GUIDE TO COMPUTER FORENSICS

6TH EDITION

CHAPTER 3
DATA ACQUISITION

OBJECTIVES
• List digital evidence storage formats
• Explain ways to determine the best acquisition method
• Describe contingency planning for data acquisitions
• Explain how to use acquisition tools

TYPES OF DATA ACQUISITION (1 OF 2)

Live acquisition
• File metadata, such as date and time values, changes when read by an acquisition tool
• Making a second live acquisition while a computer is running collects new data because of dynamic changes in the OS

Static acquisition
• Captures data that's not accessed by other processes that can change it
• If you have preserved the original media, making a second static acquisition should produce the same results
• The data on the original disk isn't altered, no matter how many times an acquisition is done

TYPES OF DATA ACQUISITION (2 OF 2)
• The processes and data integrity requirements for static and live acquisitions are similar
• Because of the use of whole disk encryption, data acquisitions are shifting toward live acquisitions with newer operating systems (OSs)

UNDERSTANDING STORAGE FORMATS FOR DIGITAL EVIDENCE
• Data in a forensics acquisition tool is stored as an image file
• Three formats
  • Raw format
  • Proprietary formats
  • Advanced Forensics Format (AFF)

RAW FORMAT
• Makes it possible to write bit-stream data to files
• Creates sequential flat files
• Several commercial acquisition tools can produce raw format acquisitions and typically perform a validation check
  • CRC32
  • MD5
  • SHA
• Advantages
  • Fast data transfers
  • Ignores minor data read errors on source drive
  • Most computer forensics tools can read raw format
• Disadvantages
  • Requires as much storage as original disk or data
  • Tools might not collect marginal (bad) sectors

PROPRIETARY FORMATS
• Most forensics tools have their own formats
• Features offered
  • Option to compress or not compress image files
  • Can split an image into smaller segmented files
  • Can integrate metadata into the image file
• Disadvantages
  • Inability to share an image between different tools
  • File size limitation for each segmented volume
• The Expert Witness Compression format is an unofficial standard (E01 format)

ADVANCED FORENSICS FORMAT
• Developed by Dr. Simson L. Garfinkel as an open-source acquisition format
• Design goals
  • Provide compressed or uncompressed image files
  • No size restriction for disk-to-image files
  • Provide space in the image file or segmented files for metadata
  • Simple design with extensibility
  • Open source for multiple platforms and OSs
  • Internal consistency checks for self-authentication
• File extensions include .afd for segmented image files and .afm for AFF metadata
• AFF is open source

DETERMINING THE BEST ACQUISITION METHOD (1 OF 4)
• Types of acquisitions
  • Static acquisitions and live acquisitions
• Four methods of data collection
  • Creating a disk-to-image file
  • Creating a disk-to-disk copy
  • Creating a logical disk-to-disk or disk-to-data file
  • Creating a sparse data copy of a file or folder
• Determining the best method depends on the circumstances of the investigation

DETERMINING THE BEST ACQUISITION METHOD (2 OF 4)
• Creating a disk-to-image file
  • Most common method and offers most flexibility
  • Can make more than one copy
  • Copies are bit-for-bit replications of the original drive
  • Compatible with many commercial forensics tools
• Creating a disk-to-disk copy
  • When disk-to-image copy is not possible
  • Tools can adjust disk's geometry configuration
  • Tools: EnCase and X-Ways

DETERMINING THE BEST ACQUISITION METHOD (3 OF 4)
• Logical acquisition or sparse acquisition
  • Can take several hours; use when your time is limited
  • Logical acquisition captures only specific files of interest to the case
  • Sparse acquisition collects fragments of unallocated (deleted) data
  • For large disks
  • Examples:
    • PST or OST mail files, RAID servers

DETERMINING THE BEST ACQUISITION METHOD (4 OF 4)
• When making a copy, consider:
  • Size of the source disk
    • Lossless compression might be useful (use hash to verify)
    • Use digital signatures for verification
    • When working with large drives, an alternative is using lossless compression
  • Whether you can retain the disk
  • Time to perform the acquisition
  • Where the evidence is located

CONTINGENCY PLANNING FOR IMAGE ACQUISITIONS
• Create a duplicate copy of your evidence image file
• Make at least two images of digital evidence
  • Use different tools or techniques
• Copy the host protected area of a disk drive as well
  • Consider using a hardware acquisition tool that can access the drive at the BIOS level
    • BelkaSoft
    • ILookIX IXImager
• Be prepared to deal with encrypted drives
  • Whole disk encryption feature in Windows called BitLocker makes static acquisitions more difficult
  • May require user to provide decryption key
  • Elcomsoft Forensic Disk Decryptor

USING ACQUISITION TOOLS
• Acquisition tools for Windows
  • Advantages
    • Make acquiring evidence from a suspect drive more convenient
    • Especially when used with hot-swappable devices
  • Disadvantages
    • Must protect acquired data with a well-tested write-blocking hardware device
    • Tools can't acquire data from a disk's host protected area
    • Some countries haven't accepted the use of write-blocking devices for data acquisitions

MINI-WINFE BOOT CDS AND USB DRIVES
• Mini-WinFE
  • Enables you to build a Windows forensic boot CD/DVD or USB drive so that connected drives are mounted as read-only
  • Before booting a suspect's computer:
    • Connect your target drive, such as a USB drive
  • After Mini-WinFE is booted:
    • You can list all connected drives and alter your target USB drive to read-write mode so you can run an acquisition program

ACQUIRING DATA WITH A LINUX BOOT CD (1 OF 6)
• Linux can access a drive that isn't mounted
• Windows OSs and newer Linux automatically mount and access a drive
• Forensic Linux Live CDs don't access media automatically
  • Which eliminates the need for a write-blocker
• Using Linux Live CD Distributions
  • Forensic Linux Live CDs
    • Contain additional utilities

ACQUIRING DATA WITH A LINUX BOOT CD (2 OF 6)
• Using Linux Live CD Distributions (cont'd)
  • Forensic Linux Live CDs (cont'd)
    • Configured not to mount, or to mount as read-only, any connected storage media
  • Well-designed Linux Live CDs for computer forensics
    • Penguin Sleuth Kit
    • CAINE
    • Deft
    • Kali Linux
    • Knoppix
    • SANS Investigative Forensic Toolkit (SIFT)

ACQUIRING DATA WITH A LINUX BOOT CD (3 OF 6)
• Preparing a target drive for acquisition in Linux
  • Current Linux distributions can create Microsoft FAT and NTFS partition tables
  • fdisk command lists, creates, deletes, and verifies partitions in Linux
  • mkfs.msdos command formats a FAT file system from Linux

ACQUIRING DATA WITH A LINUX BOOT CD (4 OF 6)
• Acquiring data with dd in Linux
  • dd ("data dump") command
    • Can read and write from media device and data file
    • Creates raw format file that most computer forensics analysis tools can read
  • Shortcomings of dd command
    • Requires more advanced skills than average user
    • Does not compress data
  • dd command combined with the split command
    • Segments output into separate volumes

ACQUIRING DATA WITH A LINUX BOOT CD (5 OF 6)
• Acquiring data with dd in Linux (cont'd)
  • Follow the steps starting on page 112 in the text to make an image of an NTFS disk on a FAT32 disk
• Acquiring data with dcfldd in Linux
  • The dd command is intended as a data management tool
  • Not designed for forensics acquisitions

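The dd-plus-split workflow from the two slides above, together with the hash check that the raw-format and validation slides call for, as an added example; it is not code from the textbook, and the function names (acquire_raw, verify_raw, segment_count, demo) and the constructed sample file standing in for an evidence device are assumptions.

```shell
#!/bin/sh
# Added example (not from the textbook): segmented raw acquisition with dd
# and split, then hash validation of the reassembled image against the source.

# acquire_raw SOURCE PREFIX SEGMENT_BYTES
# On a real case SOURCE is the evidence device behind a write-blocker
# (e.g. /dev/sdb) and PREFIX lives on the target drive. bs=512 matches the
# sector size; conv=noerror keeps reading past bad sectors and conv=sync
# zero-pads any short block so offsets in the image stay aligned.
# split writes PREFIX.000, PREFIX.001, ... of SEGMENT_BYTES each.
acquire_raw() {
    src=$1; prefix=$2; seg=$3
    dd if="$src" bs=512 conv=noerror,sync 2>/dev/null \
        | split -b "$seg" -d -a 3 - "$prefix."
}

# verify_raw SOURCE PREFIX
# Hash the source, then hash the segments concatenated in numeric order;
# returns 0 when the two SHA-256 digests match, 1 otherwise.
verify_raw() {
    src=$1; prefix=$2
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(cat "$prefix".[0-9]* | sha256sum | cut -d' ' -f1)
    [ "$src_hash" = "$img_hash" ]
}

# segment_count PREFIX: number of segment files written for PREFIX.
segment_count() {
    ls "$1".[0-9]* | wc -l | tr -d ' '
}

# demo: constructed 10 KiB random sample (a multiple of 512 bytes, so
# conv=sync adds no padding) imaged into 4 KiB segments and verified.
demo() {
    work=$(mktemp -d)
    head -c 10240 /dev/urandom > "$work/sample.bin"
    acquire_raw "$work/sample.bin" "$work/evidence" 4096
    if verify_raw "$work/sample.bin" "$work/evidence"; then
        echo "hashes match across $(segment_count "$work/evidence") segments"
    else
        echo "HASH MISMATCH: image does not reproduce the source"
    fi
    rm -rf "$work"
}

demo
```

Hashing the concatenated segments rather than each file separately is what lets a split raw image be compared with a single hash taken of the source drive.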
ACQUIRING DATA WITH A LINUX BOOT CD (6 OF 6)
• Acquiring data with dcfldd in Linux (cont'd)
  • dcfldd additional functions
    • Specify hex patterns or text for clearing disk space
    • Log errors to an output file for analysis and review
    • Use several hashing options
    • Refer to a status display indicating the progress of the acquisition in bytes
    • Split data acquisitions into segmented volumes with numeric extensions
    • Verify acquired data with original disk or media data

CAPTURING AN IMAGE WITH ACCESSDATA FTK IMAGER LITE (1 OF 8)
• Included with AccessData Forensic Toolkit
• Designed for viewing evidence disks and disk-to-image files
• Makes disk-to-image copies of evidence drives
  • At logical partition and physical drive level
  • Can segment the image file
• Evidence drive must have a hardware write-blocking device
  • Or run from a Live CD, such as Mini-WinFE

CAPTURING AN IMAGE WITH ACCESSDATA FTK IMAGER LITE (2 OF 8)
(figure slide; no text content)

CAPTURING AN IMAGE WITH ACCESSDATA FTK IMAGER LITE (3 OF 8)
• FTK Imager can't acquire a drive's host protected area
• Use a write-blocking device and follow these steps
  • Boot to Windows
  • Connect evidence disk to a write-blocker
  • Connect target disk to write-blocker
  • Start FTK Imager Lite
  • Create Disk Image - use Physical Drive option
  • See Figures on the following slides for more steps

CAPTURING AN IMAGE WITH ACCESSDATA FTK IMAGER LITE (4 OF 8) through (8 OF 8)
(figure slides showing the remaining FTK Imager Lite steps; no text content)

VALIDATING DATA ACQUISITIONS
• Validating evidence may be the most critical aspect of computer forensics
• Requires using a hashing algorithm utility
• Validation techniques
  • CRC-32, MD5, and SHA-1 to SHA-512