Sift Workstation
1. Introduction
2.3 Acquisition
2.4 Examination
2.5 Analysis
2.6 Reporting
3. Learning outcomes
4. Lab Setup
6. References
1. Introduction
With the advancement of technology, mobile phones have become part of criminal activity committed all over the world, and the analysis of the data held on them is crucial to the investigation of those crimes. This paper introduces the digital forensics model and demonstrates how to use the SIFT workstation to acquire and examine an Android phone.
A digital forensics model is the methodology used to uncover digital artifacts that can be relied on in a court of law as evidence against cybercrime offenders. The model defines the procedure that forensic examiners must follow.
2.4 Examination
In the digital forensics process, the examination phase is the most important and the most laborious one for the professional. NIST advises that a copy of all information gathered in the collection phase be made and worked on, so that the original evidence is never altered and its integrity is preserved. During examination the examiner extracts, locates and filters the information found, so that only the information that will really help in solving the crime remains. The examiner must go through the devices found during collection and extract the files that were used in the crime, or that were deliberately excluded or hidden. This filtering is important because it speeds up the rest of the examination.
2.5 Analysis
The analysis examines the collected information in search of evidence, so that at the end of the process a conclusion about the crime that originated the investigation can be formulated. All sources of information should be investigated, so that criminal practices by the suspect or suspects can be identified.
It is important to recognize the way in which the criminal acted. This is essential for the efficiency of the analysis stage, since it gives the expert a better ability to recognize evidence in the collected material and to draw a specific line of investigation.
After extracting the data understood to be important to the investigation, the examiner must rely on their own knowledge to interpret the information, identify suspects, places and events, and observe the relationships between them. It is usually necessary to correlate information from several different sources. Care is needed at this stage, because the quality of the result depends on the examiner's knowledge and a mistake here propagates into the conclusions.
2.6 Reporting
The last step of the investigation is the preparation of a report in which the expert is free to describe the incident, since the expert is solely responsible for the document and everything written in it. There is no standard template for the report, only guidelines for its preparation, and it must be written as clearly as possible so that it is easy to understand.
3. Learning outcomes
The following are the benefits of working through this paper:
4. Lab Setup
VirtualBox Installation
This section details the steps to be taken to set up a forensic lab. The paper first gives the procedure for setting up VirtualBox, an open-source hypervisor.
It then follows with the setup of the SIFT toolkit, an open-source collection of forensic tools. The SIFT workstation is a preconfigured virtual appliance, built on Ubuntu, that contains all the tools needed to perform a forensic examination.
Finally, the paper describes how the SANS SIFT toolkit can be used for mobile forensics.
Step 1:
Go to https://www.virtualbox.org/; you will see a button named "Download VirtualBox 6.1". Click on it.
Step 2:
Once you click on the package for your host operating system, the download starts automatically. When it is complete, locate the downloaded file in your download folder.
Step 4:
Double-click the file and click Install. When the computer prompts for installation permission, click Run.
Step 5:
The following window opens; leave everything at the default settings and click Next.
Step 7:
Choose your preferences, such as creating a desktop icon, make sure "Register file associations" is ticked, and click Next.
Step 8:
The following window warns that the installation will reset the network connection; click Yes, since this is needed.
Step 9:
An install window appears as shown below; click Install.
Step 10:
The installation begins; be patient, as it takes some time.
Step 11:
The following window indicates that the installation is complete; click Finish.
4.2 SIFT Install & Configuration
Now that VirtualBox is installed, we can install the SIFT Workstation.
The following registration page opens; enter your details and click Join.
Once you join, the download link is sent to your email. Click on the link and the following page opens. The registration gives you access to SANS white papers and open-source tools. Enter your details and click Login.
Once logged in, click on Digital Forensics and Incident Response; the following window opens. Click on Download Now.
In the window that opens, click on the download arrow and then on sift-workstation.ova.
The download starts; the file is 4.7 GB, so be patient.
Once the download is finished, you can find the file in your download location.
The following window opens, displaying the features of the appliance to be imported. Click on Import.
The import starts; be patient, as it takes some time.
Once the import is complete, click on the SIFT workstation in VirtualBox to start it.
Login: sansforensics
Password: forensics
The host operating system will indicate that it is setting up the device. Once that is done, follow the procedure below.
While in the SIFT workstation, click on the Devices menu, then on USB, and choose the device as shown below.
Once you click on it, the device is attached to the virtual machine, and after a successful attach a phone icon appears on the task bar as shown below.
4.4 ADB Connection
Android Debug Bridge (ADB) is the tool that allows communication with Android devices through a shell. It allows the device's directories to be traversed, files to be pushed to the device, files to be retrieved from the device, and backups of the device's directories and files to be taken. The ADB connection consists of three components: a client, a daemon (running on the device) and a server.
Some of the ADB commands are used below to demonstrate the objective of the lab.
To start working with the commands, open a terminal in the SIFT workstation.
Enter the adb devices command to list the connected ADB devices; it shows that the device is available, as shown below.
adb shell command
The adb shell command is used to connect to a device. Since only one device is listed, we used the adb command directly; if several devices are listed, you must specify the serial of the device to connect to (adb -s <serial> shell).
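The device selection step above is where an examiner most often trips up: with an emulator and a phone attached at the same time, a bare adb shell fails, and a phone that has not yet accepted the workstation's debugging key shows up as "unauthorized" rather than "device". The following script, added here as an example and not taken from the paper or from SIFT, parses the output of adb devices -l (the sample text is constructed; the serials are made up) and builds an explicit adb -s <serial> command for the first usable physical device.

```python
"""Parse `adb devices -l` output and pick the device to examine.

Added example (not from the original paper). SAMPLE_OUTPUT is constructed
to match the shape adb prints; every serial in it is made up.
"""
import shlex
from dataclasses import dataclass

# Constructed sample; real `adb devices -l` output has the same layout.
SAMPLE_OUTPUT = """List of devices attached
0123456789ABCDEF       device usb:1-1 product:W3 model:TECNO_W3 device:W3 transport_id:1
emulator-5554          device product:sdk_phone_x86 model:Android_SDK_built_for_x86 device:generic_x86 transport_id:2
FEDCBA9876543210       unauthorized usb:1-2 transport_id:3
"""


@dataclass
class AdbDevice:
    serial: str
    state: str   # "device", "unauthorized", "offline", ...
    props: dict  # key:value fields printed by -l (model, product, ...)

    @property
    def usable(self) -> bool:
        # Only "device" accepts shell/pull. "unauthorized" means the phone has
        # not accepted the workstation's RSA key; "offline" means no live link.
        return self.state == "device"


def parse_adb_devices(text: str) -> list:
    devices = []
    for line in text.splitlines():
        line = line.strip()
        # Skip the header and any "* daemon started successfully" notices.
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        fields = line.split()
        serial, state, rest = fields[0], fields[1], fields[2:]
        props = dict(f.split(":", 1) for f in rest if ":" in f)
        devices.append(AdbDevice(serial, state, props))
    return devices


def shell_argv(device: AdbDevice, *cmd: str) -> list:
    """Build an explicit `adb -s <serial> shell ...` argv.

    Naming the serial avoids the "more than one device/emulator" error and,
    more importantly, guarantees the command reaches the evidence device and
    not an emulator that happens to be running alongside it.
    """
    if not device.usable:
        raise RuntimeError(f"{device.serial} is {device.state}, not usable")
    return ["adb", "-s", device.serial, "shell", *cmd]


def pick_physical_device(devices: list) -> AdbDevice:
    """Prefer a usable USB-attached phone over any emulator."""
    phones = [d for d in devices if d.usable and not d.serial.startswith("emulator-")]
    if not phones:
        raise RuntimeError("no usable physical device attached")
    return phones[0]


if __name__ == "__main__":
    devs = parse_adb_devices(SAMPLE_OUTPUT)
    for d in devs:
        print(f"{d.serial:20} {d.state:12} model={d.props.get('model', '?')}")
    target = pick_physical_device(devs)
    print(shlex.join(shell_argv(target, "ls", "/data/data")))
```

On a real workstation, replace SAMPLE_OUTPUT with the text of subprocess.run(["adb", "devices", "-l"], capture_output=True, text=True).stdout; the parsing does not change.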
4.5 Android Device Directory Structure
This section discusses the structure of the Android operating system and shows how it is laid out by listing it through adb shell.
adb shell
shell@TECNO-W3:/ $ ls
acct
cache
charger
config
custom
d
data
default.prop
dev
enableswap.sh
etc
factory_init.project.rc
factory_init.rc
file_contexts
fstab.mt6580
init
init.aee.rc
init.common_svc.rc
init.environ.rc
init.lovelyfonts.rc
init.modem.rc
init.mt6580.rc
init.mt6580.usb.rc
init.nvdata.rc
init.project.rc
init.rc
init.trace.rc
init.usb.rc
init.xlog.rc
init.zygote32.rc
meta_init.modem.rc
meta_init.project.rc
meta_init.rc
mnt
nvdata
oem
persist
proc
property_contexts
protect_f
protect_s
Since the phone is not rooted, I can't access the root files and hence I have to use an Android emulator.
The Android emulator needs an Android Virtual Device (AVD), which is the device configuration that gets emulated. To create the AVD, we launch the SDK manager with the following command:
~/android-sdks/tools/android
Once the SDK archive has been extracted, change into the tools directory inside it from the terminal.
Start the Android emulator by entering the following commands; chmod makes the file executable.
Once the SDK packages have downloaded, click on Tools and create a device.
Click on OK.
To start the emulator, select the device in the AVD manager and click on Start.
Launch options are displayed as shown below; just select the defaults.
The emulator launch process starts as shown below.
After a successful launch, the device is powered on as shown below.
To get superuser privileges, use su so that access to the root files is not denied.
4.7 File Extraction & Uploading – File System Acquisition
Having obtained a shell and root access, this section describes the parts of the Android file structure that matter to a forensic investigator.
Use the ls command to view the file systems. The root of the Android file structure is listed below.
The following folders are the important ones for the forensic examiner:
• dev – the device files available to the installed applications; it contains the global device files accessible by all applications and a mount point for the temporary file system.
• acct – mount point for the acct control group, which provides user accounting.
• cache – frequently used data is stored here, just as on common OSs, to save access time, so it may contain personal information recently accessed by apps, files, images or browser viewing information. It also contains a "lost+found" folder holding recovered files.
• data – general data belonging to the installed applications.
• data/data – a subfolder of data that contains each application's private user information, the kind of information that is worth investigating.
• mnt – the mount point for all media, internal and external, such as SD cards and external HDDs connected via OTG.
• sbin – binaries for all of the system's main daemons are contained in this folder.
• system – the vendor's preinstalled apps are contained in this folder, along with the system libraries and binaries.
The folders can be navigated with the usual Linux commands: cd to change into a directory, ls to list its contents and cp to copy files.
The folder /data/data is the area of concern for a forensic examiner investigating Android phones. It stores the private user data created by applications, and by examining it the examiner can obtain browser details, contacts, emails, messages and camera data.
The above lists the private user data; we will be checking the messages and contacts.
When you cd into the databases directory you will see contacts2.db, calllog.db and profile.db.
profile.db contains the phone owner's details, while contacts2.db shows the contacts we created and calllog.db
4.8 Logical Acquisition
For logical acquisition we first have to find where the device's data lives in the file system, using the "mount" command.
The block devices are listed as shown below; the data partition lives on /dev/block/vdc.
df can be used to check the space occupied by each block device, as in the following screenshot.
Once this is done, type exit to leave the adb shell.
The adb pull command lets the forensic examiner copy folders and files to the forensic workstation for further analysis. Logical acquisition consists of opening the pulled files through the file browser.
We used the adb pull command as shown below to extract the data partition to the desktop of the forensic workstation.
The directory has been pulled as shown above.
The database files can be opened with the SQLite browser tool: right-click on a file and choose Open With. The database tables look like this.
Query the messages table and the messages are displayed as below.
Available partitions (screenshot)
TCP port 8888 was used to open a route between the SIFT workstation and the phone.
The forensic workstation then connected to the phone over that port, and the dd command was used to stream the phone's data into the output file android.dd.
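A dd image streamed over a TCP connection is only evidence if it is complete and its hash is recorded, and the phone's own partition table is the reference for how many bytes should have arrived. The following script, added here as an example and not taken from the paper or from SIFT, parses a /proc/partitions listing (constructed sample, with device names mirroring the paper's vdc), checks a received android.dd against the reported size, hashes it in chunks, and carves a sector range out of the full image, which is how a single partition is extracted from a whole-disk dump. The 64 KiB image it works on is constructed in a temporary directory.

```python
"""Check a received dd image against the phone's partition sizes and carve
a sector range out of it.

Added example (not from the paper). The /proc/partitions text and the disk
image are constructed here; the device names mirror the paper's /dev/block/vdc.
"""
import hashlib
import os
import tempfile

SECTOR = 512

# Constructed sample in the real /proc/partitions layout (#blocks is in 1 KiB units).
SAMPLE_PROC_PARTITIONS = """major minor  #blocks  name

 253        0      65536 vda
 253       16      32768 vdb
 253       32         64 vdc
"""


def parse_proc_partitions(text: str) -> dict:
    """Return {device name: size in bytes} from /proc/partitions text."""
    sizes = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit():
            sizes[parts[3]] = int(parts[2]) * 1024
    return sizes


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Chunked hash so multi-gigabyte images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path: str, expected_bytes: int) -> dict:
    """A size mismatch means dd stopped early or the TCP stream was cut."""
    size = os.path.getsize(path)
    return {"path": path, "bytes": size, "expected": expected_bytes,
            "complete": size == expected_bytes, "sha256": sha256_file(path)}


def carve(image: str, out: str, start_sector: int, sector_count: int) -> str:
    """Copy sectors [start, start+count) from image to out; return out's sha256."""
    remaining = sector_count * SECTOR
    with open(image, "rb") as src, open(out, "wb") as dst:
        src.seek(start_sector * SECTOR)
        while remaining:
            block = src.read(min(remaining, 1 << 20))
            if not block:
                raise EOFError("image is shorter than the requested sector range")
            dst.write(block)
            remaining -= len(block)
    return sha256_file(out)


def demo(directory: str) -> dict:
    """Build a constructed 64 KiB 'vdc' image, verify it, carve sectors 8..23."""
    sizes = parse_proc_partitions(SAMPLE_PROC_PARTITIONS)
    image = os.path.join(directory, "android.dd")
    with open(image, "wb") as f:
        for i in range(sizes["vdc"] // SECTOR):
            f.write(bytes([i & 0xFF]) * SECTOR)  # sector i is filled with byte i
    report = verify_image(image, sizes["vdc"])
    part = os.path.join(directory, "vdc_part.dd")
    report["carved_sha256"] = carve(image, part, 8, 16)
    with open(part, "rb") as f:
        data = f.read()
    # The carved slice must be exactly sectors 8..23 of the constructed image.
    report["carved_ok"] = (len(data) == 16 * SECTOR
                           and data[:SECTOR] == b"\x08" * SECTOR
                           and data[-SECTOR:] == b"\x17" * SECTOR)
    return report


def demo_in_tempdir() -> dict:
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    r = demo_in_tempdir()
    print(f"{r['bytes']}/{r['expected']} bytes received, complete={r['complete']}")
    print("sha256:", r["sha256"])
```

On a real acquisition, save the phone's /proc/partitions output alongside android.dd, run verify_image against the block device that was imaged, and record the returned hash in the acquisition notes before any tool opens the image.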
5. Conclusion
The SIFT workstation is an open-source forensic workstation containing a collection of forensic tools. As shown in this paper, the SIFT toolkit can be used to acquire and analyse an Android phone just as commercial tools can. Through this practical exercise we were able to understand the Android file architecture, the tools and the forensic process. The paper presented a logical and a physical extraction of data from an Android phone, followed by analysis of the data. With the SIFT toolkit, forensic examiners have a freely available tool with which to extract and examine data for further investigation.