Digital forensics investigation framework for Raspberry Pi

Raspberry Pi is a Linux based embedded computer device in a palm hand size, with 512MB of RAM, 700MHz of ARM CPU and GPU Integrated in a single chipset with HDMI output, providing USB ports and Network plugs. In addition, this tiny computer device has a low price in the market and easily accessible for public. Different Linux distribution has been developed for Raspberry Pi from Media Center OS, Penetration Testing OSes such as W3afi Pi ('\v3af," 2013), ARM Kali Linux (Ofensive-Security, 2012) and PWNPI ("PwnPI," 2012) and web application security scanners such as Glasptopf Pi ("Honeypot Project," 2012) and Kippo Pi ("SSH Honeypot," 2009) as web application honeypot projects. Due to its open source characteristics, scientific industry people can easily develop application to use in robotics projects and smart home technologies. Since Raspberry is new in the market, the unknown data structure and lack of digital forensics methods for Raspberry Pi put digital forensics examiner in difficulties for data acquisition and analysis. This study focuses on developing a digital forensics framework to bypass the security mechanism, collect stored data of the SD card and volatile memory and then analyze and extracted the evidence from the captured data. This study has two main objectives. The first objective is to propose and develop a new method to bypass the security mechanism and gain privileged access for data acquisition. And the second objective is to propose and develop a tool to extract and analyze evidence from volatile memory. The scope of this research is bypassing the security mechanism of the Linux kernel, data collection of the volatile memory and SD card, and finally analyzing the dumped volatile memory. To perform this research, available data collection and analysis methods of ARM Linux based embedded devices has been studied and applied on the Raspberry Pi to find the best approach. Raspberry Pi Digital Forensics Investigation Framework (RPiDFIF) is proposed and development framework that has two major components. Data collection component bypasses the Security mechanism of the Linux kernel, dumps the volatile memory and SD card with minimum interaction and changing the integrity of the live Raspberry Pi. Second component analyzes the SD card content and volatile memory of the RAM. While there are available tools to extract and analyze the SD card data, the developed component with interaction of the Volatility framework extract the running process, established network connections, log files, encryption keys and many more. Forensics investigator by using these two independent automated components of RPiDFIF can easily investigate remotely or by having physical access of the Raspberry Pi in the crime scene. To evaluate RPiDFIF, three evaluations have been conducted. In the first evaluation experiment, data collection has been done separately to ensure if data collection works properly and independently and capture the whole data stored on the SD card and volatile memory. Then in the second evaluation, volatile memory investigation has been performed to extract evidence from captured volatile memory. Finally, in the last evaluation, we performed a real world attack case study based on one of the challenges of the Honeynet project has been selected. In this scenario, we compromised the Raspberry Pi as a Linux web server and using the RPiDFIF we bypassed the security mechanism and acquired data from both SD card and volatile memory, and using the Autopsy for SD card investigation and developed plugins and profile for Volatility framework. Based on the developed RPiDFIF framework, digital forensics investigator can easily examine the Raspberry Pi remotely or by having physical access to the device automatically and without learning new commands.

Text FSKTM 2015 26 ir.pdf Download (1MB)

Actions (login required)

View Item