
Data Acquisition and Hashing

What is Forensic Acquisition?


• Duplication of digital data in such a way that
the ‘copy’ is a true and accurate
representation of the original digital data
• An exact sector level duplicate of data from
persistent storage
• The preparation of an “Evidence Copy” for
subsequent analysis and investigation
Why is Forensic Acquisition Important?
• The creation of an ‘Evidence Copy’ allows
for analysis of the data without the risk of
contaminating the original seized evidence
• If the original evidence is compromised this
may limit its use in a courtroom
• If the forensic acquisition is not performed
correctly it may invalidate the results of any
later analysis
Rules of Evidence
• Admissible
– Evidence must be relevant and reliable
• Authentic
– Evidence must be clearly linked to incident
• Complete
– Must tell the whole story not just a perspective
• Reliable
– Evidence you can trust
• Believable
– Understandable by the court
Two Goals
1. Ensure the original device AND its data are not compromised (or tampered with)
2. Ensure that the acquired data is an exact copy of the original data
• We must be able to prove that both of the preceding goals were achieved
Data Acquisition Issues
• The inherent problem with digital media is that it is readily modified; even just by accessing files
• Simply attaching/connecting a persistent storage device to our workstation to copy the data can result in irreversible changes: the operating system may mount the volume, replay its file-system journal and update access timestamps before a single file has been copied
Safest Seizure Process
1. Shut down the computer
2. Transport the computer to a secure location
3. Prepare the system
4. Document the hardware configuration of the system
5. Mathematically validate (hash) the data on all storage devices
To Shutdown or Not to Shutdown
• There are multiple schools of thought with regards to shutting down the computer
– Historically, shutting down the computer immediately was considered ideal
– Today, users rely on full-disk encryption, remotely mounted drives etc.; shutting down destroys the decrypted state and any network sessions, so live analysis may provide critical intelligence for the investigation
• Follow the guidelines as set by your organisation
Shutting Down the Computer
• Before shutting the computer down:
– Check for running processes
– In Windows, use Task Manager
• Take a picture of the screen for your records
• Check for live connections to the system:
– netstat -an (active connections and listening ports)
– net sessions (incoming SMB sessions)
– openfiles (files on this machine opened remotely)
• Every command run on the live system alters it (a new process, prefetch entries, registry keys); record what was run, when, and why
Static (Traditional) vs. Live Acquisitions
• Static: Device is or can be powered down
prior to any data being acquired
• Live: Typically requires creating new or
modifying existing data on the device.
Beneficial when there is evidence of
decrypted folders/files on the disk. Live
acquisition of RAM may provide valuable
evidence
Partitions
Acquisition Methods
• Bit-stream disk-to-image file
• Bit-stream disk-to-disk (physical drive to physical drive)
• Logical copy
• Sparse data copy of a file or folder
Bit Stream Disk To Image File
• Most common method
• A physical disk drive is duplicated to an
‘image’ file
– Think of an ‘image’ file as a JPG or PDF file,
that encompasses the ‘bits’ of a drive
• Copies are bit-for-bit replications of the
original drive
• Includes ‘free’ or ‘unallocated’ data
Bit Stream Disk To Disk
• Duplicate physical drive to another physical
drive
• Requires a second drive of equal or greater
capacity with same configuration
• Allows investigator to access and operate
operating system
• Includes ‘free’ or ‘unallocated’ data
Logical or Sparse Acquisition
• When time is limited
• Logical acquisition captures only specific
files of interest to the case
• Sparse acquisition also collects fragments
of unallocated (deleted) data
• Useful for large persistent storage drives
• PST or OST mail files, RAID servers etc.

Things to Consider During Acquisition
• Size of the source storage drive
• Time to copy the data
• Required storage on destination drive
• Probability of errors occurring
• Uncontrolled factors affecting acquisition
• Whether you can retain the source drive

Acquisition Data Storage Formats
• Three formats
– Raw format
– Proprietary formats
– Advanced Forensics Format (AFF)

Raw Format
• A sector for sector duplicate of the drive
• Advantages
– Fast data transfers
– Can ignore minor data read errors on source drive
– Most computer forensics tools can read raw format
• Disadvantages
– Requires as much storage as original disk or data
– Tools might not collect marginal (bad) sectors

Proprietary Formats
• A unique format specific to a particular tool
• Commercial forensic tools typically use their
own proprietary format
• Proprietary formats
– Allow acquired data (images) to be compressed
– Can split an image into small segmented files
– Can integrate metadata into the image file
– Generally cannot be exchanged between tools from different vendors
Advanced Forensics Format (AFF)
• Developed by Dr. Simson L. Garfinkel
• Combination of raw and proprietary
– Compressed or uncompressed image files
– No size restriction for disk to image files
– Provide space in the image file or segmented files for
metadata
– Simple design with extensibility
– Open source for multiple platforms and OSs

Acquisition Preparation
• Target media must be securely wiped
• Any existing data on target drive may
compromise the integrity of the analysis
• Keep a record of who wiped the media,
when it was done and how
Windows Acquisition
• FTK Imager
• EnCase
• X-Ways Forensics
• Most commercial forensic applications incorporate an acquisition function
Windows Acquisition
• Advantages
– Acquiring data from a suspect drive is more convenient
– Typically easier for novice end-users
• Disadvantages
– The evidence drive must be protected with well-tested write-blocking hardware or software; Windows otherwise mounts a newly attached drive automatically and may write to it
– Tools can’t acquire data from a drive’s host protected area (HPA)
AccessData FTK Imager
• Freely available from AccessData
• Built into the AccessData Forensic Toolkit
(commercial application)
• Can make physical and logical acquisition of a
hard drive
• Can be used to create a memory dump
• Cannot acquire a drive’s host protected area

AccessData FTK Imager
• Evidence drive must be behind a hardware write-blocking device
– Or, as a weaker substitute, the USB write-protection registry setting (WriteProtect = 1 under HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies), which only affects USB mass-storage devices
• Creates EnCase (E01), SMART, raw (dd) and AFF images
• Can verify the image after creation by computing MD5 and SHA-1 hashes of the source and the image and reporting whether they match

AccessData FTK Imager (1)–(6): screenshot walkthrough of the imaging dialogs (images not reproduced)
Linux Acquisition
• dd
• dcfldd (Defense Computer Forensics Lab)
• ddrescue
• dc3dd (Defense Cyber Crime Center)
Locating the Suspect Device in Linux
• To create an image of your suspect drive
you first need to identify the source
• You can use the lsblk command to list block
devices
• A block device can be a hard drive, USB
drive, CD/DVD etc.
• Using the output of lsblk you can identify the device and its partitions
lsblk Command With & Without USB Drive
dd
• Input file (if) – the device or file to read
– if=/dev/<device or partition>
– Example: if=/dev/sda (whole disk) or if=/dev/sda1 (one partition)
• Output file (of) – where the output goes
– of=<nameOfOutputFile>.dd
– Example: of=/home/user/forensicCopy.dd
• Add conv=noerror,sync so a read error does not abort the copy and the unreadable block is zero-filled, keeping later offsets aligned with the original
• dd does not hash; hash the source and the image separately afterwards
• Need help?
– dd --help
dcfldd
• Hashing on-the-fly – dcfldd can hash the input data as it is being transferred, so the recorded hash reflects exactly what was read from the source
• Status output – dcfldd reports its progress in terms of the amount of data transferred and an estimate of how much longer the operation will take
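The dd invocation above and dcfldd's on-the-fly hashing, combined in one added example that is not part of the original slides: the stream from dd is split with tee so that one copy becomes the image and the other is hashed as it passes, and a separate verification step re-hashes source and image. It assumes GNU coreutils (dd with status=none, sha256sum, md5sum, tee, awk) and uses an ordinary file as a stand-in for /dev/sdX; the function names and the sample file are the example's own.

```shell
#!/bin/sh
# Added example (not from the original slides): image a source with plain dd,
# hash the data stream on the fly as dcfldd does, and verify the result.
# Assumes GNU coreutils. In real use SOURCE is a device such as /dev/sdb read
# through a write blocker; here a regular file stands in for the device.

# acquire_image SOURCE IMAGE
# bs=512 matches the sector size; conv=noerror,sync keeps going past read
# errors and zero-pads the unreadable block so later offsets stay aligned.
# tee splits the stream: one copy becomes IMAGE, the other is hashed as it
# passes, so IMAGE.sha256 records what was actually read from the source
# (written in "sha256sum -c" manifest format).
acquire_image() {
    local src="$1" img="$2"
    dd if="$src" bs=512 conv=noerror,sync status=none \
        | tee "$img" \
        | sha256sum \
        | awk -v f="$img" '{ print $1 "  " f }' > "$img.sha256"
}

# verify_image SOURCE IMAGE
# 1. The image on disk must still match the acquisition-time hash.
# 2. Source and image are re-hashed independently with two algorithms and
#    compared, so the copy is shown identical to the original rather than
#    assumed to be. Returns 0 only if every check passes.
verify_image() {
    local src="$1" img="$2" s_sha i_sha s_md5 i_md5
    sha256sum -c --quiet "$img.sha256" || return 1
    s_sha=$(sha256sum < "$src" | cut -d' ' -f1)
    i_sha=$(sha256sum < "$img" | cut -d' ' -f1)
    s_md5=$(md5sum < "$src" | cut -d' ' -f1)
    i_md5=$(md5sum < "$img" | cut -d' ' -f1)
    [ "$s_sha" = "$i_sha" ] && [ "$s_md5" = "$i_md5" ]
}

# demo: constructed 1 MiB sample "device"; returns 0 when the intact image
# verifies and a tampered image is rejected.
demo() {
    local work
    work=$(mktemp -d) || return 1
    head -c 1048576 /dev/urandom > "$work/suspect.bin"   # constructed sample
    acquire_image "$work/suspect.bin" "$work/evidence.dd"
    verify_image "$work/suspect.bin" "$work/evidence.dd" || { rm -rf "$work"; return 1; }
    # Overwrite sector 8 of the image with zeros: verification must now fail.
    dd if=/dev/zero of="$work/evidence.dd" bs=512 seek=8 count=1 conv=notrunc status=none
    if verify_image "$work/suspect.bin" "$work/evidence.dd"; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    return 0
}

demo && echo "intact image verified; tampered image rejected"
```

In practice the calls are `acquire_image /dev/sdb /evidence/case01.dd` followed by `verify_image /dev/sdb /evidence/case01.dd`, with both hashes copied into the case notes. If the source has unreadable sectors the two verification hashes will legitimately differ from each other; the acquisition-time hash in the manifest is then the value to record for the image.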
ddrescue
• ddrescue is a data recovery tool
• It copies data from one file or block device to another, trying to rescue the good parts first in case of read errors
• Uses a mapfile (called a logfile in older versions) to record which areas have been read, so an interrupted or repeated run resumes from its checkpoints and retries only the bad areas
Validating Data Acquisitions
• Most critical aspect of computer forensics
• Requires using a cryptographic hashing algorithm
• Common validation algorithms
– MD5, SHA-1, SHA-256, SHA-512 etc.
– MD5 and SHA-1 are no longer collision-resistant; record SHA-256 (or stronger) alongside any MD5/SHA-1 value that a tool or policy still requires
Windows Validation Methods
• Windows has built-in hashing tools
– certutil -hashfile <file> SHA256 (command prompt)
– Get-FileHash <file> (PowerShell 4.0 and later)
• Third-party utilities can also be used
– HashCalc (freely available)
• Commercial computer forensics programs typically have built-in validation features
Linux Validation Methods
Contingency Planning
• Create a copy of your evidence image file
• Make at least two images of digital evidence
• Use different tools or techniques
• Be prepared to deal with encrypted drives

Forensic ‘copy’ of the ‘copy’
• It’s best practice to analyze a copy of the
forensic copy
• Any damage caused to the original forensic
copy would require the “original evidence”
AND a subsequent acquisition to take place
• The process puts ‘stress’ on the evidence
• Improper handling may also cause
unintentional damage
Using Remote Network Acquisition Tools
• You can remotely connect to a suspect computer via a
network connection and copy data from it
• Remote acquisition tools vary in configurations and
capabilities
• Drawbacks
– LAN’s data transfer speeds and routing table conflicts
could cause problems
– Gaining the permissions needed to access more secure
subnets
– Heavy traffic could cause delays and errors

Linux Remote Acquisition
1. Forensically wipe the destination drive on the forensic server (here /dev/hdb1; substitute your own target):
dd if=/dev/zero of=/dev/hdb1 bs=2048
2. On the forensic server, use netcat to listen and write whatever arrives to the evidence file:
# nc -l -p 8888 > evidence.dd
(the OpenBSD netcat shipped by many distributions takes the port without -p: nc -l 8888)
3. On the suspect system, use dd to read the first partition and stream it to the server (192.168.0.2 is the server; -w 3 gives netcat a 3-second timeout so it exits once the stream has been sent):
# dd if=/dev/hda1 | nc -w 3 192.168.0.2 8888
• Hash /dev/hda1 on the suspect side and evidence.dd on the server side; the transfer is not validated until the two hashes match
• Unless the suspect system was booted from trusted forensic media, this is a live acquisition that relies on the suspect machine’s own dd and nc binaries
Do’s and Don’ts
• Power on a computer to examine its contents – BAD
• Remove the storage drive from the system and examine that – GOOD
• Attach the storage drive directly to a workstation for acquisition – BAD
• Attach the storage drive via write-blocking hardware – GOOD
• Immediately begin analysing the storage drive – BAD
• Perform a forensic acquisition of the storage drive – GOOD
• Assume the write-blocking hardware has worked – BAD
• Perform hashes to verify the original data remains unchanged – GOOD
• Assume the acquisition was successful – BAD
• Perform hashes to verify the original is identical to the copy – GOOD
Documentation
• Always document everything you do
• Someone with appropriate training should
be able to repeat the process and achieve
the exact same result
• Maintain chain of custody for all evidence
and working copies
• Perform hashes whenever chain of custody
for an item is updated. Record these hashes
to verify the integrity of the item
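The custody rule above (hash the item at every change of hands and record the hash), as an added example that is not part of the original slides: a minimal tab-separated custody log in which each entry carries a fresh SHA-256 of the item, a check that the item still matches its most recent recorded hash, and a history check that flags an item whose recorded hashes ever differ. It assumes GNU coreutils (sha256sum, date, awk); the log format, the function names and the sample evidence file are the example's own.

```shell
#!/bin/sh
# Added example (not from the original slides): a chain-of-custody log where
# every entry records a SHA-256 of the item, plus integrity checks against it.
# Assumes GNU coreutils. Log format, one line per custody event:
#   <UTC timestamp>\t<handler>\t<action>\t<sha256>\t<item path>

# custody_record LOG ITEM HANDLER ACTION -> appends an entry, prints the hash
custody_record() {
    local log="$1" item="$2" handler="$3" action="$4" h
    h=$(sha256sum < "$item" | cut -d' ' -f1) || return 1
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$handler" "$action" "$h" "$item" >> "$log"
    echo "$h"
}

# custody_verify LOG ITEM -> 0 if ITEM still hashes to its most recent logged
# value, 1 if it differs or was never logged
custody_verify() {
    local log="$1" item="$2" last now
    last=$(awk -F'\t' -v it="$item" '$5 == it { h = $4 } END { print h }' "$log")
    [ -n "$last" ] || return 1
    now=$(sha256sum < "$item" | cut -d' ' -f1)
    [ "$last" = "$now" ]
}

# custody_history LOG ITEM -> prints the number of entries for ITEM; returns 1
# if the recorded hashes are not all identical, i.e. the item changed hands in
# a modified state at some point and the chain is broken
custody_history() {
    awk -F'\t' -v it="$2" '
        $5 == it { n++; if (first == "") first = $4; else if ($4 != first) bad = 1 }
        END { print n + 0; exit bad + 0 }' "$1"
}

# demo: constructed evidence file moves between two examiners intact, is then
# modified, and the modification is caught by both checks. Returns 0 on success.
demo() {
    local work log item
    work=$(mktemp -d) || return 1
    log="$work/custody.tsv"; item="$work/evidence.dd"
    head -c 65536 /dev/urandom > "$item"                 # constructed sample image
    custody_record "$log" "$item" "examiner_a" "acquired" > /dev/null
    custody_record "$log" "$item" "examiner_b" "received from examiner_a" > /dev/null
    custody_verify "$log" "$item" || { rm -rf "$work"; return 1; }
    [ "$(custody_history "$log" "$item")" = "2" ] || { rm -rf "$work"; return 1; }
    # Working copy is accidentally modified: verify must now fail ...
    printf 'X' >> "$item"
    if custody_verify "$log" "$item"; then rm -rf "$work"; return 1; fi
    # ... and if a handler logs the next transfer without checking, the
    # history shows two different hashes for the same item.
    custody_record "$log" "$item" "examiner_c" "received from examiner_b" > /dev/null
    if custody_history "$log" "$item" > /dev/null; then rm -rf "$work"; return 1; fi
    rm -rf "$work"
    return 0
}

demo && echo "custody checks behaved as expected"
```

Run `custody_verify` before signing for an item and `custody_record` immediately after; the printed hash is the value that goes on the paper form. Because the log is append-only text, it can itself be hashed and stored with the case file at the end of each day.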
