Toriality's Blog

COMPUTER FORENSICS - 05

created_at:

June 4, 2024 at 5:35 PM

last_updated:

July 15, 2024 at 8:11 PM

COMPUTER FORENSICS STUDY - 05 SOURCES: INFOSECINSTITUTE.COM

EMBEDDED DEVICE ANALYSIS AND EXAMINATION STEPS:

INTRODUCTION

Nowadays, digital devices are everywhere and almost everything is connected via the internet. These devices include digital watches, gaming consoles, multimedia appliances, etc. The growing use of such devices brings greater attention to embedded device forensics. This article is concerned with the forensic analysis of embedded devices and shows the examination steps that should be followed.

WHAT IS AN EMBEDDED DEVICE/SYSTEM?

Embedded systems, unlike multitasking personal computers, are whole computer systems dedicated to performing one precise function. In other words, they are designed to do one job and to do it well. These systems vary in size as well as in complexity and function. They range from tiny portable devices like digital watches and MP3 players to large ones like traffic light controllers or supervisory control and data acquisition (SCADA) controllers. They can have low complexity, like a single microcontroller chip used to open and close a gate, or very high complexity, like multiple complex embedded systems combined to automate an aircraft. Embedded systems are hugely widespread. They surround us in every type of situation one can possibly imagine: consumer electronics, industrial control, military devices, networking systems, telecommunications, the medical industry, power plants, etc. As a matter of fact, they are used to control an enormous variety of situations on a daily basis. Thus, these systems can provide vast amounts and many different kinds of information and data that can be used for many purposes, such as crime investigations.

SOME TYPES OF EMBEDDED SYSTEMS:

GAMING CONSOLES:

    
Their basic components can actually be very similar to those found in a desktop computer. They are even able to run traditional operating systems like Linux. These embedded systems contain a sizable internal hard drive capable of holding any type of data. In several cases, gaming consoles have been used to host contraband images instead of games.
    
DIGITAL VIDEO RECORDERS (DVRs):

    
DVRs are not simply TV recording machines. They are a specific kind of computer with large internal hard drives. Thus, these devices can easily be modified to hold any type of data, like pirated software, contraband images or any other kind of illicit content.
    
GLOBAL POSITIONING SYSTEM DEVICES:

    
GPS devices keep track logs, containing a series of points that show the device's location at specific points in time. Often, these track logs are not accessible or detectable through the user interface. They can play the role of an undercover detective, recording location data over the years, even after user-accessible data has been deleted. During an investigation, this location data is crucial to revealing the whereabouts of suspects and victims, other potential crime scenes and other evidence, and to providing strong links between digital and physical evidence.
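A track log is only as trustworthy as its framing, so before plotting points an examiner should verify each record and account for every line that is dropped. The following is an added example, not code from the original article or from InfoSec Institute: it parses the NMEA 0183 $GPRMC sentences that many consumer receivers write to their logs, checks the per-sentence XOR checksum, converts the ddmm.mmmm fields to decimal degrees and builds a time-ordered list of fixes. The sample log is constructed (including one corrupted sentence and one with no valid fix); the helper names are this example's own.

```python
import re
from datetime import datetime, timezone


def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two uppercase hex digits."""
    csum = 0
    for ch in body:
        csum ^= ord(ch)
    return f"{csum:02X}"


def nmea_sentence(body: str) -> str:
    """Frame a sentence body the way a receiver would: '$' + body + '*' + checksum."""
    return f"${body}*{nmea_checksum(body)}"


# Constructed sample track log (assumption: not taken from any real device).
# The third sentence carries status 'V' (receiver warning, no position); the
# fourth is corrupted AFTER its checksum was computed and must be rejected.
_corrupted = nmea_sentence(
    "GPRMC,123522,A,4807.050,N,01131.040,E,022.4,084.4,230394,003.1,W"
).replace("4807.050", "4807.060")

SAMPLE_LOG = "\n".join([
    nmea_sentence("GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W"),
    nmea_sentence("GPRMC,123520,A,4807.045,N,01131.020,E,022.4,084.4,230394,003.1,W"),
    nmea_sentence("GPRMC,123521,V,,,,,,,230394,,"),
    _corrupted,
])

_SENTENCE = re.compile(r"^\$([^*]+)\*([0-9A-Fa-f]{2})$")


def to_decimal_degrees(value: str, hemisphere: str) -> float:
    """NMEA packs latitude as ddmm.mmmm and longitude as dddmm.mmmm."""
    dot = value.index(".")
    degrees = int(value[:dot - 2])
    minutes = float(value[dot - 2:])
    decimal = degrees + minutes / 60.0
    return -decimal if hemisphere in ("S", "W") else decimal


def parse_track_log(text: str):
    """Return (fixes, rejected): fixes are time-ordered positions; rejected
    records the line number and reason for every line not accepted, so
    nothing disappears silently from the evidence."""
    fixes, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _SENTENCE.match(line.strip())
        if not m:
            rejected.append((lineno, "not an NMEA sentence"))
            continue
        body, csum = m.groups()
        if nmea_checksum(body) != csum.upper():
            rejected.append((lineno, "checksum mismatch"))
            continue
        f = body.split(",")
        if f[0] != "GPRMC":          # only RMC carries date + position in this example
            rejected.append((lineno, f"unhandled sentence {f[0]}"))
            continue
        if f[2] != "A":              # 'A' = valid fix, 'V' = receiver warning
            rejected.append((lineno, "no valid fix"))
            continue
        # field 9 is ddmmyy, field 1 is hhmmss(.ss); GPS time is UTC
        ts = datetime.strptime(f[9] + f[1][:6], "%d%m%y%H%M%S").replace(tzinfo=timezone.utc)
        fixes.append({
            "time": ts,
            "lat": to_decimal_degrees(f[3], f[4]),
            "lon": to_decimal_degrees(f[5], f[6]),
            "speed_knots": float(f[7]) if f[7] else None,
        })
    fixes.sort(key=lambda fix: fix["time"])
    return fixes, rejected


if __name__ == "__main__":
    accepted, dropped = parse_track_log(SAMPLE_LOG)
    for fix in accepted:
        print(fix["time"].isoformat(), f'{fix["lat"]:.5f}', f'{fix["lon"]:.5f}')
    for lineno, reason in dropped:
        print(f"line {lineno} rejected: {reason}")
```

The two-digit year in $GPRMC is ambiguous across centuries and the receiver's clock is only as good as its last satellite fix, so the timestamps recovered this way should be corroborated against another source before they anchor a timeline.
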

NETWORKING DEVICES:

    
Many network services are provided by small office and home office routers. The routers maintain some level of logging that can be used to obtain crucial information in cases. The logs may reveal the external IP address of an attacker or provide evidence of unauthorized devices attached to the network. Data extraction from these devices depends on the media in place, such as flash memory, disks or embedded hard drives.
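Once the logs are extracted, the two questions above (which external addresses were knocking, and which devices on the LAN were never authorized) can be answered with a small triage pass. This is an added example, not code from the original article: it runs over constructed syslog lines in the style a Linux-based SOHO router produces with dnsmasq DHCP logging and netfilter drop logging, compares every DHCP lease against an owner-supplied device inventory and summarizes WAN-side hits per source address. The interface names (eth0 as WAN, br0 as LAN), the inventory and the log lines are all assumptions for the example; addresses use the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumption: illustrative, not from any vendor's firmware).
SAMPLE_SYSLOG = """\
Jun  4 17:01:02 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.20 a4:83:e7:11:22:33 alice-laptop
Jun  4 17:05:41 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.77 00:1a:2b:3c:4d:5e
Jun  4 17:06:10 router kernel: DROP_WAN IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=22
Jun  4 17:06:11 router kernel: DROP_WAN IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51235 DPT=23
Jun  4 17:09:30 router kernel: DROP_WAN IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=445
Jun  4 17:10:00 router kernel: DROP_LAN IN=br0 OUT= SRC=192.168.1.77 DST=192.168.1.1 PROTO=TCP SPT=33000 DPT=23
Jun  4 17:12:00 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.20 a4:83:e7:11:22:33 alice-laptop
"""

# Device inventory supplied by the network owner (constructed for the example).
KNOWN_MACS = {"a4:83:e7:11:22:33": "alice-laptop"}
WAN_IFACE = "eth0"  # assumption: eth0 faces the internet on this router

DHCP_RE = re.compile(
    r"DHCPACK\(\S+\) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})(?: (?P<host>\S+))?"
)
NETFILTER_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def triage(log_text, known_macs=KNOWN_MACS, wan_iface=WAN_IFACE):
    """Return (unknown_devices, external_sources).

    unknown_devices: MAC -> first lease seen for a device not in the inventory.
    external_sources: source IP -> hit count, destination ports and first time
    seen, for traffic arriving on the WAN interface only."""
    unknown_devices = {}
    external_sources = defaultdict(lambda: {"hits": 0, "dports": set(), "first_seen": None})
    for line in log_text.splitlines():
        timestamp = line[:15]  # syslog "Mmm dd HH:MM:SS"; note the year is not logged
        m = DHCP_RE.search(line)
        if m:
            mac = m["mac"].lower()
            if mac not in known_macs:
                dev = unknown_devices.setdefault(
                    mac, {"ip": m["ip"], "host": m["host"], "first_seen": timestamp, "leases": 0}
                )
                dev["leases"] += 1
            continue
        m = NETFILTER_RE.search(line)
        if m and m["iface"] == wan_iface:
            src = external_sources[m["src"]]
            src["hits"] += 1
            src["first_seen"] = src["first_seen"] or timestamp
            if m["dpt"]:
                src["dports"].add(int(m["dpt"]))
    return unknown_devices, dict(external_sources)


if __name__ == "__main__":
    unknown, external = triage(SAMPLE_SYSLOG)
    for mac, info in unknown.items():
        print("unknown device", mac, info)
    for ip, info in sorted(external.items()):
        print("external source", ip, info["hits"], "hits on ports", sorted(info["dports"]))
```

Lease lines only prove that a device asked for an address, not that it was the device the inventory says it is: MAC addresses are trivially spoofed, so an unknown MAC is a lead to pursue on the physical network, not a conclusion.
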
    
RASPBERRY PI AND SYSTEMS ON A STICK:

    
The Raspberry Pi is a credit card-sized board used to build embedded systems. The boards are available online and are accessible to a wide range of people for an even wider range of uses: building arcade machines, tablet computers and home security systems. Live forensics can be performed while such systems are running.
    
PRINTERS:

    
Large networked printers also have hard disks. Print jobs are often saved in the TIFF image file format or sometimes in PostScript. Unallocated space on the hard disk might be very useful: file carving through it can recover old print jobs that could be related to the case. In addition, some printers' log files contain data such as user names, IP addresses and timestamps that could be of evidentiary value. Some of the large network printers run web services to receive scanned documents and faxes that might reveal valuable evidence.
    
SCANNERS:
    
    Big networked scanners contain hard drives that cache scanned documents before delivery. During an investigation, forged documents can be recovered from this cache. A forensic examiner can link copied documents to the hardware that made the copy.
    
FAX MACHINES:

    
These devices save logs on internal flash storage or a hard drive, detailing the sender and receiver fax numbers, the date/time stamp of the transmission and sometimes even a copy of the transmitted document.
    
ANSWERING MACHINES AND VOICE RECORDS:

    
These devices provide recorded data. If a recording was deleted, recovering it is still possible. It requires removing the flash memory chip, reading the unallocated space and file carving for sound files.
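Both the printer section above (old print jobs carved from unallocated space) and this one (sound files carved from a flash dump) rely on the same technique: the file system no longer points at the data, so the examiner searches the raw bytes for known headers and cuts out what follows. The block below is an added example, not code from the original article, and it shows the two carving strategies such files need: PostScript has no length field, so a job is carved from its "%!PS-Adobe" header to its "%%EOF" trailer, while a WAV recording carries its own length in the RIFF header, so the carver can cut an exact-sized file and detect when the recording was overwritten part-way through. The "image" is constructed in the code; TIFF, the other print format the text mentions, has no fixed trailer and needs its directory structure parsed, which is out of scope here.

```python
import struct

PS_HEADER = b"%!PS-Adobe"
PS_TRAILER = b"%%EOF"
RIFF_MAGIC = b"RIFF"
WAVE_TAG = b"WAVE"
MAX_PS_JOB = 1 << 20  # assumption: give up on a PostScript job with no trailer within 1 MiB


def build_wav(samples: bytes, sample_rate: int = 8000) -> bytes:
    """Minimal 8-bit mono PCM WAV; used only to construct the sample image."""
    fmt_chunk = b"fmt " + struct.pack("<IHHIIHH", 16, 1, 1, sample_rate, sample_rate, 1, 8)
    data_chunk = b"data" + struct.pack("<I", len(samples)) + samples
    body = WAVE_TAG + fmt_chunk + data_chunk
    return RIFF_MAGIC + struct.pack("<I", len(body)) + body


# Constructed "unallocated space" (assumption: not a real disk or flash image):
# filler, one complete PostScript print job, one complete WAV recording and
# one WAV whose second half was overwritten.
PS_DOC = (b"%!PS-Adobe-3.0\n%%Title: invoice.ps\n"
          b"/Helvetica findfont 12 scalefont setfont\n"
          b"72 720 moveto (CONFIDENTIAL) show\nshowpage\n%%EOF")
WAV_FULL = build_wav(bytes(range(256)) * 2)
WAV_CUT = build_wav(bytes(range(256)) * 4)
FILLER = b"\x00" * 512 + b"slack " * 64
SAMPLE_IMAGE = FILLER + PS_DOC + FILLER + WAV_FULL + FILLER + WAV_CUT[: len(WAV_CUT) // 2]


def carve(image: bytes):
    """Scan a raw byte image for known headers and cut out the files behind them."""
    found = []
    pos = 0
    while True:
        hits = [h for h in (image.find(PS_HEADER, pos), image.find(RIFF_MAGIC, pos)) if h != -1]
        if not hits:
            return found
        start = min(hits)
        if image.startswith(PS_HEADER, start):
            # No length field in PostScript: carve up to the %%EOF trailer.
            end = image.find(PS_TRAILER, start, start + MAX_PS_JOB)
            if end == -1:
                found.append({"type": "postscript", "offset": start, "data": None,
                              "note": "no %%EOF trailer"})
                pos = start + len(PS_HEADER)
                continue
            end += len(PS_TRAILER)
            found.append({"type": "postscript", "offset": start, "data": image[start:end]})
        else:
            # RIFF: 'RIFF' + little-endian payload length + form type ('WAVE' for audio).
            if image[start + 8:start + 12] != WAVE_TAG:
                pos = start + len(RIFF_MAGIC)  # other RIFF container, or a false hit
                continue
            (length,) = struct.unpack_from("<I", image, start + 4)
            end = start + 8 + length
            if end > len(image):
                # Header promises more bytes than remain: the tail was overwritten.
                found.append({"type": "wav", "offset": start, "data": image[start:],
                              "note": "truncated"})
                return found
            found.append({"type": "wav", "offset": start, "data": image[start:end]})
        pos = end


if __name__ == "__main__":
    for entry in carve(SAMPLE_IMAGE):
        size = len(entry["data"]) if entry["data"] else 0
        print(entry["type"], "at offset", entry["offset"], size, "bytes", entry.get("note", ""))
```

Each carved object should be hashed and its offset recorded immediately, so the report can tie the recovered job or recording back to an exact location in the image taken from the device.
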
    

FORENSIC ISSUES WITH VIRTUAL SYSTEMS

WHAT IS A VIRTUAL SYSTEM FORENSICS?

When something is virtual, it is almost the same as the original - but not quite. In computing, this emulation can be particularly handy, especially when it comes to experimenting with large, complex systems. In their many forms, virtual systems provide the same functionality as physical computers, OSs, applications, hardware and software, but without putting the underlying physical machine at risk. Why? Because all of their abilities - from booting up to shutting down - are an imitation of what a real, tangible machine or system would do. As such, they offer a tremendous opportunity for users to try out different OSs, play around with suspicious applications or hook up peripheral devices like USB flash drives without fear of negative consequences. If a problem comes up, like a virus or a misconfigured network, a virtual system will behave just as a real system would. As a result, they are the perfect tool for information security experimentation because they allow the user complete freedom to make mistakes, much like a child in a sandbox. That isolation is not absolute, however: malware can detect that it is running inside a virtual machine and change its behaviour, and hypervisor escape vulnerabilities have been found, so a VM used to handle suspicious software should still be kept off production networks and reverted to a clean snapshot afterwards.
Because virtual machines can perform the same processes as actual systems, they are also able to track and record the activity trail of users. These capabilities make them incredibly useful tools in the quest to learn more about digital forensics, as they can produce evidence to be used to enhance understanding and application. For example, Virtual Forensic Computing (VFC) was first launched by the tech community in 2007 and has become essential software for forensic investigators, as it allows for seamless recreation of a digital crime scene from real, discovered evidence. It is the go-to software for law enforcement, who use it to take images from a suspect's computer, launch the suspect machine in its native environment, take screenshots of key evidence, and view files and data in their natural state.

WHAT ARE THE TYPES OF VIRTUAL STATES?

VIRTUAL MACHINES:

    
Virtualization of an OS or application environment is the most common form of virtualization, as it can save companies a lot of money, resources and time. Once installed, a virtual machine imitates dedicated hardware and offers users the same experience as a real, tangible computer.
    
    This is one of the main benefits of a virtual machine, as their ability to operate on any underlying hardware and software configuration adds flexibility and creates an ease of sharing.
    
    One of the best things about virtual hardware is that it does not wear out or fail the way physical hardware does, and a VM can be snapshotted and restored at will, which means administrators can take advantage of virtual environments to rehearse a disaster recovery plan (DRP) and other such system administrator tasks. This documented, structured approach allows users to respond more effectively to unplanned and problematic incidents related to breaches in cybersecurity, thereby minimizing the effects of a disaster and allowing organizations to continue with business as usual.
    
SERVICE BASED SYSTEMS:

    
Service virtualization offers a way to mimic the workings of certain component-based applications and service-oriented architectures so as to remove constraints and increase development opportunities. As a virtual tool, it assists in software development and testing while extending across all communication components using common messaging protocols.

THE CLOUD:

    
As software and services running on the internet, cloud services are accessed through a web browser and allow users to reach their data from any device. Security is often cited as one of the biggest problems in cloud computing, mostly because the cloud handles such a massive amount of data and is an attractive target for malicious actors. This large amount of volatile data held in the cloud is often what makes it such a forensic headache. The goal is to stop these breaches before they become reality. The use of Forensic Virtual Machines (FVMs) allows investigators to run numerous instances to look for symptoms of compromise while potentially limiting attack vectors.
    

WHAT ARE THE TYPES OF VIRTUAL SYSTEM ARCHITECTURES?

Most computers have multiple layers of both hardware and software that operate together as one system. These resources usually include a central processor, display, storage, networking and other peripheral devices. A virtualization architecture is typically based on hypervisor software, which isolates OSs and applications from the host computer so that multiple virtual machines can run on it, sharing resources such as memory and network bandwidth. Virtual architecture differs from that of a traditional computer in that it can run several OSs on top of the virtualization layer - something that exclusive device ownership does not allow. Virtual machine technology compensates for this limitation by redirecting interaction with device resources to lower system levels in a way that leaves higher-level application layers unaffected.

TYPE 1 HYPERVISORS:

    
Known as "bare-metal" hypervisors, they run directly on top of the host system hardware and offer high availability and resource management. This architecture fosters better performance, scalability and stability.
    
TYPE 2 HYPERVISORS:

    
Known as "hosted" hypervisors, they are installed on top of the host OS, which eases system configuration and simplifies management. That said, the additional OS layer can limit performance and exposes the virtual machines to any security flaws in the host OS.
    
CONTAINERIZATION:

    
Also known as "container-based" virtualization, this is the main alternative to hypervisor-based virtualization. It functions at the OS level and runs distributed applications without the need to launch an entire virtual machine for each one. Instead, it runs multiple isolated systems - fittingly known as containers - on a single control host while sharing a single kernel. Because every container shares that host kernel, a kernel vulnerability or a misconfigured container can affect all containers on the host, so the isolation boundary is weaker than the one a hypervisor provides.
    

FORENSIC ISSUES WITH VIRTUAL SYSTEMS:

There are two common types of investigative analysis involved in digital forensics: live and dead. The former happens while a machine is running and often focuses on things like open files, running processes, network connections and volatile malware. In many cases, systems need to keep running for as long as possible to provide the insight authorities need to find evidence. Dead analysis, on the other hand, occurs while the machine is turned off: an identical image of the machine's storage media is created (verified by comparing cryptographic hashes of the source and the image) and analyzed for relevant findings. This reduces the possibility of contaminating the source and makes investigating static data from a system easier. Both approaches have inherent strengths in the way they approach and retrieve evidence in the form of data, but they also have a few weaknesses to keep in mind.
For example, when a forensic investigator accesses a live system to gather information, they use third-party or built-in forensic tools, and interpretation becomes more challenging when the native OS APIs are not available, as is the case when a virtual machine is examined from outside the guest. That means information must be gathered by locating and interpreting the guest's internal data structures directly, rather than by asking the guest's application programming interfaces (APIs). This difficulty is known as the semantic gap problem: it characterizes the difference between two descriptions of the same thing - in this case, the raw bytes of guest memory as seen from outside, and the processes, files and connections those bytes represent inside the guest. In other words, the meaning can get lost in translation. But fear not, there are some solutions available.
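To make the semantic gap concrete, the following added example (not code from the original article, and not any real kernel's layout) builds a toy guest memory image in which process descriptors form a linked list, exactly the kind of structure an in-guest API would walk for you. From outside the guest there are only bytes, so the examiner must know the descriptor layout and the address of the list head to rebuild the process list; the example then shows the complementary trick real memory-forensics tools use, scanning raw memory for descriptor signatures, which also finds a descriptor that has been unlinked from the list and would be invisible to the guest's own tools. The 32-byte layout, the magic value and the addresses are all assumptions of the example; a real tool needs the actual struct offsets and symbols of the guest kernel.

```python
import struct

# Toy descriptor layout (assumption): u32 pid, 4-byte magic, 16-byte name, u64 next.
TASK_FMT = "<I4s16sQ"
TASK_SIZE = struct.calcsize(TASK_FMT)  # 32 bytes
TASK_MAGIC = b"TASK"
LIST_HEAD_ADDR = 0x100  # where the "symbol" holding the list head pointer lives


def _task(pid: int, name: str, next_addr: int) -> bytes:
    return struct.pack(TASK_FMT, pid, TASK_MAGIC, name.encode().ljust(16, b"\0"), next_addr)


def build_guest_memory() -> bytearray:
    """Constructed 4 KiB guest 'physical memory' (assumption: identity-mapped)."""
    mem = bytearray(0x1000)
    # Linked process list: init -> sshd -> bash, terminated by next == 0.
    tasks = {0x200: (1, "init", 0x240), 0x240: (22, "sshd", 0x280), 0x280: (31, "bash", 0)}
    for addr, (pid, name, nxt) in tasks.items():
        mem[addr:addr + TASK_SIZE] = _task(pid, name, nxt)
    # A descriptor that still exists in memory but was unlinked from the list,
    # the way a rootkit hides a process: list walking never reaches it.
    mem[0x300:0x300 + TASK_SIZE] = _task(666, "miner", 0)
    struct.pack_into("<Q", mem, LIST_HEAD_ADDR, 0x200)
    return mem


def pslist(mem: bytearray):
    """Bridge the gap with layout knowledge: follow the OS's own list."""
    procs, seen = [], set()
    addr = struct.unpack_from("<Q", mem, LIST_HEAD_ADDR)[0]
    while addr and addr not in seen and addr + TASK_SIZE <= len(mem):
        seen.add(addr)  # guard against a cyclic or corrupted list
        pid, magic, name, nxt = struct.unpack_from(TASK_FMT, mem, addr)
        if magic != TASK_MAGIC:
            break       # pointer led somewhere that is not a descriptor
        procs.append((pid, name.rstrip(b"\0").decode()))
        addr = nxt
    return procs


def psscan(mem: bytearray):
    """Ignore the OS's bookkeeping: scan raw memory for descriptor signatures."""
    procs = []
    pos = mem.find(TASK_MAGIC)
    while pos != -1:
        start = pos - 4  # magic sits 4 bytes into the descriptor
        if start >= 0 and start + TASK_SIZE <= len(mem):
            pid, _, name, _ = struct.unpack_from(TASK_FMT, mem, start)
            procs.append((pid, name.rstrip(b"\0").decode()))
        pos = mem.find(TASK_MAGIC, pos + 1)
    return procs


def hidden_processes(mem: bytearray):
    """Descriptors present in memory but absent from the linked list."""
    return sorted(set(psscan(mem)) - set(pslist(mem)))


if __name__ == "__main__":
    guest = build_guest_memory()
    print("pslist :", pslist(guest))
    print("psscan :", psscan(guest))
    print("hidden :", hidden_processes(guest))
```

Signature scanning has the opposite weakness: it also returns descriptors of processes that have already exited but whose memory has not been reused, so the two views are compared rather than trusted individually.
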

VIRTUALBOX:

    
This cross-platform virtualization software can be installed on existing Intel- or AMD-based computers, regardless of their OS. It helps users simultaneously run multiple OSes on existing computers, essentially creating a special environment where multiple virtual machines can run on a single physical machine. This tool helps with learning, testing and getting the most out of computer performance.
    
VMWARE:

    
With this type of server virtualization, multiple virtual machines can run on the same physical server by installing a hypervisor on the main device, each of which runs its own OS. This means many OSs can run on one physical server, thereby allowing virtual machines to share resources such as RAM.