Security Incidents mailing list archives
part deux, was -> RE: Digital forensics of the physical memory
From: Harlan Carvey <keydet89 () yahoo com>
Date: Sun, 19 Jun 2005 05:24:15 -0700 (PDT)
George and Ben,

After further consideration, I wanted to add some additional thoughts...
> The original author does at one point use the term "image" to describe his evidence collection process. I think that use of this term was unfortunate because it invites comparison with classical approaches to evidence gathering and standards. It is not possible to "image" a reality that is constantly changing. A "smear," on the other hand, is a pejorative term which assumes that a changing reality cannot therefore be measured accurately.
My first thought was to rephrase the question of what to call something that changes during the course of the collection process. What would we call something like this? As George has pointed out, it's not an "image", and the term "smear" denotes something that cannot be measured accurately. I asked the question in my previous email: if "smear" assumes a change that cannot be accurately measured, how would one accurately measure the changes that occur to kernel memory during the process of collecting those memory contents with dd.exe? Of course the next step that this leads to is specificity of language for the community. I won't take this off-topic, but suffice to say that while many professions (doctors, lawyers, plumbers, mechanics, etc.) have specific terms that mean very specific things to them, the IT security community (and in particular the IR/forensics community) seems to lack this sort of thing.
> While individual pages of physical memory change at a very rapid rate, the overall structure of physical memory is remarkably stable and offers a basis on which the nature of the changes may be understood. In U.S. v. Al-Hussayen a decrypted password was extracted from a physical memory dump and used to show that the perp had system admin access to several websites associated with material support to terrorist activities.
How was the physical memory dump obtained? Since the user account had admin privileges, one can assume that the account had the necessary privileges associated with it to obtain the dump...so the question becomes, what process was used to obtain the dump, and how was the password string found, and associated with the web sites?
> It all depends on how you present the evidence and what you are trying to show. A wise man recently remarked: "One of the things I'm seeing, or should I say, have been seeing for a while, is a move away from the purist approach to forensics, in that actual practitioners are moving away from the thinking that the process starts by shutting off power to the system."
Based on my conversations with several folks who are actively doing this kind of thing, yes, this seems to be the case. However, there doesn't seem to be a great deal of discussion on this topic...or others mentioned in this post, for that matter. I did see some discussion at HTCIA2004, during Eoghan Casey's presentation...but that was primarily between one member of the audience and Eoghan. During the same conference, I asked the question about using dd.exe to obtain the contents of memory...specifically, I asked what it was used for. One adventurous soul offered that he tried to get it, "in case we need it later." However, aside from running strings, no one offered up any sort of analysis process.
> Even attempts at restating the classical approach depart from that approach rather dramatically, without admitting so. Compare
> http://www.securityfocus.com/archive/104/400960/30/30/threaded
> ("...the foundations of criminalistics and crime scene analysis are based on the notion of 'minimizing' the introduction of changes")
Exactly...minimizing, but documenting the process, as well as those changes that are made.
> with "Good Practices Guide for Computer Based Electronic Evidence," 2003 ("No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court").
I get the impression that in most cases, the word "changed" is focused on in the above statement, without really considering the statement as a whole.
> One of the things that concern me is that we have an emerging practice within the forensic and law enforcement community without any real reflection on its theoretical or hermeneutic underpinnings.
George, what is the "emerging practice" you see? "Emerging practice" to do what? Are you saying that you're seeing an emerging practice within the LEO community to move forward without any open discussion?
> The absence of free and open public reflection and debate on this matter is a serious obstacle to computer forensic aspirations of becoming a scientific discipline.
Agreed. But how do we change that? Several years ago, someone within the community asked me several times what I thought about having a forum/listserv specifically for these purposes. I thought it was a great idea, but that it would go nowhere. I've since seen, time and again, that I was right. First off, my impression is that many of the folks, both within and without the LEO community, that are doing the actual work, are either (a) simply following procedures and methodologies that someone else wrote, or (b) too over-tasked to participate. I can name many that fall under (b)...and yet those are exactly the folks that would be of greatest benefit to "free and open public debates". There are other issues at hand, too...making such a forum "free and open" invites folks from the periphery, who are simply interested in sponging off the forum without contributing. Many within the LEO community will not contribute, simply for that matter...the concern seems to be that they cannot give up their 'secrets' to the 'bad guys'. In addition, many of the forums specifically for the LEO community quickly get reduced to a series of queries for security contacts at large companies. I won't go on with the shortcomings I've seen and experienced in this area, but will say that I would greatly appreciate the opportunity to take part in such a forum, should one be created.
> Conventional forensic doctrine places heavy emphasis on not altering evidence during the acquisition process.
True. However, if a change is introduced to the media that can be measured and thoroughly documented, and shown to NOT alter evidence, should that change have a significant detrimental effect on the prosecution (or defense) of the case?
> But it does not explain the relationship between this principle and the notion of evidentiary reliability as this is understood in forensic science. Aitken and Taroni define reliability in the following manner: "Reliability is the probability of observing strong misleading evidence. This is related to the amount of evidence one has. If one wishes to improve the reliability of one's evidence then the amount collected has to be increased. This is intuitively reasonable." Colin Aitken and Franco Taroni, Statistics and the Evaluation of Evidence for Forensic Scientists, Second Edition (Chichester 2004), 198.
To me, this points back to corroborating evidence. No case should rest upon a single piece of digital evidence. An analyst should always use corroborating evidence to support their findings, as doing so makes each individual piece of evidence more reliable. However, let's look at the issues inherent to the Aitken and Taroni statement. Not even considering terabyte storage issues for the moment, consider the complexity of, say, the Windows operating system. Where does one look for evidence on a system? Let's say an analyst within the LEO community finds three pieces of corroborating evidence...what if I know where else he can look for half a dozen more, particularly in areas that are not covered by his analysis procedures? This has happened at conferences before, where the presenter couldn't answer the question, but there were members of the audience that knew the answer. My point is that there needs to be a way of exchanging information within the community, across "borders". There needs to be an exchange, either through training courses, or by someone simply asking the question, "...what do/can I do now?"
> Reliable evidence is evidence for which the probability of observing strong misleading evidence is kept below a certain tolerable level. We do not approach this question in the abstract. Rather, we must compare the probability of observing strong misleading evidence with physical memory to the probability without this analysis. Increasingly the scale seems to be tipping in favor of considering this so-called "new" evidence.
I like how you put that, George, and I feel very strongly that this is possible...through training and education (even open discussion can be considered training) and documentation of processes and methodologies.

Harlan
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
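The thread turns on whether the change a live acquisition introduces is an unmeasurable "smear" or something that can be measured and documented. The following is an added illustration, not code from this thread or from any of its participants, of one way an examiner can quantify that change: take two successive acquisitions of the same physical-memory region, hash each page, and record exactly which pages differ between passes and by what fraction, alongside a whole-dump hash for each pass. The sample dumps are constructed in the script (sixteen 4 KiB pages, two of which are altered between passes to stand in for kernel structures that moved during acquisition); the 4 KiB page size and the "same region, two passes" setup are assumptions of the example, not facts from the thread.

```python
import hashlib

PAGE_SIZE = 4096  # assumed x86 page size; the page is the natural unit for comparing passes


def page_hashes(dump: bytes, page_size: int = PAGE_SIZE) -> list:
    """SHA-256 of each page_size slice of the dump, in address order."""
    return [
        hashlib.sha256(dump[off:off + page_size]).hexdigest()
        for off in range(0, len(dump), page_size)
    ]


def compare_dumps(first: bytes, second: bytes, page_size: int = PAGE_SIZE) -> dict:
    """Measure how much changed between two acquisitions of the same region.

    Returns the indices of the pages whose contents differ and the fraction
    of pages that changed, so the change is a documented quantity rather
    than an assumed, unquantified "smear".
    """
    if len(first) != len(second):
        raise ValueError(
            "acquisitions cover different sizes: %d vs %d" % (len(first), len(second))
        )
    h1 = page_hashes(first, page_size)
    h2 = page_hashes(second, page_size)
    changed = [i for i, (a, b) in enumerate(zip(h1, h2)) if a != b]
    return {
        "total_pages": len(h1),
        "changed_pages": changed,
        "changed_fraction": len(changed) / len(h1) if h1 else 0.0,
    }


def acquisition_record(label: str, dump: bytes, page_size: int = PAGE_SIZE) -> dict:
    """Chain-of-custody style record: what was captured and its whole-dump hash."""
    return {
        "label": label,
        "size_bytes": len(dump),
        "pages": (len(dump) + page_size - 1) // page_size,
        "sha256": hashlib.sha256(dump).hexdigest(),
    }


def make_sample_dumps(pages: int = 16, page_size: int = PAGE_SIZE):
    """Constructed sample input (not a real memory dump).

    Pass one: page i is filled with the byte value i.  Pass two: identical
    except pages 3 and 9, which stand in for kernel structures (a process
    list, say) that changed while the first pass was still being taken.
    """
    first = b"".join(bytes([i]) * page_size for i in range(pages))
    second = bytearray(first)
    for changed_page in (3, 9):
        start = changed_page * page_size
        second[start:start + 8] = b"\xff" * 8  # overwrite the first 8 bytes of the page
    return first, bytes(second)


if __name__ == "__main__":
    pass_one, pass_two = make_sample_dumps()
    for rec in (acquisition_record("pass-1", pass_one),
                acquisition_record("pass-2", pass_two)):
        print(rec)
    print(compare_dumps(pass_one, pass_two))
```

Run as a script, it prints the two acquisition records (differing whole-dump hashes) and then reports pages 3 and 9 as changed, 2 of 16 pages (0.125). The point of keeping the whole-dump hash and the per-page diff together is that the former alone only tells you the two passes differ, while the latter documents where and how much, which is the measurement the thread asks for.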