Guide to Computer Forensics and Investigations, Second Edition
Chapter 9: Data Acquisition
Guide to Computer Forensics and Investigations, 2e 2
Objectives
• Determine the best acquisition method
• Plan data-recovery contingencies
• Use MS-DOS acquisition tools
Objectives (continued)
• Use GUI acquisition tools
• Use X-Ways Replica and other tools for data acquisition
• Recover data from PDAs
Determining the Best Acquisition Method
• Three ways
  – Bit-stream disk-to-image file
  – Bit-stream disk-to-disk
  – Sparse data copy of a file or folder
• Bit-stream disk-to-image file
  – Most common method
  – Can make more than one copy
  – EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
Determining the Best Acquisition Method (continued)
• Bit-stream disk-to-disk
  – When disk-to-image copy is not possible
  – Consider disk’s geometry CHS configuration
  – SafeBack, SnapCopy, Norton Ghost 2002
• Sparse data copy
  – Creates exact copies of folders and files
  – For large disks
  – PST or OST mail files, RAID servers
Determining the Best Acquisition Method (continued)
• When making a copy, consider:
  – Size of the source disk
    • Lossless compression might be useful
    • Use digital signatures for verification
  – Whether you can retain the disk
  – How much time you have
  – Location of the evidence
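The bit-stream disk-to-image method, together with the hash verification and lossless compression the slides mention, as an added example that is not from the textbook or from any of the tools it names. It acquires a constructed in-memory "disk" sector by sector, hashes the source and the image with SHA-256, and stores the image zlib-compressed while proving the compression is lossless. The 512-byte sector size, the sample disk contents and all function names are assumptions.

```python
"""Added example (not from the textbook or any named tool): a bit-stream
disk-to-image acquisition over a constructed in-memory "disk", with hash
verification and lossless compression. Sector size, sample data and
function names are assumptions made for illustration."""
import hashlib
import zlib

SECTOR_SIZE = 512  # assumed sector size of the constructed source disk


def make_sample_disk(num_sectors: int = 64) -> bytes:
    """Construct a sample source disk: mostly zero sectors (like unused
    space) plus a few sectors carrying recognisable text. Constructed data."""
    sectors = [bytes(SECTOR_SIZE) for _ in range(num_sectors)]
    sectors[3] = b"evidence file A\n".ljust(SECTOR_SIZE, b"\0")
    sectors[10] = b"deleted but still on disk\n".ljust(SECTOR_SIZE, b"\0")
    return b"".join(sectors)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_disk_to_image(source: bytes, sector_size: int = SECTOR_SIZE) -> bytes:
    """Bit-stream copy: read every sector, in order, into one image buffer.
    Nothing is skipped or interpreted, so unused and slack space survive."""
    if len(source) % sector_size:
        raise ValueError("source size is not a whole number of sectors")
    image = bytearray()
    for offset in range(0, len(source), sector_size):
        image += source[offset:offset + sector_size]
    return bytes(image)


def acquisition_record(source: bytes, image: bytes, compress: bool = True) -> dict:
    """Hash the source before copying and the image afterwards; the two
    must agree. Optionally store the image losslessly compressed (zlib) and
    prove the compression is lossless by hashing the decompressed bytes."""
    record = {
        "source_sha256": sha256_hex(source),
        "image_sha256": sha256_hex(image),
        "image_bytes": len(image),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    if compress:
        packed = zlib.compress(image, 9)
        record["stored_bytes"] = len(packed)
        record["restored_sha256"] = sha256_hex(zlib.decompress(packed))
        # Lossless means the restored hash equals the acquisition hash.
        record["verified"] = (record["verified"]
                              and record["restored_sha256"] == record["image_sha256"])
    return record


if __name__ == "__main__":
    disk = make_sample_disk()
    img = acquire_disk_to_image(disk)
    rec = acquisition_record(disk, img)
    for key, value in rec.items():
        print(f"{key}: {value}")
```

The compressed file has its own hash, different from the image hash, so an acquisition record should keep both: the image hash is what a later verification of the restored image is compared against, and a mismatch there means the copy is not usable as evidence.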
Planning Data Recovery Contingencies
• Create a duplicate copy of your evidence image file
• Make at least two copies of digital evidence
  – Use different tools or techniques
• Copy host-protected area of a disk drive as well
  – Image MaSSter Solo
• HAZMAT and environment conditions
Using MS-DOS Acquisition Tools
• Original tools
• Fit on a forensic boot floppy disk
  – Require fewer resources
• DriveSpy
  – Data-preservation commands
  – Data-manipulation commands
Understanding How DriveSpy Accesses Sector Ranges
• First method
  – Absolute starting sector, total number of sectors
  – Example: 0:1000,100 (primary master drive)
• Second method
  – Absolute starting sector-ending sector
  – Example: 0:1000-1100 (101 sectors)
• Moving data
  – CopySect 0:1000,100 1:2000,100
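A small model of the two DriveSpy range notations and of a CopySect-style sector copy, added here as an example; it is not DriveSpy's code. The drive numbering, the 512-byte sector size, the drive sizes and the marker data placed on the source drive are assumptions.

```python
"""Added example (not DriveSpy's own code): a model of the two DriveSpy
sector-range notations from the slides, 'drive:start,count' and
'drive:start-end', plus a CopySect-style sector copy between two constructed
in-memory drives. Drive contents and sizes are assumptions."""
import re
from dataclasses import dataclass

SECTOR_SIZE = 512  # assumed

RANGE_RE = re.compile(r"^(?P<drive>\d+):(?P<start>\d+)(?P<sep>[,-])(?P<value>\d+)$")


@dataclass(frozen=True)
class SectorRange:
    drive: int
    start: int   # absolute starting sector
    count: int   # total number of sectors

    @property
    def end(self) -> int:
        """Inclusive ending sector, as in the start-end notation."""
        return self.start + self.count - 1


def parse_range(text: str) -> SectorRange:
    """'0:1000,100' -> 100 sectors from 1000; '0:1000-1100' -> sectors 1000..1100
    inclusive, i.e. 101 sectors (the off-by-one the slide points out)."""
    m = RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a sector range: {text!r}")
    drive, start, value = int(m["drive"]), int(m["start"]), int(m["value"])
    if m["sep"] == ",":
        count = value
    else:
        if value < start:
            raise ValueError("ending sector precedes starting sector")
        count = value - start + 1
    if count <= 0:
        raise ValueError("sector count must be positive")
    return SectorRange(drive, start, count)


def copy_sect(drives: dict, src: str, dst: str) -> int:
    """CopySect-style copy of raw sectors, e.g. copy_sect(d, '0:1000,100', '1:2000,100').
    Both ranges must have the same count and lie inside their drives; the
    target range is overwritten, which is why the target must never be the
    evidence drive. Returns the number of sectors copied."""
    s, t = parse_range(src), parse_range(dst)
    if s.count != t.count:
        raise ValueError("source and target ranges differ in size")
    for r in (s, t):
        if r.drive not in drives:
            raise ValueError(f"no drive {r.drive}")
        if (r.end + 1) * SECTOR_SIZE > len(drives[r.drive]):
            raise ValueError(f"range {r} runs past the end of drive {r.drive}")
    a, b = s.start * SECTOR_SIZE, (s.end + 1) * SECTOR_SIZE
    drives[t.drive][t.start * SECTOR_SIZE:(t.end + 1) * SECTOR_SIZE] = drives[s.drive][a:b]
    return s.count


def make_drives() -> dict:
    """Two constructed drives: drive 0 (evidence) with a marker in sector 1050,
    drive 1 (target) initially blank. 4096 sectors each is an assumption."""
    d0 = bytearray(4096 * SECTOR_SIZE)
    d0[1050 * SECTOR_SIZE:1050 * SECTOR_SIZE + 6] = b"MARKER"
    return {0: d0, 1: bytearray(4096 * SECTOR_SIZE)}


if __name__ == "__main__":
    drives = make_drives()
    print(parse_range("0:1000,100"), parse_range("0:1000-1100").count)
    print("copied", copy_sect(drives, "0:1000,100", "1:2000,100"), "sectors")
```

The start-end form is inclusive at both ends, which is why 0:1000-1100 covers 101 sectors while 0:1000,100 covers 100. The copy refuses any range that runs past the end of a drive, the same kind of size check the slides describe WritePart making before it writes, and it never modifies the source drive.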
Understanding How DriveSpy Accesses Sector Ranges (continued)
Using DriveSpy Data-Preservation Commands
• Work only on FAT16 and FAT32 disks
• SavePart
  – Acquires an entire partition
  – Even non-DOS partitions
• WritePart
  – Re-creates saved partition to its original format
  – Be careful when restoring non-DOS partitions
Using the SavePart Command
• Creates an image file of a partition
• Uses lossless compression
• Copies image to target disk
  – Smaller disks
  – Removable media
• Generates an MD5 hash value
• Cannot be used with partition gaps
Using the WritePart Command
• Re-creates partitions from image files created with SavePart
• Decompresses the image file and writes it to the target disk
  – Checks whether the target disk is equal to or larger than the original disk
• Prompts for all disks where the image file is stored
Using the WritePart Command (continued)
Using DriveSpy Data-Manipulation Commands
• Isolate specific areas of a disk for examination
• Commands:
  – SaveSect
  – WriteSect
Using the SaveSect Command
• Copies specific sectors on a disk to a file
  – Bit-stream copy
• Creates non-compressed files
  – Flat files
• For hidden or deleted partitions and gaps
• Drive and Partition modes
• Example:
  – SaveSect 1:40000-49999 c:\dir_name\file_name
Using the SaveSect Command (continued)
Using the WriteSect Command
• Re-creates data acquired with SaveSect
• Use it in DriveSpy’s Drive and Partition modes
• Example:
  – WriteSect c:\dir_name\file_name 2:10000
• Disadvantage:
  – Can overwrite data on target disk
• Useful for non-Microsoft FAT file systems
Using the WriteSect Command (continued)
Using Windows Acquisition Tools
• Make job more convenient
  – Hot-swappable devices
• Drawbacks:
  – Windows can contaminate your evidence
  – Require write-blocking hardware devices
  – Cannot access host-protected areas
AccessData FTK Imager
• Included with AccessData FTK
• View evidence disks and bit-stream image files
• Makes bit-stream disk-to-image copies
  – At logical partition and physical drive level
  – Can segment the image file
AccessData FTK Imager (continued)
AccessData FTK Imager (continued)
• Steps:
  – Boot up Windows
  – Connect evidence disk to a write-blocker
  – Connect target disk to write-blocker
  – Start FTK Imager
  – Create Disk Image
    • Use Physical Drive option
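Image segmentation, which the slides list as an FTK Imager capability, modelled in an added example that is not AccessData's code: a physical-drive image is split into fixed-size pieces, a manifest records each piece's SHA-256 and the whole-image hash, and reassembly refuses to proceed if a piece is missing or altered. The segment naming (.001, .002, ...), the segment size and the constructed image contents are assumptions.

```python
"""Added example (not FTK Imager's or AccessData's code): segmenting a
disk image into fixed-size pieces, as imagers do for media-size limits,
with a manifest of per-segment hashes and a whole-image hash so the pieces
can be reassembled and verified. Segment naming and sizes are assumptions."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def segment_image(image: bytes, segment_size: int, base_name: str = "evidence") -> dict:
    """Split image into segments named base_name.001, .002, ... and return a
    manifest: ordered segment names, each segment's hash, the full-image hash
    and the segment bytes themselves (in a real case these are separate files)."""
    if segment_size <= 0:
        raise ValueError("segment size must be positive")
    segments = {}
    order = []
    for n, offset in enumerate(range(0, len(image), segment_size), start=1):
        name = f"{base_name}.{n:03d}"
        segments[name] = image[offset:offset + segment_size]
        order.append(name)
    return {
        "order": order,
        "segment_sha256": {name: sha256_hex(segments[name]) for name in order},
        "image_sha256": sha256_hex(image),
        "image_bytes": len(image),
        "segments": segments,
    }


def reassemble_image(manifest: dict, segments: dict) -> bytes:
    """Rebuild the image in manifest order. Each segment is checked against
    its recorded hash first, so a missing or altered piece is named rather
    than silently producing a wrong image; then the whole is checked."""
    parts = []
    for name in manifest["order"]:
        if name not in segments:
            raise ValueError(f"missing segment {name}")
        if sha256_hex(segments[name]) != manifest["segment_sha256"][name]:
            raise ValueError(f"segment {name} does not match its recorded hash")
        parts.append(segments[name])
    image = b"".join(parts)
    if sha256_hex(image) != manifest["image_sha256"]:
        raise ValueError("reassembled image does not match the acquisition hash")
    return image


def make_sample_image(num_sectors: int = 2000, sector_size: int = 512) -> bytes:
    """Constructed image: sector i holds its own index as a text header."""
    return b"".join(f"sector {i}".encode().ljust(sector_size, b"\0")
                    for i in range(num_sectors))


if __name__ == "__main__":
    img = make_sample_image()
    manifest = segment_image(img, 300 * 512)
    print(manifest["order"], manifest["image_sha256"])
    print("reassembled OK:", reassemble_image(manifest, manifest["segments"]) == img)
```

Checking each segment before concatenating is what makes the failure useful: the error names the bad piece, so the examiner knows which segment to re-copy from the original media instead of only learning that the whole image does not verify.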
AccessData FTK Imager (continued)
Using X-Ways Replica
• Compact bit-streaming application program
• Fits on a forensic bootable floppy disk
• Produces a dd-like image
  – Disk-to-image copy
  – Disk-to-disk copy
• Can access host protected areas
Using Replica
• Create a forensic boot floppy disk
• Boot in MS-DOS
• Replica checks if HPA on BIOS is on
  – If yes, asks you to turn it off
• Reboot
• Copy information
PDA Data Acquisition
• PDAs store, send, and receive data
  – PDA/cell phone
• Synch with host computers
  – Duplicate a host PC during an investigation
• Paraben Forensic Tool
  – Special tool
  – GUI-based tool
PDA Data Acquisition (continued)
PDA Data Acquisition (continued)
• Seize all PDA components
  – Cables and power supplies
• Learn how to put PDA in debug mode
PDA Data Acquisition (continued)
General Considerations for PDA Investigations
• Seize the PDA and host computer
  – PDA caddy and cables
• Collect documentation
• Get the power supply and recharge batteries
  – Leave it plugged into the PDA
• Create a bit-stream image and a backup copy of the host PC
• Obtain or locate password used on the PDA
Re-create the Host Computer
• Steps:
  – Connect caddy, cables, and external cards
  – Install backup copy on new host
  – Install PDA software
  – Read documentation and synch PDA
  – Examine downloaded PDA content
Re-create the Host Computer (continued)
Using Other Forensics-Acquisition Tools
• SnapBack DatArrest
• SafeBack
• EnCase
Exploring SnapBack DatArrest
• Columbia Data Products
• Old, reliable MS-DOS tool
• Performs bit-stream copies in three ways:
  – Disk to SCSI drive
  – Disk to network drive
  – Disk to disk
• Fits on a forensic boot floppy
• SnapCopy adjusts disk geometry
Exploring SafeBack
• Reliable MS-DOS tool
• Performs a SHA-256 calculation per sector copied
• Creates a log file
Exploring SafeBack (continued)
• Functions:
  – Disk-to-image copy (image can be on tape)
  – Disk-to-disk copy (adjusts target geometry)
    • Parallel port laplink can be used
  – Copies a partition to an image file
  – Compresses acquired information
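The per-sector SHA-256 calculation and log file the SafeBack slides describe, modelled in an added example that is not SafeBack's code and does not reproduce its log format: a log with one hash per sector is written and read back, and a verification pass uses it to name the exact sectors on which a later copy differs from the acquired image. The log layout, the 512-byte sector size and the constructed sample image are assumptions.

```python
"""Added example (not SafeBack's code or log format): a per-sector hash log
of the kind the slide describes, and a verification pass that uses it to
name the exact sectors that differ between the acquired image and a later
copy. Log format, sector size and sample data are assumptions."""
import hashlib

SECTOR_SIZE = 512  # assumed


def sector_hashes(image: bytes, sector_size: int = SECTOR_SIZE) -> list:
    """One SHA-256 per sector, in order."""
    if len(image) % sector_size:
        raise ValueError("image is not a whole number of sectors")
    return [hashlib.sha256(image[o:o + sector_size]).hexdigest()
            for o in range(0, len(image), sector_size)]


def write_log(hashes: list, sector_size: int = SECTOR_SIZE) -> str:
    """Render the log as text: a header line, then 'sector<TAB>sha256'."""
    lines = [f"# sector_size={sector_size} sectors={len(hashes)} algorithm=sha256"]
    lines += [f"{i}\t{h}" for i, h in enumerate(hashes)]
    return "\n".join(lines) + "\n"


def read_log(text: str) -> tuple:
    """Parse the log back; returns (sector_size, hashes). Rejects gaps or
    reordering so a truncated or edited log cannot pass as complete."""
    sector_size = None
    hashes = []
    for line in text.splitlines():
        if line.startswith("#"):
            for field in line[1:].split():
                key, _, value = field.partition("=")
                if key == "sector_size":
                    sector_size = int(value)
            continue
        idx, digest = line.split("\t")
        if int(idx) != len(hashes):
            raise ValueError(f"log is not contiguous at sector {idx}")
        hashes.append(digest)
    if sector_size is None:
        raise ValueError("log has no sector_size header")
    return sector_size, hashes


def verify_copy(copy: bytes, log_text: str) -> list:
    """Return the indices of sectors in copy whose hashes disagree with the
    log (an empty list means the copy verifies). A size mismatch counts as a
    failure of every sector beyond the shorter of the two."""
    sector_size, expected = read_log(log_text)
    actual = sector_hashes(copy, sector_size)
    n = max(len(expected), len(actual))
    return [i for i in range(n)
            if i >= len(expected) or i >= len(actual) or expected[i] != actual[i]]


def make_sample_image(num_sectors: int = 32) -> bytes:
    """Constructed image whose sectors carry their own index."""
    return b"".join(f"sector {i}".encode().ljust(SECTOR_SIZE, b"\0")
                    for i in range(num_sectors))


if __name__ == "__main__":
    original = make_sample_image()
    log = write_log(sector_hashes(original))
    damaged = bytearray(original)
    damaged[17 * SECTOR_SIZE + 100] ^= 0x01  # single bit flip in sector 17
    print("mismatched sectors:", verify_copy(bytes(damaged), log))
```

A single whole-image hash only says that something changed; the per-sector log says where, which lets an examiner distinguish one failing sector on aging media from a copy that is wrong throughout, and lets the report quote the affected sector numbers.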
Exploring EnCase
• Windows forensic tool from Guidance Software
• Creates forensic boot floppy disks
• Load En.exe to the floppy
  – Implements the best compression algorithm
• Copy methods
  – Disk-to-disk
  – Disk-to-network server drive
  – Disk-to-drive on parallel port
Exploring EnCase (continued)
Summary
• Data acquisition methods:
  – Bit-stream disk-to-image file
  – Bit-stream disk-to-disk
  – Sparse data copy
• Several tools available
  – Lossless compression is acceptable
• Plan your digital evidence contingencies
• Use tools that can read partition gaps
Summary (continued)
• Be careful when using tools
  – Risk of overwriting previous data
• Windows data acquisition tools
  – Easy to use
  – Can modify data
• DriveSpy, FTK Imager, Replica, SnapBack, SafeBack
• Investigations might involve PDAs