Accelerating your forensic & incident response workflow: the case for a new standard in forensic imaging
Dr. Bradley Schatz
Director, Schatz Forensic
AusCERT Conference 2016
© Schatz Forensic 2016
© 2016 Schatz Forensic
The volume problem increases the latency between evidence identification and useful findings
[Figure: workflow Identify → Acquire → Analyse → Reporting, with latency accumulating from identification to findings]

Pick one of the below. You can’t have both.
[Figure: latency vs. completeness. Physical acquisition sits at high completeness and high latency; triage and live forensics sit at low latency and lower completeness.]
• Physical acquisition: you preserve everything, but analysis will have to wait
• Triage and live forensics: near immediate results at the expense of potentially missing evidence

How can we reduce latency while maximising completeness?
[Figure: the same latency vs. completeness plot, with three candidate moves marked:]
• Increase I/O throughput?
• Live analysis while we acquire?
• Dynamic partial acquisition?

What’s stopping me increasing I/O throughput? (Background)

Forensic Imaging v1.0: Raw
Linear bitstream copy + linear bitstream hash
$ dd if=/dev/hda bs=4k conv=sync,noerror | tee C1.D1.raw | md5sum > C1.D1.md5.txt

Forensic Imaging v1.0: Raw
[Figure: source hard drive copied linearly to ACMECo.C1.D1.raw; the MD5 linear bitstream hash is written to ACMECo.C1.D1.raw.txt]

What affects throughput in acquisition?
[Figure: acquisition pipeline: Target storage → Interconnect → Hash → Filesystem → Interconnect → Evidence storage]

I/O throughput in Acquisition is a systems problem
[Figure: the acquisition pipeline, highlighting Target storage]

Target Storage                           Sustained Read
1TB Seagate 3.5” 7200rpm SATA            100 MB/s
Current generation 3.5” 7200rpm SATA     200 MB/s
Intel 730 SSD                            550 MB/s
Macbook Pro 1TB                          ~1 GB/s
RAID 15000rpm SAS                        > 1 GB/s

I/O throughput in Acquisition is a systems problem
[Figure: the acquisition pipeline, highlighting the Interconnects]

Interconnect                     Gb/s    Max MB/s
PCIe / NVMe / Thunderbolt                > 1000
SATA3 / SAS                      6       600
USB3                             5       500
Gigabit Ethernet                 1       100
USB2                             0.48    48

I/O throughput in Acquisition is a systems problem
[Figure: the acquisition pipeline, highlighting the Hash stage]

Algorithm    Throughput MB/s
SHA1         619.23
MD5          745.65
Blake2b      601.87

Example: Forensic Duplicator, 1TB Seagate target
[Figure: pipeline rates. Target: SATA3 spinning disk, 93.6 MB/s; interconnect: SAS 6G, 500 MB/s; hash: SHA1, 600 MB/s; interconnect: SAS 6G, 500 MB/s; evidence storage: SATA3 spinning disk, 200 MB/s]
Acquisition 1TB @ 93.6MB/s = 2h 58m
Verification 1TB @ 200MB/s = 1h 23m
TOTAL = 4h 21m

LiveCD Ancient Workstation Acquisition
[Figure: pipeline rates. Target: SATA3 spinning disk, 100 MB/s; hash: SHA1, 600 MB/s; interconnect: USB2, 45 MB/s; evidence storage: SATA3 spinning disk, 200 MB/s]
Acquisition 1TB @ 45MB/s = 6h 10m
Verification 1TB @ 45MB/s = 6h 10m
TOTAL = 12h 20m

LiveCD Ancient Workstation Acquisition
[Figure: same pipeline rates: target SATA3 spinning disk 100 MB/s; SHA1 600 MB/s; USB2 45 MB/s; evidence SATA3 spinning disk 200 MB/s]
Acquisition 1TB @ 45MB/s = 6h 10m
Verification 1TB @ 200MB/s = 1h 23m
TOTAL = 7h 33m
After copy, verify the image on a device with a faster interconnect.

Forensic Imaging v2.0: EWF
Original design
[Figure: source hard drive → MD5 linear bitstream hash; source hard drive → Deflate → ACMECo.C1.D1.e01, a linear compressed block stream]

The deflate algorithm is a significant bottleneck
[Figure: pipeline Target storage → Interconnect → Hash → Compress → Filesystem → Interconnect → Evidence storage, highlighting Compress]

Data           Deflate MB/s    Inflate MB/s
High entropy   40.4            IO bound
Low entropy    259             439
*Single core of quad core i7-4770 3.4GHz measured with gzip

FTK Imager EWF Acquisition
1TB Seagate 75% full, 4 core i5-750
[Figure: pipeline rates. Target: SATA3 spinning disk, 100 MB/s; hash: SHA1, 600 MB/s; compress: Deflate, 67.8 MB/s; interconnect: SATA3, 500 MB/s; evidence storage: SATA3 spinning disk, 200 MB/s]
Acquisition 1TB @ 67.8MB/s = 4h 06m
Verification 1TB @ 106MB/s = 2h 36m
TOTAL = 6h 42m

Forensic Imaging v2.1: EWF
Guymager (2008), X-Ways, recent ewfacquire
[Figure: source hard drive → MD5 linear bitstream hash; source blocks → several parallel Deflate workers → ACMECo.C1.D1.e01]

Lacklustre throughput reports (2013)
• Practitioner reports
– Low 100s of MB/s [Zimmerman 2013]
• Research publications
– FastDD <= 110 MB/s [Bertasi & Zago 2013]
• Our experience
– Low powered CPUs give low throughput

Our approach to increasing I/O throughput

Scale to 8-core i7 & uncontended IO? Threaded EWF is CPU bound
[Figure: pipeline rates. Target: SATA3 Intel 720 SSD, 500 MB/s; hash: SHA1, 600 MB/s; compress: Deflate, 31.9 MB/s/core; interconnect: SATA3, 500 MB/s; evidence storage: SATA3 Samsung 850 EVO Pro, 500 MB/s]
Acquisition 240GB @ 255MB/s = 14m 35s
Verification 240GB @ 350MB/s = 10m 37s
TOTAL = 25m 12s
*8 core i7-5820k @ 3.20 GHz

How about using a faster compression algorithm?
[Figure: pipeline Target storage → Interconnect → Hash → Compress → Interconnect → Evidence storage, highlighting Compress]

Compression Algorithm                  Throughput MB/s/core*
Deflate (ZIP, gzip)                    31.9
Snappy (Google BigTable/MapReduce)     1,400
LZO (ZFS)                              1,540

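The bottleneck arithmetic behind the duplicator, LiveCD, FTK Imager and threaded-EWF slides above, as an added example that is not part of the presentation: the Stage/plan helpers, the stage names and the `instances` parameter are ours, while the rates are the slides' own figures. Verification is modelled as a linear re-read of the evidence copy at the rate each slide states.

```python
"""Throughput model for the acquisition pipeline on the preceding slides.

Constructed example (not from the presentation). A chain of stages
(target storage, interconnect, hash, compress, evidence storage) runs at
the rate of its slowest stage; a stage that parallelises across cores is
credited with per-core rate x cores, while a linear bitstream hash is not.
Sizes use decimal units as the slides do (1 TB = 1,000,000 MB).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Stage:
    name: str
    rate_mb_s: float     # sustained MB/s of one instance (one disk, link or core)
    instances: int = 1   # concurrent instances; >1 only for parallelisable work


def effective_rates(stages):
    """Rate each stage can sustain once parallelism is credited."""
    return {s.name: s.rate_mb_s * s.instances for s in stages}


def bottleneck(stages):
    """(name, MB/s) of the stage that bounds the whole chain."""
    rates = effective_rates(stages)
    name = min(rates, key=rates.get)
    return name, rates[name]


def seconds_for(size_gb, rate_mb_s):
    return size_gb * 1000.0 / rate_mb_s


def hms(seconds):
    h, rem = divmod(round(seconds), 3600)
    m, s = divmod(rem, 60)
    return f"{h}h {m:02d}m {s:02d}s"


def plan(acq_stages, size_gb, verify_rate_mb_s):
    """Acquisition time at the chain's bottleneck, plus a linear re-read of
    the evidence copy for verification, as on the duplicator/LiveCD slides."""
    name, rate = bottleneck(acq_stages)
    acq = seconds_for(size_gb, rate)
    ver = seconds_for(size_gb, verify_rate_mb_s)
    return {"bottleneck": name, "rate": rate, "acquisition": hms(acq),
            "verification": hms(ver), "total": hms(acq + ver)}


# Rates taken from the slides; the stage names are ours.
DUPLICATOR = [Stage("target 1TB Seagate", 93.6), Stage("SAS 6G", 500),
              Stage("SHA1 linear", 600), Stage("evidence disk", 200)]
LIVECD = [Stage("target spinning disk", 100), Stage("SHA1 linear", 600),
          Stage("USB2", 45), Stage("evidence disk", 200)]
FTK_EWF = [Stage("target spinning disk", 100), Stage("SHA1 linear", 600),
           Stage("deflate 1 core", 67.8), Stage("SATA3", 500), Stage("evidence disk", 200)]
EWF_8CORE = [Stage("target Intel SSD", 500), Stage("SHA1 linear", 600),
             Stage("deflate", 31.9, instances=8), Stage("evidence SSD", 500)]
AFF4_8CORE = [Stage("target Intel SSD", 500), Stage("4x SATA3", 2000),
              Stage("SHA1 block hashes", 600, instances=8),
              Stage("snappy", 1500, instances=8), Stage("RAID0 evidence", 800)]

if __name__ == "__main__":
    for label, chain, size, vrate in [("duplicator", DUPLICATOR, 1000, 200),
                                      ("livecd over USB2", LIVECD, 1000, 45),
                                      ("livecd, verify on SATA", LIVECD, 1000, 200),
                                      ("FTK EWF", FTK_EWF, 1000, 106),
                                      ("threaded EWF, 8 cores", EWF_8CORE, 240, 350),
                                      ("block hashed AFF4", AFF4_8CORE, 240, 888)]:
        print(label, plan(chain, size, vrate))
```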
Forensic Imaging v4.0: AFF4 (2009)
• ZIP64 based container
• Storage virtualization
• Open source implementation & specification

AFF4: Storage Virtualisation
[Figure: ACMECo.S1.RAID0.af4 holds a virtual storage stream (map) that references the compressed block storage streams in ACMECo.S1.D1.af4 and ACMECo.S1.D2.af4, each of which carries its own linear bitstream hash. Callouts: storage virtualisation; inter-container referencing.]

Linear bitstream hashing isn’t parallelizable. Max. rate ~600 MB/s on current gen. CPUs
[Figure: pipeline Target storage → Interconnect → Hash → Filesystem → Interconnect → Evidence storage, highlighting Hash]

Algorithm    Throughput MB/s
SHA1         619.23
MD5          745.65
Blake2b      601.87

Our solution: Block based hashing.
[Figure: source hard drive split into blocks; each block is compressed and hashed independently and in parallel; the block hashes are collected, and a single hash is computed over the block hashes]

Block hashing shifts the bottleneck from CPU to source I/O
[Figure: pipeline rates. Target: SATA3 Intel 730 SSD, 500 MB/s; interconnect: 4x SATA3, 2 GB/s; hash: SHA1, 600 MB/s/core; compress: Snappy, avg 1.5 GB/s/core; evidence storage: RAID0 of 4x SATA3 2TB, 800 MB/s]
*8 core i7-5820k @ 3.20 GHz

Acquisition application    Linear Acquisition               Verification
X-Ways Forensics           14:35, 255 MB/s (15.3 GB/min)    10:37, 350 MB/s (21.0 GB/min)
Wirespeed (linear)         7:23, 500 MB/s (30.3 GB/min)     4:12, 888 MB/s (53.33 GB/min)

How can we take advantage of these speeds? Realistic? More likely USB3 or 1GbE.

Idea: can we aggregate output I/O? Use 2x USB3 drives?
[Figure: pipeline rates. Target: SATA3 Intel 720 SSD, 500 MB/s; interconnect: 2x USB3, 1 GB/s; hash: SHA1, 600 MB/s/core; compress: Snappy, avg 1.5 GB/s/core; evidence storage: 2x SATA3 2TB, 400 MB/s]
*8 core i7-5820k @ 3.20 GHz

AFF4 Striping
[Figure: a virtual storage stream (map) spanning ACMECo.S1.D1.1.af4 on Disk 1 and ACMECo.S1.D1.2.af4 on Disk 2]
Source blocks striped over multiple containers on multiple output disks.
A copy of the map is stored in each container.

How can we analyse while we acquire?

Acquire and access in parallel? dd + iSCSI access to target
[Figure: source hard drive → dd → ACMECo.C1.D1.raw with its MD5 linear bitstream hash in ACMECo.C1.D1.raw.txt; the same source is exposed over iSCSI to remote analysis tools]
• Access is contended: poor interactive performance (lag)
• Early termination may not have a complete filesystem

Idea: Start with a non-linear partial image and add from there
[Figure: nested tiers of acquisition scope, innermost first: Volume & FS metadata, memory analysis → high value files → interactive analysis artifacts → all allocated → entire disk]

Raw Image: Non-linear acquisition driven by live analysis?
[Figure: source hard drive accessed over iSCSI, written to ACMECo.C1.D1.raw with a linear bitstream hash in ACMECo.C1.D1.raw.txt]
How do you generate a hash over a non-linear image?

Forensic Imaging v4.1: AFF4 (2010)
• Non-linear acquisition
• Hash based imaging (deduplication)

Partial, non-linear, block based hashing
[Figure: source hard drive blocks classified as volume metadata, filesystem metadata, sparse data, file content or unknown; acquired blocks are compressed and hashed in parallel into a compressed block stream in ACMECo.C1.D1.af4, with block hashes, a hash over the block hashes, and a virtual block stream (map) that places each block at its source offset]

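The block-hashing, striping and partial non-linear acquisition slides above describe one storage design; the following added example (our own Python, not AFF4, Evimetry or the presentation's code) implements that design in miniature. The BlockImage class, the symbolic target names, the 4 KiB block size and the constructed source are assumptions; the container names are the slides' ACMECo.S1.D1.1.af4 and ACMECo.S1.D1.2.af4.

```python
"""Block-hashed, map-based image in the style of the AFF4 slides.

Constructed example, not AFF4 or Evimetry code. Per-block hashes are computed
in parallel and rolled up into one image hash; a map places each stored block
at its source offset, so acquisition can be non-linear and partial; and
blocks are striped across two containers.
"""
import hashlib
import random
from concurrent.futures import ThreadPoolExecutor

BLOCK = 4096                            # block size (assumption)
NOT_ACQUIRED = "symbolic:NotAcquired"   # we chose not to read this range
UNREADABLE = "symbolic:Unreadable"      # we tried, and the source errored


class BlockImage:
    def __init__(self, container_names):
        self.containers = {n: bytearray() for n in container_names}
        self.map = []            # (image_off, length, target, target_off)
        self.block_hashes = {}   # image_off -> sha256 digest of that block
        self._stripe = 0

    def store(self, image_off, data, digest):
        """Append a block to the next container round-robin (striping)."""
        names = sorted(self.containers)
        name = names[self._stripe % len(names)]
        self._stripe += 1
        buf = self.containers[name]
        self.map.append((image_off, len(data), name, len(buf)))
        buf += data
        self.block_hashes[image_off] = digest

    def hash_of_hashes(self):
        """One digest over all block digests in source order: the image-level
        identifier that stands in for the linear bitstream hash."""
        h = hashlib.sha256()
        for off in sorted(self.block_hashes):
            h.update(self.block_hashes[off])
        return h.hexdigest()

    def verify(self):
        """Re-read each stored block from its container and re-hash it in parallel."""
        stored = [e for e in self.map if not e[2].startswith("symbolic:")]

        def check(entry):
            off, n, name, toff = entry
            data = bytes(self.containers[name][toff:toff + n])
            return hashlib.sha256(data).digest() == self.block_hashes[off]

        with ThreadPoolExecutor() as pool:
            return all(pool.map(check, stored))

    def read(self, off, n):
        """Resolve a read through the map. Ranges without data come back as zeros
        plus (offset, length, reason) gaps: 'not acquired' vs 'could not be read'."""
        out, gaps, end = bytearray(), [], off + n
        for moff, mlen, target, toff in sorted(self.map):
            lo, hi = max(off, moff), min(end, moff + mlen)
            if lo >= hi:
                continue
            if target.startswith("symbolic:"):
                out += b"\0" * (hi - lo)
                gaps.append((lo, hi - lo, target))
            else:
                start = toff + (lo - moff)
                out += self.containers[target][start:start + hi - lo]
        return bytes(out), gaps


def acquire(read_source, size, wanted, image, workers=4):
    """Partial, non-linear acquisition: only blocks inside a wanted range are
    read; skipped blocks and read errors are recorded in the map."""
    jobs = []
    for off in range(0, size, BLOCK):
        n = min(BLOCK, size - off)
        if not any(a <= off < b for a, b in wanted):
            image.map.append((off, n, NOT_ACQUIRED, 0))
            continue
        try:
            jobs.append((off, read_source(off, n)))
        except OSError:
            image.map.append((off, n, UNREADABLE, 0))
    # Block hashes are independent, so they are computed in parallel.
    with ThreadPoolExecutor(max_workers=workers) as pool:
        digests = list(pool.map(lambda j: hashlib.sha256(j[1]).digest(), jobs))
    for (off, data), digest in zip(jobs, digests):
        image.store(off, data, digest)
    return image


# Constructed 10-block source; block 7 is made to fail like a bad sector.
_rng = random.Random(1)
SOURCE = bytes(_rng.getrandbits(8) for _ in range(10 * BLOCK))
BAD_BLOCK = 7


def read_source(off, n):
    if off // BLOCK == BAD_BLOCK:
        raise OSError("constructed read error")
    return SOURCE[off:off + n]


def demo():
    """Acquire blocks 0-2 and 6-8 (7 unreadable), striped over two containers."""
    img = BlockImage(["ACMECo.S1.D1.1.af4", "ACMECo.S1.D1.2.af4"])
    return acquire(read_source, len(SOURCE), [(0, 3 * BLOCK), (6 * BLOCK, 9 * BLOCK)], img)
```

Running `demo()` and then `verify()` re-hashes only the five stored blocks, while `read()` over block 7 and block 9 reports one Unreadable and one NotAcquired gap.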
Forensic Imaging v4.2: AFF4 (2015)
• Partial acquisition
– Represent what we didn’t acquire vs. what we couldn’t acquire
• Block based hashing

Partial acquisition brings reproducibility and elasticity to IR and triage
[Figure: pipeline Target storage → Interconnect → Hash → Compress → Network → Evidence storage. Target: SATA3 spinning disk, 200 MB/s; hash: SHA1, 600 MB/s/core; compress: Snappy, avg 1.5 GB/s/core; network: 1GbE, 100 MB/s; evidence storage: RAID0 of 4x SATA3 2TB, 800 MB/s]
*8 core i7-5820k @ 3.20 GHz
Partial IR acquisition 21.9GiB @ 102MiB/s = 3m 39s
Acquired: volume metadata, filesystem metadata, 16G pagefile, registries, logs, link files, jump lists, WMI CIM repo, prefetch, USN journal, $Logfile, scheduler artefacts

How can I work with AFF4 images?

Why adopt this? My toolset doesn't support AFF4.
• Wait for support from vendors?
• Convert AFF4 to EWF on a fast workstation
– Can be done in near the same time it takes to simply copy, by only deflate compressing low entropy blocks
• Emulate a Raw image in the filesystem?

Emulation of AFF4 containers as RAW
[Figure: AFF4 containers presented to analysis tools as a raw image]

Emulated raw is faster than native EWF.

X-Ways processing task         X-Ways Native EWF    X-Ways w/ Wirespeed FS Bridge
Verify                         0:42                 0:08
FS Data Recovery               3:35                 3:20
Hashing & header validation    1:59:03              1:05:25
Carving unallocated            0:41                 0:44
Total                          3:25:43              2:02:09
Image: 1TB Macbook Pro i7, processed on 8 core i7

How does this affect workflow?

Native EWF Acquisition vs AFF4 / Native EWF Processing vs AFF4 FS Bridge
[Figure: timing charts comparing native EWF acquisition and processing against AFF4 with the FS Bridge, annotated in sequence:]
• Single threaded EWF?
• Multi threaded EWF
• AFF4
• AFF4: copies in half the time due to striped acquisition over 2 x 200 MB/s spinning disks. EWF: I/O bound on a single 200MB/s disk.
• AFF4: verification completes in 8m, I/O bound by RAID. EWF: CPU bound.
• AFF4: filesystem search in around ½ the time. EWF: CPU bound?
• AFF4 & EWF around the same throughput.

Will the courts accept the AFF4 format?

Courts accept expert evidence. Is it reliable?
• Is the expert reliable?
• Is the underlying theory reliable?
– Reliable by way of the application of scientific methods (eg. Daubert)
– 4 scientifically peer reviewed papers, unrefuted
• Are the methods implementing the theory reliable?
– Tool testing (as always, the expert’s ultimate responsibility)

Adoption: who is using AFF4?

AFF4 is used in the following: evimetry wirespeed

More information
Implementations
• https://evimetry.com/
• https://github.com/google/aff4
• http://www.rekall-forensic.com/docs/Tools/
• https://github.com/google/grr
Ongoing specification and papers
• http://www.aff4.org/
• http://dfrws.org/2009/proceedings/p57-cohen.pdf
• http://dfrws.org/2010/proceedings/2010-314.pdf
• http://dfrws.org/2015/proceedings/DFRWS2015-16.pdf

Conclusion
• Optimising forensic workflow is a systems problem
• Existing forensic formats are a bottleneck for today’s systems
• Existing forensic formats are incompatible with triage and reproducible live analysis
• The Advanced Forensic Format 4 solves the above

Contact
Dr Bradley Schatz
http://schatzforensic.com.au/
bradley@schatzforensic.com.au
Schatz BL (2012) Digital Evidence (Chapter) in Expert Evidence, Freckelton & Selby Eds. Available online via Westlaw AU and Thomson Legal Online.
Image credits: Hard disk head by amckgill; Footprints by kimba
Stack_and_Queue_Presentation_Final (1).pptx
binduraniha86
 
VKS-Python-FIe Handling text CSV Binary.pptx
VKS-Python-FIe Handling text CSV Binary.pptxVKS-Python-FIe Handling text CSV Binary.pptx
VKS-Python-FIe Handling text CSV Binary.pptx
Vinod Srivastava
 
Ch3MCT24.pptx measure of central tendency
Ch3MCT24.pptx measure of central tendencyCh3MCT24.pptx measure of central tendency
Ch3MCT24.pptx measure of central tendency
ayeleasefa2
 
GenAI for Quant Analytics: survey-analytics.ai
GenAI for Quant Analytics: survey-analytics.aiGenAI for Quant Analytics: survey-analytics.ai
GenAI for Quant Analytics: survey-analytics.ai
Inspirient
 
Developing Security Orchestration, Automation, and Response Applications
Developing Security Orchestration, Automation, and Response ApplicationsDeveloping Security Orchestration, Automation, and Response Applications
Developing Security Orchestration, Automation, and Response Applications
VICTOR MAESTRE RAMIREZ
 
1. Briefing Session_SEED with Hon. Governor Assam - 27.10.pdf
1. Briefing Session_SEED with Hon. Governor Assam - 27.10.pdf1. Briefing Session_SEED with Hon. Governor Assam - 27.10.pdf
1. Briefing Session_SEED with Hon. Governor Assam - 27.10.pdf
Simran112433
 
Digilocker under workingProcess Flow.pptx
Digilocker  under workingProcess Flow.pptxDigilocker  under workingProcess Flow.pptx
Digilocker under workingProcess Flow.pptx
satnamsadguru491
 
FPET_Implementation_2_MA to 360 Engage Direct.pptx
FPET_Implementation_2_MA to 360 Engage Direct.pptxFPET_Implementation_2_MA to 360 Engage Direct.pptx
FPET_Implementation_2_MA to 360 Engage Direct.pptx
ssuser4ef83d
 
C++_OOPs_DSA1_Presentation_Template.pptx
C++_OOPs_DSA1_Presentation_Template.pptxC++_OOPs_DSA1_Presentation_Template.pptx
C++_OOPs_DSA1_Presentation_Template.pptx
aquibnoor22079
 
Day 1 - Lab 1 Reconnaissance Scanning with NMAP, Vulnerability Assessment wit...
Day 1 - Lab 1 Reconnaissance Scanning with NMAP, Vulnerability Assessment wit...Day 1 - Lab 1 Reconnaissance Scanning with NMAP, Vulnerability Assessment wit...
Day 1 - Lab 1 Reconnaissance Scanning with NMAP, Vulnerability Assessment wit...
Abodahab
 
Conic Sectionfaggavahabaayhahahahahs.pptx
Conic Sectionfaggavahabaayhahahahahs.pptxConic Sectionfaggavahabaayhahahahahs.pptx
Conic Sectionfaggavahabaayhahahahahs.pptx
taiwanesechetan
 
Flip flop presenation-Presented By Mubahir khan.pptx
Flip flop presenation-Presented By Mubahir khan.pptxFlip flop presenation-Presented By Mubahir khan.pptx
Flip flop presenation-Presented By Mubahir khan.pptx
mubashirkhan45461
 
Defense Against LLM Scheming 2025_04_28.pptx
Defense Against LLM Scheming 2025_04_28.pptxDefense Against LLM Scheming 2025_04_28.pptx
Defense Against LLM Scheming 2025_04_28.pptx
Greg Makowski
 
Thingyan is now a global treasure! See how people around the world are search...
Thingyan is now a global treasure! See how people around the world are search...Thingyan is now a global treasure! See how people around the world are search...
Thingyan is now a global treasure! See how people around the world are search...
Pixellion
 
Adobe Analytics NOAM Central User Group April 2025 Agent AI: Uncovering the S...
Adobe Analytics NOAM Central User Group April 2025 Agent AI: Uncovering the S...Adobe Analytics NOAM Central User Group April 2025 Agent AI: Uncovering the S...
Adobe Analytics NOAM Central User Group April 2025 Agent AI: Uncovering the S...
gmuir1066
 
Cleaned_Lecture 6666666_Simulation_I.pdf
Cleaned_Lecture 6666666_Simulation_I.pdfCleaned_Lecture 6666666_Simulation_I.pdf
Cleaned_Lecture 6666666_Simulation_I.pdf
alcinialbob1234
 
04302025_CCC TUG_DataVista: The Design Story
04302025_CCC TUG_DataVista: The Design Story04302025_CCC TUG_DataVista: The Design Story
04302025_CCC TUG_DataVista: The Design Story
ccctableauusergroup
 
183409-christina-rossetti.pdfdsfsdasggsag
183409-christina-rossetti.pdfdsfsdasggsag183409-christina-rossetti.pdfdsfsdasggsag
183409-christina-rossetti.pdfdsfsdasggsag
fardin123rahman07
 
Molecular methods diagnostic and monitoring of infection - Repaired.pptx
Molecular methods diagnostic and monitoring of infection  -  Repaired.pptxMolecular methods diagnostic and monitoring of infection  -  Repaired.pptx
Molecular methods diagnostic and monitoring of infection - Repaired.pptx
7tzn7x5kky
 
Safety Innovation in Mt. Vernon A Westchester County Model for New Rochelle a...
Safety Innovation in Mt. Vernon A Westchester County Model for New Rochelle a...Safety Innovation in Mt. Vernon A Westchester County Model for New Rochelle a...
Safety Innovation in Mt. Vernon A Westchester County Model for New Rochelle a...
James Francis Paradigm Asset Management
 
Stack_and_Queue_Presentation_Final (1).pptx
Stack_and_Queue_Presentation_Final (1).pptxStack_and_Queue_Presentation_Final (1).pptx
Stack_and_Queue_Presentation_Final (1).pptx
binduraniha86
 
Ad

Accelerating forensic and incident response workflow: the case for a new standard in forensic imaging - AusCERT2016

  • 1. Accelerating your forensic & incident response workflow: the case for a new standard in forensic imaging. Dr. Bradley Schatz, Director, Schatz Forensic. AusCERT Conference 2016. © Schatz Forensic 2016
  • 2. © 2016 Schatz Forensic. The volume problem increases the latency between evidence identification and useful findings. Workflow: Identify → Acquire → Analyse → Reporting; latency accumulates across these stages.
  • 3. Pick one of the below; you can’t have both (latency vs. completeness). Physical acquisition: you preserve everything, but analysis will have to wait. Triage / live forensics: near immediate results at the expense of potentially missing evidence.
  • 4. How can we reduce latency while maximising completeness? (Latency vs. completeness; physical acquisition vs. triage / live forensics.) Increase I/O throughput? Live analysis while we acquire? Dynamic partial acquisition?
  • 5. Background: what’s stopping me increasing I/O throughput?
  • 6. Forensic Imaging v1.0: Raw. Linear bitstream copy + linear bitstream hash:
    $ dd if=/dev/hda bs=4k conv=sync,noerror | tee C1.D1.raw | md5sum > C1.D1.md5.txt
  • 7. Forensic Imaging v1.0: Raw. Diagram: Source Hard Drive → MD5 → ACMECo.C1.D1.raw (the image) and ACMECo.C1.D1.raw.txt (# Linear Bitstream Hash).
  • 8. What affects throughput in acquisition? Pipeline: Target Storage → Interconnect → Hash → Filesystem → Interconnect → Evidence storage.
  • 9. I/O throughput in acquisition is a systems problem (Target Storage → Interconnect → Hash → Filesystem → Interconnect → Evidence storage). Target storage:
    | Target Storage                        | Sustained Read |
    | 1TB Seagate 3.5” 7200rpm SATA         | 100 MB/s       |
    | Current generation 3.5” 7200rpm SATA  | 200 MB/s       |
    | Intel 730 SSD                         | 550 MB/s       |
    | Macbook Pro 1TB                       | ~1 GB/s        |
    | RAID 15000rpm SAS                     | > 1 GB/s       |
  • 10. I/O throughput in acquisition is a systems problem. Interconnect:
    | Interconnect               | Gb/s | Max MB/s |
    | PCIe / NVMe / Thunderbolt  |      | > 1000   |
    | SATA3 / SAS                | 6    | 600      |
    | USB3                       | 5    | 500      |
    | Gigabit Ethernet           | 1    | 100      |
    | USB2                       | .48  | 48       |
  • 11. I/O throughput in acquisition is a systems problem. Hash:
    | Algorithm | Throughput MB/s |
    | SHA1      | 619.23          |
    | MD5       | 745.65          |
    | Blake2b   | 601.87          |
  • 12. Example: Forensic Duplicator, 1TB Seagate target. Target storage: SATA3 spinning disk 93.6MB/s; interconnect: SAS 6G 500MB/s; hash: SHA1 600MB/s; interconnect: SAS 6G 500MB/s; evidence storage: SATA3 spinning disk 200MB/s. Acquisition 1TB @ 93.6MB/s = 2h 58m. Verification 1TB @ 200MB/s = 1h 23m. TOTAL = 4h 21m.
  • 13. LiveCD, ancient workstation acquisition. Target storage: SATA3 spinning disk 100MB/s; hash: SHA1 600MB/s; interconnect: USB2 45MB/s; evidence storage: SATA3 spinning disk 200MB/s. Acquisition 1TB @ 45MB/s = 6h 10m. Verification 1TB @ 45MB/s = 6h 10m. TOTAL = 12h 20m.
  • 14. LiveCD, ancient workstation acquisition (same pipeline as slide 13). Acquisition 1TB @ 45MB/s = 6h 10m. Verification 1TB @ 200MB/s = 1h 23m. TOTAL = 7h 33m. After copy, verify the image on a device with a faster interconnect.
  • 15. Forensic Imaging v2.0: EWF, original design. Diagram: Source Hard Drive → MD5 (# Linear Bitstream Hash); Source Hard Drive → Deflate → ACMECo.C1.D1.e01 (Linear Compressed Block Stream).
  • 16. The deflate algorithm is a significant bottleneck (Target Storage → Interconnect → Hash → Compress → Filesystem → Interconnect → Evidence storage).
    | Data         | Deflate MB/s | Inflate MB/s |
    | High entropy | 40.4         | IO bound     |
    | Low entropy  | 259          | 439          |
    *Single core of quad core i7-4770 3.4Ghz measured with gzip
  • 17. FTK Imager EWF acquisition, 1TB Seagate 75% full, 4 core i5-750. Target storage: SATA3 spinning disk 100MB/s; interconnect: SATA3 500MB/s; hash: SHA1 600MB/s; compress: Deflate 67.8 MB/s; evidence storage: SATA3 spinning disk 200MB/s. Acquisition 1TB @ 67.8MB/s = 4h 06m. Verification 1TB @ 106MB/s = 2h 36m. TOTAL = 6h 42m.
  • 18. Forensic Imaging v2.1: EWF as implemented by Guymager (2008), X-Ways and recent ewfacquire. Diagram: Source Hard Drive → MD5 (# Linear Bitstream Hash); Source Hard Drive → multiple Deflate workers in parallel → ACMECo.C1.D1.e01.
  • 19. Lacklustre throughput reports (2013). Practitioner reports: low 100’s MB/s [Zimmerman 2013]. Research publications: FastDD <= 110 MB/s [Bertasi & Zago 2013]. Our experience: low powered CPUs give low throughput.
  • 20. Our approach to increasing I/O throughput
  • 21. Scale to 8-core i7 & uncontended IO? Threaded EWF is CPU bound. Target storage: SATA3 Intel 720 SSD 500MB/s; interconnect: SATA3 500MB/s; hash: SHA1 600MB/s; compress: Deflate 31.9MB/s/core; evidence storage: SATA3 Samsung 850 EVO Pro 500MB/s. Acquisition 240GB @ 255MB/s = 14m 35s. Verification 240GB @ 350MB/s = 10m 37s. TOTAL = 25m 12s. *8 core i7-5820k @ 3.20 GHz
  • 22. How about using a faster compression algorithm?
    | Compression Algorithm               | Throughput MB/s/core* |
    | Deflate (ZIP, gzip)                 | 31.9                  |
    | Snappy (Google BigTable/MapReduce)  | 1,400                 |
    | LZO (ZFS)                           | 1,540                 |
  • 23. Forensic Imaging v4.0: AFF4 (2009). ZIP64 based container; storage virtualization; open source implementation & specification.
  • 24. AFF4: Storage Virtualisation. Diagram: ACMECo.S1.RAID0.af4 (Virtual Storage Stream (Map)) references ACMECo.S1.D1.af4 and ACMECo.S1.D2.af4 (each a Compressed Block Storage Stream with its own # Linear Bitstream Hash).
  • 25. AFF4: Storage Virtualisation (same diagram as slide 24). Storage virtualisation.
  • 26. AFF4: Storage Virtualisation (same diagram as slide 24). Inter-container referencing.
  • 27. Linear bitstream hashing isn’t parallelizable. Max. rate ~600 MB/s on current generation CPUs (Target Storage → Interconnect → Hash → Filesystem → Interconnect → Evidence storage).
    | Algorithm | Throughput MB/s |
    | SHA1      | 619.23          |
    | MD5       | 745.65          |
    | Blake2b   | 601.87          |
  • 28. Our solution: block based hashing. Diagram: Source Hard Drive → multiple Compress workers in parallel; Source Hard Drive → multiple Hash workers in parallel → Block Hashes → Hash (# Block Hashes Hash).
  • 29. Block hashing shifts the bottleneck from CPU to source I/O. Target storage: SATA3 Intel 730 SSD 500MB/s; interconnect: 4x SATA3 2GB/s; hash: SHA1 600 MB/s/core; compress: Snappy avg 1.5GB/s/core; evidence storage: RAID0 4x SATA3 2TB 800MB/s. *8 core i7-5820k @ 3.20 GHz
    | Acquisition application | Linear Acquisition             | Verification                   |
    | X-Ways Forensics        | 14:35, 255 MB/s (15.3 GB/min)  | 10:37, 350 MB/s (21.0 GB/min)  |
    | Wirespeed (linear)      | 7:23, 500 MB/s (30.3 GB/min)   | 4:12, 888 MB/s (53.33 GB/min)  |
  • 30. How can we take advantage of these speeds?
  • 31. Block hashing shifts the bottleneck from CPU to source I/O. Target storage: SATA3 Intel 720 SSD 500MB/s; interconnect: 4x SATA3 2GB/s; hash: SHA1 600 MB/s/core; compress: Snappy avg 1.5GB/s/core; evidence storage: RAID0 4x SATA3 2TB 800MB/s. *8 core i7-5820k @ 3.20 GHz
    | Acquisition application | Linear Acquisition             | Verification                   |
    | X-Ways Forensics        | 14:35, 255 MB/s (15.3 GB/min)  | 10:37, 350 MB/s (21.0 GB/min)  |
    | Wirespeed (linear)      | 7:23, 500 MB/s (30.3 GB/min)   | 4:12, 888 MB/s (53.33 GB/min)  |
    Realistic? More likely USB3 or 1GbE.
  • 32. Idea: can we aggregate output I/O? Use 2x USB3 drives? Target storage: SATA3 Intel 720 SSD 500MB/s; interconnect: 2x USB3 1GB/s; hash: SHA1 600 MB/s/core; compress: Snappy avg 1.5GB/s/core; evidence storage: 2x SATA3 2TB 400MB/s. *8 core i7-5820k @ 3.20 GHz
  • 33. AFF4 Striping. Diagram: Virtual Storage Stream (Map) over ACMECo.S1.D1.1.af4 (Disk 1) and ACMECo.S1.D1.2.af4 (Disk 2). Source blocks are striped over multiple containers on multiple output disks.
  • 34. AFF4 Striping (same diagram as slide 33). A copy of the map is stored in each container.
  • 35. How can we analyse while we acquire?
  • 36. How can we reduce latency while maximising completeness? (Latency vs. completeness; physical acquisition vs. triage / live forensics.) Increase I/O throughput? Live analysis while we acquire? Dynamic partial acquisition?
  • 37. Acquire and access in parallel? dd + iSCSI access to the target. Diagram: Source Hard Drive → MD5 → ACMECo.C1.D1.raw and ACMECo.C1.D1.raw.txt (# Linear Bitstream Hash); Source Hard Drive → iSCSI → remote analysis tools.
  • 38. Acquire and access in parallel? dd + iSCSI access to the target (same diagram as slide 37). Access is contended: poor interactive performance (lag).
  • 39. Acquire and access in parallel? dd + iSCSI access to the target (same diagram as slide 37). Early termination may not leave a complete filesystem.
  • 40. Idea: start with a non-linear partial image and add from there. Layers: Entire disk; All allocated; Interactive analysis artifacts; High value files; Volume & FS Metadata, Memory Analysis.
  • 41. Raw image: non-linear acquisition driven by live analysis? Diagram: Source Hard Drive → ACMECo.C1.D1.raw and ACMECo.C1.D1.raw.txt (# Linear Bitstream Hash); iSCSI. How do you generate a hash over a non-linear image?
  • 42. Forensic Imaging v4.1: AFF4 (2010). Non-linear acquisition; hash based imaging (deduplication).
  • 43. Partial, non-linear, block based hashing. Diagram: Source Hard Drive → multiple Compress workers in parallel → Compressed Block Stream → Virtual Block Stream (Map) in ACMECo.C1.D1.af4, with regions Volume Metadata, Filesystem Metadata, Sparse Data, File Content and Unknown; Source Hard Drive → multiple Hash workers → Block Hashes → Hash (# Block Hashes Hash).
  • 44. Forensic Imaging v4.2: AFF4 (2015). Partial acquisition: represent what we didn’t acquire vs. what we couldn’t acquire. Block based hashing.
  • 45. Partial acquisition brings reproducibility and elasticity to IR and triage. Target storage: SATA3 spinning disk 200MB/s; network: 1GbE 100MB/s; hash: SHA1 600 MB/s/core; compress: Snappy avg 1.5GB/s/core; evidence storage: RAID0 4x SATA3 2TB 800MB/s. *8 core i7-5820k @ 3.20 GHz. Partial IR acquisition: 21.9GiB @ 102MiB/s = 3m 39s. Contents: volume metadata, filesystem metadata, 16G pagefile, registries, logs, link files, jump lists, WMI CIM repo, prefetch, USN journal, $Logfile, scheduler artefacts.
  • 46. How can I work with AFF4 images?
  • 47. Why adopt this? My toolset doesn't support AFF4. Wait for support from vendors? Convert AFF4 to EWF on a fast workstation: this can be done in near the same time it takes to simply copy, by deflate compressing only the low entropy blocks. Emulate a raw image in the filesystem?
  • 48. Emulation of AFF4 containers as RAW
  • 49. Emulated raw is faster than native EWF.
    | X-Ways processing task       | X-Ways Native EWF | X-Ways w/ Wirespeed FS Bridge |
    | Verify                       | 0:42              | 0:08                          |
    | FS Data Recovery             | 3:35              | 3:20                          |
    | Hashing & header validation  | 1:59:03           | 1:05:25                       |
    | Carving unallocated          | 0:41              | 0:44                          |
    | Total                        | 3:25:43           | 2:02:09                       |
    Image: 1TB Macbook Pro i7, processed on 8 core i7
  • 50. How does this affect workflow?
  • 51. Charts: native EWF acquisition vs AFF4; native EWF processing vs AFF4 FS Bridge.
  • 52. Charts as on slide 51. Single threaded EWF?
  • 53. Charts as on slide 51. Multi threaded EWF.
  • 54. Charts as on slide 51. AFF4.
  • 55. Charts as on slide 51. AFF4: copies in half the time due to striped acquisition over 2 x 200 MB/s spinning disks. EWF: I/O bound on a single 200MB/s disk.
  • 56. Charts as on slide 51. AFF4: verification completes in 8m, I/O bound by the RAID. EWF: CPU bound.
  • 57. Charts as on slide 51. AFF4: filesystem search in around ½ the time. EWF: CPU bound?
  • 58. Charts as on slide 51. AFF4 & EWF around the same throughput.
  • 59. Will the courts accept the AFF4 format?
  • 60. Courts accept expert evidence. Is it reliable? Is the expert reliable? Is the underlying theory reliable? Reliable by way of the application of scientific methods (e.g. Daubert); 4 scientifically peer reviewed papers, unrefuted. Are the methods implementing the theory reliable? Tool testing (as always, the expert’s ultimate responsibility).
  • 62. AFF4 is used in the following: Evimetry Wirespeed.
  • 64. More information. Implementations: https://evimetry.com/ ; https://github.com/google/aff4 ; http://www.rekall-forensic.com/docs/Tools/ ; https://github.com/google/grr . Ongoing specification and papers: http://www.aff4.org/ ; http://dfrws.org/2009/proceedings/p57-cohen.pdf ; http://dfrws.org/2010/proceedings/2010-314.pdf ; http://dfrws.org/2015/proceedings/DFRWS2015-16.pdf
  • 66. Conclusion. Optimising forensic workflow is a systems problem. Existing forensic formats are a bottleneck for today's systems. Existing forensic formats are incompatible with triage and reproducible live analysis. The Advanced Forensic Format 4 solves the above.
  • 67. Contact. Dr Bradley Schatz, http://schatzforensic.com.au/ , [email protected]. Schatz BL (2012) Digital Evidence (chapter) in Expert Evidence, Freckelton & Selby Eds; available online via Westlaw AU and Thomson Legal Online. Image credits: Hard disk head by amckgill; Footprints by kimba.
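Slides 8 to 14 model acquisition as a pipeline whose sustained throughput is that of its slowest stage, and the slide figures (2h 58m, 6h 10m, 7h 33m, and so on) follow from that. The following is an added example, not code from the talk or from any of the tools it names: it encodes the stage rates shown on slides 12 to 14 and recomputes those figures. The decimal units (1 TB = 10^12 bytes, 1 MB/s = 10^6 bytes/s) and the truncation of seconds are assumptions that reproduce the slides' numbers.

```python
"""Pipeline model of imaging time: throughput is set by the slowest stage.
Added example, not code from the talk. Stage names and rates are those shown
on slides 12-14; decimal units and truncated minutes are assumptions."""

MB = 10**6
TB = 10**12


def bottleneck(stages):
    """Return (stage name, MB/s) of the slowest stage: the pipeline can sustain
    no more than this, however fast the other stages are."""
    name = min(stages, key=stages.get)
    return name, stages[name]


def seconds_for(size_bytes, stages):
    """Wall-clock seconds to push size_bytes through the pipeline."""
    _, rate = bottleneck(stages)
    return size_bytes / (rate * MB)


def hms(seconds):
    """Format as the slides do: hours and minutes, seconds truncated."""
    h, rem = divmod(int(seconds), 3600)
    return f"{h}h {rem // 60:02d}m"


def estimate(size_bytes, acquire, verify):
    """Acquisition and verification are separate passes; total is their sum.
    Returns the bottleneck stage of each pass and the h/m figures."""
    a, v = seconds_for(size_bytes, acquire), seconds_for(size_bytes, verify)
    return {
        "acquire_bottleneck": bottleneck(acquire)[0],
        "verify_bottleneck": bottleneck(verify)[0],
        "acquire": hms(a),
        "verify": hms(v),
        "total": hms(a + v),
    }


# Slide 12: forensic duplicator, 1TB Seagate target.
DUPLICATOR = {
    "target storage (SATA3 spinning disk)": 93.6,
    "interconnect (SAS 6G)": 500,
    "hash (SHA1)": 600,
    "evidence interconnect (SAS 6G)": 500,
    "evidence storage (SATA3 spinning disk)": 200,
}
# Verification re-reads the image from evidence storage and hashes it.
DUPLICATOR_VERIFY = {"evidence storage (SATA3 spinning disk)": 200, "hash (SHA1)": 600}

# Slide 13: live CD on an old workstation, evidence disk behind USB2.
LIVECD = {
    "target storage (SATA3 spinning disk)": 100,
    "hash (SHA1)": 600,
    "evidence interconnect (USB2)": 45,
    "evidence storage (SATA3 spinning disk)": 200,
}
LIVECD_VERIFY_SAME_BOX = {
    "evidence interconnect (USB2)": 45,
    "hash (SHA1)": 600,
    "evidence storage (SATA3 spinning disk)": 200,
}
# Slide 14: after the copy, verify on a machine with a faster interconnect.
LIVECD_VERIFY_FAST = DUPLICATOR_VERIFY


if __name__ == "__main__":
    for label, acq, ver in [("duplicator", DUPLICATOR, DUPLICATOR_VERIFY),
                            ("livecd", LIVECD, LIVECD_VERIFY_SAME_BOX),
                            ("livecd, verify elsewhere", LIVECD, LIVECD_VERIFY_FAST)]:
        print(label, estimate(TB, acq, ver))
```

The `acquire_bottleneck` field is the practical output: on the duplicator it is the source disk, on the live CD it is the USB2 link, which is why moving only the verification pass to a faster box (slide 14) cuts the total from 12h 20m to 7h 33m while acquisition stays at 6h 10m.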
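Slides 27 to 29 contrast a linear bitstream hash, which is tied to one core because every update depends on the previous state, with per-block hashes that can be computed on any core in any order and then committed to by a hash over the block-hash list. The following is an added example of that scheme, not Evimetry, AFF4 or X-Ways code; the 16 KiB block size, the SHA-1 choice and the sample image are assumptions made for the example.

```python
"""Linear vs block-based image hashing. Added example; not Evimetry, AFF4 or
X-Ways code. Block size, SHA-1 and the sample data are assumptions."""
import hashlib
import random
from concurrent.futures import ThreadPoolExecutor

BLOCK = 16 * 1024   # assumed block size for this example


def linear_hash(image):
    """One SHA-1 over the whole bitstream. Each update depends on the previous
    state, so this can only ever run on one core, in order, over everything."""
    return hashlib.sha1(image).hexdigest()


def block_hashes(image, block=BLOCK, workers=4):
    """SHA-1 of every block, computed concurrently and returned in block order.
    Blocks are independent, so they can be hashed on any core in any order;
    hashlib releases the GIL for buffers larger than about 2 KiB, so a thread
    pool really does spread the work over cores."""
    nblocks = (len(image) + block - 1) // block

    def one(i):
        return hashlib.sha1(image[i * block:(i + 1) * block]).hexdigest()

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(one, range(nblocks)))


def hash_of_hashes(hashes):
    """The single value recorded for the image: a hash over the ordered list of
    block hashes (the "# Block Hashes Hash" on slide 28)."""
    h = hashlib.sha1()
    for bh in hashes:
        h.update(bytes.fromhex(bh))
    return h.hexdigest()


def verify_block(image, i, hashes, block=BLOCK):
    """Check one block without touching the rest of the image: this is what
    makes verification of a partial or non-linear image possible."""
    return hashlib.sha1(image[i * block:(i + 1) * block]).hexdigest() == hashes[i]


def verify_image(image, hashes, block=BLOCK, workers=4):
    """Full verification in parallel. Returns (ok, indices of differing blocks),
    so a bad block is localised rather than just failing a whole-disk hash."""
    fresh = block_hashes(image, block, workers)
    bad = [i for i, (a, b) in enumerate(zip(fresh, hashes)) if a != b]
    return len(fresh) == len(hashes) and not bad, bad


def sample_image(nblocks=8, seed=1):
    """Constructed test data: deterministic pseudo-random bytes, nblocks blocks."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nblocks * BLOCK))


if __name__ == "__main__":
    img = sample_image()
    hashes = block_hashes(img)
    print("linear      :", linear_hash(img))
    print("hash of hashes:", hash_of_hashes(hashes))
    damaged = bytearray(img)
    damaged[3 * BLOCK + 7] ^= 0xFF
    print("verify damaged:", verify_image(bytes(damaged), hashes))
```

Two properties matter for the workflow the talk describes: the block-hash list is the same whatever the worker count or the order of hashing, so it is a stable record, and a verification failure names the block that differs, where a linear hash can only say that something, somewhere, changed.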
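Slides 33 and 34 describe striping source blocks across several containers under one virtual storage stream (the map), with a copy of the map in every container, and slides 40 to 44 describe a partial, non-linear image whose map must distinguish what was deliberately not acquired from what could not be read. The following added toy model shows both ideas in one structure; it is not pyaff4 or Evimetry code, and the pseudo-target names, the 4 KiB block size, the constructed source data and the choice of which blocks to acquire are assumptions (the container names follow slide 33).

```python
"""Toy model of an AFF4-style virtual storage stream ("map") striped over
several output containers and covering only part of the source.
Added example, not pyaff4 or Evimetry code; pseudo-target names, block size
and sample data are illustrative."""
import random

BLOCK = 4096
# Map targets that point at no stored data. Telling these apart is the point of
# slide 44: "what we didn't acquire vs. what we couldn't acquire".
ZERO = "zero"              # read, found all-zero, not stored (sparse)
UNKNOWN = "unknown"        # never requested in this partial acquisition
UNREADABLE = "unreadable"  # requested, but the source returned a read error


class Container:
    """One output container: an append-only block store (compression left out)
    plus its own copy of the map, so each container carries the full layout."""

    def __init__(self, name):
        self.name = name
        self.blocks = bytearray()
        self.map = []

    def append(self, chunk):
        offset = len(self.blocks)
        self.blocks += chunk
        return offset


def stripe_acquire(source, ranges, containers, bad_blocks=frozenset(), block=BLOCK):
    """Acquire the block-aligned (offset, length) ranges in the order given
    (non-linear), striping stored blocks round-robin across containers.
    bad_blocks simulates source read errors by block index.
    Returns the map: sorted (virtual_offset, length, target, target_offset)."""
    entries, stored = [], 0
    for start, length in ranges:
        if start % block or length % block:
            raise ValueError("ranges must be block aligned")
        for off in range(start, start + length, block):
            if off // block in bad_blocks:
                entries.append((off, block, UNREADABLE, 0))
                continue
            chunk = source[off:off + block]
            if not any(chunk):
                entries.append((off, block, ZERO, 0))
                continue
            c = containers[stored % len(containers)]
            stored += 1
            entries.append((off, block, c.name, c.append(chunk)))
    entries.sort()
    # Fill gaps with explicit UNKNOWN entries so a reader can never mistake
    # unacquired data for zeros.
    vmap, pos = [], 0
    for e in entries:
        if e[0] > pos:
            vmap.append((pos, e[0] - pos, UNKNOWN, 0))
        vmap.append(e)
        pos = e[0] + e[1]
    if pos < len(source):
        vmap.append((pos, len(source) - pos, UNKNOWN, 0))
    for c in containers:
        c.map = list(vmap)   # a copy of the map lives in every container
    return vmap


def read_virtual(vmap, containers, offset, length):
    """Resolve a read through the map. Returns (data, gaps): bytes without
    backing store are zero-filled in data and listed in gaps as
    (offset, length, reason) so the analyst sees the difference."""
    by_name = {c.name: c for c in containers}
    out, gaps, end = bytearray(), [], offset + length
    for voff, vlen, target, toff in vmap:       # map is sorted and contiguous
        lo, hi = max(voff, offset), min(voff + vlen, end)
        if lo >= hi:
            continue
        if target in (UNKNOWN, UNREADABLE):
            gaps.append((lo, hi - lo, target))
            out += bytes(hi - lo)
        elif target == ZERO:
            out += bytes(hi - lo)
        else:
            start = toff + (lo - voff)
            out += by_name[target].blocks[start:start + (hi - lo)]
    return bytes(out), gaps


def demo():
    """Constructed source: 16 blocks of pseudo-random data with two zero blocks.
    Acquire high-value blocks 10-11 first, then volume/FS metadata blocks 0-3,
    then blocks 6-7; block 2 is made unreadable. Returns (source, containers, map)."""
    rng = random.Random(7)
    src = bytearray(rng.getrandbits(8) for _ in range(16 * BLOCK))
    src[6 * BLOCK:8 * BLOCK] = bytes(2 * BLOCK)
    containers = [Container("ACMECo.S1.D1.1.af4"), Container("ACMECo.S1.D1.2.af4")]
    vmap = stripe_acquire(bytes(src),
                          [(10 * BLOCK, 2 * BLOCK), (0, 4 * BLOCK), (6 * BLOCK, 2 * BLOCK)],
                          containers, bad_blocks={2})
    return bytes(src), containers, vmap
```

Reading through the map is what lets a filesystem bridge present the striped, partial image as one raw device; the gaps list is the piece a triage workflow needs so that a tool reading an unacquired region knows to request it rather than treat zeros as evidence.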
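Slide 16 shows deflate running at 40.4 MB/s on high-entropy data but 259 MB/s on low-entropy data, and slide 47 uses that asymmetry: an AFF4-to-EWF conversion can run at near copy speed if only low-entropy blocks are deflated. The following added example shows an entropy gate of that kind; it is not code from the talk or from any AFF4 or EWF tool, and the 7.5 bits/byte threshold, the 32 KiB block size and the constructed sample data are assumptions.

```python
"""Entropy-gated deflate: compress only blocks that look compressible.
Added example, not code from the talk or any AFF4/EWF tool. Threshold, block
size and the sample data are assumptions."""
import math
import random
import zlib
from collections import Counter

BLOCK = 32 * 1024
ENTROPY_THRESHOLD = 7.5   # bits per byte; above this deflate rarely shrinks a block


def shannon_entropy(chunk):
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform random).
    A single pass over a byte histogram, far cheaper than attempting deflate."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def store_block(chunk, threshold=ENTROPY_THRESHOLD):
    """Return (method, payload). Low-entropy blocks are deflated; high-entropy
    blocks (encrypted, already compressed) are stored raw, skipping the slow
    deflate path measured on slide 16."""
    if shannon_entropy(chunk) < threshold:
        payload = zlib.compress(chunk, 6)
        if len(payload) < len(chunk):
            return "deflate", payload
    return "stored", chunk


def load_block(method, payload):
    """Inverse of store_block."""
    return zlib.decompress(payload) if method == "deflate" else payload


def convert(image, block=BLOCK):
    """Process an image block by block. Returns the list of (method, payload)
    and a count of how many blocks took each path."""
    out = [store_block(image[i:i + block]) for i in range(0, len(image), block)]
    return out, dict(Counter(m for m, _ in out))


def sample_image(seed=3):
    """Constructed input: two blocks of pseudo-random bytes (stands in for
    encrypted or compressed content), two blocks of repetitive structure,
    and one all-zero block."""
    rng = random.Random(seed)
    high = bytes(rng.getrandbits(8) for _ in range(2 * BLOCK))
    low = (b"NTFS log record " * (BLOCK // 16)) * 2
    zeros = bytes(BLOCK)
    return high + low + zeros


if __name__ == "__main__":
    blocks, summary = convert(sample_image())
    print(summary)
    print("stored bytes:", sum(len(p) for _, p in blocks))
```

On a real disk the ratio of the two paths is set by the data: a mostly encrypted volume is nearly all "stored" and converts at copy speed, while a volume of logs and documents takes the deflate path but, per slide 16, at several times the throughput of high-entropy input.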

Editor's Notes

  • #25: Image two disks in a RAID separately as AFF4 volumes, then use a map to create a virtual image of that.
  • #26: Image two disks in a RAID separately as AFF4 volumes, then use a map to create a virtual image of that.
  • #27: Image two disks in a RAID separately as AFF4 volumes, then use a map to create a virtual image of that.