Tuesday, January 6, 2015

Validation of forensic images for assurance of digital evidence integrity

Here's an interesting paper from Murdoch University in Australia.

"The reliability of digital evidence is an important consideration in legal cases requiring sound validation. To ensure its reliability, digital evidence requires the adoption of reliable processes for the acquisition, preservation, and analysis of digital data. To undertake these tasks, the courts expect digital forensic practitioners to possess specialised skills, experience, and use sound forensic tools and processes. The courts require that the reliability of digital evidence can be verified with supporting documentation; notably acquisition process logs and a chain of custody register, confirming that the process of recovering and protecting the evidence was based on sound scientific principles.

In typical cases the digital evidence has been ‘preserved’ in a special file or ‘container’ that has been declared to be secure on the basis that it is not possible to tamper with the contents of the container or the information supporting the contents (metadata) without this act being discovered. However, through the use of a freely available open source library, libewf, it has been discovered that the most commonly used forensic container format, Encase Evidence File Format, also known by its file extension .E01, can be manipulated to circumvent validation by forensic tools. This digital forensic container contains an embedded forensic image of the acquired device and metadata fields containing information about the data that was acquired, the circumstances of the acquisition, and details about the device from which the forensic image was acquired. It has been found that both the forensic image and the metadata associated with that image can be freely altered using simple file editors and open source software.

Exploiting these weaknesses within the Encase Evidence File format results in a forensic container that can be altered but fails to provide any evidence that this has occurred. In practice the original device is often unavailable, damaged, or otherwise unable to provide independent validation of the data held in the container. In such situations, it would be difficult, if not impossible, to determine which of two forensic containers held the original record of the evidence.
As part of a proof of concept, existing libewf code was manipulated to allow for legitimate metadata to be attached to a compromised and altered forensic image with recalculated hashes and data integrity checksums. Without incontrovertible records of the original data’s hash value, this manipulation might only be detected by an independent third party holding a copy of the original forensic container’s metadata and hashes for comparison. While hashes and metadata held by an interested party could also potentially be altered or declared unreliable, an uninterested party would be able to provide a more reliable set of hashes that could be used to validate the unaltered container.

In order to add to the body of knowledge supporting digital forensics as a scientific discipline this research has brought into question a fundamental assumption about the reliability of a fundamental method currently used to collect and validate digital evidence. Further research is required to determine the whether processes can be designed to enhance the detection of contaminated images."

No comments: