Fallsem2023-24 Cse4004 Eth5

Module - 2

Understanding Storage Formats for Digital Evidence
Data Acquisition
• Process of copying data
Types
• Two types of data acquisition
• Static acquisition
• Copying a hard drive from a powered-off system
• Used to be the standard
• Does not alter the data, so it's repeatable
• Live acquisition
• Copying data from a running computer
• Now the preferred type, because of hard disk encryption
• Cannot be repeated exactly—alters the data
• Also, collecting RAM data is becoming more important
• But RAM data has no timestamp, which makes it much harder to use
Static data recovered from a hard drive includes:
• Temporary (temp) files
• System registries
• Event/system logs
• Boot sectors
• Web browser cache
• Cookies
• Hidden files
Terms used for a file containing evidence data
• Bit-stream copy
• Bit-stream image
• Sector copy
Three formats
• Raw format
• Proprietary formats
• Advanced Forensics Format (AFF)
Raw Format
• This is what the Linux dd command makes
Example:
dd if=/dev/sdc1 of=/dev/sdd1 bs=128K conv=noerror,sync
Output:
15874+0 records in
15873+0 records out
1040252928 bytes transferred in 3.805977 secs (273320858 bytes/sec)
• Bit-by-bit copy of the drive to a file
• Advantages
• Fast data transfers
• Can ignore minor data read errors on source drive
• Most computer forensics tools can read raw format
Raw Format
• Disadvantages
• Requires as much storage as original disk or data
• Tools might not collect marginal (bad) sectors
• Low threshold of retry reads on weak media spots
• Commercial tools use more retries than free tools
• Validation check must be stored in a separate file
• Message Digest 5 (MD5)
• Secure Hash Algorithm (SHA-1 or newer)
• Cyclic Redundancy Check (CRC-32)
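Added example (not from the slides): a small Python model of a raw acquisition with conv=noerror,sync and the separate hash sidecar that the raw format needs because the image carries no header. The source device, its 512-byte block size and the unreadable block positions are constructed; the slides' dd line writes to another device, but the zero-padding and hashing logic is the same for a disk-to-image copy.

```python
import hashlib

BLOCK = 512  # constructed block size (the slides' dd line uses bs=128K)


class FakeDevice:
    """Constructed stand-in for a source partition such as /dev/sdc1:
    a byte string in which some block numbers are unreadable."""

    def __init__(self, data, bad_blocks=()):
        self.data = data
        self.bad_blocks = set(bad_blocks)

    def nblocks(self):
        return (len(self.data) + BLOCK - 1) // BLOCK

    def read_block(self, idx):
        if idx in self.bad_blocks:
            raise OSError("Input/output error")  # how a weak media spot shows up to dd
        return self.data[idx * BLOCK:(idx + 1) * BLOCK]


def acquire_raw(dev, noerror_sync=True):
    """Bit-stream copy of every block. With noerror,sync an unreadable block is
    written as zeros so later offsets stay aligned with the original media;
    without it the first read error aborts the acquisition."""
    image = bytearray()
    stats = {"records_in": 0, "records_out": 0, "bad_blocks": []}
    for i in range(dev.nblocks()):
        try:
            blk = dev.read_block(i)
            stats["records_in"] += 1
        except OSError:
            if not noerror_sync:
                raise
            stats["bad_blocks"].append(i)
            blk = b""
        image += blk.ljust(BLOCK, b"\x00")  # sync: pad short or failed reads to a full block
        stats["records_out"] += 1
    return bytes(image), stats


def hash_sidecar(image):
    """Raw format has no header, so the validation hashes go in a separate file.
    MD5 is kept because many tools still report it; SHA-256 is the 'SHA-1 or newer' choice."""
    return {"md5": hashlib.md5(image).hexdigest(),
            "sha256": hashlib.sha256(image).hexdigest()}


def verify_image(image, sidecar):
    """Recompute both digests and compare them with the stored sidecar values."""
    return hash_sidecar(image) == sidecar
```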
Proprietary Formats
• Features offered
• Option to compress or not compress image files
• Example: ILookIX (https://www.ilook-forensics.org/aboutus.html) - IDIF, IRBF, IEIF
• Can split an image into smaller segmented files
• Such as to CDs or DVDs
• With data integrity checks in each segment
• Can integrate metadata into the image file
• Hash data
• Date & time of acquisition
• Investigator name, case name, comments, etc.
Proprietary Formats
• Disadvantages
• Inability to share an image between different tools
• File size limitation for each segmented volume
• Typical segmented file size is 650 MB or 2 GB
• Expert Witness format (.EWF)
• Used by EnCase, FTK, X-Ways Forensics, and SMART
• Can produce compressed or uncompressed files
• File extensions .E01, .E02, .E03, …
(http://www.digitalforensicsworkbook.com/data-sets)
• EnCase creates multiple E01 files of uniform size 640 MB for storing the acquired digital data.
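Added example (not from the slides, and not the real EWF/E01 layout): a constructed segmented container in Python that stores a hash per segment plus the acquisition metadata the slides list, so that verification can name the damaged or missing segment instead of only reporting that the whole image no longer matches. The segment size, case name and examiner name are assumed values.

```python
import hashlib
from datetime import datetime, timezone


def segment_image(image, seg_size, case_name, examiner):
    """Split a raw image into numbered segments (.E01, .E02, ... naming as on the
    slides) and build a manifest with one hash per segment plus acquisition
    metadata. The layout is constructed for illustration, not the real EWF structure."""
    segments = []
    for n, off in enumerate(range(0, len(image), seg_size), start=1):
        chunk = image[off:off + seg_size]
        segments.append({"name": f"{case_name}.E{n:02d}", "data": chunk,
                         "sha256": hashlib.sha256(chunk).hexdigest()})
    manifest = {
        "case": case_name,
        "examiner": examiner,
        "acquired": datetime.now(timezone.utc).isoformat(),
        "image_md5": hashlib.md5(image).hexdigest(),  # whole-image hash, as a raw sidecar holds
        "segments": [(s["name"], len(s["data"]), s["sha256"]) for s in segments],
    }
    return segments, manifest


def verify_segments(segments, manifest):
    """Return (names of damaged or missing segments, whole-image hash ok).
    The per-segment hashes say which disc or file to re-copy; the whole-image
    hash alone only says that something, somewhere, has changed."""
    present = {s["name"]: s["data"] for s in segments}
    bad = []
    for name, size, digest in manifest["segments"]:
        data = present.get(name)
        if data is None or len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            bad.append(name)
    joined = b"".join(present.get(name, b"") for name, _, _ in manifest["segments"])
    whole_ok = hashlib.md5(joined).hexdigest() == manifest["image_md5"]
    return bad, whole_ok
```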
Advanced Forensics Format
• Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation
• Design goals
• Provide compressed or uncompressed image files
• No size restriction for disk-to-image files
• Provide space in the image file or segmented files for metadata
• Simple design with extensibility
• Open source for multiple platforms and OSs
Advanced Forensics Format (continued)
• Design goals (continued)
• Internal consistency checks for self-authentication
• File extensions include .afd for segmented image files and .afm for AFF metadata
• AFF is open source
https://cs.harvard.edu/malan/publications/aff.pdf
Determining the Best Acquisition Method
• Types of acquisitions
• Static acquisitions and live acquisitions
• Four methods
• Bit-stream disk-to-image file
• Bit-stream disk-to-disk
• Logical
• Sparse
Logical Acquisition and Sparse Acquisition
• When your time is limited, and evidence disk is large
• Logical acquisition captures only specific files of interest to the case
• Such as Outlook .pst or .ost files
• Sparse acquisition collects only some of the data (**Not proven)
Bit-stream disk-to-image file
• Most common method
• Can make more than one copy
• Copies are bit-for-bit replications of the original drive
• Tools: ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
Bit-stream disk-to-disk
• Used when disk-to-image copy is not possible
• Because of hardware or software errors or incompatibilities
• This problem is more common when acquiring older drives
• Adjusts target disk's geometry (cylinder, head, and track configuration) to match the suspect's drive
• Tools: EnCase, SafeBack (MS-DOS), Snap Copy
Compressing Disk Images
• Lossless compression might compress a disk image by 50% or more
• But files that are already compressed, like ZIP files, won't compress much more
• Error in textbook: JPEGs use lossy compression and degrade image quality (p. 104)
• Use MD5 or SHA-1 hash to verify the image
Tape Backup
• When working with large drives, an alternative is using tape backup systems
• No limit to size of data acquisition
• Just use many tapes
• But it’s slow
Returning Evidence Drives
• In civil litigation, a discovery order may require you to return the original disk after imaging it
• If you cannot retain the disk, make sure you make the correct type of copy (logical or bitstream)
• Ask your client attorney or your supervisor what is required—you usually only have one chance
