Digital Forensies: ‘Tools and Techniques: Network-based Acquisition ‘The basic acquisition theory also allows you to create an image file on a remote computer by using a network. In this case, data are read from the source disk, transmitted to the destination host via a network and written to a file. This method of acquisition is convenient if you cannot get access to the suspect disk or do not have the correct adaptors or interface for the suspect disk. Many current tools support network-based acquisition of dead and live systems. Some offer encryption to provide confidentiality on the network. Compression can be useful for the transmission to reduce the amount of data sent over a slow network. Integrity Hashes One of the core concepts of an investigation is to calculate hash values for evidence so that we can later verify the integrity of the data. Some acquisition tools will calculate a hash while the data are being copied and others require a separate tool. In many cases, the hashes are stored in either an embedded image or an external file with a raw image. Having the hashes embedded in the image does not provide any additional security or integrity. It is important to note what the hashes actually do for you, Any hash that is stored with the image will not ensure that someone has not modified the data. After all, if someone modifies the image, they can also recalculate the hashes, even if they are embedded in the format. A program could be easily written to do this. To prove the integrity of an image file using digital hash, you will need to use @ cryptographic signature and a trusted time source. This requires a lot of overhead; therefore, a much easier method is to write the hash value down in your notebook. ‘Then someone will have to modify the image, recalculate the hash and rewrite ‘your notebook. ‘While hashes are important to later prove the integrity of an image, they can also be used to show the accuracy of an acquisition process and that the acquisition process did not modify the original disk. By calculating the hash of the disk before it is acquired and comparing that value with the hash of a raw image, you can show that the raw image contains the same data that were on the original disk. Ideally, the original hash should be calculated with a tool that is independent of the acquisition tools so that any errors are not applied to both the control case and the actual image, Note that the previous hashing process reads only the data that are available to the tool. If hardware or software problems prevent you from accessing all bytes in a disk, the hash of the disk can equal the hash of the image file even though the image-file does not represent all data on the disk. For example, if the tool can read only the first 8GB of a 12GB disk, the tool will compute the hash of the first 8GB of the disk, copy the first 8GB of data and then compute the hash of the 8GB image file. Another consideration for hashes is how often they are calculated. Hashes are ‘most commonly used to identify when a value in a chunk of data has been changed. If the hash shows that a value in the chunk has been changed, the chunk must not be used. Calculating hashes of smaller chunks can minimize the impact of an integrity failure. If any chunk of data fails an integrity test, then it will not be used but the rest of the image will. A Case Study Using dd To illustrate the acquisition process, I will describe how we can do an acquisition with the dd tool. dd is one of the most simple and flexible acquisition tools but it is command line-based and can be more complex to learn than other tools becauseand is available for Windows. For this example we will focus on running it in Tnformation Gathering Linux. tits core, dd copies a chunk of data from one file and writes it to another. It does not care what type of data it is copying and does not know about file systems or disks, only files. dd reads data from the input source in block-sized chunks and the default block size is 512 bytes. It reads data from an input source, which is specified with the if= flag. If the if= flag is.not given, it takes the standard input as the input source, which is typically the keyboard.dd writes the data to an output file, which is specified with the of flag, If that is not given, the data are written to standard ‘output, which is usually the display. As an example, to copy the contents of filel.dat, which is 1024 bytes, to file2.dat in 512-byte blocks, we use # dd if-filel.dat of-file2.dat bs=S12 240 records in 240 records out The final two lines show that two complete blocks were read from filel.dat and two complete blocks were written to file2.dat. If a full block was not used during the last read and write, the final two lines would have ended with “+1” instead of +0.’ For example, if file] dat were 1500 bytes instead of 1024 bytes, the following would have been seen: # dd iffilel dat of-file2.dat bs=S12 24+1 records in 2+1 records out Note that the resulting file will be the full 1500 bytes. dd will try to write in block-sized chunks, but if there is not enough data, it will only copy what it has, Input Sources In Linux, there is a device for each storage device and partition and it can be used as the input file. For example, the master ATA disk on the first channel is/dev/hda and we can use that device name with the if= flag to tell dd to copy data from the disk to a file Microsoft Windows does not have an actual device file for the hard disks but you ‘can use the \\\ syntax to reference a disk, \\\PhysicalDrive0, for example. ‘The default block size fs $12 bytes, but we can specify anything we want using the bs= flag. ‘We can copy 1 byte at a time or we can copy 1GB at a time. Any value will work, but some values will give you better performance than others. Most disks read a minimum of $12 bytes at a time and can easily read more at the same time. Using fa value that is too small is wasteful because the disk will need to be frequently read and time will be wasted in the copying process. If you choose a value that is too large, you will waste time filling up the buffer in dd before the copy is performed. I have found that values in the 2KB to 8KB range work well. Linux accesses the hard disk directly and does not use the BIOS, so we do not risk getting incorrect data from the BIOS about the size of the disk. That also means that there are not software write blockers for Linux, but you can use a hardware device if you want HPA ‘As previously stated, dd knows about only files and therefore does not know anything about ATA HPAs. There are several methods of detecting an ATA HPA in each feature and option can be specified. dd comes with many of the UNIX versions Data Acquisition and ™Digital Forensics ‘Tools and Techniques 56 Linux and we will cover those here. The scenario for this example is a 57GB disk with 120,103,200 sectors. We have placed the string “here i am” in sector 15,000, as seen here: ¥ dd if-/dev/hdb bs=S12 skip=15000 count=1 | xxd 140 records in 140 records out (0000000: 6865 7265 2069 2061 6d0a 0000 0000 0000 here i am. Next, We created an HPA in the final 120,091,200 sectors. In other words, there are only 12,000 sectors that the OS or an application can access. We can see this because we can no longer see the string in sector 15,000: # dd if-/dev/hdb bs=512 skip=15000 count=1 | xd 040 records in 0+0 records out No records were copied because it could not read the data. There are several ways of detecting an HPA in Linux. Newer versions of Linux display a message in the dmesg log. Note that this log has a limited size and entries will be overwritten if there is an application that is writing a lot of warning or error messages. Its output for our disk is as follows: # dimesg | less [REMOVED] hdb: Host Protected Area detected. current capacity is 12000 sectors (6 MB) native capacity is 120103200 sectors (61492 MB) Not all versions of Linux will display this message, though. Another method of detecting an HPA is using the hdparm tool that comes with Linux. It displays details about a hard disk and we need to use the -I flag to obtain the total number of sectors. We will compare this value with the value written on the disk or from the vendor's Web site, This output will also tell us if the drive supports HPA, which older disks do not. # hdparm -I /dev/hdb [REMOVED] CHS current addressable sectors: 11088 LBA user addressable sectors: 12000 LBA48 user addressable sectors: 12000 [REMOVED] Commands/features: Enabled Supported: * Host Protected Area feature set In this case, the label of my drive says that it has 120,103,200 sectors; therefore, ‘many sectors are not addressable. Lastly, you can use the diskstat tool from “The Sleuth Kit’. It displays the maximum native address and the maximum user address. # diskstat /dev/hdb Maximum Disk Sector: 120103199 Maximum User Sector: 11999 ** HPA Detected (Sectors 12000 - 120103199) **