Professional Documents
Culture Documents
and Investigations
Fourth Edition
CHAPTER 4
DATA ACQUISITION
Modified 9-23-10
Objectives
List digital evidence storage formats
Explain ways to determine the best acquisition method
Describe contingency planning for data acquisitions
Explain how to use acquisition tools
Objectives (continued)
Explain how to validate data acquisitions
Describe RAID acquisition methods
Explain how to use remote network acquisition tools
List other forensic tools available for data acquisitions
Understanding Storage
Formats for Digital
Evidence
What Is Data Acquisition in Digital Forensics?
The gathering and recovery of sensitive data during a digital forensic investigation is known as
data acquisition.
Cybercrimes often involve the hacking or corruption of data.
Digital forensic analysts need to know how to access, recover, and restore that data as well as
how to protect it for future management.
This involves producing a forensic image from digital devices and other computer technologies.
Static acquisition
Traditional digital forensics it is focused on examining a duplicate called copy of disk to take out memory
contents, like the files which are deleted, history of web browsing, file fragments, network connections,
opened files, user login history etc. to create a timeline which gives a view i.e. partial or summary statics about
the activities performed on the victim system before shutting it down.
In static analysis different kind of software and hardware tools like Fundl, RegCon are used for memory
dumping and sorting of evidentiary data for analysis and presentation purpose.
Forensic data is acquired by using different kinds of external devices like USBs, external hard derives etc. or
CD,DVDs and then this data is brought into the forensic lab for investigators to perform different kinds of
operations/steps to forensically analyze evidentiary data.
live digital forensics
Information is gathered, analyzed and reports are generated, while the compromised system
remains functional,
Tools used for live digital forensic analysis can provide very clear pictures of knowledge such as memory
dumps, running processes, open network connections and unencrypted versions of encrypted files,
while such memory contents cannot be acquired properly in static analysis.
It means that the live analysis provides the consistency and integrity of forensic data.
This gathered information can be used in different ways to produce forensic evidence or to represent
the forensically activities and actions performed by user directly or by remote login on that
compromised system.
Determining the Best Acquisition Method
As mentioned, there are two types of acquisitions: static acquisitions and live acquisitions.
Typically, a static acquisition is done on a computer seized during a police raid, for example.
If the computer has an encrypted drive, a live acquisition is done if the password or paraphrase is
available --the computer is powered on and has been logged on to by the suspect.
Static acquisitions are always the preferred way to collect digital evidence.
However, they do have limitations in some situations, such as an encrypted drive that’s readable only
when the computer is powered on or a computer that’s accessible only over a network.
Understanding Storage Formats for
Digital Evidence
Two types of data acquisition
◦ Static acquisition
◦ Copying a hard drive from a powered-off system
◦ Used to be the standard
◦ Does not alter the data, so it's repeatable
◦ Live acquisition
◦ Copying data from a running computer
◦ Now the preferred type, because of hard disk encryption
◦ Cannot be repeated exactly—alters the data
◦ Also, collecting RAM data is becoming more important
◦ But RAM data has no timestamp, which makes it much harder to use
Understanding Storage Formats for
Digital Evidence
Terms used for a file containing evidence data
◦ Bit-stream copy
◦ Bit-stream image
◦ Image
◦ Mirror
◦ Sector copy
File extensions include .afd for segmented image files and .afm for AFF metadata
AFF is open source
Determining the Best
Acquisition Method
Determining the Best Acquisition
Method
Types of acquisitions
◦ Static acquisitions and live acquisitions
Four methods
◦ Bit-stream disk-to-image file
◦ Bit-stream disk-to-disk
◦ Logical
◦ Sparse
Bit-stream disk-to-image file
What Is a Disk Image File
◦ Disk image files contain a copy of a data storage device such as a hard disk drive, CD-ROM, or DVD.
◦ These files are created as an exact duplicate of the original disk, where it captures all of its contents, including the file system structure,
◦ Because disk image files are exact copies of a disk, these types of files also act as actual physical disks, which need to be mounted and
unmounted before and after use. A disk image file’s byte-per-byte disk copy is what makes it the perfect format for storing data, making
◦ A sparse acquisition is similar but also collects fragments of unallocated (deleted) data
◦ An example of a logical acquisition is an e-mail investigation that requires collecting only Outlook .pst or .ost files.
◦ Another example is collecting only specific records from a large RAID server. If you have to recover data from a RAID or storage
area network (SAN) server with several exabytes (EB) or more of data storage, the logical method might be the only way you c
acquire the evidence. In e-discovery for the purpose of litigation, a logical acquisition is becoming the preferred method,
FTK Imager can’t acquire drive’s host protected area (but ProDiscover can)
Capturing an Image with AccessData
FTK Imager (continued)
Capturing an Image with AccessData
FTK Imager (continued)
Steps
◦ Boot to Windows
◦ Connect evidence disk to a write-blocker
◦ Connect target disk
◦ Start FTK Imager
◦ Create Disk Image
◦ Use Physical Drive option
Capturing an Image with AccessData
FTK Imager (continued)
Capturing an Image with AccessData
FTK Imager (continued)
Capturing an Image with AccessData
FTK Imager (continued)
Capturing an Image with AccessData
FTK Imager (continued)
Validating Data
Acquisitions
Validating Data Acquisitions
Most critical aspect of computer forensics
Requires using a hashing algorithm utility
Validation techniques
◦ CRC-32, MD5, and SHA-1 to SHA-512
MD5 has collisions, so it is not perfect, but it’s still widely used
SHA-1 has some collisions but it’s better than MD5
A new hashing function will soon be chosen by NIST
Linux Validation
Validating dd acquired data
Methods
◦ You can use md5sum or sha1sum utilities
◦ md5sum or sha1sum utilities should be run on all suspect disks and volumes or
segmented volumes
RAID 6
◦ Redundant parity on each disk
Older hardware-firmware RAID systems can be a challenge when you’re making an image
Acquiring RAID Disks (continued)
Vendors offering RAID acquisition functions
◦ Technologies Pathways ProDiscover
◦ Guidance Software EnCase
◦ X-Ways Forensics
◦ Runtime Software
◦ R-Tools Technologies