SlideShare une entreprise Scribd logo

AFF4: The new standard in forensic imaging and why you should care

Télécharger en tant que PPTX, PDF
B
Bradley Schatz

This seminar will outline why a new forensic container standard is needed and outline recent efforts to standardize the Advanced Forensic Format 4 forensic container (AFF4). Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container supports a range of next generation forensic image features such as storage virtualisation, arbitrary metadata, and partial, non-linear and discontinuous images. Current AFF4 implementations include Rekall, The Pmem suite of Memory Acquisition tools, Evimetry Wirespeed, and Google Rapid Response. The seminar will present an introduction to the format, outline the current state of adoption within the forensic ecosystem, and announce the availability of open source implementations.

Sciences
1  sur  38
AFF4: The new standard in forensic imaging and why you should care Dr. Bradley Schatz Director, Schatz Forensic v1.1 – OSDFCon 2016 © Schatz Forensic 2016
© 2016 Schatz Forensic About me • Bradley Schatz – PhD, Digital Forensics (2007) ; BSc, Computer Science • Schatz Forensic / Evimetry (2009-) – Practitioner, R&D, tool vendor • Research affiliations – Journal of Digital Investigation (Editorial Board) – DFRWS Conference, Chair, Technical Program Committee (2016) • Practical contributions – Volatility Memory Forensics Framework (Vista & Windows 7 support) (2010) – Autopsy (index.dat support) • Queensland University of Technology – Adjunct associate professor, doctoral supervision
© 2016 Schatz Forensic Agenda • Why should I care about forensic formats? • What’s wrong with current forensic formats? • What is AFF4? • AFF4 Status Update
Why should I care about forensic formats?
© 2016 Schatz Forensic Limitations in forensic formats have profound effects on practice • The image as a linear bitstream – Triage: reliance on logical imaging and acceptance of loss of potentially relevant data • The usage of heavyweight compression – Significant delays due to CPU consumption • The usage of no compression – Significant delays due to hashing and copying sparse data • Inextensible metadata storage – Tool interoperability an ongoing problem
© 2016 Schatz Forensic AFF4 supports storing multiple streams per container Pmem aff4acquire = physical memory + mapped files Virtual address # pages Acquired mapped files & page files
© 2016 Schatz Forensic Time spent waiting for results Evidentiary Completeness Digital forensic best practice Triage & Incident Response Live forensics The AFF4 forensic format enables faster and new approaches to acquisition Increased speed Live analysis can occur during evidence preservation Non-linear partial images
© 2016 Schatz Forensic AFF4 shifts acquisition throughput to being CPU limited 1TB acquired in 20 minutes (~50 GB/min) Acquisition technique Acquire + Verify Evimetry Wirespeed 0:52:04 Xways + WinFE 2:48:00 Macquisition EWF 7:08:38 1TB NVMe (Core i7-4578U, 2 Cores) Macbook Pro A1502 (Evimetry 2.2.0a)
What’s wrong with current forensic formats?
© 2016 Schatz Forensic Forensic Imaging v1.0: RAW • Good – Universal tool support – 1:1 mapping – Easy to implement • Bad – No standardised metadata storage – Copying sparse regions (zero-filled) is a waste of time – Linear bitstream hash is a bottleneck at high speeds MD5 Source Hard Drive ACMECo.C1.D1.raw ACMECo.C1.D1.raw.txt # Linear Bitstream Hash
© 2016 Schatz Forensic The linear bitstream hash is a bottleneck at high speeds Target Storage Interconnect Hash Filesystem Interconnect Evidence storage Algorithm Average Throughput MB/s SHA1 619.23 MD5 745.65 Blake2b 601.87
© 2016 Schatz Forensic Linear bitstream hashing is a bottleneck with current generation storage Target Storage Interconnect Hash Filesystem Interconnect Evidence storage Target Storage Sustained Read 1TB Seagate 3.5” 7200rpm SATA 100 MB/s Current generation 3.5” 7200rpm SATA 200 MB/s Intel 730 SSD 550 MB/s Macbook Pro 1TB ~1 GB/s RAID 15000rpm SAS > 1 GB/s Samsung 850 NVMe 1.5 – 2.5 GB/s
© 2016 Schatz Forensic Forensic Imaging v2.1: Threaded EWF • Good – Images are fast to copy (compressed) – Near universal tool support • Bad – Inextensible metadata storage – Poorly defined* – Copying & Compressing sparse regions (zero) is a waste of time** – Deflate compression is a bottleneck – Linear bitstream hash is a bottleneck at high speeds * Despite the excellent work of Metz ** Recent EWF supports sparse regions MD5 Deflate DeflateDeflate Source Hard Drive ACMECo.C1.D1.e01 # Linear Bitstream Hash
© 2016 Schatz Forensic The deflate algorithm is a significant bottleneck Target Storage Interconnect Hash Compress Filesystem Interconnect Evidence storage Data Deflate MB/s Inflate MB/s High entropy 40.4 439 Low entropy 259 IO bound *Single core of quad core i7-4770 3.4Ghz measured with gzip
© 2016 Schatz Forensic 8-core i7 & uncontended IO? Threaded EWF is CPU bound Target Storage Interconnect Hash Compress Filesystem Interconnect Evidence storage SHA1 600MB/ s SATA3 Intel 720 SSD ~500MB/s SATA3 600MB/ s SATA3 Samsung 850 EVO Pro ~500MB/s Acquisition 240GB @ 255MB/s = 14m 35s Verification 240GB @ 350MB/s = 10m 37s TOTAL = 25m 12s Deflate 31.9MB/s/core *8 core i7-5820k @ 3.20 GHz
© 2016 Schatz Forensic What’s wrong with AFF (v1-3)? • Good – Well defined format – Open source – Extensible Name/Value pair metadata storage – Niche commercial tool support • Bad – Copying & Compressing sparse regions (zero) is a waste of time – Deflate compression is a bottleneck – Large compressed chunk sizes (16M by default) slow w/ NTFS MFT
What is AFF4?
© 2016 Schatz Forensic Forensic Imaging v4.0: AFF4 (2009) • ZIP64 based container • Storage virtualization • Extensible linked-data metadata storage • Inter-container reference scheme • 2-level indexing • Open source implementation
© 2016 Schatz Forensic AFF4 Storage Virtualisation: the Map ACMECo.S1.RAID0.af4 ACMECo.S1.D1.af4 # Linear Bitstream Hash ACMECo.S1.D2.af4 # Linear Bitstream Hash Compressed Block Storage Stream Virtual Storage Stream (Map)
© 2016 Schatz Forensic Example uses of the AFF4 Map • Reconstructing RAID from images • Rearranging spare and data ranges in flash images • Zero storage carving • Storing discontiguous data ranges • Storing non-linear images • Representing sparse regions
© 2016 Schatz Forensic Linked data metadata storage <aff4://fd488f0f-95ad-45e4-a948-a36afcb03a08> aff4:contains <aff4://08b52fb6-fbae-45f3-967e-03502cefaf92> ; aff4:stored <aff4://0658d383-3984-42f5-b1aa-c39f8e0cdbae> ; aff4:systemBiosVendor "American Megatrends Inc."^^xsd:string ; aff4:systemBiosVersion "F3"^^xsd:string ; aff4:systemChassisAssetTag "To Be Filled By O.E.M."^^xsd:string ; aff4:systemChassisSerial ""^^xsd:string ; aff4:systemChassisType "3"^^xsd:string ; aff4:systemChassisVendor "Gigabyte Technology Co., Ltd."^^xsd:string ; aff4:systemChassisVersion "To Be Filled By O.E.M."^^xsd:string ; aff4:systemEthernetAddress "94:DE:80:7C:EC:6C"^^xsd:string ; aff4:systemProductName "Z87X-UD3H"^^xsd:string ; aff4:systemProductSerial ""^^xsd:string ; aff4:systemProductUUID ""^^xsd:string ; aff4:systemProductVersion "To be filled by O.E.M."^^xsd:string ; aff4:systemVendor "Gigabyte Technology Co., Ltd."^^xsd:string ; aff4:systemboardAssetTag "To be filled by O.E.M."^^xsd:string ; aff4:systemboardName "Z87X-UD3H-CF"^^xsd:string ; aff4:systemboardSerial ""^^xsd:string ; aff4:systemboardVendor "Gigabyte Technology Co., Ltd."^^xsd:string ; aff4:systemboardVersion "x.x"^^xsd:string ; a aff4:ComputeResource . • Arbitrary information storage • Refer to data ranges and information • Inter-container references
© 2016 Schatz Forensic Forensic Imaging v4.1: AFF4 (2010) • Non-linear acquisition • Hash based imaging (deduplication)
© 2016 Schatz Forensic Forensic Imaging v4.2: AFF4 (2015) • Lightweight compression • Block based hashing • Partial acquisition – what we didn’t acquire – what we couldn’t acquire
© 2016 Schatz Forensic Lightweight compression Target Storage Interconnect Hash Compress Interconnect Evidence storage Compression Algorithm Throughput MB/s/core* Deflate (ZIP, gzip) 31.9 Snappy (Google BigTable) 1,400 LZO (ZFS) 1,540
© 2016 Schatz Forensic Block based hashing allows hashing to scale across all cores Hash Compress CompressCompress Source Hard Drive Hash Hash Block Hashes # Block Hashes Hash
© 2016 Schatz Forensic Block hashing shifts the bottleneck from from CPU to I/O Target Storage Interconnect Hash Compress Filesystem Interconnect Evidence storage SHA1 600 MB/s/cor e SATA3 Intel 730 SSD 500MB/s 4x SATA3 2.4GB/s RAID0 4x SATA3 2TB 800MB/s Snappy Avg 1.5GB/s/core *8 core i7-5820k @ 3.20 GHz Acquisition application Linear Acquisition Verification X-Ways Forensics 14:35 255 MB/s (15.3 GB/min) 10:37 350 MB/s (21.0 GB/min) Evimetry (linear) 7:23 500 MB/s (30.3 GB/min) 4:12 888 MB/s (53.33 GB/min)
© 2016 Schatz Forensic Generation of a single hash w/ block based hashing ACMECo.C1.D1.af4ACMECo.C1.D1.af4 Block Hashes Compressed Block Stream ## Virtual Block Stream (Map) Linear Block Hash Map Hash Block Hashes Hash ## ##
© 2016 Schatz Forensic Implementations • 4 scientifically peer reviewed papers over 6 years • 3 prototype implementations (2009 – 2013) – 3 languages, 4 revisions of the Map – Subtle implementation differences due to ambiguity – Heritage visible in Google Response Rig • 2 current implementations – Evimetry (Java) & Rekall/libaff4 (C and Python) • Convergence is required
© 2016 Schatz Forensic Convergence: AFF4 Standardisation Effort • AFF4 Working Group – Bradley Schatz (Evimetry), Michael Cohen (Google) chairing – Joe Sylve (Blackbag) – First meeting @ DFRWS 2016 • Intended outputs – Corpora of standard images [draft] – Specification (AFF4s) [draft] – Open source implementations (C, Python, Java) [pre-draft]
© 2016 Schatz Forensic AFF4 Standardisation Effort: Changes & Clarifications • Namespace change – Was http://afflib.org/ now http://aff4.org/ • Property naming made consistent • Image Stream Index (compressed block storage) – Was [offset0, offset1, offset2, offset3 .. offsetn] – Now [(offset0,length0), (offset1, length1) …] • Identification of Image in container
© 2016 Schatz Forensic Sleuthkit AFF4 support • Draft standard image (produced by Evimetry) • Read with libaff4 + AFF4s patches • Patches to sleuthkit and libaff4 coming very soon
© 2016 Schatz Forensic Sleuthkit AFF4 support • Draft standard image (produced by Evimetry) • Read with libaff4 + AFF4s patches • Patches to sleuthkit and libaff4 coming very soon
Next steps
© 2016 Schatz Forensic Volatile memory • Partial volatile memory acquisition – Multi-tenant considerations – Virtual machine host kernel memory • Live volatile memory analysis and acquisition
© 2016 Schatz Forensic Front-loaded pre-processing • File hashing during acquisition – Already implemented – Spinning disk – optimizing path across disk vs RAM (low seek) – SSD – not such an issue – No need for expensive processing for known files • Carving landmark and feature identification – No need for expensive disk scans
© 2016 Schatz Forensic AFF4 as an interchange format • Relationship with DFAX etc?
© 2016 Schatz Forensic More to come • Central point of communication – http://aff4.org/ • Updates to come – DFSci mailing list – sleuthkit-users • Interested in helping? – Send us an email – bradley@schatzforensic.com.au & scudette@google.com
Contact Dr Bradley Schatz https://evimetry.com/ bradley@evimetry.com @blschatz 'Hard Disk Drive X-Ray' image by Jeff Kubina

Recommandé

Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Bradley Schatz
 
Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Bradley Schatz
 
Unlock Bigdata Analytic Efficiency with Ceph Data Lake - Zhang Jian, Fu Yong
Unlock Bigdata Analytic Efficiency with Ceph Data Lake - Zhang Jian, Fu YongUnlock Bigdata Analytic Efficiency with Ceph Data Lake - Zhang Jian, Fu Yong
Unlock Bigdata Analytic Efficiency with Ceph Data Lake - Zhang Jian, Fu YongCeph Community
 
IPv4 IPv6 Multi Protocol Media Player
IPv4 IPv6 Multi Protocol Media PlayerIPv4 IPv6 Multi Protocol Media Player
IPv4 IPv6 Multi Protocol Media PlayerMasaaki Nabeshima
 
Ceph on rdma
Ceph on rdmaCeph on rdma
Ceph on rdmaSomnath Roy
 
Decentralized storage
Decentralized storageDecentralized storage
Decentralized storageAnurag Dashputre
 
Ceph optimized Storage / Global HW solutions for SDS, David Alvarez
Ceph optimized Storage / Global HW solutions for SDS, David AlvarezCeph optimized Storage / Global HW solutions for SDS, David Alvarez
Ceph optimized Storage / Global HW solutions for SDS, David AlvarezCeph Community
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival GuideAPNIC
 

Recommandé

Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Bradley Schatz
 
Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Bradley Schatz
 
Unlock Bigdata Analytic Efficiency with Ceph Data Lake - Zhang Jian, Fu Yong
Unlock Bigdata Analytic Efficiency with Ceph Data Lake - Zhang Jian, Fu YongUnlock Bigdata Analytic Efficiency with Ceph Data Lake - Zhang Jian, Fu Yong
Unlock Bigdata Analytic Efficiency with Ceph Data Lake - Zhang Jian, Fu YongCeph Community
 
IPv4 IPv6 Multi Protocol Media Player
IPv4 IPv6 Multi Protocol Media PlayerIPv4 IPv6 Multi Protocol Media Player
IPv4 IPv6 Multi Protocol Media PlayerMasaaki Nabeshima
 
Ceph on rdma
Ceph on rdmaCeph on rdma
Ceph on rdmaSomnath Roy
 
Decentralized storage
Decentralized storageDecentralized storage
Decentralized storageAnurag Dashputre
 
Ceph optimized Storage / Global HW solutions for SDS, David Alvarez
Ceph optimized Storage / Global HW solutions for SDS, David AlvarezCeph optimized Storage / Global HW solutions for SDS, David Alvarez
Ceph optimized Storage / Global HW solutions for SDS, David AlvarezCeph Community
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival GuideAPNIC
 
Aerospike Go Language Client
Aerospike Go Language ClientAerospike Go Language Client
Aerospike Go Language ClientSayyaparaju Sunil
 
Network OS Code Coverage demo using Bullseye tool
Network OS Code Coverage demo using Bullseye toolNetwork OS Code Coverage demo using Bullseye tool
Network OS Code Coverage demo using Bullseye toolVikram G Hosakote
 
Ceph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake SolutionCeph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake SolutionKaran Singh
 
Automation of Hadoop cluster operations in Arm Treasure Data
Automation of Hadoop cluster operations in Arm Treasure DataAutomation of Hadoop cluster operations in Arm Treasure Data
Automation of Hadoop cluster operations in Arm Treasure DataYan Wang
 
Aerospike Architecture
Aerospike ArchitectureAerospike Architecture
Aerospike ArchitecturePeter Milne
 
Building the Right Platform Architecture for Hadoop
Building the Right Platform Architecture for HadoopBuilding the Right Platform Architecture for Hadoop
Building the Right Platform Architecture for HadoopAll Things Open
 
Aerospike DB and Storm for real-time analytics
Aerospike DB and Storm for real-time analyticsAerospike DB and Storm for real-time analytics
Aerospike DB and Storm for real-time analyticsAerospike
 
Ceph Day Beijing: Big Data Analytics on Ceph Object Store
Ceph Day Beijing: Big Data Analytics on Ceph Object Store Ceph Day Beijing: Big Data Analytics on Ceph Object Store
Ceph Day Beijing: Big Data Analytics on Ceph Object Store Ceph Community
 
High Performance, Scalable MongoDB in a Bare Metal Cloud
High Performance, Scalable MongoDB in a Bare Metal CloudHigh Performance, Scalable MongoDB in a Bare Metal Cloud
High Performance, Scalable MongoDB in a Bare Metal CloudMongoDB
 
Cassandra Troubleshooting 3.0
Cassandra Troubleshooting 3.0Cassandra Troubleshooting 3.0
Cassandra Troubleshooting 3.0J.B. Langston
 
Getting The Most Out Of Your Flash/SSDs
Getting The Most Out Of Your Flash/SSDsGetting The Most Out Of Your Flash/SSDs
Getting The Most Out Of Your Flash/SSDsAerospike, Inc.
 
Architecting Ceph Solutions
Architecting Ceph SolutionsArchitecting Ceph Solutions
Architecting Ceph SolutionsRed_Hat_Storage
 
Vacuum more efficient than ever
Vacuum more efficient than everVacuum more efficient than ever
Vacuum more efficient than everMasahiko Sawada
 
Ceph's journey at SUSE
Ceph's journey at SUSECeph's journey at SUSE
Ceph's journey at SUSECeph Community
 
Predictable Big Data Performance in Real-time
Predictable Big Data Performance in Real-timePredictable Big Data Performance in Real-time
Predictable Big Data Performance in Real-timeAerospike, Inc.
 
Aerospike: Key Value Data Access
Aerospike: Key Value Data AccessAerospike: Key Value Data Access
Aerospike: Key Value Data AccessAerospike, Inc.
 
Lessons Learned on Java Tuning for Our Cassandra Clusters (Carlos Monroy, Kne...
Lessons Learned on Java Tuning for Our Cassandra Clusters (Carlos Monroy, Kne...Lessons Learned on Java Tuning for Our Cassandra Clusters (Carlos Monroy, Kne...
Lessons Learned on Java Tuning for Our Cassandra Clusters (Carlos Monroy, Kne...DataStax
 
Hot Cloud'16: An Experiment on Bare-Metal BigData Provisioning
Hot Cloud'16: An Experiment on Bare-Metal BigData ProvisioningHot Cloud'16: An Experiment on Bare-Metal BigData Provisioning
Hot Cloud'16: An Experiment on Bare-Metal BigData ProvisioningAta Turk
 
Clemson: Solving the HPC Data Deluge
Clemson: Solving the HPC Data DelugeClemson: Solving the HPC Data Deluge
Clemson: Solving the HPC Data Delugeinside-BigData.com
 
Cassandra Summit 2014: Lesser Known Features of Cassandra 2.1
Cassandra Summit 2014: Lesser Known Features of Cassandra 2.1Cassandra Summit 2014: Lesser Known Features of Cassandra 2.1
Cassandra Summit 2014: Lesser Known Features of Cassandra 2.1DataStax Academy
 
Webinar: Untethering Compute from Storage
Webinar: Untethering Compute from StorageWebinar: Untethering Compute from Storage
Webinar: Untethering Compute from StorageAvere Systems
 
IBM Aspera overview
IBM Aspera overview IBM Aspera overview
IBM Aspera overview Carlos Martin Hernandez
 

Contenu connexe

Tendances

Aerospike Go Language Client
Aerospike Go Language ClientAerospike Go Language Client
Aerospike Go Language ClientSayyaparaju Sunil
 
Network OS Code Coverage demo using Bullseye tool
Network OS Code Coverage demo using Bullseye toolNetwork OS Code Coverage demo using Bullseye tool
Network OS Code Coverage demo using Bullseye toolVikram G Hosakote
 
Ceph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake SolutionCeph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake SolutionKaran Singh
 
Automation of Hadoop cluster operations in Arm Treasure Data
Automation of Hadoop cluster operations in Arm Treasure DataAutomation of Hadoop cluster operations in Arm Treasure Data
Automation of Hadoop cluster operations in Arm Treasure DataYan Wang
 
Aerospike Architecture
Aerospike ArchitectureAerospike Architecture
Aerospike ArchitecturePeter Milne
 
Building the Right Platform Architecture for Hadoop
Building the Right Platform Architecture for HadoopBuilding the Right Platform Architecture for Hadoop
Building the Right Platform Architecture for HadoopAll Things Open
 
Aerospike DB and Storm for real-time analytics
Aerospike DB and Storm for real-time analyticsAerospike DB and Storm for real-time analytics
Aerospike DB and Storm for real-time analyticsAerospike
 
Ceph Day Beijing: Big Data Analytics on Ceph Object Store
Ceph Day Beijing: Big Data Analytics on Ceph Object Store Ceph Day Beijing: Big Data Analytics on Ceph Object Store
Ceph Day Beijing: Big Data Analytics on Ceph Object Store Ceph Community
 
High Performance, Scalable MongoDB in a Bare Metal Cloud
High Performance, Scalable MongoDB in a Bare Metal CloudHigh Performance, Scalable MongoDB in a Bare Metal Cloud
High Performance, Scalable MongoDB in a Bare Metal CloudMongoDB
 
Cassandra Troubleshooting 3.0
Cassandra Troubleshooting 3.0Cassandra Troubleshooting 3.0
Cassandra Troubleshooting 3.0J.B. Langston
 
Getting The Most Out Of Your Flash/SSDs
Getting The Most Out Of Your Flash/SSDsGetting The Most Out Of Your Flash/SSDs
Getting The Most Out Of Your Flash/SSDsAerospike, Inc.
 
Architecting Ceph Solutions
Architecting Ceph SolutionsArchitecting Ceph Solutions
Architecting Ceph SolutionsRed_Hat_Storage
 
Vacuum more efficient than ever
Vacuum more efficient than everVacuum more efficient than ever
Vacuum more efficient than everMasahiko Sawada
 
Predictable Big Data Performance in Real-time
Predictable Big Data Performance in Real-timePredictable Big Data Performance in Real-time
Predictable Big Data Performance in Real-timeAerospike, Inc.
 
Aerospike: Key Value Data Access
Aerospike: Key Value Data AccessAerospike: Key Value Data Access
Aerospike: Key Value Data AccessAerospike, Inc.
 
Lessons Learned on Java Tuning for Our Cassandra Clusters (Carlos Monroy, Kne...
Lessons Learned on Java Tuning for Our Cassandra Clusters (Carlos Monroy, Kne...Lessons Learned on Java Tuning for Our Cassandra Clusters (Carlos Monroy, Kne...
Lessons Learned on Java Tuning for Our Cassandra Clusters (Carlos Monroy, Kne...DataStax
 
Hot Cloud'16: An Experiment on Bare-Metal BigData Provisioning
Hot Cloud'16: An Experiment on Bare-Metal BigData ProvisioningHot Cloud'16: An Experiment on Bare-Metal BigData Provisioning
Hot Cloud'16: An Experiment on Bare-Metal BigData ProvisioningAta Turk
 
Clemson: Solving the HPC Data Deluge
Clemson: Solving the HPC Data DelugeClemson: Solving the HPC Data Deluge
Clemson: Solving the HPC Data Delugeinside-BigData.com
 
Cassandra Summit 2014: Lesser Known Features of Cassandra 2.1
Cassandra Summit 2014: Lesser Known Features of Cassandra 2.1Cassandra Summit 2014: Lesser Known Features of Cassandra 2.1
Cassandra Summit 2014: Lesser Known Features of Cassandra 2.1DataStax Academy
 

Tendances (20)

Aerospike Go Language Client
Aerospike Go Language ClientAerospike Go Language Client
Aerospike Go Language Client
 
Network OS Code Coverage demo using Bullseye tool
Network OS Code Coverage demo using Bullseye toolNetwork OS Code Coverage demo using Bullseye tool
Network OS Code Coverage demo using Bullseye tool
 
Ceph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake SolutionCeph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake Solution
 
Automation of Hadoop cluster operations in Arm Treasure Data
Automation of Hadoop cluster operations in Arm Treasure DataAutomation of Hadoop cluster operations in Arm Treasure Data
Automation of Hadoop cluster operations in Arm Treasure Data
 
Aerospike Architecture
Aerospike ArchitectureAerospike Architecture
Aerospike Architecture
 
Building the Right Platform Architecture for Hadoop
Building the Right Platform Architecture for HadoopBuilding the Right Platform Architecture for Hadoop
Building the Right Platform Architecture for Hadoop
 
Aerospike DB and Storm for real-time analytics
Aerospike DB and Storm for real-time analyticsAerospike DB and Storm for real-time analytics
Aerospike DB and Storm for real-time analytics
 
Ceph Day Beijing: Big Data Analytics on Ceph Object Store
Ceph Day Beijing: Big Data Analytics on Ceph Object Store Ceph Day Beijing: Big Data Analytics on Ceph Object Store
Ceph Day Beijing: Big Data Analytics on Ceph Object Store
 
High Performance, Scalable MongoDB in a Bare Metal Cloud
High Performance, Scalable MongoDB in a Bare Metal CloudHigh Performance, Scalable MongoDB in a Bare Metal Cloud
High Performance, Scalable MongoDB in a Bare Metal Cloud
 
Cassandra Troubleshooting 3.0
Cassandra Troubleshooting 3.0Cassandra Troubleshooting 3.0
Cassandra Troubleshooting 3.0
 
Getting The Most Out Of Your Flash/SSDs
Getting The Most Out Of Your Flash/SSDsGetting The Most Out Of Your Flash/SSDs
Getting The Most Out Of Your Flash/SSDs
 
Architecting Ceph Solutions
Architecting Ceph SolutionsArchitecting Ceph Solutions
Architecting Ceph Solutions
 
Vacuum more efficient than ever
Vacuum more efficient than everVacuum more efficient than ever
Vacuum more efficient than ever
 
Ceph's journey at SUSE
Ceph's journey at SUSECeph's journey at SUSE
Ceph's journey at SUSE
 
Predictable Big Data Performance in Real-time
Predictable Big Data Performance in Real-timePredictable Big Data Performance in Real-time
Predictable Big Data Performance in Real-time
 
Aerospike: Key Value Data Access
Aerospike: Key Value Data AccessAerospike: Key Value Data Access
Aerospike: Key Value Data Access
 
Lessons Learned on Java Tuning for Our Cassandra Clusters (Carlos Monroy, Kne...
Lessons Learned on Java Tuning for Our Cassandra Clusters (Carlos Monroy, Kne...Lessons Learned on Java Tuning for Our Cassandra Clusters (Carlos Monroy, Kne...
Lessons Learned on Java Tuning for Our Cassandra Clusters (Carlos Monroy, Kne...
 
Hot Cloud'16: An Experiment on Bare-Metal BigData Provisioning
Hot Cloud'16: An Experiment on Bare-Metal BigData ProvisioningHot Cloud'16: An Experiment on Bare-Metal BigData Provisioning
Hot Cloud'16: An Experiment on Bare-Metal BigData Provisioning
 
Clemson: Solving the HPC Data Deluge
Clemson: Solving the HPC Data DelugeClemson: Solving the HPC Data Deluge
Clemson: Solving the HPC Data Deluge
 
Cassandra Summit 2014: Lesser Known Features of Cassandra 2.1
Cassandra Summit 2014: Lesser Known Features of Cassandra 2.1Cassandra Summit 2014: Lesser Known Features of Cassandra 2.1
Cassandra Summit 2014: Lesser Known Features of Cassandra 2.1
 

Similaire à AFF4: The new standard in forensic imaging and why you should care

Webinar: Untethering Compute from Storage
Webinar: Untethering Compute from StorageWebinar: Untethering Compute from Storage
Webinar: Untethering Compute from StorageAvere Systems
 
Ceph - High Performance Without High Costs
Ceph - High Performance Without High CostsCeph - High Performance Without High Costs
Ceph - High Performance Without High CostsJonathan Long
 
Open Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOCOpen Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOCSheetal Dolas
 
Watson christofer j_180208
Watson christofer j_180208Watson christofer j_180208
Watson christofer j_180208IBM Sverige
 
Big data analysing genomics and the bdg project
Big data analysing genomics and the bdg projectBig data analysing genomics and the bdg project
Big data analysing genomics and the bdg projectsree navya
 
SkyhookDM - Towards an Arrow-Native Storage System
SkyhookDM - Towards an Arrow-Native Storage SystemSkyhookDM - Towards an Arrow-Native Storage System
SkyhookDM - Towards an Arrow-Native Storage SystemJayjeetChakraborty
 
040419 san forum
040419 san forum040419 san forum
040419 san forumThiru Raja
 
Hadoop 3.0 - Revolution or evolution?
Hadoop 3.0 - Revolution or evolution?Hadoop 3.0 - Revolution or evolution?
Hadoop 3.0 - Revolution or evolution?Uwe Printz
 
Architecture at Scale
Architecture at ScaleArchitecture at Scale
Architecture at ScaleElasticsearch
 
Integração de Dados com Apache NIFI - Marco Garcia Cetax
Integração de Dados com Apache NIFI - Marco Garcia CetaxIntegração de Dados com Apache NIFI - Marco Garcia Cetax
Integração de Dados com Apache NIFI - Marco Garcia CetaxMarco Garcia
 
BDSE 2015 Evaluation of Big Data Platforms with HiBench
BDSE 2015 Evaluation of Big Data Platforms with HiBenchBDSE 2015 Evaluation of Big Data Platforms with HiBench
BDSE 2015 Evaluation of Big Data Platforms with HiBencht_ivanov
 
Data core overview - haluk-final
Data core overview - haluk-finalData core overview - haluk-final
Data core overview - haluk-finalHaluk Ulubay
 
[NetApp] Simplified HA:DR Using Storage Solutions
[NetApp] Simplified HA:DR Using Storage Solutions[NetApp] Simplified HA:DR Using Storage Solutions
[NetApp] Simplified HA:DR Using Storage SolutionsPerforce
 
Database Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, Blazegraph
Database Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, BlazegraphDatabase Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, Blazegraph
Database Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, Blazegraph✔ Eric David Benari, PMP
 
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...Odinot Stanislas
 
Oracle Open World 2014: Lies, Damned Lies, and I/O Statistics [ CON3671]
Oracle Open World 2014: Lies, Damned Lies, and I/O Statistics [ CON3671]Oracle Open World 2014: Lies, Damned Lies, and I/O Statistics [ CON3671]
Oracle Open World 2014: Lies, Damned Lies, and I/O Statistics [ CON3671]Kyle Hailey
 

Similaire à AFF4: The new standard in forensic imaging and why you should care (20)

Webinar: Untethering Compute from Storage
Webinar: Untethering Compute from StorageWebinar: Untethering Compute from Storage
Webinar: Untethering Compute from Storage
 
IBM Aspera overview
IBM Aspera overview IBM Aspera overview
IBM Aspera overview
 
Ceph - High Performance Without High Costs
Ceph - High Performance Without High CostsCeph - High Performance Without High Costs
Ceph - High Performance Without High Costs
 
Open Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOCOpen Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOC
 
Watson christofer j_180208
Watson christofer j_180208Watson christofer j_180208
Watson christofer j_180208
 
Big data analysing genomics and the bdg project
Big data analysing genomics and the bdg projectBig data analysing genomics and the bdg project
Big data analysing genomics and the bdg project
 
SkyhookDM - Towards an Arrow-Native Storage System
SkyhookDM - Towards an Arrow-Native Storage SystemSkyhookDM - Towards an Arrow-Native Storage System
SkyhookDM - Towards an Arrow-Native Storage System
 
040419 san forum
040419 san forum040419 san forum
040419 san forum
 
Hadoop 3.0 - Revolution or evolution?
Hadoop 3.0 - Revolution or evolution?Hadoop 3.0 - Revolution or evolution?
Hadoop 3.0 - Revolution or evolution?
 
Architecture at Scale
Architecture at ScaleArchitecture at Scale
Architecture at Scale
 
Integração de Dados com Apache NIFI - Marco Garcia Cetax
Integração de Dados com Apache NIFI - Marco Garcia CetaxIntegração de Dados com Apache NIFI - Marco Garcia Cetax
Integração de Dados com Apache NIFI - Marco Garcia Cetax
 
Haystack + DASH7 Security
Haystack + DASH7 SecurityHaystack + DASH7 Security
Haystack + DASH7 Security
 
BDSE 2015 Evaluation of Big Data Platforms with HiBench
BDSE 2015 Evaluation of Big Data Platforms with HiBenchBDSE 2015 Evaluation of Big Data Platforms with HiBench
BDSE 2015 Evaluation of Big Data Platforms with HiBench
 
Data core overview - haluk-final
Data core overview - haluk-finalData core overview - haluk-final
Data core overview - haluk-final
 
[NetApp] Simplified HA:DR Using Storage Solutions
[NetApp] Simplified HA:DR Using Storage Solutions[NetApp] Simplified HA:DR Using Storage Solutions
[NetApp] Simplified HA:DR Using Storage Solutions
 
CERNBox: Site Report
CERNBox: Site ReportCERNBox: Site Report
CERNBox: Site Report
 
Database Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, Blazegraph
Database Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, BlazegraphDatabase Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, Blazegraph
Database Camp 2016 @ United Nations, NYC - Brad Bebee, CEO, Blazegraph
 
Ceph
CephCeph
Ceph
 
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
 
Oracle Open World 2014: Lies, Damned Lies, and I/O Statistics [ CON3671]
Oracle Open World 2014: Lies, Damned Lies, and I/O Statistics [ CON3671]Oracle Open World 2014: Lies, Damned Lies, and I/O Statistics [ CON3671]
Oracle Open World 2014: Lies, Damned Lies, and I/O Statistics [ CON3671]
 

Dernier

Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral AnalysisRaman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral AnalysisDiwakar Mishra
 
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...jana861314
 
Formation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksFormation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksSérgio Sacani
 
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsHubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsSérgio Sacani
 
Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​kaibalyasahoo82800
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...RohitNehra6
 
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...anilsa9823
 
Orientation, design and principles of polyhouse
Orientation, design and principles of polyhouseOrientation, design and principles of polyhouse
Orientation, design and principles of polyhousejana861314
 
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSpermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSarthak Sekhar Mondal
 
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRDelhi Call girls
 
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxUnlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxanandsmhk
 
Boyles law module in the grade 10 science
Boyles law module in the grade 10 scienceBoyles law module in the grade 10 science
Boyles law module in the grade 10 sciencefloriejanemacaya1
 
Presentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxPresentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxgindu3009
 
Caco-2 cell permeability assay for drug absorption
Caco-2 cell permeability assay for drug absorptionCaco-2 cell permeability assay for drug absorption
Caco-2 cell permeability assay for drug absorptionPriyansha Singh
 
Cultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptxCultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptxpradhanghanshyam7136
 
Work, Energy and Power for class 10 ICSE Physics
Work, Energy and Power for class 10 ICSE PhysicsWork, Energy and Power for class 10 ICSE Physics
Work, Energy and Power for class 10 ICSE Physicsvishikhakeshava1
 
Botany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfBotany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfSumit Kumar yadav
 

Dernier (20)

Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral AnalysisRaman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
 
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
 
Formation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksFormation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disks
 
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsHubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
 
CELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdfCELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdf
 
Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...
 
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
 
Orientation, design and principles of polyhouse
Orientation, design and principles of polyhouseOrientation, design and principles of polyhouse
Orientation, design and principles of polyhouse
 
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSpermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
 
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
 
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxUnlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
 
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
 
Boyles law module in the grade 10 science
Boyles law module in the grade 10 scienceBoyles law module in the grade 10 science
Boyles law module in the grade 10 science
 
Presentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxPresentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptx
 
Caco-2 cell permeability assay for drug absorption
Caco-2 cell permeability assay for drug absorptionCaco-2 cell permeability assay for drug absorption
Caco-2 cell permeability assay for drug absorption
 
Cultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptxCultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptx
 
Work, Energy and Power for class 10 ICSE Physics
Work, Energy and Power for class 10 ICSE PhysicsWork, Energy and Power for class 10 ICSE Physics
Work, Energy and Power for class 10 ICSE Physics
 
Botany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfBotany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdf
 
Engler and Prantl system of classification in plant taxonomy
Engler and Prantl system of classification in plant taxonomyEngler and Prantl system of classification in plant taxonomy
Engler and Prantl system of classification in plant taxonomy
 

AFF4: The new standard in forensic imaging and why you should care

  • 1. AFF4: The new standard in forensic imaging and why you should care Dr. Bradley Schatz Director, Schatz Forensic v1.1 – OSDFCon 2016 © Schatz Forensic 2016
  • 2. © 2016 Schatz Forensic About me • Bradley Schatz – PhD, Digital Forensics (2007) ; BSc, Computer Science • Schatz Forensic / Evimetry (2009-) – Practitioner, R&D, tool vendor • Research affiliations – Journal of Digital Investigation (Editorial Board) – DFRWS Conference, Chair, Technical Program Committee (2016) • Practical contributions – Volatility Memory Forensics Framework (Vista & Windows 7 support) (2010) – Autopsy (index.dat support) • Queensland University of Technology – Adjunct associate professor, doctoral supervision
  • 3. © 2016 Schatz Forensic Agenda • Why should I care about forensic formats? • What’s wrong with current forensic formats? • What is AFF4? • AFF4 Status Update
  • 4. Why should I care about forensic formats?
  • 5. © 2016 Schatz Forensic Limitations in forensic formats have profound effects on practice • The image as a linear bitstream – Triage: reliance on logical imaging and acceptance of loss of potentially relevant data • The usage of heavyweight compression – Significant delays due to CPU consumption • The usage of no compression – Significant delays due to hashing and copying sparse data • Inextensible metadata storage – Tool interoperability an ongoing problem
  • 6. © 2016 Schatz Forensic AFF4 supports storing multiple streams per container Pmem aff4acquire = physical memory + mapped files Virtual address # pages Acquired mapped files & page files
  • 7. © 2016 Schatz Forensic Time spent waiting for results Evidentiary Completeness Digital forensic best practice Triage & Incident Response Live forensics The AFF4 forensic format enables faster and new approaches to acquisition Increased speed Live analysis can occur during evidence preservation Non-linear partial images
  • 8. © 2016 Schatz Forensic AFF4 shifts acquisition throughput to being CPU limited 1TB acquired in 20 minutes (~50 GB/min) Acquisition technique Acquire + Verify Evimetry Wirespeed 0:52:04 Xways + WinFE 2:48:00 Macquisition EWF 7:08:38 1TB NVMe (Core i7-4578U, 2 Cores) Macbook Pro A1502 (Evimetry 2.2.0a)
  • 9. What’s wrong with current forensic formats?
  • 10. © 2016 Schatz Forensic Forensic Imaging v1.0: RAW • Good – Universal tool support – 1:1 mapping – Easy to implement • Bad – No standardised metadata storage – Copying sparse regions (zero-filled) is a waste of time – Linear bitstream hash is a bottleneck at high speeds MD5 Source Hard Drive ACMECo.C1.D1.raw ACMECo.C1.D1.raw.txt # Linear Bitstream Hash
  • 11. © 2016 Schatz Forensic The linear bitstream hash is a bottleneck at high speeds Target Storage Interconnect Hash Filesystem Interconnect Evidence storage Algorithm Average Throughput MB/s SHA1 619.23 MD5 745.65 Blake2b 601.87
  • 12. © 2016 Schatz Forensic Linear bitstream hashing is a bottleneck with current generation storage Target Storage Interconnect Hash Filesystem Interconnect Evidence storage Target Storage Sustained Read 1TB Seagate 3.5” 7200rpm SATA 100 MB/s Current generation 3.5” 7200rpm SATA 200 MB/s Intel 730 SSD 550 MB/s Macbook Pro 1TB ~1 GB/s RAID 15000rpm SAS > 1 GB/s Samsung 850 NVMe 1.5 – 2.5 GB/s
  • 13. © 2016 Schatz Forensic Forensic Imaging v2.1: Threaded EWF • Good – Images are fast to copy (compressed) – Near universal tool support • Bad – Inextensible metadata storage – Poorly defined* – Copying & Compressing sparse regions (zero) is a waste of time** – Deflate compression is a bottleneck – Linear bitstream hash is a bottleneck at high speeds * Despite the excellent work of Metz ** Recent EWF supports sparse regions MD5 Deflate DeflateDeflate Source Hard Drive ACMECo.C1.D1.e01 # Linear Bitstream Hash
  • 14. © 2016 Schatz Forensic The deflate algorithm is a significant bottleneck Target Storage Interconnect Hash Compress Filesystem Interconnect Evidence storage Data Deflate MB/s Inflate MB/s High entropy 40.4 439 Low entropy 259 IO bound *Single core of quad core i7-4770 3.4Ghz measured with gzip
  • 15. © 2016 Schatz Forensic 8-core i7 & uncontended IO? Threaded EWF is CPU bound Target Storage Interconnect Hash Compress Filesystem Interconnect Evidence storage SHA1 600MB/ s SATA3 Intel 720 SSD ~500MB/s SATA3 600MB/ s SATA3 Samsung 850 EVO Pro ~500MB/s Acquisition 240GB @ 255MB/s = 14m 35s Verification 240GB @ 350MB/s = 10m 37s TOTAL = 25m 12s Deflate 31.9MB/s/core *8 core i7-5820k @ 3.20 GHz
  • 16. © 2016 Schatz Forensic What’s wrong with AFF (v1-3)? • Good – Well defined format – Open source – Extensible Name/Value pair metadata storage – Niche commercial tool support • Bad – Copying & Compressing sparse regions (zero) is a waste of time – Deflate compression is a bottleneck – Large compressed chunk sizes (16M by default) slow w/ NTFS MFT
  • 18. © 2016 Schatz Forensic Forensic Imaging v4.0: AFF4 (2009) • ZIP64 based container • Storage virtualization • Extensible linked-data metadata storage • Inter-container reference scheme • 2-level indexing • Open source implementation
  • 19. © 2016 Schatz Forensic AFF4 Storage Virtualisation: the Map ACMECo.S1.RAID0.af4 ACMECo.S1.D1.af4 # Linear Bitstream Hash ACMECo.S1.D2.af4 # Linear Bitstream Hash Compressed Block Storage Stream Virtual Storage Stream (Map)
  • 20. © 2016 Schatz Forensic Example uses of the AFF4 Map • Reconstructing RAID from images • Rearranging spare and data ranges in flash images • Zero storage carving • Storing discontiguous data ranges • Storing non-linear images • Representing sparse regions
  • 21. © 2016 Schatz Forensic Linked data metadata storage <aff4://fd488f0f-95ad-45e4-a948-a36afcb03a08> aff4:contains <aff4://08b52fb6-fbae-45f3-967e-03502cefaf92> ; aff4:stored <aff4://0658d383-3984-42f5-b1aa-c39f8e0cdbae> ; aff4:systemBiosVendor "American Megatrends Inc."^^xsd:string ; aff4:systemBiosVersion "F3"^^xsd:string ; aff4:systemChassisAssetTag "To Be Filled By O.E.M."^^xsd:string ; aff4:systemChassisSerial ""^^xsd:string ; aff4:systemChassisType "3"^^xsd:string ; aff4:systemChassisVendor "Gigabyte Technology Co., Ltd."^^xsd:string ; aff4:systemChassisVersion "To Be Filled By O.E.M."^^xsd:string ; aff4:systemEthernetAddress "94:DE:80:7C:EC:6C"^^xsd:string ; aff4:systemProductName "Z87X-UD3H"^^xsd:string ; aff4:systemProductSerial ""^^xsd:string ; aff4:systemProductUUID ""^^xsd:string ; aff4:systemProductVersion "To be filled by O.E.M."^^xsd:string ; aff4:systemVendor "Gigabyte Technology Co., Ltd."^^xsd:string ; aff4:systemboardAssetTag "To be filled by O.E.M."^^xsd:string ; aff4:systemboardName "Z87X-UD3H-CF"^^xsd:string ; aff4:systemboardSerial ""^^xsd:string ; aff4:systemboardVendor "Gigabyte Technology Co., Ltd."^^xsd:string ; aff4:systemboardVersion "x.x"^^xsd:string ; a aff4:ComputeResource . • Arbitrary information storage • Refer to data ranges and information • Inter-container references
  • 22. © 2016 Schatz Forensic Forensic Imaging v4.1: AFF4 (2010) • Non-linear acquisition • Hash based imaging (deduplication)
  • 23. © 2016 Schatz Forensic Forensic Imaging v4.2: AFF4 (2015) • Lightweight compression • Block based hashing • Partial acquisition – what we didn’t acquire – what we couldn’t acquire
  • 24. © 2016 Schatz Forensic Lightweight compression Target Storage Interconnect Hash Compress Interconnect Evidence storage Compression Algorithm Throughput MB/s/core* Deflate (ZIP, gzip) 31.9 Snappy (Google BigTable) 1,400 LZO (ZFS) 1,540
  • 25. © 2016 Schatz Forensic Block based hashing allows hashing to scale across all cores Hash Compress CompressCompress Source Hard Drive Hash Hash Block Hashes # Block Hashes Hash
  • 26. © 2016 Schatz Forensic Block hashing shifts the bottleneck from from CPU to I/O Target Storage Interconnect Hash Compress Filesystem Interconnect Evidence storage SHA1 600 MB/s/cor e SATA3 Intel 730 SSD 500MB/s 4x SATA3 2.4GB/s RAID0 4x SATA3 2TB 800MB/s Snappy Avg 1.5GB/s/core *8 core i7-5820k @ 3.20 GHz Acquisition application Linear Acquisition Verification X-Ways Forensics 14:35 255 MB/s (15.3 GB/min) 10:37 350 MB/s (21.0 GB/min) Evimetry (linear) 7:23 500 MB/s (30.3 GB/min) 4:12 888 MB/s (53.33 GB/min)
  • 27. © 2016 Schatz Forensic Generation of a single hash w/ block based hashing ACMECo.C1.D1.af4ACMECo.C1.D1.af4 Block Hashes Compressed Block Stream ## Virtual Block Stream (Map) Linear Block Hash Map Hash Block Hashes Hash ## ##
  • 28. © 2016 Schatz Forensic Implementations • 4 scientifically peer reviewed papers over 6 years • 3 prototype implementations (2009 – 2013) – 3 languages, 4 revisions of the Map – Subtle implementation differences due to ambiguity – Heritage visible in Google Response Rig • 2 current implementations – Evimetry (Java) & Rekall/libaff4 (C and Python) • Convergence is required
  • 29. © 2016 Schatz Forensic Convergence: AFF4 Standardisation Effort • AFF4 Working Group – Bradley Schatz (Evimetry), Michael Cohen (Google) chairing – Joe Sylve (Blackbag) – First meeting @ DFRWS 2016 • Intended outputs – Corpora of standard images [draft] – Specification (AFF4s) [draft] – Open source implementations (C, Python, Java) [pre-draft]
  • 30. © 2016 Schatz Forensic AFF4 Standardisation Effort: Changes & Clarifications • Namespace change – Was http://afflib.org/ now http://aff4.org/ • Property naming made consistent • Image Stream Index (compressed block storage) – Was [offset0, offset1, offset2, offset3 .. offsetn] – Now [(offset0,length0), (offset1, length1) …] • Identification of Image in container
  • 31. © 2016 Schatz Forensic Sleuthkit AFF4 support • Draft standard image (produced by Evimetry) • Read with libaff4 + AFF4s patches • Patches to sleuthkit and libaff4 coming very soon
  • 32. © 2016 Schatz Forensic Sleuthkit AFF4 support • Draft standard image (produced by Evimetry) • Read with libaff4 + AFF4s patches • Patches to sleuthkit and libaff4 coming very soon
  • 34. © 2016 Schatz Forensic Volatile memory • Partial volatile memory acquisition – Multi-tenant considerations – Virtual machine host kernel memory • Live volatile memory analysis and acquisition
  • 35. © 2016 Schatz Forensic Front-loaded pre-processing • File hashing during acquisition – Already implemented – Spinning disk – optimizing path across disk vs RAM (low seek) – SSD – not such an issue – No need for expensive processing for known files • Carving landmark and feature identification – No need for expensive disk scans
  • 36. © 2016 Schatz Forensic AFF4 as an interchange format • Relationship with DFAX etc?
  • 37. © 2016 Schatz Forensic More to come • Central point of communication – http://aff4.org/ • Updates to come – DFSci mailing list – sleuthkit-users • Interested in helping? – Send us an email – bradley@schatzforensic.com.au & scudette@google.com