Security Incidents mailing list archives

part deux, was -> RE: Digital forensics of the physical memory


From: Harlan Carvey <keydet89 () yahoo com>
Date: Sun, 19 Jun 2005 05:24:15 -0700 (PDT)

George and Ben,

After further consideration, I wanted to add some
additional thoughts...

The original author does at one point use the term
"image" to describe his
evidence collection process.  I think that use of
this term was unfortunate
because it invites comparison with classical
approaches to evidence
gathering and standards.  It is not possible to
"image" a reality that is
constantly changing.  A "smear," on the other hand,
is a pejorative term
which assumes that a changing reality cannot
therefore be measured accurately.  

My first thought was to rephrase the question of what
to call something that changes during the course of
the collection process.  What would we call something
like this?  As George has pointed out, it's not an
"image", and the term "smear" denotes something that
cannot be measured accurately.

I asked the question in my previous email, that if
"smear" assumes a change that cannot be accurately
measured, how would one accurately measure the changes
that occur to kernel memory during the process of
collecting those memory contents with dd.exe?

Of course the next step that this leads to is
specificity of language for the community.  I won't
take this off-topic, but suffice to say that while
many professions (doctors, lawyers, plumbers,
mechanics, etc) have specific terms that mean very
specific things to them, the IT security community
(and in particular the IR/forensics community) seems
to lack this sort of thing.

While individual pages of physical memory change at
a very rapid rate, the
overall structure of physical memory is remarkably
stable and offers a basis
on which the nature of the changes may be
understood.  In U.S. v.
Al-Hussayen a decrypted password was extracted from
a physical memory dump
and used to show that the perp had system admin
access to several websites
associated with material support to terrorist
activities. 

How was the physical memory dump obtained?  

Since the user account had admin privileges, one can
assume that the account had the necessary privileges
associated with it to obtain the dump...so the
question becomes, what process was used to obtain the
dump, and how was the password string found, and
associated with the web sites?

It all depends on
how you present the evidence and what you are trying
to show. 

A wise man recently remarked:

"One of the things I'm seeing, or should I say, have
been seeing for a
while, is a move away from the purist approach to
forensics, in that actual
practitioners are moving away from the thinking that
the process starts by
shutting off power to the system."

Based on my conversations with several folks who are
actively doing this kind of thing, yes, this seems to
be the case.  However, there doesn't seem to be a
great deal of discussion on this topic...or others
mentioned in this post, for that matter.  I did see
some discussion at HTCIA2004, during Eoghan Casey's
presentation...but that was primarily between one
member of the audience and Eoghan.  

During the same conference, I asked the question about
using dd.exe to obtain the contents of
memory...specifically, I asked what it was used for. 
One adventurous soul offered that he tried to get it,
"in case we need it later."  However, aside from
running strings, no one offered up any sort of
analysis process.
 
Even attempts at restating the classical approach
depart from that approach
rather dramatically, without admitting so.  Compare

http://www.securityfocus.com/archive/104/400960/30/30/threaded
("...the
foundations of criminalistics and crime scene
analysis are based on the
notion of 'minimizing' the introduction of changes")

Exactly...minimizing, but documenting the process, as
well as those changes that are made.

with "Good Practices
Guide for Computer Based Electronic Evidence," 2003
("No action taken by law
enforcement agencies or their agents should change
data held on a computer
or storage media which may subsequently be relied
upon in court").

I get the impression that in most cases, the word
"changed" is focused on in the above statement,
without really considering the statement as a whole.

One of the things that concerns me is that we have an
emerging practice
within the forensic and law enforcement community
without any real
reflection on its theoretical or hermeneutic
underpinnings.  

George, what is the "emerging practice" you see? 
"Emerging practice" to do what?  Are you saying that
you're seeing an emerging practice within the LEO
community to move forward without any open discussion?

The absence of
free and open public reflection and debate on this
matter is a serious
obstacle to computer forensic aspirations of
becoming a scientific discipline.

Agreed.  But how do we change that?  

Several years ago, someone within the community asked
me several times what I thought about having a
forum/listserv specifically for these purposes.  I
thought it was a great idea, but that it would go
nowhere.  I've since seen, time and again, that I was
right.

First off, my impression is that many of the folks,
both within and without the LEO community, that are
doing the actual work, are either (a) simply following
procedures and methodologies that someone else wrote,
or (b) too over-tasked to participate.  I can name
many that fall under (b)...and yet those are exactly
the folks that would be of greatest benefit to "free
and open public debates".  

There are other issues at hand, too...making such a
forum "free and open" invites folks from the
periphery, who are simply interested in sponging off
the forum without contributing.  Many within the LEO
community will not contribute, simply for that
matter...the concern seems to be that they cannot give
up their 'secrets' to the 'bad guys'.  In addition,
many of the forums specifically for the LEO community
quickly get reduced to a series of queries for
security contacts at large companies.

I won't go on with the shortcomings I've seen and
experienced in this area, but will say that I would
greatly appreciate the opportunity to take part in
such a forum, should one be created.

Conventional forensic doctrine places heavy emphasis
on not altering
evidence during the acquisition process. 

True.  However, if a change is introduced to the media
that can be measured and thoroughly documented, and
shown to NOT alter evidence, should that change have a
significant detrimental effect on the prosecution (or
defense) of the case?  

But it does not explain the
relationship between this principle and the notion
of evidentiary
reliability as this is understood in forensic
science.  Aitken and Taroni
define reliability in the following manner:

"Reliability is the probability of observing strong
misleading evidence.
This is related to the amount of evidence one has. 
If one wishes to improve
the reliability of one's evidence then the amount
collected has to be
increased.  This is intuitively reasonable."  Colin
Aitken and Franco
Taroni, Statistics and the Evaluation of Evidence
for Forensic Scientists.
Second Edition (Chichester 2004), 198.

To me, this points back to corroborating evidence.  No
case should rest upon a single piece of digital
evidence.  An analyst should always use corroborating
evidence to support their findings, as doing so makes
each individual piece of evidence more reliable.

However, let's look at the issues inherent to the
Aitken and Taroni statement.  Not even considering
terabyte storage issues for the moment, consider the
complexity of, say, the Windows operating system. 
Where does one look for evidence on a system?  Let's
say an analyst within the LEO community finds three
pieces of corroborating evidence...what if I know
where else he can look for half a dozen more,
particularly in areas that are not covered by his
analysis procedures?  This has happened at conferences
before, where the presenter couldn't answer the
question, but there were members of the audience that
knew the answer.

My point is that there needs to be a way of exchanging
information within the community, across "borders". 
There needs to be an exchange, either through training
courses, or by someone simply asking the question,
"...what do/can I do now?" 
 
Reliable evidence is evidence for which the
probability of observing strong
misleading evidence is kept below a certain
tolerable level.  We do not
approach this question in the abstract.  Rather, we
must compare the
probability of observing strong misleading evidence
with physical memory to
the probability without this analysis.  Increasingly
the scale seems to be
tipping in favor of considering this so-called "new"
evidence.

I like how you put that, George, and I feel very
strongly that this is possible...through training and
education (even open discussion can be considered
training) and documentation of processes and
methodologies.  

Harlan



------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------