Raspberry Pi Forensics Update

Intro

After working out some of the initial technical and software issues we faced, our project is progressing smoothly. Data generation is complete and all of the test drives have been imaged through the use of a write blocker, a computer, and the program FTK Imager. This allowed us to create a baseline speed to compare to, as well as a set of hashes to be used for checking data integrity later on in the process. We are currently in the testing stage and exploring modifications to simplify the process.

Analysis

To thoroughly test every option and setup available, the team has been working independently on individual drives of varying sizes. This enables each team member to focus on testing all the configurations with that particular size drive. Through this process we will be able to establish how speeds compare for each setup.

In order to streamline the process, we have been investigating ways to limit peripheral devices needed to complete an image. As the Raspberry Pi has no input or output of its own, we had previously been using a full-sized monitor connected to the Pi through an HDMI cable, along with a wireless mouse and keyboard. All of these devices can be eliminated through a touch screen interface that attaches directly to the Pi and an accompanying miniature keyboard about the size of the average TV remote. We have had success interfacing between the Pi and its new keyboard and screen. We hope to eventually have a script written that would allow a user in the field to enter a few simple variables, such as drive locations, and the command will be automatically executed from the screen.

With the same goal of reducing peripheral devices, we are also investigating ways to eliminate the external dock that is currently being used to hold the storage media. One option is to use an external drive designed for mobile use, such as the Western Digital My Passport. This will only be feasible for use on large drives if we can establish a method of compressing the forensic image to reduce its footprint, a topic still under research by the team. There is the additional issue of power being drawn by the external drives. The Pi under normal circumstances simply can’t supply enough power. By continuing to find ways to reduce the number of extra pieces of equipment outside the Pi, we reach further towards our goal of a truly mobile and compact digital imaging system.
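
One way the field script and compressed image described above could fit together, as an added example that is not the team's own code: it takes the source and destination locations as arguments, writes a gzip-compressed image, and checks the decompressed contents against a baseline hash recorded earlier. The use of dd, gzip and SHA-256, the function names, and the paths in the usage comment are assumptions; the post does not say which command or hash algorithm the team uses.

```shell
#!/bin/sh
# Added example, not the team's script. dd, gzip and SHA-256 are assumptions:
# the post does not name the imaging command or hash algorithm.

# Print the SHA-256 of the uncompressed contents of a gzip-compressed image.
image_hash() {
    gzip -dc "$1" | sha256sum | cut -d' ' -f1
}

# acquire SOURCE DEST_GZ BASELINE_SHA256
# Returns 0 when the image matches the baseline, 1 on mismatch, 2 on I/O errors.
acquire() {
    src=$1; dest=$2
    # Accept upper- or lower-case hex in the recorded baseline.
    baseline=$(printf '%s' "$3" | tr 'A-F' 'a-f')

    if [ ! -r "$src" ]; then
        echo "cannot read source: $src" >&2; return 2
    fi
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing image: $dest" >&2; return 2
    fi

    # Read the source once and compress on the fly to shrink the stored image.
    dd if="$src" bs=1M 2>/dev/null | gzip -c > "$dest" || return 2

    # Hash what the image decompresses to, not the .gz file itself, so the
    # value is comparable with a hash taken from an uncompressed acquisition.
    actual=$(image_hash "$dest")
    printf '%s  %s\n' "$actual" "$dest" > "$dest.sha256"

    if [ "$actual" = "$baseline" ]; then
        echo "VERIFIED $dest"
        return 0
    fi
    echo "MISMATCH expected=$baseline actual=$actual" >&2
    return 1
}

# Run only when called with all three values, e.g. (hypothetical paths):
#   ./acquire.sh /dev/sda /mnt/evidence/case01.img.gz <baseline-hash>
if [ "$#" -eq 3 ]; then
    acquire "$@"
fi
```

The script only reads the source and does not enforce write protection itself, so the source drive still belongs behind the write blocker.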

Conclusion

Please check back to see our progress. We are excited to share our findings with you. If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at lcdi@champlain.edu.
