Acquisition and Tools: Planning Your Investigation

1. A basic investigation plan includes acquiring evidence, completing evidence forms, transporting evidence to a forensics lab, securing evidence in containers, preparing workstations, making forensic copies of evidence, and returning original evidence to containers.
2. Bit-stream copies create an exact bit-by-bit copy of the original storage medium, unlike backups, which only copy known files. Bit-stream images contain a copy of all disk data.
3. Forensic analysts acquire evidence images to preserve the original evidence and conduct analysis only on copies, using tools like FTK Imager or dd to make bit-stream copies and hash algorithms to verify copy integrity.


Acquisition and Tools

COMP 2555: Principles of Computer Forensics
Autumn 2014
http://www.cs.du.edu/2555

L2: Acquisition and Tools

1 Planning Your Investigation

- A basic investigation plan should include the following activities:
  - Acquire the evidence
  - Complete an evidence form and establish a chain of custody
  - Transport the evidence to a computer forensics lab
  - Secure evidence in an approved secure container
  - Prepare a forensics workstation
  - Obtain the evidence from the secure container
  - Make a forensic copy of the evidence
  - Return the evidence to the secure container
  - Process the copied evidence with computer forensics tools


2 Understanding Bit-Stream Copies

- Bit-stream copy
  - Bit-by-bit copy of the original storage medium
  - Exact copy of the original disk
  - Different from a simple backup copy
    - Backup software only copies known files
    - Backup software cannot copy deleted files, e-mail messages or recover file fragments
- Bit-stream image
  - File containing the bit-stream copy of all data on a disk or partition
  - Also known as forensic copy

3 Bit-stream Copies (contd.)

- Copy image file to a target disk that matches the original disk's manufacturer, size and model

[Figure: original disk -> disk with image -> target disk]


4 Acquiring an Image of Evidence Media

- First rule of computer forensics
  - Preserve the original evidence
  - Conduct your analysis only on a copy of the data
- Tools
  - ProDiscover Basic
  - FTK Imager
  - Linux dd command

5 Integrity of Digital Evidence

- Maintain the integrity of digital evidence in the lab
  - As you do when collecting it in the field
- First steps:
  - Create image files in a large drive
  - Start your forensics tool to analyze the evidence
  - Run an MD5 or SHA-1 hashing algorithm on the source and the image files to get a digital hash (and match)
  - Secure the original media in an evidence locker


6 A Simple Hash Function

Input "Forensics", passed through the hash function (sum of the ASCII codes):

  ASCII(F) = 070
  ASCII(o) = 111
  ASCII(r) = 114
  ASCII(e) = 101
  ASCII(n) = 110
  ASCII(s) = 115
  ASCII(i) = 105
  ASCII(c) = 099
  ASCII(s) = 115
  _________________
  Sum        940
  In Hex     0x3AC

  Forensics -> HASH FUNCTION -> 0x3AC

7 A Simple Hash Function (contd.)

Input "forensics" (only the first letter changed to lower case):

  ASCII(f) = 102
  ASCII(o) = 111
  ASCII(r) = 114
  ASCII(e) = 101
  ASCII(n) = 110
  ASCII(s) = 115
  ASCII(i) = 105
  ASCII(c) = 099
  ASCII(s) = 115
  _________________
  Sum        972
  In Hex     0x3CC

  forensics -> HASH FUNCTION -> 0x3CC


8 Obtaining a Digital Hash

- Cyclic Redundancy Check (CRC)
  - Mathematical algorithm that determines whether a file's contents have changed
  - Most recent version is CRC-32
  - Not considered a forensic hashing algorithm
- Message Digest 5 (MD5)
  - Mathematical formula that translates a file into a hexadecimal code value, or a hash value
  - Also called a message digest
  - If a bit or byte in the file changes, it alters the digital hash

9 Another Hash Function

  11010011              input
  11010011 000          input padded with 3 zero bits to the right
  1011                  XOR with a random string of 4 bits, with highest order bit = 1
  01100011 000
   1011
  00111011 000
    1011
  00010111 000
     1011
  00000001 000
         1 011
  00000000 011          3-bit hash value of the input 11010011


10 Another Hash Function (contd.)

  10010011              input
  10010011 000          input padded with 3 zero bits to the right
  1011                  XOR with the same 4-bit string
  00100011 000
    1011
  00001111 000
      1011
  00000100 000
         101 1
  00000001 100
         1 011
  00000000 111          3-bit hash value of the input 10010011

11 Obtaining a Digital Hash (contd.)

- Three rules for forensic hashes:
  - Given the hash value, you can't easily find the file or device from which it was generated
  - No two hash values can be the same
    - Called a collision if it happens
  - If anything changes in the file or device, the hash value must change
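The division walked through on slides 9 and 10, as an added shell script that is not part of the course material: it performs the same modulo-2 polynomial division, generalised to any input length and divisor width, using only POSIX sh arithmetic. The function names (bin2dec, dec2bin, crc_remainder) are my own, not from any tool the slides mention.

```shell
#!/bin/sh
# Added example (not from the slides): the CRC-style remainder of slides 9-10,
# computed as modulo-2 division on a padded bit string.

# bin2dec BITS: binary string -> decimal (POSIX sh has no base-2 literals)
bin2dec() {
  n=0; s=$1
  while [ -n "$s" ]; do
    n=$(( n * 2 + ${s%"${s#?}"} ))   # ${s%"${s#?}"} is the first character of $s
    s=${s#?}                          # drop that character
  done
  echo "$n"
}

# dec2bin VALUE WIDTH: decimal -> zero-padded binary string of WIDTH bits
dec2bin() {
  v=$1; w=$2; out=""
  while [ "$w" -gt 0 ]; do
    out="$(( v & 1 ))$out"
    v=$(( v >> 1 )); w=$(( w - 1 ))
  done
  echo "$out"
}

# crc_remainder INPUT DIVISOR: both binary strings, DIVISOR starting with a 1 bit.
# Appends (len(DIVISOR)-1) zero bits to INPUT, then repeatedly XORs the divisor
# under the leftmost remaining 1 bit, exactly as the slide does by hand.
# Prints the remainder, i.e. the (len(DIVISOR)-1)-bit hash value.
crc_remainder() {
  deg=$(( ${#2} - 1 ))
  v=$(( $(bin2dec "$1") << deg ))   # input padded with deg zero bits on the right
  div=$(bin2dec "$2")
  i=$(( ${#1} + deg - 1 ))          # index of the highest bit of the padded input
  while [ "$i" -ge "$deg" ]; do
    if [ $(( (v >> i) & 1 )) -eq 1 ]; then
      v=$(( v ^ (div << (i - deg)) ))
    fi
    i=$(( i - 1 ))
  done
  dec2bin $(( v & ((1 << deg) - 1) )) "$deg"
}

crc_remainder 11010011 1011   # 011, as on slide 9
crc_remainder 10010011 1011   # 111, as on slide 10
```

Flipping a single input bit (11010011 versus 10010011 above) changes the remainder, which is the property slide 8 credits to a CRC; a 3-bit remainder has only eight possible values, which is why a CRC detects accidental change but is not treated as a forensic hash.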


12 Collisions

  elvis -> HASH FUNCTION -> 0x223
  lives -> HASH FUNCTION -> 0x223      collision

13 Obtaining a Digital Hash (contd.)

- Secure Hash Algorithm version 1 (SHA-1)
  - A newer hashing algorithm
  - Developed by the National Institute of Standards and Technology (NIST)
- In both MD5 and SHA-1, collisions have occurred
  - Two different inputs producing the same hash value
  - But they are still used since the collisions are rare
- Collisions make a hash function weak
  - Cannot always avoid but can make their occurrences infrequent
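The ASCII-sum hash of slides 6 and 7 and the elvis/lives collision of slide 12, as one added shell script that is not part of the slides: it reproduces the slide values, then hashes the same pair with sha256sum to show that a real digest separates them. The function names (simple_hash, collides, real_hash) are my own.

```shell
#!/bin/sh
# Added example, not part of the course material: the toy hash of slides 6-7,
# the collision of slide 12, and the same inputs under SHA-256 for contrast.

# simple_hash STRING: add the ASCII code of every byte, print the sum in hex
simple_hash() {
  sum=0
  for code in $(printf '%s' "$1" | od -An -tu1); do   # od prints one decimal per byte
    sum=$(( sum + code ))
  done
  printf '0x%X\n' "$sum"
}

# collides A B: "collision" when two different inputs give the same simple_hash
collides() {
  if [ "$1" != "$2" ] && [ "$(simple_hash "$1")" = "$(simple_hash "$2")" ]; then
    echo collision
  else
    echo distinct
  fi
}

# real_hash STRING: SHA-256 of the same bytes (hex digest only)
real_hash() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

simple_hash Forensics    # 0x3AC (slide 6)
simple_hash forensics    # 0x3CC (slide 7: one byte changed, hash changed)
collides elvis lives     # collision (slide 12): every anagram has the same sum
collides elvis elvis     # distinct (same input is not a collision)
real_hash elvis
real_hash lives          # differs from the line above
```

The sum hash violates the third rule on slide 11 in an obvious way: any reordering of the bytes leaves the value unchanged, so "elvis" and "lives" collide by construction rather than by chance.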


14 Obtaining a Digital Hash (contd.)

- Most computer forensics hashing needs can be satisfied with a nonkeyed hash function
  - A unique hash number generated by a software tool, such as the Linux md5sum command
- Keyed hash set
  - Created by an encryption utility's secret key
  - Secret key is used by the hash function to generate the digest
- You can use the MD5 function in FTK Imager to obtain the digital signature of a file
  - Or an entire drive

15 Storage Formats for Digital Evidence

- Three formats
  - Raw format
  - Proprietary formats
  - Advanced Forensics Format (AFF)


16 Raw Format

- Makes it possible to write bit-stream data to files
- Advantages
  - Fast data transfers
  - Can ignore minor data read errors on source drive
  - Most computer forensics tools can read raw format
- Disadvantages
  - Requires as much storage as original disk or data
  - Tools might not collect marginal (bad) sectors

17 Proprietary Formats

- Features offered
  - Option to compress or not compress image files
  - Can split an image into smaller segmented files
  - Can integrate metadata into the image file
- Disadvantages
  - Inability to share an image between different tools
  - File size limitation for each segmented volume


18 Advanced Forensics Format

- Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation
- Design goals
  - Provide compressed or uncompressed image files
  - No size restriction for disk-to-image files
  - Provide space in the image file or segmented files for metadata
  - Simple design with extensibility
  - Open source for multiple platforms and OSs
  - Internal consistency checks for self-authentication
- File extensions include .afd for split image files and .afm for AFF metadata

19 Data Acquisition Types

- Types of acquisitions
  - Static acquisitions
    - Deriving a drive image without booting from it
    - Typically done on a seized computer
  - Live acquisitions
    - Deriving a drive image when it is being used
    - Acquiring a network drive without bringing it down
- Four methods
  - Bit-stream disk-to-image file
  - Bit-stream disk-to-disk
  - Logical disk-to-disk or disk-to-data file
  - Sparse data copy of a file or folder
20 Data Acquisition Types (contd.)

- Bit-stream disk-to-image file
  - Most common method
  - Can make more than one copy
  - Copies are bit-for-bit replications of the original drive
  - ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
- Bit-stream disk-to-disk
  - Useful for large disks
  - When disk-to-image copy is not possible
    - RAID servers
  - Consider disk's geometry configuration
  - EnCase, SafeBack, SnapCopy

21 Data Acquisition Types (contd.)

- Logical acquisition or sparse acquisition
  - When your time is limited
  - Logical acquisition captures only specific files of interest to the case
    - E.g. Outlook .pst or .ost files during an e-mail investigation
  - Sparse acquisition also collects fragments of unallocated (deleted) data


22 Data Acquisition Types (contd.)

- When making a copy, consider:
  - Size of the source disk
    - Lossless compression might be useful
    - Use digital signatures for verification
    - When working with large drives, an alternative is using tape backup systems
  - Whether you can retain the disk

23 Contingency Planning

- Create a duplicate copy of your evidence image file
- Make at least two images of digital evidence
  - Use different tools or techniques
- Copy the host protected area (HPA) of a disk drive as well
  - HPA is a part of the drive that is not visible to an operating system
  - Consider using a hardware acquisition tool that can access the drive at the BIOS level
- Be prepared to deal with encrypted drives


24 Using Acquisition Tools

- Acquisition tools for Windows
  - Advantages
    - Make acquiring evidence from a suspect drive more convenient
      - Especially when used with hot-swappable devices
  - Disadvantages
    - Must protect acquired data with a well-tested write-blocking hardware device
    - Tools can't acquire data from a disk's host protected area

25 Blocking USB Writes in Windows

- See Page 107 of book
- Applies to current Windows versions as well
- Back up the Registry
  - E.g. use the Windows System Restore feature to create a restore point
- Modify the Registry with the write-protection feature
- Create two desktop icons to automate switching between enabling and disabling writes to USB devices


26 Using a Write-Blocker

- Write-blocker
  - Prevents data writes to a hard disk
- Software-enabled blockers
  - Software write-blockers are OS dependent
  - Example: PDBlock from Digital Intelligence
- Hardware options
  - Ideal for GUI forensic tools
  - Act as a bridge between the suspect drive and the forensic workstation

27 Using a Write-Blocker (contd.)

- Can navigate to the blocked drive with any application
  - Discards the written data
  - For the OS the data copy is successful
- Connecting technologies
  - FireWire
  - USB 2.0
  - SCSI controllers


28 Acquiring Data with a Linux Boot CD

- Linux can access a drive that isn't mounted
- Windows OSs and newer Linux automatically mount and access a drive
- Forensic Linux Live CDs don't access media automatically
  - Which eliminates the need for a write-blocker
- Using Linux Live CD Distributions
  - Contain additional utilities
  - Configured not to mount, or to mount as read-only, any connected storage media
  - Well-designed Linux Live CDs for computer forensics
    - DEFT Linux (http://www.deftlinux.net/download/)
    - Helix3 Pro

29 Acquiring with a Linux Boot CD (contd.)

- Preparing a target drive for acquisition in Linux
  - Linux distributions can create Microsoft FAT and NTFS partition tables
  - fdisk command lists, creates, deletes, and verifies partitions in Linux
  - mkfs.msdos command formats a FAT file system from Linux
  - See Page 111 of book
- Acquiring data with dd in Linux
  - dd ("data dump") command
  - Can read and write from media device and data file
  - Creates raw format file that most computer forensics analysis tools can read
30 Acquiring with a Linux Boot CD (contd.)

- Acquiring data with dd in Linux (contd.)
  - Shortcomings of dd command
    - Requires more advanced skills than average user
    - Does not compress data
  - dd command combined with the split command
    - Segments output into separate volumes
- Acquiring data with dcfldd in Linux
  - dd command is intended as a data management tool
    - Not designed for forensics acquisitions

31 Acquiring with a Linux Boot CD (contd.)

- Acquiring data with dcfldd in Linux (contd.)
  - dcfldd additional functions
    - Specify hex patterns or text for clearing disk space
    - Log errors to an output file for analysis and review
    - Use several hashing options
    - Refer to a status display indicating the progress of the acquisition in bytes
    - Split data acquisitions into segmented volumes with numeric extensions
    - Verify acquired data with original disk or media data
  - Sample: man page available at http://linux.die.net/man/1/dcfldd

      dcfldd if=/dev/hd0 hash=md5,sha256 hashwindow=100M md5log=md5.txt sha256log=sha256.txt hashconv=after bs=512 conv=noerror,sync split=1G splitformat=aa of=driveimage.dd
32 Validating Data Acquisitions

- Most critical aspect of computer forensics
- Requires using a hashing algorithm utility
- Validation techniques
  - CRC-32, MD5, and SHA-1 to SHA-512

33 Linux Validation Methods

- Validating dd acquired data
  - You can use md5sum or sha1sum utilities
  - md5sum or sha1sum utilities should be run on all suspect disks and volumes or segmented volumes
- Validating dcfldd acquired data
  - Use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512
  - hashlog option outputs hash results to a text file that can be stored with the image files
  - vf (verify file) option compares the image file to the original medium

      dcfldd if=/dev/sda vf=sda.img
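The acquire-split-hash-verify cycle of the dcfldd sample on slide 31 and the md5sum/sha1sum validation of slide 33, as an added shell script that is not part of the course material. It uses plain dd, split, md5sum and sha256sum (coreutils) rather than dcfldd, which may not be installed, and images a constructed file of random bytes instead of /dev/sda; the same dd options as the slide (bs=512 conv=noerror,sync) and two-letter split suffixes like splitformat=aa are kept. Function names (hash_of, hash_segments, acquire_and_verify) are my own.

```shell
#!/bin/sh
# Added example, not the course's own script: image a constructed source file
# with the dd options from slide 31, split the image, and validate source,
# image and segments against each other with md5sum and sha256sum (slide 33).
set -e

# hash_of FILE TOOL: print only the hex digest produced by md5sum/sha256sum
hash_of() {
  "$2" "$1" | cut -d' ' -f1
}

# hash_segments TOOL PREFIX: digest of all segments concatenated in name order,
# so a segmented image can be compared with the source as one stream
hash_segments() {
  cat "$2"?? | "$1" | cut -d' ' -f1
}

# acquire_and_verify SIZE_BYTES
# 1. constructs an "evidence" file of SIZE_BYTES random bytes (sample input, not real media)
# 2. images it with dd bs=512 conv=noerror,sync (noerror: keep going past read
#    errors; sync: pad every short input block with zeros up to bs)
# 3. splits the image into 1 KiB segments named driveimage.dd.aa, .ab, ...
# 4. writes an md5 and a sha256 log beside the image, then prints OK when the
#    source, the image and the concatenated segments all hash the same, else MISMATCH
acquire_and_verify() {
  size=$1
  work=$(mktemp -d)
  head -c "$size" /dev/urandom > "$work/evidence.bin"

  dd if="$work/evidence.bin" of="$work/driveimage.dd" bs=512 conv=noerror,sync 2>/dev/null
  (cd "$work" && split -b 1024 driveimage.dd driveimage.dd.)

  result=OK
  for tool in md5sum sha256sum; do
    src=$(hash_of "$work/evidence.bin" "$tool")
    img=$(hash_of "$work/driveimage.dd" "$tool")
    seg=$(hash_segments "$tool" "$work/driveimage.dd.")
    printf 'source   %s\nimage    %s\nsegments %s\n' "$src" "$img" "$seg" > "$work/$tool.log"
    [ "$src" = "$img" ] && [ "$img" = "$seg" ] || result=MISMATCH
  done

  rm -rf "$work"
  echo "$result"
}

acquire_and_verify 4096   # OK: 4096 is a multiple of bs=512, so sync adds no padding
acquire_and_verify 4100   # MISMATCH: the final 4-byte block is padded to 512 bytes
```

The second call is the caveat behind slide 33's advice to hash the original medium and the image separately: conv=sync pads the last short block, so an image of a source whose length is not a multiple of bs is longer than the source and hashes differently. For a whole block device the capacity is a whole number of sectors and no padding occurs; for a file or a partial read it does. dcfldd's hashconv=after on slide 31 hashes the data after that conversion, so the logged value describes the image as written, not the raw source.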


34 Windows Validation Methods

- Windows has no built-in hashing algorithm tools for computer forensics
  - Third-party utilities can be used
- Commercial computer forensics programs also have built-in validation features
  - Each program has its own validation technique
- Raw format image files don't contain metadata
  - Separate manual validation is recommended for all raw acquisitions

35 Types of Computer Forensics Tools

- Hardware forensic tools
  - Range from single-purpose components to complete computer systems and servers
- Software forensic tools
  - Types
    - Command-line applications
    - GUI applications
  - Commonly used to
    - copy data from a suspect's disk drive to an image file
    - aid in evidence collection


36 Tasks Performed by Tools

- Five major categories:
  - Acquisition
  - Validation and discrimination
  - Extraction
  - Reconstruction
  - Reporting
- Many tools let you perform more than one of these tasks

37 Acquisition Tools

- Acquisition
  - Making a copy of the original drive
- Subfunctions
  - Physical data copy
  - Logical data copy
  - Data acquisition format
  - Command-line acquisition
  - GUI acquisition
  - Remote acquisition
  - Verification


38 Acquisition Tools (contd.)

- Two types of data-copying methods are used in software acquisitions:
  - Physical copying of the entire drive
  - Logical copying of a disk partition
- The formats for disk acquisitions vary
  - From raw data to vendor-specific proprietary compressed data
- You can view the contents of a raw image file with any hexadecimal editor

39 A Hexadecimal Editor

[Figure: a hexadecimal editor]


40 Acquisition Tools (contd.)

- Creating smaller segmented files is a typical feature in vendor acquisition tools
- All computer forensics acquisition tools have a method for verification of the data-copying process
  - That compares the original drive with the image

41 Validation and Discrimination

- Validation
  - Ensuring the integrity of data being copied
- Discrimination of data
  - Remove good data from suspicious data
  - Involves sorting and searching through all investigation data


42 Validation and Discrimination (contd.)

- Subfunctions
  - Hashing
    - CRC-32, MD5, Secure Hash Algorithms
  - Filtering
    - Based on hash value sets
  - Analyzing file headers
    - Discriminate files based on their types
- National Software Reference Library (NSRL) has compiled a list of known file hashes
  - For a variety of OSs, applications, and images

43 File Discrimination Using Header

[Figure: a typical JPEG file header]
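Two of the discrimination subfunctions on slide 42, filtering against a known-hash set and classifying by file header (slide 43), as an added shell script that is not part of the course material. The known-hash list is a constructed one-line file standing in for an NSRL-style set, the sample directory is built by the script itself, and the function names (header_type, known_status, make_samples, triage) are my own. The only real constant used is the JPEG header bytes FF D8 FF.

```shell
#!/bin/sh
# Added example, not from the slides: discriminate files by a known-hash set
# and by leading bytes, run over a constructed sample directory.
set -e

JPEG_MAGIC=ffd8ff   # first three bytes of a JPEG file, matched as lower-case hex

# header_type FILE: classify by the first three bytes, never by the extension
header_type() {
  case "$(od -An -tx1 -N3 "$1" | tr -d ' \n')" in
    "$JPEG_MAGIC") echo jpeg ;;
    *)             echo unknown ;;
  esac
}

# known_status FILE HASHSET: "known" when FILE's MD5 appears in HASHSET
# (one hex digest per line), otherwise "unknown"
known_status() {
  h=$(md5sum "$1" | cut -d' ' -f1)
  if grep -qx "$h" "$2"; then echo known; else echo unknown; fi
}

# make_samples DIR: constructed inputs, not real evidence
make_samples() {
  mkdir -p "$1"
  printf 'Standard system file contents\n' > "$1/system.dll"
  printf '\377\330\377\340JFIF' > "$1/holiday.txt"   # JPEG header hidden under a .txt name
  printf 'just a note\n' > "$1/notes.txt"
  # the "known good" set: only system.dll's digest is in it
  md5sum "$1/system.dll" | cut -d' ' -f1 > "$1/known_hashes.txt"
}

# triage DIR: print "<name> <header type>" for every file NOT in the known set,
# i.e. the files an examiner still has to look at
triage() {
  for f in "$1"/*; do
    case "$f" in *known_hashes.txt) continue ;; esac
    if [ "$(known_status "$f" "$1/known_hashes.txt")" = unknown ]; then
      printf '%s %s\n' "$(basename "$f")" "$(header_type "$f")"
    fi
  done
}

dir=$(mktemp -d)
make_samples "$dir"
triage "$dir"
# holiday.txt jpeg
# notes.txt unknown
rm -rf "$dir"
```

system.dll is filtered out because its digest is in the set, and holiday.txt is reported as a JPEG despite its extension; in practice the known-hash set would be the NSRL list named on slide 42 and the header table would cover many more types than the one signature used here.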


44 Extraction

- Extraction
  - Recovery task in a computing investigation
  - Most demanding of all tasks to master
  - Recovering data is the first step in analyzing an investigation's data
- Subfunctions
  - Data viewing
  - Keyword searching
  - Decompressing
  - Carving
  - Decrypting
  - Bookmarking
- Keyword search speeds up analysis for investigators

45 Extraction (contd.)

- From an investigation perspective, encrypted files and systems are a problem
- Many password recovery tools have a feature for generating potential password lists
  - For a password dictionary attack
- If a password dictionary attack fails, you can run a brute-force attack

46 Reconstruction

- Reconstruction
  - Re-create a suspect drive to show what happened during a crime or an incident
- Subfunctions
  - Disk-to-disk copy
  - Image-to-disk copy
  - Partition-to-partition copy
  - Image-to-partition copy
- Some tools that perform an image-to-disk copy:
  - SafeBack, SnapBack, EnCase, FTK Imager, ProDiscover

47 Reporting

- Reporting
  - To complete a forensics disk analysis and examination, you need to create a report
- Subfunctions
  - Log reports
  - Report generator
- Use this information when producing a final report for your investigation


48 Using Validation Protocols

- Always verify your results
  - Use at least two tools
    - Retrieving and examination
    - Verification
- Understand how tools work (the reason why we are in this class)
  - What is it that the tools do?
- One way to compare results and verify a new tool is by using a disk editor
  - Lets you do a little more than hex editors such as Hex Workshop or WinHex

49 References

- Ch 4, 7: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN: 978-1-435-49883-9
- Useful links:
  - http://www.forensicswiki.org/wiki/Category:Live_CD
  - http://www.deftlinux.net
    - Very helpful: http://www.deftlinux.net/deft-manual/
  - http://linux.die.net/man/1/dcfldd
