Design and Implementation of a Live-analysis Digital Forensic System

Pei-Hua Yen, Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Taiwan, [email protected]
Chung-Huang Yang, Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Taiwan, [email protected]
Tae-Nam Ahn, Security Engineering Research Center, Hannam University, Korea, [email protected]

ABSTRACT
As the popularity of the Internet keeps growing, it changes not only our lives but also the way crime is committed. The number of cases in which a computer is the tool, the place or the target of a crime is increasing, and for such cases traditional investigators have been unable to establish the admissibility of the evidence. To solve this problem, the evidence must be collected with digital forensics tools, the digital data analysed, or the damaged data recovered.
In this research we use open source digital forensics tools based on Linux, and we want to make sure the software is stable so that the evidence we hold can be proven. To avoid losing data when a machine is shut down, we use Live-analysis to collect data, and we design a Live DVD/USB to make an image file and analyse the image. We use MD5 and SHA-1 values to identify the files before the final report and to ensure the reliability of the forensic evidence in court.

Keywords
Digital Forensics, Digital Evidences, Live-analysis, Live DVD/USB

1. INTRODUCTION
The Internet is the most popular application in modern society. It brings people great convenience of communication. On the other hand, because of its rapid development and the lack of proper regulation, the Internet has become a breeding ground for crime. The most serious problem of the Internet is cybercrime. The computer crime statistics for January-June 2008 in Taiwan, published by the National Police Agency [12], Ministry of the Interior, list 4,981 cases of Internet fraud, 2,023 of infringement of computer usage, 1,871 under the Prevention and Punishment of Sex-Trade Act, 1,340 under the Copyright Act and 1,131 of obscenity, which shows the seriousness of computer crime. But there is an extremely distinct difference between a computer criminal offense and a traditional crime, so the investigator inquiring into computer crime must have the aid of computer forensics knowledge and technology.
Digital evidence is not physical; it is stored on media. It has the following characteristics [4]: (1) it is easy to copy or modify, (2) its source and integrity are difficult to confirm, (3) its contents cannot be understood directly, etc. During an investigation, the procedures must follow The Good Practice Guide for Computer-Based Evidence, proposed by the International Organization of Computer Evidence in 1999 [8], in order for the digital evidence to have legal effect.

2. RELATED WORKS
This paper focuses on collecting and recovering digital evidence from electronic media, and emphasises identifying the source of the evidence. In the following we describe the details of digital forensics.

2.1. Digital Forensics
Digital forensics is the science of obtaining, preserving and documenting evidence from electronic media, such as tablet PCs, servers, digital cameras, PDAs, fax machines, iPods, smart phones and various memory storage devices [17].
Generally, the purpose of digital forensics is to investigate the evidence, and its applications include computer intrusion, unauthorized access, child pornography, etc. Fundamentals of Computer Forensics describes the analysis process as falling into three distinct areas: acquisition, analysis and presentation [2]. The list below briefly describes those procedures:
Acquisition phase: This phase focuses on obtaining the state of the systems that have storage devices, and all the digital data, for later analysis. We usually use forensic tools to image the disk.
Analysis phase: Identification of the evidence we have collected, which includes file types and directory contents, and rescuing data in order to find the relation between the evidence and the incident.
Presentation phase: Documentation of the data analysis to assist the prosecutors as a reference.
At present, the mining and analysis of evidence cannot be completed manually. We must depend on forensics tools such as EnCase and Forensic Toolkit (FTK) [7]. Most of them are commercial software, which is expensive for small enterprises or individuals.
In this research, we used open source tools to design and implement our system.

2.2. Digital Evidence
Digital evidence stored in a computer can play a major role in a wide range of crimes, including murder, rape, computer intrusions, espionage, and child pornography, as proof of a fact about what did or did not happen [3, 17]. Digital information is fragile in that it can be easily modified, duplicated, restored or destroyed, etc. [10].
In the course of the investigation, the investigator should assure that the digital evidence is not modified without proper authorization [9]. The typical goal of an investigation is to collect evidence using generally acceptable methods so that the evidence is accepted and admitted in court. The final report must include [17]:
(1) Where was the evidence stored?
(2) Who obtained the evidence?
(3) What was done to the evidence?
Every step in the process must be carefully recorded in order to prove that the electronic records were not altered during the investigation procedure.

2.3. Forensic Tools
All digital evidence must be analyzed to determine the type of information that is stored on it. For this, specialty tools are used that can display the information in a format useful to investigators. Such forensic tools include [5, 17]: FTK, EnCase [7], SMART, PyFlag and The Sleuth Kit, etc.

Table 1. Comparison of Digital Forensic Tools (columns: Encase / FTK / TSK)
Language interface: Traditional Chinese / Simplified Chinese / English
User interface: Must receive professional training / Ease of use / Ease of use
Create image file: Support / Support / Support
Calculated hash value: MD5 / MD5 / MD5 and SHA-1
Cost: Expensive / Expensive / Open source software
Advantage: Graphical disk information interface / Classification of the digital evidence / Supports many evidence search techniques such as file content, keyword, metadata, etc.

2.4. Live-Analysis
Digital forensics is separated into Live-analysis and Dead-analysis [6], according to whether or not the computer boots. Currently, much digital forensic research uses Dead-analysis, but that way may lose data because the machine is shut down or the plug is removed. For forensic analysis, the collection of volatile information, such as hardware information, installed software packages or process state, is very important [13]. Since gathering evidence on the target can affect other evidence on the target, a set of rules maximizes the quality of the evidence: running known good binaries, hashing all evidence, and gathering data in order of volatility [1].

2.5. Live DVD/USB
A Live CD is a kind of operating system distribution which can be booted from a read-only medium (such as a CD-ROM) without being installed on the hard disk [11]. Usually the operating system is named after the medium it is stored on. Consequently it is named LiveDVD when its medium is a DVD-ROM, and likewise LiveUSB. Currently there are many Live CDs released, such as KNOPPIX [15], Fedora LiveCD [14], Tux2live [16], etc. We set up our system as a LiveDVD/USB so that it is portable and deploys easily even when moved to a different environment (such as Windows or Linux, etc.).

3. SYSTEM ARCHITECTURE
In this study, we classify the victim machine into two cases: one where the computer system is still functioning, and another where it has been shut down or cannot reboot. We write a script program and store it on the USB. If the system is still running, we perform the Live-analysis with the script program, which collects the volatile information of the system; the generated files are stored on the USB disk automatically. We show the results with Tkinter and Xdialog. If the computer is turned off, we must reboot the machine with the Live DVD/USB and make an image file of the disk. The LiveDVD/USB contains the image file producer AIR (Automated Image and Restore), the computer forensics program TSK, the graphical interface program Autopsy, etc. (the system forensics process is shown in Figure 1).
[Figure 1. System forensics process: flowchart. Start; "Does the computer boot?"; if Yes, use Live-analysis to collect the volatile data, then shut down; if No (or after the shutdown), use the Live DVD/USB to run the Dead-analysis; then Imaged disk, Analysis, Report.]

[Figure 2. Live-analysis Menu: screenshot of the menu shown by the script program.]

4. IMPLEMENTATION

4.1. Live-Analysis
If the machine is still active when we arrive at the crime scene, we should rapidly collect the volatile information of the victim system, including which TCP and UDP ports are open, the user login history, which services are currently active, etc. This volatile information may disappear from the computer after it is shut down. At this point we collect the system state by Live-analysis. The system uses a self-developed script program to collect the volatile information and presents the forensic results graphically to facilitate analysis and to reduce barriers to operation.
In this study we collect the volatile information of the system with our script program. We show the results using Tkinter and Xdialog. Figure 2 shows the Live-analysis Menu.

Figure 3. Basic information of system
Figure 3 shows the current state of the system, which includes the kernel version, CPU information, hostname, date and time, and partitions.

Figure 4. MD5 and SHA-1
Figure 4 shows the MD5 value and SHA-1 value of all the data we obtained.
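The collection step of Section 4.1, written out as an added example (this is not the authors' script, which the paper describes only as a Tkinter/Xdialog program): it applies the three rules quoted in Section 2.4 (run known good binaries, hash all evidence, gather in order of volatility) and records, for every artifact, the facts the report of Section 2.2 must contain (where it is stored, who obtained it, what was done). The USB mount point, the output directory, the examiner id and the exact command lines are assumptions; the Linux commands named (ps, ss, who, last, systemctl, uname) are real, but a responder would replace the list with whatever the case needs.

```python
import hashlib
import json
import os
import subprocess
from datetime import datetime, timezone

# Assumed mount point of the responder's USB stick. It holds known-good copies
# of the tools (Section 2.4: run known good binaries) and receives the output,
# so nothing is written to the suspect disk (Section 3).
TRUSTED_BIN = "/mnt/usb/bin"
OUTPUT_DIR = "/mnt/usb/case-PLACEHOLDER/volatile"

# Collection plan, most volatile first (Section 2.4: gather data in order of
# volatility). Each entry is (artifact name, command line as argv).
COLLECTORS = [
    ("process_list", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("network_sockets", ["ss", "-tunap"]),          # open TCP/UDP ports (Section 4.1)
    ("logged_in_users", ["who", "-a"]),
    ("login_history", ["last", "-F"]),
    ("services", ["systemctl", "list-units", "--type=service", "--no-pager"]),
    ("system_info", ["uname", "-a"]),                # kernel version (Figure 3)
    ("partitions", ["cat", "/proc/partitions"]),
]


def digests(data):
    """MD5 and SHA-1 of a byte string, the two values reported in Figure 4."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def run_trusted(argv):
    """Run argv with the binary taken from TRUSTED_BIN, not from the host's PATH.

    stdout and stderr are both kept: an error message is evidence too.
    """
    cmd = [os.path.join(TRUSTED_BIN, argv[0])] + argv[1:]
    proc = subprocess.run(cmd, capture_output=True, check=False)
    return proc.stdout + proc.stderr


def collect(out_dir, examiner, collectors=COLLECTORS, run=run_trusted):
    """Run the collectors in order, store each output and return the manifest.

    Each manifest entry answers the report questions of Section 2.2: where the
    item is stored, who obtained it and what was done (the command run), plus
    the hashes taken at collection time. The manifest is also written as
    manifest.json next to the artifacts.
    """
    os.makedirs(out_dir, exist_ok=True)
    manifest = []
    for order, (name, argv) in enumerate(collectors, start=1):
        data = run(argv)
        path = os.path.join(out_dir, name + ".txt")
        with open(path, "wb") as fh:
            fh.write(data)
        entry = {
            "order": order,
            "name": name,
            "command": " ".join(argv),
            "stored_at": path,
            "obtained_by": examiner,
            "obtained_at": datetime.now(timezone.utc).isoformat(),
            "size": len(data),
        }
        entry.update(digests(data))
        manifest.append(entry)
    with open(os.path.join(out_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify(out_dir):
    """Re-hash every artifact against manifest.json; return the names that differ.

    Run this before writing the final report (abstract: identify the files
    before the report). An empty list means nothing changed since collection.
    """
    with open(os.path.join(out_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    altered = []
    for entry in manifest:
        with open(entry["stored_at"], "rb") as fh:
            now = digests(fh.read())
        if now["md5"] != entry["md5"] or now["sha1"] != entry["sha1"]:
            altered.append(entry["name"])
    return altered


if __name__ == "__main__":
    # Example run on a live host; the examiner id is a placeholder.
    for item in collect(OUTPUT_DIR, examiner="examiner-01"):
        print(item["order"], item["name"], item["md5"], item["sha1"])
    print("altered since collection:", verify(OUTPUT_DIR))
```

The `run` parameter exists so the same collection and verification logic can be exercised against constructed command output; on a real host it is left at `run_trusted`, which resolves each command against the USB copy so that a replaced `ps` or `ss` on the suspect machine is not what produces the evidence.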
4.2. Dead-Analysis
We reboot the victim system from the LiveDVD/USB to execute the digital forensics; we call this Dead-analysis. Since this way is based on the LiveDVD/USB, the state of the computer will not be altered. In this paper we built the LiveDVD/USB with remastersys and unetbootin; it includes AIR (Automated Image and Restore) to create an image file of the disk, TSK with the Chinese locale support we made, Autopsy, etc. The operation of Dead-analysis in this paper is as follows: first we create an image of the disk with AIR as shown in Figure 5, then import the image file into TSK and Autopsy as shown in Figure 6, and finally present the forensic result using a Web browser as shown in Figure 7.

5. DISCUSSION

Table 2. Comparison of Digital Forensic Tools with Our System (columns: Encase / FTK / Helix / Our system; ○ = supported, X = not supported)
Live-analysis: X / X / X / ○
Create filesystem image: ○ / ○ / ○ / ○
Verify hash value for image: ○ / ○ / ○ / ○
Support FAT16/32: ○ / ○ / ○ / ○
Support NTFS: ○ / ○ / ○ / ○
Support EXT2/3: ○ / ○ / ○ / ○
Keyword search: ○ / ○ / ○ / ○
Recover files: ○ / ○ / ○ / ○
Support for Traditional Chinese: X / X / X / ○
Low cost: X / X / X / ○
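The two imaging rows of Table 2 ("create filesystem image" and "verify hash value for image"), which Section 4.2 performs with AIR, as an added example that is not AIR's code or the authors' own: the source is copied in one sequential pass, MD5 and SHA-1 are updated from the same buffer that is written, and the finished image is re-read and compared against those digests before it is handed to TSK. The device path `/dev/sda` and the output path on the responder's USB disk are assumptions.

```python
import hashlib

CHUNK = 1 << 20  # read 1 MiB at a time; the device is read strictly sequentially


def image_device(source, image_path, chunk=CHUNK):
    """Copy the source (block device or file) to image_path.

    MD5 and SHA-1 are fed from the same buffer that is written, so the digests
    describe exactly the bytes the source returned during the copy, which is
    what AIR reports while imaging (Figure 5).
    Returns (bytes_copied, md5_hex, sha1_hex).
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(chunk)
            if not block:
                break
            md5.update(block)
            sha1.update(block)
            dst.write(block)
            copied += len(block)
    return copied, md5.hexdigest(), sha1.hexdigest()


def hash_file(path, chunk=CHUNK):
    """Stream a file through MD5 and SHA-1; returns (md5_hex, sha1_hex)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(image_path, expected_md5, expected_sha1):
    """Re-read the written image and compare both digests with the source's.

    This is the 'verify hash value for image' row of Table 2: a mismatch means
    the copy on the USB disk is not faithful and must not be analysed.
    """
    md5, sha1 = hash_file(image_path)
    return md5 == expected_md5 and sha1 == expected_sha1


def acquire(source, image_path):
    """Image the source, verify the copy and write a sidecar hash record."""
    size, md5, sha1 = image_device(source, image_path)
    verified = verify_image(image_path, md5, sha1)
    with open(image_path + ".hashes", "w") as fh:
        fh.write(f"source: {source}\nbytes: {size}\nmd5: {md5}\n"
                 f"sha1: {sha1}\nverified: {verified}\n")
    return {"bytes": size, "md5": md5, "sha1": sha1, "verified": verified}


if __name__ == "__main__":
    # Assumed paths: the suspect disk as seen from the LiveDVD/USB, and the
    # image written to the responder's external disk, never to the source.
    print(acquire("/dev/sda", "/mnt/usb/case-PLACEHOLDER/sda.dd"))
```

Opening the source read-only is not a write blocker; what keeps the state unaltered in the paper's design is that the disk is imaged from the LiveDVD/USB while it is not mounted, so the copy and its digests describe the disk as it was found.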

Figure 5. AIR
Figure 5 shows AIR making an image file while computing and identifying the MD5 value.

Figure 6. TSK and Autopsy
Figure 6 shows the analysis of the disk image by TSK and Autopsy, which provide several analysis functions, including file content, keyword, metadata, file type, etc. Figure 6 is an example of file content analysis, which shows the deleted file name, creation time, file size, etc. It can recover files that have been deleted.

6. CONCLUSIONS
In recent years there have been more and more cases of computer crime, and the term hacking is no longer news. Therefore, how the investigator collects information from a computer after an incident is becoming an important issue. Most digital forensics software is commercial, its cost is very high, and it supports only an English version, which is an obstacle to use.
This study is based on open source software to reduce cost, and we revised Autopsy's graphical interface into Traditional Chinese. We created a Live DVD/USB for analyzing Microsoft and Unix/Linux file systems (Dead-analysis). Additionally, we collected the volatile information of the system using Live-analysis, which avoids losing data because of the shutdown of the machine.

7. ACKNOWLEDGMENTS
This work was supported in part by research grants (NSC 98-2221-E-017-010-MY3) from the National Science Council of Taiwan.

8. REFERENCES
[1] F. Adelstein, Live forensics: diagnosing your system without killing it first, Communications of the ACM, Vol. 49, No. 2, February 2006. DOI=http://doi.acm.org/10.1145/1113034.1113070
[2] J. Bates, Fundamentals of computer forensics, Information Security Technical Report, Elsevier, 1998. DOI=doi:10.1016/S1363-4127(98)80040-X
[3] E. Casey, T. Larson, and M. M. Ferraro, Digital Evidence and Computer Crime, Elsevier Science & Technology Books, December 2003.
[4] E. Casey, Digital Evidence and Computer Crime: Forensic Science, Computer and the Inter, Academic Press, 2000, pp. 41-46. http://www.google.com/books?hl=zh-TW&lr=&id=Xo8GMt_AbQsC&oi=fnd&pg=PR7&dq=Digital+Evidence+and+Computer+Crime,+Elsevier+Science+%26+Technology+Books,+December+2003.&ots=-XR8GW-2PE&sig=APk6XBvljEUrq7aIL0ZY2-VHRqc#v=onepage&q=&f=false
[5] B. Carrier, Performing an autopsy examination on FFS and EXT2FS partition images: An introduction to TCTUTILs and the Autopsy Forensic Browser, SANSFIRE, July 2001. http://reference.kfupm.edu.sa/content/p/e/performing_an_autopsy_examination_on_ffs_103762.pdf
[6] B. Carrier, TSK & Autopsy. http://www.sleuthkit.org/autopsy/desc.php, April 2009.
[7] L. Garber, EnCase: A Case Study in Computer-Forensic Technology, IEEE Computer Magazine, January 2001.
[8] IOCE, http://www.ioce.org/fileadmin/user_upload/2002/ioce_bp_exam_digit_tech.html, April 2009.
[9] C. E. Landwehr, Computer security, International Journal of Information Security, 2001, pp. 3-13. http://www.springerlink.com/content/nwk24a62ur0dfu9j/
[10] S. Mocas, Building theoretical underpinnings for digital forensics research, Digital Investigation, Elsevier, 2004. DOI=doi:10.1016/j.diin.2003.12.004
[11] C. Negus, Live Linux CDs: Building and Customizing Bootable , Prentice Hall PTR, 2007.
[12] NII, iSecurity. http://www.i-security.tw/learn/sub_200812_2.asp, April 2009.
[13] C. Pogue, C. Altheide and T. Haverkos, UNIX and Linux Forensic Analysis DVD Toolkit, Syngress Publishing, 2008.
[14] R. Petersen, Fedora Core 7 & Red Hat Enterprise Linux, McGraw-Hill Professional, 2007.
[15] K. Rankin, Knoppix hacks, O'Reilly, 2004.
[16] Tux2live. https://tux.nchc.org.tw/trac/tux2live/, April 2009.
[17] L. Volonino, R. Anzaldua, J. Godwin and G. C. Kessle, Computer Forensics: Principles and Practice, Prentice Hall, 2006.
