Sunday, 13 September 2009

Experiment 11 on Similarity in Forensic Imaging between Ubuntu and Windows

This experiment was performed to look for similarities in forensic imaging between applications running under Ubuntu and Windows XP. It was part of a larger set of experiments for class assignments at Strathclyde in December 2008.


Imaging is the first step in the forensic analysis of hard drive evidence. If it is not handled appropriately, the later phases of the forensic examination will be weak and the evidence may even be refused by a court, so investigators must pay close attention to this phase. Because it is so crucial, there is a strict rule for forensic imaging, namely 'make an image with a bit stream copy'. The image can be a physical copy from hard drive to hard drive or from hard drive to image file.

During the imaging process, forensic investigators have to be able to ensure that nothing has changed in either the hard drive or the image file. To do this, they can use hash value checking such as md5, comparing the md5 value of the hard drive evidence with that of the image file or cloned hard drive. If the values match, the forensic imaging has worked well; otherwise it has failed and the image cannot be accepted for the next examination phases.

Windows XP and Ubuntu 8.10 are similar from this point of view. Under Ubuntu 8.10, forensic investigators can use the 'fdisk -l' command to choose the device or partition they would like to image, then image the selected device or partition with the 'dcfldd' command. After the imaging process finishes, they have to compare the md5 hash values of the source and the target to ensure that nothing changed during imaging.


Figure 1
Using the 'fdisk -l' command to check the devices and partitions attached to the machine

Figure 2
Using the 'dcfldd' command to perform imaging and 'md5sum' to obtain the md5 hash value

The experiment shown in the figures above gave an md5 hash value of 0171fbb2536ccd6c5fe6607743c9de17 for partition 1. This is the same as the md5 value of partition1.dd, which means the imaging process can be accepted for forensic purposes.
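The image-then-verify procedure described above can be scripted as follows. This is an added example, not the commands used in the original experiment: the function names, the 4096-byte block size and the fallback to plain dd when dcfldd is not installed are assumptions. It also hashes the source before and after the copy, so a source that changed during imaging is reported separately from a bad image.

```shell
#!/bin/sh
# Added example: bit-stream image plus MD5 verification.
# SRC would be a partition reported by 'fdisk -l'; reading it needs root.

# Print only the hex MD5 digest of a file or device.
md5_of() {
    md5sum "$1" | awk '{print $1}'
}

# Copy SRC to IMG bit for bit. Uses dcfldd when installed; falling back
# to plain dd (same if=/of=/bs= operands) is an assumption of this example.
make_image() {
    if command -v dcfldd >/dev/null 2>&1; then
        dcfldd if="$1" of="$2" bs=4096 2>/dev/null
    else
        dd if="$1" of="$2" bs=4096 2>/dev/null
    fi
}

# Image SRC into IMG and compare digests.
# Returns 0 = image matches source, 1 = image differs from source,
#         2 = source changed while being imaged, 3 = copy failed.
image_and_verify() {
    src=$1; img=$2
    before=$(md5_of "$src")
    make_image "$src" "$img" || return 3
    after=$(md5_of "$src")
    image=$(md5_of "$img")
    echo "source before: $before"
    echo "source after:  $after"
    echo "image:         $image"
    [ "$before" = "$after" ] || return 2
    [ "$after" = "$image" ] || return 1
    return 0
}

# Re-check an existing image against its source at any later time.
verify_image() {
    [ "$(md5_of "$1")" = "$(md5_of "$2")" ]
}

# Usage: sh image.sh SOURCE IMAGE  (both arguments are placeholders)
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2"
fi
```

A non-zero exit status means the image must not be carried forward into the examination.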

Under Windows XP, FTK Imager from AccessData was run to image the same partition1. FTK Imager offers forensic investigators three choices of image format, namely Raw (dd), SMART and E01. In this case, Raw (dd) is more appropriate for imaging partition1. FTK Imager also provides a window for entering miscellaneous details about the case, such as case number, evidence number, investigator name and so on. These data do not interfere with the imaging process or the md5 hash value.

Figure 3
FTK Imager showing a number of partitions from the experimental flashdisk

After the imaging process finishes, FTK Imager runs a verification step that computes the md5 hash value of the image and compares it to the md5 hash value of the source. In the experiment using FTK Imager above, the md5 hash value of the source (drive) of partition1 is 0171fbb2536ccd6c5fe6607743c9de17, the same as the md5 hash value of the image.



Figure 4
FTK Imager verifies the hash values of the drive and the image using MD5 and SHA1

The md5 hash values obtained from dcfldd under Ubuntu 8.10 and from FTK Imager under Windows XP are the same. This means that the forensic imaging process is similar under Ubuntu 8.10 and Windows XP, so it is up to forensic investigators which of the two they prefer to use.
