Lec 2

The document discusses data acquisition methods for digital forensics investigations. It describes storage formats for digital evidence, considerations for determining the best acquisition method, and techniques like bit-stream copying, logical copying, compression, and using tape backups for large drives.

Uploaded by

aldd63502
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
35 views

Lec 2

The document discusses data acquisition methods for digital forensics investigations. It describes storage formats for digital evidence, considerations for determining the best acquisition method, and techniques like bit-stream copying, logical copying, compression, and using tape backups for large drives.

Uploaded by

aldd63502
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 23

Lec. 2
Guide to Computer Forensics and Investigations
Fourth Edition

Data Acquisition
Objectives
• List digital evidence storage formats
• Explain ways to determine the best acquisition method
• Describe contingency planning for data acquisitions
• Explain how to use acquisition tools

Objectives (continued)
• Explain how to validate data acquisitions
• Describe RAID acquisition methods
• Explain how to use remote network acquisition tools
• List other forensic tools available for data acquisitions

Understanding Storage Formats for Digital Evidence
• Two types of data acquisition
– Static acquisition
• Copying a hard drive from a powered-off system
• Used to be the standard
• Does not alter the data, so it's repeatable
– Live acquisition
• Copying data from a running computer
• Now the preferred type, because of hard disk encryption
• Cannot be repeated exactly—alters the data
• Also, collecting RAM data is becoming more important
– But RAM data has no timestamp, which makes it much harder to use

Storage Formats for Digital Evidence
• Terms used for a file containing evidence data
– Bit-stream copy
– Bit-stream image
– Image
– Mirror
– Sector copy
• They all mean the same thing
Storage Formats for Digital Evidence

• Three formats
– Raw format
– Proprietary formats
– Advanced Forensics Format (AFF)
Raw Format
• This is what the Linux dd command makes
• Bit-by-bit copy of the drive to a file
• Advantages
– Fast data transfers
– Can ignore minor data read errors on source drive
– Most computer forensics tools can read raw format
Raw Format
• Disadvantages
– Requires as much storage as original disk or data
– Tools might not collect marginal (bad) sectors
• Low threshold of retry reads on weak media spots
• Commercial tools use more retries than free tools
– Validation check must be stored in a separate file
• Message Digest 5 (MD5)
• Secure Hash Algorithm (SHA-1 or newer)
• Cyclic Redundancy Check (CRC-32)

Types of Validation Check
• The MD5 message-digest algorithm is a widely used hash function producing a 128-bit hash value. MD5 can be used as a checksum to verify data integrity
• SHA-1 (Secure Hash Algorithm 1) is a hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest
• CRC-32 is an error-detecting code commonly used in digital networks and storage devices to detect accidental changes to digital data. Blocks of data entering these systems get a short check value attached
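The raw-format workflow the slides describe (a bit-by-bit copy, a limited retry budget on weak media spots, and the validation checks kept in a separate file) as an added example; this is illustration code, not material from the lecture or the book. It assumes a constructed in-memory drive in place of real hardware: SimulatedDrive, acquire_raw, the sector contents and the weak-sector table are all made up for the demonstration. A sector that still fails after the retry budget is zero-filled so the image keeps its offsets, which is what dd's conv=noerror,sync does, and its index is recorded for the examiner.

```python
import hashlib
import zlib

# Constructed stand-in for a source drive: eight 512-byte sectors. Sector 3 is
# a "weak spot" that fails its first two reads, like marginal media. None of
# this is real evidence data.
SECTOR_SIZE = 512
SECTORS = [bytes([i]) * SECTOR_SIZE for i in range(8)]
WEAK_SECTORS = {3: 2}  # sector index -> reads that fail before one succeeds


class SimulatedDrive:
    """Constructed source device (hypothetical): read_sector raises on weak spots."""

    def __init__(self, sectors, weak):
        self.sectors = sectors
        self.failures_left = dict(weak)

    def read_sector(self, index):
        if self.failures_left.get(index, 0) > 0:
            self.failures_left[index] -= 1
            raise IOError(f"read error at sector {index}")
        return self.sectors[index]


def acquire_raw(drive, sector_count, retries):
    """Bit-by-bit copy with `retries` extra attempts per sector.

    A sector that fails every attempt is zero-filled (dd conv=noerror,sync
    behaviour) and its index is returned so the image's gaps are documented.
    """
    image = bytearray()
    zero_filled = []
    for index in range(sector_count):
        data = None
        for _ in range(retries + 1):
            try:
                data = drive.read_sector(index)
                break
            except IOError:
                continue
        if data is None:
            data = b"\x00" * SECTOR_SIZE
            zero_filled.append(index)
        image += data
    return bytes(image), zero_filled


def validation_record(image):
    """The checks the slides list; raw format keeps them outside the image."""
    return {
        "md5": hashlib.md5(image).hexdigest(),
        "sha1": hashlib.sha1(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),  # "SHA-1 or newer"
        "crc32": format(zlib.crc32(image) & 0xFFFFFFFF, "08x"),
    }


def sidecar_text(record):
    """Render the record the way a sidecar .md5/.sha1 file would hold it."""
    return "".join(f"{algo}  {value}\n" for algo, value in record.items())


def verify(image, record):
    """Recompute every check and report, per algorithm, whether it matches."""
    current = validation_record(image)
    return {algo: current[algo] == record[algo] for algo in record}


def acquisition_demo(retries):
    """Acquire the constructed drive with a given retry budget."""
    drive = SimulatedDrive(SECTORS, WEAK_SECTORS)
    image, zero_filled = acquire_raw(drive, len(SECTORS), retries)
    return image, zero_filled, validation_record(image)


if __name__ == "__main__":
    # A low retry threshold loses sector 3; a higher one recovers it.
    image_low, bad_low, rec_low = acquisition_demo(retries=1)
    image_high, bad_high, rec_high = acquisition_demo(retries=5)
    print("zero-filled sectors with 1 retry:", bad_low)
    print("zero-filled sectors with 5 retries:", bad_high)
    print(sidecar_text(rec_high))
    print("image verified against its sidecar:", verify(image_high, rec_high))
```

Running it shows the point the slides make about retry thresholds: the two images differ only in sector 3, and every digest in the sidecar changes as a result, so the sidecar of the good image rejects the zero-filled one.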
Proprietary Formats
• Most forensic tools have their own format
• Features offered
– Option to compress or not compress image files
– Can split an image into smaller segmented files
• Such as to CDs or DVDs
• With data integrity checks in each segment
– Can integrate metadata into the image file
• Hash data
• Date & time of acquisition
• Investigator name, case name, comments, etc.
Proprietary Formats

• Disadvantages
– Inability to share an image between different tools
– File size limitation for each segmented volume
• Typical segmented file size is 650 MB or 2 GB
• Expert Witness format is the unofficial standard
– Can produce compressed or uncompressed files
– File extensions .E01, .E02, .E03, …
Advanced Forensics Format
• AFF is an open-source acquisition format
• Design goals
– Provide compressed or uncompressed image files
– No size restriction for disk-to-image files
– Provide space in the image file or segmented files for metadata
– Simple design with extensibility
– Open source for multiple platforms and OSs
– Internal consistency checks for self-authentication
• File extensions include .afd for segmented image files and .afm for AFF metadata
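The features the two preceding slides attribute to proprietary formats and to AFF (segmented image files with an integrity check in each segment, metadata such as hashes, acquisition time, investigator and case name carried with the image, and internal consistency checks) as an added example that is not part of the lecture or the book. The segment layout and the metadata keys are invented for illustration and are not the on-disk structure of EnCase .E01 files or of AFF; the sample image and the tiny 2048-byte segment size are constructed so that several segments are produced.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample image (not evidence): 4868 bytes of a repeating pattern.
# The segment size is deliberately tiny; real tools use 650 MB or 2 GB pieces.
SAMPLE_IMAGE = bytes(range(256)) * 19 + b"END!"
SEGMENT_SIZE = 2048


def segment_image(image, segment_size, case_info):
    """Split a raw image into numbered segments that each carry their own hash.

    Returns (segments, metadata). Each segment is a dict with its sequence
    number, its data and the SHA-256 of that data (hypothetical layout). The
    metadata block holds the case details plus whole-image hashes, so the
    set can be checked both piece by piece and as a whole.
    """
    segments = []
    for number, offset in enumerate(range(0, len(image), segment_size), start=1):
        chunk = image[offset:offset + segment_size]
        segments.append({
            "number": number,
            "data": chunk,
            "sha256": hashlib.sha256(chunk).hexdigest(),
        })
    metadata = {
        **case_info,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "segment_size": segment_size,
        "segment_count": len(segments),
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "image_md5": hashlib.md5(image).hexdigest(),
    }
    return segments, metadata


def check_segments(segments, metadata):
    """Per-segment consistency check; returns the segment numbers that fail,
    plus "count" if segments are missing or extra."""
    failed = []
    for seg in segments:
        if hashlib.sha256(seg["data"]).hexdigest() != seg["sha256"]:
            failed.append(seg["number"])
    if len(segments) != metadata["segment_count"]:
        failed.append("count")
    return failed


def reassemble(segments, metadata):
    """Join the segments in order and confirm the whole-image hash."""
    ordered = sorted(segments, key=lambda s: s["number"])
    image = b"".join(s["data"] for s in ordered)
    ok = hashlib.sha256(image).hexdigest() == metadata["image_sha256"]
    return image, ok


def corrupt_copy(segments, number, byte_index):
    """Flip one byte in one segment, simulating a damaged transport disc."""
    copy = [dict(s) for s in segments]
    data = bytearray(copy[number - 1]["data"])
    data[byte_index] ^= 0xFF
    copy[number - 1]["data"] = bytes(data)
    return copy


if __name__ == "__main__":
    case = {"investigator": "example examiner", "case": "DEMO-001",
            "comments": "constructed sample, no real evidence"}
    segs, meta = segment_image(SAMPLE_IMAGE, SEGMENT_SIZE, case)
    print(json.dumps(meta, indent=2))
    print("intact set:  failed segments", check_segments(segs, meta),
          "whole-image hash ok", reassemble(segs, meta)[1])
    damaged = corrupt_copy(segs, 2, 10)
    print("damaged set: failed segments", check_segments(damaged, meta),
          "whole-image hash ok", reassemble(damaged, meta)[1])
```

The per-segment check is what lets an examiner say which piece went bad rather than only that the whole set no longer verifies; the whole-image hash in the metadata is what ties the reassembled data back to the original acquisition.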

Determining the Best Acquisition Method
• Types of acquisitions
– Static acquisitions and live acquisitions
• Four methods
– Creating a bit-stream disk-to-image file
– Creating a bit-stream disk-to-disk
– Creating a logical disk-to-disk or disk-to-data file
– Creating a sparse data copy file or folder

Bit-stream disk-to-image file
• Most common method and offers most flexibility
• Can make more than one copy
• Copies are bit-for-bit replications of the original drive
• Tools: ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook

Bit-stream disk-to-disk
• Used when disk-to-image copy is not possible
– Because of hardware or software errors or incompatibilities
– This problem is more common when acquiring older drives
• Adjusts target disk's geometry (cylinder, head, and track configuration) to match the suspect's drive
• Tools: EnCase, SafeBack (MS-DOS), Snap Copy

Logical Acquisition and Sparse Acquisition
• When your time is limited and the evidence disk is large
• Logical acquisition captures only specific files of interest to the case
– Such as .pst or .ost mail files in a mail-abuse case, or RAID servers
• Sparse acquisition collects only fragments of unallocated (deleted) data
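A logical acquisition of the kind the slide describes (only the mail files that matter to the case, copied with their timestamps and recorded in a hash manifest) as an added example that is not part of the lecture or the book. The evidence volume is a constructed directory tree built in a temporary folder, the file names and contents are made up, and logical_acquire and verify_logical_copy are illustration code rather than any forensic tool's API.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample tree standing in for an evidence volume. The .pst/.ost
# names echo the mail-abuse case on the slide; every path and byte is made up.
SAMPLE_FILES = {
    "Users/alice/Outlook/archive.pst": b"pst-sample-data-1",
    "Users/alice/Outlook/cache.ost": b"ost-sample-data-2",
    "Users/alice/Documents/notes.txt": b"not a mail file, left behind",
    "Users/bob/Outlook/mail.pst": b"pst-sample-data-3",
}
TARGET_EXTENSIONS = {".pst", ".ost"}


def build_sample_volume(root):
    """Write the constructed tree under `root`."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def logical_acquire(source_root, dest_root, extensions):
    """Copy only files whose extension is in `extensions`, keeping the tree.

    shutil.copy2 preserves the file timestamps; the manifest records each
    source path, size, modification time and SHA-256 so the copy can later
    be tied back to the source and re-verified.
    """
    manifest = []
    for dirpath, _dirs, files in os.walk(source_root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, source_root)
            dst = os.path.join(dest_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            with open(src, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            stat = os.stat(src)
            manifest.append({
                "source": rel.replace(os.sep, "/"),
                "size": stat.st_size,
                "mtime": stat.st_mtime,
                "sha256": digest,
            })
    return sorted(manifest, key=lambda m: m["source"])


def verify_logical_copy(dest_root, manifest):
    """Rehash every copied file against the manifest; returns the mismatches."""
    mismatches = []
    for entry in manifest:
        path = os.path.join(dest_root, *entry["source"].split("/"))
        with open(path, "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != entry["sha256"]:
                mismatches.append(entry["source"])
    return mismatches


def run_demo():
    """Build the sample volume, acquire the mail files, verify, report."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "evidence")
        dest = os.path.join(work, "logical_copy")
        build_sample_volume(source)
        manifest = logical_acquire(source, dest, TARGET_EXTENSIONS)
        mismatches = verify_logical_copy(dest, manifest)
        copied = sorted(
            os.path.relpath(os.path.join(d, f), dest).replace(os.sep, "/")
            for d, _subdirs, fs in os.walk(dest) for f in fs
        )
        return manifest, mismatches, copied


if __name__ == "__main__":
    manifest, mismatches, copied = run_demo()
    for entry in manifest:
        print(entry["sha256"][:16], entry["size"], entry["source"])
    print("copied:", copied)
    print("mismatches:", mismatches)
```

The manifest is the part that makes a logical copy defensible: it documents what was selected, when it was last modified on the source, and a hash that a later verification can be checked against.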

Points to consider when making a copy
➢ Size of the source disk
- lossless compression might be useful
- use digital signatures for verification
➢ Whether you can retain the disk
➢ Time to perform the acquisition
➢ Where the evidence exists

Compressing Disk Images
• Lossless compression might compress a disk image by 50% or more
• But files that are already compressed, like ZIP files, won't compress much more
• Use MD5 or SHA-1 hash to verify the image
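The three points on this slide demonstrated together, as an added example that is not part of the lecture or the book: a lossless compressor on a mostly empty image, the same compressor on data that is already a ZIP archive, and hash verification of the image across the compress/decompress round trip. Both sample images are constructed (one from zero runs and repeated text, one from a seeded pseudo-random payload packed with the zipfile module), and gzip stands in for whatever compression an imaging tool uses. It also shows a mistake worth avoiding: the digest of the compressed container is not the digest of the evidence, so the hash to record is the one over the uncompressed image.

```python
import gzip
import hashlib
import io
import random
import zipfile

# Constructed sample images (not real evidence). The first looks like a
# lightly used drive: zeroed sectors plus repeated document text. The second
# is a ZIP archive of pseudo-random bytes, i.e. data that is already compressed.


def build_sparse_image():
    return (b"\x00" * 8192 + b"quarterly report draft v3 " * 300) * 4


def build_zip_image(size=32768):
    rng = random.Random(1234)  # fixed seed so the sample is reproducible
    payload = bytes(rng.getrandbits(8) for _ in range(size))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("blob.bin", payload)
    return buf.getvalue()


def compress_image(image):
    """Lossless compression: gzip.decompress returns exactly the input bytes."""
    return gzip.compress(image, compresslevel=9)


def compression_ratio(image):
    """Compressed size divided by original size (0.5 means half the space)."""
    return len(compress_image(image)) / len(image)


def image_digests(data):
    """The two hashes the slide names, computed over the given bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def archive_and_verify(image):
    """Hash the raw image, compress it, decompress it, and hash again.

    Returns (round_trip_hashes_match, compressed_size, container_hash_matches).
    The last value is False: hashing the .gz container instead of the image
    would not let you verify the evidence after decompression.
    """
    before = image_digests(image)
    packed = compress_image(image)
    restored = gzip.decompress(packed)
    after = image_digests(restored)
    container = image_digests(packed)
    return before == after, len(packed), container == before


if __name__ == "__main__":
    samples = (("sparse drive image", build_sparse_image()),
               ("zip archive image", build_zip_image()))
    for name, image in samples:
        ok, packed_size, container_ok = archive_and_verify(image)
        print(f"{name}: {len(image)} -> {packed_size} bytes "
              f"(ratio {compression_ratio(image):.3f}); "
              f"round-trip hashes match={ok}; "
              f"container hash equals image hash={container_ok}")
```

Running it, the sparse image shrinks by far more than the 50% the slide quotes, while the ZIP-based image comes out slightly larger than it went in, which is why a drive full of archives or media files gains little from compressing the image.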

Tape Backup
• When working with large drives, an alternative is using tape backup systems
• No limit to size of data acquisition
– Just use many tapes
• But it's slow

Returning Evidence Drives
• In civil litigation, a discovery order may require you to return the original disk after imaging it
• If you cannot retain the disk, make sure you make the correct type of copy (logical or bitstream)
– Ask your client attorney or your supervisor what is required—you usually only have one chance
