Pitfalls of Interpreting Forensic Artifacts in the Registry  

Page 2 / 4
JackyFox
(@jackyfox)
New Member

You must have read the whole document; I am very pleased that you have taken the time to read my research.

One of my main aims was to achieve a greater degree of correlation so I'm very pleased that you think I achieved this.

With regard to "interpretation", I use this in the stricter sense of the word. For example, if I find that a vendor ID is stored in the registry as 9999, I can choose to report this, or to translate/interpret that information into something more human readable, like company xyz. In doing so I am not strictly reporting what is found in the registry but an interpretation of that data. This is why I produce two logs: one of the screen dump, and an expert log detailing the original data. In the appendices I detail any interpretations made, so that an examiner can fully explain those interpretations if required to do so in court.
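The dual-logging idea described above can be sketched in a few lines. This is a hypothetical illustration only: the `VENDOR_IDS` table and the 9999 → "company xyz" mapping are the example values from the post, not a real vendor database, and `report_value` is an invented helper name.

```python
# Illustrative sketch: report the raw registry value verbatim for the
# expert log, and record any human-readable interpretation separately,
# so both can be produced and explained in court.

# Example translation table (illustrative values from the post).
VENDOR_IDS = {"9999": "company xyz"}

def report_value(raw_value, lookup):
    """Return (raw, interpreted) so both logs can record the pair."""
    interpreted = lookup.get(raw_value)  # None when no translation is known
    return raw_value, interpreted

raw, interpreted = report_value("9999", VENDOR_IDS)
print(f"expert log (raw data): {raw}")
print(f"screen log: {interpreted or raw}")  # falls back to raw if untranslated
```

Keeping the raw value and the interpretation as a pair, rather than silently replacing one with the other, is what makes each translation step auditable afterwards.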

My apologies to James McFarlane if I have misidentified any of his brilliant work. I see that he has a new version available too.

When I set out to do my research I did consider using or writing new modules for regripper, but I decided to write my own scripts for several reasons. One of the main ones was that I wanted to do a deep dive into this area and come at it from a different angle, which I hope I did. My tools are currently an individual effort rather than a collaboration, and will absolutely have limitations, as all tools do. My hope is that analysts will see fit to use them alongside some of the other great tools out there, and that some of my research can be used to help develop tools that are yet to come.

It is a great pleasure for me that so many people are showing interest in the research I have done and that it's not just gathering dust somewhere.

I thank you again for all your comments.

Regards,

Jacky

Posted : 02/11/2012 4:41 pm
keydet89
(@keydet89)
Community Legend

Unfortunately, one of the things we see in the "community" is folks who write tools wanting to go their own way, rather than expand upon one of the currently available toolsets or frameworks.

Again, thanks for your work.

Posted : 02/11/2012 4:53 pm
keydet89
(@keydet89)
Community Legend

Something interesting that I thought I'd share…

Based on testing of a shellbag parsing plugin, I have seen the information provided for shell items of type 0x2e, which appear to be devices. So I modified the plugin to print out the hex content of each structure after it was parsed, so that I could see what the four devices listed in one hive file "looked like."

Of the four devices (labeled A - D), only device D appeared in the USBStor key, and devices A - C appeared in the USB key. All four devices appeared in the Windows Portable Devices key, and only device D appeared in the EMDMgmt key.

I think that what this shows is that you can't start at the USBStor key as your initial point and work from there. Instead, you need to gather all of the information first, and after you've completed the process of correlating it for specific devices, look at what you have left over.
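The correlation approach above can be sketched with plain set operations. This is a hypothetical illustration, not a hive parser: the `key_contents` mapping simply mirrors the four devices (A–D) and the key observations described in the post.

```python
# Sketch of the "gather everything first" approach: collect device
# identifiers from every relevant key, then see which devices a
# USBStor-first examination would miss entirely.

# Which devices appeared under which key (per the observations above).
key_contents = {
    "USBStor":                  {"D"},
    "USB":                      {"A", "B", "C"},
    "Windows Portable Devices": {"A", "B", "C", "D"},
    "EMDMgmt":                  {"D"},
}

# Union of all devices seen anywhere across the keys.
all_devices = set().union(*key_contents.values())

# Devices with no USBStor entry at all: the "left over" set an examiner
# starting and stopping at USBStor would never encounter.
left_over = all_devices - key_contents["USBStor"]

print(sorted(left_over))  # → ['A', 'B', 'C']
```

Working from the union and subtracting per-key observations makes the gaps explicit, rather than leaving them invisible behind whichever key the examination happened to start from.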

Also, the MountPoints2 subkeys are a very good source for tying a device to a logged-on user, but the shellbags can be as well.

Posted : 02/11/2012 10:50 pm
JackyFox
(@jackyfox)
New Member

That is indeed interesting. I did quite a lot of work around analysing the order of key population on insertion of a USB storage device; I only included a selection in my thesis as I had to cull some research from it. I set up several virgin systems under XP, Vista & Windows 7, and in all cases when I installed a USB storage device there was an entry in USBStor. Out of interest, in the hives you have, is a serial number recorded anywhere, or do you believe that a USB storage device was installed without a serial number being registered? If they are sample hives rather than a user's actual hives, I would love to look at them.

Regards,

Jacky

Posted : 03/11/2012 2:54 am
athulin
(@athulin)
Community Legend

This was a very interesting piece of research – thank you for sharing it in this way. Minor theses can be very useful, yet are often difficult to identify.

A question

In section 2.5.2 you state that "ParseWin32Registry has proved accurate and reliable in the field", yet I find nothing to back up that point of view. What is it based on?

A possibly irrelevant note

One interesting question that is peripheral to your paper, but which affects it, is that of identification and interpretation of traces. You report a number of points where current interpretation is at odds with your own test observations. Most current findings are not clearly based on any kind of scientific discovery process, so it should probably not be surprising to find such inconsistencies. But it does raise the question: how can identification of traces be done … well, more systematically, and less prone to personal factors influencing the result? And how can the testing of those traces be comprehensive enough to provide a reliable interpretation of the trace data? (Here's where it may be possible to get an error rate, as requested by the Daubert criteria.)

I don't expect you to have an answer – but it is something I had almost hoped to see mentioned or acknowledged in the final chapter, as it is part of the foundation on which your tools were built.

It's a problem in just about any field of study – see for example Arbesman, "Truth decay: The half-life of facts", New Scientist (September 25, 2012), which starts by observing that the number of human chromosomes was, in 1912, reasonably authoritatively asserted to be 48 … until 1956, when fresh counting and recounting did not identify more than 46 of them. In computer forensics the situation is even worse: while human 'system architecture' seems fairly static, software manufacturers may introduce changes at almost any time, particularly in undocumented areas.

Posted : 03/11/2012 3:18 pm
JackyFox
(@jackyfox)
New Member

Hi Athulin,

In response to your question about ParseWin32Registry: it is used by regripper, which I know has an active field user base. I also did a lot of testing directly with ParseWin32Registry, comparing its output to what was in the registry, and I found it to be accurate and reliable.

With regard to your second note, it is far from irrelevant, and I did do more research around this (I didn't include it in my paper as it was already quite large). It is an area that I have considered for further research: the idea of "at what point, if ever, is data real, or is it always just someone's interpretation of what is real?". In relation to making the process of tracing data more scientific, I think this is a big but very worthwhile question. With regard to my own tools, as a starting point I preserved the source, logged everything, tested my output and documented any manipulations performed. I took this approach so that any conclusions or reports could be explained within current understanding, and possibly revisited in the future based on new developments.

Thank you for your comments and pointer to the New Scientist article.

Regards Jacky

Posted : 03/11/2012 5:23 pm
pavel_gladyshev
(@pavel_gladyshev)
New Member

Hi Anders,

I think that you are raising a very interesting question. It has been dealt with - to some extent - in the philosophy of science. Karl Popper, for example, argued that scientific theories cannot be proved conclusively and can only be falsified through experiments.

The complexity of real world digital systems is such that forensic experiments in most cases are incomplete. I think that forensic experimentation is essentially an attempt to approximate how something works based on an incomplete set of observations. The success of it seems to depend on choosing the right model. In electrical and mechanical engineering, for example, linear system models are able to adequately describe a great many real world phenomena - to the extent that we can use them to build machines, bridges, etc. I think we are missing something like that in digital forensics.

Another thought is that - although digital systems are designed to be deterministic - the way a particular digital system works is not exactly a law of nature. System specific glitches may result in spurious behaviors that would undermine our interpretation despite most rigorous experimentation.

All in all, a very interesting and important open research question.

Posted : 04/11/2012 2:54 am
jaclaz
(@jaclaz)
Community Legend

Another thought is that - although digital systems are designed to be deterministic - the way a particular digital system works is not exactly a law of nature. System specific glitches may result in spurious behaviors that would undermine our interpretation despite most rigorous experimentation.

Well, luckily enough 😀 Skynet has not (yet) gained self-awareness, and when you dd a 00 from source you normally get a 00 on the target.

A little "lighter" than Karl Popper:

Anything you dream is fiction, and anything you accomplish is science, the whole history of mankind is nothing but science fiction.

…and of course, beware of the Devil…. 😯

jaclaz

Posted : 04/11/2012 4:31 pm
athulin
(@athulin)
Community Legend

Karl Popper, for example, argued that scientific theories cannot be proved conclusively and can only be falsified through experiments.

It was not my intention to go quite that far. Only that I have an impression that we don't do enough with what we have.

For example, I believe we should be capable of identifying what registry traces can be correlated with, say, USB insertion or removal to a fairly high degree of confidence. We don't need to be able to interpret the traces, or even put them into any kind of sequence, but we should be able to list them.

Of course, I'm not implying that Ms. Fox should have done this – her thesis deals with a larger area, and is related to synthesis of information, rather than analysis. But the inconsistencies reported in her thesis suggest that the basic science work in this area is not quite where it needs to be – at least if we hope to go for anything approaching Daubert criteria.

That is a bit irritating.

Posted : 04/11/2012 4:49 pm
pavel_gladyshev
(@pavel_gladyshev)
New Member

Hi jaclaz,

Before I specialized in digital forensics, I worked as an embedded systems engineer and have seen some very odd behaviors caused by ICs overheating, but you are right - these are normally rare events. Nevertheless, if we want to claim digital forensics as a science, I believe that we need to understand all sides of it - even those that are rare.

An engineer, an economist, a physicist, and a philosopher are hiking through the hills of Scotland. On the top of a hill they see a black sheep.
"What do you know," the engineer remarks. "The sheep in Scotland are black."
"No, no", protests the economist. "At least one of the sheep in Scotland is black."
The physicist considers this a moment. "That's not quite right. The truth is that there's at least one sheep which is black from one side."
"Well, that's not quite right either," interjects the philosopher. "There appears to be something describable as a 'sheep' that seems to be black from one side…"

– http://www.geocities.ws/russellian_society/jokes.html

😀

Posted : 04/11/2012 5:56 pm
pavel_gladyshev
(@pavel_gladyshev)
New Member

Hi Anders,

Totally agree with you on that. We - as a community - can and should do a better job of designing and executing experiments, and of generally producing better science.

Posted : 04/11/2012 6:01 pm
JackyFox
(@jackyfox)
New Member

Hi Anders,

With regard to the apparent inconsistencies that I observed, it goes without saying that the data was always there. I think they just became easier for me to identify by automating the correlation of the data sets and observing them over time.

Jacky

Posted : 04/11/2012 9:34 pm
jaclaz
(@jaclaz)
Community Legend

Before I specialized in digital forensics, I worked as an embedded systems engineer and have seen seen some very odd behaviors caused by ICs overheating, but you are right - these are normally rare events. Nevertheless, if we want to claim digital forensics as a science, I believe that we need to understand all sides of it - even those that are rare.

Sure, the issue is all around the definition of "normally".

We - as a community - can and should do better job at designing and executing experiments and generally producing better science of it.

Right 😉

JFYI, and OT 😯
An academic job is available in a scientific department, besides publications, an interview is held.
First candidate is a mathematician, the commission says, "very good curriculum, lots of interesting publications, we will ask you a simple question, just as a formality how much is 2+2" to which the mathematician answers quickly "4".
The commission comments "good answer, though maybe a bit too short, without providing any background theory."
Second candidate is an engineer, the commission says, "very good curriculum, lots of interesting publications, we will ask you a simple question, just as a formality how much is 2+2" to which the engineer answers quickly "Well, it should be 4, but it could be a little less than that for extremely low values of 2 or a little bit more for extremely large values of 2, but the average tends to be 4".
The commission comments "good answer, he gave both the canonical answer and an alternate one with a solid background."
Third candidate is a geologist, the commission says, "very good curriculum, lots of interesting publications, we will ask you a simple question, just as a formality how much is 2+2" to which the geologist quickly looks around him, then in a low voice "How much should I make it result?"
😀

For NO apparent reason 😉
http://gailsmcmillan.cmswiki.wikispaces.net/file/view/Math_Jokes.jpg/320903462/325x365/Math_Jokes.jpg

jaclaz

Posted : 05/11/2012 1:14 am
pavel_gladyshev
(@pavel_gladyshev)
New Member

jaclaz,

Sure, the issue is all around the definition of "normally".

The issue is not just around the definition of "normally"; it is about achieving as deep and correct an understanding of the subject as we can. The discrepancies that Jacky found are there precisely because prior forensic research focused on what seemed reasonable and was not comprehensive enough.

ReplyQuote
Posted : 05/11/2012 1:46 am
jaclaz
(@jaclaz)
Community Legend

jaclaz,

Sure, the issue is all around the definition of "normally".

The issue is not just around the definition of "normally"; it is about achieving as deep and correct an understanding of the subject as we can. The discrepancies that Jacky found are there precisely because prior forensic research focused on what seemed reasonable and was not comprehensive enough.

Well, no.

Some of what Jacky found is what happens "normally" but had not been observed/recorded/interpreted correctly/completely.

The systems do remain deterministic in nature: "facts" happen "normally", and now we have a more accurate description of them, but there is seemingly nothing (yet) "casual", "random" or "stochastic" about them, i.e. everything is perfectly reproducible.

jaclaz

Posted : 05/11/2012 2:26 pm