browsing records in the database, these records could not be found after opening the browser a second time. To carve the log files containing the previous records of the private browsing he developed a tool, ESECarve.

2.2 Structure of Internet Explorer

A great deal of research has been done on IE version 10 and later, and from our early investigation of the structure of Project Spartan we can say that it is extremely similar to IE v10+. Microsoft Project Spartan and IE v10+ rely on an Extensible Storage Engine (ESE) database, previously known as Joint Engine Technology (JET), to store their information. Metz [9] details the format of the database and Chivers [6] describes how ESE works. In IE 10, a single database named WebCacheV01.dat is dedicated to storing artefacts. This database is located at:

[Screenshot: location of the WebCacheV01.dat database; image not reproduced]

Artefacts present in this database differ in type (e.g. cache, history, cookies), and each type is kept in a separate container table (‘Container_XX’, where XX is the container ID). These containers can be identified using another table in the same database, named ‘Containers’, that acts as an index specifying which artefacts correspond to which containers. Every container has the same fields, which are listed in [9]. All these fields are valuable for forensic investigations. The functioning of the database follows the steps described in [6]. When a transaction takes place, the ESE first stores the information about this transaction in an in-memory log cache, then stores the necessary database pages in memory. As soon as the system is ready it writes to the log file (e.g. V01.log). After this, if possible, the database is updated with the new transaction and proceeds in a clean state; if not, it proceeds in a dirty state. If the state of the database is dirty it has to be recovered using the .chk files (which store logged transactions from a known checkpoint) and the corresponding log files. The database can also be brought back to a clean state using the esentutl Windows tool. Most of the artefacts are not only stored in the database but can also be found on the disk as files. For IE 10, these artefacts are located in the subdirectories of:

[Screenshot: IE 10 artefact directory; image not reproduced]

The artefacts that can be found there are, for example, the cache files, the cookies and the favourites. Another location where IE stores information is the registry. The information located there is obfuscated but can be read with IE PassView [4]. The information that can be found there includes autocomplete form data, autocomplete passwords and typed URLs. The location of the registry key is:

[Screenshot: registry key path; image not reproduced]

Approach

The first part of the research was to understand the structure of the Project Spartan browser and the methods it uses to store information about a user. Secondly, an investigation of how and where artefacts are found in the most widely used web browsers was carried out. This investigation was mainly focused on IE version 10 and later, due to the similarities with the Project Spartan browser found in the first step. Following this investigation, the authors compared the artefacts from IE and Project Spartan and documented which new artefacts could be found in Project Spartan. The next step was to discover where and how artefacts are stored on the disk. Thereafter, tools used to investigate browser activity were tested on the new browser. The last step was to summarise what had been found using available tools and to create a tool that is able to find the new artefacts discovered in Project Spartan.

The following tools were used for this research:

  • ESEDatabaseView v1.30: ESEDatabaseView is a simple utility for browsing ESE-structured database files, developed by Nir Sofer [10]. We used it to browse the ESE databases Project Spartan stores its data in, namely the WebCacheV01.dat and the Spartan.edb files.
  • ESECarve v1.20: ESECarve is a forensic tool written by Chivers [6] that is used to inspect and recover deleted data from ESE database files.
  • Notepad++ v6.7.8 (with the hex editor plugin v0.9.5): Notepad++ is an open source text editor for Windows operating systems. Together with the hex editor plugin [7] we used this tool to open and read the contents of many files.

Artefacts Analysis

This section describes where Project Spartan stores its artefacts on disk and details whether or not these artefacts can be found in the Extensible Storage Engine (ESE) database. A section also describes which features likely to leave artefacts are not yet implemented in Project Spartan.

4.1 Database

Microsoft Project Spartan uses the same database structure as the latest versions of Internet Explorer, namely the ESE database. The Internet Explorer 10 ESE database structure has been researched in depth by Malmström and Teveldal [8]. The main WebCache database file is located in a dispersed fashion, which differs per user, hence the %LocalAppData% environment variable:

[Screenshot: WebCacheV01.dat location under %LocalAppData%; image not reproduced]

Numerous tools exist for reading these database files, which we also list in the Tools section, but we mostly used ESECarve, ESEDatabaseView and esentutl. Within this database file all sorts of information is stored, but not much actual content (some, but definitely not all). Rather, it is more like an index which keeps track of all the locations where the actual artefacts are stored.

When we open this file with a hex editor, we can see that this version still uses the same format that previous versions use. The hex dump of the database header can be interpreted as shown in figure 4.1. This can be verified by analysing the database with esentutl, which is installed by default on every Windows system. Note that the database uses little-endian byte order, so when comparing with a hexadecimal dump, every multi-byte field needs to be read in reverse byte order. While the database mostly stores metadata as opposed to actual content, there are some interesting artefacts to be harvested from within this file, such as:

1. visited URLs (see section 4.5)
2. Cortana search queries (see section 4.8)
3. download history (see section 4.6).

[Screenshot not reproduced]

The ESE database also contains the location of every other artefact stored locally on the system (see figure 4.2).

The container that is being viewed in figure 4.2 shows all the container IDs of the other containers that can be viewed. It shows what content is being stored in which container and where it can be found on the system (folder paths).

4.2 Cache

Project Spartan stores its caches in a dispersed fashion as well, which differs per user, hence the %LocalAppData% environment variable:

[Screenshot: cache location; image not reproduced]

Just like IE, there are four cache folders in this directory, each containing a portion of the cache. They contain all sorts of content which is saved locally when browsing with Project Spartan, like HTML pages, pictures and even downloads, which are stored here temporarily before they are moved to the actual download folder. This is an example of such a cache folder:

[Screenshot: example cache folder; image not reproduced]

4.3 Cookies

Project Spartan stores its cookies in a dispersed fashion as well, which differs per user, hence the %LocalAppData% environment variable:

[Screenshot: cookies location; image not reproduced]

The cookies are stored in txt files with a randomly chosen name. This is an example of a cookie, ‘1YTEYKVD.txt’:

[Screenshot: cookie file contents; image not reproduced]

Project Spartan knows which cookie file belongs to which domain, as this is tracked in the WebCacheV01.dat database.

4.4 Bookmarks

Project Spartan stores its bookmarks in a dispersed fashion as well, which differs per user, hence the %LocalAppData% environment variable:

[Screenshots: bookmarks location; images not reproduced]

Figure 4.4 shows a screenshot of the bookmarks folder.

[Figure 4.4: bookmarks folder; image not reproduced]

4.5 Visited URLs

The visited URLs are a form of metadata that reveals which URLs the user browsed. They do not show the actual content of the web pages, but are still valuable information for forensic investigators. The URLs are stored within the database file we covered in section 4.1. The following screenshot (see figure 4.5) gives an impression of these artefacts. Some columns, which hold date and time information useful for creating timelines, are not shown:

[Figure 4.5: visited URLs container; image not reproduced]

4.6 Download history

Download history is also found in the database file we covered in section 4.1. The container name is ‘iedownload’. There are multiple containers under that name, but it is container ID 17 on our system (see figure 4.6). The values are hex encoded and thus need to be converted to readable ASCII text (see appendix B for a more detailed overview). The downloads are temporarily stored in the cache location we covered in section 4.2. When the download is completed, it is no longer to be found there, as it is then moved to the download folder.

[Figure 4.6: iedownload container; image not reproduced]

4.7 Web Notes

Interestingly, Project Spartan stores its Web Notes in the bookmarks folder as well (see figure 4.7):

[Figure 4.7: Web Notes in the bookmarks folder; images not reproduced]

4.8 Cortana

Project Spartan uses Bing as its search engine for Cortana search queries. This is an experimental feature that was not yet available in our country (the Netherlands), so we used an OpenVPN [5] connection to the US to test this new feature. Spartan stores its search queries inside the database file we covered in section 4.1. The container name is ‘DependencyEntry 5’ (see figure 4.9).

[Figure 4.9: Cortana search queries; image not reproduced]

4.9 Reading list

The reading list is stored inside a separate database, again separate for each user. We added a web page to the reading list, which could then be found inside the database when we opened it with ESEDatabaseView (see figure 4.10).

[Figure 4.10: reading list database; image not reproduced]

4.10 Tiles

Tiles have been available since Windows 8 and can be modified. This feature is included in Project Spartan as well. It consists of fonts, colours and interface elements for applications. The tiles are not stored in the ESE database but can be found on the disk. They are located at:

[Screenshot: tiles location; image not reproduced]

4.11 Private browsing

For analysing artefacts of InPrivate browsing, we needed to upgrade our system to a newer version of Windows 10 (build 10122), which shipped the new Spartan browser that supported InPrivate browsing. In order to retrieve the InPrivate pages visited, we used a tool created by Chivers named ESECarve. This tool was intended to retrieve InPrivate browsing artefacts from the IE 10 browser. Because the software is not compatible with Windows 10, it was necessary to move the folder containing the database files (.chk, .log and WebCacheV01.dat) to an earlier version of Windows. We were able to recover Project Spartan InPrivate pages on Windows 7 with the ESECarve tool (see figure 4.11).

The life cycle of InPrivate logs described in [6] was verified with Project Spartan. Indeed, the InPrivate history could be recovered from the same session with ESEDatabaseView (see figure 4.12), but as soon as we cleared the cache and restarted the browser these entries disappeared from the container. However, the entries were recovered using the ESECarve tool, which uses the .log and .chk files to recover information about the InPrivate browsing.

[Screenshot not reproduced]

4.12 Features not (yet) integrated in Project Spartan

The version of Project Spartan available in the latest Windows 10 build (10122) does not include all the features that should be present in a browser. New features are expected, such as password storage or extension support. IThome [2] published leaked screenshots of an unreleased build of Windows 10 (10123).

These screenshots show new features implemented in Project Spartan such as:

Credential storage: as yet, Project Spartan does not enable users to store their credentials when they log in to a website.

Forms storage: as yet, Project Spartan does not enable users to store form data when they fill in a form.

New features in Cortana: current features, such as Cortana, may change over time or gain new features, which is also interesting for future research. These features could not be investigated as the 10123 build was not available at the time of writing.

Other potential features that are currently not part of Project Spartan:

Synchronisation: popular browsers currently offer synchronisation of passwords, bookmarks and the like. It would not be far-fetched to expect Microsoft to implement such a feature in later development versions of Project Spartan, or in final versions of Edge.

Results

This section presents the results of our investigation of the Project Spartan browser. First, the similarities and differences found between Project Spartan and IE v10+ are described. This is followed by a description of the automated tool created to find the missing artefacts that are not documented in the ESE database.

5.1 Project Spartan vs. Internet Explorer (similarities and differences)

The investigation performed in this research highlighted the Project Spartan artefacts. This section compares the artefacts found in Project Spartan with those of the latest versions of IE. This comparison is made because the artefacts created by the two browsers are extremely similar. At the time of writing not all the features of Project Spartan are available, so it is difficult to deduce all the similarities and differences.

First of all, it is worth mentioning that the back end of Project Spartan is very similar to IE v10+. They both use the same database engine, the ESE database, to store information about user activity and to provide a way of recovering from software crashes. It is understandable that these two browsers use the same database engine, as the ESE database is the core storage of many Windows components such as Microsoft Exchange Server, Active Directory and Desktop Search. As a result, the structure of the Project Spartan database is also very similar to that of IE v10+. This allows most of the software created to find artefacts in the ESE database to work with Project Spartan, although some tweaks are needed to make it work on Windows 10.

However, new features have been introduced with Project Spartan. These features introduce new artefacts that can be of considerable importance in forensic investigations. The new features have been documented in Chapter 4. As an example, the information stored by Cortana can be valuable for an investigator, as it stores the values that are searched using the engine. In this database, suggestions made to the user by the engine (based on their profile) are also stored. Other new features such as the reading list or the Web Notes are likely to be of great interest to an investigator.

To conclude, the structure of Project Spartan is in the end similar to the latest versions of IE. New artefacts have appeared, as the browser offers features that were not implemented in IE. These artefacts have been documented, and the following section presents a proof of concept that gathers the artefacts not found in the ESE database.

5.2 Automated tool

Not all the artefacts are stored in the ESE database, which is why the authors created a proof of concept able to retrieve the missing artefacts. The script does not retrieve the artefacts present in the database, as that database can be read with ESEDatabaseView or with the ESECarve tool. The goal was not to reinvent the wheel but to complement the tools already present in the open source community.

This tool (named SpartanLeftovers) can be run alongside ESECarve to retrieve the most valuable artefacts from the Project Spartan browser. The script is written in PowerShell 3.0 and allows an investigator to easily summarise the locations of the missing artefacts in clear and readable CSV format. SpartanLeftovers is open source and available in appendix C. The artefacts that are targeted are the favourites, the web notes, the stored tiles and the last unexpectedly closed tabs. Figure 5.1 shows an output of the script. The script lists all the files present in the related directories with their path, creation time, last accessed time, last modification time, owner of the file, attributes and size. From a forensic standpoint the tool can be run on a mounted disk and does not write to the targeted disk. It was decided not to open and carve the files, in order not to change their last-access times; this is why the tool only provides the locations of the files.

The following figure shows the hash difference created using FTK:

[Screenshot: FTK hash comparison; image not reproduced]

It is, however, advisable to use a write blocker so that connecting the disk to the forensic station does not alter the disk image and thus the hash.
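The listing approach described for SpartanLeftovers above, as an added example that is not the authors' script (their PowerShell source is only available as the screenshots in Appendix C): a Python equivalent that walks a set of artefact folders and writes the same columns (path, creation, last-access and modification times, owner, attributes, size) to CSV, using only lstat() so that no file is ever opened and no last-access time is changed. The folder names and files created by build_sample_tree() are constructed placeholders, not the real Project Spartan paths; on a mounted image you would pass list_artefacts() the folders the paper lists instead, and check_atime_preserved() shows how to prove the "read metadata only" property to yourself.

```python
"""List artefact files by metadata only, without opening them (added example)."""
import csv
import datetime as dt
import io
import os
import stat
import tempfile
from pathlib import Path

CSV_FIELDS = ["artefact", "path", "created", "accessed", "modified",
              "owner", "attributes", "size"]


def _iso(ts: float) -> str:
    """POSIX timestamp -> ISO-8601 UTC string, convenient for timelines."""
    return dt.datetime.fromtimestamp(ts, dt.timezone.utc).isoformat()


def _owner(path: Path) -> str:
    try:
        return path.owner()             # POSIX only; Windows needs Get-Acl/pywin32
    except (NotImplementedError, KeyError, OSError):
        return "n/a"


def _attributes(st: os.stat_result) -> str:
    attrs = getattr(st, "st_file_attributes", None)   # only present on Windows
    if attrs is not None:
        return "0x%08x" % attrs
    return stat.filemode(st.st_mode)                  # e.g. -rw-r--r-- elsewhere


def list_artefacts(targets):
    """targets: iterable of (label, directory). Returns one dict per file.

    Only lstat() is used: it reads the directory entry / MFT record and never
    opens the file, so the file's own last-access time is left as found.
    """
    rows = []
    for label, directory in targets:
        root = Path(directory)
        if not root.is_dir():
            continue                      # artefact folder absent on this image
        for path in sorted(p for p in root.rglob("*") if p.is_file()):
            st = path.lstat()
            rows.append({
                "artefact": label,
                "path": str(path),
                # st_birthtime where the platform has it; st_ctime is the
                # creation time on Windows but the inode change time on Linux.
                "created": _iso(getattr(st, "st_birthtime", st.st_ctime)),
                "accessed": _iso(st.st_atime),
                "modified": _iso(st.st_mtime),
                "owner": _owner(path),
                "attributes": _attributes(st),
                "size": st.st_size,
            })
    return rows


def rows_to_csv(rows) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_sample_tree(base: Path):
    """Constructed stand-in for the artefact folders; names are placeholders."""
    layout = {
        "favourites": ["Forensic Focus.url", "OS3.url"],
        "webnotes": ["note-001.png"],
        "tiles": ["tile-150.png"],
        "closedtabs": ["recovery.dat"],
    }
    targets = []
    for label, names in layout.items():
        folder = base / label
        folder.mkdir(parents=True, exist_ok=True)
        for name in names:
            (folder / name).write_bytes(b"\x00" * 16)
        targets.append((label, str(folder)))
    return targets


def check_atime_preserved() -> bool:
    """Self-check: listing must leave every file's access time untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        targets = build_sample_tree(Path(tmp))
        files = [p for _, d in targets for p in Path(d).rglob("*") if p.is_file()]
        before = [p.lstat().st_atime_ns for p in files]
        rows = list_artefacts(targets)
        after = [p.lstat().st_atime_ns for p in files]
        return before == after and len(rows) == len(files)


def demo() -> str:
    """Run the listing over the constructed tree and return the CSV text."""
    with tempfile.TemporaryDirectory() as tmp:
        return rows_to_csv(list_artefacts(build_sample_tree(Path(tmp))))


if __name__ == "__main__":
    print(demo())
```

Hashing the image before and after the run, as the paper does with FTK, remains the way to show that nothing was written; the self-check only covers the access times of the listed files.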

[Screenshot not reproduced]

Conclusion

Currently, the way in which and the location where Project Spartan stores its artefacts are very similar to previous versions of Internet Explorer. The browser relies heavily on the ESE database structure, so current ways of collecting artefacts do not become much harder. Most artefacts of the features present in the current development builds of Project Spartan have been analysed, and we suspect that current forensic toolkits that harvest artefacts of IE will not need to drastically alter their harvesting techniques to also gather artefacts from Project Spartan. Toolkit developers are advised to use the path locations specified in this paper to acquire the artefacts of Project Spartan. New features such as the Web Notes or the Cortana integration can also give insight into the digital footprint a user leaves on a system; these should be added to existing forensic toolkits as well. It should be noted that Project Spartan is still in development and artefacts may change over time (see chapter 7 for more on future work considerations).

The authors also developed a tool which gathers some of the analysed information in an automated way. The tool is open source and has been designed for forensic and research purposes. It provides a way of recovering the artefacts left behind by the Project Spartan browser that are not stored in the ESE database and/or that cannot be retrieved with the ESECarve tool developed by Chivers. The source code (Appendix C) is open to any improvements.

Future work

This research outlines some new artefacts that can be gathered within the current development versions of Project Spartan. However, there are a couple of elements to be considered for future work.

This research should be reviewed whenever Microsoft releases a final and stable version of Edge, as it only covered the development versions of Project Spartan. The current features analysed during this research may change over time, and new features might be added in the future, as we already outlined in section 4.12. Features like a credential manager, forms storage and synchronisation across connected devices would be very interesting subjects for research once they have been implemented.

Currently, the ESE database structure has not been extensively researched, and it also differs per implementation that uses it, such as IE, Exchange and now Project Spartan. Also, as InPrivate (private browsing) artefacts can still be harvested from the ESE database, it would be good to see whether Microsoft fixes this, and to repeat a project similar to that of Chivers [6] to see if these artefacts can still be harvested. The question also arises whether this possibility to harvest such information, given the right forensic skills, was left in place intentionally for forensic purposes.

Bibliography

[1] Extensible Storage Engine. Microsoft Developer Network, 2012.
[2] Exclusive broke the news: Win10 preview version 10123, Edge browser new change. IT House Original, 2015.
[3] Forensically interesting spots in the Windows 7, Vista and XP file system and registry. Irongeek, 2015.
[4] IE PassView. NirSoft, 2015.
[5] OpenVPN. OpenVPN Technologies, Inc., 2015.
[6] Howard Chivers. Private browsing: A window of forensic opportunity. 2013.
[7] Jens Lorenz. Notepad++ Plugins – Browse Files at SourceForge.net. http://sourceforge.net/projects/npp-plugins/files/, 2015.
[8] Bonnie Malmström and Philip Teveldal. Forensic analysis of the ESE database in Internet Explorer 10. 2013.
[9] Joachim Metz. Extensible Storage Engine (ESE) Database File (EDB) format specification. 2010.
[10] Nir Sofer. ESEDatabaseView – View/Open ESE Database Files (Jet Blue/.edb files). http://www.nirsoft.net/util/ese_database_view.html, 2015.
[11] Junghoon Oh, Seungbong Lee, and Sangjin Lee. Advanced evidence collection and analysis of web browser activity. Digital Investigation, 8:S62–S70, 2011.
[12] Huwida Said, Noora Al Mutawa, Ibtesam Al Awadhi, and Mario Guimaraes. Forensic analysis of private browsing artifacts. In Innovations in Information Technology (IIT), 2011 International Conference, pages 197–202. IEEE, 2011.
[13] Jason Weber. Project Spartan and the Windows 10 January preview build. Microsoft IE, 2015.

Appendix A

Spartan’s WebCache database

As mentioned previously, Microsoft Project Spartan uses the same Extensible Storage Engine (ESE) database structure as previous versions of IE. The IE 10 ESE database structure has been researched in depth by Malmström and Teveldal[8]. When opening this file with a hex editor, we can see that this version still uses the same format that previous versions use:

This can be verified by analysing the database with esentutl, which is installed by default on every Windows system. Note that the database uses little-endian byte order, so when comparing with a hex dump, every multi-byte field needs to be read in reverse byte order. For example, the page size field reads 0x00800000 when its bytes are taken in the order they appear in the dump; read as little-endian this is 0x00008000, which is 32768 in decimal, so each page is 32768 bytes, or 32 KiB. Every page therefore starts at a 32 KiB increment, which is offset 0x8000 when exploring in a hex dump. If we go to this offset, we can see the start of the first page. The second starts at 64 KiB (0x10000), and so on.
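As an added example (not code from the paper), the following Python reads the page size from an ESE file header the way the hex dump comparison above requires, shows the value a byte-order mistake produces, and computes page offsets from the result; the signature value and the field offset 236 are assumptions taken from the libesedb format specification [9], and the header bytes are constructed.

```python
import struct

# Assumed from the libesedb specification (ref [9]), not stated in the paper:
# the file signature sits at offset 4 and the 32-bit page size at offset 236.
ESE_SIGNATURE = 0x89ABCDEF
SIGNATURE_OFFSET = 4
PAGE_SIZE_OFFSET = 236


def read_page_size(header: bytes) -> int:
    """Return the page size stored in an ESE file header, read little-endian."""
    if len(header) < PAGE_SIZE_OFFSET + 4:
        raise ValueError("header too short to contain a page size field")
    (signature,) = struct.unpack_from("<I", header, SIGNATURE_OFFSET)
    if signature != ESE_SIGNATURE:
        raise ValueError("not an ESE database header (signature 0x%08X)" % signature)
    (page_size,) = struct.unpack_from("<I", header, PAGE_SIZE_OFFSET)
    # Sanity check: page sizes are powers of two in the kilobyte range (range
    # assumed); anything else means the bytes were misread or the header is damaged.
    if page_size < 2048 or page_size > 32768 or page_size & (page_size - 1):
        raise ValueError("implausible page size %d" % page_size)
    return page_size


def misread_big_endian(header: bytes) -> int:
    """The value obtained by reading the same four bytes in dump order
    (big-endian): the 0x00800000 one sees at first glance in the hex editor."""
    (value,) = struct.unpack_from(">I", header, PAGE_SIZE_OFFSET)
    return value


def page_offset(index: int, page_size: int) -> int:
    """Byte offset of the block with the given index, counting the header block
    at offset 0 as index 0; the appendix's 'first page' is index 1 at 0x8000."""
    if index < 0:
        raise ValueError("index must not be negative")
    return index * page_size


def block_count(file_size: int, page_size: int) -> int:
    """Number of page-sized blocks in a file; a remainder indicates truncation."""
    if file_size % page_size:
        raise ValueError("file size is not a multiple of the page size")
    return file_size // page_size


# Constructed sample header: all zeros except the signature and a 32 KiB page
# size written little-endian, i.e. the bytes 00 80 00 00 seen in the dump.
_buf = bytearray(256)
struct.pack_into("<I", _buf, SIGNATURE_OFFSET, ESE_SIGNATURE)
_buf[PAGE_SIZE_OFFSET:PAGE_SIZE_OFFSET + 4] = b"\x00\x80\x00\x00"
SAMPLE_HEADER = bytes(_buf)

if __name__ == "__main__":
    size = read_page_size(SAMPLE_HEADER)
    print("misread in dump order: 0x%08X" % misread_big_endian(SAMPLE_HEADER))
    print("page size: 0x%08X = %d bytes (%d KiB)" % (size, size, size // 1024))
    for n in (1, 2, 3):
        print("page %d starts at offset 0x%X" % (n, page_offset(n, size)))
```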

Appendix B

Download history

The download history is part of the ESE database. This is an example of :

If one were to convert this directly to ASCII, one would get text similar to this:

This is not very helpful yet, as some characters cannot be converted to ASCII. If one omits all the unconvertible characters (shown here as question marks), one gets the following text:

One can derive from this string that Piriform Recuva was downloaded from filehippo.com with Project Spartan.

Appendix C

Powershell script

You can contact the authors at james.gratchoff@os3.nl (James Gratchoff) and guido.kroon@os3.nl (Guido Kroon). Download a PDF version of the original paper here.

Edit: you can now also download an adapted script that works with Microsoft Edge here (ps1 file).



SADFE 2015 – Malaga 30th September – 2nd October


From the 30th of September until the 2nd of October 2015, Forensic Focus will be attending the 10th International Conference on Systematic Approaches to Digital Forensic Engineering (SADFE) in Malaga, Spain. If there are any topics you’d specifically like us to cover, or any speakers you think we should interview, please let us know in the comments.

This is the first time that SADFE will take place in Europe, and the conference will focus on several aspects affecting the digital forensics community, including positing an Open Source Forensic Toolkit, to develop a common framework which would integrate different forensic tools.

Below is an overview of the speakers and subjects that will be featured at SADFE.

Wednesday 31st September 

Following the registration and welcome, the programme on day one will begin with a keynote from Michael M. Losavio concerning issues of foundation and ethics in digital forensics. After this there will be a variety of talks discussing tools, experiences and other areas relating to forensics, including similarity hashing, adjacency measures for reassembling text files, and chip-off matter subtraction.

After lunch a group of speakers will provide an evaluation of twelve years’ worth of police cases in Dubai, focusing on the factors that influence digital forensic investigations.

Program Logic Change forensics will be the next subject of discussion, including the use of PLC debugging tools when investigating SCADA systems.

The afternoon sessions will be focused around mobile forensics, with Paulo De Souza and Pavel Gladyshev presenting a paper on the dynamic extraction of data types in Android’s Dalvik virtual machine, followed by Yu Cho Kong discussing how to extract data from MTK-based Android phones.

There will then be a presentation and discussion of the open source initiative mentioned above, followed by a welcome reception.

Thursday 1st October

The first session of the morning will involve a panel discussion about future challenges for law enforcement – specifically, government agencies and security forces – in the digital forensics field. Panel members from the Dubai Police, the UK Competition & Markets Authority, and the National Police of the Netherlands will be present.

The majority of the day on Thursday will be taken up with presentations and discussions of forensic tools. These will include audio forensics for instant messaging, behaviour analysis of cyberlocker link sharers, and open forensic devices. There will also be a discussion on legal and ethical perspectives about event data recorders.

Two forensic platforms will then be presented: Uforia, by Arnim Ejikhoudt, Adrie Stander and Sijmen Vos; and The Evidence Project, which aims to bridge the gap in the exchange of digital evidence across Europe.

Following a further discussion around the Open Source Toolkit initiative, a gala dinner will then be held in the Restaurante Montana.

Friday 2nd October

The final day of the conference will begin with a keynote (speaker TBA), followed by two sessions on web forensics. These will include a case study of forensic acquisition of online metaverse IMVU, and another about the forensic analysis of BitTorrent-powered browsers.

The afternoon sessions come under the heading ‘Analysis and Reasoning’ and include a presentation on the use of ontologies in forensic analysis of smartphones, followed by an empirical study on current models for reasoning about digital evidence.

The latter half of the afternoon will largely be devoted to planning the Open Source Toolkit initiative, followed by a conference recap and farewell. The Friday evening social programme will begin at 5pm and will include a private guided visit to the La Concepción Botanic-Historic Gardens nearby.

Forensic Focus will be in attendance throughout the conference, and you can see the full programme and book tickets here. If there are any topics you would particularly like to see covered in-depth, or if there are any speakers you would like to see interviewed, please leave a comment below or email scar@forensicfocus.com with suggestions.


Investigating and Prosecuting Cyber Crime: Forensic Dependencies and Barriers to Justice


Abstract

The primary goal of this paper is to raise awareness regarding legal loopholes and enabling technologies, which facilitate acts of cyber crime. In perusing these avenues of inquiry, the author seeks to identify systemic impediments which obstruct police investigations, prosecutions, and digital forensics interrogations. Existing academic research on this topic has tended to highlight theoretical perspectives when attempting to explain technology aided crime, rather than presenting practical insights from those actually tasked with working cyber crime cases. The author offers a grounded, pragmatic approach based on the in-depth experience gained serving with police task-forces, government agencies, private sector, and international organizations. The secondary objective of this research encourages policy makers to reevaluate strategies for combating the ubiquitous and evolving threat posed by cybercriminality. Research in this paper has been guided by the firsthand global accounts via the author’s core involvement in the preparation of the Comprehensive Study on Cybercrime (United Nations Office on Drugs and Crime, 2013) and is keenly focused on core issues of concern, as voiced by the international community. Further, a fictional case study is used as a vehicle to stimulate thinking and exemplify key points of reference. In this way, the author invites the reader to contemplate the reality of a cyber crime inquiry and the practical limits of the criminal justice process.

Introduction

With escalations in reports of serious cyber crime, one would expect to see a corresponding increase in conviction rates (Broadhurst, Grabosky, Alazab, Chon, 2014; Kaspersky Lab, 2015; Ponemon Institute, 2015). However, this has not been the case with many investigations and prosecutions failing to get off the ground (Frolova, 2011; Onyshikiv & Bondarev, 2012; Zavrsnik, 2010). The chief causes of this outcome may be attributed to trans-jurisdictional barriers, subterfuge, and the inability of key stakeholders in criminal justice systems to grasp fundamental aspects of technology aided crime. In the same way that science influences the utility of forensic inquiry, the capacity of investigators, prosecutors, judges and jurors to understand illicit use of technology also directly impacts conviction rates (Dubord, 2008; Leibolt, 2010). The ease with which cyber crime crosses national borders, irreconcilable differences between national legal frameworks, and deceptions employed by cyber criminals impedes attribution, and prevents crime fighters from interrogating suspects and apprehending offenders.

Cyber crime offending can be technically complex and legally intricate. Rapid advancements in the functionality of information communication technologies (ICTs) and innate disparities between systems of law globally are stark challenges for first responders, investigating authorities, forensic interrogators, prosecuting agencies, and administrators of criminal justice. It is critically important to explore factors impeding investigation and prosecution of cyber crime offending to raise awareness and expose these barriers to justice. This paper examines criminal justice responses to cyber crime under the common law model. The capacity of criminal justice actors to perform their core function is analyzed and discussed. The author contends that the investigation and prosecution of cyber crime offending, including forensic services in support of inquiries, is hampered by a confluence of factors that influence the criminal justice process. This thesis is illustrated with aid of a case study examining the criminal justice lifecycle throughout a cyber crime inquiry. Based on notorious instances of cyber crime offending, Mary’s Case charts the initial commission of criminal activity through until the ultimate determination of culpability at trial.

This paper proposes a practical definition of cyber crime, which is linked to the impact of technology on modes of criminal offending. Victimology and impediments to cyber crime reporting are outlined. The common law model of criminal justice is surveyed, with a focus on the effect of both law and technology on policing cyber crime globally. Investigative techniques and operational challenges are discussed in detail. Evidentiary issues surrounding collection and presentation of electronically stored information (ESI) in criminal trials are evaluated. The key elements that coalesce to constitute serious criminal offending are deduced and contrasted with defenses to criminal capacity and culpability. The author also highlights issues concerning evidence admissibility, roles performed by lawyers, experts, and adjudicators during legal proceedings, and the media’s influence upon public perceptions of forensic science. Finally, recommendations for removing barriers to the effectiveness of cyber crime inquiry are considered, including new strategies for streamlining the administration of criminal justice.

The complete article is freely available at: http://www.cybercrimejournal.com/Brown2015vol9issue1.pdf


The Future of Mobile Forensics: November 2015 Follow-Up


by Oleg Afonin, Danil Nikolaev, Yuri Gubanov

Mobile forensics is a moving target. In our recent article, “The Future of Mobile Forensics”, we described acquisition techniques that were state of the art at the time. Weeks later, some things had already changed. Three months after publication, a lot has changed. Our article was published on Forensic Focus and discussed in online forums, with readers pointing to certain inaccuracies. In this follow-up, we use up-to-date information to address the issues raised about the original article.

iOS 8.4 Forensics

Little changed in iOS 8.x forensics since publishing our original article. Some advances have been made though. iOS 8.4 was successfully jailbroken by the TaiG team (http://www.taig.com/en/), and physical acquisition is once again available for jailbroken 32-bit iOS devices (e.g. with Elcomsoft iOS Forensic Toolkit). However, 64-bit Apple hardware (including iPad mini Retina, iPhone 5s and all newer models) successfully resists physical acquisition attempts. Full-disk encryption still rules out chip-off, and there were never JTAG ports in Apple hardware. Unallocated space is still not recoverable as iOS does not keep decryption keys for unallocated areas.

One of our readers drew our attention to an acquisition method often referred to as “Advanced Logical”. Besides physical acquisition, this was the only method allowing a user to extract mail. As far as we know, Apple shut the door to advanced logical acquisition in iOS 8.3, so only older devices remain susceptible to this method. Since Apple does not publish a detailed iOS version breakdown (counting iOS 8 in general without giving any insight into how many users switched to the latest release), we do not know what percentage of devices running iOS 8 is still susceptible to advanced logical acquisition.

Apple constantly tweaks iCloud security, making adjustments to lifespan of binary authentication tokens that can be used by experts instead of the user’s login and password (and bypassing two-factor authentication).

iOS 9 Forensics

The latest version of iOS is a hot topic in the world of mobile forensics. With as many as 61% of eligible iOS devices running the latest version of the OS by the 19th of October 2015, iOS 9 is a major concern to the forensic crowd.

The share of Apple devices running iOS 9 has reached 61% and is growing [source]

Featuring a so-called “rootless” security system, the new generation of Apple’s mobile OS integrated a number of techniques to constrain security research. While this did not stop the Pangu team from releasing a working jailbreak (http://www.downloadpangu.org/pangu-9-download.html), the existence of this exploit changed little in the way of acquisition. So let’s recap which acquisition options are available for iOS 9 devices.

Physical acquisition

For devices running iOS 9, physical acquisition remains a limited theoretical possibility. While 64-bit devices (iPhone 5S and newer, iPad mini 2 and newer) are out of the question, even 32-bit devices running iOS 9 remain resistant to existing methods of physical acquisition – even if they are unlocked and jailbroken. As such, no existing forensic tools can do physical acquisition of *any* iOS 9 device regardless of jailbreak status and architecture.

Status: physical acquisition is currently unavailable for all iOS 9 devices. This may change in the future, as physical acquisition of 32-bit devices remains a theoretical possibility.

Advanced logical acquisition

Nope. Advanced logical acquisition does not work on iOS 9 devices. And, unfortunately for us all, it is very unlikely that it is going to work later.

Logical acquisition

Logical acquisition remains available via the usual routine. Apple changed the format and encryption used in iTunes backups, so you will need to update whatever forensic software you are using to the latest version in order to gain iOS 9 support.

Products such as Belkasoft Evidence Center support analysis of iTunes backups of devices running iOS 9 (as well as Android, BlackBerry and Windows Phone devices). This product finds and analyzes data from several dozen iOS applications, including both the most common and some of the newest apps: Skype, Viber, WhatsApp, Kik, WeChat, Whisper, FireChat, MeetMe, Tinder, ooVoo, MeowChat, and many more.

Over-the-air acquisition

Things get tricky when we speak about cloud acquisition of iOS 9 devices. Apple changed a lot of things in iOS 9 when it comes to cloud backups. There is a new data format, and there is a different type of encryption used. The biggest change, however, is the location of the cloud backup. Previously stored in Apple iCloud, iOS 9 backups are now saved into iCloud Drive, a cloud service with very different internal mechanics.

At this time most forensic software manufacturers have yet to adjust their products to be able to acquire iOS 9 data from iCloud Drive. One of the tools that is already capable of this is the recently released Elcomsoft Phone Breaker version 5.0. It is worth noting that binary authentication tokens continue to work in their usual fashion, allowing you to bypass two-factor authentication if you happen to have a non-expired token.

Android Forensics

There have been few advances in this area. A recent vulnerability report by Check Point introduces a backdoor allowing experts to acquire some Android devices remotely. One of our readers noted that bootloader-level exploits are available for many Android models and used by Cellebrite in their acquisition tools to dump the content of Android devices without rooting the phone.

Certifi-Gate

A major security vulnerability was discovered in Android by Check Point Software Technologies and revealed at Black Hat in Las Vegas. Dubbed Certifi-Gate, the vulnerability exists on millions of devices such as those manufactured by LG, Samsung, HTC, and ZTE, allowing attackers to gain total control over affected devices remotely. The vulnerability exists in remote support tools pre-installed by some manufacturers on Android handsets in order to help users solve problems with their devices remotely. These tools include TeamViewer, MobileSupport (by Rsupport) and CommuniTake Remote Care. Apparently, a vulnerability exists in these tools allowing an attacker to use their security certificate to take over an Android device.

There is no way for the end user to revoke or invalidate the certificates. Waiting for a patch or uninstalling affected tools is the only protection method, and even that may leave behind a vulnerable certificate. Check Point estimates several million devices to be affected by this vulnerability.

At this time, we are not aware of any forensic tool that is able to exploit this vulnerability to gain access to Android devices. We do not know if it is even feasible to exploit this vulnerability to gain such access.

Stagefright and Stagefright 2.0

This famous security vulnerability has potential, yet the possibility of its forensic use for the purpose of gaining access to the phone’s data partition is questionable. So far, no forensic solutions that use this exploit exist.

Bootloader Exploit

Most Android devices sold by reputable vendors (including Samsung, LG, SONY, HTC, ASUS and many others) feature permanently locked bootloaders to protect devices against booting unsigned code. Physical acquisition options for bootloader-locked devices are limited, especially in the latest versions of Android. On many devices, even temporarily rooting the device requires an unlocked bootloader as a prerequisite.

One of our readers pointed out that a bootloader-level exploit exists for many devices, and is successfully implemented by Cellebrite in its acquisition kit. Cellebrite UFED can boot some locked devices with an unsigned, patched boot image to allow extraction of a device image.

The exploit exists in many devices based on the Qualcomm reference platform and using Qualcomm reference software. As a result, devices using an affected kernel can be booted with a patched kernel image without proper security verification.

Cellebrite were able to exploit this vulnerability to boot many affected models with their own patched kernels. This is not an easy task since a unique kernel had to be built for each individual device. Several hundred models are reported to be affected by this vulnerability.

If available for a given device, a bootloader attack is arguably the most forensically sound acquisition method available. Since booting an external image does not write anything to the device nor change any part of the system image, it is able to consistently extract unmodified images of the device that will persistently pass hash checks. Alternative physical acquisition methods work by acquiring root privileges and installing acquisition agents onto devices being acquired, which inevitably alters the content of the device.

Bootloader exploits are device specific. Cellebrite claims support for most Motorola Android devices, selected Samsung, Qualcomm, LG GSM and CDMA devices based on Qualcomm chipsets. Caution is required when using bootloader exploits as some devices are known to wipe data partition when booting a custom image.

Custom Recoveries

We have been asked whether a custom recovery such as TWRP or CWM can be used to boot the phone (tethered boot) and pull data partition. While this can be technically possible, particularly on devices with unlocked bootloaders or having a known bootloader exploit, booting a custom (read: unsigned) recovery can (and, in fact, does) trigger the phone’s protection mode, causing the device to wipe the content of the data partition immediately upon booting into recovery and without giving any sort of advance warning. For this reason, we cannot recommend custom recoveries as a viable forensic acquisition method.

Windows Phone 8 Forensics

With Windows 10 Mobile coming soon and considering the small market niche occupied by Windows Phone devices in general, Windows Phone 8 is becoming a white elephant. However, developments have been made to Windows Phone acquisition as well. We have the following data to add to our previous publication.

Windows Phone 8/8.1 Encryption Explained

When mentioning Windows Phone acquisition, we have to talk about JTAG and chip-off acquisition. Since most Windows Phones are consumer devices, their content is not encrypted, and JTAG works properly. However, we have been contacted by a customer who claimed that they had an encrypted Windows Phone device, and asked for help.

Windows Phone 8 and 8.1 do not have an option for the end user to control encryption of Windows Phone 8.x smartphones. Instead, encryption can be enabled or disabled by a group policy specified by the administrator of the corporate MDM (Microsoft Mobile Device Manager). If encryption is triggered by an MDM policy, the device will automatically encrypt the content of the user partition with BitLocker. As a result, JTAG and chip-off will not return a decryptable image.

What about BitLocker escrow keys? According to Microsoft, the Windows Phone 8 OS does not come with the provision of maintaining escrow keys outside of the device (unlike desktop versions of Windows featuring downloadable BitLocker Recovery Keys). Since private users cannot manually activate encryption in Windows Phone 8, the usual approach of grabbing escrow keys from https://onedrive.live.com/recoverykey will not work for Windows Phone devices.

So what happens when one tries to acquire a Lumia phone on which BitLocker encryption has been enabled through corporate device policies (consumer devices are not encrypted)? While one can technically make Windows Phone ask for a BitLocker recovery key at some stage (e.g. http://www.windowscentral.com/bitlocker-cyan-update-problems-windows-phones), the escrow key itself is never created, saved, or uploaded anywhere.

Windows Phone Bootloader Exploit

As suggested by a reader, an additional acquisition option is available for select Windows Phone devices. Some popular Windows Phone 8 devices such as the Nokia Lumia 520 are susceptible to a bootloader exploit that enables physical acquisition of said devices. Cellebrite’s UFED is able to perform physical acquisition of select Windows Phone devices. Unencrypted images acquired via this method contain full raw dumps of the phone’s storage. Supported Windows Phone 8 devices can be dumped with Cellebrite UFED via a USB cable.

Belkasoft Evidence Center fully supports analysis of UFED images. The product will automatically analyze the image, locating and laying out for you its contents: calls and messages, chat and messenger apps, email boxes, payment system apps, and so on.

Windows 8/8.1/10 and BitLocker

We were asked about ways to recover BitLocker escrow keys from the corporate MBAM (Microsoft BitLocker Administration and Monitoring). If a corporate account was used on a certain Windows computer, and the company maintains an MBAM to manage BitLocker keys, the first thing to verify is whether the MBAM had a policy of not using escrow keys (https://technet.microsoft.com/en-us/library/dn145038.aspx). To access BitLocker escrow keys, experts can follow the steps described in Microsoft documentation: https://technet.microsoft.com/en-us/library/dn656917.aspx

BlackBerry 10 Forensics

In our original article, we wrote that BlackBerry’s only reason for existence was its exemplary security model. Full-disk encryption, non-bypassable PIN lock and securely locked bootloader all contributed to its security model, rendering JTAG and chip-off acquisition attempts useless.

Immediately after publishing the article we started receiving comments from mobile forensic experts who successfully performed JTAG acquisition of new-generation BlackBerries running BlackBerry OS 10, including Q10 and Z10 handsets. Apparently, there was no encryption to be found anywhere on those devices.

We stand corrected. BlackBerry OS 10 does not activate encryption by default. The user (or the administrator of the corporate BlackBerry Enterprise Server, BES) has to explicitly activate encryption on each device. If it is not enabled, the user partition will be stored in plain, unencrypted form. We have been only working with BlackBerry phones coming from corporate headquarters, and never experienced a BlackBerry phone seized from a private owner. From our experience, there are very few BlackBerry 10 devices sold to private customers, and we have never encountered one “in the wild”.

Conclusion

As we can see, mobile forensics is indeed a rapidly moving target. The latest version of iOS remained unjailbreakable for much too long, only to be finally jailbroken days after we finished our report. Windows Phone can surprisingly be encrypted with desktop-like BitLocker even though there is no trace of such an option anywhere in the phone settings. BlackBerry 10 does not enable encryption by default (who could have thought?), while a newly discovered vulnerability makes millions of Android handsets susceptible to a remote hack. Developers of forensic tools explore new opportunities and add non-obvious acquisition methods, even if for a limited range of handsets. The world is moving so fast these days…

© Belkasoft Research, research@belkasoft.com

The Tool

Whenever you have a mobile device backup, dump or image, our Evidence Center will help you quickly find a few hundred different types of forensically important artifacts, such as mails and calls, chat messages and SMSes, pictures and payment histories. Its powerful SQLite viewer will recover deleted items from freelists, journal files and database unallocated space.

Evidence Center does the same quality job with computer and laptop drives or images, which makes it a truly versatile tool, able to ease digital investigation for both computer and mobile forensics.

You can request a free full trial license at http://belkasoft.com/trial.

About the authors

Oleg Afonin is Belkasoft sales and marketing manager. He is an author, expert, and consultant in computer forensics.

Danil Nikolaev is Belkasoft sales and marketing manager, co-author, and content manager.

Yuri Gubanov is a renowned digital forensics expert. He is a frequent speaker at industry-known conferences such as CEIC, HTCIA, TechnoSecurity, FT-Day and others. Yuri is the Founder and CEO of Belkasoft, the manufacturer of digital forensic software empowering police departments in about 70 countries. With years of experience in digital forensics and security domain, Yuri led forensic training courses for multiple law enforcement departments in several countries. You can add Yuri Gubanov to your LinkedIn network at http://linkedin.com/in/yurigubanov.

Contacting the authors

You can contact the authors via email: research@belkasoft.com
Follow Belkasoft on Twitter: https://twitter.com/Belkasoft
Subscribe to the blog: https://belkasoft.wordpress.com

About Belkasoft Research

Belkasoft Research is based at St. Petersburg State University, performing non-commercial research and scientific activities. A list of articles by Belkasoft Research can be found at http://belkasoft.com/articles.


Forensic Analysis Of Third Party Applications: Instagram


by Nor Zarina Binti Zainal Abidin

Abstract

Forensic analysis of mobile phones’ third party applications is a new area that needs to be explored. There are a lot of third party applications available in the App Store.

Mobile forensic software tools typically extract standard mobile phone data such as contact numbers, text messages and call logs. These tools overlook information saved in third-party apps. Many third-party applications installed on Apple mobile devices leave forensically relevant evidence or information available for investigation. Potential evidence can be held on these devices. This information can be made readily available to law enforcement through simple and easy-to-use techniques. This paper focuses on conducting forensic analysis of Instagram, a widely used social networking application on smartphones. The tests were conducted on the most popular smartphones: iPhones.

1. Introduction

1.1 Apple Device

iPhone is the most favored Apple product since it was launched in 2007. Apple is the pioneer in Smartphones as they reinvented the mobile phone into what it is today. iPhone uses Apple’s iOS as an operating system. The iOS architecture is layered and consists of four abstraction layers. The functions of all applications that have been installed in iPhone will be determined by these layers. iPhones have their own default applications installed in the phone but users also can select third party applications of their choice and install them on the device. The applications can be downloaded from the App Store using the user’s Apple ID.

1.2 Instagram

Instagram is one of the social networking applications that are available for almost all smartphone platforms and operating systems. It is a widely used and universal application.

Instagram is available for free in the App Store. Users can upload photographs and short videos, follow other users’ feeds and geotag images with longitude and latitude coordinates, or the name of a location. The users can either share their Instagram account to public or keep it as private. Users can connect their Instagram account to other social networking sites, enabling them to share uploaded photos to sites such as Facebook, Twitter, Tumblr and Flickr.

The main purpose of this research is to identify various data security issues in social networking applications on the iOS platform which aid in forensic investigations. Information is stored in different formats at varied locations on the phone. Our aim is to summarize a general methodology to gather valuable information, so a standard investigation process can be followed for all similar applications.

2. Methodology

The main purpose of this research is to determine whether activities performed through smartphone social networking applications are stored on the internal memory of the device and what kind of data that can be extracted or recovered from the device. Prior to conducting the experiments, the device needs to be connected to the internet.

All activities were performed and recorded. Once the activities were done, we disabled the Wi-Fi connection, and a forensic workstation was set up and configured. Once the forensic workstation was ready, the device was switched on in flight mode to isolate the device from any signal. Then, all data were extracted using forensic tools. The following is a list of the device, software and tools used for this forensic examination:

• iPhone 5s
• Model: A1530
• iOS 7.1.1
• Non-jailbroken phone
• Installed with Instagram version 6.9.2
• XRY version 6.13.1


3. Result

No. | Performed activity | Description / findings

1. Login to Instagram with username zarinazainal_
   • Found username ‘zarinazainal_’ with Instagram’s ID number in ‘recent-users’ plist file
   • No login logs were found
2. Enter Instagram password
   • No records of Instagram password
3. Choose picture to be uploaded
   • N/A
4. Edit the picture using one of Instagram’s filters
   • The edited pictures will be saved in the Instagram folder inside the iPhone Photos Album
   • The post could not be found
5. Create caption and hashtag for the edited picture
   • No Instagram caption was found in the exhibit
   • Recently visited and used hashtags can be found under ‘visited hashtag’ in the plist file
6. Link the picture to a Facebook account
   • Found facebook_user_info key (encrypted) with Facebook user ID and the Instagram account name that was used to upload the picture in the ‘com.burbn.instagram’ plist file
7. Post the picture
   • The date when the pictures were uploaded is the same as the creation date
   • Hash value for the pictures is different from the original pictures
   • Software used (Instagram) will be shown in the metadata
   • The original created date (including modified & accessed) remains in the metadata
   • Date and time are based on device time
   • Other metadata (location, coordinates) remains
8. Follow other Instagram accounts
   • Found the username and Instagram’s ID number for Instagram accounts that have been followed by ‘zarinazainal_’ in the ‘recent-users’ plist file
9. Invite followers
   • Found the username and Instagram’s ID number for the Instagram account that has followed the ‘zarinazainal_’ Instagram account in the ‘recent-users’ plist file
10. Make comments on other pictures/posts
   • No comment made by the user was found unless the comments were made on the latest status, as XRY extracts the 10 latest pictures with comments (if any) under the ‘Status Update’ tab
   • Instagram stores cache files of the pictures seen
11. Followers’ comments on your pictures
   • No comment made by the followers was found unless the comments were made on the latest status, as XRY extracts the 10 latest pictures with comments (if any) under the ‘Status Update’ tab
12. Delete pictures that have been posted
   • If the pictures have been deleted from Instagram, the edited pictures will remain in the Instagram folder inside the iPhone Photos Album
   • No indication or records of the deleted post were found
13. Upload another picture without editing
   • No evidence or trace that the picture has been uploaded to Instagram
   • The post could not be found
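Several of the findings above come from property-list (plist) files recovered from the application container, and finding 7 notes that an uploaded picture no longer matches the hash of the original. As an added example, not part of the paper and not XRY’s or Instagram’s own code, the Python script below parses a constructed plist that imitates the ‘recent-users’ and ‘visited hashtag’ entries and compares image hashes. The key names (`recent-users`, `username`, `pk`, `visited hashtag`) and the layout are assumptions made for the example; they are not Instagram’s real schema.

```python
import hashlib
import plistlib
from typing import Dict, List

# Constructed sample plist. The key names and nesting are an ASSUMPTION for this
# example only; a real extraction would be parsed the same way but the keys may differ.
SAMPLE_RECENT_USERS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>recent-users</key>
  <array>
    <dict><key>username</key><string>zarinazainal_</string><key>pk</key><integer>123456</integer></dict>
    <dict><key>username</key><string>followed_account</string><key>pk</key><integer>654321</integer></dict>
  </array>
  <key>visited hashtag</key>
  <array><string>forensics</string><string>malaysia</string></array>
</dict>
</plist>
"""


def parse_recent_users(data: bytes) -> List[Dict[str, object]]:
    """Return username/ID records from the 'recent-users' array of a plist blob.

    plistlib.loads auto-detects XML and binary plists, so the same call works on
    a file pulled from an iOS backup or a logical extraction.
    """
    root = plistlib.loads(data)
    records = []
    for entry in root.get("recent-users", []):
        if isinstance(entry, dict) and "username" in entry:
            records.append({"username": entry["username"], "id": entry.get("pk")})
    return records


def visited_hashtags(data: bytes) -> List[str]:
    """Return the hashtags stored under the (assumed) 'visited hashtag' key."""
    root = plistlib.loads(data)
    return [str(tag) for tag in root.get("visited hashtag", [])]


def sha256_hex(blob: bytes) -> str:
    """Hex SHA-256 digest, the value an examiner would record for each picture."""
    return hashlib.sha256(blob).hexdigest()


def hashes_differ(original: bytes, edited: bytes) -> bool:
    """Finding 7: a filtered or re-encoded picture no longer matches the original's hash,
    so hash matching alone cannot tie the album copy to the posted copy."""
    return sha256_hex(original) != sha256_hex(edited)


if __name__ == "__main__":
    for rec in parse_recent_users(SAMPLE_RECENT_USERS_PLIST):
        print(rec)
    print(visited_hashtags(SAMPLE_RECENT_USERS_PLIST))
    print(hashes_differ(b"original-bytes", b"original-bytes-edited"))
```

Because the usernames and IDs are recovered from a plist rather than from login logs, they show which accounts the app had seen, not that the owner authenticated; that distinction is what the conclusion of the paper rests on.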

4. Future Work

• Extract data from other platforms or operating systems such as Android, BlackBerry and Windows.
• Extract data from a jailbroken iPhone or rooted Android phone to identify what kind of data can be extracted from such devices.

5. Conclusion

There is no strong evidence to show that the exhibit was used to post or upload pictures to Instagram. From the analysis, it could not be proven that the Instagram account found on the phone had been used to log in as administrator. No registration details such as email and password were found on the device.

Nor Zarina Binti Zainal Abidin is a senior analyst at CyberSecurity Malaysia, an agency that encourages digital forensics professionals to work together to harness the power of information networks.


DFRWS EU 2016 – Lausanne 29th – 31st March


From the 29th to the 31st of March 2016, Forensic Focus will be attending the European Digital Forensics Research Workshop (DFRWS EU) in Lausanne, Switzerland. If there are any topics you’d particularly like us to cover, or any speakers you think we should interview, please let us know in the comments.

Below is an overview of the subjects and speakers that will be featured at DFRWS.


Tuesday 29th March

The week will open with a series of pre-conference workshops held at the University of Lausanne. The workshops will be split into three tracks, enabling attendees to choose a track that meets their interests. The tracks are as follows.

Track One will begin with Microsoft Exchange Forensics and will then continue with a proposal concerning evidence exchange between courts in Europe. The first half of the workshop, taking place from 9am until 12.30pm, will discuss new developments in how recent versions of Outlook and Exchange store data, and how to use these data to understand user activity. The afternoon session will be a discussion of the attempt by the EVIDENCE project to come up with a Common European Framework for digital evidence.

Track Two will commence with an introduction to virtual currencies, with a strong focus on Bitcoin. Criminal investigation of cases involving cryptocurrencies will also be discussed. In the afternoon, Track Two will be taken up by a Plaso Parser Workshop, in which Daniel White from Google will demonstrate the tool which automatically creates “super timelines”.

Track Three will have a single focus all day, although it will be split into sections. Titled ‘Fun With The Beast’, it will show attendees the intricacies of traffic mining using two important tools: Tranalyser and your brain. Role play scenarios will be set up, in which attendees will play the part of analysts trying to find anomalies in real IP traffic. This workshop is only open to attendees with Linux laptops.

Wednesday 30th March

The second day brings the start of the conference proper, with the morning’s keynote address still to be confirmed. The first session following the keynote will delve into memory forensics, with Michael Gruhn and Felix Freiling kicking off with a discussion of how to evaluate the integrity of memory acquisition methods. This will then be followed by demonstrations of Linux and Windows memory analysis respectively.

Following lunch, the afternoon will begin with a session on technology-specific analysis, including a talk from Christian Zoubek, Sabine Seufert and Andreas Dewald concerning RAID reassembly. After this the conference will continue with a series of short presentations, two of which will be based on the investigation of drug crimes. The first will talk about drug trafficking on the dark net and how it can be monitored through the analysis of trace evidence – whether digital, chemical or physical. In a similar vein, a group of researchers will follow this with a demonstration of how to use online forums to monitor the diffusion of drugs on the internet.

The final short presentation will be given by Mattia Epifani, Francesco Picasso and Marco Scarito, who will present their research into uncovering artifacts from the Windows Phone 8.

Bringing the day to a close, the last session will look at data acquisition, including the methodology used to find the best mobile forensics tool and a discussion of cold-boot attacks on scrambled DDR3 memory.

On Wednesday night the Gala Dinner will be hosted at the Starling Hotel, with the popular forensic rodeo contest and the awards for best paper included as part of the evening’s entertainment.

Thursday 31st March

The final day of the conference will begin with a keynote address, which has yet to be decided. The main session of the morning will be devoted to the handling of digital evidence, with subjects such as field triage by non-specialists, absence of expected data, and behavioural evidence analysis in cyberstalking cases being the three primary discussions.

Following lunch, a second series of short presentations will focus on a forensic overview of cloud computing; the analysis of Orweb anonymiser on Android devices; and a Digital Evidence Dashboard, which will be presented by Hans Henseler and Adrie Stander.

From 14:00 until 14:30 conference attendees will have the chance to give a ‘lightning talk’ on a topic of their choice. These can be put forward at the registration desk throughout the conference and are a great way to get your research noticed by leaders in the field.

The afternoon sessions on Thursday will begin with an in-depth look at cloud and network forensics. Benjamin Taubmann et al will discuss how to use a virtual machine to decrypt TLS information; Vassil Roussev and Shane McCulley will demonstrate the forensic analysis of cloud-based artifacts; and David Gresty et al will show us how a session-to-session analysis of internet history can aid in the forensic examination of multi-user environments.

The week will be rounded off with a final panel discussion – subject to be confirmed – and will close at 17:30 on Thursday 31st March.

Forensic Focus will be in attendance throughout the conference, and you can see the full programme and register here. If there are any topics you would particularly like to see covered in-depth, or if there are any speakers you would like to see interviewed, please leave a comment below or email scar@forensicfocus.com with suggestions.


Beyond Keywords: Is Keyword Search Becoming Obsolete In The New Age Of Forensic Digital Investigation?


by James Billingsley

Keyword searching is the primary tool investigators use to identify relevant evidence in a data set. However, poorly chosen keywords can miss important items or return too many irrelevant results. As data volumes grow, investigators must find better ways to focus on the items of interest within very large data sets. Expert forensic technician and investigator James Billingsley explains how visualising communication networks, timelines, maps and links between data sources can rapidly establish key players, their locations and their involvement in a matter of interest – all supported by forensic artefacts required for provenance.

Searching for the answers

Before the advent of computing, investigators who sought evidentiary documents that were relevant to their case faced the painstaking task of sifting through all the available pieces of paper and handwritten notes until only the significant ones remained.

The global adoption of computers and digitisation introduced a time-saving tool like no other: keyword searching. Investigators didn’t even have to read the documents; they would simply compile a list of keywords relevant to the investigation and use computer searches to find any instances of these words on the electronic media.

Making searches more effective

Keywords can be a powerful examination technique, especially when search queries are well crafted. Over many years, investigators and technology vendors developed ways to make keyword searching more effective:

  • Forensic carving. We developed sophisticated ways to extract searchable text from areas of unused data, deleted data and volatile (temporarily stored) data. This would help uncover evidence that was created by automated processes, or deleted or modified in attempts to hide it.
  • Decoding and text extraction. Not all data can easily be searched. Often it must first be decoded and presented in a text-searchable form. Decryption, decoding, optical character recognition (OCR) and many other techniques ensure the largest number of evidence sources can be searched for keywords.
  • Indexing. In an effort to make keyword searching faster, repeatable and more accurate, most software tools moved to indexing the data on electronic devices. This process entailed calculating the location of each keyword within the data before carrying out any searches. Indexing sped up the overall search process and made it possible to construct complex search criteria and receive near-instantaneous results.

Common keyword problems

Effective keyword searching also requires experience. It can be largely ineffective if not applied appropriately. Specifically, keyword search technique has always presented the same two problems:

  • Too few results. If investigators fail to predict the exact keywords that will lead to the relevant data, they will likely miss important evidence. At worst this could lead them to an inaccurate investigation conclusion. Even a simple typing error could have a substantial effect on results.
  • Too many results. Large lists of untargeted keywords often return huge volumes of irrelevant data. Reviewing these false positives wastes investigation time and money. Compiling large lists of keywords, in an attempt to capture all relevant data, further exacerbates the problem of returning results irrelevant to the case.

The following are some examples of bad keywords.

  • “dave” – Using a suspect’s name as a keyword may seem a sensible approach. However, if the suspect has named their user account on the computer after themselves, searching for “dave” will return masses of irrelevant data as the term forms a key part of the file system directory structure.
  • “GE” – Using short keywords or acronyms – including company names, slang words or a person’s initials – will often return huge volumes of irrelevant data. Such a short term will occur with great frequency within the data. For example, the letters “ge” occur more than 30 times just in this article.
  • “window” – A term such as this will return large volumes of irrelevant data. It forms a key part of the directory structure and documentation of Microsoft’s Windows operating system, for example.
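The three bad keywords above share a measurable signature: their hits come mostly from the file-system structure rather than from document content, they are very short, or they match a large share of the corpus. As an added example, not from the article or from Nuix, the Python script below scores candidate keywords against a small constructed corpus of (path, text) pairs standing in for an indexed image, so that noisy terms can be flagged before a full search is run. The corpus, the thresholds and the function names are all constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample corpus: (path, extracted text) pairs standing in for an index.
CORPUS: List[Tuple[str, str]] = [
    ("C:/Users/dave/Documents/invoice.docx", "Invoice for consulting, total 4,000 GBP. Regards, Dave"),
    ("C:/Users/dave/AppData/Local/Temp/log.txt", "general error in generator module"),
    ("C:/Windows/System32/drivers/etc/hosts", "# Copyright (c) 1993-2009 Microsoft Corp."),
    ("C:/Users/dave/Pictures/holiday.jpg", ""),
    ("C:/Windows/Logs/setup.log", "Windows setup started; opening new window"),
    ("C:/Windows/explorer.exe", ""),
    ("D:/Evidence/transfer.txt", "wire transfer to GE Capital arranged by Dave next week"),
]


def rate_keywords(keywords: List[str],
                  corpus: List[Tuple[str, str]],
                  min_length: int = 3,
                  max_doc_fraction: float = 0.5) -> Dict[str, Dict[str, object]]:
    """Score each keyword and flag it as noisy when it is very short, when more of its
    hits come from paths than from content (the 'dave' / 'window' problem), or when it
    matches more than max_doc_fraction of all documents. Thresholds are assumptions."""
    report: Dict[str, Dict[str, object]] = {}
    for kw in keywords:
        pattern = re.compile(re.escape(kw), re.IGNORECASE)
        path_hits = content_hits = docs_matched = 0
        for path, text in corpus:
            in_path = len(pattern.findall(path))
            in_text = len(pattern.findall(text))
            path_hits += in_path
            content_hits += in_text
            if in_path or in_text:
                docs_matched += 1
        reasons = []
        if len(kw) < min_length:
            reasons.append("too short")
        if path_hits > content_hits:
            reasons.append("mostly path/structure hits")
        if docs_matched / len(corpus) > max_doc_fraction:
            reasons.append("matches most documents")
        report[kw] = {
            "path_hits": path_hits,
            "content_hits": content_hits,
            "docs_matched": docs_matched,
            "noisy": bool(reasons),
            "reasons": reasons,
        }
    return report


if __name__ == "__main__":
    for term, score in rate_keywords(["dave", "GE", "window", "transfer"], CORPUS).items():
        flag = "NOISY" if score["noisy"] else "ok"
        print(f"{term:10} {flag:6} paths={score['path_hits']} content={score['content_hits']} "
              f"docs={score['docs_matched']} {score['reasons']}")
```

Run against a real index the same three checks give the examiner a quick sanity pass over a keyword list: terms that are flagged are either narrowed (a full name or phrase instead of “dave”), restricted to content-only searching, or dropped.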

Seeking a better way

Even with the most finely crafted searches, the number of results can be hard for a human being to take in. As we continue to aggressively digitise every facet of our lives, the explosion of data demands new, better ways to present the results to investigators so they can more easily digest and comprehend the data. This is where data visualisation comes into play.

The mind’s eye

“The purpose of visualisation is insight, not pictures.”[1]

Visualisations form the single easiest way for the human brain to receive and interpret large quantities of data. In investigations, visualising data achieves three primary goals:

  • Intelligence gathering: discovering and establishing facts significant to the investigation.
  • Interpretation: understanding and giving meaning to the intelligence.
  • Communication: effectively reporting findings to a wider audience.

While many fields of knowledge have enthusiastically embraced data visualisation, its adoption has been slow in digital forensics and investigation. Those who have made the transition have seen their investigation workflows transformed by the way they can quickly present and interpret vast and growing volumes of keywords, statistics and raw data.

For example, Figure 1 shows a large quantity of communication records and messages, extracted from mobile phones and a desktop computer, presented to the investigator in a tabular text fashion.

Figure 1: A list of communication records and associated metadata in tabular form.


Discerning any patterns in these communications would require painstaking work and attention. This is because our brains interpret this data using verbal processing. However, by visualising this data, we can quickly extract value from it and communicate it in our investigation findings.

In Figure 2 we see the same communication data displayed in a network visualisation. Immediately we can comment on the primary communicators, the people they speak to, and the frequency of contact.

Figure 2: The same data as Figure 1 presented as a network of communications between devices.


In Figure 3 we see the same communication data displayed as a timeline. At a glance we can comment on how frequently each mobile device was used, how recently it was used and if there were any gaps in usage.

Figure 3: The same data as Figure 1 presented in a timeline.

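The network in Figure 2 and the timeline in Figure 3 are both built from the same tabular records: the network is an aggregation of message counts between pairs of parties, and the timeline is the same records bucketed by device and time. As an added example, not from the article or Nuix, the Python below performs those aggregations on a constructed set of communication records, returning the contact graph, the most active parties and any usage gaps per device; a plotting library would then draw the result. The record layout (timestamp, sender, recipient, source device), the names and the gap threshold are all constructed for this example.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample records: (timestamp, sender, recipient, device the record came from).
RECORDS: List[Tuple[str, str, str, str]] = [
    ("2015-03-01 09:10", "alice", "bob",   "phone-1"),
    ("2015-03-01 09:12", "bob",   "alice", "phone-2"),
    ("2015-03-02 18:00", "alice", "carol", "phone-1"),
    ("2015-03-03 10:00", "alice", "bob",   "phone-1"),
    ("2015-03-03 11:30", "carol", "dan",   "phone-3"),
    ("2015-03-20 08:00", "alice", "bob",   "phone-1"),
    ("2015-03-21 08:05", "bob",   "alice", "phone-2"),
    ("2015-03-21 09:00", "dan",   "alice", "desktop"),
]

TIME_FMT = "%Y-%m-%d %H:%M"


def contact_graph(records) -> Counter:
    """Undirected edge weights: how many messages passed between each pair (Figure 2)."""
    edges: Counter = Counter()
    for _, sender, recipient, _ in records:
        edges[frozenset((sender, recipient))] += 1
    return edges


def top_communicators(records, n: int = 3) -> List[Tuple[str, int]]:
    """Parties ranked by number of messages sent or received (node degree)."""
    degree: Counter = Counter()
    for _, sender, recipient, _ in records:
        degree[sender] += 1
        degree[recipient] += 1
    return degree.most_common(n)


def activity_by_day(records, device: str) -> Dict[str, int]:
    """Messages per calendar day for one device, the buckets behind a timeline (Figure 3)."""
    days: Counter = Counter()
    for ts, _, _, dev in records:
        if dev == device:
            days[ts[:10]] += 1
    return dict(sorted(days.items()))


def usage_gaps(records, device: str, min_gap_days: int = 7) -> List[Tuple[datetime, datetime]]:
    """Periods of at least min_gap_days with no activity on the device: the 'gaps in usage'
    the timeline makes visible, which often prompt questions about a replaced handset."""
    times = sorted(datetime.strptime(ts, TIME_FMT) for ts, _, _, dev in records if dev == device)
    gaps = []
    for earlier, later in zip(times, times[1:]):
        if later - earlier >= timedelta(days=min_gap_days):
            gaps.append((earlier, later))
    return gaps


if __name__ == "__main__":
    for pair, count in contact_graph(RECORDS).most_common():
        print(sorted(pair), count)
    print(top_communicators(RECORDS, 2))
    print(activity_by_day(RECORDS, "phone-1"))
    print(usage_gaps(RECORDS, "phone-1"))
```

The point of keeping the aggregation separate from the drawing is provenance: every edge weight and every gap traces back to a list of the underlying records, which is what the investigator has to be able to produce when the picture is challenged.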

A number of forensic artefacts, such as the EXIF data in digital photographs, contain geolocation coordinates. Other data sources may contain IP addresses which can be resolved to geographical coordinates. These coordinates can be extracted and plotted onto a map.

Figure 4 shows a map of the locations extracted from Skype data on the desktop computer, showing where the user logged onto Skype using specific devices and the locations of the other people contacted. This provides an example of how we might gather information to understand the movements of a suspect. With this information, we can better understand the context of the suspect’s communications.

Figure 4: Geographical coordinates extracted from IP addresses plotted onto a map.


In Figure 5, we have extracted and visualised references to company names, countries, and sums of money. This very quickly shows the investigator that there are references to significant sums of money, company names, and countries in the Skype communications extracted from the desktop computer.

Figure 5: Visualising connections between company names, countries, and sums of money.


In Figure 6 the investigator has focused solely on these interesting communication files from the desktop computer and exposed names of any people connected with those files. This provides intelligence around new identities who may be involved in the case.

We can also clearly see the message exchange highlighted in the centre contains references to all the other items of interest. We have targeted our search from a massive and incomprehensible list down to a single communication very quickly and efficiently.

Figure 6: Drilling down to the Skype communications extracted from a desktop PC and revealing the names of people mentioned in them.


In Figure 7, the investigator has focused on a file of interest and exposed linked forensic artefacts that speak to the activity history of that file.

Figure 7: Showing links between a file of interest and forensic artefacts such as link files and Windows Registry keys.


You will note that throughout this approach we did not employ a single keyword search. This avoided the need for guesswork around which keywords may or may not be relevant to our case. We have also avoided a long-winded linear text review of masses of responsive data. Visualisations have evolved our investigation technique beyond sifting through masses of information. Instead, they allow the most relevant information to bubble to the surface as we dynamically alter our visual point of reference.

Moving beyond traditional keyword searching

“The greatest value of a picture is when it forces us to notice what we never expected to see.”[2]

Traditional keyword searching has underpinned digital forensics since its inception. Given manageable data quantities and sufficient available time, keyword search analysis provides a great opportunity to identify digital evidence essential to an investigation.

However, over the past 10 years typical case sizes have grown from a few gigabytes to multiple terabytes. This means investigators have no choice but to embrace new technologies and techniques if they are to deliver results efficiently today and through the next 10 years of technological advance.

Every information management discipline is actively grappling with how best to manage masses of varied electronic data. Digital forensics is under the same pressure. Practitioners must look beyond their traditional techniques in order to best deal with the continued data growth, increasing case backlogs and growing financial and organisational pressures.

Data visualisation is the next logical step forward for digital forensics. As technology changes at an incredible pace, digital forensics must keep pace with the world around it and be open to explore these new techniques, methods and tools, while adhering to its strong scientific traditions.

[1] Ben Shneiderman, “Research Agenda: Visual Overviews for Exploratory Search”, National Science Foundation workshop on Information Seeking Support Systems, June 26-27, 2008
[2] John Tukey, Exploratory Data Analysis, Addison-Wesley, 1977

About the author

James Billingsley
Principal Solutions Consultant, Cybersecurity & Investigations, Nuix

James has more than a decade of experience in computer forensics. Before joining Nuix, he worked in 7Safe’s Security Investigation & Assessment team as a senior breach investigation consultant and a senior eDiscovery consultant. He previously worked as a senior computer forensics investigator at CCL-Forensics. James has contributed to web browser forensics software tools which law enforcement agencies and international corporations around the world use.


BitLocker: What’s New in Windows 10 November Update, And How To Break It


BitLocker is a popular full-disk encryption scheme employed in all versions of Windows (but not in every edition) since Windows Vista. BitLocker is used to protect stationary and removable volumes against outside attacks. Since Windows 8, BitLocker is activated by default on compatible devices if the administrative account logs in with Microsoft Account credentials. BitLocker protection is extremely robust, becoming a real roadblock for digital forensics.

Various forensic techniques exist allowing experts to overcome BitLocker protection. Capturing a memory dump of a computer while the encrypted volume is mounted is one of the most frequently used venues of attack. However, acquiring BitLocker-encrypted volumes may become significantly more difficult with the release of Windows 10 November Update. In this article, we’ll explore existing methods of recovering BitLocker volumes, look at what has changed with November Update, and review the remaining acquisition paths.

Windows 10 November Update

Microsoft has maintained compatibility between generations of BitLocker in all versions of Windows from Windows Vista through Windows 10 RTM. It was not until build 1511 of Windows 10 that BitLocker received a major overhaul. In Windows 10 build 1511 (often referred to as November Update), Microsoft updated BitLocker with support for XTS-AES encryption algorithm. The new mode supports both 128-bit and 256-bit XTS-AES keys, and provides an extra layer of protection against certain types of attacks. Since XTS-AES is not backward compatible with existing systems running earlier versions of Windows, this mode is an optional choice when encrypting an external drive with BitLocker to Go.

XTS-AES is not the only thing new to BitLocker with Windows 10 November Update. Microsoft has implemented a change to DMA port access, adding a new MDM policy that allows system administrators to block DMA ports (think FireWire) while the device is starting up. In addition, unused ports with DMA access (e.g. FireWire) are automatically disabled when the device is locked (devices already connected may continue to work). The DMA ports are turned back on when the device is unlocked.

This new policy makes it impossible to use a FireWire attack for capturing a live RAM dump if the device being acquired is locked. Since the FireWire attack was one of the major acquisition paths for encrypted volumes (as well as for capturing massive amounts of volatile evidence), the November Update presents a real obstacle to digital investigations.

The Use of BitLocker

It might be true that all versions of Windows since Windows Vista support BitLocker encryption. However, not all Windows editions do. BitLocker is available on the Ultimate and Enterprise editions of Windows Vista and Windows 7, as well as the Pro and Enterprise editions of Windows 8 and Windows 10.

However, there’s more to BitLocker than meets the eye. In addition to “full” BitLocker, Microsoft ships BitLocker Device Encryption with the core edition of Windows 8.1, Windows RT, and Windows 10 Home. Device encryption is a feature-limited version of BitLocker that automatically encrypts the system boot volume.

BitLocker device encryption is activated automatically if all of the following conditions are met:

  • The device meets Connected Standby or Modern Standby specifications, which typically require solid-state storage (SSD or eMMC)
  • The device features non-removable (soldered) RAM to protect against cold boot attacks
  • The device is equipped with a TPM 2.0 chip
  • At least one account with administrative privileges logs in with Microsoft Account credentials (as opposed to using a local Windows account)

These conditions are frequently met on Windows-powered tablets (such as Lenovo ThinkPad 8, Nokia Lumia 2520 or Dell Venue 8 Pro), most business laptops and many high-end and even mid-range ultrabooks. (Notably, Apple’s Macbooks are not equipped with TPM chips.)

As soon as the system meets the requirements, and the user logs in with a Microsoft Account, Windows begins encrypting the boot partition with BitLocker. The encryption is done completely in the background and without prompting the user; the user may not be even aware that their system partition is encrypted. The only indication of the encryption process may be the higher than usual disk activity and battery consumption.

BitLocker Escrow Keys

Unlike the “full” BitLocker that offers multiple options for creating and storing escrow keys, BitLocker device protection automatically creates a so-called Recovery Key. The Recovery Key is automatically uploaded into the user’s Microsoft Account. For this purpose, Windows uses the first Microsoft account with administrative privileges. The Recovery Key is then stored to the user’s Microsoft Account. Alternatively, the Recovery Key can be stored in the Active Directory, if a corresponding security policy exists.

New in Windows 10 November Update: the Recovery Key can now be stored in Azure Active Directory. According to Microsoft, “In addition to using a Microsoft Account, automatic device encryption can now encrypt devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory.”

Attacking BitLocker Protection

There are several methods of decrypting a BitLocker volume.

  1. For BitLocker volumes and removable devices encrypted with BitLocker To Go, one can perform an attack on the original plain-text password. Once the password is recovered, the volume can be instantly unlocked.
  2. Volumes encrypted with either BitLocker Device Protection or the full BitLocker can be decrypted by extracting a binary encryption key from the computer’s RAM dump. The dump must be captured while the encrypted volume is mounted.
  3. BitLocker Device Protection automatically saves an escrow key (BitLocker Recovery Key) into the user’s Microsoft Account, Active Directory or Azure cloud. The user may or may not be aware that a recovery key exists. By pulling the Recovery Key from https://onedrive.live.com/recoverykey, investigators can use it to unlock encrypted volumes.

Recovering BitLocker Password

Attacking the original plain-text password is the most obvious and straightforward acquisition approach. A number of forensic tools, such as Elcomsoft Distributed Password Recovery, exist that enumerate text-based passwords in an attempt to recover the correct one. However, BitLocker (like most recognized full-disk encryption products) was designed specifically to withstand this type of attack. Enumerating passwords is painfully slow even when running a distributed attack with multiple computers, each equipped with a high-end GPU accelerator.

Due to the strong protection used by Microsoft on BitLocker volumes, brute-forcing passwords is extremely slow to the point of becoming unfeasible for all but the simplest passwords. Even if GPU acceleration is enabled, breaking BitLocker passwords remains painfully slow. Attempting to recover a BitLocker password only becomes feasible if a custom password dictionary is available (such as the list of passwords used by the same person to protect accounts, documents, archives etc.)

The actual recovery speed (using Elcomsoft Distributed Password Recovery on a single PC equipped with a single GPU unit) is as follows:

  1. CPU Xeon E5-2603 (4 cores, 1.80GHz): 2 passwords per second
  2. NVIDIA GeForce GTX 750 Ti: 150 passwords per second
  3. NVIDIA GeForce GTX 980: 490 passwords per second
  4. NVIDIA GeForce GTX Titan: 195 passwords per second

Even with 500 passwords per second, breaking a 6-character alphanumerical password could take over three years. If more than six alphanumerical characters are used, or if the password contains one or more special characters, the recovery time increases significantly.
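The figures above follow from the size of the keyspace divided by the measured rate. As an added example, not part of the article and not Elcomsoft’s code, the Python below carries that estimate through for the four rates listed and for several character sets and lengths, which is the calculation a defender uses to set a minimum BitLocker password length. The rates are the ones quoted in the article; the character-set sizes, the function names and the assumption that the whole keyspace must be searched (the worst case; on average half of it is) are this example’s own.

```python
from typing import Dict

SECONDS_PER_YEAR = 365 * 24 * 3600

# Passwords per second as quoted in the article for a single PC with one accelerator.
MEASURED_RATES: Dict[str, float] = {
    "CPU Xeon E5-2603": 2,
    "NVIDIA GeForce GTX 750 Ti": 150,
    "NVIDIA GeForce GTX 980": 490,
    "NVIDIA GeForce GTX Titan": 195,
}

# Character-set sizes are an assumption of this example (printable ASCII = 95).
CHARSETS: Dict[str, int] = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from the set."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case years to try every password at `rate` guesses per second.
    The expected time to hit a uniformly random password is half this value."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_YEAR


def estimate_table(length: int) -> Dict[str, Dict[str, float]]:
    """Worst-case years for every (character set, rate) pair at a given length."""
    return {
        cs_name: {hw: years_to_exhaust(cs_size, length, rate) for hw, rate in MEASURED_RATES.items()}
        for cs_name, cs_size in CHARSETS.items()
    }


if __name__ == "__main__":
    # The article's headline figure: 6 alphanumeric characters at 500/s is over three years.
    print(f"62^6 at 500/s: {years_to_exhaust(62, 6, 500):.1f} years")
    for length in (6, 8):
        print(f"\nlength {length}")
        for cs_name, row in estimate_table(length).items():
            cells = ", ".join(f"{hw}: {yrs:.3g} y" for hw, yrs in row.items())
            print(f"  {cs_name:16} {cells}")
```

The table makes the article’s practical conclusion concrete: at these rates a guessing attack is only realistic against passwords that are short, drawn from a small character set, or present in a custom dictionary, which is why the remaining sections turn to the memory and escrow-key paths instead.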

Extracting Decryption Key

Extracting the binary decryption key from the computer’s RAM dump is one of the most commonly used attacks on BitLocker and other full-disk encryption tools. In order to extract the decryption key, one needs to make the computer produce a RAM dump.

Once the memory dump has been captured (one can use any kernel-mode RAM dumping tool such as Belkasoft Live RAM Capturer), one can use Elcomsoft Forensic Disk Decryptor to load the RAM image, locate and extract the BitLocker decryption key, and use that key to either mount the encrypted volume or decrypt it for offline analysis.

Sleep Mode

If the computer being acquired has entered sleep mode (or uses Modern Standby), the BitLocker decryption key is still stored in the computer’s RAM. If this is the case, it could be possible to run a DMA attack over a FireWire port to read the contents of physical memory. This attack is very common, and Windows provided no protection against it in all versions of Windows before Windows 10 November Update (build 1511).

New in Windows 10 November Update: Microsoft has addressed this long-standing security issue by implementing a new MDM policy that blocks DMA port access while the computer is sleeping and before it is unlocked. The new policy, if enabled, disables unused DMA ports (e.g. FireWire) while the device is locked or sleeping.

If the computer has this new policy enabled, a FireWire attack is no longer possible.

BitLocker Device Protection and Hibernation

If BitLocker Device Protection is active, the hibernation file is automatically encrypted once the system enters deep sleep (hibernation) mode. It is therefore not possible to extract the decryption key from the hibernation file as that file itself is encrypted with BitLocker.

On the other hand, if the boot volume is not encrypted but other volumes are, the decryption key to unlock those other volumes will be saved into the hibernation file, and can be extracted and used to mount or decrypt those volumes.

Accessing BitLocker Escrow Keys

The easiest way to decrypt a system volume encrypted with BitLocker Device Protection is by using BitLocker escrow keys or, as Microsoft calls them, “BitLocker Recovery Keys”.

What triggers BitLocker device protection? The encryption starts on devices meeting the minimum requirements once the administrative user logs in with their Microsoft Account credentials instead of using a local Windows account. At this time, Windows generates a unique BitLocker identification record as well as the corresponding escrow (recovery) key. BitLocker Recovery Keys are then automatically uploaded to the user’s Microsoft Account (alternatively, they are uploaded to Active Directory or Azure Active Directory if the corresponding MDM security policy is in place).

Once you know the account password, you can access all BitLocker Recovery Keys from that account. The keys are available at the following link (must use the correct Microsoft Account credentials to access): https://onedrive.live.com/recoverykey

Once logged in, you’ll be able to access BitLocker Recovery Keys to all devices registered under that Microsoft Account:

Recovering Microsoft Account Password

Once you know the user’s Microsoft Account credentials, you can access BitLocker escrow keys. But what if you don’t? Since a Microsoft Account is cloud-based, its authentication credentials are stored on Microsoft servers, meaning that you cannot brute-force the password in the traditional way.

However, you may still be able to brute-force that password if you have access to at least one computer that uses the same Microsoft Account credentials without BitLocker encryption. This scenario is extremely likely if the user owns a Windows tablet, business laptop or ultrabook that DOES have BitLocker protection and, at the same time, uses a desktop PC that DOES NOT have such protection.

This scenario is very likely because desktop computers rarely, if ever, meet the requirements for BitLocker Device Protection. Indeed, most desktop PCs have removable RAM (thus violating one of the requirements) and are not equipped with a TPM 2.0 module (which is an absolute must for BitLocker Device Protection).

Microsoft Account passwords are not normally stored anywhere on the user’s computer, meaning that simply extracting the password is not possible. However, in order to facilitate logins in the absence of network connectivity, Microsoft had to cache a password hash and store it on the computer. On the one hand, this allows users to log in to their computer while offline. On the other hand, it also allows extracting the cached hash and running an offline attack to recover the original password.

As you can see, recovering Microsoft Account passwords is a two-step process. During the first step, you extract the password hash (and attempt a range of quick attacks to try some of the most common passwords). If the first step does not reveal the original password, you will need to attack the password offline using one or more computers equipped with GPUs. These attacks are straightforward and very well optimized, allowing password combinations to be enumerated extremely quickly.

In order to extract the user’s Microsoft Account password, you would need two tools: Elcomsoft System Recovery and Elcomsoft Distributed Password Recovery.

  1. To extract password hashes, run Elcomsoft System Recovery, select one or more accounts, and click Next. The tool will export the hashes into a file.
    Elcomsoft System Recovery
  2. Now that you have the hash file (let’s say its name is “x.pwdump”), transfer it to the computer where Elcomsoft Distributed Password Recovery is installed. Launch the software and choose to recover a Windows account password. Select the “x.pwdump” file you’ve just exported. Configure attacks (dictionary, brute force, or combination). Schedule the task and wait while Elcomsoft Distributed Password Recovery enumerates all allowed password combinations.
    Elcomsoft Distributed Password Recovery

Once Elcomsoft Distributed Password Recovery discovers the correct password, you can use it for logging in to the user’s online Microsoft Account, downloading BitLocker Recovery Keys and using them to decrypt the system partition protected with BitLocker. Alternatively, you can just use the recovered Microsoft Account credentials to log in to the system being investigated. In this case, the encrypted volume will be unlocked automatically without requiring the use of BitLocker Recovery Keys.

Conclusion

Windows 10 November Update introduced several changes to system security. A new XTS-AES encryption algorithm better protects BitLocker volumes. BitLocker escrow keys can now be saved to Azure Active Directory in addition to the Microsoft Account. Finally, Microsoft has addressed the long-standing vulnerability that allowed attackers to capture the content of the computer’s RAM via a FireWire attack through ports with DMA access. These security changes present new challenges to forensic experts. However, new acquisition methods are actively being developed to overcome them.

About Elcomsoft

ElcomSoft develops computer forensics tools for Windows and Mac OS X, provides computer forensics training and computer evidence consulting services. Since 1997, ElcomSoft has been providing support to businesses, law enforcement, military, and intelligence agencies. ElcomSoft tools are used by most of the Fortune 500 corporations, multiple branches of the military all over the world, foreign governments, and all major accounting firms. More information at https://www.elcomsoft.com



SSD and eMMC Forensics 2016


What Has Changed in 2016 in the Way SSD Drives Self-Destruct Evidence. Demystifying eMMC, M.2, NVMe, and PCI-E.

by Yuri Gubanov, Oleg Afonin
© Belkasoft Research 2016

This publication continues the series started with an article on SSD forensics we published in 2012. We investigated the issues of SSD self-corrosion, and demystified trimming, garbage collection and data remapping. Two years later, we revisited the issue. Back then, manufacturers released innovations in quick succession. 3D TLC, bigger and faster drives, the end of compressing controllers and the introduction of self-encrypting SSD drives were all big news. Fast-forward to 2016, and we have an abundance of cheaper SSD models with seemingly few changes on the high-tech battlefront.

In addition to 2.5-inch models, we have seen a new popular form factor used in super-slim ultrabooks, and a new type of solid-state memory introduced by Samsung and used in many mobile devices. On the lower end of the spectrum, we are seeing eMMC chips being used in low-end Windows tablets and subnotebooks, where these chips take the place of traditional SSD drives. In this article, we will try to figure out what all this means for a forensic investigator.

As this publication is designed to continue the original series, we skipped most of the basics, including definitions. If you are at the beginning of your journey into the world of SSD forensics, please consider reading the original publications first. The information provided in the original series still stands.

Introduction

Nearly a decade ago, Solid State Drives (SSDs) revolutionized computer storage, bringing to the table blazing fast access speeds, low power consumption, and the absence of moving parts. Along with these benefits, consumers saw a severely restricted lifespan. An older SSD could only withstand so much wear before it would start losing data. A limited number of write cycles still remains a limitation today. To this day, we still have to cope with the same limitations, owing to the ever shrinking manufacturing process and the invention of new types of NAND cells (namely TLC cells that keep 3 bits of information per physical cell instead of 2 bits in MLC and a single bit in SLC cells).

In order to overcome these technological limitations while continuously reducing the cost-per-gigabyte of storage, manufacturers perfected some very smart software algorithms. These algorithms ensure that the load is distributed evenly among the cells, quickly remapping logical addresses of NAND cells to ensure that the next write operation will occur to a cell with the least wear.

Another limitation of flash-based memory is the fact that one can only write new data into an empty (erased) cell. Once an SSD drive fills up, each subsequent write operation would involve erasing the content of a data block and then writing new data into the cell. Since erasing flash cells is a much slower process than writing data, manufacturers implemented garbage collection algorithms that erase cells containing data that is no longer used by the system.

How does the SSD controller know which data block is used and which one is not? The operating system tells it by sending the controller a so-called ‘trim’ command. Once the trim command is sent, the controller ‘knows’ that certain data blocks are no longer used, and adds them to the list of ‘dirty’ blocks. These blocks are scheduled to be erased by the internal garbage collection algorithm.

At the same time, the system does not have to wait while a certain physical cell is erased. Should the system need to write a new data block, the SSD controller immediately assigns a new empty flash cell to the logical address the OS is referring to. This is called remapping. In today’s SSDs, remapping occurs all the time.

The big forensic question is: what happens to a ‘dirty’ data block then? Does its content immediately disappear, or can it still be extracted from an SSD drive? Today more than ever, the answer is “it depends”.
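To make the remapping, trim and garbage collection behaviour above concrete, here is an added toy model (not code from the Belkasoft article; cell counts, block contents and the single-cell granularity are simplifications made up for this demo). It shows the two answers hidden in “it depends”: after a trim the logical address no longer returns the data, but the physical cell still holds it until garbage collection has run.

```python
"""Toy flash translation layer: logical block -> physical NAND cell.

Added example, not from the article. One NAND cell per logical block and a
handful of cells are simplifications; real controllers work on pages/blocks.
"""
from typing import Dict, List, Optional, Set, Tuple

ERASED = None  # an erased NAND cell holds no data and can be written


class ToySsd:
    def __init__(self, cells: int) -> None:
        self.cells: List[Optional[bytes]] = [ERASED] * cells  # physical NAND
        self.l2p: Dict[int, int] = {}     # logical block address -> cell index
        self.dirty: Set[int] = set()      # cells scheduled for erase by GC
        self.wear: List[int] = [0] * cells  # writes per cell (wear leveling)

    def _free_cell(self) -> int:
        # Wear leveling: among erased cells, pick the least-written one.
        free = [i for i, c in enumerate(self.cells) if c is ERASED]
        if not free:
            raise RuntimeError("no erased cells: garbage collection must run")
        return min(free, key=lambda i: self.wear[i])

    def write(self, lba: int, data: bytes) -> int:
        """Remapping: new data goes to an erased cell; the old cell turns dirty."""
        if lba in self.l2p:
            self.dirty.add(self.l2p[lba])
        cell = self._free_cell()
        self.cells[cell] = data
        self.wear[cell] += 1
        self.l2p[lba] = cell
        return cell

    def read(self, lba: int) -> Optional[bytes]:
        """Logical read through the controller: unmapped blocks return nothing."""
        cell = self.l2p.get(lba)
        return None if cell is None else self.cells[cell]

    def trim(self, lba: int) -> None:
        """The OS reports the block as unused; its cell joins the dirty list."""
        cell = self.l2p.pop(lba, None)
        if cell is not None:
            self.dirty.add(cell)

    def garbage_collect(self) -> int:
        """Erase every dirty cell; returns the number of cells erased."""
        erased = len(self.dirty)
        for cell in self.dirty:
            self.cells[cell] = ERASED
        self.dirty.clear()
        return erased

    def physical_dump(self) -> List[Optional[bytes]]:
        """What a chip-off read of the raw NAND would show."""
        return list(self.cells)


def trace_after_trim(run_gc: bool) -> Tuple[Optional[bytes], int]:
    """Write a block, trim it, optionally run GC; report what is still there.

    Returns (what a logical read of the block gives, how many physical cells
    still contain the data). Block content is constructed for the demo.
    """
    ssd = ToySsd(cells=4)
    ssd.write(lba=7, data=b"evidence")
    ssd.trim(7)
    if run_gc:
        ssd.garbage_collect()
    return ssd.read(7), ssd.physical_dump().count(b"evidence")


def trace_overwrite() -> Tuple[int, int, int]:
    """Overwriting a block remaps it: returns (old cell, new cell, dirty count)."""
    ssd = ToySsd(cells=4)
    first = ssd.write(lba=3, data=b"version 1")
    second = ssd.write(lba=3, data=b"version 2")
    return first, second, len(ssd.dirty)


if __name__ == "__main__":
    print("trimmed, GC not yet run:", trace_after_trim(run_gc=False))
    print("trimmed, GC has run:    ", trace_after_trim(run_gc=True))
    print("overwrite remaps to a new cell:", trace_overwrite())
```

Before garbage collection the old content is absent from the logical view but still present on the NAND; afterwards it is gone from both, which is why the timing of acquisition matters.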

M.2: Thinner and Lighter SATA SSDs

M.2 is a form factor. Devices conforming to the M.2 form factor can use SATA, PCI-E or USB 3.0 connectivity. Most M.2 SSD drives are SATA or PCI-E devices using AHCI as the logical interface. Some high-end models use PCI-E connectivity and NVMe for interfacing. A laptop equipped with an M.2 SSD drive may or may not be able to use trim if it runs Windows 7.

Originally, SSD drives were available as 2.5” (notebook-size) disks. This was a real limitation when making ultra-portable devices. To overcome this problem, the industry started using M.2, a relatively new form factor for SSD modules used in thin and light devices.

Intel 530 Series M.2 SSD Drive

M.2 devices feature a standard PCI-E connector. While most M.2 SSD drives conform to the AHCI specification, supporting all the features of their full-size counterparts and being recognized by the OS as a standard SATA SSD, some models conform to the newer NVMe specification that requires a different driver stack.

M.2 SSD drives can be used with some desktop motherboards

Strictly speaking, an M.2 SSD drive can be one of the following:

  • Legacy SATA. Many M.2 SSD drives employ the legacy SATA connection, and are interfaced through the AHCI driver. These M.2 drives behave no differently from standard 2.5” SSD drives.
  • PCI-E using AHCI. This standard is used for those PCI-E SSDs that utilize the PCI Express lanes for connection and AHCI for interfacing with the device. These drives require the OS to include the correct drivers.
  • PCI-E using NVMe. These are the fastest SSD drives that are the least compatible, as they are very new. Installing an NVMe drive into a PC without proper BIOS support may result in an unbootable system. Many motherboards cannot boot from NVMe drives; however, Windows can access such drives with proper drivers even if an older motherboard is used. So far, we have not seen many of these, yet they make their way to some high-end models.

PCI Express (PCI-E) SSDs

PCI-E, or PCI Express, is a physical connectivity standard. PCI-E SSD drives are available in a wide range of form factors including full-size desktop expansion boards, M.2, proprietary and soldered portable storage solutions. PCI-E SSDs can use AHCI or NVMe for interfacing.

Technically, M.2 SSDs are PCI-E devices. However, the PCI-E specification is much broader than M.2. As such, manufacturers can produce proprietary PCI-E SSD drives that do not conform to the M.2 standard, and that may not be used in computers designed to accept M.2 compliant SSD drives.

PCI-E SSD drives are most commonly used in certain high-end workstations (full-size form factor) as well as in some ultra-slim models (such as, for example, Apple’s MacBook 2015). These proprietary storage devices attach directly to the computer’s PCI-E bus, and require the OS to use the correct driver.

Most but not all PCI-E SSD drives support all of the same technologies as their full-size SATA-connected counterparts. Depending on the version of the driver, OS version, and the model of the PCI-E SSD drive, these disks may or may not work correctly with trim.

On a logical level, PCI-E SSD drives can work via the AHCI or NVMe interface.

Intel NVMe SSD drive.

In general, the following compatibility matrix applies to PCI-E SSDs:

  • Mac OS X: trimming is supported on all Apple devices with factory installed PCI-E SSD drives.
  • Macbook computers running Windows: Apple Macbooks use proprietary PCI-E SSD drives. Normally, Apple Boot Camp is used to install Windows as a dual-boot or sole OS. In these configurations, trim pass-through is supported where applicable (see below).
  • Windows: trim support for PCI-E drives depends on Windows version and the presence of the correct driver.
    • Windows 7: trim not supported on PCI-E drives regardless of the drivers, even if the PCI-E SSD would accept the command.
    • Windows 8, 8.1 and Windows 10: trim supported with native Microsoft drivers. Trimming in NVMe-based PCI-E SSDs is also supported. Devices using the SCSI driver stack support ‘unmap’, which is a full analog of the trim command from SATA.

NVM Express (NVMe) SSDs

NVMe is a modern logical interface specification that replaces the old AHCI. NVMe is employed in certain high-end PCI-E SSD models in various form factors. The Apple MacBook 2015 uses an NVMe interface on a proprietary SSD drive soldered to the motherboard. NVMe is still fairly new, with some motherboards failing to recognize NVMe storage as bootable devices.

NVM Express, or NVMe, is a relatively new logical drive interface for implementing non-volatile storage over a PCI Express (PCI-E) bus. NVMe has been designed from the ground up to realize the low latency and internal parallelism of flash-based storage devices.

Similar to SATA SSD drives that exist as 2.5” drives and as slim M.2 boards, NVM Express devices are also available as full-size PCI Express expansion cards, laptop-size boards and 2.5” drives that look similar to SATA SSD drives, only utilizing a PCI Express interface through the U.2 connector instead of a SATA port.

Some NVMe drives look like an ordinary SSD.

NVMe includes trim support as part of the optional command set. In real-life scenarios, NVMe SSD drives are typically found in high-end systems that are properly configured to enable data trimming.

Imaging M.2 and PCI-E SSDs

Forensic imaging of storage devices has its own demands. In particular, the connection to a write-blocking device is an obligatory requirement for digital forensics.

Imaging an M.2 or PCI-E SSD drive requires the use of a dedicated adapter. At this time, there are very few forensic disk imaging solutions targeting M.2 or PCI-E storage devices. Considering that there are at least three different types of M.2 SSDs (here we will not talk about the differences between B-key and M-key connectors), you are looking for a solution to support M.2 SATA (AHCI), M.2 PCI-E (AHCI) and M.2 PCI-E (NVMe) devices.

One solution that supports all three types of M.2 SSDs (albeit with M-key connectors only) is Atola DiskSense. The M.2 SSD drive is first connected to an adapter, then plugged into the imaging unit. Full support is available for SATA devices, while essential features (such as imaging and damaged drive support) are provided for PCI-E drives.

Atola M.2 adapter

Atola M.2 adapter attached to the imaging unit

Atola DiskSense creates forensically sound disk images that can be analyzed with your forensic tool of choice.

Atola DiskSense is included in Computer Acquisition Module for Evidence Center. Together with a portable RAM capturing tool, this combination of software and hardware will allow you to cover the full forensic cycle from acquisition stage to evidence discovery, analysis, and reporting.

Belkasoft Evidence Center can mount and analyze disk images created by Atola DiskSense, as well as many other types of images

Imaging Apple Proprietary PCI-E SSDs

Apple-made SSD drives used in full-size Macbooks employ proprietary connectors. In addition to being PCI-E, Apple’s SSD drives are also NVMe (as opposed to being AHCI-compliant). Forensic solutions for reading NVMe drives are virtually non-existent, while finding forensic-grade hardware for acquiring Apple proprietary SSD drives can be plain difficult.

Atola manufactures an extensible imaging solution that comes with a number of optional adapters including adapters for imaging proprietary Apple PCI-E SSDs:

Adapter for imaging Apple PCI-E SSDs

Apple adapter at work

Read more in Part 2 soon

In a couple of weeks, we will bring out more on the topic with insight into eMMC storage, eMMC trimming, and external SSDs.

About authors

Oleg Afonin is an author, expert, and consultant in computer forensics.

Yuri Gubanov is a renowned digital forensics expert. He is a frequent speaker at industry-known conferences such as CEIC, HTCIA, FT-Day, TechnoSecurity and others. Yuri is the Founder and CEO of Belkasoft, the manufacturer of digital forensic software empowering police departments in about 70 countries. With years of experience in the digital forensics and security domain, Yuri has led forensic training courses for multiple law enforcement departments in several countries. You can add Yuri Gubanov to your LinkedIn network at http://linkedin.com/in/yurigubanov.

About Belkasoft Research

Belkasoft Research is based at St. Petersburg State University, performing non-commercial research and scientific activities. A list of articles by Belkasoft Research can be found at belkasoft.com/articles.


DFRWS EU – Recap


This article is a recap of some of the main highlights from DFRWS EU which took place at the University of Lausanne, Switzerland, from the 29th-31st of March 2016.

Conference Highlights

The conference began with a discussion of virtual currencies by André Fischer, Jakob Hasse and Thomas Gloe from dence GmbH. The speakers covered public perception of virtual currencies, particularly the idea of cryptocurrencies providing a theoretically “free” and international form of currency that is virtually untraceable. They focused primarily on Bitcoin, giving an overview of its usage to date and a demonstration of how the setup works.

Following on from this was a discussion of evidence exchange between courts in Europe. Mattia Epifani and his colleagues presented the work they have done so far on the EVIDENCE project, which helps the European Commission with issues surrounding data exchange across borders. Addressing the concerns of law enforcement agencies, corporations and individual practitioners, it aims to redefine the status quo and bridge the gap in the collection, use and exchange of digital evidence within Europe.

The remainder of the first day was taken up with workshops, which were divided into tracks, with options including Microsoft Exchange forensics, Plaso Parser, Tranalyzer and Windows Event Log analysis.

The main conference began on Wednesday 30th with a keynote from Eoghan Casey and David-Olivier Jacquet-Chiffelle, who spoke about the challenges of digital forensic investigations and how they fit into forensic science as a whole. Casey summed it up in a useful soundbite:

A particularly interesting part of the discussion looked at the concept of subjective versus objective analysis. In scientific fields generally, the latter is seen to be the most useful way of solving a problem or concluding an investigation; however, as Jacquet-Chiffelle pointed out, it is not always quite that simple.

After the morning break was a session concerned with memory forensics. Arkadiusz Socala demonstrated automatic profile generation for live Linux memory analysis, and this was followed by a presenter from BlackBag Technologies who demonstrated pool tag scanning for Windows memory analysis, and compared the tool against well-known alternatives such as Volatility and Rekall.

Oren Halvani spoke about authorship verification, the goal of which is to define who wrote a given document, usually in cases where it is suspected that two documents were written by the same author, despite apparent evidence to the contrary. Modelling the writing style of the author(s) involved was put forward as the best way to do this, and Halvani then demonstrated how this is achieved and extended across different languages and genres of text.

The next subject of discussion was RAID assembly. Christian Zoubek presented his research into reconstructing RAID content from single disks, or from disk images. Following this, Ludovic Staehli spoke about the analysis of drug trafficking on the dark net, and talked through various investigative methods. The presentation included a demonstration of how various branches of forensic science can work together effectively on investigations; in this case, digital, chemical and physical traces were being analysed.

The next subject of discussion followed on nicely from the dark net drug trafficking demonstration, with representatives from the School of Criminal Justice talking about how they use internet forums to monitor the online trafficking of drugs.

Mattia Epifani then took to the stage with a presentation of how to uncover Windows 8 artefacts and secrets, including an overview of default user accounts and how Windows Vaults can be decrypted with open source software to uncover useful evidence.

The final session of the day was devoted to data acquisition, with Shahad Saleem from Pakistan’s National University of Science and Technology presenting a case study for tool selection in mobile device forensics. This was followed by a lively discussion of cold-boot attacks on scrambled DDR3 memory, and how they are still working even with modern technological advances.

The day ended with a gala dinner, including the legendary “forensics rodeo” challenge, along with the best paper award. This year’s forensics rodeo winners were a joint team from Arxsys, RealityNet and a variety of other companies:

(c) Bruno Kerouanton 2016

The last day of DFRWS EU kicked off with a fascinating presentation of the forensic analysis of drones, by Zeno Geradts from the University of Amsterdam. Once again the topic of needing to link various forensic sciences together came up, and Geradts also pointed out that there have been huge developments in information storage in recent years, including a process for storing massive amounts of digital data in microscopic DNA strands.

The ever popular topic of data triage was next on the agenda, with Ben Hitchcock addressing the problem of backlogs in forensic investigations and underlining that the problem is only getting bigger as time goes on.

Hitchcock also pointed out that it is important to not overlook the impact backlogs can have on suspects and their families, adding that if it takes two years to solve a case, that is two years of a person who may not be guilty being put through a huge amount of mental strain.

Noora Al Mutawa from the University of Central Lancashire (UK) gave an interesting presentation on how behavioural evidence analysis can be used in cyber stalking investigations. Al Mutawa championed a multidisciplinary approach, in which forensic psychology and digital forensics can work hand in hand to solve cases more quickly and effectively.

Hans Henseler then presented Digital Evidence Dashboard – a combined project with Adrie Stander from Cape Town University – and this was followed by Claudia Mena discussing how to analyse data from Orweb anonymiser on Android devices.

The following session, chaired by Mark Scanlon from University College Dublin, discussed cloud forensics, including the forensic analysis of cloud-native artefacts and conducting investigations of multi-user environments through session-to-session internet history analyses.

The conference concluded with a lively discussion concerning likelihood ratios, with very diverse viewpoints within the room about the usefulness and accuracy of likelihood ratios in forensic investigations.

The next DFRWS conference will be held in Seattle, WA from the 7th-10th of August 2016. The next European chapter of the conference will be held in Lake Constance, Germany from the 21st-23rd of March 2017. Anyone interested in attending either conference should consult the official website for details.


The Investigative Challenges Of Live Streamed Child Abuse


Among the challenges facing digital forensic investigators today, the instantaneous nature of online communication is arguably one of the most persistent. Trying to investigate whether a crime has occurred, and if so to bring its perpetrators to justice in a space that is constantly changing, is no simple task. With the Apple App Store alone reportedly growing by up to 1,000 applications per day[1], keeping up to date with the necessary methods of communication becomes increasingly difficult.

Just in the past twelve months, there have been instances of paedophiles using within-game messaging services to groom youngsters[2], as well as the wave of recent discussion regarding Isis’ purported use of encrypted messaging app Telegram to communicate[3].

For those whose specialism is investigating crimes against children, there is another element of online life that makes the job even more challenging: live streaming.

In a report published by the Child Exploitation and Online Protection Centre (CEOP) in early 2013, the live streaming of images and videos depicting children being abused in real time was described as an emerging trend. The report attributes this to a number of factors, including increasing high-speed internet penetration in developing nations; the availability of relatively cheap hardware such as webcams; and a “vast and comparatively wealthy overseas client base.”[4]

The demand for images and videos of child abuse existed long before the internet entered our homes, but there is no denying that the speed of modern communications, and the proliferation of cheap, easy to use devices through which relatively anonymous files and messages can be shared, is providing easier access to child abuse images and spreading the problem more quickly and further afield than ever before.

The internet allows for unprecedented growth in various other fields of communication, too. While in some respects this is undeniably a positive thing – we have more access to worldwide news than ever before, and people in oppressive political regimes have more of a chance to communicate with the rest of the world – it also means that the less savoury online trends enjoy the same chances of expedited growth.

By the time the Europol Financial Coalition Against Commercial Sexual Exploitation of Children Online released their 2014 report – just a year after the CEOP paper quoted above – live streaming in exchange for payment was “no longer an emerging trend but an established reality.”[5]

So what can be done? First of all, we asked Julia Davidson, Co-Director of the Centre for Abuse & Trauma Studies at Middlesex University, to outline some of the main challenges live streaming presents for law enforcement.

“There is currently no good empirical research in this area, so my response is based on anecdotal evidence and information from law enforcement experience. The EFC (European Financial Coalition Against Commercial Sexual Exploitation Online) report that was published in 2014 [stated] that indecent child images have become a currency in their own right and that offenders are increasingly using the dark web and bitcoin to avoid detection.

A challenge also facing law enforcement is the increased use of live streaming to share video [content] of child abuse. Unfortunately live streaming is much more difficult to discover once the stream has ended, and a fast response from law enforcement is necessary. The streaming is often not recorded, making it a form of real time abuse and also ensuring that no evidence remains.

The National Crime Agency in the UK recently undertook an operation that resulted in a sex offender ring, which streamed live sexual abuse of children, including 11 from the Philippines, some as young as six, being dismantled. Challenges in this area include the sad fact that some parents/families allow or enable the abuse for payment, the victims are often from poorer countries and offenders are willing to pay a great deal for the abuse. In this case over £37,000 was paid and 12 countries were involved in the arrest of the offenders.

An additional challenge in identifying and disrupting such rings is that the real time monitoring of streams presents policing, legal and technical challenges particularly across many geographical and jurisdictional boundaries, as offenders use many layers of anonymity online, encryption and multi-passwords, and in this way are often able to avoid detection.”

Devon Ackerman, a Supervisory Special Agent at the FBI, agrees:

“We can’t solve every untold story. In my mind, I think of Hollywood and its production of action movies. We all can think of a movie scene where the “good guy” is locked in a room, or tied to a chair, and is forced to watch as a family member or a friend is tortured. The “good guy” is a defenseless and helpless observer. In the end, even Hollywood understands the normal balance that we innately seek as human beings and the actor escapes, takes their “revenge,” brings satisfaction to the viewing audience, and an end to an imagined storyline.

In real life, those of us in Law Enforcement that have devoted our energy and mental well-being to rescuing innocence lost face a crippling realization that we can’t save them all. We can’t find them all. We can’t identify them all. Don’t misunderstand me – Law Enforcement is passionate, determined, and at times, extremely successful in rooting out child abusers as well as creators and possessors of child abuse material (18 U.S. Code § 2251 and 2252)[6], but as technology advances, so do the means which criminals use to avoid detection.”

All is not lost, however. While it may not be possible to set up and coordinate an international investigation quickly enough to prevent further abuse in real time – that is, while the streaming is actually taking place – it is highly unusual for abusers to simply watch live streamed content without saving any of it on their local machines. The most effective way to combat such crimes is therefore often through analysing collections of child abuse material seized from suspects’ computers, and comparing this against images that are already known to the authorities. In this way, evidence of new abuse images and videos can be collated, and law enforcement agents can then focus on identifying the children involved and ultimately removing them from harmful situations.

But this is easier said than done. The concept of “known images” is a common discussion point at child protection conferences. There are some sets of images that are seen time and time again by investigators; often these have been circulating for many years. With certain sets like these, investigators know who the victims are, and sometimes the original perpetrators have already been brought to justice. These are the “known knowns”. Other images are familiar and are seen fairly frequently, but the victims or perpetrators are not known. These are the “known unknowns”. In the case of preventing further live streaming of child sexual abuse online, however, what investigators need to find and analyse are the “unknown unknowns”.

An “unknown unknown” is an image that is not known to investigators, and has therefore probably not been circulating in child abuse circles for very long. Some of these will be taken by the perpetrators themselves, and will depict their own family members or children to whom they have access. However, others may be screenshots or downloaded images from live streamed child abuse which has been made to order.

To consumers and sharers of such content, having access to never before seen images is very useful. As investigative methods have improved over the years, so too have criminals’ methods of evading detection become increasingly sophisticated. Nowadays, in order to access some of the more hardcore and niche content in the child abuse sharing community, new members are often required to share an image that has not been previously seen by others in the space. The idea behind this is that law enforcement agents will understandably not want to promote or share images of child abuse, including (and perhaps especially) those that are not widely known, and therefore the likelihood of any new member being an undercover investigator decreases.

This does mean, however, that for those who have no direct access to children and who cannot create their own new images, live streaming is becoming an increasingly popular way to source content depicting new victims of abuse.

But how do law enforcement agents work out whether an image is an “unknown unknown”? After all, while police forces have reported seizures of up to two and a half million images in a single collection[7], not all investigators will have seen all the images. It is unrealistic to rely on human memory to work out whether an image has been seen before.

Image hashing is a common way of classifying depictions of child abuse, as well as categorising images of other crimes and of innocuous content. It is relatively straightforward for an investigative team to hash the images they collect and use these hash values to verify the content of files seized from new devices.

Devon Ackerman elaborates:

“Hashing identification systems within law enforcement circles have allowed investigators to more quickly identify where child exploitation material may be sequestered on a storage device and may even assist with initial legal processes. Rare, if not non-existent, are situations where entire cases are solved with image hashing lists, but the workloads are reduced with a properly used hash list.

If we recall from our college info. tech classes, hashing is simply a mathematical algorithm used in computer forensics for “digital fingerprinting” purposes, i.e., taking a variable length of digital information (data) and representing it with a fixed length value (e.g., hash). Any single-byte alteration to the original results in a new fixed length value. With modern operating systems and Web 3.0 applications, the process of applying visual effects to images (adjusting brightness or contrast or adding a black square to obscure a face), resizing an image (1920×1028 -> 1024×768), and image or video compression techniques all result in a new underlying data structure and a new hash for arguably identical or near-identical content (as observed by the naked eye).

The separate highlighted problem of diverging hashes from techniques applied to data when creating copies of it is being addressed with image comparison, facial recognition, and skin tone detection technologies that the private sector and other groups are developing.”

Another challenge comes when crimes take place across different jurisdictions. Many criminal activities are not localised to a single territory, and the live streaming of child abuse is one such crime.

Operation Endeavour began in 2012 and to date has seen the arrests of individuals from twelve countries. The majority of the child abuse content was actually being created in, and streamed from, the Philippines, but most of the consumers of the content were based in the Western world. The operation required the joint efforts of the UK’s National Crime Agency, Australia’s Federal Police, and the US’ Immigration and Customs Enforcement teams.[8]

Such large-scale projects require large-scale budgets and a huge amount of investigators’ time, but Ackerman holds out hope for increasing international investigations:

“We are presented with a couple of obstacles regarding cross-border matters stemming from differing laws between countries and governing structures as well as financial (cost of investigations) considerations. There are also the investigative priorities of Agencies involved and the strained ranks of smaller countries and their governments.

I have been in meetings with representatives from other countries discussing matters related to how my organization executes Digital Forensics processes and when I mention that we have hundreds of examiners across the whole of the enterprise, I am met with looks of amazement because their whole country’s worth of certified and trained expertise is sitting at the conference table with me! All of the aforementioned factors need to align for a mission to move forward in a timely manner, but in the end, a passion for the work and a passion to succeed are a must.”

In summary, then, the live streaming of child sexual abuse is a growing problem, and one that is not easily investigated. However, progress is being made; advances in “fuzzy hashing” algorithms[9], which allow investigators to compare different images and see what percentage of the content is similar, are one way in which the field is moving forward. International cooperation on child protection investigations is also allowing investigators to uncover more evidence than ever before, and it can only be expected that as time moves on, methods of solving large-scale child protection cases will continually be developed.
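As an added illustration of the two points above (the Ackerman quote on why a brightness change or resize produces a completely new cryptographic hash, and the “fuzzy hashing” similarity percentage mentioned in the summary), the following example was written for this article and is not code from Forensic Focus, Belkasoft or any investigative tool. It compares SHA-256 of the raw pixels with a 64-bit difference hash (dHash, a standard perceptual hash, not the specific algorithm of any product named on the page) on constructed synthetic grayscale images.

```python
import hashlib
from typing import List

Image = List[List[int]]  # rows of 8-bit grayscale pixel values

def make_sample_image(width: int = 64, height: int = 64) -> Image:
    """Constructed sample: a diagonal gradient with a brighter rectangle.
    Values stay below 230, so the brightness shift used below never saturates."""
    img = []
    for y in range(height):
        row = []
        for x in range(width):
            value = 2 * x + y
            if 16 <= x < 40 and 20 <= y < 44:
                value += 40
            row.append(value)
        img.append(row)
    return img

def make_unrelated_image(width: int = 64, height: int = 64) -> Image:
    """Constructed control image: the same gradient running the other way."""
    return [[190 - (2 * x + y) for x in range(width)] for y in range(height)]

def adjust_brightness(img: Image, delta: int) -> Image:
    """Uniform brightness change, clamped to the 8-bit range."""
    return [[max(0, min(255, v + delta)) for v in row] for row in img]

def resize_box(img: Image, new_w: int, new_h: int) -> List[List[float]]:
    """Box-filter downscale: each output pixel is the mean of its source block."""
    h, w = len(img), len(img[0])
    out = []
    for oy in range(new_h):
        y0, y1 = oy * h // new_h, max((oy + 1) * h // new_h, oy * h // new_h + 1)
        row = []
        for ox in range(new_w):
            x0, x1 = ox * w // new_w, max((ox + 1) * w // new_w, ox * w // new_w + 1)
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out

def resize(img: Image, new_w: int, new_h: int) -> Image:
    """Integer-valued resize, standing in for 'saved at a smaller size'."""
    return [[int(round(v)) for v in row] for row in resize_box(img, new_w, new_h)]

def sha256_of_image(img: Image) -> str:
    """Cryptographic hash of the raw pixels: any single changed byte alters it."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()

def dhash(img: Image, hash_size: int = 8) -> int:
    """Difference hash: downscale to (hash_size+1) x hash_size pixels and record
    whether each pixel is brighter than its left neighbour (64 bits by default).
    Uniform brightness changes and modest resizes leave the comparisons intact."""
    small = resize_box(img, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for x in range(hash_size):
            bits = (bits << 1) | (1 if row[x + 1] > row[x] else 0)
    return bits

def hamming_distance(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def similarity_percent(a: int, b: int, bits: int = 64) -> float:
    """The kind of 'percent similar' figure a fuzzy hash comparison reports."""
    return 100.0 * (bits - hamming_distance(a, b)) / bits

if __name__ == "__main__":
    original = make_sample_image()
    for label, variant in [("brightness +20", adjust_brightness(original, 20)),
                           ("resized to 32x32", resize(original, 32, 32)),
                           ("unrelated image", make_unrelated_image())]:
        same_sha = sha256_of_image(variant) == sha256_of_image(original)
        sim = similarity_percent(dhash(original), dhash(variant))
        print(f"{label:18} SHA-256 match: {same_sha!s:5}  dHash similarity: {sim:5.1f}%")
```

A production hash list would pair an exact hash (for the “known knowns”) with a perceptual hash and a distance threshold, since an attacker-style edit that crops or flips the image can still defeat a plain dHash.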

All opinions stated by individuals quoted in this article are their own and do not necessarily reflect those of their employers.

Sources: [1], [2], [3], [4] (PDF), [5] (PDF), [6], [7] (PDF), [8], [9] (PDF)


SSD and eMMC Forensics 2016 – Part 2


What Has Changed in 2016 in the Way SSD Drives Self-Destruct Evidence. Demystifying eMMC, M.2, NVMe, and PCI-E.

by Yuri Gubanov, Oleg Afonin
© Belkasoft Research 2016

In the first part of this article, we reviewed different kinds of the most commonly used modern SSDs (M.2, PCI-E, NVMe devices) and talked about acquisition of these devices. In this part of the article, we will talk about external SSDs and eMMC and will cover trimming of eMMC.

The Advent of eMMC Storage

eMMC is a storage specification for flash-based non-volatile storage used in many compact and mobile devices. You will find eMMC storage in most Android smartphones, Android and Windows tablets, and in some of the less expensive Windows convertibles, low-end netbooks and ultra-portable devices, particularly those equipped with smaller displays and Intel Atom CPUs. eMMC storage has a lot in common with SD cards, and lacks the sophistication and parallelism of SSD drives.

Traditionally, SSD drives have been large and expensive. Recent generations of Windows tablets, convertibles and ultra-light nettops (most of which are built around Intel Atom chip sets) employ a much smaller, cheaper and slower kind of storage in the form of eMMC chips. An eMMC chip is essentially an SD card that is built as a BGA chip soldered to the main board. Just like SSD drives, eMMC chips have a built-in controller, although eMMC controllers are considerably simpler and slower compared to those used in SSD drives. As a result, while eMMC may employ many of the same techniques as SSD drives (namely, overprovisioning, remapping, trimming and background erase), they may not implement some other options (e.g. many security features such as DRAT or DZAT). Even if an eMMC controller implements background garbage collection, it is going to work much slower compared to SSD drives since there is only a single channel available that is used for all read and write operations. eMMC chips do not have the massive parallelism of SSD drives, and are much slower to read or write data.

Notably, the eMMC standard does properly define trimming of empty blocks. So what happens to trimmed blocks located on an eMMC chip? Similar to an SSD drive, they may or may not be mapped out of the addressable space at any given time. Unlike SSDs, the eMMC standard does not define either DRAT (definite read after trim) or DZAT (definite zeroes after trim), which leaves it to the eMMC manufacturer to define what exactly the storage controller returns when an attempt is made to read a trimmed data block. In our experience, trimmed blocks that have not yet been erased may still be read by making a physical dump of the eMMC chip (via physical acquisition, JTAG, ISP or chip-off).

Imaged eMMC chips have a much higher probability of retaining data in trimmed blocks than SSD drives.

Similar to SSD drives, eMMC chips may have an overprovisioned area that is non-addressable and inaccessible from the outside. There is no feasible way of extracting information from the overprovisioned area. The area is invisible to physical acquisition, JTAG, ISP or chip-off since overprovisioned data blocks are not mapped onto available address space. Only the built-in controller has access to these data blocks. No interface is exposed to allow reading them from outside of the chip. Even if you take the chip out and read it directly, you will be unable to access overprovisioned blocks, as chip-off extraction of eMMC chips still relies on sending commands to the eMMC controller.

A Word on External SSDs: The Advent of UASP

In our original article, we claimed that external SSD drives and USB enclosures did not provide trim functionality. Since then, a relatively new development has emerged.

A new storage connectivity protocol was developed specifically for attaching solid-state storage over USB. USB Attached SCSI (UAS or UASP) is a new protocol that uses the standard SCSI command set instead of the older USB Mass Storage protocol available in most current products.

Essentially, the new protocol supports trim pass-through via the SCSI UNMAP command. However, for trim to work, all of the following conditions must be met:

  • Full hardware support for UASP: computer motherboard, SSD, and storage controller in the enclosure must all support UASP
  • OS support: Windows natively supports UASP since Windows 8
  • Drivers: only a handful of UASP-compliant chipsets have Windows driver support
  • Cable and USB port: UASP will only work if the device is connected with a USB3.0 cable to a USB3.0 port. Connecting with a different cable or using a legacy USB2.0 port will in most cases break compatibility (the drive will still work as a USB Mass Storage device but no trim support will be available)

UASP compliant external storage devices have been around since late 2014, so it is about time we include them in our new article.

More on USB3.0 TRIM support in this AnandTech article.

eMMC: Trimming Behavior in Windows and Android

Trimming behavior differs between Windows and Android devices. Since you are very likely to encounter eMMC memory in an Android smartphone or tablet, we mention it here, although more specialized Android literature will give you much more technical detail.

Windows

The trim command is issued immediately after the operating system releases a data block. Trimming only works on NTFS-formatted partitions. In addition, Windows 8 and later have a built-in disk optimization and defragmentation tool that can run periodically and trim the entire unallocated space on solid-state media. Windows 7 also has a disk defragmentation utility, although it does not come with optimization for solid-state media. In other words, once a file is deleted from an eMMC disk in Windows, you may assume that its disk space has been trimmed (but not necessarily erased by the eMMC controller).

Android

Full trim support is only available in Android since version 4.3 Jelly Bean. Moreover, one can only be certain that an Android device has active trim support if the device originally shipped with Android 4.3 or newer. Many devices that shipped with Android 4.2 and were later updated to Android KitKat or even Lollipop never received trim support from their manufacturers (although some other devices did).

According to Google, some 25% of all active Android devices are running Android 4.2 or earlier. Of those 34% running Kit Kat, an unknown number were updated from earlier versions of Android and did not receive full trim support. What about these older devices then?

Earlier versions of Android relied on Linux fstrim for cleaning up unused data blocks. With no ‘live’ trimming available, the cleanup (trimming) was performed every time the device was shut down. This is one of the reasons the ACPO guidelines detail the process of seizing and storing mobile devices in their original state (“if it’s turned on, don’t turn it off”).

If you are handling an Android device, and it is one of the older ones, you may be able to dump a physical image of its eMMC chip and have full access to its unallocated space.

Analyzing contents of SSD and eMMC devices with Evidence Center

Once you are through with the acquisition part, you will need a reliable forensic tool to examine the data source. Belkasoft Evidence Center is an all-in-one forensic solution that allows investigators to quickly and conveniently discover hundreds of types of evidence, such as images and videos, documents, chats, browsing histories, system files, databases, and many more. Evidence Center can analyze any operating system, computer as well as mobile. The reporting feature is fast and convenient and has multiple options for investigators to choose from, and reports created by the product are accepted by courts worldwide.

Get your hands-on experience in working with Evidence Center! Request a fully functional evaluation license at https://belkasoft.com/trial.

Part 3: Use Cases

The next part of the article will be published in a couple of weeks. It will contain a number of real-life examples of SSD usage and problems that people may face in doing so.

About the authors

Oleg Afonin is an author, expert, and consultant in computer forensics.

Yuri Gubanov is a renowned digital forensics expert. He is a frequent speaker at industry-known conferences such as CEIC, HTCIA, ICDDF, FT-Day, and others. Yuri is the Founder and CEO of Belkasoft, the manufacturer of digital forensic software empowering police departments in about 70 countries. With years of experience in the digital forensics and security domain, Yuri has led forensic training courses for multiple law enforcement departments in several countries. You can add Yuri Gubanov to your LinkedIn network at http://linkedin.com/in/yurigubanov.

About Belkasoft Research

Belkasoft Research is based at St. Petersburg State University and performs non-commercial research and scientific activities. A list of articles by Belkasoft Research can be found at https://belkasoft.com/articles.


Current Challenges In Digital Forensics


What is the most urgent question facing digital forensics today? That in itself is not a question with a straightforward answer. At conferences and in research papers, academics and forensic practitioners around the world converge to anticipate the future of the discipline and work out how to overcome some of the more challenging aspects of the field.

In September 2015, Forensic Focus ran a survey of digital forensic practitioners. Almost five hundred people responded, giving their opinions on a wide range of subjects from current challenges to child protection.

The question ‘In your opinion, what is the biggest challenge facing digital forensic investigators today?’ prompted a plethora of answers. Researchers from University College Dublin’s School of Computer Science have also been grappling with this question recently, as evidenced by a recent paper from David Lillis, Brett A. Becker, Tadhg O’Sullivan and Mark Scanlon.

The results of the Forensic Focus survey indicated that cloud forensics and encryption were two of the things investigators are most concerned about. Triage, or the increasing volume of data per investigation, was also a concerning factor, as were the growth in the number of digital crimes and a lack of training and resources in the field.


Regarding the difficulty of investigating cases where multiple devices may contain evidence, Lillis et al point out that “mobile and IoT devices make use of a variety of operating systems, file formats and communication standards, all of which add to the complexity of digital investigations. In addition, embedded storage may not be easily removable from devices, unlike for traditional desktop and server computers, and in some cases a device will lack persistent storage entirely, necessitating expensive RAM forensics. Investigating multiple devices also contributes to the consistency and correlation problem, where evidence gathered from distinct sources must be correlated for temporal and logical consistency. This is often performed manually: a significant drain on investigators’ resources.”

In a field in which a lack of training and resources has also been posited as a major challenge, the concern that overworked investigators are performing manual examinations of multiple devices becomes paramount. We are all familiar with the concept of “push-button” forensics, in which investigators are given basic training in the use of a certain tool without a thorough understanding of its inner workings and methodology.

Interestingly however, the thing that concerned Forensic Focus’ survey respondents the most was neither triage (11%) nor device proliferation (5%), but cloud forensics (23%) and encryption (21%).

The UCD research paper agrees that cloud-based data storage is a challenge.

“Typically, data in the cloud is distributed over a number of distinct nodes unlike more traditional forensic scenarios where data is stored on a single machine. Due to the distributed nature of cloud services, data can potentially reside in multiple legal jurisdictions, leading to investigators relying on local laws and regulations regarding the collection of evidence. This can potentially increase the time, cost and difficulty associated with a forensic investigation. From a technical standpoint, the fact that a single file can be split into a number of data blocks that are then stored on different remote nodes adds another layer of complexity thereby making traditional digital forensic tools redundant.”

In a presentation at TDFCON in 2015, Janice Rafraf, a law student at Teesside University, spoke about some of the main challenges concerning cloud forensic investigations. Not only are there the more obvious difficulties such as understanding how to access data stored in these relatively new environments, there are also legal concerns. Cloud-based investigations tend to be international, with data being stored in several physical locations, some of which may not be legally accessible, without even beginning to discuss the technical difficulties.

Cloud services are widely used for legitimate means as well, of course; but the rise in anonymising tools and distributed data storage makes it easier than ever for criminals to cover their tracks.

Scanlon et al elaborate in their paper:

“The use of IP anonymity and the easy-to-use features of many cloud systems, such as requiring minimal information when signing up for a service, can lead to situations where identifying a criminal is near impossible [Chen et al., 2012, Ruan et al., 2013].”

Speaking of anonymity and covering one’s tracks, the question of encryption is a thorny one in the field of digital forensics at present. With the recent legal battle between Apple and the FBI, and the subsequent decryption of the iPhone in question by an unknown third party, encryption has been at the forefront of the headlines and of people’s minds, bringing it into the public sphere more than ever.

We asked Yuri Gubanov, CEO of Belkasoft, about the forensic challenges of encrypted devices and how much of an impact they have on investigations.

“There is no single answer to this question. The challenges (and acquisition approaches) vary greatly between devices. For example, full-disk encryption on Windows desktop computers (BitLocker) can be attacked by capturing a memory dump via a kernel-mode tool (such as Belkasoft Live RAM Capturer) while the volume is mounted, and analyzing that memory dump to extract the binary decryption key. This allows mounting BitLocker volumes in a matter of minutes.

When talking about Android devices, the answer is “it depends” on who made the device and what version of Android it’s running. In many cases, Android devices can be dumped and decrypted even if the passcode is not known (this no longer works on Android 5 and newer, and does not work on Samsung-made smartphones since Android 4.2).

When talking about Apple smartphones and tablets, their implementation is exemplary, especially since Apple started using Secure Enclave in 64-bit hardware (iPhone 5S and newer). For such devices, other acquisition paths are used such as cloud acquisition.

Finally, if only some data is encrypted (e.g. by using NTFS encryption), the real challenge is in actually locating the encrypted data. This is not as easy a task as one might think. The encrypted file detection module for Belkasoft Evidence Center has a proprietary method implemented in order to be able to tell apart compressed files (e.g. ZIP, JPEG) and encrypted data.”
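To illustrate the “locating the encrypted data” problem Gubanov raises, here is an added example written for this article (it is not Belkasoft’s proprietary detection method, nor code from the page): a simple heuristic that combines per-file Shannon entropy with a check for known compressed-container signatures, so that high-entropy files opening with a ZIP, gzip, JPEG or PNG header are not mistaken for encrypted blobs. The signature list, the 7.5 bits-per-byte threshold and the sample inputs are all assumptions constructed inside the code.

```python
import gzip
import math
import os
from collections import Counter
from typing import Dict, Tuple

# Magic bytes of a few compressed or natively high-entropy container formats.
# Assumption: this short list is enough for the demonstration; real tooling
# carries many more signatures.
KNOWN_SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

HIGH_ENTROPY_THRESHOLD = 7.5  # bits per byte; 8.0 is the theoretical maximum


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_signature(data: bytes) -> str:
    """Name of the format whose magic bytes open the buffer, or 'unknown'."""
    for magic, name in KNOWN_SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def classify(data: bytes) -> Tuple[str, float, str]:
    """Return (verdict, entropy, signature) for one buffer.

    Entropy alone cannot separate ciphertext from compressed data: both look
    close to random. The header check does the separating: a buffer that opens
    with a known container signature is treated as compressed, a high-entropy
    buffer with no recognisable header is flagged as possibly encrypted. An
    encrypted container that keeps its header (an encrypted ZIP, say) is a
    known blind spot of this heuristic and is reported under its format name.
    """
    entropy = shannon_entropy(data)
    signature = identify_signature(data)
    if signature != "unknown":
        return "compressed", entropy, signature
    if entropy >= HIGH_ENTROPY_THRESHOLD:
        return "possibly-encrypted", entropy, signature
    return "plain", entropy, signature


def build_samples() -> Dict[str, bytes]:
    """Constructed inputs: varied CSV-like text, its gzip form, and random bytes
    standing in for ciphertext (a sound cipher's output is indistinguishable
    from random data, which is exactly why the header check is needed)."""
    lines = [f"{i:08d},{(i * 7919) % 10007},{'ok' if i % 3 else 'retry'}"
             for i in range(20000)]
    plain = "\n".join(lines).encode()
    return {
        "plain": plain,
        "compressed": gzip.compress(plain),
        "ciphertext_like": os.urandom(4096),
    }


def scan_samples() -> Dict[str, str]:
    """Verdict per constructed sample, the way a scanner would tag files."""
    return {name: classify(data)[0] for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        verdict, entropy, signature = classify(data)
        print(f"{name:16} entropy={entropy:.3f} header={signature:8} -> {verdict}")
```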

So what can be done in investigations where encrypted devices are essential for evidence? How can forensic practitioners rise to the challenge?

According to Gubanov, workarounds and exploits are the way forward.

“Most encryption schemes are designed to withstand brute-force attacks, so directly enumerating encryption keys and/or passwords is rarely possible (unless the same or very similar password was re-used on multiple accounts). In order to overcome encryption, experts are using a number of workarounds.

For example, a BitLocker volume can be unlocked if one knows the correct Microsoft Account password (if that is the case, one can simply retrieve the corresponding escrow key directly from Microsoft Account). Recovering that password is another story, but there are tools and techniques for doing that. One more method would be capturing a memory dump with Belkasoft Live RAM Capturer or a similar tool, then extracting a binary decryption key from that dump.

For Android smartphones, one has to know the weaknesses of each major Android release in order to overcome the protection. Even if this is not possible, one can still extract massive amounts of information from the user’s Google account, which may contain even more data than the phone itself. Apple smartphones are configured to back up information into the cloud by default, so those backups (if available) can be obtained and analyzed instead of attempting to break the device.”

Acquiring all the evidence isn’t the final challenge of the process, either. Even once all necessary data have been extracted, there still remains the need to go through it, work out what is useful or sufficient for the purposes of the investigation, and create a report to be presented in court or back to the client.

The research team at UCD agree:

“The digital evidence backlog is currently in the order of years for many law enforcement agencies worldwide. The predicted ballooning of case volume in the near future will serve to further compound the backlog problem – particularly as the volume of evidence from cloud-based and Internet-of-Things sources continue to increase.”

In summary, therefore, digital forensics as a field is experiencing a wide range of challenges, none of which are straightforward to overcome. In a world that rapidly develops new technologies, forensic practitioners can often find themselves desperately scrabbling to keep up. Arguably the best way of doing so is to ensure continued cross-collaboration between law enforcement agencies, academic institutions and corporate entities wherever possible. With an increasingly globalised society storing the bulk of its data online, the digital forensic field has the opportunity to use this trend to its advantage and collaborate more efficiently than ever before to help create effective solutions.

Read the full UCD research paper here. Find out more about Belkasoft Live RAM Capturer and Evidence Center here. 

