Accelerating forensic and incident response workflow: the case for a new standard in forensic imaging - AusCERT2016

Accelerating your forensic & incident
response workflow:
the case for a new standard in forensic
imaging
Dr. Bradley Schatz
Director, Schatz Forensic
AusCERT Conference 2016
© Schatz Forensic 2016

© 2016 Schatz Forensic
The volume problem increases the
latency between evidence identification
and useful findings
Identify Acquire Analyse Reporting
Latency

Pick one of the below
You can’t have both
Latency
Completeness Physical Acquisition
Triage
You preserve
everything but
analysis will have to
wait
Near immediate
results at the
expense of
potentially missing
evidence
Live forensics

How can we reduce latency?
While maximising completeness
Latency
Completeness Physical Acquisition
Triage
Increase
I/O
throughput?
Live analysis
while we
acquire?
Dynamic partial
acquisition?
Live forensics

What’s stopping me increasing I/O
throughput?
Background

Forensic Imaging v1.0: Raw
Linear bitstream copy + linear bitstream hash
$ dd if=/dev/hda bs=4k conv=sync,noerror | tee
C1.D1.raw | md5sum > C1.D1.md5.txt

Forensic Imaging v1.0: Raw
MD5
Source Hard Drive
ACMECo.C1.D1.raw
ACMECo.C1.D1.raw.txt
# Linear Bitstream Hash

What affects throughput in
acquisition?
Target
Storage
Interconnect Hash Filesystem Interconnect
Evidence
storage

I/O throughput in Acquisition is a
systems problem
Target
Storage
Evidence
storage
Target Storage Sustained Read
1TB Seagate 3.5” 7200rpm SATA 100 MB/s
Current generation 3.5” 7200rpm SATA 200 MB/s
Intel 730 SSD 550 MB/s
Macbook Pro 1TB ~1 GB/s
RAID 15000rpm SAS > 1 GB/s

systems problem
Target
Storage
Evidence
storage
Interconnect Gb/s Max MB/s
PCIe / NVMe / Thunderbolt > 1000
SATA3 / SAS 6 600
USB3 5 500
Gigabit Ethernet 1 100
USB2 .48 48

systems problem
Target
Storage
Evidence
storage
Algorithm Throughput MB/s
SHA1 619.23
MD5 745.65
Blake2b 601.87

Example: Forensic Duplicator
1TB Seagate Target
Target
Storage
Evidence
storage
SHA1
600MB/s
SATA3
Spinning
Disk
93.6MB/s
SAS 6G
500MB/s
SATA3
Spinning
Disk
200MB/s
Acquisition 1TB @ 93.6MB/s = 2h 58m
Verification 1TB @ 200MB/s = 1h 23m
TOTAL = 4h 21m
SAS 6G
500MB/s

LiveCD Ancient Workstation
Acquisition
Target
Storage
Evidence
storage
SHA1
600MB/s
SATA3
Spinning
Disk
100MB/s
USB2
45MB/s
SATA3
Spinning
Disk
200MB/s
Acquisition 1TB @ 45MB/s = 6h 10m
TOTAL = 12h 20m

LiveCD Ancient Workstation
Acquisition
Target
Storage
Evidence
storage
SHA1
600MB/s
SATA3
Spinning
Disk
100MB/s
USB2
45MB/s
SATA3
Spinning
Disk
200MB/s
Acquisition 1TB @ 45MB/s = 6h 10m
TOTAL = 7h 33m
After copy, verify
image on device with
faster interconnect

Forensic Imaging v2.0: EWF
Original design
Source Hard Drive
MD5
Deflate
ACMECo.C1.D1.e01
Source Hard Drive
# Linear BitStream Hash
Linear Compressed
Block Stream

The deflate algorithm is a significant
bottleneck
Target
Storage
Interconnect Hash Compress Filesystem Interconnect
Evidence
storage
Data Deflate MB/s Inflate MB/s
High entropy 40.4 IO bound
Low entropy 259 439
*Single core of quad core i7-4770 3.4Ghz measured with gzip

FTK Imager EWF Acquisition
1TB Seagate 75% full, 4 core i5-750
Target
Storage
Evidence
storage
SHA1
600MB/s
SATA3
Spinning Disk
100MB/s
SATA3
500MB/s
SATA3
Spinning
Disk
200MB/s
Acquisition 1TB @ 67.8MB/s = 4h 06m
TOTAL = 6h 42m
Deflate
67.8
MB/s

Forensic Imaging v2.1: EWF
Guymager (2008), X-Ways, recent ewfacquire
MD5
Deflate DeflateDeflate
Source Hard Drive
ACMECo.C1.D1.e01

Lacklustre throughput reports (2013)
• Practitioner reports
– Low 100’s MB/s [Zimmerman 2013]
• Research publications
– FastDD <= 110 MB/s [Bertasi & Zago 2013]
• Our experience
– Low powered CPU’s give low throughtput

Our approach to increasing I/O
throughput

Scale to 8-core i7 & uncontended IO?
Threaded EWF is CPU bound
Target
Storage
Evidence
storage
SHA1
600MB/s
SATA3
Intel 720 SSD
500MB/s
SATA3
500MB/s
SATA3
Samsung
850 EVO Pro
500MB/s
Acquisition 240GB @ 255MB/s = 14m 35s
Verification 240GB @ 350MB/s = 10m 37s
TOTAL = 25m 12s
Deflate
31.9MB/s/core
*8 core i7-5820k @ 3.20 GHz

How about using a faster compression
algorithm?
Target
Storage
Interconnect Hash Compress Interconnect
Evidence
storage
Compression Algorithm Throughput
MB/s/core*
Deflate (ZIP, gzip) 31.9
Snappy (Google BigTable/MapReduce) 1,400
LZO (ZFS) 1,540

Forensic Imaging v4.0: AFF4 (2009)
• ZIP64 based container
• Storage virtualization
• Open source
implementation &
specification

AFF4: Storage Virtualisation
ACMECo.S1.RAID0.af4
ACMECo.S1.D1.af4 # Linear Bitstream Hash
ACMECo.S1.D2.af4
Compressed Block Storage Stream
Virtual Storage Stream (Map)

ACMECo.S1.RAID0.af4
ACMECo.S1.D2.af4
Storage
virtualisation

ACMECo.S1.RAID0.af4
ACMECo.S1.D2.af4
Inter –container
referencing

Linear bitstream hashing isn’t parallelizable.
Max. rate ~600 MB/s on current gen. CPU’s
Target
Storage
Evidence
storage
Algorithm Throughput MB/s
SHA1 619.23
MD5 745.65
Blake2b 601.87

Our solution: Block based hashing.
Hash
Compress CompressCompress
Source Hard Drive
Hash Hash
Block Hashes
# Block Hashes Hash

Block hashing shifts the bottleneck from
from CPU to Source I/O
Target
Storage
Evidence
storage
SHA1
600
MB/s/core
SATA3
Intel 730 SSD
500MB/s
4x
SATA3
2GB/s
RAID0
4x SATA3
2TB
800MB/s
Snappy
Avg
1.5GB/s/core
*8 core i7-5820k @ 3.20 GHz
Acquisition application Linear Acquisition Verification
X-Ways Forensics 14:35
255 MB/s (15.3 GB/min)
10:37
350 MB/s (21.0 GB/min)
Wirespeed (linear) 7:23
500 MB/s (30.3 GB/min)
4:12
888 MB/s (53.33 GB/min)

How can we take advantage of these
speeds?

Block hashing shifts the bottleneck from
from CPU to Source I/O
Target
Storage
Evidence
storage
SHA1
600
MB/s/core
SATA3
Intel 720 SSD
500MB/s
4x
SATA3
2GB/s
RAID0
4x SATA3
2TB
800MB/s
Snappy
Avg
1.5GB/s/core
*8 core i7-5820k @ 3.20 GHz
Acquisition application Linear Acquisition Verification
X-Ways Forensics 14:35
255 MB/s (15.3 GB/min)
10:37
350 MB/s (21.0 GB/min)
Wirespeed (linear) 7:23
500 MB/s (30.3 GB/min)
4:12
888 MB/s (53.33 GB/min)
Realistic?
More likely USB3
or 1GbE

Idea: can we aggregate output I/O?
Use 2x USB3 drives?
Target
Storage
Evidence
storage
SHA1
600
MB/s/core
SATA3
Intel 720 SSD
500MB/s
2x
USB3
1GB/s
2x SATA3
2TB
400MB/s
Snappy
Avg
1.5GB/s/core
*8 core i7-5820k @ 3.20 GHz

AFF4 Striping
ACMECo.S1.D1.2.af4
ACMECo.S1.D1.1.af4
Disk 1
Disk 2
Source blocks striped over multiple
containers on multiple output disks

AFF4 Striping
ACMECo.S1.D1.2.af4
ACMECo.S1.D1.1.af4
Disk 1
Disk 2
A copy of the map is stored in each
container.

How can we analyse while we acquire?

Acquire and access in parallel?
dd + iSCSI access to target
MD5
Source Hard Drive
ACMECo.C1.D1.raw
iSCSI
Remote
analysis
tools

MD5
Source Hard Drive
ACMECo.C1.D1.raw
iSCSI
Remote
analysis
tools
Access is contended.
Poor interactive
performance (lag )

MD5
Source Hard Drive
ACMECo.C1.D1.raw
iSCSI
Remote
analysis
tools
Early termination
may not have a
complete filesystem

Idea: Start with a non-linear partial
image and add from there
Entire disk
All allocated
Interactive
analysis artifacts
High value
files
Volume & FS
Metadata,
Memory
Analysis

Raw Image : Non-linear acquisition
driven by live analysis?
Source Hard Drive
ACMECo.C1.D1.raw
iSCSI How do you generate a hash
over a non-linear image?

• Non-linear acquisition
• Hash based imaging
(deduplication)

Partial, non-linear, block based hashing
Hash
Compress CompressCompress
ACMECo.C1.D1.af4
Volume Metadata
Filesystem Metadata
Sparse Data
File Content
Unknown
Hash Hash
Block Hashes
Compressed Block Stream
# Block Hashes Hash
Virtual Block Stream (Map)
Source Hard Drive

• Partial acquisition
– Represent what we didn’t
acquire vs. what we
couldn’t acquire
• Block based hashing

Partial acquisition brings reproducibility
and elasticity to IR and triage
Target
Storage
Interconnect Hash Compress Network
Evidence
storage
SHA1
600
MB/s/core
SATA3
Spinning disk
200MB/s
1GbE
100MB/s
RAID0
4x SATA3
2TB
800MB/s
Snappy
Avg
1.5GB/s/core
*8 core i7-5820k @ 3.20 GHz
Partial IR acquisition 21.9GiB @ 102MiB/s = 3m 39s
Volume metadata, filesystem metadata, 16G pagefile,
Registries, Logs, Link files, Jump lists, WMI CIM Repo,
Prefetch, USN Journal, $Logfile, Scheduler artefacts

How can I work with AFF4 images?

Why adopt this?
My toolset doesn't support AFF4.
• Wait for support from vendors?
• Convert AFF4 to EWF on fast workstation
– Can be done in near same time it takes to simply
copy by only deflate compressing low entropy blocks
• Emulate Raw image in the filesystem?

Emulation of AFF4 containers as RAW

Emulated raw is faster than native
EWF.
X-Ways processing task X-Ways Native EWF X-Ways w/ Wirespeed FS Bridge
Verify 0:42 0:08
FS Data Recovery 3:35 3:20
Hashing & header
validation
1:59:03 1:05:25
Carving unallocated 0:41 0:44
Total 3:25:43 2:02:09
Image: 1TB Macbook Pro i7,
processed on 8 core i7

How does this affect workflow?

Native EWF Acquisition vs AFF4
Native EWF Processing vs AFF4 FS Bridge

Single Threaded
EWF?

Multi Threaded
EWF

AFF4

AFF4: Copies in half
the time due to
striped acquisition
over 2 x 200 MB/s
spinning disks.
EWF: I/O bound on
single 200MB/s disk

AFF4: Verification
completes in 8m. I/O
bound by RAID.
EWF: CPU bound

AFF4: Filesystem
search in around ½
time.
EWF: CPU bound?

AFF4 & EWF around
the same throughput.

Will the courts accept the AFF4 format?

Courts accept expert evidence
Is it reliable?
• Is the expert reliable?
• Is the underlying theory reliable?
– Reliable by way of the application of Scientific methods
(eg. Daubert)
– 4 scientifically peer reviewed papers, unrefuted
• Are the methods implementing the theory reliable?
– Tool testing (as always, the expert’s ultimate
responsibility)

AFF4 is used in the following
evimetry wirespeed

More information
Implementations
• https://evimetry.com/
• https://github.com/google/aff4
• http://www.rekall-forensic.com/docs/Tools/
• https://github.com/google/grr
Ongoing specification and papers
• http://www.aff4.org/
• http://dfrws.org/2009/proceedings/p57-cohen.pdf
• http://dfrws.org/2010/proceedings/2010-314.pdf
• http://dfrws.org/2015/proceedings/DFRWS2015-16.pdf

Conclusion
• Optimising forensic workflow is a systems
problem
• Existing forensic formats are a bottleneck for
todays systems
• Existing forensic formats are incompatible with
triage and reproducible live analysis
• The Advanced Forensic Format 4 solves the
above

Contact
Hard disk head by amckgill
Footprints by kimba
Dr Bradley Schatz
http://schatzforensic.com.au/
bradley@schatzforensic.com.au
Schatz BL (2012) Digital Evidence (Chapter)
in Expert Evidence, Freckelton & Selby Eds
Available online via Westlaw AU and
Thomson Legal Online

Accelerating forensic and incident response workflow: the case for a new standard in forensic imaging - AusCERT2016

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (19)

Semelhante a Accelerating forensic and incident response workflow: the case for a new standard in forensic imaging - AusCERT2016

Semelhante a Accelerating forensic and incident response workflow: the case for a new standard in forensic imaging - AusCERT2016 (20)

Último

Último (20)

Accelerating forensic and incident response workflow: the case for a new standard in forensic imaging - AusCERT2016

Notas do Editor