CHAPTER 6
Testing Your Tools
We’ll Cover

•   How and when to test your tools
•   Where to get test evidence
•   How and where to access forensic challenges
•   How and where to access tool testing images

In Chapter 5, you learned how to choose your forensic imaging method, and in Chapter 8, you will learn about forensically imaging a system. In this chapter, you’ll learn about the tools and techniques you can use to test the forensic tools and procedures you use.
The first thing you need when you are going to test something is something to test against. If you already work in an established laboratory with ample evidence at your disposal, you can try to re-solve old cases, unless restrictions prevent you from accessing the evidence except for use in the original investigation. Alternatively, if you have the time to create sample images and know what you are trying to test for, you can set up test machines to image and look for what you have created.
The problem with both of these examples, however, is that they presume that you know the solution, or at least you know how to find the solution to the computer forensic puzzle before you. For this reason, many organizations—academic, government, and commercial—have created documented test images that will allow you to attempt to solve their scenario with supporting documentation when you need help.
In other cases, it’s not learning a new forensic technique in a controlled environment for an examination you are preparing for, but rather testing to see if your tool is correctly interpreting an artifact. In such a case, obtaining a documented test image will allow you to compare the results of different tools so that you can cross-validate your results if you are unsure or challenged on a finding.
When Do You Need to Test
An investigator usually decides to look for test images for three reasons:

•   To collect data for public research or presentations
•   To test a forensic method
•   To test a tool
Collecting Data for Public Research or Presentations
As you expand your skills and knowledge in the field of computer forensics, you may find new and novel ways to accomplish analysis, or you may discover new computer forensic methods. When you present your findings, however, the original evidence that you examined when you discovered the technique will likely be confidential. This means that you can’t publicly disclose how you proved that the artifact existed and what it meant.
In such cases, you’ll need to re-create your findings either on a test forensic image that you create yourself or on someone else’s test forensic image that they’ve made publicly available. Presenting your findings, in the form of a blog, paper, or conference presentation, for example, means that you must grant other people the means to re-create your work. It would not be very helpful, of course, if you told them about some great thing you discovered but couldn’t explain how they might re-create it for themselves. In addition, if you were to go to a court of law, you would have to disclose your method, since the opposing expert will be allowed to verify your findings.
Testing a Forensic Method
When you are testing a method you have never attempted before, it is wise to use it in a controlled environment first, such as a forensic test image. This can apply to a new forensic imaging method, artifact recovery, or analysis technique that you are attempting for the first time. For instance, if you are attempting to recover deleted event log entries from Microsoft Windows, it makes sense to create or obtain a test image known to contain deleted event log entries. This allows you to determine whether your method is working correctly, because if you were to apply the method incorrectly, you would not recover any deleted event log entries. If you were to use the new method without testing, you might think your method worked, but you may have actually missed additional evidence because you weren’t yet adept at working with the new method. Whether you use a preexisting test forensic image or create one yourself, the important thing is to understand what is contained within it so you can create good tests.
Testing a Tool
In much the same context, if you are using a tool for the first time, being able to test it against a test image means you can assure yourself that you are operating the tool correctly. If you were using a search tool for the first time, or you were using a new search feature of a tool you already use, searching for data that you know to exist in different ways will allow you to discover how your tool supports different search syntax. Even testing new versions of tools to see if their behaviors have changed can be helpful.
In Actual Practice
I have an evidence room full of old cases that I can use for testing new tools. When I get a new version of software that includes a new feature or a change to an existing feature, I will typically test the tool using a previously solved case to see how it works.
Where to Get Test Evidence
Getting access to evidence to use in testing a new tool was problematic in the early days of computer forensics, when most investigators treated their research as a secret and barely even shared it on members-only web forums. In those days, we had to create our own test images—a time-intensive process—or test our own systems. Testing your own system can be a risky proposition if someone demands to see how you tested it and you expose your own data to them in the process.
In Actual Practice
Even worse than exposing your own data is exposing your clients’ data. If you are working to re-create something that may be shown to people who are not authorized to review the client data, you’ll find that making a new test image to work from is even more important.
Since those bad old days, life has gotten a lot easier. Today, you can use multiple public sources of test evidence in your testing. You’ll find forensic challenges and collections of images that are made specifically for tool testing available to download for free. Most of these images are raw images, so you don’t have to worry about what tool you are using for testing. You can still create your own test evidence, and there are times when that will be your only option.
LINGO
A raw image, also called a “dd image,” is a forensic image that has no container wrapped around it.
Raw Images
The EnCase forensic image format called e01 puts the contents of a forensic image in a compressible form, with its hashes contained within the same image. Other forensic image formats, such as AFF (Advanced Forensics Format, an open source forensic image format), .S01 (a raw image in a compressed .gz [gzip] format with hashes and geometry in a separate file), or AD1 (AccessData’s logical forensic image format), are also forensic images made to be loaded into a tool but not supported by every tool. Raw images are just the contents of a piece of media dumped into either a single file or a series of files segmented by a fixed file size. (The industry used to segment images into 640 MB because that is the maximum size file that could be burned to a CD-ROM.)
The most common tool used to create raw images is dd, which stands for data description; it creates copies of just about any type of data without trying to interpret or convert that data, unless told to, leading to reliable forensic images. dd is an open source tool that is available on every major platform. Because the images are just dumps of a raw disk or device, every tool supports the image format. The other added benefit of raw images is that they can be mounted as disks within tools such as VMware to experience the system as the user did.
Creating Your Own Test Images
There are times when you are trying to test something but you have no test image. This may occur because you are testing a server-based application that is not included in most test images, such as e-mail servers like Microsoft Exchange or database servers like Oracle. Or you might need to test a specific version of an operating system or application and no test image is available. In such cases, you can create two types of test images that involve different levels of effort.
Creating a Test Image from a Virtual Machine
If you do not need to test any results from the unallocated space, a virtual machine may be the best place to create your test image. Although you can create a fixed disk within a virtual machine that you can use to create a full image, a virtual machine is able to take snapshots of the active image as it changes. This will let you isolate system states for closer examination to see what changes occur as you interact with whatever artifact you are trying to re-create.
If you choose to create a test image from a virtual machine, you should do the following:
 
1.  Install the operating system you are testing into a new virtual machine (using your choice of software).
2.  Install the same applications and service packs/patches that are installed on the system you are re-creating. This is important to ensure that the same environment exists on both systems.
3.  Create the type of data you are trying to recover or re-create.
4.  Exit the virtual machine and either make a forensic image of it or feed it into your forensic tool directly.
Creating a Test Image from a Full System
Sometimes you need to test not only the functionality and artifact creation of an application or operating system, but you must also attempt to recover things from the unallocated space of the disk. In such cases, you can either work with a full image in a virtual machine or a fresh install on a new system that you can image afterward. Why a fresh install? Because you do not want software that may change or affect your results running on the system from an existing install.
If you create a test image from a full system, this is what you need to do:
 
1.  Install the operating system on a new drive.
2.  Install the same applications and patches that were running on the system you are trying to re-create.
3.  Create the data you are trying to recover or re-create.
4.  Create a forensic image of the disk. Unlike virtual machines, feeding in the drive directly to your forensic tool may change the state of your test evidence unless you hook it up via a write blocker. But even if you hook it up to a write blocker, we recommend that you create a forensic image.
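As an added example that is not code from the book, the following POSIX shell script ties together the raw-image discussion earlier in the chapter (segmented dd images with hashes) and the imaging and tool-testing steps just described. It builds a small constructed test disk with keywords planted at known offsets, images it with dd into fixed-size raw segments (4 KB here instead of the 640 MB segments mentioned earlier), records SHA-256 hashes of the segments and checks that the reassembled segments hash the same as the source, and then runs the simplest tool test the chapter describes: a keyword search checked against a manifest of what was planted. One keyword is deliberately written across a segment boundary, so a search that processes segment files one at a time misses it while a search over the reassembled stream finds it. Assumptions: GNU coreutils (dd, sha256sum, mktemp) and GNU grep; file names, offsets, and keywords are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the book): build a constructed test disk, image it with dd
# into fixed-size raw segments, verify hashes, and check a keyword search against the
# manifest of planted strings. Assumes GNU coreutils (dd, sha256sum) and GNU grep.
set -eu

SEG_BYTES=4096                      # segment size; the text mentions 640 MB in practice
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DISK="$WORK/testdisk.raw"           # constructed "media" that we will image
PREFIX="$WORK/image.raw"            # segments become image.raw.001, .002, ...

# 1. Constructed test media: three segments' worth of zero-filled space.
dd if=/dev/zero of="$DISK" bs="$SEG_BYTES" count=3 2>/dev/null

# 2. Plant keywords at known offsets. This is the manifest the tool test is judged against.
plant() {  # plant <offset> <string>
  printf '%s' "$2" | dd of="$DISK" bs=1 seek="$1" conv=notrunc 2>/dev/null
}
plant 100  "FORENSIC-TEST-ALPHA"    # sits entirely inside segment 001
plant 4090 "SPLIT-MARKER"           # 12 bytes at 4090..4101: straddles segments 001/002

# 3. Image the media into fixed-size raw segments, as a segmented dd image is laid out.
#    Prints the number of segments written.
image_segmented() {  # image_segmented <source> <output prefix>
  src=$1; out=$2; size=$(($(wc -c < "$src"))); n=1; skip=0
  while [ $((skip * SEG_BYTES)) -lt "$size" ]; do
    dd if="$src" of="$out.$(printf '%03d' "$n")" bs="$SEG_BYTES" skip="$skip" count=1 2>/dev/null
    n=$((n + 1)); skip=$((skip + 1))
  done
  echo $((n - 1))
}

# 4. Hashing: the source, each segment (hash log), and the segments reassembled in order.
hash_file()     { sha256sum "$1" | cut -d' ' -f1; }                        # <file>
hash_segments() { cat "$1".[0-9][0-9][0-9] | sha256sum | cut -d' ' -f1; }  # <prefix>
verify_image()  { [ "$(hash_file "$DISK")" = "$(hash_segments "$PREFIX")" ]; }

SEGMENTS=$(image_segmented "$DISK" "$PREFIX")
sha256sum "$PREFIX".[0-9][0-9][0-9] > "$WORK/segment-hashes.txt"   # per-segment hash log

# 5. Tool test: a keyword search must report exactly the planted offsets.
#    search_segments mimics a tool that searches each segment file on its own;
#    search_stream searches the reassembled image as one byte stream.
search_segments() {  # search_segments <keyword> -> absolute offset or "missing"
  i=0
  for f in "$PREFIX".[0-9][0-9][0-9]; do
    local_off=$(LC_ALL=C grep -boaF -- "$1" "$f" | head -n 1 | cut -d: -f1)
    if [ -n "$local_off" ]; then echo $((i * SEG_BYTES + local_off)); return 0; fi
    i=$((i + 1))
  done
  echo missing
}
search_stream() {    # search_stream <keyword> -> absolute offset or "missing"
  off=$(cat "$PREFIX".[0-9][0-9][0-9] | LC_ALL=C grep -boaF -- "$1" | head -n 1 | cut -d: -f1)
  if [ -n "$off" ]; then echo "$off"; else echo missing; fi
}

echo "segments written: $SEGMENTS"
echo "reassembled image matches source hash: $(verify_image && echo yes || echo no)"
for kw in FORENSIC-TEST-ALPHA SPLIT-MARKER; do
  echo "$kw: per-segment search -> $(search_segments "$kw"), stream search -> $(search_stream "$kw")"
done
```

The point of the boundary-straddling keyword is the same point the chapter makes about knowing what is in your test image: a tool that reports only one of the two planted strings is not wrong about the string it found, and you would never notice the miss unless the manifest told you what should have been there.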
Note
If you are using virtual machines for your test images, most forensic tools can now read the disk files directly, saving you a step on reimaging them as you try to re-create your artifact. EnCase, FTK, and FTK Imager all support reading virtual disk files, including VMware.
In Actual Practice
In addition to creating test images, you can create a bootable image out of an existing forensic image without modifying its contents. Using programs such as SmartMount from ASR Data or Live View, you can boot a forensic image inside of a virtual machine. Any changes you make will be stored in an “overlay” file, so they will never affect the forensic image itself. Obviously, it’s a good idea to do this on a copy of the forensic image and not the original forensic image you made. With the original system booted into a virtual environment, you can try to re-create events using the exact configuration that your suspect used, which can yield very reliable results.
Forensic Challenges
Sometimes you are not looking to re-create an artifact but to test your skills or learn some new ones. To help you and others do so, many organizations have created challenges that help you test your skills. Some challenges are made to let you compete against other examiners, with points awarded for the speed and thoroughness of finding an artifact. Others will ask you to solve a puzzle with published answers so you can have a helping hand if you can’t solve it on your own.
As you progress as an examiner, you might want to enter some of your own forensic challenges. Remember that they will not be easy, so don’t be disappointed if you don’t come out on top in your first attempt.
Learn Forensics with David Cowen on YouTube
You’ll find sample images and challenges for each of the analysis chapters in this book at this YouTube site. You’ll find videos explaining how to work through each of them. Come on by and subscribe to extend your learning experience!
Honeynet Project
The Honeynet Project was originally founded as an Internet security research organization that focused on creating and publicly releasing honeypots—purposely vulnerable virtual systems in which researchers could observe attackers who broke into these systems. This research has grown to include a variety of malware and attack analyses that led to computer forensic research as well.
Honeynet Project Challenges
Here you’ll find current challenges that range from malware analysis to protocol analysis and computer forensic analysis. At the time of writing, three forensic challenges on this page have been answered and are available for you to test your skills. (Notice I said “skills,” as luck will likely not help you.)
The Original Honeynet Project Challenge
The first Honeynet forensic challenge is also the most well-documented one. If you are looking to learn more about computer forensics or to learn more about Linux forensics, this is a great starting point.
Note
In the answers to the challenges, you’ll notice that most people use open source tools. Remember that an artifact can be recovered with any forensic tool that supports recovering it. So, for example, if you are using EnCase or FTK, you can solve the same challenges being worked on with The Sleuth Kit or other open source tools. The steps to solve the challenge will be different, but if you understand what is being asked for and how your tools work, you should be able to solve the challenge using any tool. This applies to any forensic challenge and not just the original Honeynet project challenge.
DC3 Challenge
The Department of Defense Cyber Crime Center (DC3) has been hosting forensic challenges yearly since 2007. The DC3 challenges are made not only to test the skills of computer forensic examiners, but also to advance the state of the art of computer forensics. To compete successfully in an active DC3 challenge, you not only have to recover artifacts, but you also have to develop new tools that you provide to the contest to solve previously unsolved questions. Teams of up to four individuals can compete and win prizes for solving and developing solutions to the year’s hardest problems.
If you don’t feel up to the current year’s challenge, don’t worry. The past years’ challenges are all online with their answers, so you can keep learning without having to worry about who is judging you.
In Actual Practice
If you are thinking about participating in the DC3 challenge, make sure you inform your employer first, because to enter the contest, you must agree to provide to the public the source code of all tools made for the contest and techniques used to solve the challenge.
DFRWS Challenge
The Digital Forensic Research Workshop (DFRWS) is a yearly conference that brings together individuals who are researching new computer and other digital device forensic techniques. Researchers from academia, government, and commercial enterprises come together to network and share information. Along with the conference is a yearly forensic challenge that focuses on a digital device—in the 2010 challenge that you’ll find at this URL, the device is a camera. If you are looking to expand your computer forensics skills beyond standard file systems and out to the cutting edge, these challenges will help.
SANS Forensic Challenges
The SANS challenge is well documented and includes a full scenario to help you get into the investigative mindset. Although, so far, SANS has issued only one challenge (it was a contest at the time), look for more from them in the future.
High School Forensic Challenge
If you are looking for a more novice-friendly entry into forensic challenges, this is a good place to start. The Polytechnic Institute of New York University (NYU-Poly) runs this yearly competition that allows high school students to test their computer forensic skills.
Note
Unless you are part of a team of high school students, you can’t compete, but you can view prior years’ images and answers at http://www.poly.edu/csaw-forensics/previous-winners.
Collections of Tool Testing Images
If you want to test whether a tool is working as intended, you’ll find a special set of forensic images created especially for that purpose. These images are purpose-built to determine whether the forensic tool you are testing can find data, keywords, or artifacts that were placed within the image.
Digital Forensic Tool Testing Images
The Digital Forensic Tool Testing (DFTT) project is an open source effort to create small purpose-built forensic images that can test individual forensic tasks. Tests available at the time of this writing include the following:

•   Detecting extended partitions
•   Finding a word in a FAT/NTFS/EXT3 file system
•   Correctly handling daylight savings when retrieving files from a FAT file system
•   Correctly recovering a deleted file from a FAT/NTFS file system
This set of images is then tested against tools, and their results are submitted to the project for public viewing. The images are meant for tests that are smaller and less formal than those that NIST offers (more about NIST next), but they are equally valid in their conclusions.
If you are looking to test a tool that is new to you or to test a tool you have developed, these forensic images can be very helpful.
NIST Computer Forensics Reference Data Sets Images
The U.S. government–funded National Institute of Standards and Technology (NIST) has devoted a project to creating test images for tool testing. The Computer Forensic Reference Data Sets (CFReDS) project currently offers 11 forensic images with answers on how they should be solved using any forensic tool. If you want to do a more extended test of your forensic tool, these images will help you more than the DFTT images.
The Hacking Case
This forensic image is particularly useful because it is so well structured. The image provides enough forensic artifacts within it to allow you to answer 31 questions based on the user’s activities and application settings. If you are looking for a good case to use for training or to perform an extended test of a forensic tool, this is a great one.
NIST Computer Forensics Tool Testing
This site offers prewritten reports that thoroughly document specific tests performed on computer forensic hardware and software. As of this writing, the NIST Computer Forensic Tool Testing (CFTT) program is testing hardware and software that perform one of the following tasks, and it provides the results of these tests to the public:

•   Forensic imaging
•   Forensic media preparation
•   Write blocking
•   Deleted file recovery
•   Mobile devices
•   String searches
Note
Overachiever? Already need more? Good for you! An updated list of sample evidence files is maintained by the Digital Forensics Association. You can find their list at http://www.digitalforensicsassociation.org/evidence-files/.
We’ve Covered
In this chapter, we discussed how to solve the problems that most examiners encounter early on—how to test their tools and get the images for testing. Knowing where to obtain test images and how to test your own tools or techniques is an important step in your career. Keep this chapter handy as you progress in your skills; you’ll want to come back to these images often. In the next chapter, we’ll review forensic analysis of live systems and when to employ these techniques versus traditional postmortem forensics.
How and when to test your tools

•   You learned why you need to test your tools.
•   You learned when you need to test your tools.
Where to get test evidence

•   You learned how to create your own test images.
•   You learned about the differences among several test image creation techniques.
How and where to access forensic challenges

•   What challenges are out there?
•   Which challenges are friendlier to novices?
•   Which challenges are made for more experienced investigators?
How and where to access tool testing images

•   You learned about simple forensic tool testing images.
•   You learned about complex forensic tool testing images.
•   You learned about computer forensic tool test reports.