
Computer Hacking Forensic Investigator

Module XII
Data Acquisition and Duplication
Scenario

Adams Central Band Director Jeremy Johnson, 26, of 227 West South St., was formally charged on September 21, 2006 with seven counts of child seduction and 41 counts of possession of child pornography. Investigators found hundreds of images of child pornography on Johnson’s home computer.

Johnson was accused of seducing a senior female student at Adams Central during the previous school year. The girl was then 18. Johnson had been taking part in a special sharing service over the Internet and appeared to have been trading child porn back and forth with other collectors.

Det. Sgt. Steve Cale and Det. Gary Burkhart initiated the investigation and collected Johnson’s desktop computer and laptop. During the investigation, they found that there were over 500 images that appeared to be of children less than age 18 in a state of nudity, engaged in various stages of sexual activity. They also found some emails that consisted of pornographic messages.

Source: http://www.news-banner.com/index/news-app/story.4999

Copyright © by EC-Council
EC-Council All rights reserved. Reproduction is strictly prohibited
Module Objective

This module will familiarize you with the following:

~ Determining the best data acquisition methods.
~ Understanding data recovery contingencies.
~ Data acquisition tools.
~ The need for data duplication.
~ Data duplication tools.

Module Flow

~ Data acquisition methods
~ Data recovery contingencies
~ Data acquisition tools
~ Need for data duplication
~ Data duplication tools

Determining the Best Acquisition Methods
~ Forensic investigators acquire digital evidence using the
following methods:
• Creating a bit-stream disk-to-image file.
• Making a bit-stream disk-to-disk copy.
• Creating a sparse data copy of a folder or file.

Data Recovery Contingencies

~ Investigators must make contingency plans for the case where data acquisition fails.
~ To preserve digital evidence, investigators need to create a duplicate copy of the evidence files.
~ In case the original data recovered is corrupted, investigators can make use of the second copy.
~ Using at least two data acquisition tools to create copies of the evidence is preferred, in case the investigator’s preferred tool does not properly recover the data.

Need for Data Duplication

~ Data duplication is essential for the proper preservation of digital evidence.
~ Destructive devices can be planted in the system by the owner. Evidence can be destroyed if the investigator is not careful.
~ Data fragments can be overwritten, and data stored in the Windows swap file can be altered or destroyed.

MS-DOS Data Acquisition Tool: DriveSpy

~ DriveSpy enables the investigator to direct data from one particular sector range to another sector.
~ DriveSpy provides two methods in accessing disk sector ranges:
• A built-in Sector (and Cluster) Hex Viewer, which can be used to examine DOS and non-DOS partitions.
• Configurable logging capabilities to document the investigation (keystroke-by-keystroke, if desired).
• The ability to create and restore compressed forensic images of drive partitions.
• Full scripting capabilities to automate processing activities.

Using Windows Data Acquisition Tools

~ Windows data acquisition tools allow the investigator to easily acquire evidence from a disk with the help of removable media such as USB storage devices.
~ These tools can also use FireWire to connect hard disks to the forensic lab systems.
~ Data acquisition tools in Windows cannot acquire data from the host protected area of the disk.

FTK Imager

~ FTK Imager allows you to acquire physical device images and logically
view data from FAT, NTFS, EXT 2 and 3 as well as HFS and HFS+ file
systems.
~ http://www.accessdata.com

Acquiring Data on Linux

~ Forensic investigators use the built-in Linux command “dd” to copy data from a disk drive.
~ This command can make a bit-stream disk-to-disk file, disk-to-image file, block-to-block copy, or block-to-file copy.
~ The “dd” command can copy data from any disk that Linux can mount and access.
~ Other forensic tools, such as AccessData FTK and ILook, can read dd image files.
~ Syntax:
  dd if=/*source* of=/*destination*
where:
  if = infile, or evidence you are copying (a hard disk, tape, etc.)
  source = source of evidence
  of = outfile, or copy of evidence
  destination = where you want to put the copy

dd command

~ dd if=<source> of=<target> bs=<byte size> skip= seek= conv=<conversion>
  bs is "USUALLY" some power of 2, not less than 512 bytes (i.e., 512, 1024, 2048, 4096, 8192, 16384), but can be ANY reasonable number.
~ Let's say we have a 2GB hard disk seized as evidence. We will use dd to make a complete physical backup of the hard disk:
• dd if=/dev/hda of=/dev/case5img1
~ Copy one hard disk partition to another hard disk:
• dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror
~ Make an ISO image of a CD:
• dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc
~ Copy a floppy disk:
• dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc
~ Restore a disk partition from an image file:
• dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror
~ Copy RAM memory to a file:
• dd if=/dev/mem of=/home/sam/mem.bin bs=1024
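The following script is an added example, not code from the EC-Council slides: it runs the dd acquisition described above and then verifies the image by comparing MD5 hashes of source and copy, the same check the Windows dd port performs with --md5sum/--verifymd5. The evidence source is a constructed file (2049 sectors of the byte "E") rather than a real device, so the script runs offline; md5sum from GNU coreutils is assumed to be installed. It also shows a caveat the slides leave out: when conv=sync is used, bs must divide the source size exactly, or dd pads the last block and the hashes no longer match.

```shell
#!/bin/sh
# Added example, not code from the EC-Council slides: image a drive with dd
# and verify the copy by comparing MD5 hashes, as the --md5sum/--verifymd5
# options of the Windows dd port do. The evidence source is a constructed
# file so the script runs offline; on a real acquisition the source would be
# a write-blocked block device such as /dev/sda, which is only ever read.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/evidence.raw"        # constructed stand-in for the seized drive
IMG="$WORK/case5img1.dd"        # bit-stream image (name taken from the slide)
LOG="$WORK/acquisition.log"

# Constructed evidence: 2049 sectors of 512 bytes (1 MiB + one sector),
# deliberately NOT a multiple of 4096 so the bs caveat below shows up.
dd if=/dev/zero bs=512 count=2049 2>/dev/null | tr '\000' 'E' > "$SRC"

# acquire SOURCE IMAGE BS: bit-stream copy. conv=noerror keeps reading past
# unreadable sectors and conv=sync pads a short read with zeros so later
# data keeps its offset in the image; the dd statistics go to the log.
acquire() {
    dd if="$1" of="$2" bs="$3" conv=noerror,sync 2>>"$LOG"
}

# file_size FILE: size in bytes (the first check after any acquisition).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# verify SOURCE IMAGE: hash both, log the hashes, succeed only on a match.
verify() {
    src_hash=$(md5sum "$1" | cut -d' ' -f1)
    img_hash=$(md5sum "$2" | cut -d' ' -f1)
    printf 'source %s  %s\nimage  %s  %s\n' "$src_hash" "$1" "$img_hash" "$2" >>"$LOG"
    [ "$src_hash" = "$img_hash" ]
}

# Caveat the slides do not mention: with conv=sync, bs must divide the
# source size exactly, or dd pads the final block and the hashes differ.
acquire "$SRC" "$WORK/padded.dd" 4096
if verify "$SRC" "$WORK/padded.dd"; then
    echo "bs=4096: verified"
else
    echo "bs=4096: MISMATCH, image is $(file_size "$WORK/padded.dd") bytes" \
         "for a $(file_size "$SRC")-byte source (padded last block)"
fi

# bs=512 (the sector size) divides the source exactly: image and source match.
acquire "$SRC" "$IMG" 512
if verify "$SRC" "$IMG"; then
    echo "bs=512: verified, $(file_size "$IMG") bytes"
fi
cat "$LOG"
```

The size comparison comes first because it is cheap and catches the padding case immediately; the hash comparison is what goes in the case notes. On a real drive, use bs equal to the device's logical sector size (or a multiple that divides the total sector count) when conv=sync is in play, and keep the log file with the image.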

Extracting the MBR

~ To see the contents of the MBR, use these commands:
# dd if=/dev/hda of=mbr.bin bs=512 count=1
# od -xa mbr.bin
~ The dd command, which needs to be run as root, reads the first 512 bytes from /dev/hda (the first Integrated Drive Electronics, or IDE, drive) and writes them to the mbr.bin file.
~ The od command prints the binary file in hex and ASCII formats.
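The script below is an added example, not code from the EC-Council slides: it performs the same 512-byte dd extraction, shows the od -xa view, and then checks what came back (full 512 bytes, 0x55AA boot signature at offset 510) before decoding the four partition table entries at offset 446. The "disk" is a constructed 1 MiB file with a hand-built partition table so the script runs offline; on real hardware if= would name a write-blocked device and dd would run as root. The entry values (type 0x83, LBA start 2048, 131072 sectors) are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the EC-Council slides: pull the MBR off a
# disk with dd (first 512 bytes, as the slide does) and check what came
# back before relying on it. The "disk" is a constructed 1 MiB file with a
# hand-built partition table so the script runs offline; on real hardware
# if= would name a write-blocked device such as /dev/sda and dd runs as root.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DISK="$WORK/disk.raw"   # constructed stand-in for /dev/hda
MBR="$WORK/mbr.bin"

# Constructed disk: 2048 zero sectors, one partition entry at offset 446
# (bootable, type 0x83 Linux, LBA start 2048, 131072 sectors) and the
# 0x55AA boot signature at offset 510. conv=notrunc keeps the file size.
dd if=/dev/zero of="$DISK" bs=512 count=2048 2>/dev/null
printf '\200\001\001\000\203\376\377\377\000\010\000\000\000\000\002\000' \
    | dd of="$DISK" bs=1 seek=446 conv=notrunc 2>/dev/null
printf '\125\252' | dd of="$DISK" bs=1 seek=510 conv=notrunc 2>/dev/null

# The slide's extraction: one 512-byte block from the start of the disk.
dd if="$DISK" of="$MBR" bs=512 count=1 2>/dev/null

# byte_hex FILE OFFSET: one byte as two hex digits (od -j skips, -N limits).
byte_hex() {
    od -An -tx1 -j"$2" -N1 "$1" | tr -d ' \n'
}

# le32 FILE OFFSET: 32-bit little-endian value, assembled from decimal bytes
# so the result does not depend on the host's byte order.
le32() {
    set -- $(od -An -tu1 -j"$2" -N4 "$1")
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# mbr_signature FILE: the two bytes at 510-511, "55aa" on a valid MBR.
mbr_signature() {
    od -An -tx1 -j510 -N2 "$1" | tr -d ' \n'
}

# Partition table: four 16-byte entries starting at offset 446.
partition_type()    { byte_hex "$1" $((446 + 16 * $2 + 4)); }
partition_start()   { le32     "$1" $((446 + 16 * $2 + 8)); }
partition_sectors() { le32     "$1" $((446 + 16 * $2 + 12)); }

# Sanity checks an examiner records before using the extracted MBR.
[ "$(wc -c < "$MBR" | tr -d ' ')" -eq 512 ] || { echo "short read"; exit 1; }
[ "$(mbr_signature "$MBR")" = "55aa" ] || { echo "no boot signature"; exit 1; }

# The slide's od -xa view of the last lines, then the decoded entries.
od -xa "$MBR" | tail -n 3
i=0
while [ $i -lt 4 ]; do
    echo "entry $i: type 0x$(partition_type "$MBR" $i)" \
         "start LBA $(partition_start "$MBR" $i)" \
         "sectors $(partition_sectors "$MBR" $i)"
    i=$((i + 1))
done
```

A missing signature or a short read usually means the wrong device was named or the drive uses a GPT with a protective MBR (type 0xEE in the first entry), and either case is worth noting before any partition is mounted from the image.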
Netcat Command

~ Source Machine

• dd if=/dev/hda bs=16065b | netcat targethost-IP 1234

~ Target Machine

• netcat -l -p 1234 | dd of=/dev/hdc bs=16065b

dd Command (Windows XP Version)
~ Linux dd utility ported to Windows.

dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img --md5sum --verifymd5 --md5out=d:\images\PhysicalDrive0.img.md5

Mount Image Pro

~ Mount Image Pro is a computer forensics tool for computer forensics investigations. It enables the mounting of EnCase, Unix/Linux DD, SMART, and ISO image files as a drive letter under the Windows file system.
~ It fully maintains the MD5 hash integrity, which can be tested by a reacquisition of the mounted drive and a comparison of MD5 checksums.
~ It will also open EnCase password-protected image files without the password.
Snapshot Tool

Snapshot is a data acquisition tool.

Snapback DatArrest

~ SnapBack Live allows DatArrest to perform a true image backup of a server while it is live and in use.
~ DatArrest can recover all files, including deleted files. The DatArrest Suite provides the ability to copy:
• Server hard drive to tape.
• PC hard drive to tape.
• Server or PC hard drive to removable media.
• Hard drive to hard drive.
• Tape to tape.
~ http://www.datarrest.com

Data Acquisition Tool: SafeBack

~ SafeBack is the industry standard for making evidence-grade bit-stream backups of hard drives.
~ SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirror-image copy of an entire hard disk drive or partition.
~ SafeBack creates a log file of all transactions it performs.
~ http://www.forensics-intl.com/safeback.html

Hardware Tool: Image MASSter Solo-3 Forensic

~ Designed exclusively for forensic data acquisition.
~ The ImageMASSter Solo-3 Forensic data imaging tool is a lightweight, portable hand-held device that can acquire data to one or two evidence drives at speeds exceeding 3GB/min.
~ http://www.ics-iq.com
Image MASSter Solo-3 Forensic (cont’d)
~ Features:
• MD5 and CRC32 Hashing
• Touch Screen User Interface
• High Speed Operation
• Built in Write Protection
• Built in FireWire 1394B and USB 2.0 Interface
• Captures to Two Evidence Drives Simultaneously
• Multiple Capture Methods
• WipeOut
• Audit Trail and Logs
• Multiple Media Support
• Upgradeable
~ Software features:
• Device Configuration Overlay (DCO) Option
• Host Protected Area (HPA) Option
• WipeOut DoD Option
• WipeOut Fast Option
• LinkMASSter Application
• Linux-DD Capture Option

Hardware Tool: LinkMASSter-2 Forensic

~ The LinkMASSter II is a high-speed forensic data acquisition device that provides the tools necessary to seize data from a suspect’s unopened notebook or PC using the FireWire 1394A/B or USB 1.0/2.0 interface.
~ The device supports the MD5, CRC32, or SHA1 hashing methods during data capture, ensuring that the transferred data is an exact replica of the suspect’s data without modification.
~ Seize data from P-ATA, S-ATA, SCSI or notebook drives.
~ Data transfer rates can exceed 3GB/min.


LinkMASSter-2 Forensic (cont’d)

~ Features:
• FireWire 1394B and USB 2.0 Interface
• MD5 and CRC32 and SHA1 Hashing
• Forensic Toolkit Graphical User Interface
• High-speed Operation
• Multiple Capture Methods
• Write Protection
• Multiple Media Support
• WipeOut
• Audit Trail and Logs
~ Software Features:
• LinkMASSter Application
• Hashing
• Single Capture Option
• Linux-DD Capture Option
• Intelligent Capture Option
• WipeOut DoD Option
• WipeOut Fast Option
Hardware Tool: RoadMASSter-2

~ The RoadMASSter II Forensics data acquisition and analysis tool is designed to perform both as a fast and reliable hard drive imaging and data analysis tool.
~ This computer forensic system is built for
the road with all the tools necessary to
acquire or analyze data from today’s
common interface technologies including
FireWire, USB, Flash, ATA, S-ATA, and
SCSI.
~ This computer forensic portable lab is
used by law enforcement agencies, as well
as corporate security to acquire data and
analyze data in the field.
RoadMASSter-2 (cont’d)
~ Features:
• MD5 and CRC32 and SHA1 hashing
• Forensic toolkit graphical user interface
• High-speed operation
• Multiple capture methods
• Built-in write protection
• Built-in LinkMASSter FireWire 1394B and USB 2.0 interface
• Multiple media support
• Preview and analyze
• WipeOut
• Audit trail and logs
~ Software Features:
• WipeOut DoD option
• WipeOut fast option
• LinkMASSter application
• Linux-DD capture mode
• Single capture mode
• Intelligent capture mode

Data Duplication Tool: R-drive Image

~ R-Drive Image is an important tool that provides disk image file creation for backup or duplication purposes.
~ A disk image file contains an exact, byte-by-byte copy of a hard drive, partition, or logical disk.
~ R-Drive can create partitions with various compression levels freely without stopping the Windows OS.
~ These drive image files can then be stored in a variety of places, including various removable media such as CD-R(W) or DVD-R(W), Iomega Zip, or Jaz disks.

Data Duplication Tool: DriveLook

~ The DriveLook tool has the following features:
• Indexes the hard drive for the text that was written to it.
• Searches through a list of all words stored on the drive.
• Views the location of words in the disk editor.
• Switches between different views.
• Uses an image file as input.
• Accesses remote drives through a serial cable or TCP/IP.

Data Duplication Tool: DiskExplorer
~ DiskExplorer aids examiners in investigating any drive and recovering data.
~ Two versions of DiskExplorer exist:
• DiskExplorer for FAT
• DiskExplorer for NTFS
~ The tool also has provisions to navigate through the drive by jumping to the:
• Partition table.
• Boot record.
• Master file table.
• Root directory.

Save-N-Sync
~ The quickest, easiest, and most economical way to synchronize a small number of folders.
~ It allows you to synchronize and back up files from a source folder on one computer to a target folder on a second networked computer or storage device.

Hardware Tool: ImageMASSter 6007SAS

~ The ImageMASSter 6007SAS is the only hard drive duplication unit in the market that supports SAS (Serial Attached SCSI) hard drives.
~ It copies simultaneously at very high speed from SATA/SAS/SCSI/IDE hard drives to any 7 SAS/SATA/IDE target hard drives.
~ The ImageMASSter 6007SAS is a Windows-based machine with one gigabit network connection, which allows downloading or uploading files to or from drives using network drives.
ImageMASSter 6007SAS (cont’d)

~ Features:
• High-speed copy operation
• SAS and SATA duplicator
• SCSI duplicator
• Server migration
• All operating systems can be copied
• Supports any file system
• Network connectivity
• Mount and modify drives
• Hot swap drives
• Scale partitions
• Windows based
~ Software Features:
• MultiMASSter
• IQCOPY
• Auto scale and format partitions
• Image copy
• WipeOut DoD
• WipeOut fast option
• Store log information
• Multiple copy modes
• Error detection and verification
• Manage user defined settings
• WipeOut
Hardware Tool: Disk Jockey IT

~ Designed exclusively for IT data duplication.
~ The Disk Jockey IT data imaging tool is a lightweight, portable hand-held device that can copy data to one or two target drives at speeds exceeding 2GB/min.
~ Mirror two hard disk drives for real-time backup (RAID level 1), and data is stored simultaneously on both drives.
~ Data can be copied from one disk to another, with no need for a computer, at speeds of up to 2 GB/min.
Disk Jockey IT (cont’d)

~ Features:
• Standalone HD mode
• Mirroring
• Spanning
• Fast disk-to-disk copies
• Disk copy compare / verification
• Hard disk read test
• Two levels of erase


SCSIPAK
~ SCSIPAK is a software- and tape-based data conversion and duplication system.
~ It is a set of system tools which extends the support of tape drives under the Microsoft Windows NT and Windows 2000 operating systems.
~ Data can be downloaded from a tape or optical disk and then written simultaneously to up to seven drives at once.
~ The image file from the tape or optical medium is stored under NT, along with an index file which contains details of tape file and set marks, directory partitions, or unused optical sectors.
~ This allows for the duplication of even complex format tapes and optical disks.
IBM DFSMSdss

~ A reliable utility to quickly move, copy, and back up data.
~ Functions:
• Move and replicate data.
• Manage storage space efficiently.
• Back up and recover data.
• Convert data sets and volumes.
~ FlashCopy in DFSMSdss:
• FlashCopy provides a fast data duplication capability.
• This option helps eliminate the need to stop applications for extended periods of time in order to perform backups and restores.

Tape Duplication System: QuickCopy

~ QuickCopy is the premier tape duplication system for data/software distribution applications.
~ QuickCopy is a complete production system for software and data distribution.
~ Features:
• Duplicates a master tape to one or more target tapes.
• Duplicates from master images stored on hard drives.
• Multi-tasking for mixed jobs.
• 100% verification of all copies made at user option.
• Microsoft NT operating system and user interface (GUI).
• Available CD-R copying with QuickCopy-CD option.

Summary

~ Investigators can acquire data in three ways: creating a bit-stream disk-to-image file, making a bit-stream disk-to-disk copy, or creating a sparse data copy of a specific folder path or file.
~ Data duplication is essential for the proper preservation of digital evidence.
~ Windows data acquisition tools allow the investigator to easily acquire evidence from a disk with the help of removable media, such as USB storage devices.
~ Forensic investigators use the built-in Linux command dd to copy data from a disk drive.
~ The “SavePart” command retrieves information about the partition space in the hard disk.