Risc OS Forensics
Sam (2215) 11 posts |
Hey guys, I am a final year student studying Forensic computing and am thinking of doing a forensic analysis of Risc OS. I have have a look online but could not see anything, but has a forensic analysis been done on this before? Lastly, has anyone got any ideas as to what I could do within Risc OS? Any sugested topics? Sorry if this is the wrong place for this post. Thanks, Sam |
Rick Murray (539) 13851 posts |
? My understanding of forensics is that it is a methodology used to gather evidence – for instance if a person is accused of a serious crime (say, illegal pictures of youngsters) and the computer systems were collected for information gathering, then searching for said pictures (and traces of) would be the forensics part. Or do you mean something different?
Well… Um… What would you like to do? |
William Harden (2174) 244 posts |
Final year of what level? If you want something which is useful, interesting and has plenty of scope – how about filetype analysis? ie. identifying or extracting image files from filesystems (corrupted or otherwise) or from within other files. You can test this by using an image filesystem to store the files, and then trying to retrieve them. The complexity then increases by how much you’d like to obfuscate them – obviously just finding stuff by the filetype is dull – so finding fingerprinted patterns is more useful. What if, for example – some of the JPEG header was intentionally degraded – can you use other clues in the file that it’s still a JPEG? That code in itself is useful (you’re also building a data integrity checker!) as well as useful project work. The other useful thing would be an ‘undelete’ tool. Obviously this has both forensic benefits and also RISC OS benefits! |
Sam (2215) 11 posts |
Sorry, I should have said Final year undergraduate stududent. I’ve taken an image and put it into Encase to examine it, and have a look at the file system to start off with. But I need to do something more specific. “but since RISC OS’s filing systems don’t maintain journalling” – What you mean? |
Steve Pampling (1551) 8172 posts |
http://en.wikipedia.org/wiki/Journaling_file_system I’m rather surprised that a final year student wouldn’t have covered journaling. |
Martin Bazley (331) 379 posts |
How about cutting the crap and telling us what? |
Sam (2215) 11 posts |
That’s the thing, I don’t know what I could do lol, that’s why I’m asking for advice. I want to analyse something within RISC OS. But do an forensic analysis of it. |
Rick Murray (539) 13851 posts |
Okay then – take apart the system to discover why people are reporting lethargic network transfers on the RaspberryPi… |
Neil Fazakerley (464) 124 posts |
“Okay then – take apart the system to discover why people are reporting lethargic network transfers on the RaspberryPi…” I think the USB stack could use a forensic analysis too. |
Theo Markettos (89) 919 posts |
There might be something in that. If RISC OS were a piece of malware, forensic analysis would involve taking it apart and seeing how it ticks. However it isn’t malware, but maybe doing the same analysis on something that isn’t still counts as forensic? Does having the source code detract from forensic-ness? Also perhaps other venerable parts of the OS like the Wimp, BBC BASIC, FileCore or FileSwitch – have a 25+ year history with layers of changes over the years, and few people understand how they work internally. While you have the source (and the version control commits), they’re in assembler so not so much different from working on disassembly. And there are no doubt lots of funky ARM tricks in there waiting to be discovered. |
jim lesurf (2082) 1438 posts |
Confess I find it odd that a final year student in “forensic computing” (no educational body mentioned) wouldn’t know about journalling or be so vague about what they have in mind. Talking about doing in on an OS in such a vague and sweeping manner also seems odd to me. Maybe he can clarify, but if not it will remain odd. Jim |
Sam (2215) 11 posts |
I’m thinking of doing filetype analysis. Thanks for your suggestions and sorry to be so broad and unclear. Sam. |
Sam (2215) 11 posts |
Ive just created a file in !StrongED and copied it onto my USB so I can analyse it. Opened it in Encase and it shows that the file was created 10:22PM and last modified 10:18PM hmm how does that work? lol !http://i.snag.gy/3ZdPS.jpg |
Glenn R (2369) 125 posts |
Does EnCase even support Filecore? It didn’t the last time I used it. Also, when looking for, say, indecent images, the “highly trained” police forensics technicians simply run a scan using EnCase to look for the JFIF headers etc. So, write a module that simply does EOR &FF on every byte read or written and you’ve defeated EnCase if it’s using raw mode on an unsupported file system. Actually there are many other ways to defeat EnCase, but I won’t mention them here. If someone has got a stack of, errm, “indecent images”, that they want to conceal, I will NOT be a party to helping them do this. In answer to your last question, 10:22pm would have been the time that you copied the file to the USB stick. You’d have saved it in StrongEd (WHY aren’t you using Zap, you infidel!) at 10:18pm. |
Sam (2215) 11 posts |
Aah makes sense. Durrr haha. And nope Encase doesn’t support FileCore. It just shows it as unallocated clusters when I image the SD card and try to analyse it :( This time I just took the file and viewed that single file in Encase which gave me that info. EOR &FF? Why? (Sorry Newbie) Haha yeah, and unfortunately, people like me will have to find evidence to prosecute those dirty minded criminals ha. Not used Zap before. I just picked the first one lol. |
Glenn R (2369) 125 posts |
That’s what happened when I attempted to analyse an acquired image from a Filecore disk using EnCase a few years back. If you scan the entire disk for deleted data it will pick up files though, but won’t be able to provide date stamps etc. Which means that Mr Glitter, on questioning, will simply say “it was a second-hand hard disk, I thought it was blank”. No way in hell is any charge going to stick, although his precious hard disk will be destroyed. EOR &FF simply bit-flips (inverts) everything, which means that scanning for the string “JFIF” (which is all EnCase does) will break. And because it doesn’t recognise the file system the disk will scan “clean”. Of course, like I said, there are much more nefarious ways of breaking EnCase. A quick Google should turn up some of them. ;-) |
Sam (2215) 11 posts |
Ooh cool, thanks. When I open it in a Hex Editor, I can see ‘stuff’ that has happened, ie websites visited. But because it’s in unallocated clusters its not in a friendly way to look at. Information everywhere. May be a silly question, is there anyway to PM you regarding this? |