Zunera Jalil
Email: zunera.jalil@mail.au.edu.pk
What we are going to talk about today….
Static Acquisition
• Copying a hard drive from a powered-off system
• Does not alter the data, so it is repeatable
Live Acquisition
• Copying data from a running system
• Cannot be repeated exactly: the act of acquiring alters the data
• RAM contents carry no timestamp but may reveal
very useful information (for example, encryption keys held in memory)
Evidence Data
o Three formats
Raw format
Proprietary formats
Advanced Forensics Format (AFF)
Raw Format
o Design goals (these are the design goals of the Advanced Forensics Format, AFF; a raw image is a plain bit-for-bit copy with no compression and no metadata of its own)
Provide compressed or uncompressed image files
No size restriction for disk-to-image files
Provide space in the image file or segmented files for metadata
Open source for multiple platforms and OSs
Internal consistency checks for self-authentication
Advanced Forensics Formats…
Rule of thumb:
Full Image
Acquisition Architectures
Best way to ensure that the drive is not modified during image collection
Forensic Live DVD
Write Blockers
o Simple duplication
Copy selected data: file, folder, partition...
o Forensic duplication
Every bit on the source is retained,
including deleted files
Goal: act as admissible evidence in court proceedings
Acquisition Requirements
Types of Forensic Disk Images
o Complete disk
o Partition
o Logical
FTK Imager
Acquisition Methods
o Types of acquisitions
Static acquisitions and live acquisitions
o Four methods
Bit-stream disk-to-image file
Bit-stream disk-to-disk
Logical disk-to-disk or disk-to-data file
Sparse data copy of a file or folder
o Best method depends on the circumstances of the investigation
Bit-stream disk-to-image file
o Active data
Files and folders in use, listed in the directory
o Unallocated Space
Clusters no directory entry points to any more; remnants of deleted files
o File slack
Space between the end of a file's data and the end of its last allocated cluster; it keeps fragments of whatever was stored there before
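To make the three categories concrete, here is an added example (not code from the original slides): a toy cluster-based file system on a raw byte array, with a logical copy and a bit-stream image taken from the same media. The cluster size, file names and file contents are constructed for illustration; the allocation logic is deliberately minimal and stands for no real file system.

```python
# Added example (not from the original slides): a toy cluster-based file
# system on a raw byte array, so the three things a bit-stream image captures
# (active data, file slack, unallocated space) can be seen side by side.
# Cluster size, file names and contents are constructed for illustration.

CLUSTER = 64        # bytes per cluster (assumed; real file systems use 512 B to 64 KiB)
N_CLUSTERS = 8


class ToyDisk:
    """Minimal allocation-table file system: directory + allocated-cluster set."""

    def __init__(self):
        self.media = bytearray(N_CLUSTERS * CLUSTER)  # the raw "sectors"
        self.files = {}          # name -> (cluster list, size in bytes)
        self.allocated = set()

    def write_file(self, name, data):
        need = max(1, -(-len(data) // CLUSTER))       # ceil division
        free = sorted(set(range(N_CLUSTERS)) - self.allocated)[:need]
        if len(free) < need:
            raise OSError("disk full")
        for i, c in enumerate(free):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the bytes the file covers are written. The tail of the last
            # cluster keeps whatever was there before: that is file slack.
            self.media[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.files[name] = (free, len(data))
        self.allocated.update(free)

    def delete_file(self, name):
        clusters, _ = self.files.pop(name)
        # As on a real file system, deletion only frees the clusters; their
        # content stays on the media until something overwrites it.
        self.allocated.difference_update(clusters)

    def read_file(self, name):
        clusters, size = self.files[name]
        raw = b"".join(self._cluster(c) for c in clusters)
        return raw[:size]

    def _cluster(self, c):
        return bytes(self.media[c * CLUSTER:(c + 1) * CLUSTER])


def logical_copy(disk):
    """Logical acquisition: only the files the directory still lists."""
    return {name: disk.read_file(name) for name in disk.files}


def bitstream_image(disk):
    """Bit-stream acquisition: every byte of the media, allocated or not."""
    return bytes(disk.media)


def file_slack(disk, name):
    """Bytes between the end of the file's data and the end of its last cluster."""
    clusters, size = disk.files[name]
    used_in_last = size - (len(clusters) - 1) * CLUSTER
    last = clusters[-1]
    return bytes(disk.media[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])


def unallocated_space(disk):
    """Clusters no directory entry points to; remnants of deleted files live here."""
    return b"".join(disk._cluster(c) for c in range(N_CLUSTERS)
                    if c not in disk.allocated)


SECRET = b"CONFIDENTIAL merger terms: 42 per share. " * 3   # constructed content


def demo():
    """Write a file, delete it, then write a small file over its first cluster."""
    disk = ToyDisk()
    disk.write_file("secret.txt", SECRET)      # 123 bytes -> clusters 0 and 1
    disk.delete_file("secret.txt")
    disk.write_file("note.txt", b"hello")      # 5 bytes into cluster 0
    return {
        "logical": logical_copy(disk),          # what a logical copy sees
        "slack": file_slack(disk, "note.txt"),  # bytes 5..63 of cluster 0
        "unallocated": unallocated_space(disk), # cluster 1 onwards
        "image": bitstream_image(disk),
    }


if __name__ == "__main__":
    r = demo()
    print("logical copy:", r["logical"])
    print("slack of note.txt:", r["slack"])
    print("unallocated space:", r["unallocated"].rstrip(b"\0"))
```

Running `demo()` shows the logical copy containing only `note.txt` with the five bytes `hello`, while the slack of that same file and the unallocated clusters still hold most of the deleted "secret" text; only the bit-stream image carries all of it.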
Partition Image
• Windows BitLocker
• TrueCrypt – [http://truecrypt.sourceforge.net/] (development discontinued in 2014)
• If the machine is on, a live acquisition will capture the hard drive in its
decrypted (mounted) state
• Otherwise, you will need the key or passphrase
The suspect may provide it … Really?
There are some exotic attacks
• Cold boot attack: power-cycle the running machine and dump RAM before its contents fade, to recover the encryption key still held in memory
• Passware - commercial tool for decrypting files and quickly recovering passwords
• Electron microscope
Windows BitLocker
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
Using Acquisition Tools
• Hashes detect whether data has changed after the time when the
hash was computed
Hashing the source and the image also verifies that copies are accurate
• Drives with bad sectors give a different hash each time they are
imaged, because reads of a failing sector are not repeatable
• Document it if that happens: which sectors failed and how the tool filled them in the image
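The following added example (not code from the original slides) runs a bit-stream disk-to-image copy against a constructed fake drive with one permanently bad sector and one marginal sector that fails every other read. It zero-fills unreadable sectors the way `dd conv=noerror,sync` does, hashes exactly what went into the image, and produces the note an examiner would record. Two runs over the same source produce different hashes, which is the point of the slide; each image still verifies against the hash taken at acquisition time. The drive class, sector pattern and note format are assumptions made for the example.

```python
# Added example (not from the original slides): a bit-stream disk-to-image
# copy with dd-style "noerror,sync" handling, run against a constructed fake
# drive. It shows why a source with a failing sector hashes differently from
# one run to the next, and what the examiner should record when that happens.
import hashlib

SECTOR = 512


class BadSectorError(IOError):
    pass


class FakeDrive:
    """Constructed stand-in for a block device (not a real driver).

    Sectors in `bad` always fail; sectors in `flaky` fail on every other read,
    which is the kind of behaviour a marginal sector shows in practice.
    """

    def __init__(self, n_sectors, bad=(), flaky=()):
        self.n_sectors = n_sectors
        self.bad, self.flaky = set(bad), set(flaky)
        self.reads = {}                                   # sector -> read count
        self.data = bytes((i * 7 + 13) % 256 for i in range(n_sectors * SECTOR))

    def read_sector(self, i):
        self.reads[i] = self.reads.get(i, 0) + 1
        if i in self.bad or (i in self.flaky and self.reads[i] % 2 == 1):
            raise BadSectorError(f"sector {i} unreadable")
        return self.data[i * SECTOR:(i + 1) * SECTOR]


def acquire(drive):
    """Bit-stream copy of every sector; unreadable sectors are zero-filled.

    Zero-filling (dd's conv=noerror,sync) keeps offsets in the image equal to
    offsets on the source. Returns (image, bad_sector_list, sha256_of_image).
    """
    image = bytearray()
    bad = []
    digest = hashlib.sha256()
    for i in range(drive.n_sectors):
        try:
            block = drive.read_sector(i)
        except BadSectorError:
            bad.append(i)
            block = bytes(SECTOR)
        image += block
        digest.update(block)          # hash exactly what went into the image
    return bytes(image), bad, digest.hexdigest()


def verify(image, expected_hex):
    """Re-hash the image; a match shows the copy is still what was acquired."""
    return hashlib.sha256(image).hexdigest() == expected_hex


def acquisition_note(label, bad, digest):
    """Text for the examiner's notes: which sectors failed and the image hash."""
    failed = ", ".join(str(s) for s in bad) or "none"
    return (f"{label}: {len(bad)} unreadable sector(s) [{failed}], "
            f"zero-filled in image; image sha256={digest}")


if __name__ == "__main__":
    drive = FakeDrive(16, bad={3}, flaky={7})
    for run in (1, 2):
        image, bad, digest = acquire(drive)
        print(acquisition_note(f"run {run}", bad, digest))
        print("  image verifies:", verify(image, digest))
```

The first run logs sectors 3 and 7 as unreadable, the second only sector 3, so the two image hashes differ even though nothing on the source changed. What stays meaningful is the image-to-hash check: each image verifies against the hash recorded for it, and the bad-sector list in the note explains the discrepancy between runs.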
Some links to explore
• https://www.discovermagazine.com/technology/heres-what-the-data-on-your-hard-drive-looks-like
• https://www.dhs.gov/science-and-technology/nist-cftt-reports
• https://www.cfreds.nist.gov/
• https://www.nist.gov/programs-projects/digital-forensics
• https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt
• https://toolcatalog.nist.gov/
Reading Task - For QUIZ 2