Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition Chapter 4 Data Acquisition

Objectives
- Explain data acquisition
- Understand digital evidence storage formats and how to determine the best acquisition method
- Describe contingency planning for data acquisitions
- Explain the importance of data acquisition validation

Introducing Data Acquisition
- Data acquisition is the process of copying data. In computer forensics, it is the task of collecting digital evidence.
- Two types of data acquisition:
  - Static acquisitions
  - Live acquisitions
(Speaker note: First, we'll describe the following three formats for digital evidence. Examples on page 103.)

Introducing Data Acquisition (Cont.)
- Static acquisitions
  - Copy a hard drive from a powered-off system when the suspect's drive is write-protected and can't be altered.
  - Static acquisitions are repeatable if you have preserved the disk evidence.
  - They establish integrity and can be used as evidence in court.

Introducing Data Acquisition (Cont.)
(Image slide.) Source: http://grussell.org/df/slides/wk6.ppt

Introducing Data Acquisition (Cont.)
- Write blockers
  - Do not allow data to be written to the suspect drive
  - Pass read commands only
Source: http://grussell.org/df/slides/wk6.ppt

Introducing Data Acquisition (Cont.)
- Live acquisitions
  - Acquire data (e.g. RAM contents and other volatile data) when a suspect computer can't be shut down to perform a static acquisition.
  - Data is collected from the local computer or over a remote network connection.
  - The captured data might be altered during the acquisition because it is not write-protected.
  - Live acquisitions are not repeatable, because data is continuously altered by the OS.

Understanding Storage Formats for Digital Evidence
- Data collected by a computer forensics acquisition tool is stored as an image file (a copy of the digital evidence) in one of three formats:
  - Raw format (open source format)
  - Proprietary formats
  - Advanced Forensics Format (AFF) (open source format)

Understanding Storage Formats for Digital Evidence (Cont.)
- Raw format
  - Bit-by-bit copy of the drive to a file (Linux dd command)
  - Advantages
    - Fast data transfers
    - Can ignore minor data read errors on the source drive
    - Most computer forensics tools can read raw format
  - Disadvantages
    - Requires as much storage space as the original disk or data
    - Some raw format tools (freeware versions) might not collect marginal (bad) sectors on the source drive, so not all data is collected
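The slide's two points about raw format, that read errors can be skipped and that bad sectors may therefore be missing from the image, are easier to reason about with the error path in front of you. The following is an added example written for these notes, not code from the textbook or from any imaging tool: a minimal sector-by-sector raw imager in the spirit of dd with conv=noerror,sync. The 512-byte sector size, the FlakySource class and the SAMPLE_DRIVE contents are all constructed for the example; a real acquisition would read a block device behind a write blocker.

```python
import hashlib

SECTOR_SIZE = 512  # assumed sector size; some drives expose 4096-byte sectors

# Constructed stand-in for a suspect drive: 16 sectors, sector i filled with byte i.
SAMPLE_DRIVE = b"".join(bytes([i]) * SECTOR_SIZE for i in range(16))


class FlakySource:
    """Constructed file-like object that fails on a chosen set of sectors.

    It stands in for a block device with marginal (bad) sectors so the error
    path of the imager can be exercised offline; a real run would open the
    device read-only behind a write blocker instead.
    """

    def __init__(self, data, bad_sectors=()):
        self._data = data
        self._bad = set(bad_sectors)
        self._pos = 0

    def seek(self, offset):
        self._pos = offset

    def read(self, size):
        if self._pos // SECTOR_SIZE in self._bad:
            raise OSError(5, "Input/output error")  # what a failing read reports
        chunk = self._data[self._pos:self._pos + size]
        self._pos += len(chunk)
        return chunk


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire_raw(source, total_bytes, sector_size=SECTOR_SIZE):
    """Sector-by-sector raw acquisition, in the spirit of dd conv=noerror,sync.

    Returns (image, bad_sectors, image_sha256). A sector that cannot be read is
    replaced by zeros so every later sector keeps its original offset in the
    image, and its index is recorded so the examiner can document exactly
    which parts of the image do not reflect the physical drive.
    """
    image = bytearray()
    bad_sectors = []
    digest = hashlib.sha256()
    sector_count = (total_bytes + sector_size - 1) // sector_size
    for sector in range(sector_count):
        source.seek(sector * sector_size)
        try:
            chunk = source.read(sector_size)
        except OSError:
            chunk = b""
            bad_sectors.append(sector)
        # Pad failed or short reads so the image keeps the source geometry.
        chunk = chunk + b"\x00" * (sector_size - len(chunk))
        image += chunk
        digest.update(chunk)
    # The hash covers the image as written, not the unreadable source sectors;
    # the bad-sector list is what makes that difference auditable.
    return bytes(image), bad_sectors, digest.hexdigest()


if __name__ == "__main__":
    img, bad, h = acquire_raw(FlakySource(SAMPLE_DRIVE, bad_sectors=[3, 9]), len(SAMPLE_DRIVE))
    print("image bytes:", len(img))
    print("unreadable sectors zero-filled:", bad)
    print("sha256 of image:", h)
```

The design point is the bad-sector list: the hash proves the image has not changed since acquisition, but only the recorded list tells a reviewer which offsets never held real drive data, which is exactly the gap the slide warns about.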

Understanding Storage Formats for Digital Evidence (Cont.)
- Proprietary formats
  - Most commercial computer forensics tools have their own formats for collecting digital evidence.
  - They offer features not available with raw format:
    - Compress the image file of a suspect drive and save space
    - Split an image into smaller segmented files to fit onto other media, such as CDs or DVDs
    - Integrate metadata into the image file:
      - Date and time of the acquisition
      - Hash value (for self-authentication) of the original disk or medium
      - Investigator name, comments, case details, etc.

Understanding Storage Formats for Digital Evidence (Cont.)
- Proprietary formats (Cont.)
  - Disadvantages
    - Inability to share an image between different vendors' computer forensics analysis tools
    - Proprietary file formats mean you will convert from one format to another to use multiple tools
    - Converting between formats may corrupt data if the formats are not well understood
    - File size limitation for each segmented volume

Understanding Storage Formats for Digital Evidence (Cont.)
- Advanced Forensics Format (AFF)
  - An open and extensible format (for multiple platforms and OSs) that stores image data and metadata.
  - Design goals
    - Provide compressed or uncompressed image files
    - No size restriction for disk-to-image files
    - Provide space in the image file or segmented files for metadata
  - File extensions include .afd for segmented image files and .afm for AFF metadata
(Speaker note: Some kinds of metadata that are interesting in computer forensics:
- File system metadata, e.g. MAC times, access control lists, etc.
- Digital image metadata. Although information such as the image size and number of colors is technically metadata, JPEG and other file formats store additional data about the photo or the device that acquired it.
- Document metadata, such as the creator of a document, its last print time, etc.)
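The three preceding slides describe what proprietary formats and AFF add over raw: segmentation and a metadata record carrying acquisition time, examiner details and a self-authenticating hash. The following is an added example, written for these notes and not the container format of any real tool (it does not produce .E01, .afd or .afm files): it segments an image, builds a JSON-style metadata manifest of the kind those formats embed, and verifies the segments against it. The 4096-byte segment size, the examiner name and the case identifier are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

SEGMENT_SIZE = 4096  # constructed small size; real tools segment at hundreds of MB or more


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def split_image(image, segment_size=SEGMENT_SIZE):
    """Split a raw image into fixed-size segments (the last one may be shorter)."""
    return [image[i:i + segment_size] for i in range(0, len(image), segment_size)]


def build_manifest(segments, examiner, case_id, notes=""):
    """Metadata a proprietary or AFF-style container would carry beside the data.

    The whole-image hash is computed over the segments in order, so it equals
    the hash of the unsegmented image; per-segment hashes let the examiner
    localise a damaged or altered segment instead of only learning that
    "something" changed.
    """
    whole = hashlib.sha256()
    per_segment = []
    for seg in segments:
        whole.update(seg)
        per_segment.append({"length": len(seg), "sha256": sha256_hex(seg)})
    return {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "case_id": case_id,
        "notes": notes,
        "segment_count": len(segments),
        "segments": per_segment,
        "image_sha256": whole.hexdigest(),
    }


def verify_segments(segments, manifest):
    """Return the indexes of segments that disagree with the manifest.

    An empty list means every segment has the recorded length and hash, which
    in turn means the reassembled image hashes to manifest["image_sha256"].
    A segment-count mismatch flags every position, since nothing can be
    trusted about the ordering.
    """
    if len(segments) != manifest["segment_count"]:
        return list(range(max(len(segments), manifest["segment_count"])))
    return [
        i for i, (seg, rec) in enumerate(zip(segments, manifest["segments"]))
        if len(seg) != rec["length"] or sha256_hex(seg) != rec["sha256"]
    ]


def reassemble(segments):
    return b"".join(segments)


if __name__ == "__main__":
    image = bytes(range(256)) * 40            # constructed 10 KB "drive image"
    segs = split_image(image)
    manifest = build_manifest(segs, "Examiner A (placeholder)", "CASE-0000 (placeholder)")
    print(json.dumps(manifest, indent=2))     # what a .afm-style sidecar would hold
    print("intact segments differ at:", verify_segments(segs, manifest))
    tampered = list(segs)
    tampered[1] = b"\xff" + segs[1][1:]
    print("tampered segments differ at:", verify_segments(tampered, manifest))
```

Keeping the whole-image hash equal to the hash of the unsegmented raw image is what makes the "convert between formats" step on the previous slide checkable: after converting to raw and concatenating, the examiner can confirm the same digest without trusting the converter.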

Determining the Best Acquisition Method
- Four methods for acquiring data
  - Bit-stream disk-to-image file copy
  - Bit-stream disk-to-disk copy
  - Logical disk-to-disk or disk-to-data file copy
  - Sparse data copy (of a file or folder)
(Speaker note: We'll describe the following two types of data and four different methods for acquiring data.)

Determining the Best Acquisition Method (Cont.)
- Bit-stream disk-to-image file copy
  - Most common method and offers the most flexibility for your investigation
  - Can make more than one copy of a suspect drive
  - Copies are bit-by-bit replications of the original drive
  - You can use a variety of tools to read and analyze the data (ProDiscover, EnCase, FTK, X-Ways, iLook)

Determining the Best Acquisition Method (Cont.)
- Bit-stream disk-to-disk copy
  - Copy data from one drive to another when a disk-to-image copy is not possible, because of hardware or software errors or incompatibilities (a common issue when you have to acquire older drives)
  - Consider the disk's geometry configuration to copy data exactly from an older disk to a newer disk
  - The copied data matches the original suspect drive
  - You can use EnCase, SafeBack, SnapCopy

Track Geometry of a Hard Drive
(Figure.) Sector. Allocation unit sizes (per sector): 512 bytes, 1024 bytes, 2048 bytes, 4096 bytes, 8192 bytes, 16 KB, 32 KB, 64 KB. Cluster: a group of sectors. © Thomas Computer Forensics LLC

Determining the Best Acquisition Method (Cont.)
- Collecting evidence from a large drive can take several hours. If your time is limited, consider using a:
  - Logical acquisition (disk-to-disk or disk-to-data file)
    - Captures only specific types of files of interest to the case (e.g. Outlook .pst files)
    - Use this method when you don't need to examine the entire drive
  - Sparse acquisition
    - Similar to logical acquisition
    - In addition, it collects fragments of unallocated (deleted) data
(Speaker note: Re-read and understand the examples on page 103. Microsoft Outlook creates a .pst file, a data file in which electronic copies of email generated by Outlook are stored on a hard drive. .ost files are created by Microsoft Exchange Server: Microsoft Outlook's offline email archive files get the extension .OST (Offline Storage Table). If you are using Microsoft Exchange Server, all email messages, calendar, tasks, notes and other items are delivered to and stored on the server. However, if a user is not using Exchange Server, all email messages, calendar and other items are delivered to and stored locally in a Personal Folders (.pst) file. Typically, when you use a Microsoft Exchange Server account, your email messages, calendar and other items are delivered to and saved on the server. You can configure Outlook to keep a local copy of your items on your computer in an Outlook data file called an offline Outlook Data File (.ost). This allows you to use Cached Exchange Mode or to work offline when a connection to the Exchange computer is not possible or wanted. The .ost file is synchronized with the Exchange computer when a connection is available. Your items can also be moved or archived to an Outlook Data File (.pst). Because a .pst file is kept on your computer, it is not subject to mailbox size limits on the mail server; by moving items to a .pst file on your computer, you free up storage space in the mailbox on your mail server.)
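The logical acquisition described above selects only files of interest rather than imaging the whole drive. The following is an added example written for these notes, not a tool from the textbook: it walks a constructed user profile, selects Outlook .pst and .ost files by extension (case-insensitively, since the note shows .OST in upper case), copies them with timestamps preserved, and records a hash of every copied file so the subset can be validated later. The directory layout and file contents are constructed placeholders, not real Outlook data files.

```python
import hashlib
import os
import shutil
import tempfile

# File types of interest for this constructed case: Outlook data files.
TARGET_EXTENSIONS = {".pst", ".ost"}


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large mail stores do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def select_files(root, extensions):
    """Walk root and return sorted relative paths whose extension is of interest."""
    selected = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in extensions:
                full = os.path.join(dirpath, name)
                selected.append(os.path.relpath(full, root))
    return sorted(selected)


def logical_acquire(root, dest, extensions=TARGET_EXTENSIONS):
    """Copy only files of interest into dest and return {relative_path: sha256}.

    Each file is hashed before and after the copy; a mismatch raises, because
    a silently altered copy is worse than an incomplete acquisition that the
    examiner knows about.
    """
    manifest = {}
    for rel in select_files(root, extensions):
        src = os.path.join(root, rel)
        dst = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        before = sha256_file(src)
        shutil.copy2(src, dst)  # copy2 preserves modification times, metadata the case may need
        after = sha256_file(dst)
        if before != after:
            raise IOError("hash mismatch after copying %s" % rel)
        manifest[rel] = after
    return manifest


def make_sample_tree():
    """Create a constructed user profile: two Outlook files plus unrelated noise."""
    root = tempfile.mkdtemp(prefix="suspect_")
    files = {
        os.path.join("Outlook", "archive.pst"): b"constructed pst content " * 8,
        os.path.join("Outlook", "mailbox.OST"): b"constructed ost content " * 16,
        os.path.join("Documents", "notes.txt"): b"not of interest to this case",
        os.path.join("Pictures", "holiday.jpg"): b"\xff\xd8\xff" + b"\x00" * 50,
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


def make_evidence_dir():
    return tempfile.mkdtemp(prefix="evidence_")


if __name__ == "__main__":
    suspect = make_sample_tree()
    evidence = make_evidence_dir()
    for rel, digest in logical_acquire(suspect, evidence).items():
        print(digest, rel)
    shutil.rmtree(suspect)
    shutil.rmtree(evidence)
```

In a real case the source would be a read-only mounted image or a drive behind a write blocker, and the manifest would be saved alongside the copies; the per-file hashes play the same role for a logical acquisition that the whole-image hash plays for a bit-stream image.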

Determining the Best Acquisition Method (Cont.)
- Main considerations when acquiring data
  - Size of the source (suspect) disk
    - Lossless compression might compress a disk image by 50% or more
    - Use an MD5 or SHA-1 hash to verify the image
(Speaker note: Page 104. Lossless compression is a class of data compression algorithms used in cases where it is important that the original and the decompressed data be identical; it is used by the zip file format.)

Determining the Best Acquisition Method (Cont.)
- Main considerations when acquiring data (Cont.)
  - When working with large drives, an alternative is using tape backup systems
    - No limit to the size of the data acquisition; just use many tapes
    - But slow
  - Whether or not you can retain the suspect's disk
    - In civil litigation, you may be asked to return the original disk after imaging it
(Speaker note: Page 104.)

Contingency Planning for Image Acquisitions
- Create a duplicate copy of your evidence image file
- Make at least two images of digital evidence, using different tools or techniques
- Copy the host protected area of a disk drive
  - Consider using a hardware acquisition tool that can access the drive at the BIOS level
- Be prepared to deal with encrypted drives
  - Whole disk encryption feature in Windows Vista Ultimate and Enterprise editions
(Speaker note: Page 105. Whole disk encryption: an encryption technique that performs a sector-by-sector encryption of an entire drive. Each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method. The host protected area is an area of a hard drive that is not normally visible to an operating system, often used by manufacturers to hide a maintenance and recovery system for the computer.)

Validating Data Acquisitions
- Most critical aspect of computer forensics
- Requires using a hashing algorithm utility
- Validation techniques: CRC-32, MD5, and SHA-1 to SHA-512
  - MD5 has collisions, so it is not perfect, but it's still widely used
  - SHA-1 has some collisions but it's better than MD5

Validating Data Acquisitions (Cont.)
- Windows validation methods
  - Windows has no built-in hashing algorithm tools for computer forensics; third-party utilities can be used
  - Commercial computer forensics programs also have built-in validation features; each program has its own validation technique
  - Raw format image files don't contain metadata, so separate manual validation is recommended for all raw acquisitions
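The two validation slides make three points that a manual check has to honour: the image must be re-hashed and compared with the value recorded at acquisition, the record lives outside a raw image, and MD5 and SHA-1 are weak enough that a stronger digest should be recorded beside them. The following is an added example written for these notes, not a utility from the textbook or from any forensic suite: it computes MD5, SHA-1 and SHA-256 in a single pass over the image and compares each against a recorded value. The recorded digests and the sample image in the usage section are constructed; SHA-256 is included by this example, not named on the slide.

```python
import hashlib
import hmac
import io

# MD5 and SHA-1 as on the slide; SHA-256 added because the first two are weak.
DEFAULT_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_image(source, algorithms=DEFAULT_ALGORITHMS, chunk_size=1 << 20):
    """Compute several digests of an image in a single pass.

    `source` is bytes or a binary file object opened in "rb" mode. Reading
    the image once and feeding every hash object from the same chunk matters
    for multi-hundred-gigabyte images: re-reading once per algorithm
    multiplies the validation time by the number of algorithms.
    """
    if isinstance(source, (bytes, bytearray)):
        source = io.BytesIO(source)
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def validate_image(source, recorded):
    """Compare fresh digests with those recorded at acquisition time.

    `recorded` maps algorithm name -> hex digest from the acquisition log; a
    raw image has no embedded hash, so this record is kept separately.
    Returns {"per_algorithm": {name: bool}, "valid": bool}, where "valid"
    is True only if every recorded algorithm agrees. compare_digest avoids
    a short-circuit string comparison, which costs nothing here and is the
    habit to keep for any hash comparison.
    """
    fresh = hash_image(source, tuple(recorded))
    per_algorithm = {
        name: hmac.compare_digest(fresh[name], recorded[name].lower())
        for name in recorded
    }
    return {"per_algorithm": per_algorithm, "valid": all(per_algorithm.values())}


if __name__ == "__main__":
    # Constructed image and a constructed acquisition record for it.
    image = bytes(range(256)) * 64
    record = hash_image(image)
    print("acquisition record:", record)
    print("unchanged image:", validate_image(image, record))
    altered = bytearray(image)
    altered[1000] ^= 0x01  # a single flipped bit anywhere in the image
    print("altered image:", validate_image(bytes(altered), record))
```

Returning a per-algorithm result rather than a single boolean lets the examiner's notes state which digests were checked; a record that carries only an MD5 validates just as cleanly as one carrying SHA-256, and the report should make that difference visible.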

Summary
- Data acquisition methods
- Plan your digital evidence contingencies
- Several tools available
- Use a physical write-blocker device for acquisitions
- Always validate the acquisition