Guide to Computer Forensics and Investigations, Second Edition Chapter 9 Data Acquisition.

Presentation transcript:

Guide to Computer Forensics and Investigations, Second Edition Chapter 9 Data Acquisition

Slide 2: Objectives
- Determine the best acquisition method
- Plan data-recovery contingencies
- Use MS-DOS acquisition tools

Slide 3: Objectives (continued)
- Use GUI acquisition tools
- Use X-Ways Replica and other tools for data acquisition
- Recover data from PDAs

Slide 4: Determining the Best Acquisition Method
- Three ways
  – Bit-stream disk-to-image file
  – Bit-stream disk-to-disk
  – Sparse data copy of a file or folder
- Bit-stream disk-to-image file
  – Most common method
  – Can make more than one copy
  – EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook

Slide 5: Determining the Best Acquisition Method (continued)
- Bit-stream disk-to-disk
  – When disk-to-image copy is not possible
  – Consider the disk's geometry (CHS configuration)
  – SafeBack, SnapCopy, Norton Ghost 2002
- Sparse data copy
  – Creates exact copies of folders and files
  – For large disks
  – PST or OST mail files, RAID servers

Slide 6: Determining the Best Acquisition Method (continued)
- When making a copy, consider:
  – Size of the source disk
    - Lossless compression might be useful
    - Use digital signatures for verification
  – Whether you can retain the disk
  – How much time you have
  – Location of the evidence

Slide 7: Planning Data Recovery Contingencies
- Create a duplicate copy of your evidence image file
- Make at least two copies of digital evidence
  – Use different tools or techniques
- Copy the host-protected area of a disk drive as well
  – Image MaSSter Solo
- HAZMAT and environment conditions

Slide 8: Using MS-DOS Acquisition Tools
- Original tools
- Fit on a forensic boot floppy disk
  – Require fewer resources
- DriveSpy
  – Data-preservation commands
  – Data-manipulation commands

Slide 9: Understanding How DriveSpy Accesses Sector Ranges
- First method
  – Absolute starting sector, total number of sectors
  – Example: 0:1000,100 (primary master drive)
- Second method
  – Absolute starting sector-ending sector
  – Example: 0: (101 sectors)
- Moving data
  – CopySect 0:1000,100 1:2000,100
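As an added example (not code from the textbook or from DriveSpy itself), the Python below parses both sector-range notations from this slide and performs the pre-flight check an examiner would want before a CopySect: equal sector counts on both sides, and no self-overlap when source and destination sit on the same drive. It assumes the end sector of the start-end form is inclusive, which is what makes a constructed range such as 0:1000-1100 match the 101 sectors the slide quotes.

```python
# Added example (not from the textbook or DriveSpy): parse the two DriveSpy
# sector-range notations on the slide and sanity-check a CopySect pair.
import re
from dataclasses import dataclass

# "drive:start,count"  or  "drive:start-end"
_RANGE_RE = re.compile(r"^(\d+):(\d+)(?:,(\d+)|-(\d+))$")


@dataclass(frozen=True)
class SectorRange:
    drive: int   # 0 is the primary master drive in the slide's example
    start: int   # absolute starting sector
    count: int   # number of sectors covered

    @property
    def end(self) -> int:
        """Last sector of the range (inclusive)."""
        return self.start + self.count - 1


def parse_range(text: str) -> SectorRange:
    """Accept 'drive:start,count' or 'drive:start-end'. The end sector is taken
    as inclusive (assumption), so 0:1000-1100 is the 101 sectors the slide quotes."""
    m = _RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a DriveSpy sector range: {text!r}")
    drive, start, count, end = m.groups()
    drive, start = int(drive), int(start)
    if count is not None:
        count = int(count)
    else:
        if int(end) < start:
            raise ValueError("ending sector precedes starting sector")
        count = int(end) - start + 1
    if count == 0:
        raise ValueError("empty sector range")
    return SectorRange(drive, start, count)


def check_copysect(src_text: str, dst_text: str) -> tuple:
    """Pre-flight for 'CopySect <src> <dst>': both ranges must cover the same
    number of sectors, and a same-drive copy must not overlap itself, because
    the destination sectors are overwritten as the copy proceeds."""
    src, dst = parse_range(src_text), parse_range(dst_text)
    if src.count != dst.count:
        raise ValueError(f"sector counts differ: {src.count} vs {dst.count}")
    if src.drive == dst.drive and dst.start <= src.end and src.start <= dst.end:
        raise ValueError("source and destination overlap on the same drive")
    return src, dst
```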

Slide 10: Understanding How DriveSpy Accesses Sector Ranges (continued) [screenshot only]

Slide 11: Using DriveSpy Data-Preservation Commands
- Work only on FAT16 and FAT32 disks
- SavePart
  – Acquires an entire partition
  – Even non-DOS partitions
- WritePart
  – Re-creates a saved partition in its original format
  – Be careful when restoring non-DOS partitions

Slide 12: Using the SavePart Command
- Creates an image file of a partition
- Uses lossless compression
- Copies the image to a target disk
  – Smaller disks
  – Removable media
- Generates an MD5 hash value
- Cannot be used with partition gaps

Slide 13: Using the WritePart Command
- Re-creates saved partitions from image files created with SavePart
- Decompresses the image file and writes it to the target disk
  – Checks that the target disk is equal to or larger than the original disk
- Prompts for all disks where the image file is stored

Slide 14: Using the WritePart Command (continued) [screenshot only]

Slide 15: Using the WritePart Command (continued) [screenshot only]

Slide 16: Using DriveSpy Data-Manipulation Commands
- Isolate specific areas of a disk for examination
- Commands:
  – SaveSect
  – WriteSect

Slide 17: Using the SaveSect Command
- Copies specific sectors on a disk to a file
  – Bit-stream copy
- Creates non-compressed files
  – Flat files
- For hidden or deleted partitions and gaps
- Drive and Partition modes
- Example:
  – SaveSect 1: c:\dir_name\file_name

Slide 18: Using the SaveSect Command (continued) [screenshot only]

Slide 19: Using the WriteSect Command
- Re-creates data acquired with SaveSect
- Use it in DriveSpy's Drive and Partition modes
- Example:
  – WriteSect c:\dir_name\file_name 2:10000
- Disadvantage:
  – Can overwrite data on the target disk
- Useful for non-Microsoft FAT file systems

Slide 20: Using the WriteSect Command (continued) [screenshot only]

Slide 21: Using Windows Acquisition Tools
- Make the job more convenient
  – Hot-swappable devices
- Drawbacks:
  – Windows can contaminate your evidence
  – Require write-blocking hardware devices
  – Cannot access host-protected areas

Slide 22: AccessData FTK Imager
- Included with AccessData FTK
- View evidence disks and bit-stream image files
- Makes bit-stream disk-to-image copies
  – At the logical partition and physical drive level
  – Can segment the image file

Slide 23: AccessData FTK Imager (continued) [screenshot only]

Slide 24: AccessData FTK Imager (continued)
- Steps:
  – Boot up Windows
  – Connect the evidence disk to a write-blocker
  – Connect the target disk to the write-blocker
  – Start FTK Imager
  – Create Disk Image (use the Physical Drive option)

Slide 25: AccessData FTK Imager (continued) [screenshot only]

Slide 26: Using X-Ways Replica
- Compact bit-streaming application program
- Fits on a forensic bootable floppy disk
- Produces a dd-like image
  – Disk-to-image copy
  – Disk-to-disk copy
- Can access host-protected areas

Slide 27: Using Replica
- Create a forensic boot floppy disk
- Boot in MS-DOS
- Replica checks whether the HPA is on in the BIOS
  – If yes, asks you to turn it off
- Reboot
- Copy information

Slide 28: PDA Data Acquisition
- PDAs store, send, and receive data
  – PDA/cell phone
- Synch with host computers
  – Duplicate a host PC during an investigation
- Paraben Forensic Tool
  – Special tool
  – GUI-based tool

Slide 29: PDA Data Acquisition (continued) [screenshot only]

Slide 30: PDA Data Acquisition (continued)
- Seize all PDA components
  – Cables and power supplies
- Learn how to put the PDA in debug mode

Slide 31: PDA Data Acquisition (continued) [screenshot only]

Slide 32: General Considerations for PDA Investigations
- Seize the PDA and host computer
  – PDA caddy and cables
- Collect documentation
- Get the power supply and recharge batteries
  – Leave it plugged into the PDA
- Create a bit-stream image and a backup copy of the host PC
- Obtain or locate the password used on the PDA

Slide 33: Re-create the Host Computer
- Steps:
  – Connect caddy, cables, and external cards
  – Install the backup copy on the new host
  – Install PDA software
  – Read documentation and synch the PDA
  – Examine downloaded PDA content

Slide 34: Re-create the Host Computer (continued) [screenshot only]

Slide 35: Using Other Forensics-Acquisition Tools
- SnapBack DatArrest
- SafeBack
- EnCase

Slide 36: Exploring SnapBack DatArrest
- Columbia Data Products
- Old, reliable MS-DOS tool
- Performs a bit-stream copy in three ways:
  – Disk to SCSI drive
  – Disk to network drive
  – Disk to disk
- Fits on a forensic boot floppy
- SnapCopy adjusts disk geometry

Slide 37: Exploring SafeBack
- Reliable MS-DOS tool
- Performs an SHA-256 calculation per sector copied
- Creates a log file

Slide 38: Exploring SafeBack (continued)
- Functions:
  – Disk-to-image copy (image can be on tape)
  – Disk-to-disk copy (adjusts target geometry)
- Parallel port laplink can be used
  – Copies a partition to an image file
  – Compresses acquired information
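As an added example (not code from the textbook or from SavePart, FTK Imager or SafeBack), the Python below models the three integrity features those slides attribute to the tools: a whole-image MD5 as SavePart generates, a segmented image file as FTK Imager can produce, and a per-sector SHA-256 log as SafeBack keeps, then verifies a second copy against that record and reports which sectors differ. The 512-byte sector size and the sample "disk" are constructed assumptions.

```python
# Added example (not from the textbook or any tool it names): toy disk-to-image
# acquisition with the verification record an examiner keeps beside the image.
import hashlib

SECTOR = 512  # assumption: classic 512-byte sectors

def acquire(source: bytes, segment_size: int) -> dict:
    """Image `source` into segments of `segment_size` bytes and build the
    verification record (whole-image MD5 plus per-sector SHA-256 log)."""
    if segment_size % SECTOR:
        raise ValueError("segment size must be a whole number of sectors")
    if len(source) % SECTOR:
        raise ValueError("source length is not sector-aligned")
    segments = [source[i:i + segment_size]
                for i in range(0, len(source), segment_size)]
    sector_log = [hashlib.sha256(source[i:i + SECTOR]).hexdigest()
                  for i in range(0, len(source), SECTOR)]
    return {
        "md5": hashlib.md5(source).hexdigest(),  # whole-image hash (SavePart)
        "segments": segments,                    # split image (FTK Imager)
        "sector_sha256": sector_log,             # per-sector log (SafeBack)
    }

def reassemble(image: dict) -> bytes:
    """Join the image segments back into one bit-stream."""
    return b"".join(image["segments"])

def verify(image: dict, candidate: bytes) -> list:
    """Compare a second copy against the record. Returns the sector numbers
    whose SHA-256 differs (an empty list means the copy is good). The cheap
    whole-image MD5 check runs first; a size mismatch is also a failure."""
    if hashlib.md5(candidate).hexdigest() == image["md5"]:
        return []
    bad = []
    for n, expected in enumerate(image["sector_sha256"]):
        chunk = candidate[n * SECTOR:(n + 1) * SECTOR]  # b"" if copy is short
        if hashlib.sha256(chunk).hexdigest() != expected:
            bad.append(n)
    # sectors present in the candidate but absent from the original
    extra = range(len(image["sector_sha256"]), (len(candidate) + SECTOR - 1) // SECTOR)
    return bad + list(extra)

if __name__ == "__main__":
    # constructed sample "disk": 8 sectors, each filled with its own number
    disk = b"".join(bytes([n]) * SECTOR for n in range(8))
    img = acquire(disk, segment_size=3 * SECTOR)
    print("clean copy:", verify(img, reassemble(img)))      # []
    tampered = bytearray(disk)
    tampered[5 * SECTOR + 7] ^= 0xFF                          # flip one byte
    print("tampered copy:", verify(img, bytes(tampered)))   # [5]
```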

Slide 39: Exploring EnCase
- Windows forensic tool from Guidance Software
- Creates forensic boot floppy disks
- Load En.exe onto the floppy
  – Implements the best compression algorithm
- Copy methods
  – Disk-to-disk
  – Disk-to-network server drive
  – Disk-to-drive on parallel port

Slide 40: Exploring EnCase (continued) [screenshot only]

Slide 41: Summary
- Data acquisition methods:
  – Bit-stream disk-to-image file
  – Bit-stream disk-to-disk
  – Sparse data copy
- Several tools available
  – Lossless compression is acceptable
- Plan your digital evidence contingencies
- Use tools that can read partition gaps

Slide 42: Summary (continued)
- Be careful when using tools
  – Risk of overwriting previous data
- Windows data acquisition tools
  – Easy to use
  – Can modify data
- DriveSpy, FTK Imager, Replica, SnapBack, SafeBack
- Investigations might involve PDAs