
Data Acquisition and Preservation using Tools: FTK Imager and dc3dd
Data Acquisition and Preservation procedure – Summary
• Write-protect the device you will copy data from (hardware write blocker, or at minimum a read-only mount)
• Create a hash of the device you copy data from
• Acquire a forensic disk image (file) of the device
• Create a hash of the disk image
• Compare the hashes: they must match exactly, otherwise the image is not a bit-for-bit copy
• Put the original device in secure storage
• Create a copy of the acquired disk image and work on the copy, with hash verification
Tool - FTK Imager
• From AccessData (now Exterro)
• Creates forensic images – both memory (RAM) and disk
• Needs a separate write-blocking capability; FTK Imager does not protect the source device from writes itself
• FTK Imager download - https://www.exterro.com/ftk-imager
Create Disk Image
• Demo to create an image
• Discuss
  ◦ Case naming
  ◦ Segmentation (splitting the image into fixed-size fragments)
  ◦ Verifying hash results
  ◦ Image summary
  ◦ Text doc created along with the final image (the acquisition log holding the case details, drive information and the computed hashes)
RAM Capture
• Demo RAM capture
• Pagefile.sys - the Windows paging file, a system file on disk that backs virtual memory. When physical RAM runs low, the memory manager pages out data it does not currently need (for example, pages belonging to idle or minimized programs) to the pagefile, so memory-resident artefacts can end up on disk as well as in RAM
• When does RAM offload data? Under memory pressure, the least recently used pages, such as those of minimized programs, are written to the pagefile first
• Size of pagefile – the traditional rule of thumb is 1.5 to 2 times RAM; modern Windows sizes it automatically by default
• Speed of access: RAM is fastest; the pagefile lives on the system disk, so an SSD-backed pagefile is faster than an HDD-backed one
• Forensic relevance: capture pagefile.sys together with RAM (FTK Imager's memory capture has an option to include the pagefile)
Demo of Features in FTK Imager
• Identifying file details – Add Evidence Item
• Text vs Hex view
• Retrieving deleted files
• Exporting logical images of selected folders
• Exporting hashes – for the entire drive or folder by folder
• Image mounting using FTK Imager
Evidence Acquisition and preservation using dc3dd
• A typical device in Linux can be addressed or recognized as /dev/sda
• /dev: The directory holding the device nodes for all devices and drives recognized by Linux, which can be read from or written to
• sda: The sd prefix is used for SCSI, SATA and USB mass-storage devices (the SCSI disk driver), and the letter after it gives the drive order: sda is the first drive detected, sdb the second, and so on. A trailing number (sda1, sda2) refers to a partition on that drive
• Confirm the device name before imaging: on a typical workstation sda is the system disk, and reading the wrong node wastes time while writing to it is unrecoverable
• The drive to be imaged is to be connected via a write blocker to the workstation
Device identification using the fdisk command (fdisk -l lists the detected drives with their sizes and partition tables; lsblk gives a similar overview)
• Example evidence device in what follows: a 2 GB flash drive, filesystem FAT32
Maintaining evidence integrity
In this example, the 2 GB flash drive that I'll be using (named test_usb) is recognized as /dev/sdb. Before acquiring it, I created an MD5 hash of the device itself (run as root, since reading the raw device requires it):
md5sum /dev/sdb
Figure 5.3 – Creating an MD5 hash using md5sum
In the previous example, the output of the md5sum command for the 2 GB flash drive is 9f038....1c7d3 /dev/sdb. When performing the acquisition or forensic image of the drive using dc3dd, we should get that exact result when hashing the image file output, which ensures that the original evidence and the copy are exact, thereby maintaining the integrity of the evidence.
I also created an SHA-1 hash (which will be used for comparative purposes) using the following syntax:
sha1sum /dev/sdb
Figure 5.4 – Creating an SHA1 hash using sha1sum
Now that we can identify our devices and create MD5 and SHA-1 hashes in Kali Linux, let's move on to using dc3dd in the next section.
dc3dd
• Also used for forensic wiping of all data on hard disk drives

dc3dd was developed by the Department of Defense Cyber Crime Center (DC3) and is updated whenever DD updates. dc3dd offers the best of DD with more features, including the following:

• On-the-fly hashing using more algorithm choices (MD5, SHA-1, SHA-256, and SHA-512)
• Hash verification
• A meter to monitor progress and acquisition time
• Writing of errors to a file
• Splitting of output files (mix split and unsplit outputs)
• Verification of files
• Wiping of output files (pattern wiping)

Important note
There is another forensic version of DD, called dcfldd, which can be installed on Linux-based systems. dc3dd is a patch of DD and is regularly updated whenever there are updates to DD. dc3dd offers more features than DD, which is why we'll be using it.

Installing dc3dd on Kali Linux
Unlike previous versions of Kali Linux, dc3dd must now be installed manually in Kali Linux 2019.3. First, we'll update our version of Kali Linux by using the apt-get update command:
apt-get update
Figure 5.5 – Updating Kali Linux
Once Kali Linux updates, you can manually install dc3dd by using the apt-get install dc3dd command. It is recommended to run Kali Linux from a flash drive or SD card before performing any live acquisition, which may otherwise tamper with the investigation:
apt-get install dc3dd
Figure 5.6 – Installing dc3dd in Kali Linux

dc3dd is a CLI tool and can be easily run in Kali Linux by first opening a Terminal and typing in dc3dd. To start with, I recommend using the dc3dd --help command, which lists the available parameters used with dc3dd:
dc3dd --help
Creating a forensic image
In the following example, I've used the following options:
Figure 5.8 – Using dc3dd to create an MD5 hash and bit-stream copy of SDB
The code terms used here are:
• if: Specifies the input file, which is the device we will be imaging.
• hash: Specifies the type of hash algorithm we will be using for integrity verification. In this case, I have used the older MD5 hash. dc3dd also accepts sha1, sha256 and sha512 (the algorithms in the feature list above); for a new case, prefer a SHA-2 algorithm, or at least record one alongside MD5.
• log: Specifies the name of the log file that logs the details of the device and the acquisition, including errors.
• of: Specifies the output filename of the forensic image created by dc3dd. Although a .dd image file type was specified in this example, other formats are also recognized by dc3dd, including .img, as seen in a later example. The output is a raw bit-stream image in either case; the extension is only a naming convention.

The device size (in sectors and bytes) should be noted and later compared to the output results for the device field. The last line also displays the progress and status of the acquisition process, showing the amount of data copied, the elapsed time in seconds, and the speed of the imaging process.
Important note
When copying an image to a drive, the destination drive should be of equal size or larger than the image file.

The larger the drive or image file to be acquired, the lengthier the time taken to do so. Might I suggest you get yourself a cup of coffee or other refreshing beverage, or even have a look at some other wonderful titles available from Packt Publishing at https://www.packtpub.com/.

As seen in the preceding screenshot, when using the dc3dd --help command, the typical usage looks as follows:
dc3dd [option 1] [option 2] ... [option n]
Once the acquisition process has been completed, the input and output results are displayed as follows:
Figure 5.9 – Output of the dc3dd command
Figure 5.10 – Output of the dc3dd command displaying the MD5 hash
Analyzing the results, we can see that the same amount of sectors (3913664) have been read from the input device and written to the output image. As a sanity check, 3913664 sectors × 512 bytes = 2,003,795,968 bytes, which is the size of the 2 GB flash drive noted earlier.
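The procedure from the summary slide (hash the source, image it, hash the image, compare, keep a log) together with the if=/hash=/log=/of= workflow just described, as an added example that is not part of the original slides or the dc3dd project. dd and the coreutils hash tools stand in for dc3dd so that the script runs offline against a constructed sample file; the paths, the acquire_verify, verify_image and hash_of function names and the log format are assumptions of the example. Where the text's screenshots show the hashes agreeing, this script performs the comparison itself, and the test following it also shows the check failing once a single byte of the copy is altered.

```sh
#!/bin/sh
# Added example (not from the original slides or the dc3dd project): the
# acquire-hash-compare procedure run end to end against a constructed sample
# "device" file. dd stands in for dc3dd so the script runs anywhere; on a real
# case the imaging line would be the dc3dd command from the text, e.g.
#   dc3dd if=/dev/sdb hash=sha256 log=case.log of=case.dd
# and the read-back comparison below stays exactly the same.

# hash_of ALGO PATH: print the hex digest of a file or block device, where ALGO
# is the coreutils tool prefix (md5, sha1, sha256).
hash_of() {
  "${1}sum" "$2" | awk '{print $1}'
}

# acquire_verify SRC IMAGE LOG [ALGO]
# 1. hash the source before imaging
# 2. image it bit for bit
# 3. hash the image and compare with the source hash
# Every step is appended to LOG, the record the summary slide calls for.
# Returns 0 only when the source and image hashes are identical.
acquire_verify() {
  src=$1; img=$2; log=$3; algo=${4:-sha256}
  echo "acquisition started: $(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$log"
  pre=$(hash_of "$algo" "$src")
  echo "source=$src bytes=$(wc -c <"$src" | tr -d ' ') ${algo}=$pre" >>"$log"
  # bs=512 matches the sector size of the example drive; conv=noerror,sync keeps
  # going past read errors and zero-fills the unreadable sector, as forensic dd
  # variants do (dc3dd also logs such sectors). dd's error text goes to the log.
  dd if="$src" of="$img" bs=512 conv=noerror,sync status=none 2>>"$log" || return 2
  post=$(hash_of "$algo" "$img")
  echo "image=$img bytes=$(wc -c <"$img" | tr -d ' ') ${algo}=$post" >>"$log"
  if [ "$pre" = "$post" ]; then
    echo "result=VERIFIED" >>"$log"
    return 0
  fi
  echo "result=MISMATCH image is not a bit-for-bit copy" >>"$log"
  return 1
}

# verify_image EXPECTED_HASH IMAGE [ALGO]: re-check a working copy of the image
# against the hash recorded at acquisition time (the "work on a copy with hash
# verification" step). Returns 0 on match.
verify_image() {
  [ "$(hash_of "${3:-sha256}" "$2")" = "$1" ]
}

# Demo with constructed data: a 1 MiB file of repeating text plays the evidence.
demo() {
  d=$(mktemp -d)
  yes "constructed evidence sector" | head -c 1048576 >"$d/evidence.bin"
  if acquire_verify "$d/evidence.bin" "$d/evidence.dd" "$d/acquisition.log" sha256; then
    echo "acquisition verified"
  else
    echo "acquisition FAILED verification"
  fi
  cat "$d/acquisition.log"
  rm -rf "$d"
}
demo
```

The important design point is that the source is hashed from the device before the image is written and the image is hashed from the file after dd has closed it; hashing the same stream once while copying (what dc3dd's hash= does) is faster, but an independent read-back of the output is what proves the file on disk is intact.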
122 Evidence Acquisition and Preservation with dc3dd and Guymager
Within my Home folder, the first file, 2GBdcedd.dd, is the output image created by dc3dd using the of= option. The last file, dc3ddusb, is the log file, created when we used the log=dc3ddusb option:
Figure 5.11 – Output of the ls command
To access our forensic image and log file, we can go to our /home directory by clicking on Places (top-left corner) and then Home.
Figure 5.12 – Screenshot of the output file location
It's important to keep this log file to have a record of the acquisition process and its results, which are displayed on-screen upon completion:
In keeping with proper and formal case management, the names of the image file and log file should be unique to the investigator and the investigation for easy reference, as you may find yourself with multiple images and log files later on. The images should also be stored on forensically sound or sanitized drives and labeled accordingly.

As an example, we could clone the forensic image acquired previously (test_usb.dd) onto a new drive recognized as sdc. The command used to perform this task is as follows:
dc3dd if=test_usb.dd of=/dev/sdc log=drivecopy.log
Double-check that /dev/sdc is the intended destination before running this: the of= target is overwritten from its first sector, and dc3dd does not ask for confirmation.

File-splitting using dc3dd

Depending on the size of the evidence, manageability and portability can become an issue. dc3dd has the ability to split forensically acquired images into multiple parts. This is accomplished using the ofsz and ofs options:

• ofsz specifies the size of each output file part.
• ofs specifies the output files with numerical file extensions, typically .000, .001, .002, and so on. The trailing .ooo in the filename is a pattern, not a typo: each o is replaced by one digit of the part number, so .ooo produces a three-digit, zero-padded extension.

The command used to achieve this is as follows:
dc3dd if=/dev/sdb hash=sha1 log=dd_split_usb ofsz=500M ofs=split_test_usb.img.ooo

In the following screenshot, we can see the command as well as the output and status of the process:
Figure 5.14 – The command used to split the acquired file size
Figure 5.15 – The output of the sha1sum option using dc3dd
Using the ls command once more, we can see that the extensions of each of the four split output files are all in numerical format, from .000 to .003 (a 2 GB drive in 500M parts gives three full parts and one smaller final part):
Figure 5.16 – The output of the ls command showing created acquisition images
All split parts of the image file can be found in the Home folder along with the log file:
More on MD5 collisions can be found in this document, written by the researchers responsible for discovering the vulnerability, at http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf. Because MD5 collisions are practical, and SHA-1 collisions have also been demonstrated since, record a second algorithm (SHA-1 here, preferably SHA-256) alongside any MD5 value relied on for evidence integrity.

Verifying hashes of split image files
To verify the hash of the split files, the following command can be used:
cat split_test_usb.img.* | sha1sum
This works because the shell expands the glob in sorted order and the zero-padded .000, .001, ... extensions sort numerically, so the parts are concatenated in the order they were written.
In the following screenshot, we can see that a lengthy SHA-1 hash was created using the preceding command:
Figure 5.22 – SHA1sum split-file verification output
This also matches the sha1sum output of the 2 GB flash drive itself, displayed by using the following command:
sha1sum /dev/sdb
Using this command creates the following output:
If we compare these hashes with the ones created using dc3dd, we would have the exact same MD5 and SHA-1 outputs, proving that these forensic images are exact copies of the original evidence.

Compare the hashes in the following screenshots, created by dc3dd, with the ones in the previous screenshots, by Guymager:
• dc3dd MD5 hash:
Figure 5.20 – MD5 calculation output
• dc3dd SHA-1 hash:
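The cat split_test_usb.img.* | sha1sum check above, as an added example that is not taken from the original slides or from dc3dd. GNU split stands in for dc3dd's ofsz=/ofs= so the script runs offline, and the sample file and the function names split_image, parts_of, hash_parts and verify_split are the example's own assumptions. It adds the two checks a practitioner wants before trusting the concatenated hash: that the part sizes add up to the source size (which catches a missing or truncated part before any hashing), and that the parts are read in numeric order, which is what the zero-padded .000 suffixes guarantee.

```sh
#!/bin/sh
# Added example (not from the original slides or the dc3dd project): verifying a
# split image with `cat parts.* | sha1sum` and the two checks that make that
# result trustworthy. GNU split stands in for dc3dd's ofsz=/ofs= so the script
# runs offline; the .000, .001, ... suffixes match what dc3dd produces for
# ofs=name.ooo, and the sample "device" is a constructed file.

# split_image SRC BASE PART_SIZE: write SRC as BASE.000, BASE.001, ... of
# PART_SIZE bytes each (the last part holds whatever remains), like ofsz=/ofs=.
split_image() {
  split -b "$3" -d -a 3 "$1" "$2."
}

# parts_of BASE: list the parts in numeric order. The glob BASE.[0-9][0-9][0-9]
# expands in sorted order, and because the suffixes are zero-padded that order
# is numeric: .000 .001 ... .009 .010. Suffixes like .1 .10 .2 would not sort
# correctly, which is why the fixed-width .ooo pattern matters.
parts_of() {
  for p in "$1".[0-9][0-9][0-9]; do
    if [ -f "$p" ]; then echo "$p"; fi
  done
}

# hash_parts BASE ALGO: digest of the parts concatenated in numeric order,
# the same computation as `cat BASE.* | sha1sum` in the text.
hash_parts() {
  parts_of "$1" | while read -r p; do cat "$p"; done | "${2}sum" | awk '{print $1}'
}

# verify_split SRC BASE ALGO: 0 only if the parts re-assemble to SRC bit for
# bit. The size check runs first: a missing or truncated part shows up as a
# byte-count mismatch, which is cheaper to find than a hash mismatch and tells
# you what to look for.
verify_split() {
  src_size=$(wc -c <"$1" | tr -d ' ')
  total=0
  n=0
  for p in $(parts_of "$2"); do
    total=$((total + $(wc -c <"$p" | tr -d ' ')))
    n=$((n + 1))
  done
  [ "$n" -gt 0 ] || { echo "no parts found for $2" >&2; return 2; }
  if [ "$total" -ne "$src_size" ]; then
    echo "size mismatch: $n parts total $total bytes, source is $src_size" >&2
    return 1
  fi
  src_hash=$("${3}sum" "$1" | awk '{print $1}')
  parts_hash=$(hash_parts "$2" "$3")
  if [ "$src_hash" = "$parts_hash" ]; then
    echo "$n parts verified, ${3}=$parts_hash"
    return 0
  fi
  echo "hash mismatch: parts=$parts_hash source=$src_hash" >&2
  return 1
}

# Demo with constructed data: 1 MiB split into 300 KiB parts gives three full
# parts and one short one, .000 to .003, like the four parts in the text.
demo() {
  d=$(mktemp -d)
  yes "constructed evidence sector" | head -c 1048576 >"$d/evidence.bin"
  split_image "$d/evidence.bin" "$d/split_evidence.img" 300K
  verify_split "$d/evidence.bin" "$d/split_evidence.img" sha1
  rm -rf "$d"
}
demo
```

On a real case the source hash would come from dc3dd's own output (Figure 5.15) or from sha1sum /dev/sdb, not from re-reading the evidence a second time; the function takes the source path only so that the example is self-contained.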

Erasing a drive using dc3dd

dc3dd can wipe data and erase drives by overwriting data in three ways:

• Overwriting and filling the data and drives with zeroes. The command used is dc3dd wipe=/dev/sdb. Check the device name twice before running it: wipe= destroys everything on the target and there is no confirmation prompt:
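Read-back verification of a zero wipe, as an added example that is not from the original slides or the dc3dd project. dd zero-fills a constructed sample file standing in for /dev/sdb so the script runs offline; the function names zero_fill, verify_zeroed, zero_hash and verify_zeroed_by_hash are the example's own. It shows how to confirm that every byte of the media reads back as zero, and how to precompute the digest a fully zeroed device of a given size must have, so that a wipe can be verified and logged with the same hashing tools used for acquisition.

```sh
#!/bin/sh
# Added example (not from the original slides or the dc3dd project): confirming
# that a wipe actually happened by reading the media back. dd zero-fills a
# constructed sample file that stands in for /dev/sdb so the script runs
# offline; on real media the wipe line is `dc3dd wipe=/dev/sdX`, and the two
# read-back checks below apply unchanged.

# zero_fill TARGET: overwrite every byte of TARGET with 0x00 without changing
# its length (a regular file would otherwise be truncated or grown). This is
# the stand-in for dc3dd wipe=TARGET, which fills the whole device.
zero_fill() {
  size=$(wc -c <"$1" | tr -d ' ')
  head -c "$size" /dev/zero | dd of="$1" conv=notrunc status=none
}

# verify_zeroed TARGET: 0 only if every byte reads back as 0x00. tr deletes
# the NUL bytes, so anything left over is residual data; its count is reported.
verify_zeroed() {
  left=$(tr -d '\000' <"$1" | wc -c | tr -d ' ')
  if [ "$left" -eq 0 ]; then
    echo "$1: $(wc -c <"$1" | tr -d ' ') bytes, all zero"
    return 0
  fi
  echo "$1: $left non-zero byte(s) remain, wipe incomplete" >&2
  return 1
}

# zero_hash SIZE ALGO: the digest a fully zeroed device of SIZE bytes must
# have. Comparing `sha256sum /dev/sdb` with this value is the same kind of
# check used after acquisition, and the value can be written into the wipe log.
zero_hash() {
  head -c "$1" /dev/zero | "${2}sum" | awk '{print $1}'
}

# verify_zeroed_by_hash TARGET ALGO: 0 if TARGET hashes to the zero digest of
# its own size.
verify_zeroed_by_hash() {
  size=$(wc -c <"$1" | tr -d ' ')
  [ "$("${2}sum" "$1" | awk '{print $1}')" = "$(zero_hash "$size" "$2")" ]
}

# Demo with constructed data: a 256 KiB file of text is "wiped" and checked.
demo() {
  d=$(mktemp -d)
  yes "constructed evidence sector" | head -c 262144 >"$d/media.bin"
  verify_zeroed "$d/media.bin" 2>&1 || true      # before: residual data reported
  zero_fill "$d/media.bin"
  verify_zeroed "$d/media.bin"                   # after: all zero
  if verify_zeroed_by_hash "$d/media.bin" sha256; then
    echo "hash matches the zero digest for this size"
  fi
  rm -rf "$d"
}
demo
```

The byte-count check is the one to run first because it names what is left over; the hash check is the one to record, since the expected digest depends only on the device size and can be computed and documented before the drive is ever wiped.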
Image acquisition using Guymager
• Size: 2.0GB

Figure 5.37 – Guymager interface displaying detected drives
