Order of Volatility Flashcards
Volatility
When examining digital evidence, it is important to understand the volatile nature of some of the evidence an examiner will want to look at. Volatile evidence is evidence that can be lost when a system is powered down. For network equipment, this could include active connections or log data that is stored on the device. For laptops and desktops, volatile data includes running memory or the Address Resolution Protocol (ARP) cache.
The Internet Engineering Task Force (IETF) has put together a document titled Guidelines for Evidence Collection and Archiving (RFC 3227) that addresses the order of volatility of digital evidence. The document can be viewed and downloaded from the IETF's RFC series.
Below we explore the different locations where potential evidence can be retrieved, and how volatile they are, with 1 being the most volatile, and 6 being the least volatile.
Order of Volatility
1 – Registers & Cache
The contents of the CPU cache and registers are extremely volatile since they are constantly changing. An investigator needs to retrieve data from the cache and registers immediately, before that evidence is lost.
2 – Memory
The information held in random access memory (RAM) can be lost if there is a power spike or if the system is disconnected from power. RAM is a fast, temporary type of memory in which programs, applications and data are held while in use. It can contain very useful data about running processes, network connections, and much more.
3 – Disk (HDD and SSD)
As we covered in the hard disk drive (HDD) and solid-state drive (SSD) basics lessons, we know that once data has been overwritten, it is impossible to recover it, and SSDs have the additional risk of garbage collection or TRIM deleting files that could be used as evidence. If the system is offline then the disk space can’t be overwritten, and the disk is no longer considered volatile.
4 – Remote Logging and Monitoring Data
The potential for remote logging and monitoring data to change is much higher than that of data on a hard drive, but the information is not as vital. So, even though the volatility of the data is higher here, we still want that hard drive data first.
5 – Physical Configuration, Network Topology, Archival Media
Here we have items that are either not that vital in terms of the data or are not at all volatile. The physical configuration and network topology are information that could help an investigation but are unlikely to have a tremendous impact. Finally, archived data is usually located on a separate physical device, such as a USB drive or external hard drive.
It is imperative that digital forensics examiners take volatility into account when starting the process of evidence collection. Methods should be employed to ensure that volatile evidence is collected and moved to a non-volatile medium, such as an external hard drive, as quickly as possible.
Metadata
This lesson is going to cover what metadata is and how it can contain valuable information, what file carving is, and how we can retrieve files that have been hidden inside other files. Metadata is “data about data”, which sounds confusing, but is relatively straightforward. If you have a Microsoft Word document that contains text, that text is data. Metadata is information that describes the data and can include details such as the author of the document, and in photos, it can contain the camera settings, GPS location, resolution, and much more. File carving is a process of searching for files in a data stream and is used to carve deleted files from disk images, so we can investigate files that have been deleted by a user, provided they haven’t been overwritten with new data.
Metadata2
Let’s take a look at some metadata by viewing file properties inside the Windows OS. By right-clicking on a Microsoft Word file and clicking on the ‘Details’ tab we can see some useful information, including the author, when the file was created and last saved, and the word count.
We can also retrieve metadata on a Linux system by using the same method as above, right-clicking on a file and viewing its properties, or by using two commands, ls -lisap and stat, as shown below. In this case, we’re provided with information such as the read/write permissions we have, the file name and size, and the times when the file was last accessed and modified.
A great command-line tool we can use in Kali Linux is exiftool, which works to retrieve metadata from files. Type “exiftool” to see if you have it installed, and if not, use sudo apt-get install exiftool to download and install the tool.
The tool is straightforward to use: just type exiftool followed by the name of the file and we can retrieve a ton of useful information, as shown in the GIF demonstration below.
File Carving
We’re going to show you how to retrieve deleted files using the Linux command-line tool scalpel. If you haven’t used this tool before, use the command man scalpel to see what it can do! When run against a disk image file (.img), the tool reads its configuration file, which is located at /etc/scalpel/scalpel.conf by default. This configuration file allows us to define what file types we’re trying to search for. Let’s walk through an example where we believe a suspect has deleted a .jpg image file containing sensitive information, and we need to retrieve it as digital evidence. The hard drive appeared empty when collected from the crime scene, but a bit-by-bit disk image was taken, so we can identify any deleted files.
First things first, we need to edit the scalpel.conf file to tell scalpel which file types we want to identify and extract. You can use command-line text editors such as nano or vim, but it’s easier to use the file system GUI and navigate to the file yourself. The file path is /etc/scalpel/scalpel.conf.
Once you’ve found and opened the config file in your choice of text editor, you’ll be presented with a file that looks like the below screenshot, where we’re looking at the section for Microsoft Office document profiles. The “#” at the start of each line means that line is commented out and is not read by the program when the .conf file is loaded.
As we’re looking for .jpg image files, we need to locate the section of the .conf file that references jpg files. In the below screenshot you can see how we’re able to remove the “#” characters to enable detection for this file type.
Now that we’ve configured scalpel to understand what files we’re looking for, we can summon the tool using the following command: scalpel -b -o OUTPUT_DIR IMAGE_FILE
“scalpel” calls the tool we want to use
“-b” states we want to carve files out of the disk image file
“-o OUTPUT_DIR” provides a directory for recovered files to be stored. This MUST be an empty directory, or the name of a non-existent directory, as scalpel will create one
“IMAGE_FILE” tells scalpel the disk image file we want to search for files inside
Example command: scalpel -b -o /root/Desktop/ScalpelOutput DiskImage1.img
Let’s run the command and watch scalpel recover any JPG image files for us!
In the above screenshot we can see that scalpel identified and retrieved one JPG file, based on the message at the bottom of the terminal: “Scalpel is done, files carved = 1, elapsed = 0 seconds”! Let’s go and see what scalpel found in the output directory we specified. In the below screenshots we can see that scalpel created a file, audit.txt, which contains information about the activity the tool has completed, and the jpg directory includes the deleted photo we have retrieved.
It’s worth mentioning that profiles in the scalpel.conf file can be created by a user if you need to search for specific or custom files, by setting the file extension, maximum size, file header, and file footer values. The top of the .conf file has detailed information about writing custom detection profiles for file carving, so give it a read!
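To make concrete what scalpel does with a profile line (extension, maximum size, header bytes, footer bytes) and why the -o directory must be empty, here is a small header/footer carver written as an added example for this lesson. It is not scalpel's code; it carves from a constructed in-memory "disk image" rather than a real .img file, the JPEG and PNG signatures are the standard ones, and the output layout (one subdirectory per extension plus an audit.txt) only imitates what the screenshots above show. It also generalises the .jpg walkthrough to several profiles at once and to the case where a file's footer has already been overwritten.

```python
"""Header/footer file carver built around scalpel-style profiles.

Added example, not scalpel's own code. For each profile it scans the whole
byte stream for the header, then for the footer within the profile's maximum
size, which is what a scalpel.conf line (extension, max size, header, footer)
describes. The sample image below is constructed for the demonstration.
"""
import os
import tempfile

# Mirrors the fields of a scalpel.conf profile line. Header/footer byte
# values are the standard JPEG (FF D8 FF ... FF D9) and PNG signatures.
PROFILES = [
    {"ext": "jpg", "max_size": 200_000,
     "header": b"\xff\xd8\xff", "footer": b"\xff\xd9"},
    {"ext": "png", "max_size": 200_000,
     "header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xaeB`\x82"},
]


def build_sample_image() -> bytes:
    """Constructed 'disk image': a deleted JPEG and PNG surrounded by zeroed
    blocks, plus a JPEG header whose footer has been overwritten."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF constructed payload" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR constructed payload" + b"IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff\xe1" + b"header with no footer"
    return (b"\x00" * 512 + jpg + b"\x00" * 256 + png
            + b"\x00" * 128 + orphan + b"\x00" * 64)


def carve(image: bytes, profiles=PROFILES) -> list:
    """Return carved files as dicts (ext, offset, data, complete), sorted by
    offset. The file system is ignored entirely, which is why carving can
    recover a file whose directory entry is gone but whose blocks are intact.
    A header with no footer inside max_size is carved up to max_size and
    flagged complete=False, so the examiner knows the hit is partial."""
    found = []
    for p in profiles:
        pos = 0
        while (start := image.find(p["header"], pos)) != -1:
            limit = min(len(image), start + p["max_size"])
            end = image.find(p["footer"], start + len(p["header"]), limit)
            if end == -1:
                found.append({"ext": p["ext"], "offset": start,
                              "data": image[start:limit], "complete": False})
                pos = start + len(p["header"])
            else:
                stop = end + len(p["footer"])
                found.append({"ext": p["ext"], "offset": start,
                              "data": image[start:stop], "complete": True})
                pos = stop
    return sorted(found, key=lambda f: f["offset"])


def write_carved(found: list, outdir: str) -> int:
    """Write results in the layout the lesson shows: one subdirectory per
    extension plus an audit.txt. Like scalpel's -o, the directory must be
    empty or not exist yet, so an earlier run is never silently mixed in.
    Returns the number of files written."""
    if os.path.isdir(outdir) and os.listdir(outdir):
        raise FileExistsError(f"{outdir} must be empty or non-existent")
    os.makedirs(outdir, exist_ok=True)
    audit = []
    for n, item in enumerate(found):
        sub = os.path.join(outdir, item["ext"])
        os.makedirs(sub, exist_ok=True)
        name = f"{n:08d}.{item['ext']}"
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(item["data"])
        audit.append(f"{name}\toffset={item['offset']}\t"
                     f"length={len(item['data'])}\tcomplete={item['complete']}")
    with open(os.path.join(outdir, "audit.txt"), "w") as fh:
        fh.write("\n".join(audit) + "\n")
    return len(found)


def carve_sample_to_tempdir() -> tuple:
    """Round trip on the constructed image; returns (files carved, output dir)."""
    outdir = tempfile.mkdtemp(prefix="carve-")
    count = write_carved(carve(build_sample_image()), outdir)
    return count, outdir


if __name__ == "__main__":
    count, outdir = carve_sample_to_tempdir()
    print(f"Carving is done, files carved = {count}, output in {outdir}")
```

Running the script carves three hits from the constructed image: a complete JPEG, a complete PNG, and a truncated JPEG whose footer is gone, each recorded in audit.txt with its offset and length. Adding a custom profile is just another entry in PROFILES, the same way a custom line is added to scalpel.conf.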