Documente Academic
Documente Profesional
Documente Cultură
2016
Narasimha Shashidhar
Sam Houston State University
Recommended Citation
Olson, Eric and Shashidhar, Narasimha (2016) "Low Budget Forensic Drive Imaging Using Arm Based Single Board Computers,"
Journal of Digital Forensics, Security and Law: Vol. 11 : No. 1 , Article 3.
DOI: https://doi.org/10.15394/jdfsl.2016.1373
Available at: https://commons.erau.edu/jdfsl/vol11/iss1/3
This Article is brought to you for free and open access by the Journals at
Scholarly Commons. It has been accepted for inclusion in Journal of Digital
Forensics, Security and Law by an authorized administrator of Scholarly
Commons. For more information, please contact commons@erau.edu.
(c)ADFSL
Low Budget Forensic Drive Imaging Using Arm-Based Single Board … JDFSL V11N1
Eric Olson
Department of Computer Science
Sam Houston State University
Huntsville, Texas
ero003@shsu.edu
Narasimha Shashidhar
Department of Computer Science
Sam Houston State University
Huntsville, Texas
karpoor@shsu.edu
ABSTRACT
Traditional forensic analysis of hard disks and external media typically involves a “dead analysis”
of a powered down machine. Forensic acquisition of hard drives and external media has
traditionally been accomplished by one of several means: standalone forensic duplicator; using a
hardware write-blocker or dock attached to a laptop, computer, workstation, etc.; forensic
operating systems that live boot from a USB, CD/DVD or virtual machines with preinstalled
operating systems. Standalone forensics acquisition and imaging devices generally cost thousands
of dollars. In this paper, we propose the use of single board computers as forensic imaging devices.
Single board computers can provide a low budget forensic imaging solution that can be used in a
lab, remote acquisition, or even be configured as portable imaging devices. This project tests
different ARM processor based single board computers and the software available at the present
time. The project includes image acquisition using a write-blocker, software write-blockers and
without write-blockers to test the various configurations. The final results demonstrate clearly
that ARM-based single board computers can serve as effective, low cost and low energy forensic
imaging devices.
Keywords: Forensic Imaging; Forensic Acquisition; Single Board Computers; Low Budget Digital
Forensics
Table 1
Single Board Computers Used for Testing
Full Testing Process Included in Acquisition Speeds Over Network
Raspberry Pi 2 ($29) Odroid XU4 ($74) Banana Pro ($40) Odroid C2 ($40)
900MHz quad-core ARM® Samsung Exynos5422 ARM® Cortex™-A7 Dual- Amlogic ARM®
Cortex-A7 Cortex™-A15 2Ghz, Core Cortex®- A53(ARMv8)
1GB RAM Cortex™-A7 Octa core 1GB DDR3 SDRAM 2Ghz quad core CPUs (64
4 x USB 2.0 ports 2Gbyte LPDDR3 RAM SATA 2.0 / 2 x USB 2.0 bit)
HDMI display port 2 x USB 3.0 / 1 x USB 2.0 MicroSD card 2GB DDR3 SDRAM
Ethernet 10/100 MicroSD card Gigabit Ethernet port 4 x USB 2.0 ports
Micro SD card Gigabit Ethernet port HDMI display port Gigabit Ethernet port
5V @ 2A MicroUSB HDMI display port 5V @ 2A MicroUSB HDMI display port
5V @ 4A MicroUSB MicroSD or eMMC flash
5V @ 2A MicroUSB
250 GB 3.5” IDE Maxtor (failed with a 3.0 cable and with the write block
head crash) switch on.
60 GB 2.5” IDE Toshiba (used for 2. Take a bit-stream image (dd) and
testing) expert witness format (e01) image of
160 GB 2.5” SATA II Western Digital the storage device attached to the
(used for testing) forensic workstation with a software
120 GB 2.5” SATA III SSD SanDisk write blocker. To further verify
(used for testing) software write blocking a Vantec
Nexstar SATA/IDE adapter is used
The hard drives below were used for that attaches via a USB 3.0 cable.
testing and storage purposes. This also allows for multiple devices to
1 TB 2.5” USB 3.0 Western Digital be run at once using hardware or
2 TB 2.5” USB 3.0 Seagate software write blocking
5 TB 3.5” USB 3.0 Seagate 3. Take a bit-stream image (dd) and
expert witness format (e01) image of
TESTING the storage device attached to the
FRAMEWORK device without using a hardware or
software write blocker. If the hash of
The testing framework was revised and closely the image changed from the original
follows the guidelines stated in (Carlton, 2014) verified result the original image was
with additional acquisition formats while loaded back onto the source drive for
including the ARM-based devices. As outlined use on the next device and verified.
in (Carlton, 2014) the testing process includes 4. Compare disk image results and
these steps with modifications. acquisition speed/time findings.
First, known data sets are prepared and At the end of testing all raw images are
written to verified wiped storage devices. verified using FTK Imager and e01 files further
After the data sets are prepared, the files are verified using Encase Imager.
hashed and the disk is hashed using Sumuri
Paladin. All hardware write-blocked and DEVICE AND
software write-blocked images were acquired SOFTWARE SETUP
first through Paladin with verified hashes.
Sumuri Paladin is not available for ARM
Each acquisition was first performed in based devices as it is only available for 32 or
Paladin (USB boot), followed by Windows 10 64 bit x86 devices. Windows only appears to
with FTK Imager. The process is then be available as a limited operating system such
repeated using the Odroid XU4 and the as Windows IoT for the internet of things and
Raspberry Pi 2 using dc3dd and ewfacquire. is not a full Windows OS at this time. There
The drives that are acquired are attached via are a multitude of Linux distributions available
USB cables and the following process is used: but Kali Linux was used on the Hardkernel
1. Take a bit-stream image (dd) and Odroid XU4 and Raspberry Pi 2 due to the
expert witness format (e01) image of ease of installing the forensic meta-packages.
the storage device attached to the
Sumuri Paladin (Version
device with a hardware write blocker.
6.08)
The hardware write blocker is the
CoolGear model that attaches via USB
Sumuri Paladin (Sumuri, 2016) was chosen as the images were loaded to the SD card using
the initial forensic acquisition operating system Win32DiskImager. This process could have
and hash verification tool. Paladin is also used dd/dc3dd to push the images to the
considered a forensically sound operating SD card in Linux.
system that can be booted into via a USB flash
During the first boot of Kali Linux an error
drive and is often used by law enforcement. It
regarding file permissions was encountered on
is available for free, or by donation, and can be
the Odroid XU4 and later on during the boot
downloaded from Sumuri’s website (Sumuri,
process of the Raspberry Pi 2. The devices
2016). Paladin was installed to a USB flash
refused to boot after this error and we fixed
drive using Universal USB Installer on
this with the following process:
Windows 10. The laptop was then booted from
the USB drive with Paladin installed and On the Raspberry Pi the file is called
forensics mode was chosen. Paladin has a commandline.txt and on the Odroid
utility labeled “Paladin Toolbox” which can be XU4 it is called boot.ini. After the
used for a variety of forensic tasks including following line “root=/dev/mmcblk0p2
imaging. Paladin Toolbox was used for this rootwait” there was a “ro” for read-only.
research and has the ability to output two This was changed to “rw” for read-write
different image formats at once. and the systems booted properly
(odroid XU4 with Kali 2, read only file
Windows 10 & FTK Imager system, 2015).
(Version 3.4.2.2)
After the first boot the following
FTK imager (AccessData, 2016) and Encase commands were issued through a terminal in
Forensic Imager (Guidance Software, 2016) are Kali Linux on the Odroid XU4 and Raspberry
considered forensically sound and have been Pi 2 (Kali Linux Official Documentation - Kali
used widely by law enforcement as well as Linux - Raspberry Pi, n.d.).
tested by NIST. This project tests the images
The default password and SSH keys were
acquired and compares the hashes to test the
changed using the following commands (default
forensic capabilities of the implemented
user is root and default password is toor)
software and hardware. Only FTK Imager is
used as the free version of Encase imager does sudo passwd
not include options for raw bit-stream images. rm /etc/ssh/ssh_host_*
FTK Imager is free, downloaded from dpkg-reconfigure openssh-server service
AccessData’s website (AccessData, 2016) and ssh restart
installed in Microsoft Windows by running the
The packages and software were updated
executable. FTK Imager outputs one image at
by using the following commands:
a time and the process is repeated using raw
(dd) and e01 formats as output. sudo apt-get update && sudo apt-get
dist-upgrade
Kali Linux (Version 2016.1 /
2.1.2) The Kali Linux forensic packages
(including dc3dd and ewfacquire) were
The Odroid XU4 and Raspberry Pi 2 Kali installed by entering the following:
Linux images were downloaded from Offensive
Security’s website (Offensive Security, 2016) 5. sudo apt-get install kali-linux-forensic.
and then unzipped. The SD Cards were
formatted as FAT32 using SDFormatter and
This process can take some time on the (DCCI), 2016) but DCFLDD is not listed on
Raspberry Pi 2 and significantly less time on the DC3 website.
the Odroid XU4.
The command line tool help pages can be
Forensic Utilities for SBC accessed by typing dc3dd --help or ewfacquire -
devices -help. The command line syntax used for
ewfacquire and dc3dd are shown below:
All tools listed below can be found on the
Forensics Wiki (Forensicswiki - Category: Disk fdisk -l and lsblk commands were used
Imaging, 2016): to find information about the attached
drives
DCFLDD – command line Linux To make an image of a hard drive,
DD – command line Linux USB drive, etc. with dc3dd:
DC3DD – command line Linux sudo dc3dd if=/dev/[device
DDRescue – command line Linux such as sda]
EWFAcquire – command line Linux of=/[location/filename]
tool for imaging to Expert Witness hash=md5 hash=sha1
Format (EWF/E01) log=[logname].log [bufsz=xx]
FTK Imager - command line Linux tool To verify the hashes of the acquired
does not appear to work for ARM image with dc3dd:
devices at this time sudo dc3dd if=/[filename]
Guymager – not available for ARM at hash=md5 hash=sha1
this time of=/dev/null log=[logname].log
AIR (Automated Image & Restore) – To make an image of a hard drive,
not available for ARM at this time USB Drive, etc. with ewfacquire:
AFFLIB/AFF4 – does not appear to ewfacquire /dev/[device such as
acquire images from devices at this sda] -l [logname].log -t
time but can convert image files using [filename]
affconvert or affcat tools Do not have to include -t
Aimage – image acquisition for (target) as ewfacquire will
AFFLIB but support has been dropped prompt for remaining
and it does not appear to work on information
ARM devices. To verify the hashes of the acquired
image with ewfacquire:
At this time, we were unable to find a
ewfverify -d sha1 [filename] -l
technique to acquire images in the AFF format
[logname].log
on ARM devices. The Linux based forensic
utilities used in this research are dc3dd and Powering external drives
ewfacquire. DCFLDD was not used due to a
The Odroid XU4 is able to power external 2.5
potential issue explained in a NIST test (NIST
inch hard drives or multiple USB flash drives
& US Department of Homeland Security, 2013)
without issue. The Raspberry Pi 2 needed
(12/2013) and DCFLDD does not appear to
modification to the config.txt file which is not
have been updated since 2006. DC3DD is also
available on Kali Linux for the Raspberry Pi 2.
listed as a forensic imaging tool on the
A valid config.txt file was copied from an
Department of Defense Cyber Crime Center’s
existing Raspbian installation. After the
website (DC3 / Defense Cyber Crime Institute
config.txt file was copied to the boot partition
the line “max_usb_current=0” was changed to drives and verifying the hashes of the drive in
“max_usb_current=1”. This modification Sumuri Paladin. The two drives were then
changed the available amperage to the four acquired using FTK Imager on Windows 10
USB ports to 1.2A compared to the 0.6A with the hardware write-blocker. The results
default (Raspberry Pi Forums - Any negative were confirmed with software write-blocking
impact with setting `max_usb_current=1`?, using FTK Imager in Windows 10. The
2015). The Raspberry Pi 2 was then able to hardware write blocker was then used to
power an external 2.5” drive attached via USB. acquire the images of the two drives using the
Odroid XU4 and Raspberry Pi 2. The hashes
HDD Setup
matched across the devices and in software
The project originally tested a 60GB and write blocking in Microsoft Windows 10.
250GB HDD’s as well as a 20GB HDD.
However, the 250GB HDD failed with a head Table 2
crash after testing the write-blocker while the Hardware Write-Blocker Test Hashes
20GB HDD failed with a head crash early on 60GB IDE 2.5”
in the project. The project continued with
three different hard drives including a 2.5’’ RAW MD5 6724c73173142678ace5eaaa4944b
60GB IDE HDD, 120GB 2.5” SSD SATA III 1db
HDD and a 160GB 2.5” SATA II HDD.
All drives were first wiped with Sumuri RAW SHA1 2ba89ebfb1e11c41252ad6dfa4056f
Paladin Toolbox’s wipe feature. The 60GB aedc25c45c
drive was formatted as NTFS and a known set
of hashed files were copied to the drive. The 250GB IDE 3.5”
120GB SSD drive was formatted as NTFS and
a known set of hashed files were copied to the RAW MD5 1927da90530d9e10098ba54e395a
drive. The files were then hashed again using df0a
Quickhash to verify there were no changes to
the files after they were copied to the drives. RAW SHA1 f3a78fe3d28251dc6d85f80071ffba
06e6577384
The 160GB drive was modified
significantly from the other two drives and was
formatted with four different file system
The CoolGear write blocker proved
partitions including NTFS, FAT32, EXT4 and
effective across all the devices tested.
HFS+. A known set of hashed files were
Additional attempts were made to wipe,
copied to each partition. The files were hashed
format, copy files, move files, etc. but the write
again using Quickhash (TedTechnology, 2016)
blocker would display various errors.
to verify there were no changes to the files
after they were copied to the drives. Hardware Write-Blocking
100Mb eth .1 12.5 .75 .045 Toshiba 60GB 2.5” IDE 30.0 30.0
USB 10 12 75 4.5
3.1 50
Default Testing Image
Acquisition Speed
Read and write speeds of the USB devices
and SD cards used in this research were The default speeds of the single board
obtained using DiskMark (NetworkDLS - computers were generally slow due to image
acquisition from one USB drive to another Additional research was conducted on how to
attached USB drive. The Raspberry Pi 2 make the image acquisition speeds faster and
barely passed speeds of 10 MB/s at times and potential solutions were found. A more
slowed to transfer speeds of 1.5 MB/s. The thorough test with a USB drive would more
Odroid XU4 would occasionally reach 20MB/s effective and quicker in helping us understand
but would then slow to speeds around 10 the acquisitions speeds. An 8GB Patriot USB
MB/s. The Windows laptop was generally 2-3 3.0 drive and Samsung 16GB USB drive were
times faster than the Odroid XU4 and up to 5 used to test acquisition speeds across the
times faster than the Raspberry Pi 2 at hard devices. The 8GB USB 3.0 drive had
drive image acquisitions of up to 60 MB/s. maximum read speeds of 150.8 MB/s and write
speeds of 30.1 MB/s as indicated by the
Acquisition Time in Minutes testing in section VI, A.
We also used faster SD cards including:
XU4 Pi2
Samsung Pro 32GB in the Odroid XU4 and
the Samsung Evo+ 32GB in the Raspberry Pi
2. We tried three different methods of
1000
acquiring an image of the USB drive including:
500 directly to the SD card, to the attached
Sandisk 120GB SSD drive formatted as EXT4
0 XU4
60GB HWB 60GB NWB 120GB SWB 160GB HWB 160GB NWB and to the attached Sandisk 120GB SSD drive
formatted as EXT4 with the root filesystem
running from the SSD drive. Ewfacquire was
not used at this time as it was unable to
Figure 1. Acquisition Time in Minutes of XU4 and Pi2 acquire the 8GB USB drive due to a known
issue with certain USB drives [25]. The
following tests involved using different buffer
Our research shows that the real-world
sizes in dc3dd by changing the bufsz= option.
forensic imaging speeds of the single board
Different buffer sizes appeared to increase
computers are relatively slow using default
acquisitions speeds. The chart below shows
settings. The Odroid XU4 allows the option of
the time in seconds each acquisition took using
using an SD card or eMMC card but the
different buffer sizes. The Laptop times are
eMMC card appears to be a significant price
shown for comparison. The test times in
increase over an SD card. Five 16GB UHS-I
seconds did not include verification of the
SD cards can be purchased for approximately
image. The image was hashed and compared
the same amount as one 8GB eMMC card.
with the other images using FTK Imager. The
However, higher quality micro SD cards,
hash of the 8GB flash drive did not change
eMMC modules for Odroid, and SSD drives
after all of the forensic imaging tests using
can significantly increase the acquisition speeds
dc3dd. We can see in Figure 2 that the
if used to directly acquire the image to the
Laptop was 1.5 -2 times faster than the Odroid
card.
XU4 and 4 - 5 times faster than the Raspberry
Increasing Image Acquisition Pi 2.
Speeds of SBC’s
We can see in Figure 2 above that the XU4 displayed speeds of around 60
Laptop was 1.5 - 2 times faster than the MB/s that would fluctuate and then
Odroid XU4 and 4 - 5 times faster than the drop in speed by 10-20 MB/s.
Raspberry Pi 2. The hash of the 8GB flash 2. SSD drive attached for storage - The
drive did not change after all of the forensic acquisition speeds remained relatively
imaging tests using dc3dd as shown below in the same as above using an attached
Table 9. SSD drive to image the USB drives to.
Table 9 The Odroid XU4 imaging speeds
USB 3.0 Drive Hashes reached approximately 60 MB per
8GB USB Flash Drive – Hash did not change second with an external SSD SATA III
drive attached to one of the USB 3.0
RAW MD5 d6ec1cbc01ecda2beb956d3a9dcd99 ports. The Raspberry Pi 2 again did
7d not cross 20MB/s imaging from the
USB flash drive to the attached SSD
RAW SHA1 eb59fbd1a75fc7e743baed035b5509 drive. The speeds did not fluctuate
53a65a1b1b much using this method compared to
acquisition straight to the SD card.
However, Raspberry Pi 2 would settle
1. SD Card as storage - Acquiring an at about 14 MB/s while the Odroid
image directly to the SD card of the XU4 would settle between 40-55 MB/s.
Raspberry Pi 2 yielded imaging speeds 3. SSD drive attached and running root
of under 20 MB/s that would drop file system - The Odroid XU4 and
approximately 5-10 MB/s. The Odroid Raspberry Pi 2 were unable to boot
directly from a USB drive and need the the new partition as the
boot partition (/dev/mmcblk0p1) on root file system at the
the SD or eMMC card. However, bottom as /dev/disk/by-
moving the root filesystem (rootfs on uuid/**** /
/dev/mmcblk0p2) of the SBC’s Linux ext4 defaults,noatime 0 1
operating system to an externally b. Odroid XU4
attached USB SSD drive increased The process is relatively the
image acquisition speeds up to same for the Odroid XU4 as
approximately 20 MB/s for the shown above with the
Raspberry Pi 2 and up to Raspberry Pi 2. However,
approximately 60 MB/s per second for instead of changing the
the Odroid XU4. However, the speeds cmdline.txt file, the boot.ini file
would again decrease as the acquisition was modified on the Odroid
progressed. XU4.
a. Raspberry Pi 2 Formatted the SSD
Attaching an external SSD drive drive as EXT4
and copying the root file system Rsync -ax root directory
from the SD card to the SSD / of the sd card from
drive. This can be done a few /dev/mmcblk0p2 to the
different ways but this project new formatted root
used the method below based on directory on the SSD
Bearnes’ tutorial (Bearnes, drive
2015). If the UUID method In terminal ran blkid to
does not work substitute UUID obtain UUID of
with /dev/sda1 as this is the /dev/sda1
partition that will first load as Modified the
the root file system. /boot/cmdline.txt file
Formatted the SSD drive as from
EXT4 root=/dev/mmcblk0p2
Rsync -ax root directory of to root=UUID=****
/ from /dev/mmcblk0p2 to rootdelay=5
the new formatted root Modified the /etc/fstab
directory on the SSD drive and commented (#) out
In terminal ran blkid to the rootfs associated
obtain UUID of /dev/sda1 with the
Modified the /dev/mmcblk0p2 but
/boot/cmdline.txt file from added the new partition
root=/dev/mmcblk0p2 as the root file system at
rootfstype=ext4 to the bottom as
root=UUID=**** /dev/disk/by-uuid/****
rootdelay=5 /
Modified the /etc/fstab and ext4 defaults,noatime
commented (#) out the 0 1
rootfs associated with the
/dev/mmcblk0p2 but added
Using the above method, the devices The e01 format would be a clear choice in
appeared noticeably quicker but the acquisition image acquisition using the single board
speeds did not change from the previous computers with limited space on the device. It
methods. However, it is easier to have the may not always be possible to use ewfacquire
device run from an SD card and use the entire to acquire an image as shown in the results of
storage capacity of the attached hard drive to the research. However, a raw/dd image can be
store image files if needed. There were a few converted later to e01 or aff format using
occasions where the devices refused to reboot ewfacquire, affconvert/affcat or other tools.
with the SSD drive attached as the root file
Energy Costs
system. It was sometimes necessary to change
the root file system back to the original SD Table 10
US Electricity Summary centers per kilowatt hour
card to boot the device.
U.S. Electricity Summary cents per kilowatt hour
ADDITIONAL (US Energy Information Administration, 2016)
RESULTS 2014 2015 2016 2017
Image Size and Compression Residential 12.52 12.67 12.58 12.87
The research conducted in this paper was Sector
limited to raw (dd) format and expert witness
Commercial 10.74 10.59 10.59 10.79
(e01) format due to limitations on the ARM Sector
based single board computers. At this time,
we were unable to find a way to acquire the Industrial 7.10 6.90 6.91 7.04
drives in AFF format on the Raspberry Pi 2 as Sector
well as the Odroid XU4. The affcat tool allows
for conversion of an image but not acquisition
The devices were then plugged into a Kill A
from a hard drive. However, the maximum
Watt EZ Power Monitor for twenty four hours
compression ratios were used in FTK Imager
to determine power consumption. The
on Windows 10 which yielded the following
Raspberry Pi 2 displayed .03 kWh, the Odroid
compression results (Figure 3) for dd and e01.
XU4 displayed .10 kWh and the ASUS laptop
e01 dd displayed .18 kWh over a 24-hour period.
The Raspberry Pi 2 uses a power adapter was used to ensure accuracy of the images that
with a maximum of 10 watts, the Odroid were acquired.
XU4’s power supply is a maximum of 20 watts
After obtaining the images and verifying
and the laptop power supply is a maximum of
the hashes the devices appeared to acquire
65 watts. Keep in mind the cost savings would
images that matched across devices. If only
increase significantly if using a desktop or even
using a few single board computers is needed
a high end forensic workstation with a power
they could be attached to a monitor with two
supply of over 1000 watts.
HDMI outputs and with a keyboard. The
BUILDING A process of switching back and forth is not too
time consuming.
USABLE MINI LAB
The Raspberry Pi 2 and Odroid XU4 both
During the research each device was have compatible touch screen displays to make
individually attached to a monitor via the them a standalone solution or even portable.
HDMI port and a wireless keyboard with However, the price may increase to a point at
touchpad was used for the devices. The process which a low budget laptop around $200 may
of switching the hard drives to each device, work as a portable solution. The single board
attached the USB dongle for the keyboard, computers are only the size of a credit card in
attaching the HDMI cable, and acquiring the width and length which makes them a space
image became slow and tedious. This method saving solution over a laptop
VNC was used in this process because we Each single board computer running Kali
wanted command line tools but this also Linux is automatically assigned the same
provided the option of using the GUI based hostname of kali. We modified the hostname
tools such as Sleuthkit/Autopsy. This also of each device to reflect the device used, color
leaves the option of creating our own GUI coded the network cable and changed the
based image acquisition tool for ease of use. background of the desktop to reflect the color
There are various pieces of open source of the network cable. This reduced confusion
software that can be used on these devices but when quickly trying to figure out which device
x11vnc (Runge, n.d.) was chosen due to its we were using with VNC and what drives were
ease of use and ability to view the X interface attached where.
on display 0. We could then attach a monitor Each single board computer can be
or view the same display through VNC. purchased with a case and there a variety of
However, there is no need to attach a keyboard cases to use or 3D print. However, we wanted
or monitor after initial setup so the use of any an open air type case where we could stack the
VNC software such as TightVNC server would devices, increase air flow and move them
work. around if needed. We located a stackable
solution for attaching the single board
X11VNC Setup
computers as a small tower and assembled.
Apt-get install x11vnc However, various other solutions exist and if a
Run x11vnc -display :0 and setup the 3D printer is available there is the possibility
password and choose yes to storing the of a completely customized design.
password
To stay with the theme of using ARM
Create a startup option by going to based devices we setup a small file server using
applications – session and startup – add an Odroid XU4 and a Cloudshell case (~$40)
Add an option with x11vnc, from (Hardkernel, n.d.). We also used the
auto start and command = freely available Linux operating system DietPi
x11vnc -forever -display :0 - (Knight, n.d.) to quickly create a samba file
geometry 1280x720 server using the Odroid XU4, Cloudshell and a
We then installed a VNC viewer on our 120GB SSD drive for testing Mini lab and file
Windows laptop and were able to start server shown below:
a VNC session with the “IP address”:0
We also wanted to reboot the ARM
devices without having to login or need
to attach a monitor. We edited the
following:
Figure 5. Digital Forensic Mini-Lab Figure 6.Odroid Cloudshell Server Running Dietpi
space and some devices such as the Raspberry papers including: (Carrier, 2003), (Morra,
Pi 2, Odroid C2, and Banana Pro can be 2013), and (Garrie, 2014)
powered by a USB hub, multi-port USB
charger or even a USB battery pack.
CONCLUSION
Digital Forensic Labs Standalone forensic imaging devices tend to
cost thousands of dollars. We found that there
These devices could allow a forensic technician were many options when researching
to have multiple imaging devices while working standalone forensic imager devices,
on other tasks on their main forensic workstations and low budget laptops.
workstation. An entire forensic lab of SBC However, low budget options such as laptops,
devices could be purchased at a fraction of the tablets and mini-pc’s around the $200 price
cost of standard computers, laptops, range were limited. We wanted to test the
workstations or standalone solutions. These possibility of using low cost (under $100) single
devices can be used as standalone forensic board computers as forensic imaging devices
imaging stations with a separate monitor or as and the process appears to be a success.
a headless solution using VNC or other remote Additional testing is always needed as the
connection tools. These devices may assist a digital forensic testing possibilities are
digital forensics lab in reducing backlogs of low overwhelming.
priority cases. A forensics technician can
install one or several of these without taking Four different drives were imaged using the
Raspberry Pi 2 and the Odroid XU4. The
up much space.
hash of each drive remained the same through
There is also the potential for single board the image acquisition process using hardware
computers to be used as a forensic workstation write-blocking and software write-blocking.
to conduct a full analysis of an external drive. The only time the hash of a drive appeared to
A report could be generated with the change was when using Windows 10 and FTK
additional software already installed. In brief imager without write-blocking. Even without
testing other programs such as Sleuthkit write-blocking the hash of the drives did not
Autopsy, Digital Forensic Framework, change on the single board computers.
LibreOffice and other open source tools could
We intentionally did not create a new
be used.
operating system or piece of hardware. This
Legal Issues and Court project used existing community supported
Admissibility resources and hardware. We believe this is
better for the digital forensics community as a
Our testing shows that the hashes of the hard
whole as the resources are already provided.
drives and USB drive did not change when
Since Windows is not available for these
using software write-blocking methods.
devices we used Kali Linux and other open
Further and independent testing is always
source software. Through trial and error, we
required with new or varied digital forensic
were able to obtain forensic images from
methods. We believe that with additional
various hard drives and a USB drive in
testing by other researchers, our methods
different manners. Further step by step
would be court admissible in legal proceedings.
processes can evolve to setup these devices in a
The argument for the validity of open source
forensically sound manner. We have also
tools has already been established by various
created a bash script which can install all the
necessary software with little user interaction.
REFERENCES
AccessData. (2016). AccessData Product Gladyshev, L. T. (2015). Open Forensic
Download. Retrieved from Devices. Journal of Digital Forensics,
http://accessdata.com/product-download Security and Law, 10(4), 97-104.
Bearnes, B. (2015, May 04). External Drive as Guidance Software. (n.d.). Encase Forensic
Raspberry Pi Root. Retrieved from Imager. Retrieved from Guidance Software:
Adafruit: https://www2.guidancesoftware.com/resour
https://learn.adafruit.com/external-drive- ces/Pages/doclib/Document-
as-raspberry-pi-root?view=all Library/EnCase-Forensic-Imager.aspx
Carlton, G. K. (2014). A Study of Forensic Hardkernel. (2015). Odroid-XU4. Retrieved
Imaging in the Absence of Write-Blockers. from Hardkernel:
Journal of Digital Forensics, Security and http://www.hardkernel.com/main/product
Law, 9(3), 51-58. s/prdt_info.php?g_code=G143452239825
Carrier, B. (2003, September). Open Source Hardkernel. (2016). Hardkernel Odroid C2.
Digital Forensic Tools - The Legal (Hardkernel) Retrieved from
Argument. Retrieved from Digital http://www.hardkernel.com/main/product
Evidance: http://www.digital- s/prdt_info.php
evidence.org/papers/opensrc_legal.pdf
Hardkernel. (n.d.). Hardkernel - Odroid XU4
Champlain College LCDI. (2016, February 16). Cloudshell. Retrieved from
Raspberry Pi Forensics. Retrieved from http://www.hardkernel.com/main/product
http://www.champlain.edu/Documents/Ra s/prdt_info.php?g_code=G143599699669
spberry%20Pi%20Forensics%20(1).pdf
Kali Linux Official Documentation - Kali
Convert-Me. (2016). Convert - Data Transfer Linux - Raspberry Pi. (n.d.). Retrieved
Rate. Retrieved from http://www.convert- from http://docs.kali.org/kali-on-
me.com/en/convert/data_transfer_rate/ arm/install-kali-linux-arm-raspberry-pi
DC3 / Defense Cyber Crime Institute (DCCI). Knight, D. (n.d.). DietPi. Retrieved from
(2016). DC3 Tools. Retrieved from DC3 / http://dietpi.com/
Defense Cyber Crime Institute (DCCI) /
LCDI, C. (2015, 12 13). Raspberry Pi
Tools: http://www.dc3.mil/tools
Forensics Update - Computer & Digital
Forensicswiki - Category: Disk Imaging. Forensics Blog. Retrieved from
(2016). Retrieved from http://computerforensicsblog.champlain.ed
http://forensicswiki.org/wiki/Category:Dis u/2015/12/13/1623/
k_Imaging
Lemaker. (2016). Lemaker Banana Pro
Foundation, R. P. (2016). Raspberry Pi 2 Specifications. (Lemaker) Retrieved from
Model B. Retrieved from RaspberryPi.org: http://www.lemaker.org/product-
https://www.raspberrypi.org/products/ras bananapro-specification.html
pberry-pi-2-model-b/
Morra, S. (2013, December). Confirming the
Integrity and Utility of Open Source
Forensic Tools. Retrieved from Utica Raspberry Pi Forums - Any negative impact
Online: with setting `max_usb_current=1`? (2015,
http://programs.online.utica.edu/pdf/Morr February 15). Retrieved from
a_6_Gonnella_Confirming_the_Integrity https://www.raspberrypi.org/forums/viewt
_and_Utility_of_Open_Source_Forensic opic.php?f=29&t=100244
_Tools_December.pdf
Runge, K. (n.d.). X11VNC. Retrieved from
Morrissy, D. B. (2014). Digital Forensic http://www.karlrunge.com/x11vnc/
Evidence in the Courtroom: Understanding
Sims, G. (2014, November 25). ARM vs X86 –
Content and Quality. Northwestern
Key differences explained! Retrieved from
Journal of Technology and Intellectual
Android Authority:
Property, 121-128.
http://www.androidauthority.com/arm-vs-
MSuhanov Linux Write Blocker. (2016). x86-key-differences-explained-568718/
Retrieved from Github:
Sumuri. (2016). Sumuri Paladin. Retrieved
https://github.com/msuhanov/Linux-
from http://www.sumuri.com/product-
write-blocker
category/paladin/
NetworkDLS - DiskMark. (n.d.). Retrieved
TedTechnology. (2016, March 21).
from
SourceForge - Quick Hash GUI.
http://www.networkdls.com/Software/Vie
(SourceForge) Retrieved from
w/DiskMark
https://sourceforge.net/projects/quickhash
NIST & US Department of Homeland Security. /
(2013, December 27). Test Results for
Tobin, L. (2013). Github Firebrick. Retrieved
Digital Data Acquisition Tool: DCFLDD
from https://github.com/leetobin/firebrick
1.3.4-1. Retrieved from
https://www.dhs.gov/sites/default/files/pu US Energy Information Administration.
blications/DCFLDD%201%203%204- (2016). Electricity. Retrieved from
1%20Test%20Report_updated.pdf EIA.gov:
https://www.eia.gov/forecasts/steo/report/
odroid XU4 with Kali 2, read only file system.
electricity.cfm
(2015, 8 2). Retrieved from Kali Linux
Forums: Webopedia. (2016). What is a Single Board
https://forums.kali.org/showthread.php?26 Computer (SBC)? Webopedia Definition.
431-odroid-XU4-with-Kali-2-read-only-file- Retrieved from
system/ http://www.webopedia.com/TERM/S/sbc
_single_board_computer.html
Offensive Security. (2016). Kali Linux Arm
Images. Retrieved from
https://www.offensive-security.com/kali-
linux-arm-images/
Polstra, D. P. (2016). PPolstra. Retrieved from
http://philpolstra.com/Home/
Polstra, P. (2014). Hacking and Penetration
Testing with Low Power Devices. Syngress.