Guide to Computer Forensics and Investigations, Second Edition: Chapter 9, Data Acquisition


Guide to Computer Forensics and Investigations, Second Edition

Chapter 9: Data Acquisition

Guide to Computer Forensics and Investigations, 2e 2

Objectives

• Determine the best acquisition method

• Plan data-recovery contingencies

• Use MS-DOS acquisition tools

Objectives (continued)

• Use GUI acquisition tools

• Use X-Ways Replica and other tools for data acquisition

• Recover data from PDAs

Determining the Best Acquisition Method

• Three ways
  – Bit-stream disk-to-image file
  – Bit-stream disk-to-disk
  – Sparse data copy of a file or folder

• Bit-stream disk-to-image file
  – Most common method
  – Can make more than one copy
  – EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook

Determining the Best Acquisition Method (continued)

• Bit-stream disk-to-disk
  – When a disk-to-image copy is not possible
  – Consider the disk’s geometry (CHS configuration)
  – SafeBack, SnapCopy, Norton Ghost 2002

• Sparse data copy
  – Creates exact copies of folders and files
  – For large disks
  – PST or OST mail files, RAID servers

Determining the Best Acquisition Method (continued)

• When making a copy, consider:
  – Size of the source disk
    • Lossless compression might be useful
    • Use digital signatures for verification
  – Whether you can retain the disk
  – How much time you have
  – Location of the evidence

Planning Data Recovery Contingencies

• Create a duplicate copy of your evidence image file

• Make at least two copies of digital evidence
  – Use different tools or techniques

• Copy the host-protected area of a disk drive as well
  – Image MaSSter Solo

• HAZMAT and environmental conditions

Using MS-DOS Acquisition Tools

• Original tools

• Fit on a forensic boot floppy disk
  – Require fewer resources

• DriveSpy
  – Data-preservation commands
  – Data-manipulation commands

Understanding How DriveSpy Accesses Sector Ranges

• First method
  – Absolute starting sector, total number of sectors
  – Example: 0:1000,100 (primary master drive)

• Second method
  – Absolute starting sector-ending sector
  – Example: 0:1000-1100 (101 sectors)

• Moving data
  – CopySect 0:1000,100 1:2000,100

Understanding How DriveSpy Accesses Sector Ranges (continued)

Using DriveSpy Data-Preservation Commands

• Work only on FAT16 and FAT32 disks

• SavePart
  – Acquires an entire partition
  – Even non-DOS partitions

• WritePart
  – Re-creates a saved partition in its original format
  – Be careful when restoring non-DOS partitions

Using the SavePart Command

• Creates an image file of a partition

• Uses lossless compression

• Copies image to target disk
  – Smaller disks
  – Removable media

• Generates an MD5 hash value

• Cannot be used with partition gaps

Using the WritePart Command

• Re-create saved partition image files created with SavePart

• Decompresses the image file and writes it to the target disk
  – Checks that the target disk is equal to or larger than the original disk

• Prompts for all disks where image file is stored
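The acquisition considerations listed under "Determining the Best Acquisition Method" (source disk size, lossless compression, hash values for verification) and the SavePart/WritePart behaviour described on the slides above, worked through as an added example. This is not the textbook's or DriveSpy's code: it assumes an in-memory bytes object standing in for the source partition, zlib as the lossless compressor, 512-byte sectors, and an image layout (compressed segments plus recorded MD5/SHA-256 digests) that is constructed for the example rather than DriveSpy's own format.

```python
# Added example (not from the textbook or DriveSpy): bit-stream partition-to-image
# acquisition with lossless compression, segmentation for small removable media,
# MD5/SHA-256 verification, and a WritePart-style restore that refuses a target
# smaller than the original. Assumptions: the partition is an in-memory bytes object,
# zlib is the compressor, 512-byte sectors; the image layout below is constructed.
import hashlib
import zlib

SECTOR = 512


def acquire(source: bytes, segment_sectors: int) -> dict:
    """Bit-stream copy of `source` into compressed segments, each covering at most
    `segment_sectors` sectors so a large partition can span several smaller disks.
    Digests are taken over the raw stream before compression, so they describe
    the evidence itself rather than the container."""
    if len(source) % SECTOR:
        raise ValueError("source length is not a whole number of sectors")
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    segments = []
    step = segment_sectors * SECTOR
    for off in range(0, len(source), step):
        chunk = source[off:off + step]
        md5.update(chunk)
        sha256.update(chunk)
        segments.append(zlib.compress(chunk, 9))  # lossless: decompresses to the exact bytes
    return {
        "sectors": len(source) // SECTOR,
        "segments": segments,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def fits(image: dict, target_sectors: int) -> bool:
    """WritePart's precondition: the target must be equal to or larger than the original."""
    return target_sectors >= image["sectors"]


def restore(image: dict, target_sectors: int) -> bytes:
    """Decompress every segment in order onto a target of `target_sectors` sectors.
    Any space beyond the original partition is left zero-filled."""
    if not fits(image, target_sectors):
        raise ValueError(
            f"target has {target_sectors} sectors, image needs {image['sectors']}")
    data = b"".join(zlib.decompress(seg) for seg in image["segments"])
    return data + b"\x00" * (target_sectors * SECTOR - len(data))


def verify(image: dict, data: bytes) -> bool:
    """Recompute both digests over the first `sectors` sectors of `data` (the source
    disk or a restored copy) and compare with the values recorded at acquisition."""
    original = data[: image["sectors"] * SECTOR]
    return (hashlib.md5(original).hexdigest() == image["md5"]
            and hashlib.sha256(original).hexdigest() == image["sha256"])


def sample_partition() -> bytes:
    """Constructed 64-sector partition: a fake boot sector ending in 0x55AA, a few
    sectors of text, and zero-filled free space (which is why it compresses well)."""
    boot = b"FAKEBOOT".ljust(510, b"\x00") + b"\x55\xaa"
    text = (b"notes.txt: meeting with supplier, 2004-03-01\n" * 40).ljust(4 * SECTOR, b"\x00")
    return (boot + text).ljust(64 * SECTOR, b"\x00")


if __name__ == "__main__":
    part = sample_partition()
    image = acquire(part, 16)                 # four 16-sector segments
    print(len(image["segments"]), "segments, md5", image["md5"][:12], "...")
    copy = restore(image, 80)                 # onto a larger target disk
    print("verified:", verify(image, copy), "| fits 32-sector target:", fits(image, 32))
    tampered = part[:-1] + b"\x01"
    print("tampered copy verifies:", verify(image, tampered))
```

The digests are computed over the uncompressed stream, which is what makes "lossless compression is acceptable" hold: after `restore`, `verify` recomputes the same values from the decompressed bytes. Changing a single byte of the copy, as the last lines of the block do, flips the verification to False.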

Using the WritePart Command (continued)

Using DriveSpy Data-Manipulation Commands

• Isolate specific areas of a disk for examination

• Commands:
  – SaveSect
  – WriteSect

Using the SaveSect Command

• Copies specific sectors on a disk to a file
  – Bit-stream copy

• Creates non-compressed files
  – Flat files

• For hidden or deleted partitions and gaps

• Drive and Partition modes

• Example:
  – SaveSect 1:40000-49999 c:\dir_name\file_name

Using the SaveSect Command (continued)

Using the WriteSect Command

• Re-creates data acquired with SaveSect

• Use it in DriveSpy’s Drive and Partition modes

• Example:
  – WriteSect c:\dir_name\file_name 2:10000

• Disadvantage:
  – Can overwrite data on target disk

• Useful for non-Microsoft FAT file systems
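The two sector-range notations from "Understanding How DriveSpy Accesses Sector Ranges" (start,count and start-end) together with the SaveSect, WriteSect and CopySect commands described on the slides above, worked through as an added example. This is not DriveSpy's code, only a model of its notation: it assumes drives are in-memory bytearrays keyed by drive number, 512-byte sectors, and Drive mode only (absolute sector numbers). The check for non-empty destination sectors before WriteSect is my own addition, illustrating the "can overwrite data on target disk" disadvantage; DriveSpy itself is not described as doing this.

```python
# Added example (not DriveSpy's code): parse DriveSpy's two sector-range notations
# and model SaveSect / WriteSect / CopySect over in-memory drives. Assumptions:
# drives are bytearrays keyed by drive number, 512-byte sectors, Drive mode only
# (absolute sector numbers), and the overwrite check is my own addition.
import re

SECTOR = 512
_SPEC = re.compile(r"^(\d+):(\d+)(?:,(\d+)|-(\d+))?$")


def parse_range(spec: str):
    """Return (drive, start_sector, sector_count) for 'D:start,count' or
    'D:start-end' (end inclusive, so 0:1000-1100 covers 101 sectors). A bare
    'D:start', as in the WriteSect example, returns count None: the count
    then comes from the size of the file being written."""
    m = _SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"bad sector spec: {spec!r}")
    drive, start, count, end = m.groups()
    drive, start = int(drive), int(start)
    if count is not None:
        n = int(count)
    elif end is not None:
        n = int(end) - start + 1
    else:
        n = None
    if n is not None and n <= 0:
        raise ValueError(f"empty or reversed range: {spec!r}")
    return drive, start, n


def _check_bounds(drives: dict, drive: int, start: int, n: int) -> None:
    if drive not in drives:
        raise KeyError(f"no drive {drive}")
    total = len(drives[drive]) // SECTOR
    if start + n > total:
        raise ValueError(
            f"sectors {start}-{start + n - 1} exceed drive {drive} ({total} sectors)")


def save_sect(drives: dict, spec: str) -> bytes:
    """SaveSect: bit-stream copy of a sector range to a flat, uncompressed file
    (returned here as bytes instead of being written to disk)."""
    drive, start, n = parse_range(spec)
    if n is None:
        raise ValueError("SaveSect needs a sector count or an end sector")
    _check_bounds(drives, drive, start, n)
    return bytes(drives[drive][start * SECTOR:(start + n) * SECTOR])


def occupied_sectors(drives: dict, dest_spec: str, n: int) -> list:
    """Destination sectors that already hold non-zero data: exactly what a
    WriteSect of n sectors at dest_spec would overwrite."""
    drive, start, _ = parse_range(dest_spec)
    _check_bounds(drives, drive, start, n)
    buf = drives[drive]
    return [s for s in range(start, start + n)
            if any(buf[s * SECTOR:(s + 1) * SECTOR])]


def write_sect(drives: dict, data: bytes, dest_spec: str, force: bool = False) -> int:
    """WriteSect: put a flat file back starting at the destination sector.
    Refuses to clobber non-empty sectors unless force=True; returns sectors written."""
    if len(data) % SECTOR:
        raise ValueError("flat file is not a whole number of sectors")
    n = len(data) // SECTOR
    drive, start, declared = parse_range(dest_spec)
    if declared is not None and declared != n:
        raise ValueError(f"destination covers {declared} sectors but file holds {n}")
    clobbered = occupied_sectors(drives, dest_spec, n)
    if clobbered and not force:
        raise ValueError(
            f"would overwrite {len(clobbered)} non-empty sector(s), first at {clobbered[0]}")
    drives[drive][start * SECTOR:(start + n) * SECTOR] = data
    return n


def copy_sect(drives: dict, src_spec: str, dst_spec: str, force: bool = False) -> int:
    """CopySect: SaveSect followed by WriteSect without an intermediate file."""
    return write_sect(drives, save_sect(drives, src_spec), dst_spec, force)


def make_drives() -> dict:
    """Constructed drives: drive 0 has 200 sectors each naming its index;
    drive 1 has 300 blank sectors except sector 150, which holds data."""
    d0 = bytearray()
    for s in range(200):
        d0 += f"sector{s:04d}".encode().ljust(SECTOR, b"\x00")
    d1 = bytearray(300 * SECTOR)
    d1[150 * SECTOR:150 * SECTOR + 8] = b"occupied"
    return {0: d0, 1: d1}


if __name__ == "__main__":
    drives = make_drives()
    print(parse_range("0:1000,100"), parse_range("0:1000-1100"))   # 100 and 101 sectors
    blob = save_sect(drives, "0:10-19")                              # SaveSect to a flat file
    print("WriteSect wrote", write_sect(drives, blob, "1:20"), "sectors")
    print("WriteSect at 1:148 would overwrite:", occupied_sectors(drives, "1:148", 10))
    print("CopySect moved", copy_sect(drives, "0:0,3", "1:290,3"), "sectors")
```

The inclusive end in the second notation is the detail most easily got wrong: 0:1000-1100 is 101 sectors, not 100, and an off-by-one here means the last sector of a hidden partition or a gap is silently left out of the flat file.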

Using the WriteSect Command (continued)

Using Windows Acquisition Tools

• Make the job more convenient
  – Hot-swappable devices

• Drawbacks:
  – Windows can contaminate your evidence
  – Require write-blocking hardware devices
  – Cannot access host-protected areas

AccessData FTK Imager

• Included with AccessData FTK

• View evidence disks and bit-stream image files

• Makes bit-stream disk-to-image copies
  – At logical partition and physical drive level
  – Can segment the image file

AccessData FTK Imager (continued)

• Steps:
  – Boot up Windows
  – Connect evidence disk to a write-blocker
  – Connect target disk to write-blocker
  – Start FTK Imager
  – Create Disk Image

• Use Physical Drive option

AccessData FTK Imager (continued)

Using X-Ways Replica

• Compact bit-streaming application program

• Fits on a forensic bootable floppy disk

• Produces a dd-like image
  – Disk-to-image copy
  – Disk-to-disk copy

• Can access host-protected areas

Using Replica

• Create a forensic boot floppy disk

• Boot in MS-DOS

• Replica checks if HPA on BIOS is on
  – If yes, asks you to turn it off

• Reboot

• Copy information

PDA Data Acquisition

• PDAs store, send, and receive data
  – PDA/cell phone

• Synch with host computers
  – Duplicate a host PC during an investigation

• Paraben Forensic Tool
  – Special tool
  – GUI-based tool

PDA Data Acquisition (continued)

• Seize all PDA components
  – Cables and power supplies

• Learn how to put PDA in debug mode

PDA Data Acquisition (continued)

General Considerations for PDA Investigations

• Seize the PDA and host computer
  – PDA caddy and cables

• Collect documentation

• Get the power supply and recharge batteries
  – Leave it plugged into the PDA

• Create a bit-stream image and a backup copy of the host PC

• Obtain or locate password used on the PDA

Re-create the Host Computer

• Steps:
  – Connect caddy, cables, and external cards
  – Install backup copy on new host
  – Install PDA software
  – Read documentation and synch PDA
  – Examine downloaded PDA content

Re-create the Host Computer (continued)

Using Other Forensics-Acquisition Tools

• SnapBack DatArrest

• SafeBack

• EnCase

Exploring SnapBack DatArrest

• Columbia Data Products

• Old, reliable MS-DOS tool

• Perform bit-stream copy in three ways:
  – Disk to SCSI drive
  – Disk to network drive
  – Disk to disk

• Fits on a forensic boot floppy

• SnapCopy adjusts disk geometry

Exploring SafeBack

• Reliable MS-DOS tool

• Performs an SHA-256 calculation per sector copied

• Creates a log file
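The "SHA-256 calculation per sector copied" and "creates a log file" bullets above, worked through as an added example. It is not SafeBack's code and does not reproduce SafeBack's log format: it assumes in-memory source and target disks, 512-byte sectors, and a constructed log layout (one header line, then one "sector sha256" line per copied sector). The point it makes is why a per-sector log is worth having alongside a whole-disk hash: the verifier can name the first sector that no longer matches.

```python
# Added example (not SafeBack's code or log format): disk-to-disk bit-stream copy
# that logs a SHA-256 digest for every sector as it is written, plus a verifier
# that replays the log against a disk and reports the first sector that differs.
# Assumptions: in-memory source/target, 512-byte sectors, constructed log layout.
import hashlib

SECTOR = 512


def copy_with_log(source: bytes, target_sectors: int):
    """Copy `source` sector by sector onto a fresh target, returning the target
    bytes and a log text with one 'sector_number sha256' line per copied sector."""
    if len(source) % SECTOR:
        raise ValueError("source is not a whole number of sectors")
    n = len(source) // SECTOR
    if target_sectors < n:
        raise ValueError(f"target ({target_sectors} sectors) is smaller than source ({n})")
    target = bytearray(target_sectors * SECTOR)
    log = [f"# sectors={n} sector_size={SECTOR} digest=sha256"]
    for s in range(n):
        chunk = source[s * SECTOR:(s + 1) * SECTOR]
        target[s * SECTOR:(s + 1) * SECTOR] = chunk
        log.append(f"{s} {hashlib.sha256(chunk).hexdigest()}")
    return bytes(target), "\n".join(log) + "\n"


def verify_against_log(data: bytes, log_text: str):
    """Return (True, None) if every logged sector hashes the same in `data`,
    otherwise (False, first_mismatching_sector). A single whole-disk hash only
    says that something changed; the per-sector log says where."""
    lines = log_text.splitlines()
    header = dict(kv.split("=", 1) for kv in lines[0].lstrip("# ").split())
    if header.get("digest") != "sha256" or int(header.get("sector_size", 0)) != SECTOR:
        raise ValueError("unsupported log header")
    if len(lines) - 1 != int(header["sectors"]):
        raise ValueError("log entry count does not match header")
    for line in lines[1:]:
        sector, digest = line.split()
        s = int(sector)
        chunk = data[s * SECTOR:(s + 1) * SECTOR]
        if hashlib.sha256(chunk).hexdigest() != digest:
            return False, s
    return True, None


def sample_source() -> bytes:
    """Constructed 16-sector source disk: each sector names its own index."""
    return b"".join(
        f"sector {i}: acquisition sample".encode().ljust(SECTOR, b"\x00") for i in range(16))


if __name__ == "__main__":
    src = sample_source()
    target, log = copy_with_log(src, 24)
    print(log.splitlines()[0], "+", len(log.splitlines()) - 1, "entries")
    print("copy verifies:", verify_against_log(target, log))
    damaged = bytearray(target)
    damaged[7 * SECTOR + 3] ^= 0xFF            # flip bits inside sector 7
    print("damaged copy:", verify_against_log(bytes(damaged), log))
```

Because the target is larger than the source, the verifier deliberately checks only the sectors the log lists; the trailing zero-filled sectors of the target were never part of the evidence and are not hashed.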

Exploring SafeBack (continued)

• Functions:
  – Disk-to-image copy (image can be on tape)
  – Disk-to-disk copy (adjusts target geometry)
    • Parallel port laplink can be used
  – Copies a partition to an image file
  – Compresses acquired information

Exploring EnCase

• Windows Forensic Tool from Guidance Software

• Creates forensic boot floppy disks

• Load En.exe to the floppy
  – Implements the best compression algorithm

• Copy methods
  – Disk-to-disk
  – Disk-to-network server drive
  – Disk-to-drive on parallel port

Exploring EnCase (continued)

Summary

• Data acquisition methods:
  – Bit-stream disk-to-image file
  – Bit-stream disk-to-disk
  – Sparse data copy

• Several tools available
  – Lossless compression is acceptable

• Plan your digital evidence contingencies

• Use tools that can read partition gaps

Summary (continued)

• Be careful when using tools
  – Risk of overwriting previous data

• Windows data acquisition tools
  – Easy to use
  – Can modify data

• DriveSpy, FTK Imager, Replica, SnapBack, SafeBack

• Investigations might involve PDAs
