Authors: Alex Nelson, Ph.D. (NIST), Erik Steggall, Darrell Long
DFRWS USA 2014
Abstract
This work addresses the question of determining the correctness of forensic file system analysis software. Current storage systems are built on theory that is robust but not invincible to faults, whether from software, hardware, or adversaries. Given a parsing of a storage system of unknown provenance, the lack of a sound and complete analytic theory means the parsing's correctness cannot be proven. However, with recent advances in digital forensic theory, a measure of its incorrectness can be taken. We present FSNView, an N-Version programming utility. FSNView reports exhaustively the metadata of a single disk image, using multiple storage system parsers. Each parser reports its perspective of the metadata in Digital Forensics XML (DFXML), a storage language used recently in a study on differential analysis. We repurpose the tools built for studying changes in file systems over time to study changes in file systems across perspectives. Differences between the metadata summaries immediately flag a bug in at least one of the tools employed. Diversity in tools and their analysis algorithms strengthens the analysis of a storage subject. We apply file system differencing to study the external storage of the Microsoft Xbox 360 game console. The console's storage serves as an exemplary analysis subject; the described strategy is general to storage system analysis. Its custom volume management and new-though-familiar file system are features typical of embedded system analysis. Two open-source utilities developed solely for analyzing this game console, and a third developed for general file system forensics, are extended to compare storage system metadata perspectives. We present a new file system and revisions to the DFXML language, library, and differencing process, which were necessary to enable a principled, automatic evaluation of storage analysis tools.
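To make the N-version idea concrete, the following is an added example (not FSNView's code, and not the DFXML library the paper revises): two constructed DFXML documents stand in for the output of two hypothetical parsers run on the same disk image, and the script aligns their `fileobject` entries by filename and reports every field on which the parsers disagree. The sample documents use a simplified, namespace-free subset of DFXML (`filename`, `filesize`, `inode`, `hashdigest type="md5"`); real DFXML carries a namespace and many more fields, and the hash values and paths below are made up. A field that one tool simply does not report is not counted as a disagreement, since only conflicting reported values point at a bug.

```python
"""Minimal N-version differencing of file system metadata in DFXML.

Added example, not FSNView or the DFXML library.  Two constructed DFXML
documents (TOOL_A, TOOL_B) model two hypothetical parsers' views of the
same image; diff_views() reports where those views conflict.
"""
import xml.etree.ElementTree as ET

# Constructed sample output of a hypothetical parser "toolA".
# Simplified DFXML: no namespace, only a few metadata fields.
TOOL_A = """<?xml version="1.0"?>
<dfxml>
  <volume>
    <fileobject>
      <filename>Content/save.dat</filename>
      <filesize>4096</filesize>
      <inode>12</inode>
      <hashdigest type="md5">0123456789abcdef0123456789abcdef</hashdigest>
    </fileobject>
    <fileobject>
      <filename>Content/profile.bin</filename>
      <filesize>1024</filesize>
      <inode>13</inode>
    </fileobject>
  </volume>
</dfxml>
"""

# Constructed sample output of a hypothetical parser "toolB" on the same
# image: it reports a different size for save.dat and finds an extra file.
TOOL_B = """<?xml version="1.0"?>
<dfxml>
  <volume>
    <fileobject>
      <filename>Content/save.dat</filename>
      <filesize>4100</filesize>
      <inode>12</inode>
      <hashdigest type="md5">0123456789abcdef0123456789abcdef</hashdigest>
    </fileobject>
    <fileobject>
      <filename>Content/profile.bin</filename>
      <filesize>1024</filesize>
      <inode>13</inode>
    </fileobject>
    <fileobject>
      <filename>Content/extra.log</filename>
      <filesize>64</filesize>
      <inode>14</inode>
    </fileobject>
  </volume>
</dfxml>
"""

# Metadata fields compared across parsers.
FIELDS = ("filesize", "inode", "md5")


def parse_dfxml(text):
    """Return {filename: {field: value}} for every fileobject in a DFXML doc."""
    root = ET.fromstring(text)
    records = {}
    for fo in root.iter("fileobject"):
        name = fo.findtext("filename")
        rec = {
            "filesize": fo.findtext("filesize"),
            "inode": fo.findtext("inode"),
        }
        md5 = fo.find("hashdigest[@type='md5']")
        rec["md5"] = md5.text if md5 is not None else None
        records[name] = rec
    return records


def diff_views(views):
    """Compare parser views: {tool: records} -> [(filename, field, {tool: value})].

    A file missing from some tools yields one ("present") finding.  For a
    file seen by all tools, each field is compared only across the tools
    that actually report it (None means "not reported", not a conflict).
    """
    names = set()
    for recs in views.values():
        names |= set(recs)
    findings = []
    for name in sorted(names):
        present = {tool: name in recs for tool, recs in views.items()}
        if not all(present.values()):
            findings.append((name, "present", present))
            continue
        for field in FIELDS:
            reported = {tool: recs[name][field] for tool, recs in views.items()
                        if recs[name][field] is not None}
            if len(set(reported.values())) > 1:
                findings.append((name, field, reported))
    return findings


if __name__ == "__main__":
    views = {"toolA": parse_dfxml(TOOL_A), "toolB": parse_dfxml(TOOL_B)}
    for name, field, values in diff_views(views):
        print(f"{name}: {field} differs: {values}")
```

Each reported line names a file, a field, and the conflicting values per tool, which is exactly the unit of evidence the abstract describes: with two or more independent parsers, any such line means at least one of them is wrong about that file, and adding a third view usually shows which.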