Ubi est indicium? On forensic analysis of the UBI file system

IF 2.0 | CAS Zone 4 (Medicine) | JCR Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS
Matthias Deutschmann, Harald Baier
Journal: Forensic Science International: Digital Investigation
Published: 2024-03-01 (Journal Article)
DOI: 10.1016/j.fsidi.2023.301689
Publisher page: https://www.sciencedirect.com/science/article/pii/S2666281723002081
Citations: 0

Abstract

Crimes involving Internet of Things (IoT) or embedded devices like drones are on the rise. A widespread class of file systems for storing data on embedded devices is flash file systems (FFS). FFS are optimized to manage the conceptual limitations and characteristics of raw flash memory, i.e., memory that is not managed by an additional hardware controller (the Flash Translation Layer) that hides the characteristics of flash. Thus, FFS incorporate mechanisms and structures that are not part of traditional block-based file systems like NTFS, APFS, or ExtX. For analyses of FFS-based embedded devices, digital forensics tools handling FFS are needed. Unfortunately, currently available tools are not able to analyze FFS or raw flash images in general. In this paper, we provide a concept and an open-source implementation of a digital forensics tool bridging this gap for the widespread UBI File System. Our concept is inspired by the well-known Sleuth Kit and reflects the different abstraction layers of a digital forensics analysis (e.g., the storage device level, the volume level, the file system level). We provide an open-source tool of our concept, which we call UBI Forensic Toolkit (UBIFT). In contrast to previous work, UBIFT is able to parse file system structures like the directory tree or the UBIFS journal to recover deleted files including the respective metadata. We show the usefulness of UBIFT by a twofold evaluation: we first apply our tool to a publicly available Internet camera flash dump to perform a forensically sound analysis of the flash device. Our second evaluation comprises both a methodology for creating adaptable flash dumps in general and the comparison of our tool to competitors with similar functionality on the basis of self-generated flash dumps. Finally, we address the usability aspect of UBIFT by providing an Autopsy plugin of our tool.
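The abstraction layers the abstract names (storage device, volume, file system) are visible directly in a raw UBI dump. As an added illustration, not code from the paper or from UBIFT, the following Python parses the lowest two: it walks every physical erase block (PEB) of a raw image, validates the UBI erase-counter (EC) and volume-ID (VID) headers and their CRCs, classifies PEBs as erased, free, mapped or corrupt, and reassembles each volume's logical erase blocks (LEBs) by taking the highest sequence number per LEB. Because UBI writes LEB updates out of place, the superseded PEBs it reports as stale still hold the previous content, which is the volume-level counterpart of the deleted-file recovery the paper performs at the UBIFS level. The header layout and CRC convention follow the Linux UBI on-flash format; the sample dump, its 1 KiB PEB geometry and the 64/128 byte header offsets are constructed for this example and are not real NAND values.

```python
import struct
import zlib

# On-flash constants from the Linux UBI media layout (ubi-media.h).
UBI_EC_HDR_MAGIC, UBI_VID_HDR_MAGIC = 0x55424923, 0x55424921   # "UBI#", "UBI!"
UBI_VID_STATIC = 2               # vol_type: 1 = dynamic, 2 = static
HDR_SIZE, CRC_SIZE = 64, 60      # both headers are 64 bytes; hdr_crc covers the first 60
EC_HDR_FMT = ">IB3xQIII32xI"     # magic, version, ec, vid_hdr_offset, data_offset, image_seq, hdr_crc
VID_HDR_FMT = ">IBBBBII4xIIII4xQ12xI"  # magic, version, vol_type, copy_flag, compat, vol_id, lnum,
                                       # data_size, used_ebs, data_pad, data_crc, sqnum, hdr_crc

def ubi_crc32(buf):
    """UBI CRC-32: IEEE polynomial, init 0xFFFFFFFF, no final inversion (complement of zlib's)."""
    return zlib.crc32(buf) ^ 0xFFFFFFFF

def parse_ec_hdr(peb):
    """Erase-counter header at offset 0; None for an erased PEB or non-UBI data."""
    raw = peb[:HDR_SIZE]
    if len(raw) < HDR_SIZE or raw == b"\xff" * HDR_SIZE or struct.unpack_from(">I", raw)[0] != UBI_EC_HDR_MAGIC:
        return None
    _, _version, ec, vid_off, data_off, _image_seq, crc = struct.unpack(EC_HDR_FMT, raw)
    return {"ec": ec, "vid_hdr_offset": vid_off, "data_offset": data_off, "crc_ok": crc == ubi_crc32(raw[:CRC_SIZE])}

def parse_vid_hdr(peb, vid_off):
    """Volume-ID header; None when the PEB has no volume mapping (free PEB)."""
    raw = peb[vid_off:vid_off + HDR_SIZE]
    if len(raw) < HDR_SIZE or raw == b"\xff" * HDR_SIZE or struct.unpack_from(">I", raw)[0] != UBI_VID_HDR_MAGIC:
        return None
    (_, _version, vol_type, _copy_flag, _compat, vol_id, lnum, data_size,
     _used_ebs, _data_pad, data_crc, sqnum, crc) = struct.unpack(VID_HDR_FMT, raw)
    return {"vol_type": vol_type, "vol_id": vol_id, "lnum": lnum, "data_size": data_size,
            "data_crc": data_crc, "sqnum": sqnum, "crc_ok": crc == ubi_crc32(raw[:CRC_SIZE])}

def scan_image(image, peb_size):
    """Device level: classify each physical erase block (PEB) and extract its payload."""
    pebs = []
    for pnum in range(len(image) // peb_size):
        peb = image[pnum * peb_size:(pnum + 1) * peb_size]
        rec = {"pnum": pnum, "ec": parse_ec_hdr(peb), "vid": None, "data": b""}
        if rec["ec"] is None:
            rec["status"] = "erased_or_unknown"
        elif not rec["ec"]["crc_ok"]:
            rec["status"] = "bad_ec_crc"
        elif (vid := parse_vid_hdr(peb, rec["ec"]["vid_hdr_offset"])) is None:
            rec["status"] = "free"
        elif not vid["crc_ok"]:
            rec["status"] = "bad_vid_crc"
        else:
            data = peb[rec["ec"]["data_offset"]:]
            if vid["vol_type"] == UBI_VID_STATIC:   # static volumes record the exact payload size
                data = data[:vid["data_size"]]
            rec.update(status="mapped", vid=vid, data=data)
        pebs.append(rec)
    return pebs

def reassemble_volumes(pebs):
    """Volume level: {vol_id: {lnum: payload}} using the highest sqnum per LEB. UBI updates
    LEBs out of place, so superseded PEBs keep old content until erased: returned as 'stale'."""
    current, stale = {}, []
    for rec in (p for p in pebs if p["status"] == "mapped"):
        key = (rec["vid"]["vol_id"], rec["vid"]["lnum"])
        prev = current.get(key)
        if prev is None or rec["vid"]["sqnum"] > prev["vid"]["sqnum"]:
            current[key] = rec
            if prev is not None:
                stale.append(prev)
        else:
            stale.append(rec)
    volumes = {}
    for (vol_id, lnum), rec in current.items():
        volumes.setdefault(vol_id, {})[lnum] = rec["data"]
    return volumes, stale

# Constructed geometry (hypothetical): 1 KiB PEBs with header offsets 64/128; real NAND
# images place the VID header and the data area on page boundaries (e.g. 2048/4096).
PEB_SIZE, VID_OFF, DATA_OFF = 1024, 64, 128

def make_peb(vol_id=None, lnum=0, sqnum=0, payload=b"", corrupt_vid=False):
    peb = bytearray(b"\xff" * PEB_SIZE)
    ec = struct.pack(EC_HDR_FMT, UBI_EC_HDR_MAGIC, 1, 1, VID_OFF, DATA_OFF, 0x1234, 0)[:CRC_SIZE]
    peb[:HDR_SIZE] = ec + struct.pack(">I", ubi_crc32(ec))
    if vol_id is not None:                     # a free PEB carries only the EC header
        vid = struct.pack(VID_HDR_FMT, UBI_VID_HDR_MAGIC, 1, UBI_VID_STATIC, 0, 0, vol_id, lnum,
                          len(payload), 1, 0, ubi_crc32(payload), sqnum, 0)[:CRC_SIZE]
        crc = ubi_crc32(vid) ^ (0xDEADBEEF if corrupt_vid else 0)   # optionally damage hdr_crc
        peb[VID_OFF:VID_OFF + HDR_SIZE] = vid + struct.pack(">I", crc)
        peb[DATA_OFF:DATA_OFF + len(payload)] = payload
    return bytes(peb)

def build_sample_image():
    """Constructed dump: LEB0 written twice (PEB 2 supersedes PEB 0), LEB1, erased, free, bad VID CRC."""
    return b"".join([
        make_peb(0, 0, sqnum=1, payload=b"LEB0 v1: old content"),
        make_peb(0, 1, sqnum=2, payload=b"LEB1"),
        make_peb(0, 0, sqnum=5, payload=b"LEB0 v2: current content"),
        b"\xff" * PEB_SIZE,
        make_peb(),
        make_peb(0, 2, sqnum=3, payload=b"LEB2", corrupt_vid=True),
    ])
```

Running `scan_image(build_sample_image(), PEB_SIZE)` and then `reassemble_volumes` on the result classifies three PEBs as mapped, one as erased, one as free and one as having a bad VID CRC; volume 0 reassembles to the second version of LEB0 plus LEB1, while PEB 0 is reported as stale with the earlier LEB0 content. A bad-CRC PEB is deliberately kept out of the volume rather than silently trusted, and the stale list is what a UBIFS-level parser (index, directory entries, journal) would mine for superseded nodes.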

Source journal metrics: CiteScore 5.90; self-citation rate 15.00%; 87 articles published; review time 76 days.