1. CSE 4482: Computer Security Management: Assessment and Forensics
Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875
Lectures: Tues (CB 122), 7–10 PM
Office hours: Wed 3-5 pm (CSEB 3043), or by appointment.
Textbooks:
1. "Management of Information Security", M. E. Whitman, H. J. Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition
2. "Guide to Computer Forensics and Investigations", B. Nelson, A. Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE Learning, 2010, 4th Edition.
4/17/2017

2. GFCI Ch 1: Computer Forensics
Objectives
Define computer forensics
Describe how to prepare for computer investigations and explain the difference between law enforcement agency and corporate investigations
Explain the importance of maintaining professional conduct 2 2

3. What is Computer Forensics?
Definition: Involves obtaining and analyzing digital information, often as evidence in civil, criminal, or administrative cases
Computer forensics:
Investigates data that can be retrieved from a computer’s hard disk or other storage media
Task of recovering data that users have hidden or deleted and using it as evidence
Evidence can be inculpatory (“incriminating”) or exculpatory 3 3

4. Computer Forensics Versus Other Related Disciplines
Network forensics
Yields information about how a perpetrator or an attacker gained access to a network
Data recovery
Recovering information that was deleted by mistake, or lost during a power surge or server crash
Typically you know what you’re looking for 4 4

5. Computer Forensics Versus Other Related Disciplines (continued)
Disaster recovery
Uses computer forensics techniques to retrieve information their clients have lost
Investigators often work as a team to make computers and networks secure in an organization 5 5

6. Digital Evidence Locard’s principle: “every contact leaves a trace”
any information, stored or transmitted in digital form, that a party to a court case may use at a trial
To be accepted in court, digital evidence must meet certain criteria …
Admissibility
Authenticity

7. Case study
In this case, American Express (Amex) claimed that Mr. Vinhnee had failed to pay his credit card debts, and took legal action to recover the money. But the trial judge determined that Amex failed to authenticate its electronic records, and therefore Amex could not admit its own business records into evidence. Among other problems, the court said that Amex failed to provide adequate information about its computer policy & system control procedures, control of access to relevant databases & programs, how changes to data were recorded or logged, what backup practices were in place, and how Amex could provide assurance of continuing integrity of their records.
The judge pointed out that, "... the focus is not on the circumstances of the creation of the record, but rather on the circumstances of the preservation of the record so as to assure that the document being proffered is the same as the document that originally was created ...“

8. Lessons
Document your access control and backup procedures and policies and test effectiveness of your controls.
Have the changes to your databases and content/record management system routinely recorded and logged.
Protect your electronic record from post-archival tampering with modern data integrity and trusted time-stamping technologies.
Document the audit procedures you use to provide assurance of the continuing authenticity of the records.

9. The Investigations Triad9 9

10. Computer Forensics: A Brief History
By the 1970s, electronic crimes were increasing, especially in the financial sector
Most law enforcement officers didn’t know enough about computers to ask the right questions
Or to preserve evidence for trial
1980s
PCs gained popularity and different OSs emerged
Disk Operating System (DOS) was available
Forensics tools were simple, and most were generated by government agencies 10 10

11. A Brief History (1980s) Mid-1980s 1987 Apple Mac SE -
Xtree Gold appeared on the market
Recognized file types and retrieved lost or deleted files
Norton DiskEdit soon followed
And became the best tool for finding deleted file
1987 Apple Mac SE -
A Macintosh with an external EasyDrive hard disk with 60 MB of storage 11 11

12. A Brief History (1990s) Tools for computer forensics were available
International Association of Computer Investigative Specialists (IACIS)
Training on software for forensics investigations
IRS created search-warrant programs
ExpertWitness for the Macintosh
First commercial GUI software for computer forensics
Created by ASR Data
Recovers deleted files and fragments of deleted files
Large hard disks posed problems for investigators
Other software
iLook
AccessData Forensic Toolkit (FTK) 12 12

13. Understanding Case Law
Technology is evolving at a very rapid pace
Existing laws and statutes cannot keep up
Case law used when statutes or regulations don’t exist
Case law allows legal counsel to use previous cases similar to the current one
Because the laws don’t yet exist
Each case is evaluated on its own merit and issues
Computer Crime & Intellectual Property document at US DoJ: 13 13

14. Case study case law does not involve creating new criminal offenses
“… an investigator viewing computer files by using a search warrant related to drug dealing. While viewing the files, he ran across images of child pornography. Instead of waiting for a new warrant, he kept searching. As a result, all evidence regarding the pictures was excluded. Investigators must be familiar with recent rulings to avoid making similar mistakes.”
case law does not involve creating new criminal offenses

15. Developing Computer Forensics Resources
know more than one computing platform
Such as DOS, Windows 9x, Linux, Macintosh, and current Windows platforms
Join many computer user groups - Computer Technology Investigators Network (CTIN)
Meets monthly to discuss problems that law enforcement and corporations face
High Technology Crime Investigation Association (HTCIA)
Exchanges information about techniques related to computer investigations and security 15 15

16. Developing Computer Forensics Resources (continued)
User groups can be helpful
Build a network of computer forensics experts and other professionals
And keep in touch through
Outside experts can provide detailed information you need to retrieve digital evidence 16 16

17. Case Study
A user group helped convict a child molester in Pierce County, Washington, in The suspect installed video cameras throughout his house, served alcohol to young women to intoxicate them, and secretly filmed them playing strip poker. When he was accused of molesting a child, police seized his computers and other physical evidence. The investigator discovered that the computers used CoCo DOS, an OS that had been out of use for years. The investigator contacted a local user group, which supplied the standard commands and other information needed to gain access to the system. On the suspect’s computer, the investigator found a diary detailing the suspect’s actions over the past 15 years, including the molestation of more than 400 young women. As a result, the suspect received a longer sentence than if he had been convicted of molesting only one child.

18. Investigating Computers
Typically includes
collecting computer data securely,
examining suspect data to determine details such as origin and content,
presenting compute-based information to courts, and
applying laws to computer practice.
Two distinct categories
Public investigations
Private or corporate investigations

19. Public investigations
Involve government agencies responsible for criminal investigations and prosecution
Organizations must observe legal guidelines
Law of search and seizure: Protects rights of all people, incl. suspects 19 19

20. Private Investigations
Private or corporate investigations
Deal with private companies, non-law-enforcement government agencies, and lawyers
Aren’t governed directly by criminal law or Fourth Amendment issues
Governed by internal policies that define expected employee behavior and conduct in the workplace
Private corporate investigations also involve litigation disputes
Investigations are usually conducted in civil cases 20 20

21. Understanding Law Enforcements Agency Investigations
In a criminal case, a suspect is tried for a criminal offense
Such as burglary, murder, or molestation
Computers and networks are only tools that can be used to commit crimes
Many states have added specific language to criminal codes to define crimes involving computers
Following the legal process
Legal processes depend on local custom, legislative standards, and rules of evidence 21 21

22. Understanding LEA Investigations (continued)
Criminal case follows three stages: The complaint, the investigation, and the prosecution 22 22

23. Understanding LEA Investigations (continued)
A criminal case begins when someone finds evidence of an illegal act
Complainant makes an allegation, an accusation or supposition of fact
A police officer interviews the complainant and writes a report about the crime
Police blotter provides a record of clues to crimes that have been committed previously
Investigators delegate, collect, and process the information related to the complaint 23 23

24. Understanding LEA Investigations (continued)
After a case is built, the information is turned over to the prosecutor
Affidavit
Sworn statement of support of facts about or evidence of a crime
Submitted to a judge to request a search warrant
Have the affidavit notarized under sworn oath
Judge must approve and sign a search warrant, it can be used to collect evidence 24 24

25. Understanding LEA Investigations (continued)25 25

26. Understanding Corporate Investigations
Private or corporate investigations Involve private companies and lawyers who address company policy violations and litigation disputes
Corporate computer crimes can involve:
harassment
Falsification of data
Gender and age discrimination
Embezzlement
Sabotage
Industrial espionage 26 26

27. Preventive measures Establishing company policies
One way to avoid litigation is to publish and maintain policies that employees find easy to read and follow
Published company policies provide a line of authority
For a business to conduct internal investigations
Well-defined policies
Give computer investigators and forensic examiners the authority to conduct an investigation
Displaying Warning Banners
Another way to avoid litigation
Usually appears when a computer starts or connects to the company intranet, network, or virtual private network 27 27

28. Preventive measures (continued)
Warning banner
Informs end users that the organization reserves the right to inspect computer systems and network traffic at will
Establishes the right to conduct an investigation
As a corporate computer investigator
Make sure company displays well-defined warning banner 28 28

29. More on Corporate Investigations
Designating an authorized requester
Authorized requester has the power to conduct investigations
Policy should be defined by executive management
Groups that should have direct authority to request computer investigations
Corporate Security Investigations
Corporate Ethics Office
Corporate Equal Employment Opportunity Office
Internal Auditing
The general counsel or Legal Department 29 29

30. Ch 2: Understanding Computer Investigations
Objectives:
Explain how to prepare a computer investigation
Apply a systematic approach to an investigation
Describe procedures for corporate high-tech investigations
Explain requirements for data recovery workstations and software
Describe how to conduct an investigation
Explain how to complete and critique a case

31. Preparing a Computer Investigation
Role of computer forensics professional is to gather evidence to prove that a suspect committed a crime or violated a company policy
Collect evidence that can be offered in court or at a corporate inquiry
Investigate the suspect’s computer
Preserve the evidence on a different computer
Follow an accepted procedure to prepare a case
Chain of custody: Route the evidence takes from the time you find it until the case is closed or goes to court 31

32. Case study: CD Universe Prosecution Failure
“An extortion attempt involving credit card numbers stolen from the computers of Internet retailer CD Universe occurred in January Someone calling himself “Maxim” said that he had copied 300,000 credit card numbers from their database in December Maxim threatened to post that confidential data on the Internet unless he was paid $100,000 …Six months after Maxim had broken into CD Universe, US authorities were unable to find him. Even if law enforcement had found him, they probably would not have been able to prosecute the case because e-evidence collected from the company’s computers had not been properly protected. The chain of custody had not been properly established.
Although it was not clear exactly how the CD Universe evidence was compromised, it seemed that in the initial rush to learn how Maxim got into the company’s network, FBI agents and employees from three computer security firms accessed original files instead of working from a forensic copy. …”

33. An Overview of a Computer Crime
Computers can contain information that helps law enforcement determine:
Chain of events leading to a crime
Evidence that can lead to a conviction
Law enforcement officers should follow proper procedure when acquiring the evidence
Digital evidence can be easily altered by an overeager investigator
Information on hard disks might be password protected
Guidelines: Ch 1, 2 in 33

34. Examining a Computer Crime34

35. An Overview of a Company Policy Violation
Employees misusing resources can cost companies millions of dollars
Misuse includes:
Surfing the Internet
Sending personal s
Using company computers for personal tasks
Example: Two employees have gone missing… 35

36. Taking a Systematic Approach
Steps for problem solving
Make an initial assessment about the type of case you are investigating
Determine a preliminary design or approach Create a detailed checklist
Determine the resources you need
Obtain and copy an evidence disk drive
Identify the risks
Mitigate or minimize the risks
Test the design 36

37. Taking a Systematic Approach II
Steps for problem solving (continued)
Analyze and recover the digital evidence
Investigate the data you recover
Complete the case report
Critique the case 37

38. Assessing the Case Systematically outline the case details
Situation
Nature of the case
Specifics of the case
Type of evidence
Operating system
Known disk format
Location of evidence
Based on case details, you can determine the case requirements
Computer forensics tools
Special operating systems 38

39. Planning an Investigation
A basic investigation plan should include:
Acquire the evidence
Complete an evidence form and establish a chain of custody
Transport the evidence to a computer forensics lab
Secure evidence in an approved secure container
Prepare a forensics workstation
Obtain the evidence from the secure container
Make a forensic copy of the evidence
Return the evidence to the secure container
Process the copied evidence with computer forensics tools 39

40. Securing Your Evidence
Use evidence bags to secure and catalog the evidence
Use computer safe products
Antistatic bags
Antistatic pads
Use well padded containers
Use evidence tape to seal all openings
Floppy disk or CD drives
Power supply electrical cord
Write your initials on tape to prove that evidence has not been tampered with
Consider computer specific temperature and humidity ranges 40

41. Procedures for Corporate High-Tech Investigations
Develop formal procedures and informal checklists, to cover all issues important to high-tech investigations
Majority of investigative work for termination cases involves employee abuse of corporate assets 41

42. Internet abuse investigations
To conduct an investigation you need:
Organization’s Internet proxy server logs
Suspect computer’s IP address
Suspect computer’s disk drive
Your preferred computer forensics analysis tool
Recommended steps
Use standard forensic analysis techniques and procedures
Use appropriate tools to extract all Web page URL information
Contact the network firewall administrator and request a proxy server log
Compare the data recovered from forensic analysis to the proxy server log
Continue analyzing the computer’s disk drive data 42

43. E-mail abuse investigations
To conduct an investigation you need:
An electronic copy of the offending that contains message header data
If available, server log records
For systems that store users’ messages on a central server, access to the server
Access to the computer for performing forensic analysis
Your preferred computer forensics analysis tool
Recommended steps
Use the standard forensic analysis techniques
Obtain an electronic copy of the suspect’s and victim’s folder or data
For Web-based investigations, use tools such as FTK’s Internet Keyword Search option to extract all related address information
Examine header data of all messages of interest 43

44. Attorney-Client Privilege Investigations
Under attorney-client privilege (ACP) rules for an attorney
You must keep all findings confidential
The extra secrecy introduces additional problems 44

45. Media Leak Investigations
In the corporate environment, controlling sensitive data can be difficult
Consider the following for media leak investigations
Examine
Examine Internet message boards
Examine proxy server logs
Examine known suspects’ workstations
Examine all company telephone records
Steps to take for media leaks
Interview management privately
To get a list of employees who have direct knowledge of the sensitive data
Identify media source that published the information
Review company phone records
Obtain a list of keywords related to the media leak
Perform keyword searches on proxy and servers 45

46. Media Leak Investigations II
Steps to take for media leaks (continued)
Discreetly conduct forensic disk acquisitions and analysis
From the forensic disk examinations, analyze all correspondence
And trace any sensitive messages to other people
Expand the discreet forensic disk acquisition and analysis
Consolidate and review your findings periodically
Routinely report findings to management 46

47. Industrial Espionage Investigations
All suspected industrial espionage cases should be treated as criminal investigations
Staff needed
Computing investigator who is responsible for disk forensic examinations
Technology specialist who is knowledgeable of the suspected compromised technical data
Network specialist who can perform log analysis and set up network sniffers
Threat assessment specialist (typically an attorney)
Many guidelines in the text. 47

48. Understanding Data Recovery Workstations and Software
Investigations are conducted on a computer forensics lab (or data-recovery lab)
Computer forensics and data-recovery are related but different
Computer forensics workstation
Specially configured personal computer
Loaded with additional bays and forensics software
To avoid altering the evidence use:
Forensics boot floppy disk
Write-blockers devices 48

49. Setting Up your Computer for Computer Forensics
Basic requirements
A workstation running Windows XP or Vista
A write-blocker device
Computer forensics acquisition tool
Computer forensics analysis tool
Target drive to receive the source or suspect disk data
Spare PATA or SATA ports
USB ports
Additional useful items
Network interface card (NIC)
Extra USB ports
FireWire 400/800 ports
SCSI card
Disk editor tool
Text editor tool
Graphics viewer program
Other specialized viewing tools 49

50. Bit-Stream Copies Bit-stream copy Bit-stream image
Bit-by-bit copy of the original storage medium
Exact copy of the original disk
Different from a simple backup copy
Backup software only copy known files
Backup software cannot copy deleted files, messages or recover file fragments
Bit-stream image
File containing the bit-stream copy of all data on a disk or partition
Also known as forensic copy
Copy image file to a target disk that matches the original disk’s manufacturer, size and model 50

51. Bit-stream Copies (continued)51

52. Acquiring an Image of Evidence Media
First rule of computer forensics: Preserve the original evidence
Conduct your analysis on a copy of the data
Using ProDiscover Basic to acquire a thumb drive
Create a work folder for data storage
Steps
On the thumb drive locate the write-protect switch and place the drive in write-protect mode
Start ProDiscover Basic 52

53. ProDiscover use (continued)53

54. ProDiscover use (continued)
Using ProDiscover Basic to acquire a thumb drive (continued)
Steps (continued)
In the main window, click Action, Capture Image from the menu
Click the Source Drive drop-down list, and select the thumb drive
Click the >> button next to the Destination text box
Type your name in the Technician Name text box
ProDiscover Basic then acquires an image of the USB thumb drive
Click OK in the completion message box 54

55. ProDiscover use (continued)55

56. Analyzing Digital Evidence
Your job is to recover data from:
Deleted files
File fragments
Complete files
Deleted files linger on the disk until new data is saved on the same physical location
Tool
ProDiscover Basic 56

57. Analyzing Digital Evidence (contd)
Steps
Start ProDiscover Basic
Create a new case
Type the project number
Add an Image File
Steps to display the contents of the acquired data
Click to expand Content View
Click All Files under the image filename path 57

58. Analyzing Digital Evidence (continued)58

59. Analyzing Digital Evidence (contd)
Analyze the data
Search for information related to the complaint
Data analysis can be most time-consuming task 59

60. ProDiscover Basic can Search for keywords of interest in the case
Display the results in a search results window
Click each file in the search results window and examine its content in the data area
Export the data to a folder of your choice
Search for specific filenames
Generate a report of your activities 60

61. ProDiscover Basic - contd61

62. ProDiscover Basic - contd62

63. Completing the Case You need to produce a final report
State what you did and what you found
Include ProDiscover report to document your work
Repeatable findings
Repeat the steps and produce the same result
If required, use a report template
Report should show conclusive evidence
Suspect did or did not commit a crime or violate a company policy 63

64. Critiquing the Case Ask yourself the following questions:
How could you improve your performance in the case?
Did you expect the results you found? Did the case develop in ways you did not expect?
Was the documentation as thorough as it could have been?
What feedback has been received from the requesting source?
Did you discover any new problems? If so, what are they?
Did you use new techniques during the case or during research? 64

65. Next: Ch 4 - Data Acquisition
Objectives
List digital evidence storage formats
Explain ways to determine the best acquisition method
Describe contingency planning for data acquisitions
Explain how to use acquisition tools
Explain how to validate data acquisitions
Describe RAID acquisition methods
Explain how to use remote network acquisition tools
List other forensic tools available for data acquisitions

66. Understanding Storage Formats for Digital Evidence
Three formats
Raw format
Proprietary formats
Advanced Forensics Format (AFF) 66

67. Raw Format Makes it possible to write bit-stream data to files
Advantages
Fast data transfers
Can ignore minor data read errors on source drive
Most computer forensics tools can read raw format
Disadvantages
Requires as much storage as original disk or data
Tools might not collect marginal (bad) sectors 67

68. Proprietary Formats Features offered Disadvantages
Option to compress or not compress image files
Can split an image into smaller segmented files
Can integrate metadata into the image file
Disadvantages
Inability to share an image between different tools
File size limitation for each segmented volume 68

69. Advanced Forensics Format
Open source, developed by Dr. Simson L. Garfinkel of Basis Technology Corporation
Design goals
Provide compressed or uncompressed image files
No size restriction for disk-to-image files
Provide space in the image file or segmented files for metadata
Simple design with extensibility
Internal consistency checks for self-authentication
File extensions include .afd for segmented image files and .afm for AFF metadata 69

70. Types of Data Acquisition
Static acquisitions and live acquisitions
Four methods
Bit-stream disk-to-image file
Bit-stream disk-to-disk
Logical disk-to-disk or disk-to-disk data
Sparse data copy of a file or folder 70

71. Bit stream copy Bit-stream disk-to-image file Bit-stream disk-to-disk
Most common method
Can make more than one copy
Copies are bit-for-bit replications of the original drive
ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
Bit-stream disk-to-disk
When disk-to-image copy is not possible
Consider disk’s geometry configuration
EnCase, SafeBack, SnapCopy 71

72. Logical acquisition or sparse acquisition
When your time is limited
Logical acquisition captures only specific files of interest to the case
Sparse acquisition also collects fragments of unallocated (deleted) data
For large disks
PST or OST mail files, RAID servers 72

73. Determining the Best Acquisition Method (continued)
When making a copy, consider:
Size of the source disk
Lossless compression might be useful
Use digital signatures for verification
When working with large drives, an alternative is using tape backup systems
Whether you can retain the disk 73

74. Contingency Planning for Image Acquisitions
Create a duplicate copy of your evidence image file
Make at least two images of digital evidence
Use different tools or techniques
Copy host protected area of a disk drive as well
Consider using a hardware acquisition tool that can access the drive at the BIOS level
Be prepared to deal with encrypted drives
Whole disk encryption feature in Windows Vista Ultimate and Enterprise editions 74

75. Using Acquisition Tools
Acquisition tools for Windows
Advantages
Make acquiring evidence from a suspect drive more convenient
Especially when used with hot-swappable devices
Disadvantages
Must protect acquired data with a well-tested write-blocking hardware device
Tools can’t acquire data from a disk’s host protected area 75

76. Windows XP Write-Protection with USB Devices
USB write-protection feature
Blocks any writing to USB devices
Target drive needs to be connected to an internal PATA (IDE), SATA, or SCSI controller
Steps to update the Registry for Windows XP SP2
Back up the Registry
Modify the Registry with the write-protection feature
Create two desktop icons to automate switching between enabling and disabling writes to USB device 76

77. Windows XP Write-Protection with USB Devices (continued)77

78. Acquiring Data with a Linux Boot CD
Linux can access a drive that isn’t mounted
Windows OSs and newer Linux automatically mount and access a drive
Forensic Linux Live CDs don’t access media automatically
Which eliminates the need for a write-blocker
Using Linux Live CD Distributions
Forensic Linux Live CDs
Contain additionally utilities 78

79. Acquiring Data with a Linux Boot CD (continued)
Using Linux Live CD Distributions (continued)
Forensic Linux Live CDs (continued)
Configured not to mount, or to mount as read-only, any connected storage media
Well-designed Linux Live CDs for computer forensics
Helix
Penguin Sleuth
FCCU
Preparing a target drive for acquisition in Linux
Linux distributions can create Microsoft FAT and NTFS partition tables 79

80. Acquiring Data with a Linux Boot CD (continued)
Preparing a target drive for acquisition in Linux (continued)
fdisk command lists, creates, deletes, and verifies partitions in Linux
mkfs.msdos command formats a FAT file system from Linux
Acquiring data with dd in Linux
dd (“data dump”) command
Can read and write from media device and data file
Creates raw format file that most computer forensics analysis tools can read 80

81. Acquiring Data with dd (contd)
Shortcomings of dd command
Requires more advanced skills than average user
Does not compress data
dd command is intended as a data management tool, not designed for forensics acquisitions
dd command combined with the split command: Segments output into separate volumes
Acquiring data with dcfldd in Linux
dcfldd additional functions
Specify hex patterns or text for clearing disk space
Log errors to an output file for analysis and review
Use several hashing options
Refer to a status display indicating the progress of the acquisition in bytes
Split data acquisitions into segmented volumes with numeric extensions
Verify acquired data with original disk or media data 81

82. Capturing an Image with ProDiscover Basic
Connecting the suspect’s drive to your workstation
Document the chain of evidence for the drive
Remove the drive from the suspect’s computer
Configure the suspect drive’s jumpers as needed
Connect the suspect drive
Create a storage folder on the target drive
Using ProDiscover’s Proprietary Acquisition Format
Image file will be split into segments of 650MB
Creates image files with an .eve extension, a log file (.log extension), and a special inventory file (.pds extension) 82

83. Capturing an Image with ProDiscover Basic (continued)83

84. 84

85. Capturing an Image with ProDiscover Basic (continued)
Using ProDiscover’s Raw Acquisition Format
Select the UNIX style dd format in the Image Format list box
Raw acquisition saves only the image data and hash value 85

86. Capturing an Image with AccessData FTK Imager
Included on AccessData Forensic Toolkit
View evidence disks and disk-to-image files
Makes disk-to-image copies of evidence drives
At logical partition and physical drive level
Can segment the image file
Evidence drive must have a hardware write-blocking device
Or the USB write-protection Registry feature enabled
FTK Imager can’t acquire drive’s host protected area 86

87. Capturing an Image with AccessData FTK Imager II87

88. Capturing an Image with AccessData FTK Imager III
Steps
Boot to Windows
Connect evidence disk to a write-blocker
Connect target disk to write-blocker
Start FTK Imager
Create Disk Image
Use Physical Drive option 88

89. Capturing an Image with AccessData FTK Imager IV89

90. Validating Data Acquisitions
Most critical aspect of computer forensics
Requires using a hashing algorithm utility
Validation techniques
CRC-32, MD5, and SHA-1 to SHA-512 90

91. Linux Validation Methods
Validating dd acquired data
You can use md5sum or sha1sum utilities
md5sum or sha1sum utilities should be run on all suspect disks and volumes or segmented volumes
Validating dcfldd acquired data
Use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512
hashlog option outputs hash results to a text file that can be stored with the image files
vf (verify file) option compares the image file to the original medium 91

92. Windows Validation Methods
Windows has no built-in hashing algorithm tools for computer forensics
Third-party utilities can be used
Commercial computer forensics programs also have built-in validation features
Each program has its own validation technique
Raw format image files don’t contain metadata
Separate manual validation is recommended for all raw acquisitions 92

93. Performing RAID Data Acquisitions
Size is the biggest concern
Many RAID systems now have terabytes of data
What is RAID and what is it used for?
Redundant array of independent (formerly “inexpensive”) disks (RAID)
Computer configuration involving two or more disks
Originally developed as a data-redundancy measure 93