Risc OS Forensics

Hey guys,

I am a final year student studying Forensic computing and am thinking of doing a forensic analysis of Risc OS.

I have have a look online but could not see anything, but has a forensic analysis been done on this before?

Lastly, has anyone got any ideas as to what I could do within Risc OS? Any sugested topics?

Sorry if this is the wrong place for this post.

Thanks,

Sam

am thinking of doing a forensic analysis of Risc OS.

? My understanding of forensics is that it is a methodology used to gather evidence – for instance if a person is accused of a serious crime (say, illegal pictures of youngsters) and the computer systems were collected for information gathering, then searching for said pictures (and traces of) would be the forensics part.
As such, you would not use RISC OS itself, but rather you would take an image of the media concerned and then examine the image. Any write activity to the media would compromise its ability to be used as evidence (same goes for Windows, etc).
Merely booting the machine could cause files to be written – okay, just config/boot stuff, but since RISC OS’s filing systems don’t maintain journalling, you cannot prove that nothing else was added, especially given that it is arbitrarily easy to fiddle date stamps, and unlike some systems, the native filing system keeps its files alphabetically sorted internally so it is actually trivially easy to place compromising data onto such a machine in a way that it would be rather difficult to prove wasn’t there before – and any half decent solicitor would argue that if the machine itself is used by the investigators at any stage…thus, potentially contaminating the evidence.
For these reasons, you wouldn’t want to conduct any examination from within the host operating system itself. Same goes for Windows, Linux, etc.

Or do you mean something different?

what I could do within Risc OS?

Well… Um… What would you like to do?

Final year of what level?

If you want something which is useful, interesting and has plenty of scope – how about filetype analysis?

ie. identifying or extracting image files from filesystems (corrupted or otherwise) or from within other files. You can test this by using an image filesystem to store the files, and then trying to retrieve them.

The complexity then increases by how much you’d like to obfuscate them – obviously just finding stuff by the filetype is dull – so finding fingerprinted patterns is more useful. What if, for example – some of the JPEG header was intentionally degraded – can you use other clues in the file that it’s still a JPEG?

That code in itself is useful (you’re also building a data integrity checker!) as well as useful project work.

The other useful thing would be an ‘undelete’ tool. Obviously this has both forensic benefits and also RISC OS benefits!

Sorry, I should have said Final year undergraduate stududent.

I’ve taken an image and put it into Encase to examine it, and have a look at the file system to start off with.

But I need to do something more specific.

“but since RISC OS’s filing systems don’t maintain journalling” – What you mean?

RISC OS’s filing systems don’t maintain journalling” – What you mean?

http://en.wikipedia.org/wiki/Journaling_file_system
http://searchsecurity.techtarget.com/definition/journaling-file-system

I’m rather surprised that a final year student wouldn’t have covered journaling.
Mind you Unix was but a child when I started playing with computer systems.
Some people round here may pre-date UNIX

But I need to do something more specific.

How about cutting the crap and telling us what?

That’s the thing, I don’t know what I could do lol, that’s why I’m asking for advice.

I want to analyse something within RISC OS. But do an forensic analysis of it.

I want to analyse something within RISC OS. But do an forensic analysis of it.

Okay then – take apart the system to discover why people are reporting lethargic network transfers on the RaspberryPi…

“Okay then – take apart the system to discover why people are reporting lethargic network transfers on the RaspberryPi…”

I think the USB stack could use a forensic analysis too.

There might be something in that. If RISC OS were a piece of malware, forensic analysis would involve taking it apart and seeing how it ticks. However it isn’t malware, but maybe doing the same analysis on something that isn’t still counts as forensic? Does having the source code detract from forensic-ness?
If that kind of project is feasible, USB is a good place to start, or maybe the network stack? Teasing apart the pieces that have been borrowed from BSD and how they interact with native parts would be interesting, and possibly useful in terms of how to make them easy to update to the latest BSD sources.

Also perhaps other venerable parts of the OS like the Wimp, BBC BASIC, FileCore or FileSwitch – have a 25+ year history with layers of changes over the years, and few people understand how they work internally. While you have the source (and the version control commits), they’re in assembler so not so much different from working on disassembly. And there are no doubt lots of funky ARM tricks in there waiting to be discovered.

Confess I find it odd that a final year student in “forensic computing” (no educational body mentioned) wouldn’t know about journalling or be so vague about what they have in mind. Talking about doing in on an OS in such a vague and sweeping manner also seems odd to me. Maybe he can clarify, but if not it will remain odd.

Jim

I’m thinking of doing filetype analysis.

Thanks for your suggestions and sorry to be so broad and unclear.

Sam.

Ive just created a file in !StrongED and copied it onto my USB so I can analyse it.

Opened it in Encase and it shows that the file was created 10:22PM and last modified 10:18PM hmm how does that work? lol

!http://i.snag.gy/3ZdPS.jpg

Does EnCase even support Filecore? It didn’t the last time I used it.

Also, when looking for, say, indecent images, the “highly trained” police forensics technicians simply run a scan using EnCase to look for the JFIF headers etc. So, write a module that simply does EOR &FF on every byte read or written and you’ve defeated EnCase if it’s using raw mode on an unsupported file system.

Actually there are many other ways to defeat EnCase, but I won’t mention them here. If someone has got a stack of, errm, “indecent images”, that they want to conceal, I will NOT be a party to helping them do this.

In answer to your last question, 10:22pm would have been the time that you copied the file to the USB stick. You’d have saved it in StrongEd (WHY aren’t you using Zap, you infidel!) at 10:18pm.

Aah makes sense. Durrr haha.

And nope Encase doesn’t support FileCore. It just shows it as unallocated clusters when I image the SD card and try to analyse it :(

This time I just took the file and viewed that single file in Encase which gave me that info.

EOR &FF? Why? (Sorry Newbie)

Haha yeah, and unfortunately, people like me will have to find evidence to prosecute those dirty minded criminals ha.

Not used Zap before. I just picked the first one lol.

That’s what happened when I attempted to analyse an acquired image from a Filecore disk using EnCase a few years back. If you scan the entire disk for deleted data it will pick up files though, but won’t be able to provide date stamps etc.

Which means that Mr Glitter, on questioning, will simply say “it was a second-hand hard disk, I thought it was blank”. No way in hell is any charge going to stick, although his precious hard disk will be destroyed.

EOR &FF simply bit-flips (inverts) everything, which means that scanning for the string “JFIF” (which is all EnCase does) will break. And because it doesn’t recognise the file system the disk will scan “clean”.

Of course, like I said, there are much more nefarious ways of breaking EnCase. A quick Google should turn up some of them. ;-)

Ooh cool, thanks.

When I open it in a Hex Editor, I can see ‘stuff’ that has happened, ie websites visited. But because it’s in unallocated clusters its not in a friendly way to look at. Information everywhere.

May be a silly question, is there anyway to PM you regarding this?