At DFRWS yesterday you gave a talk about Tor forensics on Windows. Could you briefly outline some of the main challenges associated with Tor forensics for our readers?
I think that nowadays there are new challenges related to encryption, anonymity and stuff like that. After a real case in which we had to find evidence of usage of Tor, we decided to go in-depth on the analysis of usage of Tor on that particular device. Not traces of Tor from a network point of view, but traces of Tor left on the device itself, because in our daily work we mainly perform post-mortem analysis of devices.

So from the real case, we were able to find a trace left by the usage of the Firefox browser, because Tor uses the Private Browsing mode of Firefox. This kind of Private Browsing leaves a trace in the pagefile, and this trace can be found by searching for a particular keyword – that is “HTTP-memory-only-PB”. That kind of artefact is really interesting because we can understand if a particular object was retrieved from a website. Every single cached file is not cached on the hard drive but is kept directly in memory. And to keep track of what is happening, Tor, or rather Firefox, uses this primitive function. For every single URL, every single object retrieved from the internet, there is a string before each object that is HTTP-memory-only-PB.
What challenges did you come up against during the research?
There are two problems with this research. First of all, memory in general and of course pagefile are highly volatile. Memory: when we turn off, memory is gone. Pagefile changes a lot when we use the device. So it’s really important to acquire the data of course, and we also need to be very lucky. Because if we are searching, we cannot say we will probably find what was happening yesterday and not what was happening one month ago. Pagefile is completely random. So we can possibly find something that happened one month ago, and nothing that happened yesterday. So that’s the first problem. And here there is no solution, we just need to be lucky.
The second point is that of course because Tor is using the same technique as Firefox, we need to distinguish between Tor activities and Firefox activities. And the good point here is that the Firefox version used by Tor is typically derived from a particular version of Firefox, the ESR version, so the customisable version of Firefox. And as we know, every single version of a browser has a user agent. So if in the pagefile we are able to find both the request to the website and the stored file with the HTTP-memory-only-PB, we are able to distinguish between activities made by the version of Firefox used by Tor browser, and normal Firefox.
The other point is of course that if on the computer Firefox is not installed, has never been used, like in the real case we had, this becomes a problem. In the case we had, it was a corporate environment where the users were forced to use Google Chrome by the rules imposed by the IT department. In that case a user cannot install Firefox. Of course the IT department had a flaw, because users cannot use Firefox but they can use Tor browser and install it on the device, so it’s not a very good implementation of security.
In that case we were lucky, but after the real case, we moved to a testing environment and we tested on Windows 7 and 8, and also on the pre-release of Windows 10, to be sure that we have the same artefacts in all operating systems, and we found that this system can be applied as a general methodology. That’s the most interesting part really, because it’s related to the surfing activities. But of course, to confirm the usage of Tor browser we also did an analysis of the traditional operating system artefacts to be sure that the executable works as expected. Because it’s the operating system that rules the world, that rules the environment.
In fact if you go on the Tor browser website, there is something like a to-do list to be sure that you are working in a really safe environment. But they didn’t write – or I was not able to find on the website – a suggestion to disable pagefile. If they suggested to people, OK, you need to disable the pagefile, and you need to not hibernate the computer, that’s a good suggestion, because in that way there will not be traces.
In all the tests we performed, we were not able to find traces in a part of the pagefile and the hiberfil. If we are lucky enough and we have the hiberfil, we can also do a more in-depth analysis from a memory point of view. Using tools like Volatility or Rekall, we can go in-depth and search for the process, and so in that instance it is much easier to find the traces. We can recover the part of the memory allocated to the Tor browser process, and every string, HTTP-memory-only-PB, that is in that part of the memory is for sure coming from Tor browser activity, because it is in the part of the memory allocated to that process. It doesn’t overlap with the normal Firefox activity. And in that case, it is much simpler and we have more information about the activities performed by the user. Even if Tor browser was closed: in some cases, if the structure of the process is still in memory when we hibernate, we are able to identify the part of the memory allocated to that particular process.
Your research is conducted through RealityNet, where you're CEO. Could you tell us about the company and what your role there entails?
RealityNet is a small consulting company that was born in 2002 from an idea of mine and Marco Scarito’s, who is one of the two co-owners with me. Now we are three, because in 2010 Francesco Picasso joined us as a partner of the company.
We started the company in 2002 when I was twenty-four, one month after my degree in IT, and as always happens when you start a company, you start doing what you learn at university… so nothing. No, I’m joking! After that in 2007 my father, who is a civil lawyer in Italy, had a colleague who had a particular request about an analysis of a computer. And his colleague asked me to help, and so as always happens, a good IT guy before starting a job starts learning how to perform this job. So that’s why I started off in digital forensics in 2006/2007.
Then after that case we moved to a more in-depth approach and then we started studying again. After five years working, we took a class at the University of Milan. In Italian it is called corso di perfezionamento; it is shorter than a Master’s, but at that time it was the only course involved in digital forensics in Italy.
And after that we moved to dedicated certifications like SANS and others, and then in 2009 we met Francesco, the other owner. He was a private consultant in the same city, in Genoa, and he did digital forensics. And we thought OK, we don’t need to be on opposite sides, we can join our power, and he joined the company. And from there, from 2009/2010, our company moved completely to digital forensics and incident response activities.
Nowadays we work for public prosecutors, judges and also private companies, mainly in Italy but of course also abroad if we have customers, it depends on the opportunity. The good point of our company is that we are small but we love researching. So we have partnerships with Italian universities, Genoa university, Milan university and others, to develop research in particular fields.
I think the good point is that when you are able to put together the real cases of a company with the ability to research of the university, and the time of the students in particular, that’s the way in which you can improve and the community can improve. Because if no one is researching it doesn’t work, but also if only research is done, without a real case comparison, it doesn’t work. So that’s why we try to be both researchers and performing commercial activities.
My position, also with my two co-owners, is to do analysis, and also to have the vision of the company. Because when you are the owner of the company you have to have both work and vision.
You also develop open-source digital forensics tools. Tell us a bit about some of the tools you've created, and why you think it's important to have open-source solutions.
We develop open-source tools that we release for free, for example we released in 2011/2012 a simple tool that is called WhatsApp Xtract, that was nominated for the best open-source digital forensics tool.
So we develop open-source tools because we think it’s good for the community. And that tool had great success, but after that both Facebook and WhatsApp have changed, so we are working on improvements for the tool now.
The other good point that we caught was when Francesco Picasso developed a plugin for Volatility that is called mimikatz. That plugin is able to recover user passwords in the clear; Windows user passwords from a memory dump. And so that is really good, because if you have acquired a computer and you’re doing a post-mortem analysis, and in the computer you have the hibernation file, you can recover the password from the hibernation file in the clear, in one second, without cracking it. That is really interesting. Last week SANS published a poster on memory forensics and the plugin from Francesco is one of the most highlighted because it’s really interesting. So that’s what we try to do.
Do you have any advice for students who are trying to get started in digital forensics?
I think that first of all, they need passion. It’s a starting point.
Second, they need to find good training in this field. Training in this field is absolutely necessary. I think that there are only a few good Master’s or classes around Europe, for example here in Dublin there is a good Master’s at UCD, so that’s a starting point.
So my suggestion is an IT degree, and after that specialisation in forensics. It can be at a university or it can be in private companies’ certifications, SANS or others. After that, or with that at the same time, the main point is to find a company where you can have an internship to start learning how to do this work in real life. It’s not like CSI. The real world is much more complex, it’s not so easy to push a button and see the result. For every single analysis that you do, you also have to destroy your brain putting data together and trying to verify your results.
The other suggestion I want to give is this: please remember that judges and lawyers trust in you, because they think you are the expert. So be sure to verify your findings. Because if they trust in you and your findings are not correct, and for example the accused has no money to pay for a good private lawyer, they can be judged, they can be sent to jail for your error. So be sure of what you are doing, because from your point of view, from your report you can define the life of a person.
What do you think is the next big thing in digital forensics?
A lot. I want to mention at least three.
Encryption – that’s one of the bad things and good. From a security point of view, encryption is very good; I use encryption every day when I travel around Italy. For example, if I’m at a conference and during the night I need to work on real cases, I need to work with a completely encrypted hard drive, so encryption is good from that point of view.
The point from a forensic point of view is you are not able to do any kind of analysis. We had a case last year, a really big case in which a person who was incriminated was on trial for one possible activity and there were a lot of traces left by this person, but not digital traces. Because on their digital devices everything was encrypted and we were unable to break the encryption. I don’t know if it is true all over the world but for example in Italy, if you don’t give the password it’s not a problem. “I don’t remember the password” is acceptable from a legal point of view.
Second, anonymity. We talked about Tor before and of course we only talked about traces left on the device, but tracking the user in Tor is difficult. Of course there is research and there are also results, but they are mainly based on social engineering or human-based flaws, not technical flaws.
Third point – the size of data that we need to analyse. We can say “big data”, that is a word that is really common now, but the problem is that now every person has no less than, say, 5TB of data: computer, smartphone, tablet, USB pen, external hard drive…. When you need to answer a question in one week, and you need to analyse 5TB of data in that time, and sometimes police or judges don’t know what they are looking for, and they ask you “OK, search for everything that can be useful.” OK, I have 5TB of data and I need to search everything, it’s not possible. So that is a real problem because we need to find a way to make our analysis faster, but also without losing information, without skipping information that can be vital for the case we are dealing with.
And the fourth one: there are standards on acquisition of devices, like computers, mobile phones and so on, but there are no standards for acquisition of data that are stored remotely. We can say stored in the cloud. And when we have to think about preservation of integrity of data that are not stored in a place that we can physically reach, the community needs to develop some standards on how an acquisition made from the cloud is acceptable.
What do you do in your spare time?
I love this question!
A lot of things, when I have spare time. Three things mainly: I travel a lot as a backpacker. I like travelling like that, not organised travel. I reserve a flight to a place, I reserve the first night, and then let’s go for fifteen days, and I have the flight to come back.
Second, I play music as a DJ. During summer, in particular in one place in my city, where the owner of the place is one of my old friends. I love to go there because my city is on the sea, so when I exit the office usually at 8 o’clock in the evening or later, I put on my beach wear and go there with my computer – I have another computer, it’s not the same computer I use for forensic activity – and then I play music there, because I love music.
The third thing is my soccer team, Genoa. That is the oldest Italian team, forza Genoa.
Mattia Epifani is a digital forensics analyst and researcher, and is CEO at Reality Net, who provide services in digital forensics, security and privacy for international clients. Mattia's latest book, Learning iOS Forensics, is available now via Packt Publishing.
Forensic Focus interviewed Mattia at DFRWS, the annual Digital Forensics Research Workshop, which took place in Dublin from the 23rd-26th of March. The next workshops will be held in Philadelphia in August 2015, and Switzerland in March 2016. You can find out more and register here.
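The pagefile search Mattia describes at the top of the interview, written out as an added example; this is not code from the interview, from RealityNet or from the DFRWS talk. It scans a raw pagefile, a decompressed hiberfil (hiberfil.sys is compressed on disk and must be converted to a raw image, for example with Volatility's imagecopy, before a string search is meaningful) or a memory dump for the HTTP-memory-only-PB marker, carves the URL that follows it, and attributes each hit to the nearest User-Agent string by file offset so the Firefox version seen in the request can be compared with the Firefox build installed on the machine. The byte layout assumed after the marker, the proximity window used for the user-agent correlation and all sample bytes are assumptions and are labelled as such in the code.

```python
"""Carve Firefox private-browsing cache markers ("HTTP-memory-only-PB") and
nearby User-Agent strings from a pagefile, converted hiberfil or raw memory dump.

Added example; not code from the interview, RealityNet or the DFRWS talk.
"""
from __future__ import annotations

import mmap
import re
import sys
from dataclasses import dataclass
from typing import Optional

# ASSUMPTION: the cached object's URL follows the marker, optionally separated by
# a few punctuation bytes. The exact cache-key byte layout is not stated in the
# interview; widen the separator class if your own samples differ.
URL_AFTER_MARKER = re.compile(
    rb"HTTP-memory-only-PB[^A-Za-z0-9\x00]{0,8}(https?://[^\x00-\x20\"'<>]{1,2048})"
)
# HTTP request header as it sits in memory; printable ASCII only.
USER_AGENT = re.compile(rb"User-Agent: ([\x20-\x7e]{1,300})")
FIREFOX_VERSION = re.compile(r"Firefox/(\d+(?:\.\d+)*)")


@dataclass
class Hit:
    offset: int                  # byte offset of the marker in the image
    url: str                     # URL carved after the marker
    user_agent: Optional[str]    # nearest User-Agent by offset, or None
    firefox_version: Optional[str]


def carve_user_agents(data) -> list[tuple[int, str]]:
    """Return (offset, user-agent) for every User-Agent header found."""
    return [(m.start(), m.group(1).decode("ascii", "replace"))
            for m in USER_AGENT.finditer(data)]


def carve_pb_urls(data) -> list[tuple[int, str]]:
    """Return (offset, url) for every private-browsing cache marker found."""
    return [(m.start(), m.group(1).decode("ascii", "replace"))
            for m in URL_AFTER_MARKER.finditer(data)]


def nearest(uas: list[tuple[int, str]], offset: int, window: int) -> Optional[str]:
    """Closest user-agent within `window` bytes of `offset`, or None."""
    best = None
    for off, ua in uas:
        dist = abs(off - offset)
        if dist <= window and (best is None or dist < best[0]):
            best = (dist, ua)
    return best[1] if best else None


def carve(data, window: int = 64 * 1024) -> list[Hit]:
    """Carve marker hits and correlate each with the nearest User-Agent.

    ASSUMPTION: proximity in the image is a heuristic only. Pagefile contents
    are not ordered, so a user-agent within `window` bytes is a lead to verify
    against process memory (e.g. with Volatility), not proof of attribution.
    """
    uas = carve_user_agents(data)
    hits = []
    for off, url in carve_pb_urls(data):
        ua = nearest(uas, off, window)
        ver = None
        if ua:
            m = FIREFOX_VERSION.search(ua)
            ver = m.group(1) if m else None
        hits.append(Hit(off, url, ua, ver))
    return hits


def scan_file(path: str, window: int = 64 * 1024) -> list[Hit]:
    """Memory-map a multi-GB pagefile/raw image and carve it without reading it all."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve(mm, window)


# Constructed sample "pagefile" content (not real evidence): two private-browsing
# cache entries, two request headers, one non-http marker and one plain URL.
SAMPLE = b"".join([
    b"\x00" * 64,
    b"GET /index.html HTTP/1.1\r\nHost: example.onion\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0\r\n\r\n",
    b"\x00" * 512,
    b"HTTP-memory-only-PB:http://example.onion/index.html\x00\x00",
    b"\x00" * (200 * 1024),              # far enough that the first UA is out of window
    b"HTTP-memory-only-PB:https://www.mozilla.org/en-US/\x00",
    b"\x00" * 128,
    b"User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0\r\n",
    b"\x00" * 64,
    b"HTTP-memory-only-PB:about:blank\x00",   # not an http(s) URL: ignored
    b"http://disk-cached.example/\x00",       # no marker in front of it: ignored
])

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else carve(SAMPLE)
    for h in hits:
        print(f"{h.offset:#010x} {h.url}  <- Firefox/{h.firefox_version} ({h.user_agent})")
```

Run it as `python carve_pb.py pagefile.sys` against an acquired pagefile or a converted hiberfil; with no argument it runs on the constructed sample. A hit whose nearest user-agent reports a Firefox ESR version that is not installed on the machine is the kind of evidence the interview describes, but only process-scoped memory (a Tor browser process carved from the hiberfil) removes the ambiguity with ordinary Firefox.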