Lecture-5&6 Data Acquisition
Lecture-5&6 Data Acquisition
Lecture-6
Data
Acquisition
in Digital
Forensics
Part-1
Prof Osama Abdel Raouf NEXT
Introduction to Digital Forensics
• Data Acquisition
• Definition: Collecting data from
digital devices to be used as
evidence.
• Purpose: Ensures data integrity
by preserving the original
evidence for analysis.
• Forensic Imaging: Creates an
exact copy (bit-by-bit) of storage
media, capturing all data,
including deleted or hidden files.
Data Acquisition
• Methods:
• Static Acquisition: Data collected
from a powered-off device, reducing
risk of alteration but may miss volatile
memory data.
• Live Acquisition: Data collected from
a running device, necessary for
capturing volatile data (e.g., RAM) but
riskier for data integrity.
• Tools for Acquisition: Use of write
blockers to prevent modifications and
forensic hardware to maintain chain of
custody.
Data Acquisition
• Forensic Tools
• Definition: Specialized software and hardware used in forensic investigations.
• Categories of Tools:
• Data Acquisition: Tools like EnCase, FTK Imager for forensic imaging.
• Analysis: Tools such as Autopsy for file analysis, and Wireshark for network
packet analysis.
• Memory Analysis: Volatility and Redline for analyzing RAM and system
processes.
• Data Recovery: Tools like R-Studio and Recuva for recovering deleted files.
• Importance: Ensures compliance with legal standards; each tool logs activities to
maintain evidence integrity.
• Selection Criteria: Tools chosen based on investigation requirements,
compatibility with file systems, and type of device.
File Systems
Recovery
Techniques:
Logical Recovery:
Definition: Process Forensic Retrieves files Specialized Tools: Challenges:
of retrieving Importance: Helps marked as deleted Use of tools like
deleted, lost, or retrieve potential without altering file Recuva for file
corrupted data. evidence from system structure. recovery, and
formatted or Sleuth Kit for data
damaged devices. Physical Recovery: carving. File Fragmentation:
Advanced methods When parts of files are
for devices with scattered across storage,
physical damage or making full recovery
data overwritten. complex.
Encryption and
Overwriting: Some files
are hard to recover if
overwritten or encrypted.
Legal Considerations in Data Acquisition
• 2. Static Acquisition
• Definition: Static acquisition is the process of collecting data from
devices that are powered off, commonly using a forensic image of
the storage device.
• Purpose: This method ensures data integrity, as the device remains
in a consistent state, minimizing the risk of accidental modification.
• Applications: It is most appropriate for storage media like hard
drives, USB drives, and other offline devices where the investigator
can create a bit-for-bit copy or image of the data for analysis.
• Challenges: While this approach is safer for preserving data, it may
not capture transient data (e.g., data in RAM) and can be limited if
the data on the device is encrypted or requires authentication not
accessible without system access.
Data Imaging and
Cloning
• Data Imaging
• Creates an exact, bit-by-bit replica of a digital
storage device (e.g., hard drive, SSD).
• Captures every byte, including deleted files,
hidden files, metadata, and slack space.
• Maintains the integrity of the original data by
preventing any modification.
• Allows investigators to analyze a copy,
preserving the original evidence in its unaltered
state.
• Essential in digital forensics for maintaining a
clear chain of custody and preventing
tampering.
Data Imaging and Cloning
Cloning
• Copies data from one storage device to another on a
sector-by-sector basis.
• Results in a physical duplicate drive that functions
identically to the original.
• Enables quick access to data, making it a practical
solution when immediate data retrieval is necessary.
• Less common in forensics, as it can be more challenging
to ensure data integrity and maintain the chain of
custody.
Data Imaging and Cloning
Key Differences
• Data Imaging is generally preferred in
forensic investigations due to its ability to
capture all data layers in a single file.
• Cloning creates a physical duplicate but may
not fully protect the original data's integrity,
making it less ideal for forensic purposes.
Process of Creating Forensic Images
Lecture-6
Data
Acquisition
in Digital
Forensics
part-2
Prof Osama Abdel Raouf NEXT
Challenges in Data Acquisition
1. Encrypted Storage
• Description: Encrypted storage adds a significant layer of
complexity to data acquisition. With encryption, data is
protected by cryptographic keys, which are designed to
prevent unauthorized access. Decrypting the data without the
key is challenging and often time-consuming.
• Forensics Impact: Forensic analysts may be unable to access
critical evidence if the encryption cannot be bypassed, which
can stall or even halt an investigation. Various methods, such
as brute force or utilizing legally obtained decryption keys, are
sometimes employed, but these approaches can be both
legally and technically challenging.
Challenges in Data Acquisition
1. Verifying Hashes
• Hashing is a method of generating a unique digital fingerprint of
data. By creating a hash value (using algorithms like MD5, SHA-1, or
SHA-256) at the time of data acquisition, forensic investigators
establish a baseline fingerprint for the acquired data.
• After acquisition, the hash can be recalculated and compared with
the original to ensure that the data has not been altered. This
process helps maintain data integrity by verifying that the
acquired data matches the original exactly.
• Rehashing throughout the forensic process also provides a clear
chain of custody and proof that the data has not been tampered
with, making it more admissible in court.
Best Practices in Data Acquisition
Mobile devices have become critical Acquiring data from these devices
sources of evidence in digital requires specialized forensic tools
investigations, often containing sensitive and techniques, particularly due to
data like messages, call records, emails,
and geolocation information.
the complexity and evolving nature
of mobile technology.
Case Example: Data Acquisition from Mobile
Devices
Unique Challenges
1. Data Encryption
• Modern mobile devices commonly implement advanced encryption standards, often with
hardware-based encryption keys.
• Encryption safeguards user data, but it presents a significant barrier in forensic investigations.
Forensic analysts must rely on methods like brute force attacks, social engineering, or utilizing
vulnerabilities to decrypt or bypass encryption.
• However, gaining access without the device’s PIN, passcode, or biometric lock can be
exceptionally difficult, making this a primary hurdle in mobile forensics.
2. Frequent OS Updates
• Mobile operating systems, especially iOS and Android, undergo frequent updates, with each
version potentially introducing new security features and altering file system structures.
• These updates can render previously effective forensic tools incompatible or limit access to
certain data types. As a result, forensic investigators must continuously update and test their tools
and methods to keep up with the latest OS versions and security patches, which requires
significant time and resources.
Case Example: Data Acquisition from Mobile
Devices
Unique Challenges
3. Complex Backup Systems
• Mobile devices typically employ complex, cloud-based backup
systems like iCloud for iOS and Google Drive for Android, which sync
data across devices.
• This introduces an additional layer of data acquisition, as investigators
must handle both the device’s internal storage and its cloud backups.
Accessing these backups legally and securely can be challenging,
especially if encryption and account-based protections restrict access.
• Forensic tools must be compatible with these cloud services and
comply with legal standards to retrieve and analyze this data.
Introduction to File Systems
Best Practices
NEXT
Example of data recovery
in ransomware attacks.
Students task
Integrating Forensic
Tools and Techniques
Students task
Importance of Documentation
• Documentation ensures reproducibility and integrity.
• Every step must be well-documented.
Students task
Maintaining Forensic
Integrity
• Forensic principles:
• - Use of write blockers
• - Hash verification
Students task
Ethical Issues in
Digital Forensics
• Privacy, legality, and ethical boundaries are
vital.
• Analysts must adhere to strict guidelines.
Students task
Case Example: Ethical
Dilemmas in Digital
Forensics
Students task
THANK YOU