Jesse Kornblum's Research

This page is dedicated to my research in computer forensics and computer security. If you think you're in the wrong place, you may be looking for my personal web site instead.

Papers

I have published both refereed and conference papers.

Refereed Papers

J. Kornblum,
Auditing Hash Sets: Lessons Learned from Jurassic Park,
Journal of Digital Forensic Practice, 2008

Auditing a set of cryptographic hashes allows a forensic examiner to determine the state of a target directory as compared to those hashes. Unlike traditional hash comparison methods, an audit takes into account all of the files in the target directory and their relative paths. Not taking these data into account can impair examinations and tool certifications. An audit examines each file in the target directory, computes its hash, and compares it to a file containing the known hash values. Any file not in the set of known hashes is flagged as being inserted. When all of the files in the target directory have been examined, any known hashes that have not been matched are flagged as being missing. The result is a complete picture comparing the set of known hashes and the target directory.
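The audit procedure described in the abstract, worked through as an added example (not code from the paper or from any of the author's tools): known hashes are read from sha256sum-style lines, every file under the target directory is hashed, and (relative path, hash) pairs are compared in both directions so that inserted and missing entries are both reported. The directory contents and the known-hash list are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Hash one file in 64 KiB chunks so large evidence files are never fully loaded into memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_known_hashes(text: str) -> set:
    """Parse sha256sum-style 'hexdigest  relative/path' lines into (path, hash) pairs; the path is part of the key."""
    known = set()
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            digest, rel_path = line.split(None, 1)
            known.add((Path(rel_path.strip()).as_posix(), digest.lower()))
    return known

def audit(target_dir: Path, known: set, algorithm: str = "sha256") -> dict:
    """Examine every file under target_dir and compare its (relative path, hash) pair with the known set."""
    observed = {(p.relative_to(target_dir).as_posix(), hash_file(p, algorithm))
                for p in target_dir.rglob("*") if p.is_file()}
    # An altered file shows up twice: its new hash is "inserted", its unmatched known hash is "missing".
    return {
        "matched": sorted(observed & known),
        "inserted": sorted(observed - known),  # on disk, but not in the known set
        "missing": sorted(known - observed),   # in the known set, but not found on disk
    }

def demo() -> dict:
    """Constructed sample: one unchanged file, one altered file, one new file, one deleted file."""
    ls_data, passwd_known = b"original ls binary\n", b"root:x:0:0:root:/root:/bin/sh\n"
    known = parse_known_hashes(
        f"{hashlib.sha256(ls_data).hexdigest()}  bin/ls\n"
        f"{hashlib.sha256(passwd_known).hexdigest()}  etc/passwd\n"
        f"{hashlib.sha256(b'auth log that has since been deleted').hexdigest()}  var/log/auth.log\n"
    )
    on_disk = {  # var/log/auth.log is intentionally absent from the target directory
        "bin/ls": ls_data,                                             # unchanged
        "etc/passwd": passwd_known + b"backdoor:x:0:0::/:/bin/sh\n",   # altered
        "tmp.bin": b"file that was never in the known set\n",          # new
    }
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp)
        for rel, data in on_disk.items():
            (target / rel).parent.mkdir(parents=True, exist_ok=True)
            (target / rel).write_bytes(data)
        return audit(target, known)
```

Running `demo()` reports bin/ls as matched, etc/passwd and tmp.bin as inserted, and etc/passwd (old hash) and var/log/auth.log as missing.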

E. Libster and J. Kornblum,
A Proposal for an Integrated Memory Acquisition Mechanism,
Operating Systems Review, 42(3):14-20, April 2008

Volatile memory forensics has become increasingly prominent in forensic analysis and incident response. Unfortunately, there is currently no forensically sound method of acquiring an image of a system's memory without attaching specialized hardware. This paper proposes the addition of a memory acquisition mechanism to the operating system, thereby removing the need to load an external program. The method minimizes the acquisition's impact on the system's state, as well as making it more difficult for malicious programs to avoid detection or interfere with the memory dump. The risks of allowing a full memory capture and some considerations on how this method would interact with rootkits are also discussed.

J. Kornblum,
Using Every Part of the Buffalo in Windows Memory Analysis
Digital Investigation, 4(1):24-29, March 2007

All Windows memory analysis techniques depend on the examiner's ability to translate the virtual addresses used by programs and operating system components into the true locations of data in a memory image. In some memory images up to 20% of all the virtual addresses in use point to so called "invalid" pages that cannot be found using a naive method for address translation. This paper explains virtual address translation, enumerates the different states of invalid memory pages, and presents a more robust strategy for address translation. This new method incorporates invalid pages and even the paging file to greatly increase the completeness of the analysis. By using every available page, every part of the buffalo as it were, the examiner can better recreate the state of the machine as it existed at the time of imaging.

J. Kornblum,
Exploiting the Rootkit Paradox with Windows Memory Analysis
International Journal of Digital Evidence, 5(1), Fall 2006.

Rootkits are malicious programs that silently subvert an operating system to hide an intruder's activities. Although there are a number of tools designed to detect rootkits, these programs are competing with the rootkit for system resources and allowing the rootkit to actively evade detection. By taking a memory image of the system, a forensic examiner can conduct a more thorough search for rootkits and even without discovering one directly, infer the presence of one. This paper explores how an examiner can create such a memory image and use the inherent properties of rootkits to find them in those memory images.

B. Carrier, E. Casey, S. Garfinkel, J. Kornblum, C. Hosmer, M. Rogers, and P. Turner,
Standardizing Digital Evidence Storage
Communications of the ACM, February 2006.

Investigators have an increasing need to share digital evidence between different organizations and analysis tools. But today's investigators are hindered by a variety of independently developed and incompatible formats used to store digital evidence. Problems arise when dealing with different disk image formats, and the difficulties are exacerbated when dealing with diverse kinds of evidence, such as network logs and the contents of mobile devices. Without standards that are both open and technically sound, the risk is that evidence may be lost, cases may be compromised, and innocent people may be improperly convicted or guilty parties let free.

J. Kornblum,
The Linux Kernel and the Forensic Acquisition of Hard Disks with an Odd Number of Sectors
International Journal of Digital Evidence, 3(2), Fall 2004.

No official version of the Linux kernel, up through and including version 2.4, allowed a user land process to access the last sector of a hard disk or hard disk partition with an odd number of sectors. Although the inability to access this last sector did not affect normal operation of the system, it did prevent the complete forensic acquisition of such a disk. The author repeats an earlier experiment to verify the issue in version 2.4 of the kernel and then shows that the issue has been resolved in version 2.6. Systems using version 2.6 of the Linux kernel can completely forensically acquire disks or partitions with an odd number of sectors.

Conference Papers

J. Kornblum,
Using JPEG Quantization Tables to Identify Imagery Processed by Software
Digital Investigation, 5(S):21-25, Proceedings of the Digital Forensic Workshop, August 2008.

The quantization tables used for JPEG compression can also be used to help separate images that have been processed by software from those that have not. This loose classification is sufficient to greatly reduce the number of images an examiner must consider during an investigation. As illicit imagery prosecutions depend on the authenticity of the images involved, this capability is an advantage for forensic examiners. This paper explains how quantization tables work, how they can be used for image source identification, and the implications for computer forensics.

J. Kornblum,
Identifying Almost Identical Files Using Context Triggered Piecewise Hashing
Digital Investigation, 3(S):91-97, Proceedings of the Digital Forensic Workshop, August 2006.

Homologous files share identical sets of bits in the same order. Because such files are not completely identical, traditional techniques such as cryptographic hashing cannot be used to identify them. This paper introduces a new technique for constructing hash signatures by combining a number of traditional hashes whose boundaries are determined by the context of the input. These signatures can be used to identify modified versions of known files even if data has been inserted, modified, or deleted in the new files. The description of this method is followed by a brief analysis of its performance and some sample applications to computer forensics.

J. Kornblum,
Preservation of Fragile Digital Evidence by First Responders
Digital Forensic Research Workshop, Syracuse, NY, August 2002.

The nature of computer based evidence makes it inherently fragile. Data can be erased or changed without a trace, impeding an investigator's job to find the truth. The efforts of first responders are critical to ensure that the evidence is gathered and preserved in a simple, secure, and forensically sound manner. This paper describes the challenges first responders face and some strategies for dealing with them. As an example, the paper also details a sample tool for first responders to incidents on Windows based computers.

Presentations

Here are the slides I've used in some of my presentations:
