Advances in Forensic Data Acquisition

Editor’s note: You all know this from watching CSI: When a crime is committed, usually some form of digital evidence is left on devices such as computers, mobile phones, or the navigation system of a car a suspect has used. Indeed, law enforcement agencies are regularly interested in data from personal devices to find evidence, guide investigations, or even act as proof in a court of law. This tutorial article by Felix Freiling et al. mentions the San Bernardino case as a prominent example. But how do police investigators go about accessing this evidence? Is what is shown on TV realistic? In the days of classical hard disks, accessing data was quite easy due to the non-volatility of the memory device. However, this is getting increasingly difficult because of developing technologies like SSDs, other forms of flash storage, and, in particular, volatile memory such as RAM, with the major problem being to read out data while guarding “authenticity.” In the past ten years, there has been substantial development in the area of forensic data acquisition, which is summarized by the article. It gives clear indications of what currently can and cannot be done technically by police investigators. So, if you watch CSI again and the cops need to access some digital evidence, you can tell truth from fiction. —Jürgen Teich, Friedrich-Alexander-Universität Erlangen-Nürnberg
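As an added illustration of what "reading out volatile memory" means in practice, the following example is not part of the article or the editor's note: it implements the classic approach of locating an AES-128 key in a RAM image by searching for its expanded key schedule, which is what cold-boot key recovery does after the memory has been dumped. The memory image is constructed inline (random filler with one schedule embedded at a chosen offset, then a handful of bits flipped to mimic cold-boot decay). The function names, the image layout and the flat Hamming-distance threshold are assumptions made here; the published cold-boot work uses a more careful error model (decay toward a per-region ground state, and reconstruction even when the key bytes themselves have decayed), which this simplified version does not attempt.

```python
"""Locate an AES-128 key in a memory image by scanning for its key schedule.
Added example (not the article's code). The image below is constructed, not
a real dump; decay is simulated by flipping bits only in round keys 1..10."""
import random


# --- AES-128 key schedule (FIPS-197), spelled out so the scanner is self-contained ---

def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox() -> list:
    """Derive the AES S-box: multiplicative inverse, then the affine map, then ^0x63."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(1, 256):
            if _gf_mul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    sbox = []
    for x in range(256):
        v = inv[x]
        s = v
        for _ in range(4):  # s = v ^ rotl(v,1) ^ rotl(v,2) ^ rotl(v,3) ^ rotl(v,4)
            v = ((v << 1) | (v >> 7)) & 0xFF
            s ^= v
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes) -> bytes:
    """Return the 176-byte AES-128 key schedule (11 round keys) for a 16-byte key."""
    assert len(key) == 16
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


# --- scanner ---

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image: bytes, max_bit_errors: int = 0) -> list:
    """Slide a 16-byte window over the image, expand it as an AES-128 key and
    accept it when the expansion matches the next 160 bytes within
    max_bit_errors flipped bits. Returns (offset, key, bit_errors) tuples.
    With max_bit_errors=0 a decayed schedule is missed; a small tolerance
    recovers it while random filler still never matches."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        d = hamming(expand_key(cand)[16:], image[off + 16:off + 176])
        if d <= max_bit_errors:
            hits.append((off, bytes(cand), d))
    return hits


def build_sample_image(seed: int = 1):
    """Constructed 2 KiB 'memory image': random filler, one schedule embedded at
    offset 1000, and 5 distinct bits flipped inside round keys 1..10 (assumed
    decay pattern; the key bytes themselves are left intact for simplicity)."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(2048))
    key = bytes(rng.getrandbits(8) for _ in range(16))
    off = 1000
    image[off:off + 176] = expand_key(key)
    for pos in rng.sample(range(160), 5):
        image[off + 16 + pos] ^= 1 << rng.randrange(8)
    return bytes(image), key, off


if __name__ == "__main__":
    img, key, off = build_sample_image()
    print("exact match   :", find_aes128_keys(img, 0))
    print("8-bit tolerant:", find_aes128_keys(img, 8), "expected key at", off, key.hex())
```

The point the example makes is the one the note gestures at: the data is there in RAM, but acquiring it from volatile memory means coping with partial decay, so an acquisition or analysis step that insists on exact structure fails where a tolerant one succeeds.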
