Cooperative mode: Comparative storage metadata verification applied to the Xbox 360

This work addresses the question of determining the correctness of forensic file system analysis software. Current storage systems are built on theory that is robust but not immune to faults, whether from software, hardware, or adversaries. Given a parsing of a storage system of unknown provenance, the lack of a sound and complete analytic theory means the parsing's correctness cannot be proven. However, with recent advances in digital forensic theory, a measure of its incorrectness can be taken.

We present FSNView, an N-Version programming utility. FSNView reports exhaustively the metadata of a single disk image, using multiple storage system parsers. Each parser reports its perspective of the metadata in Digital Forensics XML (DFXML), a storage language used recently in a study on differential analysis. We repurpose the tools used for studying changes in file systems over time to study changes in file systems across perspectives. Differences between the metadata summaries immediately indicate bugs in at least one of the tools employed. Diversity in tools and their analysis algorithms strengthens the analysis of a storage subject.

We apply file system differencing to study the external storage of the Microsoft Xbox 360 game console. The console's storage serves as an exemplar analysis subject; the described strategy is general to storage system analysis. The custom volume management and new-though-familiar file system are features typical of an embedded system analysis. Two open-source utilities developed solely for analyzing this game console, and a third developed for general file system forensics, are extended to compare storage system metadata perspectives. We present a new file system and revisions to the DFXML language, library, and differencing process, which were necessary to enable a principled, automatic evaluation of storage analysis tools.
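An added illustration of the cross-parser comparison the abstract describes, not FSNView's or the DFXML library's own code: two constructed DFXML-style reports of one image are keyed by filename and every disagreement between the perspectives is reported. The parser names, file paths and values are made up, and the DFXML namespace is omitted for brevity.

```python
import xml.etree.ElementTree as ET

# Constructed sample reports: two hypothetical parsers describing the same image.
PARSER_A = """<dfxml><volume>
<fileobject><filename>Content/save.dat</filename><filesize>4096</filesize>
  <mtime>2012-03-01T10:00:00Z</mtime></fileobject>
<fileobject><filename>Cache/tile.bin</filename><filesize>512</filesize>
  <mtime>2012-03-02T08:30:00Z</mtime></fileobject>
</volume></dfxml>"""

PARSER_B = """<dfxml><volume>
<fileobject><filename>Content/save.dat</filename><filesize>4096</filesize>
  <mtime>2012-03-01T18:00:00Z</mtime></fileobject>
</volume></dfxml>"""

FIELDS = ("filesize", "mtime")  # metadata fields compared across perspectives


def load(dfxml_text):
    """Map filename -> {field: text} for every fileobject in one report."""
    files = {}
    for fo in ET.fromstring(dfxml_text).iter("fileobject"):
        files[fo.findtext("filename")] = {f: fo.findtext(f) for f in FIELDS}
    return files


def compare(reports):
    """reports: {parser_name: dfxml_text}. Return a list of disagreements."""
    views = {parser: load(text) for parser, text in reports.items()}
    findings = []
    for name in sorted(set().union(*views.values())):
        # A file reported by some parsers but not others.
        missing = sorted(p for p, v in views.items() if name not in v)
        if missing:
            findings.append((name, "missing", tuple(missing)))
        # A file every reporting parser sees, but with differing metadata.
        for field in FIELDS:
            seen = {p: v[name][field] for p, v in views.items() if name in v}
            if len(set(seen.values())) > 1:
                findings.append((name, field, tuple(sorted(seen.items()))))
    return findings


if __name__ == "__main__":
    for finding in compare({"parser_a": PARSER_A, "parser_b": PARSER_B}):
        print(finding)
```

A disagreement does not say which parser is wrong, only that at least one is; each finding is a lead for manual verification against the raw image.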
