
Digital Forensics

Evidence Collection

1. Digital Image Formats
2. Types of Acquisition and Data Collection Methods
3. Contingency Planning
4. RAID Forensics

All rights reserved


Objectives
 Reference book
– Text Book 1: Guide to Computer Forensics and Investigations: Processing Digital Evidence, 6th Edition
• Bill Nelson et al., 2018
 We are covering Chapter 3 of this book.

Digital Forensics- Riphah International University 2


Forensics Labs Layout
 Home based/Small

Mid Size Digital Forensics Lab

Regional Forensics Lab

Understanding Storage Formats for Digital Evidence
 Data in a forensics acquisition tool is stored as an image file
 Three formats
– Raw format
– Proprietary formats
– Advanced Forensics Format (AFF)

Raw Format
 Makes it possible to write bit-stream data to files
 Advantages
– Fast data transfers
– Ignores minor data read errors on the source drive
– Universal image format
 Disadvantages
– Requires as much storage as the original disk
– Marginal (bad) sectors may be skipped, so their contents are not collected

Proprietary Formats
 Most commercial forensics tools have their own formats
 Several features offered
– Compression, and splitting (segmenting) the image into multiple files
– Metadata integration into the image file
• Date / time, hash value (for self-authentication), investigator name and comments
 Disadvantages
– Non-portable across different tools
– File size limitation for each segmented volume

Advanced Forensics Format (AFF)
 Developed by Dr. Simson as an open-source acquisition format
 Design goals
– Offers compression & segmentation with metadata
– Simple design with extensibility
– Open source for multiple platforms and OS
– Internal consistency checks for self-authentication
– File extensions include .afd for segmented image files and .afm for AFF metadata
For more details, refer to:
www.basistech.com/wp-content/uploads/datasheets/Digital-Forensics-Toolsets-EN.pdf

Determining the Best Acquisition Method
 Types of acquisitions
– Static acquisitions and live acquisitions
 Four methods of data collection
A. Creating a disk-to-image file
• Most common & flexible
B. Creating a disk-to-disk copy
• When disk-to-image is not possible
 Target disk must be wiped before evidence acquisition
• Privazer, file shredder etc.

Determining the Best Acquisition Method
 Four methods of data collection (cont.)
C. Creating a logical disk-to-data file
• Specific files of interest, e.g. files from cloud / RAID systems
D. Creating a sparse data copy of a file or folder
• Recovery of deleted files
 Logical acquisition or sparse acquisition
– When your time is limited
– Logical acquisition captures only specific files of interest to the case
– Sparse acquisition also collects fragments of unallocated (deleted) data
– For large disks
– PST or OST mail files, RAID servers

Cont.
 Determining the best method depends on the circumstances of the investigation
 Tools: ProDiscover, EnCase, FTK, SMART, Sleuth Kit (Autopsy), X-Ways, iLookIX

Contingency Planning for Image Acquisitions
 Create two images of your “best evidence” image
– Preferably with different tools
 Encrypted drives are a real problem
 Use write-blockers to protect the data on the target drive
– Use of write-blockers (software vs. hardware) may or may not be legal

Contingency Planning for Image Acquisitions
 Host Protected Area (HPA) may contain information
– Use tools which can access the HPA
 The host protected area (HPA) is an area of the hard disk invisible to the OS
 HPA is useful only if some software or firmware is able to use it
 HPA can hold
– A preloaded OS, malware / rootkits
Using Acquisition Tools
 Write Blocking Tools
– Hardware & Software

 Software Tools
– Safe Block
• https://www.forensicsoft.com/safeblock.php
– NIST Software Write Blocker
• https://www.cftt.nist.gov/software_write_block.htm

WinFE & Linux
 WinFE – Windows Forensic Environment
– A Windows bootable system which can be used for image acquisition & analysis
• http://mistyprojects.co.uk/mistype/mini-winfe.docs/readme.files/intro.htm
 Forensic Linux Live DVDs / CDs don’t access media automatically
– No need for a write-blocker – other utilities for analysis
• CAINE, Kali Linux, SIFT, Knoppix, F.I.R.E., DEFT

Validating Data Acquisitions
 Validating evidence may be the most critical aspect of computer forensics
– Requires using a hashing algorithm utility
 Validation techniques
– CRC-32, MD5, and SHA-1 to SHA-512

Windows Validation Methods
 Windows has no built-in hashing algorithm tools for computer forensics
– Third-party utilities can be used
 Commercial computer forensics programs also have built-in validation features
– Each program has its own validation technique
 Raw format image files don’t contain metadata
– Separate manual validation is recommended for all raw acquisitions

RAID – Redundant Array of Independent Disks
 RAID – Redundant Array of Independent/Inexpensive Disks
 Basic idea is to connect multiple disks together to provide
– large storage capacity
– faster access for reading / writing data
– a cost-effective redundant data solution
 Many different levels of RAID systems
– differing levels of redundancy, error checking, capacity, and cost

RAID Concepts - Striping
 Take file data and map it to different disks
 Allows for reading data in parallel

[Figure: a file's data is split into consecutive blocks, each written to a different disk]
file data: block 0 | block 1 | block 2 | block 3
           Disk 0  | Disk 1  | Disk 2  | Disk 3

RAID Concepts - Parity
 A mechanism for error checking and correction
 Add up all the bits that are 1
– if even number, set parity bit to 0
– if odd number, set parity bit to 1
 To actually implement this, do an exclusive OR of the respective bits
– Consider the following 2 bytes

Block (Disk 1)   Block (Disk 2)   Parity Block
10110011         00101010         10011001

RAID Concepts - Mirroring
 Keep copies of data on two separate disks
– Gives good error recovery
• if some data is lost, get it from the other source
 Expensive
– requires twice as many disks
 Write performance can be slow
– have to write data to two different spots
 Read performance is enhanced
– can read data from disks in parallel
• Blocks read simultaneously, one from each disk

RAID 5 & 6

Performing RAID Data Acquisitions
 Acquisition of RAID drives can be challenging and frustrating because of how RAID systems are
– Designed
– Configured
– Sized
 Size is the biggest concern
– Many RAID systems now have terabytes of data

RAID Disk Imaging & Forensics
 Implementation styles of RAID
– Hardware-based & software-based RAID
 Early software-based RAID tended to be slow
– the same CPU is used to execute the RAID code
 Recent systems have high computing power
– Open source OSs offer non-proprietary implementations of RAID
– Operating systems like Windows provide their own implementation of RAID

RAID Disk Imaging & Forensics
 Different ways of acquiring data from RAID
– Different tools for collection and reconstructing RAID
 How does the OS recognize RAID?
– For hardware-based RAID, only the volume is visible to the OS & BIOS
– For software-based RAID, the volume as well as the individual disks are visible to the OS

Imaging of RAID
 In RAID, the hard disk is visible as a normal disk
 First step in a forensic process is the collection of evidence
– Complete and correct image of the hard disk
 How can a RAID image be different?
– Image of the complete volume will be different from the images of the individual disks

Imaging of RAID
 RAID 0 / RAID 5 image hash
– Data is spread across multiple disks in both
• Hash depends on whether the disks are imaged independently or as a volume
 RAID 1 image hash (mirror images)
– If the acquired image is of the data area, the hash would be the same for both disks
• Image of the whole disk would be different as it also contains some RAID-specific information
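To make the hashing point concrete, here is an added Python example (not from the slides or the textbook) that models a RAID 0 stripe set and a RAID 1 mirror on constructed byte arrays: re-interleaving the member images in the correct disk order reproduces the volume, whose hash matches none of the member disks, while mirror members hash identically only over their data area. The 4-byte stripe size and the 8-byte per-member header standing in for controller metadata are assumptions.

```python
import hashlib

STRIPE = 4  # constructed stripe (block) size in bytes; real arrays use KiB-sized stripes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def stripe_raid0(volume: bytes, ndisks: int, stripe: int = STRIPE) -> list:
    """Model a RAID 0 write: block k of the volume lands on member disk k % ndisks."""
    disks = [bytearray() for _ in range(ndisks)]
    for k, off in enumerate(range(0, len(volume), stripe)):
        disks[k % ndisks] += volume[off:off + stripe]
    return [bytes(d) for d in disks]


def rebuild_raid0(disk_images: list, stripe: int = STRIPE) -> bytes:
    """Re-interleave independently imaged members; disk_images must be in array order."""
    blocks_per_disk = len(disk_images[0]) // stripe
    volume = bytearray()
    for j in range(blocks_per_disk):
        for image in disk_images:
            volume += image[j * stripe:(j + 1) * stripe]
    return bytes(volume)


def mirror_raid1(data: bytes) -> list:
    """Model RAID 1: identical data areas behind a per-member metadata header.
    The 8-byte header is a constructed stand-in for controller/superblock metadata."""
    return [b"MIRROR%02d" % i + data for i in range(2)]


def raid1_hashes(disk_images: list, header: int = 8) -> tuple:
    """Hashes of the whole member disks versus of their data areas only."""
    whole = [sha256(img) for img in disk_images]
    data_area = [sha256(img[header:]) for img in disk_images]
    return whole, data_area


if __name__ == "__main__":
    vol = bytes(range(48))                  # constructed 48-byte volume
    members = stripe_raid0(vol, 4)          # four independently imaged member disks
    print("volume   ", sha256(vol)[:16])
    print("rebuilt  ", sha256(rebuild_raid0(members))[:16])
    print("reversed ", sha256(rebuild_raid0(members[::-1]))[:16])
    whole, data = raid1_hashes(mirror_raid1(vol))
    print("RAID 1 data-area hashes equal:", data[0] == data[1])
    print("RAID 1 whole-disk hashes equal:", whole[0] == whole[1])
```

Running it shows why a volume hash recorded by the array controller can never be compared directly against hashes of the individual member images.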

Imaging of RAID
 Accuracy & completeness are two key parameters in RAID imaging
 RAID presents a transparent view of the data
– Tools must be able to create a complete image of the target
 Hardware RAID presents a challenge
– Hard disks cannot be imaged independently

Reconstruction of RAID image
 Reconstruction of the RAID depends upon the acquisition mode
 Two cases
– If the full RAID volume is imaged on non-RAID media, no additional processing is required
– If the RAID drives are imaged independently, reconstruction is needed

Reconstruction of RAID image
 RAID 5 reconstruction requirements
– Disk order
– Data block size
– Data block arrangement
– Fragmentation

 RAID Tools
– RAID Reconstructor (Runtime Software)
– R-Studio
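The parity XOR from the earlier slide and the RAID 5 reconstruction requirements above (disk order, block size, block arrangement), as an added Python example that is not from the slides or the tools listed: it lays data out with left-asymmetric rotating parity (an assumed layout; the real arrangement is one of the things a reconstruction tool must determine), then reassembles the volume from member images, regenerating one missing member from the XOR of the surviving blocks.

```python
from functools import reduce


def xor_blocks(*blocks: bytes) -> bytes:
    """Bitwise XOR of equal-length blocks: the parity operation from the slide."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def build_raid5(volume: bytes, ndisks: int, stripe: int) -> list:
    """Write a volume to ndisks members with left-asymmetric rotating parity (assumed):
    in stripe row r the parity block sits on disk (ndisks - 1 - r) % ndisks and the
    data blocks fill the remaining disks left to right."""
    per_row = (ndisks - 1) * stripe
    disks = [bytearray() for _ in range(ndisks)]
    for r, off in enumerate(range(0, len(volume), per_row)):
        data = [volume[o:o + stripe] for o in range(off, off + per_row, stripe)]
        pdisk = (ndisks - 1 - r) % ndisks
        it = iter(data)
        row = [None if d == pdisk else next(it) for d in range(ndisks)]
        row[pdisk] = xor_blocks(*data)
        for d in range(ndisks):
            disks[d] += row[d]
    return [bytes(d) for d in disks]


def rebuild_raid5(images: list, stripe: int) -> bytes:
    """Reassemble the volume from member images given in disk order. A failed member is
    passed as None and is regenerated row by row from the XOR of the surviving blocks."""
    ndisks = len(images)
    missing = [d for d, img in enumerate(images) if img is None]
    if len(missing) > 1:
        raise ValueError("RAID 5 tolerates only one failed disk")
    nrows = len(next(img for img in images if img is not None)) // stripe
    volume = bytearray()
    for r in range(nrows):
        row = [None if img is None else img[r * stripe:(r + 1) * stripe] for img in images]
        if missing:
            row[missing[0]] = xor_blocks(*(b for b in row if b is not None))
        pdisk = (ndisks - 1 - r) % ndisks
        volume += b"".join(row[d] for d in range(ndisks) if d != pdisk)
    return bytes(volume)


if __name__ == "__main__":
    print(xor_blocks(bytes([0b10110011]), bytes([0b00101010])) == bytes([0b10011001]))
    vol = bytes(range(96))                 # constructed 96-byte volume, 4 disks, 8-byte stripes
    members = build_raid5(vol, 4, 8)
    degraded = members[:2] + [None] + members[3:]   # disk 2 lost
    print(rebuild_raid5(members, 8) == vol, rebuild_raid5(degraded, 8) == vol)
```

Feeding rebuild_raid5() a wrong disk order or stripe size silently yields a different byte stream, which is why those parameters must be established (and documented) before the reconstructed volume is analysed.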

Acquiring RAID Disks
 More tools for RAID
– Technology Pathways ProDiscover
– Guidance Software EnCase
– X-Ways Forensics
– AccessData FTK
– Runtime Software
– R-Tools Technologies
 RAID system may be too large for a static acquisition
– Retrieve only the data relevant to the investigation with
the sparse or logical acquisition method

Using Remote Network Acquisition Tools
 You can remotely connect to a suspect computer via a
network connection and copy data from it
– Remote acquisition tools vary in configurations and
capabilities

 Drawbacks
– Antivirus, antispyware, and firewall tools can be
configured to ignore remote access programs
– Suspects could easily install their own security tools that
trigger an alarm to notify them of remote access
intrusions

Creating an image in Linux
 dd command in Linux (copies the first 512-byte sector, the MBR, to mbr.img):
$ sudo dd if=/dev/sda bs=512 count=1 of=mbr.img
 Output:

Skipping blocks when reading and writing
$ sudo dd if=/dev/sda of=hidden-data-after-mbr count=2047 skip=1

In the opposite situation, when we want to restore the cloned data and write it back to the same disk zone, we use the seek option.

$ sudo dd if=hidden-data-after-mbr of=/dev/sda seek=1

Compressing the data read by dd:

$ sudo dd if=/dev/sda bs=1M | gzip -c -9 > sda.dd.gz

Wiping a block device

$ sudo dd if=/dev/zero bs=1M of=/dev/sda

– The command reads from the /dev/zero device
– /dev/zero provides null characters, and dd writes them to the device until it is completely filled

Using the dcfldd Command
 It can also produce hashes while cloning the data.
 It also shows how much data has been copied so far.
 Use the command man dcfldd to learn how the command is used with its different switches/options.
 The dcfldd --help command will show you how to use the syntax properly.
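The dd block arithmetic (skip=, seek=, count=) from the earlier slides and dcfldd's hash-while-copying behaviour, as an added Python model that is not part of the slides and not the tools' own code: dd_copy() moves whole blocks between two byte streams and hashes what it writes, and demo() replays the "count=2047 skip=1" save and the "seek=1" restore on a constructed 2 MiB disk image.

```python
import hashlib
import io


def dd_copy(src, dst, bs=512, count=None, skip=0, seek=0, hashes=("md5", "sha256")):
    """Copy whole blocks the way dd does: skip `skip` input blocks, seek past `seek`
    output blocks, transfer at most `count` blocks of `bs` bytes (all of the input when
    count is None). The bytes written are hashed on the fly, as dcfldd's hash= option
    does. Returns (blocks_copied, {algorithm: hexdigest})."""
    digests = {name: hashlib.new(name) for name in hashes}
    src.seek(skip * bs)
    dst.seek(seek * bs)
    copied = 0
    while count is None or copied < count:
        block = src.read(bs)
        if not block:            # end of input reached
            break
        dst.write(block)
        for h in digests.values():
            h.update(block)
        copied += 1
    return copied, {name: h.hexdigest() for name, h in digests.items()}


def hexdigest(data: bytes, algorithm: str) -> str:
    """Reference hash of an in-memory buffer, for checking dd_copy's running hashes."""
    return hashlib.new(algorithm, data).hexdigest()


def demo(bs: int = 512):
    """Constructed 2 MiB disk: sector 0 = boot sector, sectors 1-2047 = the gap before
    the first partition, sectors 2048+ = partition contents. Replays the slide's
    'count=2047 skip=1' save and 'seek=1' restore."""
    original = b"B" * bs + b"G" * (2047 * bs) + b"P" * (2048 * bs)
    disk, image = io.BytesIO(original), io.BytesIO()
    copied, sums = dd_copy(disk, image, bs=bs, count=2047, skip=1)
    # later the gap has been zeroed; put the saved sectors back at the same offset
    damaged = io.BytesIO(b"B" * bs + b"\x00" * (2047 * bs) + b"P" * (2048 * bs))
    image.seek(0)
    dd_copy(image, damaged, bs=bs, seek=1)
    return copied, sums, image.getvalue(), damaged.getvalue() == original


if __name__ == "__main__":
    n, sums, _, restored_ok = demo()
    print(f"copied {n} blocks, md5 {sums['md5']}, restore identical: {restored_ok}")
```

Because the hash is computed over the bytes actually written, a later hash of the image file that differs from the recorded digest tells you the copy was altered or truncated after acquisition.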

Cont…
 To find the drive, the df command is used:

Cont…
Second method is using the dmesg | grep sd command:

Third method is using the dir /dev/sd* command:

Cont…
 Now we have a drive to take an image of in the forensics process.
 Use the dcfldd command now to take the image:
dcfldd if=/dev/sdb1 of=/tmp/usb
 The image is copied bit by bit, and it will take a long time depending on the amount of data.
 We can check the file in the /tmp folder with the command:
ls -DF /tmp

Making a forensically sound copy of the image

mkdir /media/usb
mount -o ro /tmp/usb /media/usb/

Assignment 2
 Do the same tasks as mentioned in Assignment 1.
 The OS would be Kali Linux.
 Acquisition of data from the USB device should be done using the dd and dcfldd tools.
 Analyze the data with the Autopsy tool in Kali Linux.
 All the remaining requirements of this assignment are the same as mentioned in Assignment 1.

Thanks
?
