Digital Forensic Science. Vassil Roussev

      Chapter 4 is focused on system forensics; that is, on the types of evidentiary artifacts that are produced during the normal operation of computer systems. Most of these are operating system and application data structures, but we also discuss the emerging problem of cloud system forensics.

      Chapter 5 discusses artifact forensics: the analysis of autonomous data objects, usually files, that have self-contained representation and meaningful interpretation outside the scope of a specific computer system. These include text, images, audio, video, and a wide variety of composite document formats.

      Chapter 6 is an effort to outline a medium-term research agenda that is emerging from the broader trends in IT, such as fast data growth, cloud computing, and IoT. The focus is on the difficult problems that need to be addressed in the next five years rather than on the specific engineering concerns of today, such as finding ways to get around encryption mechanisms.

      CHAPTER 2

       Brief History

      The beginning of the modern era of digital forensics can be dated to the mid-1980s, which saw the adoption of 18 U.S.C. § 1030 [1] as part of the Comprehensive Crime Control Act of 1984 [33]. The Computer Fraud and Abuse Act of 1986 was enacted by the U.S. Congress as the first of several amendments to clarify and expand the scope of the provisions. In 1984, the FBI initiated its Magnetic Media Program [72], which can be viewed as a watershed moment in recognizing the importance of digital evidence, and the need for professionalization of the field.

      Prior to that, computer professionals used ad-hoc methods and tools primarily for the purposes of data extraction and recovery after unforeseen failures and human errors; to this day, data recovery remains a cornerstone of digital forensic methodology. In the pre-1984 days, there was little effort to build a systematic body of knowledge, or specialized expertise. This is not surprising as there was little societal need—computers were centralized timeshare systems used by businesses, and had little useful information for the legal system. This all began to change with the massive surge in popularity of personal computers, and the introduction of dial-up networking for consumers.

      The following dozen years (1984–1996) saw a rapid increase in personal computer use, along with fast growth in private network services like CompuServe, Prodigy, and AOL. This exploration period is characterized by substantial diversity of hardware and software, and saw the emergence of early de facto standard file formats (e.g., GIF [45]), most of which were poorly documented and rarely formally described [72].

      Toward the end of the period, the meteoric rise in popularity of the Netscape Navigator web browser marked the tipping point for the transition to standards-based internetworking. At the same time, the combination of the Intel x86 architecture and Microsoft Windows operating system became the dominant software on the PC desktop. Taken together, these developments rapidly reduced the platform diversity and enabled a coherent view of the digital forensic process to gradually emerge. It also became feasible to become an expert by focusing on just one platform that (at the time) had minimal security and privacy provisions to impede the analysis. For example, one of the major forensic vendors today, AccessData, advertised itself as “leaders in cryptography and password recovery since 1987,” and offered a set of tools for that purpose [2].

      In other words, the main uses of the forensic techniques of the time were to provide locksmith and disaster recovery services. Accordingly, the main thrust of the efforts was reverse-engineering/brute-forcing of the (weak) application-level encryption techniques employed by various vendors, and filesystem “undelete,” which enabled the (partial) recovery of ostensibly deleted information.

      Around 1997, we saw the emergence of the first commercial tools, like EnCase Forensic, that specifically targeted law enforcement use cases and provided an integrated environment for managing a case. This marked the beginning of a decade (1997–2007) of rapid expansion of forensic capabilities, both commercial and open source, against a backdrop of growing use of the Internet for business transactions, and a relatively weak understanding and use of privacy and security mechanisms. Garfinkel refers to this period as a “Golden Age” of digital forensics [72]. During this time, we saw the establishment of the first academic conference—DFRWS (dfrws.org) in 2001—with the exclusive focus on basic and applied digital forensic research.

      The most important source of forensic data during the period became local storage in the form of internal HDDs and removable media—CD/DVD and USB-attached flash/disk drives. This reflects an IT environment in which most computations were performed on workstations by standalone applications. Although the importance of the Internet was increasing dramatically, most of the related evidence could still be found in the local email client, or (web) browser caches. Thus, filesystem analysis and reconstruction (Section 4.1.4) became the main focus of forensic tools and investigations, and Carrier’s definitive book on the subject [23] can be seen as a symbol of the age.

      At the time, RAM was not considered a worthy source of evidence and there were no analytical tools beyond grep and hexdump to make sense of it. This began to change in 2005 with the first DFRWS memory forensics challenge [53], which led to the development of a number of tools for Microsoft Windows (discussed in Section 4.2); a follow-up challenge [76] focused research efforts on developing Linux memory analysis tools.

      Between 2004 and 2007 several technology developments hinted that a new chapter in the history of the field was getting started. In 2004, Google announced the Gmail service [79]; its main significance is to show that a web application can be deployed on an Internet scale. Web apps are an implementation of the software as a service (SaaS) delivery model in which the client device needs no application-specific installation locally; most of the computation is performed on the provider’s server infrastructure and only a small amount of user interface (UI) code is downloaded on the fly to manage the interaction with the user. Forensically, this is a big shift as most of the artifacts of interest are resident on the server side.

      In 2006, Amazon announced its public cloud service [3], which greatly democratized access to large-scale computational resources. It suddenly became possible for any web app—not just the ones from companies with big IT infrastructure—to work at scale; there was no conceptual impediment for all software vendors to go the SaaS route. In practice, it took several years for this movement to become mainstream but, with the benefit of hindsight, it is easy to identify this as a critical moment in IT development.

      In 2007, it was Apple’s turn to announce a major technology development—the first smartphone [6]; this was quickly followed by a Google-led effort to build a competing device using open source code, and the first Android device was announced in 2008 [183]. Mobile computing had been around for decades, but the smartphone combined a pocket-portable form factor with a general-purpose compute platform and ubiquitous network communication, to become—in less than a decade—the indispensable daily companion for the vast majority of people. Accordingly, it has become a witness of their actions, and a major source of forensic evidence.

      The current period is likely to be viewed as transitional. On the one hand, we have very mature techniques for analyzing persistent storage (Section 4.1) and main memory (Section 4.2) for all three of the main operating systems (OS) for the desktop/server environments—Microsoft Windows, MacOS, and Linux.