by Oleg Afonin, Danil Nikolaev & Yuri Gubanov
© Belkasoft Research 2015
Network Attached Storage (NAS) have a long track history of corporate deployments. Their scaled-down versions (ranging from single-bay to four-drive enclosures) are frequently used at homes and in offices. These smaller-size appliances are often called “personal clouds” for providing some parts of functionality of online cloud services.
More and more people prefer using their laptop computers at home instead of a full-size desktop. As many laptops are equipped with relatively small, non-expandable storage, NAS becomes an obvious and convenient way to increase available storage. In home environments, NAS storage are often used for keeping backups and/or storing large amounts of multimedia data such as videos, music and pictures, often including illicit materials. Due to the sheer size of these storage devices and their rapidly increasing popularity with home users, NAS forensics becomes increasingly important.
When acquiring information from the suspect’s computer, investigators often face a challenge of extracting information also from all external storage devices. Why is NAS acquisition a challenge, and what can be done to overcome it?
NAS and External Enclosures
First and foremost, let us rule out one question: what is the difference between a single-bay NAS and a hard drive enclosure? Hard drive enclosures such as WD Passport, Seagate Expansion or Toshiba STOR and Canvio series are just that: 2.5” hard drives enclosed into a slim shell with one or more outputs allowing users to hot-plug these devices to their computers. USB is the most common connection used in these devices, but eSATA, FireWire and even wireless connectivity options are not uncommon. However, as these drives are connected directly to the computer, and that computer is most probably going to be a Windows PC, external hard drives are commonly formatted with either NTFS (mostly) or FAT32 (in rare cases, as FAT32 imposes a 4GB limitation on the maximum file size).
As a result, acquiring external hard drives is relatively easy and not different at all from acquiring a built-in hard drive.
NAS storage systems, on the other hand, are computer devices running an operating system of their own. There is no option for outside low-level access to the hard drive(s) used inside a NAS unit. Instead, the internal operating system manages all reads and writes, only allowing users to access information stored on its hard drives via a network share (SMB and DLNA are the most common communication protocols supported by NAS drives).
As a result, connecting a NAS unit as is to the investigator’s PC via the Ethernet link will do little in terms of forensic acquisition. Granted, the file system (or a part of the file system) may be available to read out of the box. However, unallocated space analysis is not available for network shares. In order to properly acquire and analyze information from NAS devices, you will need to take the drive(s) out and perform low-level acquisition.
NAS: a Linux Machine
Most NAS devices run a custom version of Linux, FreeBSD or similar system. For example, Synology (one of the higher-end manufacturers of a wide range of NAS devices) develops Synology DiskStation Manager (DSM), a Linux based software package that is the operating system for their NAS products. Synology’s main competitor, QNAP, uses QTS, an operating system for their range of Turbo NAS units. According to the company, QTS is “built on a Linux foundation”. Shuttle uses embedded Linux in their NAS appliances, and WD makes use of embedded Linux in its MyCloud NAS series. Buffalo LinkStation units run on a custom version of Linux as well. Most other home-based NAS appliances are also using Linux, while some manufacturers opted to use a variation of the FreeBSD OS.
What does this mean for digital forensics? Well, you will need your Linux skills to read data from a NAS drive or array.
Linux File Systems: Acquiring Single-Bay NAS
The first obstacle in the acquisition of a NAS device is their choice of the native file system. As most NAS devices run versions of embedded Linux, their choice of the file system falls down to ext3, ext4, JFS or XFS. While ext3 and ext4 are fairly common with Linux users, and there are a lot of forensic acquisition tools supporting them natively, the XFS is far less common – even as this file system is arguably the better choice for network storage.
Developed by Silicon Graphics, Inc. (SGI) back in 1993, XFS is an extremely robust file system under heavy load. Supported by most Linux distributions, XFS is frequently used by manufacturers of file servers and network attached storage (NAS) devices. At the time, Google considered upgrade options from the aged ext2, the company tested ext4, JFS and XFS as possible upgrade paths and found these file systems as “close enough” in performance in the areas they cared about. The company went with ext4 due to the much smoother upgrade path from ext2.
Once again, NAS devices use Linux (or, generally, UNIX-originated) file systems. Native support of some of these file systems is available in most forensic tools. For example, Belkasoft Evidence Center natively supports ext2, ext3 and ext4 file systems. However, if you bumped into a NAS formatted with XFS (such as Shuttle KS10 or KD20), your analysis options suddenly become limited. As of today, only one tool (X-Ways Forensics) can natively deal with XFS-formatted devices.
Forensic support for XFS is rather limited. However, Linux-based forensic packages (and Linux computers in general) have native support of this file system, making them a possible choice for XFS forensics.
NAS: a RAID Storage
While single-bay NAS devices are widely available and extremely popular, two- and four-bay units are common. Consumer NAS devices are commonly configured into one of the following RAID configurations:
- JBOD (a single contiguous storage space with total storage capacity equal to the sum of all participating drives’ capacities),
- RAID 0 (or “striped” array, again with increased storage capacity at expense of reliability),
- RAID 5 (similar to RAID 0 but with partial redundancy for greater storage reliability),
- or manufacturer-specific RAID type such as Synology’s SHR (Synology Hybrid RAID, which, according to Synology, is an automated RAID management system, designed to simplify storage management and meet the needs of new users who are unfamiliar with RAID types – see https://help.synology.com/dsm/?section=DSM&version=5.2&link=StorageManager/volume_diskgroup_what_is_raid.html).
Depending on the user’s proficiency level and their particular requirements, you are likely to encounter one of either types of RAID.
From forensic perspective, you will need to extract individual drives out of the NAS unit, connect them to the computer you are using to acquire information, image the disks one by one, and then somehow remount the array on the computer you will be using to analyze information. While there are plenty of tools on the market allowing you to mount most common types of RAID arrays, the choice of tools that are able to work with proprietary RAID types such as Synology SHA can be extremely limiting. More information on RAID forensics in “RAID Reassembly – A forensic Challenge”http://pyflag.sourceforge.net/Documentation/articles/raid/reconstruction.html.
After remounting the array, you will be able to perform the usual analysis routine including unallocated space analysis with your forensic tools of choice. For instance, recently released v.7.3 of Belkasoft Evidence Center not only supports Linux as well as other Unix-like systems, but also allows you to choose which particular parts of the disc you would like to analyze, whether that be just unallocated space, disc partitions, or the whole disc:
SSD Drives in NAS
Using SSD drives in NAS storage systems is an interesting and controversial topic. As you may know from our SSD whitepaper (http://belkasoft.com/ssd-2014), SSD drives feature certain performance and lifespan optimization measures such as trimming erased data and using background garbage collecting mechanisms. However, support for these mechanisms in today’s NAS units is extremely limited. Most NAS units will not pass the TRIM command to SSD drives at all, effectively blocking most maintenance algorithms erasing released data blocks (and wiping unallocated space) performed by SSD drives in background. In turn, this means that evidence stored on SSD drives used in most NAS units WILL BE UNAFFECTED by the TRIM command and background garbage collection, and you may be able to recover deleted files. This is different from situations where SSD drives are used in a PC, trimming evidence soon after it has been deleted.
A notable exception from this rule are some NAS units manufactured by Synology. According to the document “Does Synology NAS support the SSD TRIM function?” https://www.synology.com/en-us/knowledgebase/faq/591, the company supports TRIM in a variety of NAS units running DSM 4.3 and later. After sending an inquiry to Synology regarding the complete list of NAS units supporting TRIM with SSD drives, we received a more definite reply: “SSD TRIM is available for all models, starting with DSM 4.3”.
Most consumer NAS devices (e.g. WD MyCloud, Shuttle KS10 and similar) do not offer self-encryption either on hardware or software level. Higher-grade NAS units such as those manufactured by Synology (https://www.synology.com/en-us/knowledgebase/tutorials/455) and QNAP (https://www.qnap.com/i/en/trade_teach/con_show.php?op=showone&cid=5) do support transparent data encryption using the industry-standard AES 256-bit encryption algorithm. Supplying (or recovering) the correct plain-text password is the only option for decrypting encrypted data, as attacking 256-bit AES encryption keys is unfeasible.
In this paper, we had a look at challenges presented to forensic analysts by consumer NAS devices, reviewed common problems and their solutions. We learned about the differences between network attached storage (NAS) and external hard drives, looked at the different file systems used in today’s NAS units, covered the types of RAID arrays employed by multi-bay NAS, and briefly talked about the use of data encryption and SSD drives in NAS.
About the authors
Oleg Afonin is Belkasoft sales and marketing manager. He is an author, expert, and consultant in digital forensics.
Danil Nikolaev is Belkasoft sales and marketing manager, co-author, and content manager.
Yuri Gubanov is a renowned digital forensics expert. He is a frequent speaker at industry-known conferences such as CEIC, HTCIA, TechnoSecurity, FT-Day, DE-Day and others. Yuri is the Founder and CEO of Belkasoft, the manufacturer of digital forensic software empowering police departments in about 70 countries. With years of experience in digital forensics and security domain, Yuri led forensic training courses for multiple law enforcement departments in several countries. You can add Yuri Gubanov to your LinkedIn network at http://linkedin.com/in/yurigubanov.
Contacting the authors
You can contact the authors via email: [email protected]
Follow Belkasoft on Twitter: https://twitter.com/Belkasoft
Subscribe to the blog: https://belkasoft.wordpress.com