Dark Data and Missing Evidence
Rob Zirnstein, President
Forensic Innovations
January 13th, 2011
Darth Vader?
• No, “Dark Data”, but they both
– Are often associated with evil
– Keep secrets (“Luke, I’m your father”)
– Are potentially harmful
Dark Matter?
• No, “Dark Data”! But they both
– Go undetected
– Are surrounded by detectable stuff
– Affect things around them
What is Dark Data?
• Dark Data in our digital devices
– Everyone creates it (unintentionally)
– Criminals may hide it (Anti-Forensics)
– Forensic tools can’t see it
– But it is there!
• Data that we can’t see
– On our hard drives
– On our flash drives
– In our computer files
Where is Dark Data?
• DCO & HPA
• Unformatted Disk Space
• Deleted Files
• Unknown Files
• Between Files
• Inside Common Files
• Deleted Data Objects
Hard Drive Layout
• Device Configuration Overlay (DCO)
– http://www.forensicswiki.org/wiki/SAFE_Block_XP
– Data Cleaner+ http://www.mp3cdsoftware.com/blancco---data-cleaner--download-16317.htm
– http://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf
• Host Protected Area (HPA)
– http://www.thinkwiki.org/wiki/Hidden_Protected_Area
– Forensic Duplicator http://www.tableau.com/pdf/en/Tableau_TD1_Product_Brief.pdf
– HDD Capacity Restore Tool http://hddguru.com/software/2007.07.20-HDD-Capacity-Restore-Tool/
• Unformatted Disk Space
Deleted Files
• Deleted Files aren’t really gone?
– Unused Disk Space (in a volume)
– Disk Caches / Swap Files
– Windows Recycle Bin
• Are they hard to recover?
– Fragmentation is deadly
– Large databases tend to be heavily fragmented
– Even DFRWS Researchers find that fragmentation can make some file types impossible to recover (http://www.dfrws.org/2007/challenge/results.shtml)
Unknown Files (1)
• 500 types of files handled by eDiscovery, Document Management & Computer Forensics Tools
• 50,000+* types of files in the world
• 5,000 types of files typically in use
*http://filext.com
Unknown Files (2)
[Figure: side-by-side file type identification comparison. Typical Tools (23 wrong files) vs. FI Tools (26 correct files)]
Between Files
• Alternate Data Streams (ADS)
– Files hiding behind files (on NTFS)
• RAM Slack
– Padding between the end of a file and the end of the current sector
– Typically zeros, sometimes random content
• File/Cluster/Residual/Drive Slack
– Padding between sectors used & the end of the current cluster
– Previous sector content that should be used in File Carving
– http://www.forensics-intl.com/def6.html
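As an added illustration (not part of the original slides), the following Python computes where RAM slack and file slack sit for a file of a given size and scans a constructed cluster image for residual content in those regions; the 512-byte sector and 4096-byte cluster sizes are assumptions, and the sample cluster is constructed.

```python
SECTOR = 512      # assumed sector size in bytes
CLUSTER = 4096    # assumed cluster (allocation unit) size in bytes


def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Return the two slack regions of a file's last cluster as
    {name: (offset_from_file_start, length)}.
    RAM slack: from the end of the file data to the end of its last sector.
    File slack: from the end of that sector to the end of the last cluster.
    Either region is empty when the file ends exactly on that boundary."""
    sector_end = -(-file_size // sector) * sector      # ceil to sector
    cluster_end = -(-file_size // cluster) * cluster   # ceil to cluster
    return {
        "ram_slack": (file_size, sector_end - file_size),
        "file_slack": (sector_end, cluster_end - sector_end),
    }


def inspect_slack(allocation, file_size, sector=SECTOR, cluster=CLUSTER):
    """Scan the slack regions of an allocated extent (bytes) and report, per
    region, how many non-zero bytes it holds plus a short preview.  Non-zero
    file slack is residual content left by a previous occupant of the cluster."""
    report = {}
    for name, (offset, length) in slack_layout(file_size, sector, cluster).items():
        region = allocation[offset:offset + length]
        nonzero = sum(1 for b in region if b)
        preview = region.rstrip(b"\x00")[:32] if nonzero else b""
        report[name] = {"offset": offset, "length": length,
                        "nonzero_bytes": nonzero, "preview": preview}
    return report


def build_sample_cluster():
    """Constructed sample: one 4096-byte cluster holding a 700-byte file,
    zero-filled RAM slack, and leftover text from an earlier file in the
    remaining sectors (the 'previous sector content' the slide refers to)."""
    file_data = b"A" * 700
    ram_slack = b"\x00" * (1024 - 700)
    residual = b"CONFIDENTIAL: draft memo from deleted file".ljust(CLUSTER - 1024, b"\x00")
    return file_data + ram_slack + residual, len(file_data)


if __name__ == "__main__":
    cluster, size = build_sample_cluster()
    for region, info in inspect_slack(cluster, size).items():
        print(region, info)
```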
Inside Common Files
• Deleted Objects
– Ex: Adobe PDF & MS Office 2003 (OLE) not removing deleted data (change tracking)
• Smuggled Objects
– Ex: MS Office 2007 (Zip) and MS Wave (RIFF) formats ignore foreign objects
• Object / Stream Slack
– Ex: OLE objects have sector size issues, just like with disk sectors
• Field Slack
– Ex: Image files that don’t use the whole palette, and/or less than 8/16/32/48 bpp
– Steganography
Smuggled Objects
• Some formats ignore foreign objects
– MS Office 2007 (Zip)
– MS Wave (RIFF)
• This example
– I added a file to a Word 2007 document.
– The document opens without any error.
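An added detection example for the Zip-based Office 2007 case above (not code from the talk or from Forensic Innovations): an OOXML package declares every part it uses in [Content_Types].xml, so a zip entry that no <Override> names and whose extension no <Default> registers is a candidate for a smuggled object. The package built here is a constructed minimal stand-in, not a real Word file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def find_foreign_parts(package_bytes):
    """Return zip entries that the package's own [Content_Types].xml does not
    account for: no <Override> names the part and no <Default> covers its
    extension.  An application that ignores such entries opens the file
    normally, so these are the entries an examiner should look at."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        types = ET.fromstring(z.read("[Content_Types].xml"))
        default_exts = {d.get("Extension").lower() for d in types.iter(CT_NS + "Default")}
        overrides = {o.get("PartName") for o in types.iter(CT_NS + "Override")}
        foreign = []
        for name in z.namelist():
            if name == "[Content_Types].xml" or name.endswith("/"):
                continue                      # the manifest itself / directory entries
            base = name.rsplit("/", 1)[-1]
            ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if "/" + name not in overrides and ext not in default_exts:
                foreign.append(name)
        return foreign


def build_sample_package(with_smuggled_file):
    """Constructed sample: a minimal OOXML-style zip (not a real Word file)
    with a document part, its rels, and optionally a foreign .bin entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '</Types>')
        z.writestr("_rels/.rels", "<Relationships/>")
        z.writestr("word/document.xml", "<document/>")
        if with_smuggled_file:
            z.writestr("word/media/payload.bin", b"constructed smuggled content")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_foreign_parts(build_sample_package(True)))   # ['word/media/payload.bin']
```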
Deleted Data in Slack
Deleted Data that evades Redaction
Steganography
Intentional Data Hiding
Is Dark Data Important?
• Cases are won or lost based on the ability to find the evidence.
– The strongest evidence may be hidden accidentally or intentionally.
• Corporate Digital Assets may be lost, but recoverable.
• Employee misconduct is tracked by the hidden trail of improper acts.
• Intellectual Property theft can put a company out of business.
– Identify in-house criminals by detecting smuggled data before it leaves.
Dark Data Can Be Fragile
– Live Forensics software tools run on the live system.
• The RAM that they use affects the memory cache files on the hard drive.
• The running computer deletes, fragments & overwrites files on the hard drive constantly.
• Hard drive activity can destroy Dark Data!
– Dark Data must be collected first!
• Before other tools interfere with the data.
1. Image RAM
2. Image Hard Drive (when possible)
3. Analyze Unallocated Disk Space
4. Analyze File Slack Space
5. Collect relevant file types
What Does FI Do?
• Create Technologies to Capture Dark Data
– File Investigator
– File Expander
– File Harvester
• Equip Law Enforcement with Tools
– FI TOOLS
– FI Object Explorer
– FI Data Profiler Portable
FI Technologies
• File Investigator
– Discovers Files Masquerading as Other Types
– Identifies 3,953+ File Types
– High Accuracy & Speed
• File Expander
– Discovers Hidden Data within files
– Data missed by all forensic tools
• File Harvester (Under Development)
– Recovers deleted/lost files the rest of the industry can’t
– Will eventually rebuild partial files
Thank you
• Contact
Rob Zirnstein
Rob.Zirnstein@ForensicInnovations.com
www.ForensicInnovations.com
(317) 430-6891