DFIR for good

December is typically the time of year we think of donating to charity. There are many ways we can help others, including with DFIR. The following is one such tale, authored by Assen Tasheff and copied with permission.

Once upon a time

Once upon a time there was a humanitarian aid organization. They had a limited budget to spend on commercial software, therefore Linux was their operating system of choice. For DFIR they relied on a custom toolset that leveraged the Sleuth Kit (TSK) [1] in an EDR (live-response) solution. All was well.

The EDR solution functioned flawlessly for years, until the day came that their hardware needed to be upgraded. This hardware upgrade also forced the organization to upgrade their version of Linux. This is where the organization was confronted with the (Linux) Logical Volume Manager, or LVM. As a result their custom developed EDR solution stopped working. Although the organization could now enjoy faster hardware, they were left without a functioning DFIR solution, which in turn affected millions of people in precarious life situations.

Stress levels rose exponentially. Lack of financial resources prevented them from redeveloping the EDR. Updating TSK with LVM support was an alternative possibility, but could they find the right people to help?

After a long and perilous journey, talking to numerous freelancers, our humanitarian aid organization stumbled upon libvslvm [2], which offered them the format support they needed.

Since the need of the organization was dire, they reached out directly to the author of libvslvm, Joachim Metz, with a request to see if LVM support could be added to the Sleuth Kit (TSK). After a quest to find a spot on a busy schedule, a representative of the organization was able to meet and explain their situation.

Seeing the situation was dire, there was no moment of hesitation to help. Joachim took on the quest and equipped his development environment of choice. In less than a week, there was a fork of TSK that was able to read an LVM created on top of a raw block device. The IT team assisting the organization tested the enhanced version and determined that they needed LVM within a GPT partition as well, which was added shortly thereafter. The organization could again ward off cyber threats.

It was not yet time to celebrate: with every new version of TSK the changes would have to be reapplied. Ideally the newly added LVM functionality in the fork would be integrated back into the main TSK project, ensuring it survives future updates. So in parallel, a representative of the organization and Joachim reached out to Brian Carrier, one of the maintainers of TSK, to start this conversation.

After several weeks of negotiation Brian agreed to merge the changes and asked Mark McKinnon to help evaluate the changes and author build instructions. The changes were merged and are now part of TSK, and all is well again for the organization and the people they are helping.


So what is the moral of this story?

The role of humanitarian aid organizations is of huge importance for today's challenges. More and more people are struggling for access to basic supplies like food, water, electricity and medical supplies. These organizations have the ability to ease the burden of people who are unable to access these basic goods, as well as give them a sense of safety and security.

Like any other organization, humanitarian aid organizations rely heavily on IT infrastructure for creating, working with and storing information. A good part of this information is sensitive, such as Personally Identifiable Information (PII), investor data and names of volunteers. Therefore, the security of information that is stored and handled on their servers should be taken very seriously.

DFIR plays an important role in humanitarian aid organizations as well. It provides safety and security in the digital space and is one of the practices needed to ensure the confidentiality, integrity and availability of data. Humanitarian aid organizations have to deal with a wide range of threats, ranging from being targeted by nation state actors to ransomware.

The landscape of DFIR solutions today is rich in choices - the majority of them commercial offerings and a smaller part Free and Open Source (FOSS) tooling. Since humanitarian aid organizations almost always lack the budget for commercial solutions, they rely significantly on volunteers and FOSS tooling.

One such FOSS toolset for DFIR is the Sleuth Kit (or TSK), initially released more than 20 years ago by Brian Carrier, with the mission "to create the leading open source file and volume system forensic analysis tools that run on all major platforms and allow access to common data types in methods that support standard analysis techniques".

Like any other FOSS project, TSK depends on the available time and resources of its developers and contributors. In practice this can mean that FOSS DFIR tooling falls behind on supporting new formats. The LVM support added in the story above is one example of this.

People like Brian Carrier, Joachim Metz and Mark McKinnon realize in practice the opportunity for DFIR in the form of FOSS to do good for humanity. But so can you: for example, humanitarian aid organizations need volunteers to do DFIR, and DFIR FOSS tooling needs volunteers to help with maintenance, testing and documentation. If you're interested in discussing DFIR for good related topics, reach out on the Open Source DFIR Slack community (#dfir-for-good).

“Great opportunities to help others seldom come, but small ones surround us every day.” - Sally Koch
