ROLL NO:-217504 CLASS:-TYCS SUBJECT:-CYBER FORENCIS Objectives
Determining the best acquisition method
Using Acqusition tools Validating Forensic Data Capturing an image with Pro Discover Basic and Access Data FTK Imager Lite Storage Format
Data in a Forensic Acquisition tool is stored as an image file
Three Format:- 1) Raw Format 2) Proprietary Formats 3) Advanced Forensics Format(AFF) Choice of Acquisition methods
Types of Acquisition:- 1. Static Acquisitions 2. Live Acquisitions Four methods of data collection:-
Creating a disk-to-image File
Creating a Disk-to-Disk Creating a logical disk-to-disk or disk-to-data file Creating a sparse data Data of a file or folder Creating a Disk-to-image file
Most common method and offers most flexibility.
Can make more than one copy Copies are bit-to-bit replicatioins of the original drive ProDiscover EnCase FTK Smart Creating a disk-to-disk
When disk-to-image copy is not possible
Tools can adjust disk’s geometry configuration. EnCase SafeBack SnapCopy Logical Acquisiton or sparse Acquisition
Can take several hours – use when your time is limited
Logical Acquisition captures only specific files of interest of the case. Sparse acquisition collects fragments of unllocated (deleted data) For Large Disks PST OR OST mail Files RAID Servers Use of Acquisition Tools
Acquisition tools For Windows
Advantages:- Make Acquiring evidence from suspect drive more Convinient Especially when used with hot-swappable devices Disdvantages:- Must Protect acquired data with a well-tested write-blocking hardware device. Tools can’t acquired data from disk’s host protected area Some countries haven’t accepted the use of writeBloking data acqusitions. Validating data Acquisitions
Validating evidence may be the most critical aspect of computer Forensics.
Requires using a hashing Algorithm utility validation Techniques. CRC-32 MD5 SHA-1 SHA-512 THANK YOU