O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
Accelerating your forensic & incident response workflow: the case for a new standard in forensic imaging Dr. Bradley Schat...
© 2016 Schatz Forensic The volume problem increases the latency between evidence identification and useful findings Identi...
© 2016 Schatz Forensic Pick one of the below You can’t have both Latency Completeness Physical Acquisition Triage You pres...
© 2016 Schatz Forensic How can we reduce latency? While maximising completeness Latency Completeness Physical Acquisition ...
What’s stopping me increasing I/O throughput? Background
© 2016 Schatz Forensic Forensic Imaging v1.0: Raw Linear bitstream copy + linear bitstream hash $ dd if=/dev/hda bs=4k con...
© 2016 Schatz Forensic Forensic Imaging v1.0: Raw MD5 Source Hard Drive ACMECo.C1.D1.raw ACMECo.C1.D1.raw.txt # Linear Bit...
© 2016 Schatz Forensic What affects throughput in acquisition? Target Storage Interconnect Hash Filesystem Interconnect Ev...
© 2016 Schatz Forensic I/O throughput in Acquisition is a systems problem Target Storage Interconnect Hash Filesystem Inte...
© 2016 Schatz Forensic I/O throughput in Acquisition is a systems problem Target Storage Interconnect Hash Filesystem Inte...
© 2016 Schatz Forensic I/O throughput in Acquisition is a systems problem Target Storage Interconnect Hash Filesystem Inte...
© 2016 Schatz Forensic Example: Forensic Duplicator 1TB Seagate Target Target Storage Interconnect Hash Filesystem Interco...
© 2016 Schatz Forensic LiveCD Ancient Workstation Acquisition Target Storage Interconnect Hash Filesystem Interconnect Evi...
© 2016 Schatz Forensic LiveCD Ancient Workstation Acquisition Target Storage Interconnect Hash Filesystem Interconnect Evi...
© 2016 Schatz Forensic Forensic Imaging v2.0: EWF Original design Source Hard Drive MD5 Deflate ACMECo.C1.D1.e01 Source Ha...
© 2016 Schatz Forensic The deflate algorithm is a significant bottleneck Target Storage Interconnect Hash Compress Filesys...
© 2016 Schatz Forensic FTK Imager EWF Acquisition 1TB Seagate 75% full, 4 core i5-750 Target Storage Interconnect Hash Com...
© 2016 Schatz Forensic Forensic Imaging v2.1: EWF Guymager (2008), X-Ways, recent ewfacquire MD5 Deflate DeflateDeflate So...
© 2016 Schatz Forensic Lacklustre throughput reports (2013) • Practitioner reports – Low 100’s MB/s [Zimmerman 2013] • Res...
Our approach to increasing I/O throughput
© 2016 Schatz Forensic Scale to 8-core i7 & uncontended IO? Threaded EWF is CPU bound Target Storage Interconnect Hash Com...
© 2016 Schatz Forensic How about using a faster compression algorithm? Target Storage Interconnect Hash Compress Interconn...
© 2016 Schatz Forensic Forensic Imaging v4.0: AFF4 (2009) • ZIP64 based container • Storage virtualization • Open source i...
© 2016 Schatz Forensic AFF4: Storage Virtualisation ACMECo.S1.RAID0.af4 ACMECo.S1.D1.af4 # Linear Bitstream Hash ACMECo.S1...
© 2016 Schatz Forensic AFF4: Storage Virtualisation ACMECo.S1.RAID0.af4 ACMECo.S1.D1.af4 # Linear Bitstream Hash ACMECo.S1...
© 2016 Schatz Forensic AFF4: Storage Virtualisation ACMECo.S1.RAID0.af4 ACMECo.S1.D1.af4 # Linear Bitstream Hash ACMECo.S1...
© 2016 Schatz Forensic Linear bitstream hashing isn’t parallelizable. Max. rate ~600 MB/s on current gen. CPU’s Target Sto...
© 2016 Schatz Forensic Our solution: Block based hashing. Hash Compress CompressCompress Source Hard Drive Hash Hash Block...
© 2016 Schatz Forensic Block hashing shifts the bottleneck from from CPU to Source I/O Target Storage Interconnect Hash Co...
How can we take advantage of these speeds?
© 2016 Schatz Forensic Block hashing shifts the bottleneck from from CPU to Source I/O Target Storage Interconnect Hash Co...
© 2016 Schatz Forensic Idea: can we aggregate output I/O? Use 2x USB3 drives? Target Storage Interconnect Hash Compress Fi...
© 2016 Schatz Forensic AFF4 Striping ACMECo.S1.D1.2.af4 ACMECo.S1.D1.1.af4 Virtual Storage Stream (Map) Disk 1 Disk 2 Sour...
© 2016 Schatz Forensic AFF4 Striping ACMECo.S1.D1.2.af4 ACMECo.S1.D1.1.af4 Virtual Storage Stream (Map) Disk 1 Disk 2 A co...
How can we analyse while we acquire?
© 2016 Schatz Forensic How can we reduce latency? While maximising completeness Latency Completeness Physical Acquisition ...
© 2016 Schatz Forensic Acquire and access in parallel? dd + iSCSI access to target MD5 Source Hard Drive ACMECo.C1.D1.raw ...
© 2016 Schatz Forensic Acquire and access in parallel? dd + iSCSI access to target MD5 Source Hard Drive ACMECo.C1.D1.raw ...
© 2016 Schatz Forensic Acquire and access in parallel? dd + iSCSI access to target MD5 Source Hard Drive ACMECo.C1.D1.raw ...
© 2016 Schatz Forensic Idea: Start with a non-linear partial image and add from there Entire disk All allocated Interactiv...
© 2016 Schatz Forensic Raw Image : Non-linear acquisition driven by live analysis? Source Hard Drive ACMECo.C1.D1.raw ACME...
© 2016 Schatz Forensic Forensic Imaging v4.1: AFF4 (2010) • Non-linear acquisition • Hash based imaging (deduplication)
© 2016 Schatz Forensic Partial, non-linear, block based hashing Hash Compress CompressCompress ACMECo.C1.D1.af4 Volume Met...
© 2016 Schatz Forensic Forensic Imaging v4.2: AFF4 (2015) • Partial acquisition – Represent what we didn’t acquire vs. wha...
© 2016 Schatz Forensic Partial acquisition brings reproducibility and elasticity to IR and triage Target Storage Interconn...
How can I work with AFF4 images?
© 2016 Schatz Forensic Why adopt this? My toolset doesn't support AFF4. • Wait for support from vendors? • Convert AFF4 to...
© 2016 Schatz Forensic Emulation of AFF4 containers as RAW
© 2016 Schatz Forensic Emulated raw is faster than native EWF. X-Ways processing task X-Ways Native EWF X-Ways w/ Wirespee...
How does this affect workflow?
© 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge
© 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge Single Threaded EWF?
© 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge Multi Threaded EWF
© 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge AFF4
© 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge AFF4: Copies in half the tim...
© 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge AFF4: Verification completes...
© 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge AFF4: Filesystem search in a...
© 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge AFF4 & EWF around the same t...
Will the courts accept the AFF4 format?
© 2016 Schatz Forensic Courts accept expert evidence Is it reliable? • Is the expert reliable? • Is the underlying theory ...
Adoption Who is using AFF4?
© 2016 Schatz Forensic AFF4 is used in the following evimetry wirespeed
More information
© 2016 Schatz Forensic More information Implementations • https://evimetry.com/ • https://github.com/google/aff4 • http://...
Conclusion
© 2016 Schatz Forensic Conclusion • Optimising forensic workflow is a systems problem • Existing forensic formats are a bo...
Contact Hard disk head by amckgill Footprints by kimba Dr Bradley Schatz http://schatzforensic.com.au/ bradley@schatzforen...
Próximos SlideShares
Carregando em…5
×
Dados e análise
1.493 visualizações
31 de Mai de 2016

Accelerating forensic and incident response workflow: the case for a new standard in forensic imaging - AusCERT2016

Today’s forensic processes are mired by practices carried over from a pre-networked world. Practitioners and responders are faced with the unsatisfactory choice of either forensically preserving only a limited amount of evidence while accepting the risk of missing relevant information (triage), or delaying analysis while waiting for full forensic preservation. This seminar will examine the role of existing forensic imaging formats in creating such an environment, and examine how an improved forensic image format (the AFF4 forensic container format) enables practitioners to perform forensic analysis without the delays imposed by current approaches.

no profile picture user

  • Entre para ver os comentários

Accelerating forensic and incident response workflow: the case for a new standard in forensic imaging - AusCERT2016

  1. 1. Accelerating your forensic & incident response workflow: the case for a new standard in forensic imaging Dr. Bradley Schatz Director, Schatz Forensic AusCERT Conference 2016 © Schatz Forensic 2016
  2. 2. © 2016 Schatz Forensic The volume problem increases the latency between evidence identification and useful findings Identify Acquire Analyse Reporting Latency
  3. 3. © 2016 Schatz Forensic Pick one of the below You can’t have both Latency Completeness Physical Acquisition Triage You preserve everything but analysis will have to wait Near immediate results at the expense of potentially missing evidence Live forensics
  4. 4. © 2016 Schatz Forensic How can we reduce latency? While maximising completeness Latency Completeness Physical Acquisition Triage Increase I/O throughput? Live analysis while we acquire? Dynamic partial acquisition? Live forensics
  5. 5. What’s stopping me increasing I/O throughput? Background
  6. 6. © 2016 Schatz Forensic Forensic Imaging v1.0: Raw Linear bitstream copy + linear bitstream hash $ dd if=/dev/hda bs=4k conv=sync,noerror | tee C1.D1.raw | md5sum > C1.D1.md5.txt
  7. 7. © 2016 Schatz Forensic Forensic Imaging v1.0: Raw MD5 Source Hard Drive ACMECo.C1.D1.raw ACMECo.C1.D1.raw.txt # Linear Bitstream Hash
  8. 8. © 2016 Schatz Forensic What affects throughput in acquisition? Target Storage Interconnect Hash Filesystem Interconnect Evidence storage
  9. 9. © 2016 Schatz Forensic I/O throughput in Acquisition is a systems problem Target Storage Interconnect Hash Filesystem Interconnect Evidence storage Target Storage Sustained Read 1TB Seagate 3.5” 7200rpm SATA 100 MB/s Current generation 3.5” 7200rpm SATA 200 MB/s Intel 730 SSD 550 MB/s Macbook Pro 1TB ~1 GB/s RAID 15000rpm SAS > 1 GB/s
  10. 10. © 2016 Schatz Forensic I/O throughput in Acquisition is a systems problem Target Storage Interconnect Hash Filesystem Interconnect Evidence storage Interconnect Gb/s Max MB/s PCIe / NVMe / Thunderbolt > 1000 SATA3 / SAS 6 600 USB3 5 500 Gigabit Ethernet 1 100 USB2 .48 48
  11. 11. © 2016 Schatz Forensic I/O throughput in Acquisition is a systems problem Target Storage Interconnect Hash Filesystem Interconnect Evidence storage Algorithm Throughput MB/s SHA1 619.23 MD5 745.65 Blake2b 601.87
  12. 12. © 2016 Schatz Forensic Example: Forensic Duplicator 1TB Seagate Target Target Storage Interconnect Hash Filesystem Interconnect Evidence storage SHA1 600MB/s SATA3 Spinning Disk 93.6MB/s SAS 6G 500MB/s SATA3 Spinning Disk 200MB/s Acquisition 1TB @ 93.6MB/s = 2h 58m Verification 1TB @ 200MB/s = 1h 23m TOTAL = 4h 21m SAS 6G 500MB/s
  13. 13. © 2016 Schatz Forensic LiveCD Ancient Workstation Acquisition Target Storage Interconnect Hash Filesystem Interconnect Evidence storage SHA1 600MB/s SATA3 Spinning Disk 100MB/s USB2 45MB/s SATA3 Spinning Disk 200MB/s Acquisition 1TB @ 45MB/s = 6h 10m Verification 1TB @ 45MB/s = 6h 10m TOTAL = 12h 20m
  14. 14. © 2016 Schatz Forensic LiveCD Ancient Workstation Acquisition Target Storage Interconnect Hash Filesystem Interconnect Evidence storage SHA1 600MB/s SATA3 Spinning Disk 100MB/s USB2 45MB/s SATA3 Spinning Disk 200MB/s Acquisition 1TB @ 45MB/s = 6h 10m Verification 1TB @ 200MB/s = 1h 23m TOTAL = 7h 33m After copy, verify image on device with faster interconnect
  15. 15. © 2016 Schatz Forensic Forensic Imaging v2.0: EWF Original design Source Hard Drive MD5 Deflate ACMECo.C1.D1.e01 Source Hard Drive # Linear BitStream Hash Linear Compressed Block Stream
  16. 16. © 2016 Schatz Forensic The deflate algorithm is a significant bottleneck Target Storage Interconnect Hash Compress Filesystem Interconnect Evidence storage Data Deflate MB/s Inflate MB/s High entropy 40.4 IO bound Low entropy 259 439 *Single core of quad core i7-4770 3.4Ghz measured with gzip
  17. 17. © 2016 Schatz Forensic FTK Imager EWF Acquisition 1TB Seagate 75% full, 4 core i5-750 Target Storage Interconnect Hash Compress Filesystem Interconnect Evidence storage SHA1 600MB/s SATA3 Spinning Disk 100MB/s SATA3 500MB/s SATA3 Spinning Disk 200MB/s Acquisition 1TB @ 67.8MB/s = 4h 06m Verification 1TB @ 106MB/s = 2h 36m TOTAL = 6h 42m Deflate 67.8 MB/s
  18. 18. © 2016 Schatz Forensic Forensic Imaging v2.1: EWF Guymager (2008), X-Ways, recent ewfacquire MD5 Deflate DeflateDeflate Source Hard Drive ACMECo.C1.D1.e01 # Linear Bitstream Hash
  19. 19. © 2016 Schatz Forensic Lacklustre throughput reports (2013) • Practitioner reports – Low 100’s MB/s [Zimmerman 2013] • Research publications – FastDD <= 110 MB/s [Bertasi & Zago 2013] • Our experience – Low powered CPU’s give low throughtput
  20. 20. Our approach to increasing I/O throughput
  21. 21. © 2016 Schatz Forensic Scale to 8-core i7 & uncontended IO? Threaded EWF is CPU bound Target Storage Interconnect Hash Compress Filesystem Interconnect Evidence storage SHA1 600MB/s SATA3 Intel 720 SSD 500MB/s SATA3 500MB/s SATA3 Samsung 850 EVO Pro 500MB/s Acquisition 240GB @ 255MB/s = 14m 35s Verification 240GB @ 350MB/s = 10m 37s TOTAL = 25m 12s Deflate 31.9MB/s/core *8 core i7-5820k @ 3.20 GHz
  22. 22. © 2016 Schatz Forensic How about using a faster compression algorithm? Target Storage Interconnect Hash Compress Interconnect Evidence storage Compression Algorithm Throughput MB/s/core* Deflate (ZIP, gzip) 31.9 Snappy (Google BigTable/MapReduce) 1,400 LZO (ZFS) 1,540
  23. 23. © 2016 Schatz Forensic Forensic Imaging v4.0: AFF4 (2009) • ZIP64 based container • Storage virtualization • Open source implementation & specification
  24. 24. © 2016 Schatz Forensic AFF4: Storage Virtualisation ACMECo.S1.RAID0.af4 ACMECo.S1.D1.af4 # Linear Bitstream Hash ACMECo.S1.D2.af4 # Linear Bitstream Hash Compressed Block Storage Stream Virtual Storage Stream (Map)
  25. 25. © 2016 Schatz Forensic AFF4: Storage Virtualisation ACMECo.S1.RAID0.af4 ACMECo.S1.D1.af4 # Linear Bitstream Hash ACMECo.S1.D2.af4 # Linear Bitstream Hash Compressed Block Storage Stream Virtual Storage Stream (Map) Storage virtualisation
  26. 26. © 2016 Schatz Forensic AFF4: Storage Virtualisation ACMECo.S1.RAID0.af4 ACMECo.S1.D1.af4 # Linear Bitstream Hash ACMECo.S1.D2.af4 # Linear Bitstream Hash Compressed Block Storage Stream Virtual Storage Stream (Map) Inter –container referencing
  27. 27. © 2016 Schatz Forensic Linear bitstream hashing isn’t parallelizable. Max. rate ~600 MB/s on current gen. CPU’s Target Storage Interconnect Hash Filesystem Interconnect Evidence storage Algorithm Throughput MB/s SHA1 619.23 MD5 745.65 Blake2b 601.87
  28. 28. © 2016 Schatz Forensic Our solution: Block based hashing. Hash Compress CompressCompress Source Hard Drive Hash Hash Block Hashes # Block Hashes Hash
  29. 29. © 2016 Schatz Forensic Block hashing shifts the bottleneck from from CPU to Source I/O Target Storage Interconnect Hash Compress Filesystem Interconnect Evidence storage SHA1 600 MB/s/core SATA3 Intel 730 SSD 500MB/s 4x SATA3 2GB/s RAID0 4x SATA3 2TB 800MB/s Snappy Avg 1.5GB/s/core *8 core i7-5820k @ 3.20 GHz Acquisition application Linear Acquisition Verification X-Ways Forensics 14:35 255 MB/s (15.3 GB/min) 10:37 350 MB/s (21.0 GB/min) Wirespeed (linear) 7:23 500 MB/s (30.3 GB/min) 4:12 888 MB/s (53.33 GB/min)
  30. 30. How can we take advantage of these speeds?
  31. 31. © 2016 Schatz Forensic Block hashing shifts the bottleneck from from CPU to Source I/O Target Storage Interconnect Hash Compress Filesystem Interconnect Evidence storage SHA1 600 MB/s/core SATA3 Intel 720 SSD 500MB/s 4x SATA3 2GB/s RAID0 4x SATA3 2TB 800MB/s Snappy Avg 1.5GB/s/core *8 core i7-5820k @ 3.20 GHz Acquisition application Linear Acquisition Verification X-Ways Forensics 14:35 255 MB/s (15.3 GB/min) 10:37 350 MB/s (21.0 GB/min) Wirespeed (linear) 7:23 500 MB/s (30.3 GB/min) 4:12 888 MB/s (53.33 GB/min) Realistic? More likely USB3 or 1GbE
  32. 32. © 2016 Schatz Forensic Idea: can we aggregate output I/O? Use 2x USB3 drives? Target Storage Interconnect Hash Compress Filesystem Interconnect Evidence storage SHA1 600 MB/s/core SATA3 Intel 720 SSD 500MB/s 2x USB3 1GB/s 2x SATA3 2TB 400MB/s Snappy Avg 1.5GB/s/core *8 core i7-5820k @ 3.20 GHz
  33. 33. © 2016 Schatz Forensic AFF4 Striping ACMECo.S1.D1.2.af4 ACMECo.S1.D1.1.af4 Virtual Storage Stream (Map) Disk 1 Disk 2 Source blocks striped over multiple containers on multiple output disks
  34. 34. © 2016 Schatz Forensic AFF4 Striping ACMECo.S1.D1.2.af4 ACMECo.S1.D1.1.af4 Virtual Storage Stream (Map) Disk 1 Disk 2 A copy of the map is stored in each container.
  35. 35. How can we analyse while we acquire?
  36. 36. © 2016 Schatz Forensic How can we reduce latency? While maximising completeness Latency Completeness Physical Acquisition Triage Increase I/O throughput? Live analysis while we acquire? Dynamic partial acquisition? Live forensics
  37. 37. © 2016 Schatz Forensic Acquire and access in parallel? dd + iSCSI access to target MD5 Source Hard Drive ACMECo.C1.D1.raw ACMECo.C1.D1.raw.txt # Linear Bitstream Hash iSCSI Remote analysis tools
  38. 38. © 2016 Schatz Forensic Acquire and access in parallel? dd + iSCSI access to target MD5 Source Hard Drive ACMECo.C1.D1.raw ACMECo.C1.D1.raw.txt # Linear Bitstream Hash iSCSI Remote analysis tools Access is contended. Poor interactive performance (lag )
  39. 39. © 2016 Schatz Forensic Acquire and access in parallel? dd + iSCSI access to target MD5 Source Hard Drive ACMECo.C1.D1.raw ACMECo.C1.D1.raw.txt # Linear Bitstream Hash iSCSI Remote analysis tools Early termination may not have a complete filesystem
  40. 40. © 2016 Schatz Forensic Idea: Start with a non-linear partial image and add from there Entire disk All allocated Interactive analysis artifacts High value files Volume & FS Metadata, Memory Analysis
  41. 41. © 2016 Schatz Forensic Raw Image : Non-linear acquisition driven by live analysis? Source Hard Drive ACMECo.C1.D1.raw ACMECo.C1.D1.raw.txt # Linear Bitstream Hash iSCSI How do you generate a hash over a non-linear image?
  42. 42. © 2016 Schatz Forensic Forensic Imaging v4.1: AFF4 (2010) • Non-linear acquisition • Hash based imaging (deduplication)
  43. 43. © 2016 Schatz Forensic Partial, non-linear, block based hashing Hash Compress CompressCompress ACMECo.C1.D1.af4 Volume Metadata Filesystem Metadata Sparse Data File Content Unknown Hash Hash Block Hashes Compressed Block Stream # Block Hashes Hash Virtual Block Stream (Map) Source Hard Drive
  44. 44. © 2016 Schatz Forensic Forensic Imaging v4.2: AFF4 (2015) • Partial acquisition – Represent what we didn’t acquire vs. what we couldn’t acquire • Block based hashing
  45. 45. © 2016 Schatz Forensic Partial acquisition brings reproducibility and elasticity to IR and triage Target Storage Interconnect Hash Compress Network Evidence storage SHA1 600 MB/s/core SATA3 Spinning disk 200MB/s 1GbE 100MB/s RAID0 4x SATA3 2TB 800MB/s Snappy Avg 1.5GB/s/core *8 core i7-5820k @ 3.20 GHz Partial IR acquisition 21.9GiB @ 102MiB/s = 3m 39s Volume metadata, filesystem metadata, 16G pagefile, Registries, Logs, Link files, Jump lists, WMI CIM Repo, Prefetch, USN Journal, $Logfile, Scheduler artefacts
  46. 46. How can I work with AFF4 images?
  47. 47. © 2016 Schatz Forensic Why adopt this? My toolset doesn't support AFF4. • Wait for support from vendors? • Convert AFF4 to EWF on fast workstation – Can be done in near same time it takes to simply copy by only deflate compressing low entropy blocks • Emulate Raw image in the filesystem?
  48. 48. © 2016 Schatz Forensic Emulation of AFF4 containers as RAW
  49. 49. © 2016 Schatz Forensic Emulated raw is faster than native EWF. X-Ways processing task X-Ways Native EWF X-Ways w/ Wirespeed FS Bridge Verify 0:42 0:08 FS Data Recovery 3:35 3:20 Hashing & header validation 1:59:03 1:05:25 Carving unallocated 0:41 0:44 Total 3:25:43 2:02:09 Image: 1TB Macbook Pro i7, processed on 8 core i7
  50. 50. How does this affect workflow?
  51. 51. © 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge
  52. 52. © 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge Single Threaded EWF?
  53. 53. © 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge Multi Threaded EWF
  54. 54. © 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge AFF4
  55. 55. © 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge AFF4: Copies in half the time due to striped acquisition over 2 x 200 MB/s spinning disks. EWF: I/O bound on single 200MB/s disk
  56. 56. © 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge AFF4: Verification completes in 8m. I/O bound by RAID. EWF: CPU bound
  57. 57. © 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge AFF4: Filesystem search in around ½ time. EWF: CPU bound?
  58. 58. © 2016 Schatz Forensic Native EWF Acquisition vs AFF4 Native EWF Processing vs AFF4 FS Bridge AFF4 & EWF around the same throughput.
  59. 59. Will the courts accept the AFF4 format?
  60. 60. © 2016 Schatz Forensic Courts accept expert evidence Is it reliable? • Is the expert reliable? • Is the underlying theory reliable? – Reliable by way of the application of Scientific methods (eg. Daubert) – 4 scientifically peer reviewed papers, unrefuted • Are the methods implementing the theory reliable? – Tool testing (as always, the expert’s ultimate responsibility)
  61. 61. Adoption Who is using AFF4?
  62. 62. © 2016 Schatz Forensic AFF4 is used in the following evimetry wirespeed
  63. 63. More information
  64. 64. © 2016 Schatz Forensic More information Implementations • https://evimetry.com/ • https://github.com/google/aff4 • http://www.rekall-forensic.com/docs/Tools/ • https://github.com/google/grr Ongoing specification and papers • http://www.aff4.org/ • http://dfrws.org/2009/proceedings/p57-cohen.pdf • http://dfrws.org/2010/proceedings/2010-314.pdf • http://dfrws.org/2015/proceedings/DFRWS2015-16.pdf
  65. 65. Conclusion
  66. 66. © 2016 Schatz Forensic Conclusion • Optimising forensic workflow is a systems problem • Existing forensic formats are a bottleneck for todays systems • Existing forensic formats are incompatible with triage and reproducible live analysis • The Advanced Forensic Format 4 solves the above
  67. 67. Contact Hard disk head by amckgill Footprints by kimba Dr Bradley Schatz http://schatzforensic.com.au/ bradley@schatzforensic.com.au Schatz BL (2012) Digital Evidence (Chapter) in Expert Evidence, Freckelton & Selby Eds Available online via Westlaw AU and Thomson Legal Online

×