Tuesday, August 4, 2009

linuxsleuthing code project

Computers, iPods, Thumbdrives, oh My!

I've been busy with a major case during which many smaller cases have walked through my door. I began longing for a way for criminal investigators to be able to conduct preview examinations of digital storage devices without having to drop the devices off at the computer lab.

Many of the questions I receive are relatively simple to answer:
  • "Who owns this computer/iPod?"
  • "Does this computer have any illegal images/videos/files?"
  • "Are there any emails/chats between X and Y stored on this device?"
While I understand a preview examination of a digital storage device is not the equivalent of full forensic examination, the plethora of storage devices and the dwindling number of public sector forensic computer examiners begs for an intermediate solution. And, while forensically sound boot-discs exist, e.g., CAINE or the FBI's ImageScan, they do not lend themselves to criminal investigators with little or no computer forensics training (CAINE) and/or they only do one thing well (ImageScan).

My idea is to modify a disc like CAINE to include scripts accessible through a right-click menu that make basic digital storage device examination simpler. Virtually anyone who uses a computer understands the basics of navigating a file system with a file browser, and Nautilus is the file browser of choice in CAINE, which utilizes the Gnome desktop. Nautilus has a built-in option for right-click scripts, and you'll find five already deployed in CAINE. The CAINE scripts have limitations and appear to have been obtained from g-scripts. When using them in a filtered file list (e.g., searching for documents in Nautilus), the scripts don't always work, nor are they available from a root Nautilus window.

My Solution

I created (and continue to create) a series of Nautilus scripts with which to remaster CAINE or add to an installed Linux distro. The problem has been that I do this across five different computer platforms, tweaking things as I go, to the point that I'm not sure on which computer any particular script resides. Plus, no one else has access to them for use/testing/improvement, at least until I remaster CAINE and release. Therefore I have created the LinuxSleuthing Google Code Project. I'll be populating the site with the scripts I create and encourage any feedback in the form of requests, bugs, suggestions, or improvements to the code.

The HTCIA Central California Chapter will be conducting training in September in the use of CAINE with many of these scripts, with primary focus on finding and previewing images, basic keyword searching, and iPod ownership identification, so the immediate focus of the scripts posted to the code project will be on these topics.

The scripts will follow the unix principle of "do one thing and do it well." They are not designed to run blind, finding all occurrences of index.dat, for example, and parsing them for histories. It will be up to the user to find the files and apply the parsing script. While this might sound labor intensive, it allows the user to surgically strike at desired data as time allows rather than wait for whole disk searches. That said, this concept may morph as real world trials expose flaws or beg enhancements.
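As an added illustration of the "do one thing" style described above (this is not one of the CAINE or LinuxSleuthing project scripts), here is a Nautilus right-click script that only hashes and types the files the investigator has selected. It assumes that in a filtered/search view Nautilus leaves NAUTILUS_SCRIPT_SELECTED_FILE_PATHS empty and sets only the file:// URIs in NAUTILUS_SCRIPT_SELECTED_URIS, which is one plausible reason the stock g-scripts misbehave there, so it falls back to decoding those URIs.

```shell
#!/bin/sh
# Added example, not a CAINE or LinuxSleuthing project script: a Nautilus
# right-click script that does one thing, hashing and typing only the files
# the investigator selected, and reads nothing else from the evidence.
# Assumption: in a filtered/search view Nautilus leaves
# NAUTILUS_SCRIPT_SELECTED_FILE_PATHS empty and sets only the file:// URIs in
# NAUTILUS_SCRIPT_SELECTED_URIS, so the script falls back to decoding those.

# Turn one file:// URI into a local path, decoding %XX escapes in pure sh.
uri_to_path() {
    s="${1#file://}"; out=""
    while [ -n "$s" ]; do
        case "$s" in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex="${s%"${s#%??}"}"; hex="${hex#%}"
                out="$out$(printf "\\$(printf '%03o' "0x$hex")")"
                s="${s#%??}" ;;
            *)  out="$out${s%"${s#?}"}"; s="${s#?}" ;;
        esac
    done
    printf '%s' "$out"
}

# One selected path per line, from whichever variable Nautilus populated.
selected_paths() {
    if [ -n "$NAUTILUS_SCRIPT_SELECTED_FILE_PATHS" ]; then
        printf '%s\n' "$NAUTILUS_SCRIPT_SELECTED_FILE_PATHS"
    else
        printf '%s\n' "$NAUTILUS_SCRIPT_SELECTED_URIS" | while IFS= read -r u; do
            [ -n "$u" ] || continue
            uri_to_path "$u"; printf '\n'
        done
    fi
}

# Report: SHA-1, file(1) type (if file is installed) and path, regular files only.
preview_report() {
    selected_paths | while IFS= read -r f; do
        [ -f "$f" ] || continue
        ftype=$(command -v file >/dev/null 2>&1 && file -b "$f" || echo '?')
        printf '%s  %s  %s\n' "$(sha1sum "$f" | cut -d' ' -f1)" "$ftype" "$f"
    done
}

# Run only when launched by Nautilus (something is selected); redirect the
# output to a case folder, never onto the evidence disc.
if [ -n "$NAUTILUS_SCRIPT_SELECTED_FILE_PATHS$NAUTILUS_SCRIPT_SELECTED_URIS" ]; then
    preview_report
fi
```

Drop it into ~/.gnome2/nautilus-scripts (or the CAINE equivalent), make it executable, and it appears under the right-click Scripts menu for whatever is selected, including in a search result list.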

Time Perspective

Telling time in forensic computing can be complicated. User interfaces hide the complexity, usually displaying time stamps in a human reada...