Things to Consider During Acquisition
• Size of the source storage drive
• Time to copy the data
• Required storage on destination drive
• Probability of errors occurring
• Uncontrolled factors affecting acquisition
• Whether you can retain the source drive
Acquisition Data Storage Formats
• Three formats
– Raw format
– Proprietary formats
– Advanced Forensics Format (AFF)
Raw Format
• A sector-for-sector duplicate of the drive
• Advantages
– Fast data transfers
– Can ignore minor data read errors on source drive
– Most computer forensics tools can read raw format
• Disadvantages
– Requires as much storage as original disk or data
– Tools might not collect marginal (bad) sectors
Proprietary Formats
• A unique format specific to a particular tool
• Commercial forensic tools typically use their own proprietary format
• Proprietary formats
– Allow acquired data (images) to be compressed
– Can split an image into small segmented files
– Can integrate metadata into the image file
– Cannot be used between multiple tools
Advanced Forensics Format (AFF)
• Developed by Dr. Simson L. Garfinkel
• Combination of raw and proprietary
– Compressed or uncompressed image files
– No size restriction for disk-to-image files
– Provides space in the image file or segmented files for metadata
– Simple design with extensibility
– Open source for multiple platforms and OSs
Acquisition Preparation
• Target media must be securely wiped
• Any existing data on the target drive may compromise the integrity of the analysis
• Keep a record of who wiped the media, when it was done and how
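The three points above (wipe the target, make sure nothing is left on it, record who/when/how) as one shell procedure. This is an added example, not from the original slides; the function names wipe_target and verify_zeroed and the tab-separated log format are assumptions, and the "drive" it wipes is a constructed regular file standing in for a real target such as /dev/sdb, which is why a byte count is passed instead of writing until the device is full.

```shell
#!/bin/sh
# Added example, not from the original slides: wipe a target medium with dd,
# verify that it really is all zeros, and record who/when/how in a custody log.
# Function names (wipe_target, verify_zeroed) and the log layout are assumptions;
# the "device" used below is a constructed regular file standing in for a real
# target such as /dev/sdb.

# wipe_target DEVICE BYTES OPERATOR LOGFILE
# Overwrites the first BYTES bytes of DEVICE (a whole number of 512-byte sectors)
# with zeros and appends one record to LOGFILE: UTC timestamp, operator, device,
# and the exact command that was run.
wipe_target() {
    dev=$1; bytes=$2; operator=$3; log=$4
    [ $((bytes % 512)) -eq 0 ] || { echo "BYTES must be a multiple of 512" >&2; return 1; }
    count=$((bytes / 512))
    # conv=notrunc: overwrite in place, as happens on a block device (no truncation)
    dd if=/dev/zero of="$dev" bs=512 count="$count" conv=notrunc 2>/dev/null || return 1
    sync
    printf '%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$operator" "$dev" \
        "dd if=/dev/zero of=$dev bs=512 count=$count conv=notrunc" >> "$log"
}

# verify_zeroed DEVICE
# Returns 0 only if every byte of DEVICE is zero. od -v prints every byte (no
# '*' run suppression); after stripping spaces, zeros and newlines, anything
# left over came from a non-zero byte.
verify_zeroed() {
    [ -z "$(od -An -v -tx1 "$1" | tr -d ' 0\n')" ]
}

# Demonstration on a constructed 1 MiB "drive" filled with random data.
demo_dir=$(mktemp -d)
demo_dev="$demo_dir/target.img"
dd if=/dev/urandom of="$demo_dev" bs=512 count=2048 2>/dev/null
verify_zeroed "$demo_dev" && echo "unexpected: fresh target already zeroed"
wipe_target "$demo_dev" 1048576 "examiner-01" "$demo_dir/custody.log"
verify_zeroed "$demo_dev" && echo "target verified zeroed; record:" && cat "$demo_dir/custody.log"
rm -rf "$demo_dir"
```

The verification step is the part that matters for the integrity argument on the slide: the log entry says a wipe was performed, verify_zeroed shows that the medium actually contains nothing from a previous case before the new image is written onto it.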
Windows Acquisition
• FTK Imager
• EnCase
• X-Ways
AccessData FTK Imager
• Evidence drive must be attached through a hardware write-blocking device
– Or with the USB write-protection registry feature enabled
• Creates EnCase SMART, raw (dd) and AFF images
• Automatically creates and validates the forensic copy
AccessData FTK Imager (1)–(6)
Linux Acquisition
• dd
• dcfldd (Defense Computer Forensics Lab)
• ddrescue
• dc3dd (Defense Cyber Crime Centre)
Locating the Suspect Device in Linux
• To create an image of your suspect drive you first need to identify the source
• You can use the lsblk command to list block devices
• A block device can be a hard drive, USB drive, CD/DVD etc.
• Using the output of lsblk you can identify the device and its partitions
lsblk Command With & Without USB Drive
dd
• Input file (if) – what is the name of the device/file?
– if=/device/partition
– Example: if=/dev/sda
• Output file (of) – where does the output go?
– of=nameOfOutputFile.dd
– Example: of=/home/user/forensicCopy.dd
• Need help?
– dd --help
dcfldd
• Hashing on the fly - dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
• Status output - dcfldd can update the user on its progress in terms of the amount of data transferred and how much longer the operation will take.
ddrescue
• ddrescue is a data recovery tool.
• It copies data from one file or block device to another, trying to rescue the good parts first in case of read errors
• Uses log files to try and recover data via checkpoints
Validating Data Acquisitions
• Most critical aspect of computer forensics
• Requires using a mathematical hashing algorithm
• Common validation techniques
– MD5, SHA-1, SHA-512 etc.
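The dd, dcfldd and validation slides above describe one workflow: copy the source sector by sector, hash the data as it flows, then re-hash the finished image to validate it. The following is an added example, not from the original slides or from the dd/dcfldd projects: it reproduces dcfldd's on-the-fly hashing with standard dd, tee and sha256sum, and shows the validation step as a second, independent hash. The function names acquire_image and verify_image and the hash-log layout are assumptions, and the source "device" is a constructed file standing in for /dev/sda.

```shell
#!/bin/sh
# Added example, not from the original slides: a raw (dd) acquisition whose hash
# is computed on the fly from the very bytes written to the image, as dcfldd's
# hash= option does, followed by the validation step of re-hashing the finished
# image. Function names (acquire_image, verify_image) and the hash-log layout are
# assumptions; the source "device" is a constructed file standing in for /dev/sda.

# acquire_image SOURCE IMAGE HASHLOG
# dd reads SOURCE sector by sector; tee writes the stream to IMAGE while passing
# the same bytes to sha256sum, so the recorded hash is the hash of the image, not
# a second read of the source. conv=noerror,sync is the raw-format behaviour the
# slides describe: unreadable sectors are skipped and zero-filled, and a source
# that is not a whole number of sectors is padded to the next 512-byte boundary
# (so the image hash will then differ from a hash of the raw source file).
# Prints the hash and stores it in HASHLOG in "HASH  IMAGE" form (sha256sum style).
# Note: dd's own exit status is lost inside the pipeline in plain POSIX sh, so
# an empty image is treated as failure and dd's stderr should be kept in real use.
acquire_image() {
    src=$1; img=$2; log=$3
    hash=$(dd if="$src" bs=512 conv=noerror,sync 2>/dev/null | tee "$img" | sha256sum | cut -d' ' -f1)
    [ -s "$img" ] || return 1
    printf '%s  %s\n' "$hash" "$img" > "$log"
    printf '%s\n' "$hash"
}

# verify_image IMAGE HASHLOG
# The validation step: re-hash IMAGE and compare with the value recorded at
# acquisition. Returns 0 only on an exact match, so any later change to the
# image (corruption, truncation, tampering) is detected.
verify_image() {
    img=$1; log=$2
    recorded=$(cut -d' ' -f1 "$log")
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$recorded" = "$actual" ]
}

# Demonstration on a constructed 4 KiB "drive" (eight 512-byte sectors).
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/source.img" bs=512 count=8 2>/dev/null
echo "image hash:  $(acquire_image "$demo_dir/source.img" "$demo_dir/evidence.dd" "$demo_dir/evidence.sha256")"
echo "source hash: $(sha256sum "$demo_dir/source.img" | cut -d' ' -f1)"
verify_image "$demo_dir/evidence.dd" "$demo_dir/evidence.sha256" && echo "image validated against acquisition hash"
rm -rf "$demo_dir"
```

The same tee split can sit behind the netcat listener in the Linux Remote Acquisition slide, so the receiving side records a hash of exactly what arrived over the network. The padding caveat is the one to remember when comparing an image hash against a hash taken of the source with a different tool: with conv=sync the two only agree when the source is a whole number of sectors.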
Windows Validation Methods
• Windows has no built-in hashing tools
– Third-party utilities can be used
– HashCalc (freely available)
• Commercial computer forensics programs typically have built-in validation features
Linux Validation Methods
Contingency Planning
• Create a copy of your evidence image file
• Make at least two images of digital evidence
• Use different tools or techniques
• Be prepared to deal with encrypted drives
Forensic ‘copy’ of the ‘copy’
• It’s best practice to analyze a copy of the forensic copy
• Any damage caused to the original forensic copy would require going back to the “original evidence” AND performing a subsequent acquisition
• That process puts ‘stress’ on the evidence
• Improper handling may also cause unintentional damage
Using Remote Network Acquisition Tools
• You can remotely connect to a suspect computer via a network connection and copy data from it
• Remote acquisition tools vary in configurations and capabilities
• Drawbacks
– LAN’s data transfer speeds and routing table conflicts could cause problems
– Gaining the permissions needed to access more secure subnets
– Heavy traffic could cause delays and errors
Linux Remote Acquisition
1. Forensically wipe the drive:
dd if=/dev/zero of=/dev/hdb1 bs=2048
2. Use netcat to set up the forensic server to listen:
# nc -l -p 8888 > evidence.dd
3. Use the dd command to read the first partition:
# dd if=/dev/hda1 | nc 192.168.0.2 8888 -w 3
Do’s and Don’ts
• Power on a computer to examine its contents - BAD
• Remove storage drive from the system and examine that - GOOD