Similar Literature
20 similar records found (search time 31 ms)
1.
Data recovery is an important component of digital forensic research. Although recovering data from hard drives or small-scale mobile devices has been well studied, solid-state disks (SSDs) have a very different internal architecture and some additional functions, and it is not clear whether these differences will have an effect on data recovery. Data scrambling is an additional function of an SSD controller which can improve data reliability but makes data recovery difficult. In this research, dedicated flash software was first introduced that can acquire the physical image of an SSD without destroying the device hardware. Based on this software, a validation experiment was presented to evaluate the effect of data scrambling on data recovery, and the causes of the effect were analyzed. Then two approaches to descrambling the data in the flash chips were proposed and their advantages and disadvantages discussed. After that, a procedure to identify the scrambling seeds that are used to descramble the scrambled data was described. Finally, descrambling software was implemented based on the second descrambling method. The experiment shows that this software can successfully descramble the data from an SSD flash drive regardless of the internal structure of the scrambler in the SSD controller, and can generate an unscrambled physical image on which most existing data-recovery techniques can be effective.

2.
Network-attached storage (NAS) is a system that uses a redundant array of disks (RAID) to create virtual disks comprising multiple disks and provides network services such as FTP, SSH, and WebDAV. Using these services, the NAS's virtual disks store data about individuals or groups, making them a critical analysis target for digital forensics. Well-known storage manufacturers like Seagate, Synology, and NETGEAR use Linux-based software RAID, and they usually support Berkeley RAID (e.g., RAID 0, 1, 5, 6, and 10) as well as self-developed hybrid RAID. Those manufacturers have published data on the introduction and features of hybrid RAID, but there is not enough information to reassemble RAID from a digital forensic perspective. Besides, digital forensic tools (such as EnCase, FTK, X-Ways, and RAID Reconstructor) do not support automatic RAID reassembly for hybrid RAID, so research on hybrid RAID reassembly methods is necessary. This paper analyzes the disk array composed of hybrid RAID and explains the layout of the disk array, the partition layout in hybrid RAID, and the hybrid RAID configuration strategy. Furthermore, it suggests parameters that are required for RAID reassembly and then proposes a hybrid RAID reassembly procedure using them. Finally, we propose a proof-of-concept tool (Hybrid RAID Reconstructor) that identifies hybrid RAID from a disk array and parses RAID parameters.

3.
Chemonucleolysis is a procedure for treatment of low back pain due to discogenic disease in which the drug chymopapain is injected into lumbar disks to produce chemical dissolution of the nucleus pulposus. More than 15,000 cases have been treated by chemonucleolysis world-wide. Anaphylaxis after the injection of chymopapain occurs in about 1% of such cases. The two cases described in this paper are the only known deaths due to anaphylaxis. Both patients suddenly became hypotensive after injection of chymopapain into a disk. One patient died shortly after this, whereas the second patient died of the complications of prolonged shock.

4.
We discuss the problem posed by malicious hard disk firmware towards forensic data acquisition. To this end, we analyzed the Western Digital WD3200AAKX model series (16 different drives) in depth and outline methods for detection and subversion of current state-of-the-art bootkits possibly located in these particular hard disks' EEPROMs. We further extend our analysis to a total of 23 different hard drive models (16 HDDs and 7 SSDs) from 10 different vendors and provide a theoretical discussion on how hard disk rootkits residing in the firmware overlays and/or modules stored in the special storage area on an HDD called the Service Area could be detected. To this end, we outline the various debug interfacing possibilities of the various hard disk drives and how they can be used to perform a live analysis of the hard disk controller, such as dumping its memory over JTAG or UART, or how to access the Service Area via vendor-specific commands over SATA.

5.
《Digital Investigation》2008,5(1-2):29-33
When using certain tools to image drives that contain faulty sectors, the tool may fail to acquire a run of sectors even though only one of the sectors is really faulty. This phenomenon, which we have dubbed "contagious errors", was reported by James Lyle and Mark Wozar in a recent paper presented at DFRWS 2007 [Lyle, J., Wozar, M. Issues with imaging drives containing faulty sectors. Digital Investigation 2007;4S: S13–5.]. Their results agree with our own experience from testing disk imaging software as part of our work for the Swedish National Laboratory of Forensic Science. We have explored the issue further, in order to determine the cause of contagious errors and to find ways around the issue. In this paper we present our analysis of the cause of contagious errors as well as several ways practitioners can avoid the problem. In addition we present our insights into the problem of consistently faulty drives in forensic tool testing.

6.
The rising incidence of assaults involving lachrymator sprays has led to an increase in items being submitted to this laboratory for the analysis of the associated chemical residues. The following work was undertaken to identify an efficient solvent with which to extract the compounds of interest from cotton fabric. The persistence and subsequent recovery of such compounds was also examined following protracted exposure to wind and rain. Ethyl acetate was established as the most efficient solvent of those examined for the extraction of 2-chlorobenzylidenemalononitrile and a range of capsaicins from "CS Gas" and "Pepper" sprays respectively. Controlled experiments undertaken showed that capsaicins were recoverable after 72 h of exposure to the "elements" and 2-chlorobenzylidenemalononitrile was still recoverable after one week.

7.
Establishing correspondence between the upper portion of a white birch sapling, a suspected weapon, and a potential source from a stand of trees was posed to one of us (GMC). A bending force shattered the sapling, precluding physical matching. Three white birch saplings were taken from the same stand of trees in a similar manner. Correspondence was achieved by measuring the width of the annual rings along four radii from a disk cut above and below the break. The regression coefficient of the data from the two disks from the same sapling was r2 = 0.95. Regressing the upper disk against the lower disk of two other saplings resulted in r2 values of 0.26 and 0.17, respectively. The various characteristics that are confined to a wood stem as part of its normal process of growth can be used to eliminate candidate saplings and establish correspondence between two pieces of wood.

8.
Objective: Taking the hard disk, a common computer storage medium, as an example, this paper introduces the application of data recovery techniques in public security work from the perspective of how data is stored. Methods: Depending on the type of hard disk fault (physical or logical), data recovery was performed using the physical characteristics of the disk together with software such as EasyRecovery and Finaldata. Results: Most of the damaged data could be recovered, and the methods were applied to actual cases.

9.
《Digital Investigation》2014,11(3):179-186
Given a disk image of a CCTV system with a non-standard file system, how is the data interpreted? Work has been done in the past detailing the reverse engineering of proprietary file systems and on the process of recovering data from CCTV systems. However, if given a disk image without the CCTV system itself, or if under time constraints, the task becomes much more difficult. This paper explains a different approach to recovering the data and how to make sense of data on a CCTV disk. The method does not require extensive reverse engineering of the CCTV system, or even access to the CCTV system itself.

10.
This paper analyzes the structure of VMware virtual disks in detail and proposes solutions to practical problems encountered in digital forensics, including the virtual mounting of disk images, migration of virtual machine data, searching for virtual disk files, and the examination and recovery of virtual disk data.

11.
File carving is the process of reassembling files from disk fragments based on the file content in the absence of file system metadata. By leveraging both file header and footer pairs, traditional file carving mainly focuses on document and image files such as PDF and JPEG. With the vast amount of malware code appearing in the wild daily, recovery of binary executable files becomes an important problem, especially for the case in which malware deletes itself after compromising a computer. However, unlike image files that usually have both a header and footer pair, executable files only have header information, which makes the carving much harder. In this paper, we present Bin-Carver, a first-of-its-kind system to automatically recover executable files with deleted or corrupted metadata. The key idea is to explore the road map information defined in executable file headers and the explicit control flow paths present in the binary code. Our experiment with thousands of binary code files has shown our Bin-Carver to be incredibly accurate, with an identification rate of 96.3% and recovery rate of 93.1% on average when handling file systems ranging from pristine to chaotic and highly fragmented.

12.
Disk imaging involves copying all of the data from a source disk drive to a target. Typically, the target for the copy is another disk drive. Forensic processes developed years ago do not appear to be adequate for current storage technology. For example, with disk drive capacities now exceeding 1 Terabyte, a typical disk imaging can take over 8 hours at typical rates. With disk drive capacities increasing, forensic copying is expected to take even longer. Along with the increase in disk capacity, the industry has also seen an increase in data transfer rates. In many cases, forensic imaging is taking longer than necessary. To identify the bottlenecks, an examination of different methods used to transfer data from a source disk was performed. Factors considered were differing disk access technologies. One finding is that the USB disk access technology (version 2.0 and earlier) is a significant bottleneck for data transfer rates, especially when the USB device is a write-blocker. Other factors that contribute to the efficiency of a forensic copy are the file system used to write a forensic image and the data transfer size used when reading from a disk drive. Optimal parameters for performing a forensic acquisition from a disk drive are identified.

13.
The Dilemmas of Restorative Justice and How to Transcend Them (cited 17 times: 0 self-citations, 17 by others)
Tang Fang, Law Science (《法律科学》) 2006, 24(4):55-63
Restorative justice is one of the most popular yet least mature topics in the field. It has become a prominent "school" in Western criminal jurisprudence, has been adopted in the legislation and practice of dozens of countries, and has attracted wide attention from the international community. However, restorative justice, which is built on the purposive theory of punishment of the positivist school of criminology, victimology, labeling theory, and a relative-retributivist view of punishment, faces many dilemmas and challenges in its own positioning, concepts, functions, and even institutional design. These need to be re-examined and integrated so as to explore a path of reform that transcends the inherent defects of restorative justice and continuously improves it in keeping with the rational demands of the rule-of-law spirit of building a harmonious society.

14.
《Digital Investigation》2007,4(3-4):119-128
Carving is the term most often used to indicate the act of recovering a file from unstructured digital forensic images. The term unstructured indicates that the original digital image does not contain useful filesystem information which may be used to assist in this recovery. Typically, forensic analysts resort to carving techniques as an avenue of last resort due to the difficulty of current techniques. Most current techniques rely on manual inspection of the file to be recovered and manually reconstructing this file using trial and error. Manual processing is typically impractical for modern disk images which might contain hundreds of thousands of files. At the same time the traditional process of recovering deleted files using filesystem information is becoming less practical because most modern filesystems purge critical information for deleted files. As such the need for automated carving techniques is quickly arising even when a filesystem does exist on the forensic image. This paper explores the theory of carving in a formal way. We then proceed to apply this formal analysis to the carving of PDF and ZIP files based on the internal structure inherent within the file formats themselves. Specifically this paper deals with carving from the Digital Forensic Research Workshop's (DFRWS) 2007 carving challenge.

15.
Forensic analysis requires the acquisition and management of many different types of evidence, including individual disk drives, RAID sets, network packets, memory images, and extracted files. Often the same evidence is reviewed by several different tools or examiners in different locations. We propose a backwards-compatible redesign of the Advanced Forensic Format, an open, extensible file format for storing and sharing evidence, arbitrary case-related information and analysis results among different tools. The new specification, termed AFF4, is designed to be simple to implement, built upon the well-supported ZIP file format specification. Furthermore, the AFF4 implementation has downward compatibility with existing AFF files.

16.
"File carving" reconstructs files based on their content, rather than using metadata that points to the content. Carving is widely used for forensics and data recovery, but no file carvers can automatically reassemble fragmented files. We survey files from more than 300 hard drives acquired on the secondary market and show that the ability to reassemble fragmented files is an important requirement for forensic work. Next we analyze the file carving problem, arguing that rapid, accurate carving is best performed by a multi-tier decision problem that seeks to quickly validate or discard candidate byte strings ("objects") from the media to be carved. Validators for the JPEG, Microsoft OLE (MSOLE) and ZIP file formats are discussed. Finally, we show how high-speed validators can be used to reassemble fragmented files.

17.
Digital forensic investigators often find peer-to-peer, or file sharing, software present on the computers, or the images of the disks, that they examine. Investigators must first determine what P2P software is present and where the associated information is stored, retrieve the information from the appropriate directories, and then analyze the results. File Marshal is a tool that will automatically detect and analyze peer-to-peer client use on a disk. The tool automates what is currently a manual and labor-intensive process. It will determine what clients currently are or have been installed on a machine, and then extracts per-user usage information, specifically a list of peer servers contacted, and files that were shared and downloaded. The tool was designed to perform its actions in a forensically sound way, including maintaining a detailed audit trail of all actions performed. File Marshal is extensible, using a configuration file to specify details about specific peer-to-peer clients (e.g., location of log files and registry keys indicating installation). This paper describes the general design and features of File Marshal, its current status, and the plans for continued development and release. When complete, File Marshal, a National Institute of Justice funded effort, will be disseminated to law enforcement at no cost.

18.
File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.

20.
A breath alcohol profile is generated as a continuous function of time while a person is providing a breath sample. This paper describes a data acquisition system which samples breath alcohol concentrations at discrete intervals during exhalation. The data are stored on disk for later analysis. It is shown that the area under the profile curve for samples preceded by breath-holding is significantly larger than when breathing is normal prior to sample provision (p less than 0.001). The differences between the breath alcohol concentration measurements are also statistically significant (p less than 0.001) for the two different breathing patterns prior to breath exhalation. These results have physiological implications and suggest another means of evaluating breath alcohol profiles.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号