Forensic Methodology

azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
Topic starter  

Oh dear … How time flies when you are banging your head against a wall at work :-P

Time to be perhaps a little controversial …

Yesterday I attended an F3 day in the UK on Live Forensics. Several of the speakers postulated that, rather than complying with the three principles, by unplugging a machine at the time it is seized, one actively contradicts the principles by destroying data that may be relevant, and, furthermore, with the advent of some of the more fun encryption products may be rendering future access to areas of a disk at least computationally infeasible, if not actually impossible.

I am of the opinion that we should at least cover best practice for live acquisitions in DECAF, if not perhaps even ( and this is the controversial part ) suggest that this should be the common best practice 😯 where the situation allows for it …

Comments ? Flames ? Criticisms ? Suggestions ?

Kind Regards,

Azrael


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> Yesterday I attended an F3 day in the UK on Live Forensics. Several of the speakers postulated that, rather than complying with the three principles, by unplugging a machine at the time it is seized, one actively contradicts the principles by destroying data that may be relevant,

IMHO, there is nothing controversial about this at all. How many times has this very topic been addressed in this and other forums (forii??)?

While I have no idea what "F3 day" is, nor do I know exactly which "three principles" you're referring to, this post serves to illustrate what I've thought for a long time now…that there are those of us who are going to forge ahead in this endeavor, whilst others in the community persist in discussing it.

The fact remains, my friends, that when police encounter a victim of a crime, be it physical assault or robbery or whatever, they do not wait for the coroner to execute the victim to begin their investigation. Why must we then persist with this doctrine that a system must be unplugged before any acquisition or analysis begins?

Yes, we know things get changed when we perform a live response, but guess what…things change even if we don't do anything! We can sit here all day, writing academic papers specifying the exact changes that occur, but no one will read them. We have already specified these things, as well as methodologies to use and follow…and yet live response is STILL considered "controversial". Like others, I will be patient and wait for others to recognize the usefulness and need for live response, but I will not wait for those who persist in continually revisiting the discussion to catch up.

> and, furthermore, with the advent of some of the more fun encryption products may be rendering future access to areas of a disk at least computationally infeasible, if not actually impossible.

No offense, Azrael, because this is not directed at you, but blah, blah, blah. This is old news folks! Call it what you will…"fun encryption products", "BitLocker", "PGP Disk", etc., etc…the issue itself is hardly new.

> I am of the opinion that we should at least cover best practice for live acquisitions in DECAF, if not perhaps even ( and this is the controversial part ) suggest that this should be the common best practice 😯 where the situation allows for it …

What's DECAF?

Re best practices…those are out there, folks…have been for a while.

> Comments ? Flames ? Criticisms ? Suggestions ?

Flames? None necessary. Criticisms? Nope. Just comments…


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
Topic starter  

> Yesterday I attended an F3 day in the UK on Live Forensics. Several of the speakers postulated that, rather than complying with the three principles, by unplugging a machine at the time it is seized, one actively contradicts the principles by destroying data that may be relevant,

> IMHO, there is nothing controversial about this at all. How many times has this very topic been addressed in this and other forums (forii??)?

> While I have no idea what "F3 day" is, nor do I know exactly which "three principles" you're referring to, this post serves to illustrate what I've thought for a long time now…that there are those of us who are going to forge ahead in this endeavor, whilst others in the community persist in discussing it.

For our non-British friends …

F3 - http://www.f3.org.uk/

Three principles ( there are in fact four ! I just keep thinking Asimov rather than anything else … ) are taken from the ACPO Guidelines in the UK.

These are

Principle 1 No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2 In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3 An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4 The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

For the full thing, please see here … http://www.forensicfocus.com/index.php?name=Downloads&d_op=getit&lid=8

With regard to your comments about forging ahead or discussing … While there is debate about the situation and even respected examiners can't agree on it, it needs to be discussed. This is the nature of things where there are significant changes in methodology; introducing new concepts to legal systems which, let's face it, are barely coping with what we are giving them now, might not be great. In the UK at least, I don't believe that there is much in the way of cases using live forensic data; until this is better established, people will be shy of it.

> The fact remains, my friends, that when police encounter a victim of a crime, be it physical assault or robbery or whatever, they do not wait for the coroner to execute the victim to begin their investigation. Why must we then persist with this doctrine that a system must be unplugged before any acquisition or analysis begins?

Interesting way of looking at it - not an analogy I particularly like though as it doesn't really match up cleanly.

I prefer that we consider ourselves in the same way as other forensic specialists - e.g. we contaminate a crime scene in such a way that we can maximise the evidence collected and can scientifically exclude our interference from it.

> Yes, we know things get changed when we perform a live response, but guess what…things change even if we don't do anything! We can sit here all day, writing academic papers specifying the exact changes that occur, but no one will read them. We have already specified these things, as well as methodologies to use and follow…and yet live response is STILL considered "controversial". Like others, I will be patient and wait for others to recognize the usefulness and need for live response, but I will not wait for those who persist in continually revisiting the discussion to catch up.

Here I have to disagree. We _do_ need to know the exact changes that take place, or as darn close as we can get - otherwise the defence will have a field day. Maybe no one will read them, but you can't "just do it" - that would be irresponsible.

To say that you are unwilling to help other examiners who may not have come across this before is a shame - you have an excellent knowledge - and your book is quoted often ( and was at the F3 day as well ! ) when it comes to live forensics. I think that it isn't a closed case - there is more than one way to skin a cat as they say; the more discussion there is from people who are knowledgeable, the more acceptance there will be.

> and, furthermore, with the advent of some of the more fun encryption products may be rendering future access to areas of a disk at least computationally infeasible, if not actually impossible.

> No offense, Azrael, because this is not directed at you, but blah, blah, blah. This is old news folks! Call it what you will…"fun encryption products", "BitLocker", "PGP Disk", etc., etc…the issue itself is hardly new.

None taken, I just couldn't be bothered to write the list !

No, it isn't new, and yes live forensics is the only real solution at this point. I concur 100%.

> I am of the opinion that we should at least cover best practice for live acquisitions in DECAF, if not perhaps even ( and this is the controversial part ) suggest that this should be the common best practice 😯 where the situation allows for it …

> What's DECAF?

Who's behind in their reading ? :-P http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6516896

> Re best practices…those are out there, folks…have been for a while.

You do realise that this is in the methodology thread, right ? Yes, there are; significant parts of them say different things - and none of them agree about live forensics as far as I am aware …

> Comments ? Flames ? Criticisms ? Suggestions ?

> Flames? None necessary. Criticisms? Nope. Just comments…

😉 I'm glad !
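
As an added example (not from this thread or the DECAF project), a Python sketch of what Principle 3 asks for during a live acquisition: every step records who did what with which tool and the hash of the artefact it produced, and each entry commits to the previous one so an independent party can re-examine the record and see whether anything was altered, dropped or re-ordered afterwards. All examiner names, tools, timestamps and artefacts below are constructed sample data.

```python
"""Tamper-evident audit trail for a live acquisition (ACPO Principle 3).

Every action taken on a running system is recorded with who did it, what was
run, why, and the SHA-256 of the artefact it produced.  Each entry also commits
to the hash of the previous entry, so a third party re-examining the record can
tell whether any step was altered, dropped or re-ordered afterwards.
Standard library only.  All names, tools, timestamps and artefacts below are
constructed sample data for this example, not from any real case.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Step:
    seq: int            # 1-based position in the trail
    timestamp: str      # time noted by the examiner (constructed ISO-8601 values)
    examiner: str       # who performed the action
    action: str         # what was done and the justification (Principle 2)
    tool: str           # tool and version, run from the examiner's own media
    output_sha256: str  # hash of the artefact this step collected
    prev_hash: str      # entry_hash of the previous step, "" for the first
    entry_hash: str = ""

    def canonical(self) -> bytes:
        """Stable serialisation of everything except the entry's own hash."""
        body = asdict(self)
        body.pop("entry_hash")
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    def __init__(self) -> None:
        self.steps: List[Step] = []

    def record(self, timestamp: str, examiner: str, action: str,
               tool: str, output: bytes) -> Step:
        """Append one step, chaining it to the previous entry."""
        prev = self.steps[-1].entry_hash if self.steps else ""
        step = Step(len(self.steps) + 1, timestamp, examiner, action, tool,
                    sha256_hex(output), prev)
        step.entry_hash = sha256_hex(step.canonical())
        self.steps.append(step)
        return step

    def to_json(self) -> str:
        return json.dumps([asdict(s) for s in self.steps], indent=2)


def verify(trail_json: str) -> Optional[int]:
    """Recompute the chain.  Return None if every entry is consistent,
    otherwise the 1-based position of the first entry that is not."""
    entries = json.loads(trail_json)
    prev = ""
    for pos, raw in enumerate(entries, start=1):
        try:
            step = Step(**raw)
        except TypeError:          # missing or unexpected field
            return pos
        if (step.seq != pos or step.prev_hash != prev
                or step.entry_hash != sha256_hex(step.canonical())):
            return pos
        prev = step.entry_hash
    return None


def altered(trail_json: str, pos: int, field: str, value: str) -> str:
    """Copy of the trail with one field of entry `pos` changed (to exercise verify)."""
    entries = json.loads(trail_json)
    entries[pos - 1][field] = value
    return json.dumps(entries)


def without(trail_json: str, pos: int) -> str:
    """Copy of the trail with entry `pos` removed (to exercise verify)."""
    entries = json.loads(trail_json)
    del entries[pos - 1]
    return json.dumps(entries)


def demo_trail() -> AuditTrail:
    """Constructed example of a short live acquisition."""
    trail = AuditTrail()
    trail.record("2009-09-08T10:02:00Z", "Examiner A",
                 "Photographed screen; machine found logged in and disk encryption "
                 "suspected, so volatile data collected before power-off",
                 "camera (constructed)", b"constructed photo bytes")
    trail.record("2009-09-08T10:05:30Z", "Examiner A",
                 "Inserted examiner's USB media and captured physical memory",
                 "memdump-tool v1.0 (constructed)", b"constructed RAM image")
    trail.record("2009-09-08T10:21:10Z", "Examiner A",
                 "Captured process list and network connections",
                 "volatile-collector v2 (constructed)", b"constructed listing")
    return trail


if __name__ == "__main__":
    record = demo_trail().to_json()
    print(record)
    print("consistent:", verify(record) is None)
```

The chain alone cannot detect that the final entries were cut off, so the last entry_hash should also be written into the examiner's contemporaneous notes (or otherwise fixed out of band) at the end of the acquisition.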


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> With regard to your comments about forging ahead or discussing … While there is debate about the situation and even respected examiners can't agree on it, it needs to be discussed.

Feel free to discuss it. Like I said, there continue to be those within the "community" who recognize the need, develop (and publish) the methodology for meeting the need, and forge ahead. This is not recklessly charging ahead, but rather based on discussions and sharing as far back as 4 or 5 years ago.

Like I said, none of this is new…not the issues, not the apparent need to discuss it. I just think it's funny that there's a call for "best practices", and yet such things have already been made available.

> In the UK at least, I don't believe that there is much in the way of cases using live forensic data; until this is better established, people will be shy of it.

I'm not sure what you mean by "better established". There have been posts in this forum (and others) by those who appear or claim to be LEOs, who have conducted live response, and stated that as long as they could justify their actions (in part, principle #2), then the data has been useful as evidence.

> I prefer that we consider ourselves in the same way as other forensic specialists - e.g. we contaminate a crime scene in such a way that we can maximise the evidence collected and can scientifically exclude our interference from it.

Okay, that'll work as a great starting point. Where would you suggest we go from there?

> Here I have to disagree. We _do_ need to know the exact changes that take place, or as darn close as we can get - otherwise the defence will have a field day. Maybe no one will read them, but you can't "just do it" - that would be irresponsible.

You bring up a couple of good points. First, the changes that occur as a result of live response activities have been published, to one degree or another. I have done some of this myself. At this point, I am at a loss as to what more can be done…were they not posted or published in the right location, and if so, what IS the right location?

Second, many times the issue of "the defense having a field day" is brought up. However, as I am sure is the case in the UK as it is in the US, the expert witness or examiner does not simply walk up to the stand unannounced; if there was any doubt as to the usability of the examiner's testimony, the prosecution would not allow that witness to be introduced.

This is not a tough issue at all. The fact remains that these issues have been raised in the past, and that there are those out there who are using volatile data to further their cases, either as intelligence leads, or as actual evidence. The fact that there is still a contingent of the community that is waiting for someone else to establish case law doesn't surprise me…the same thing happened with fingerprint and DNA evidence.

> To say that you are unwilling to help other examiners who may not have come across this before is a shame - you have an excellent knowledge - and your book is quoted often ( and was at the F3 day as well ! ) when it comes to live forensics.

IMHO, this is where "discussions" break down. I never said that I was unwilling to help anyone. I sent a specially crafted Perl script (compiled into a standalone EXE) to a LEO in Europe just last night.

When I say that I am going to continue using the methodologies that I and others have developed, I am not saying that I am unwilling to help others. Those are your words, not mine.

> Who's behind in their reading ? :-P http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6516896

I saw that, but so far, it's just a name. What *is* it? Is it a commercial application, or something open source?


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
Topic starter  

> Feel free to discuss it. Like I said, there continue to be those within the "community" who recognize the need, develop (and publish) the methodology for meeting the need, and forge ahead. This is not recklessly charging ahead, but rather based on discussions and sharing as far back as 4 or 5 years ago.

This is a methodology thread; the discussion here is all linked to the creation of an open source framework or methodology for digital forensics, from acquisition through examination to presentation. There is fairly extensive support for the concept, internationally, both commercial and LE. The current working name is DECAF. The reason that live forensics is being discussed in this thread is not to repeat old arguments ad infinitum, but to determine whether it is ready to be included in such a document and, as a community-led piece of work, whether the wider community _wants_ to see it. Part of the ability of a given methodology to be taken up is the willingness of a community to see it as applicable to them. I want to discuss it within this scope in this thread.

Personally - I'm all for it. I'll be developing my skills and my toolkit in that direction, and I intend to research it as much as I can.

> Like I said, none of this is new…not the issues, not the apparent need to discuss it. I just think it's funny that there's a call for "best practices", and yet such things have already been made available.

I wasn't suggesting that it was "new" - merely that it hadn't been discussed in relation to this specific topic - that of an open framework.

> In the UK at least, I don't believe that there is much in the way of cases using live forensic data; until this is better established, people will be shy of it.

> I'm not sure what you mean by "better established". There have been posts in this forum (and others) by those who appear or claim to be LEOs, who have conducted live response, and stated that as long as they could justify their actions (in part, principle #2), then the data has been useful as evidence.

Yes there are indeed, and I spoke to some of them yesterday, but the majority of people there hadn't … There is a lot of momentum that needs to be overcome before this becomes "better established" in the day-to-day repertoire of most examiners. I believe, though, that the results have been restricted to intelligence collection …

> I prefer that we consider ourselves in the same way as other forensic specialists - e.g. we contaminate a crime scene in such a way that we can maximise the evidence collected and can scientifically exclude our interference from it.

> Okay, that'll work as a great starting point. Where would you suggest we go from there?

Well, IMHO, I think that this is the key point. As soon as a Crime Scene Investigator opens a door, they have modified the crime scene, yet this is an accepted point in every case. When it comes to us it is that key phrase you used above "as long as we can justify our actions". It will come, and maybe it needs one or two test cases that show that without some modification of data, other key data would have been inaccessible.

> Here I have to disagree. We _do_ need to know the exact changes that take place, or as darn close as we can get - otherwise the defence will have a field day. Maybe no one will read them, but you can't "just do it" - that would be irresponsible.

> You bring up a couple of good points. First, the changes that occur as a result of live response activities have been published, to one degree or another. I have done some of this myself. At this point, I am at a loss as to what more can be done…were they not posted or published in the right location, and if so, what IS the right location?

I know that you have, but what I am also hearing is that people are having difficulty getting the same results from the same machine following the same methodology twice in a row. There are some obvious artifacts when inserting a USB key for example, but the actual memory that gets overwritten running programs is still not hugely well documented unless I am mistaken ?

> Second, many times the issue of "the defense having a field day" is brought up. However, as I am sure is the case in the UK as it is in the US, the expert witness or examiner does not simply walk up to the stand unannounced; if there was any doubt as to the usability of the examiner's testimony, the prosecution would not allow that witness to be introduced.

No, I agree with the legal procedure. But there are issues of reasonable doubt, and _this_ is the issue, not in a majority of cases - I have to concede, but it is a possible problem that needs to be tackled.

> This is not a tough issue at all. The fact remains that these issues have been raised in the past, and that there are those out there who are using volatile data to further their cases, either as intelligence leads, or as actual evidence. The fact that there is still a contingent of the community that is waiting for someone else to establish case law doesn't surprise me…the same thing happened with fingerprint and DNA evidence.

Yes, and when one or two people evangelised, developed good practice and got cases through, it became common … I was won over yesterday, I only hope that others were as well. And hopefully people reading this will be as well !

> To say that you are unwilling to help other examiners who may not have come across this before is a shame - you have an excellent knowledge - and your book is quoted often ( and was at the F3 day as well ! ) when it comes to live forensics.

> IMHO, this is where "discussions" break down. I never said that I was unwilling to help anyone. I sent a specially crafted Perl script (compiled into a standalone EXE) to a LEO in Europe just last night.

> When I say that I am going to continue using the methodologies that I and others have developed, I am not saying that I am unwilling to help others. Those are your words, not mine.

You are absolutely right, you didn't say that you were unwilling to help, and that sentence came out sounding a lot worse than intended … Please accept my apology …

What I was trying to say is

You are widely considered to be one of the foremost people on this subject, I think that you should participate in discussions, because your input is invaluable, and although you might be repeating yourself ad nauseam, others would learn immensely from it. I understand your frustration; revisiting the same arguments for newbies is irritating, but such is the life of a trend setter :-)

I happen to have seen scripts that you have done for some LE here, and I know that you are not "unwilling to help" in the sense that I may have implied above.

> Who's behind in their reading ? :-P http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6516896

> I saw that, but so far, it's just a name. What *is* it? Is it a commercial application, or something open source?

I think that I explained that above, but just in case. It is the working name of an open source project to provide a framework for digital forensics. Pretty much all discussion in the "Methodology" section relates to it …

Thanks,

Azrael


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> The current working name is DECAF.

Do you have a URL for DECAF? You said that DECAF is the "working name of an open source project"…does this project have any publicly available documentation?

> I want to discuss it within this scope in this thread.

I'm sure. In fact, you posted again today after a full month of inactivity. Apparently, you are the only one within this forum who wants to discuss this.

At one point in the above post, I asked

"Where would you suggest we go from there?"

Within your response, you stated

"It will come, and maybe it needs one or two test cases…"

However, this doesn't answer my question; instead, it continues to put the onus on the "community"…the same "community" that itself is waiting for those "one or two test cases".

So again, within the context of a discussion of an open source framework, we appear (and please correct me if I'm wrong) to be in agreement that as with the real world, a "live response" forensic investigation inherently leads to some data being changed. If we do in fact agree to that, then again I ask, where do we go from here in this discussion? Do we agree to a point and stop, as we appear to have done? Or do we agree to a point, and then move on to another point of discussion?

As far as proving your point about other key data being inaccessible, that's really rather trivial. If you don't agree, I will point you to any of the freely available images on the Internet and ask you to tell me which processes were running at the time the image of the HDD was acquired.

> I know that you have, but what I am also hearing is that people are
> having difficulty getting the same results from the same machine
> following the same methodology twice in a row.

Interesting…I hadn't heard any of that. It would appear that there are discussions going on, which is good, but not in more public arenas, which is potentially bad. Some differences are to be expected. Can you expand on this point at all? Is there any specific information that you can provide about these instances that you've heard about?

> …but the actual memory that gets overwritten running programs is still
> not hugely well documented unless I am mistaken ?

You're quite right…but the reason may be that it cannot be documented. Here is the reason why…when a process is created in Windows (for example) the memory manager will allocate memory for the process. In doing so, memory that is not already in use is allocated…if this were not the case, then processes would simply and mysteriously crash or begin behaving erratically. If there is not enough physical memory available, the memory manager will cull the memory and write infrequently used pages out to the pagefile. As at any given time the amount of available memory cannot be known by an examiner (per Heisenberg's, in order to find this out, one must load an application, which itself consumes memory, etc.), I would suggest that without specific, detailed information from the vendor, the information you are looking for cannot be known or documented. We can test all we want, but the fact remains that we cannot guarantee that any system we encounter will be amongst the test cases.

> You are widely considered to be one of the foremost people on this subject…

I can't say that I agree, but I do thank you for the thought. I do participate in the discussions that I am aware of. I participated in one on the DigitalDetective Forum and have participated in others.

While I do agree that this needs to be addressed, I have simply opted to turn my efforts to assisting those who ask for it. There are a great many in the "community" that not only need to be convinced, but also refuse to be convinced. There are also those who already recognize the need for this kind of work, and as you have seen, have done it and taken the data they've collected to court as evidence. We're already getting to those "one or two test cases" you were talking about. 😉


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
Topic starter  

> The current working name is DECAF.

> Do you have a URL for DECAF? You said that DECAF is the "working name of an open source project"…does this project have any publicly available documentation?

http://www.open-forensics.com …

> I want to discuss it within this scope in this thread.

> I'm sure. In fact, you posted again today after a full month of inactivity. Apparently, you are the only one within this forum who wants to discuss this.

Hmmm, could be … Or it could be that I've been discussing it with people in places other than this ? Or, it could be that we all have jobs and have been working hard for the last month ? :-) Or even conceivably people have been away on school holidays with their kids, and now that they have gone back to school, can devote more time again ? Dunno. I'll ask the other people I've been chatting with and get back to you … :-P

> At one point in the above post, I asked
>
> "Where would you suggest we go from there?"
>
> Within your response, you stated
>
> "It will come, and maybe it needs one or two test cases…"
>
> However, this doesn't answer my question; instead, it continues to put the onus on the "community"…the same "community" that itself is waiting for those "one or two test cases".
>
> So again, within the context of a discussion of an open source framework, we appear (and please correct me if I'm wrong) to be in agreement that as with the real world, a "live response" forensic investigation inherently leads to some data being changed. If we do in fact agree to that, then again I ask, where do we go from here in this discussion? Do we agree to a point and stop, as we appear to have done? Or do we agree to a point, and then move on to another point of discussion?

Well, much as I respect your opinion, I don't consider you posting in a thread that you don't apparently read, that "this has all been discussed already", when you have had no other input into the project other than to criticize the work of others, to be a "discussion" … Perhaps some other people's opinion on the matter of whether it could be considered mainstream enough to include in a generic framework would be worth considering ?

Assuming that we _all_ agree, and that is beyond you and I, as other people have put time and energy in so far, then I would suggest that we examine as many of the "best case" documents for live forensics that you tell me are around and that we can find, try and find some common ground in there that can be applied in as many cases as possible, write it up and submit it for peer review to the community. This is the same community that is buying copies of your book, so I think that we can assume that they have some sound judgment about the quality of what they read !

> As far as proving your point about other key data being inaccessible, that's really rather trivial. If you don't agree, I will point you to any of the freely available images on the Internet and ask you to tell me which processes were running at the time the image of the HDD was acquired.

Very true, I can't … However, I can say that the image acquired has not been modified by any of my actions. That is what you would lose …

> I know that you have, but what I am also hearing is that people are
> having difficulty getting the same results from the same machine
> following the same methodology twice in a row.

> Interesting…I hadn't heard any of that. It would appear that there are discussions going on, which is good, but not in more public arenas, which is potentially bad. Some differences are to be expected. Can you expand on this point at all? Is there any specific information that you can provide about these instances that you've heard about?

I specifically asked yesterday in the lecture, of the gentleman lecturing, what footprint was specifically identifiable from running applications to take snapshots of RAM at a given time. I was told that not only would the same application have a vastly different footprint depending on the OS version & patch level, but also that two supposedly identical machines with the same software were returning vastly different results. I don't have the exact details as it was a question in a talk, but given the speaker and the audience I see no reason to doubt he was telling the truth. I expect to see the gentleman concerned in a month or so; I'll see what further I can extract from him …

> …but the actual memory that gets overwritten running programs is still
> not hugely well documented unless I am mistaken ?

> You're quite right…but the reason may be that it cannot be documented. Here is the reason why…when a process is created in Windows (for example) the memory manager will allocate memory for the process. In doing so, memory that is not already in use is allocated…if this were not the case, then processes would simply and mysteriously crash or begin behaving erratically. If there is not enough physical memory available, the memory manager will cull the memory and write infrequently used pages out to the pagefile. As at any given time the amount of available memory cannot be known by an examiner (per Heisenberg's, in order to find this out, one must load an application, which itself consumes memory, etc.), I would suggest that without specific, detailed information from the vendor, the information you are looking for cannot be known or documented. We can test all we want, but the fact remains that we cannot guarantee that any system we encounter will be amongst the test cases.

Absolutely ! It is a nightmare ! But as opposed to a certainty in "dead" analysis, you can see why people might be a little twitchy !

> You are widely considered to be one of the foremost people on this subject…

> I can't say that I agree, but I do thank you for the thought. I do participate in the discussions that I am aware of. I participated in one on the DigitalDetective Forum and have participated in others.

I have to insist - your name turns up in any discussion I seem to come across with regard to it ! I've just signed up to the Digital Detective to read that discussion specifically - again brought up yesterday - I'm rather looking forward to it :-)

> While I do agree that this needs to be addressed, I have simply opted to turn my efforts to assisting those who ask for it. There are a great many in the "community" that not only need to be convinced, but also refuse to be convinced. There are also those who already recognize the need for this kind of work, and as you have seen, have done it and taken the data they've collected to court as evidence. We're already getting to those "one or two test cases" you were talking about. 😉

Fingers crossed ! I think that it will come to pass, there is no way that it can be avoided over time, just hopefully sooner rather than later …

All the Best,

Azrael


(@Anonymous)
Guest
 

There is a need for documentation of methodologies, easily accessible by both new and old in our field.

DECAF is a good start.

When you two are done playing, let me know so we can get moving.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Thanks for your time, Azrael. I can see that my presence is of no use to you. Good luck with DECAF, I sincerely wish you the best.


(@omagico)
Trusted Member
Joined: 20 years ago
Posts: 39
 

I am willing to contribute also.

Rich

