Raspberry Pi Forensics Update

raspberry pi

Intro

The Raspberry Pi Forensics team is gradually making its way to the end of the project, and is beginning the final report. The hash values from the initial tests are being compared to the image of the drive that was moved using the Pi. The 1TB drive was dropped from testing indefinitely due to time constraints as well as several other assorted issues encountered while attempting to test it. We also encountered problems with the hash values and  transferring images from drive to drive, but we are continuing to make forward progress.

Analysis

Each member of the team is now finished with the respective tests under their individual responsibility. The data from each of these tests will be compiled into a tabular format that will be included in our final report as a single large piece. Unfortunately, the results of these tests came with some problems:  the first one encountered was a read/write error that occurred as we tried to create an MD5 log after moving the image with the Raspberry Pi. After inputting the dd/dcfldd command,  the operation would fail almost immediately with an error message that read, “Read Only Filesystem”. This meant  that the destination drive could not create the log, but  the imaged could still moved. The fix we found was to reformat the drive with the file system set up in a way that allowed more compatibility with the Raspberry Pi. We also tested the drive by moving it into the “Read Only File System” without the log file. After the move, we verified the hash using FTK Imager, which confirmed that it matched the original.

Another issue that we encountered concerned  the commands being used. When trying to move the image of the 80GB drive, the hash either wasn’t being created at all in the log or was incorrect.  We tested to see if it could be as simple as a bad sector within  the drive, a bad command, or even an issue with the Pi itself. Eventually, the issue corrected itself; it is still unclear what the solution was. After completing that test, it was redone to ensure the issue did not persist and that the Pi will no longer boot into the GUI. It is also now experiencing the “Read Only File System” error.

We have been working with a micro keyboard and a touch screen on one of the Raspberry Pis in consideration of future work. It was running smoothly and nearly ready for implementation, but there are issues with both the kernel and the board. When we attempted a fix,  the kernel failed and the Pi died. We have yet to boot it back up, though we are going to continue to find a workaround. If we are successful, we can continue on the path to a mobile and compact digital imaging system.

Conclusion

With one hash correct, we are seeing results yet still working through some clear and present issues with some of these Raspberry Pis. We are looking forward to completing this project to create the mobile imaging station before we finalize the report. Please check back to see our progress. We are excited to share our findings with you. If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at lcdi@champlain.edu.

LCDI Twitter LCDI Facebook

More Research Projects
The Leahy Center Inventory Project
Social Media Footprint Awareness
My Experience on The VPN Comparison Team