Friday, June 19, 2009

More toughts on Visualisation

The Brain, an iMindMapImage by charmainezoe via Flickr
Information visualisation is a rapidly growing research field and I see more and more people become interested in using visualisation techniques in the field of Digital Forensics. There were a series of discussions about "Visualisation" on computer forensic forums and digital forensics blogs. Last week I attended Australian High Tech Crime Centre (AHTCC) conference in Sydney where I met with a couple of researchers who were also interested in doing a research in this area.

Visualisation is a process or technique that graphically represents the collected data to enable better understanding of its significance. I have been using visualisation techniques since late 1990's after I discovered Mind Mapping technique, which was originated by Tony Buzan. Since then, I have successfully used visualisation for learning and in various presentations.

There appears to be many attempts made to enhance digital forensics techniques by adding visualisation to it. This is a welcome move considering the problems faced by forensic examiners while processing increasing quantities of digital evidence. These attempts however are mostly focused on automating the entire process, which in my view leads only to a dead-end. I believe that visualisation techniques, at least in digital forensics, must be separated in two distinct areas of 'analysis' and 'presentation. They are two different paths to two different goals.

Analysis

The analysis side of visualisation involves digital data processing to produce data suitable for further analysis, pattern discovery, pattern analysis, detection of anomalies etc. In my opinion this is the most challenging area of visualisation. This is the knowledge discovery stage, which employs data reduction and data interpretation techniques and can only be performed by a qualified and experienced forensic examiner. Once such data processing is successfully carried out, a visual representation of digital evidence would enable a forensic examiner to see trends or relationships between various sets of data.

Presentation

The presentation side of visualisation is simply a technique for making the facts visible and easily understood by the target audience. The significant relationships discovered during the analysis stage needs to be emphasised with vivid colours, charts, "3D" representations or Mind Maps. This PowerPoint presentation by the Department of Image Processing and Neurocomputing of University of Pannonia is good start.

Wednesday, June 10, 2009

Sparsing - New technology set to revolutionise digital forensics.

A sparse file: The empty bytes don't need to b...                         Image via Wikipedia
Periodically forensics examiners have to acquire large amounts of data and often facing a dilemma whether to compress it or not.

Using compression usually means a performance trade-off.

In circumstances when both, time and available storage are limited, X-Ways Forensics can be an invaluable tool. It is capable of creating compressed .e01 evidence files by utilising 'adaptive compression'. Unfortunately, compression negatively affects forensic examination at a later stage because compressed disk images must be decompressed before they can be used by forensic tools such as EnCase or FTK.

Raw (dd) images are commonly used because they work with practically every forensic tool. On the other hand, raw images are not compressed and one may end up with a very large dd image even if the drive contained very little amount of actual data.

Smart Acquisition Workshop or simply SAW is a "Data Acquisition and case management framework" from ASR Data. It utilises 'sparsing' to deal with large drives most commonly found on mid-range to high-end server systems. Vast majority of these drives are only 50% to 80% full and the rest of the storage contains no data (0000). When SAW is used, only nonzero data is collected and locations on the drive containing no meaningful data (all zeros) are only referenced. This method offers significant reductions in size of the forensic images and also avoids the need to decompress the data during the analysis stage. The hashing process is utilised during acquisition of the evidence to insure the integrity of the data. SAW forensic images then can be mounted with Smart Mount (available for Win32, Linux and Mac platforms) and analysed with a forensic tool of the choice. SAW can also convert the acquired 'sparsed' image to a raw image at the same time preserving integrity of the data.

During the recent demonstration a 2TB sample forensic image stored on a portable 200Gb USB drive had been mounted on a regular Eee PC without a problem.

Sparsing is not entirely new concept and NTFS for example provides full sparse file support functionality. "With the sparse file attribute set, the file system can deallocate data from anywhere in the file and, when an application calls, yield the zero data by range instead of storing and returning the actual data." Knozall Software, Inc.

What is really new is the fact that this technology has been successfully applied to digital forensics with its strict data integrity requirements. SAW provides for several other functions including: converting other forensic images to sparse images and creating VMware .vmdk files directly from these images.