Guide to Computer Forensics

and Investigations
Fourth Edition

Chapter 4
Data Acquisition
 Understanding Storage Formats for
Digital Evidence

• Three formats
– Raw format
– Proprietary formats
– Advanced Forensics Format (AFF)

Guide to Computer Forensics and Investigations 2

 Raw Format
• Makes it possible to write bit-stream data to files
• Advantages
– Fast data transfers
– Can ignore minor data read errors on source drive
– Most computer forensics tools can read raw format
• Disadvantages
– Requires as much storage as original disk or data
– Tools might not collect marginal (bad) sectors

Guide to Computer Forensics and Investigations 3

 Proprietary Formats

• Features offered
– Option to compress or not compress image files
– Can split an image into smaller segmented files
– Can integrate metadata into the image file
• Disadvantages
– Inability to share an image between different tools
– File size limitation for each segmented volume

Guide to Computer Forensics and Investigations 4

 Advanced Forensics Format

• Design goals
– Provide compressed or uncompressed image files
– No size restriction for disk-to-image files
– Provide space in the image file or segmented files
for metadata
– Simple design with extensibility
– Open source for multiple platforms and Oss
• File extensions include .afd for segmented image
files and .afm for AFF metadata

Guide to Computer Forensics and Investigations 5

 Determining the Best Acquisition
Method

• Types of acquisitions
– Static acquisitions and live acquisitions
• Four methods
– Bit-stream disk-to-image file
– Bit-stream disk-to-disk
– Logical disk-to-disk or disk-to-disk data
– Sparse data copy of a file or folder

Guide to Computer Forensics and Investigations 6

 Determining the Best Acquisition
Method (continued)
• Bit-stream disk-to-image file
– Most common method
– Can make more than one copy
– Copies are bit-for-bit replications of the original drive
– ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-
Ways, iLook
• Bit-stream disk-to-disk
– When disk-to-image copy is not possible
– Consider disk’s geometry configuration
– EnCase, SafeBack, SnapCopy
Guide to Computer Forensics and Investigations 7
 Determining the Best Acquisition
Method (continued)

• Logical acquisition or sparse acquisition

– When your time is limited
– Logical acquisition captures only specific files of
interest to the case
– Sparse acquisition also collects fragments of
unallocated (deleted) data
– For large disks
– PST or OST mail files, RAID servers

Guide to Computer Forensics and Investigations 8

 Determining the Best Acquisition
Method (continued)

• When making a copy, consider:

– Size of the source disk
• Lossless compression might be useful
• Use digital signatures for verification
– When working with large drives, an alternative is
using tape backup systems
– Whether you can retain the disk

Guide to Computer Forensics and Investigations 9

 Contingency Planning for Image
Acquisitions

• Create a duplicate copy of your evidence image file

• Make at least two images of digital evidence
– Use different tools or techniques
• Copy host protected area of a disk drive as well
– Consider using a hardware acquisition tool that can
access the drive at the BIOS level
• Be prepared to deal with encrypted drives
– Whole disk encryption feature in Windows Vista
Ultimate and Enterprise editions

Guide to Computer Forensics and Investigations 10

 Using Acquisition Tools
• Acquisition tools for Windows
– Advantages
• Make acquiring evidence from a suspect drive more
convenient
– Especially when used with hot-swappable devices
– Disadvantages
• Must protect acquired data with a well-tested write-
blocking hardware device
• Tools can’t acquire data from a disk’s host protected
area

Guide to Computer Forensics and Investigations 11

 Windows XP Write-Protection with
USB Devices
• USB write-protection feature
– Blocks any writing to USB devices
• Target drive needs to be connected to an internal
PATA (IDE), SATA, or SCSI controller
• Steps to update the Registry for Windows XP SP2
– Back up the Registry
– Modify the Registry with the write-protection feature
– Create two desktop icons to automate switching
between enabling and disabling writes to USB device

Guide to Computer Forensics and Investigations 12

Capturing an Image with ProDiscover
Basic
• Connecting the suspect’s drive to your workstation
– Document the chain of evidence for the drive
– Remove the drive from the suspect’s computer
– Configure the suspect drive’s jumpers as needed
– Connect the suspect drive
– Create a storage folder on the target drive
• Using ProDiscover’s Proprietary Acquisition Format
– Image file will be split into segments of 650MB
– Creates image files with an .eve extension, a log file
(.log extension), and a special inventory file (.pds
extension)
Guide to Computer Forensics and Investigations 13
Capturing an Image with AccessData
FTK Imager
• Included on AccessData Forensic Toolkit
• View evidence disks and disk-to-image files
• Makes disk-to-image copies of evidence drives
– At logical partition and physical drive level
– Can segment the image file
• Evidence drive must have a hardware write-
blocking device
– Or the USB write-protection Registry feature enabled
• FTK Imager can’t acquire drive’s host protected
area
Guide to Computer Forensics and Investigations 14
Capturing an Image with AccessData
FTK Imager (continued)

Guide to Computer Forensics and Investigations 15

 Validating Data Acquisitions

• Most critical aspect of computer forensics

• Requires using a hashing algorithm utility
• Validation techniques
– CRC-32, MD5, and SHA-1 to SHA-512

Guide to Computer Forensics and Investigations 16

 Windows Validation Methods

• Windows has no built-in hashing algorithm tools for

computer forensics
– Third-party utilities can be used
• Commercial computer forensics programs also
have built-in validation features
– Each program has its own validation technique
• Raw format image files don’t contain metadata
– Separate manual validation is recommended for all
raw acquisitions

Guide to Computer Forensics and Investigations 17

 Performing RAID Data Acquisitions

• Size is the biggest concern

– Many RAID systems now have terabytes of data

Guide to Computer Forensics and Investigations 18

 Understanding RAID

• Redundant array of independent (formerly

“inexpensive”) disks (RAID)
– Computer configuration involving two or more disks
– Originally developed as a data-redundancy measure
• RAID 0
– Provides rapid access and increased storage
– Lack of redundancy
• RAID 1
– Designed for data recovery
– More expensive than RAID 0
Guide to Computer Forensics and Investigations 19
 Using Remote Network Acquisition
Tools
• You can remotely connect to a suspect computer
via a network connection and copy data from it
• Remote acquisition tools vary in configurations and
capabilities
• Drawbacks
– LAN’s data transfer speeds and routing table
conflicts could cause problems
– Gaining the permissions needed to access more
secure subnets
– Heavy traffic could cause delays and errors

Guide to Computer Forensics and Investigations 20

Remote Acquisition with ProDiscover

• With ProDiscover Investigator you can:

– Preview a suspect’s drive remotely while it’s in use
– Perform a live acquisition
– Encrypt the connection
– Copy the suspect computer’s RAM
– Use the optional stealth mode
• ProDiscover Incident Response additional
functions
– Capture volatile system state information
– Analyze current running processes
Guide to Computer Forensics and Investigations 21
 Remote Acquisition with ProDiscover
(continued)
• ProDiscover Incident Response additional
functions (continued)
– Locate unseen files and processes
– Remotely view and listen to IP ports
– Run hash comparisons
– Create a hash inventory of all files remotely
• PDServer remote agent
– ProDiscover utility for remote access
– Needs to be loaded on the suspect

Guide to Computer Forensics and Investigations 22

Guide to Computer Forensics
and Investigations
Fourth Edition

Chapter 5
Processing Crime and Incident
Scenes
 Identifying Digital Evidence

• Digital evidence
– Can be any information stored or transmitted in
digital form
• U.S. courts accept digital evidence as physical
evidence
– Digital data is a tangible object
• Some require that all digital evidence be printed out
to be presented in court

Guide to Computer Forensics and Investigations 24

 Identifying Digital Evidence
(continued)

• General tasks investigators perform when working

with digital evidence:
– Identify digital information or artifacts that can be
used as evidence
– Collect, preserve, and document evidence
– Analyze, identify, and organize evidence
– Rebuild evidence or repeat a situation to verify that
the results can be reproduced reliably
• Collecting computers and processing a criminal or
incident scene must be done systematically
Guide to Computer Forensics and Investigations 25
 Understanding Rules of Evidence

• Consistent practices help verify your work and

enhance your credibility
• Comply with your state’s rules of evidence or with
the Federal Rules of Evidence
• Evidence admitted in a criminal case can be used
in a civil suit, and vice versa
• Keep current on the latest rulings and directives on
collecting, processing, storing, and admitting digital
evidence

Guide to Computer Forensics and Investigations 26

 Understanding Rules of Evidence
(continued)
• Data you discover from a forensic examination falls
under your state’s rules of evidence
– Or the Federal Rules of Evidence
• Digital evidence is unlike other physical evidence
because it can be changed more easily
– The only way to detect these changes is to compare
the original data with a duplicate
• Most federal courts have interpreted computer
records as hearsay evidence
– Hearsay is secondhand or indirect evidence

Guide to Computer Forensics and Investigations 27

 Understanding Rules of Evidence
(continued)

• Business-record exception
– Allows “records of regularly conducted activity,” such
as business memos, reports, records, or data
compilations
• Generally, computer records are considered
admissible if they qualify as a business record
• Computer records are usually divided into:
– Computer-generated records
– Computer-stored records

Guide to Computer Forensics and Investigations 28

 Understanding Rules of Evidence
(continued)
• Computer records must be shown to be authentic
and trustworthy
– To be admitted into court
• Computer-generated records are considered
authentic
– If the program that created the output is functioning
correctly
• Collecting evidence according to the proper steps
of evidence control helps ensure that the computer
evidence is authentic

Guide to Computer Forensics and Investigations 29

 Understanding Rules of Evidence
(continued)

• When attorneys challenge digital evidence

– Often they raise the issue of whether computer-
generated records were altered
• Or damaged after they were created
• One test to prove that computer-stored records are
authentic is to demonstrate that a specific person
created the records
– The author of a Microsoft Word document can be
identified by using file metadata

Guide to Computer Forensics and Investigations 30

 Understanding Rules of Evidence
(continued)

• The process of establishing digital evidence’s

trustworthiness originated with written documents
and the best evidence rule
• Best evidence rule states:
– To prove the content of a written document,
recording, or photograph, ordinarily the original
writing, recording, or photograph is required
• Federal Rules of Evidence
– Allow a duplicate instead of originals when it is
produced by the same impression as the original
Guide to Computer Forensics and Investigations 31
 Understanding Rules of Evidence
(continued)

• As long as bit-stream copies of data are created

and maintained properly
– The copies can be admitted in court, although they
aren’t considered best evidence

Guide to Computer Forensics and Investigations 32

 Collecting Evidence in Private-Sector
Incident Scenes (continued)

• A special category of private-sector businesses

includes ISPs and other communication companies
• ISPs can investigate computer abuse committed by
their employees, but not by customers
– Except for activities that are deemed to create an
emergency situation
• Investigating and controlling computer incident
scenes in the corporate environment
– Much easier than in the criminal environment
– Incident scene is often a workplace
Guide to Computer Forensics and Investigations 33
 Collecting Evidence in Private-Sector
Incident Scenes (continued)

• Typically, businesses have inventory databases of

computer hardware and software
– Help identify the computer forensics tools needed to
analyze a policy violation
• And the best way to conduct the analysis
• Corporate policy statement about misuse of
computing assets
– Allows corporate investigators to conduct covert
surveillance with little or no cause
– And access company systems without a warrant
Guide to Computer Forensics and Investigations 34
 Collecting Evidence in Private-Sector
Incident Scenes (continued)

• Companies should display a warning banner or

publish a policy
– Stating that they reserve the right to inspect
computing assets at will
• Corporate investigators should know under what
circumstances they can examine an employee’s
computer
– Every organization must have a well-defined process
describing when an investigation can be initiated

Guide to Computer Forensics and Investigations 35

 Collecting Evidence in Private-Sector
Incident Scenes (continued)

• If a corporate investigator finds that an employee is

committing or has committed a crime
– Employer can file a criminal complaint with the police
• Employers are usually interested in enforcing
company policy
– Not seeking out and prosecuting employees
• Corporate investigators are, therefore, primarily
concerned with protecting company assets

Guide to Computer Forensics and Investigations 36

 Collecting Evidence in Private-Sector
Incident Scenes (continued)

• If you discover evidence of a crime during a

company policy investigation
– Determine whether the incident meets the elements
of criminal law
– Inform management of the incident
– Stop your investigation to make sure you don’t
violate Fourth Amendment restrictions on obtaining
evidence
– Work with the corporate attorney to write an affidavit
confirming your findings

Guide to Computer Forensics and Investigations 37

 Processing Law Enforcement Crime
Scenes

• You must be familiar with criminal rules of search

and seizure
• You should also understand how a search warrant
works and what to do when you process one
• Law enforcement officer may search for and seize
criminal evidence only with probable cause
– Facts or circumstances that lead a reasonable
person to believe a crime has been committed or is
about to be committed

Guide to Computer Forensics and Investigations 38

 Processing Law Enforcement Crime
Scenes (continued)

• With probable cause, a police officer can obtain a

search warrant from a judge
– That authorizes a search and seizure of specific
evidence related to the criminal complaint
• The Fourth Amendment states that only warrants
“particularly describing the place to be searched,
and the persons or things to be seized” can be
issued

Guide to Computer Forensics and Investigations 39

 Understanding Concepts and Terms
Used in Warrants

• Innocent information
– Unrelated information
– Often included with the evidence you’re trying to
recover
• Judges often issue a limiting phrase to the
warrant
– Allows the police to separate innocent information
from evidence

Guide to Computer Forensics and Investigations 40

 Understanding Concepts and Terms
Used in Warrants (continued)

• Plain view doctrine

– Objects falling in plain view of an officer who has the
right to be in position to have that view
• Are subject to seizure without a warrant and may be
introduced in evidence
• “Knock and announce”
– With few exceptions, warrants require that officers
knock and announce their identity
• When executing a warrant

Guide to Computer Forensics and Investigations 41

 Preparing for a Search

• Preparing for a computer search and seizure

– Probably the most important step in computing
investigations
• To perform these tasks
– You might need to get answers from the victim and
an informant
• Who could be a police detective assigned to the case,
a law enforcement witness, or a manager or coworker
of the person of interest to the investigation

Guide to Computer Forensics and Investigations 42

 Identifying the Nature of the Case

• When you’re assigned a computing investigation

case
– Start by identifying the nature of the case
• Including whether it involves the private or public
sector
• The nature of the case dictates how you proceed
– And what types of assets or resources you need to
use in the investigation

Guide to Computer Forensics and Investigations 43

 Identifying the Type of Computing
System

• For law enforcement

– This step might be difficult because the crime scene
isn’t controlled
• If you can identify the computing system
– Estimate the size of the drive on the suspect’s
computer
• And how many computers to process at the scene
• Determine which OSs and hardware are involved

Guide to Computer Forensics and Investigations 44

Determining Whether You Can Seize a
Computer

• The type of case and location of the evidence

– Determine whether you can remove computers
• Law enforcement investigators need a warrant to
remove computers from a crime scene
– And transport them to a lab
• If removing the computers will irreparably harm a
business
– The computers should not be taken offsite

Guide to Computer Forensics and Investigations 45

Determining Whether You Can Seize a
Computer (continued)

• An additional complication is files stored offsite that

are accessed remotely
• If you aren’t allowed to take the computers to your
lab
– Determine the resources you need to acquire digital
evidence and which tools can speed data acquisition

Guide to Computer Forensics and Investigations 46

 Determining Who Is in Charge

• Corporate computing investigations

– Require only one person to respond
• Law enforcement agencies
– Handle large-scale investigations
– Designate lead investigators

Guide to Computer Forensics and Investigations 47

 Using Additional Technical Expertise

• Look for specialists

– OSs
– RAID servers
– Databases
• Finding the right person can be a challenge
• Educate specialists in investigative techniques
– Prevent evidence damage

Guide to Computer Forensics and Investigations 48

 Determining the Tools You Need

• Prepare tools using incident and crime scene

information
• Initial-response field kit
– Lightweight
– Easy to transport
• Extensive-response field kit
– Includes all tools you can afford

Guide to Computer Forensics and Investigations 49

Guide to Computer Forensics and Investigations 50
Guide to Computer Forensics and Investigations 51
Guide to Computer Forensics and Investigations 52
 Preparing the Investigation Team

• Review facts, plans, and objectives with the

investigation team you have assembled
• Goals of scene processing
– Collect evidence
– Secure evidence
• Slow response can cause digital evidence to be
lost

Guide to Computer Forensics and Investigations 53

 Securing a Computer Incident or
Crime Scene

• Goals
– Preserve the evidence
– Keep information confidential
• Define a secure perimeter
– Use yellow barrier tape
– Legal authority
• Professional curiosity can destroy evidence
– Involves police officers and other professionals who
aren’t part of the crime scene processing team

Guide to Computer Forensics and Investigations 54

 Seizing Digital Evidence at the Scene

• Law enforcement can seize evidence

– With a proper warrant
• Corporate investigators rarely can seize evidence
• When seizing computer evidence in criminal
investigations
– Follow U.S. DoJ standards for seizing digital data
• Civil investigations follow same rules
– Require less documentation though
• Consult with your attorney for extra guidelines

Guide to Computer Forensics and Investigations 55

 Processing an Incident or Crime
Scene
• Guidelines
– Keep a journal to document your activities
– Secure the scene
• Be professional and courteous with onlookers
• Remove people who are not part of the investigation
– Take video and still recordings of the area around
the computer
• Pay attention to details
– Sketch the incident or crime scene
– Check computers as soon as possible

Guide to Computer Forensics and Investigations 56

 Processing an Incident or Crime
Scene (continued)

• Guidelines (continued)
– Don’t cut electrical power to a running system unless
it’s an older Windows 9x or MS-DOS system
– Save data from current applications as safely as
possible
– Record all active windows or shell sessions
– Make notes of everything you do when copying data
from a live suspect computer
– Close applications and shut down the computer

Guide to Computer Forensics and Investigations 57

 Processing an Incident or Crime
Scene (continued)

• Guidelines (continued)
– Bag and tag the evidence, following these steps:
• Assign one person to collect and log all evidence
• Tag all evidence you collect with the current date and
time, serial numbers or unique features, make and
model, and the name of the person who collected it
• Maintain two separate logs of collected evidence
• Maintain constant control of the collected evidence
and the crime or incident scene

Guide to Computer Forensics and Investigations 58

 Processing an Incident or Crime
Scene (continued)

• Guidelines (continued)
– Look for information related to the investigation
• Passwords, passphrases, PINs, bank accounts
– Collect documentation and media related to the
investigation
• Hardware, software, backup media, documentation,
manuals

Guide to Computer Forensics and Investigations 59

 Processing Data Centers with RAID
Systems

• Sparse acquisition
– Technique for extracting evidence from large
systems
– Extracts only data related to evidence for your case
from allocated files
• And minimizes how much data you need to analyze
• Drawback of this technique
– It doesn’t recover data in free or slack space

Guide to Computer Forensics and Investigations 60

 Using a Technical Advisor

• Technical advisor
– Can help you list the tools you need to process the
incident or crime scene
– Person guiding you about where to locate data and
helping you extract log records
• Or other evidence from large RAID servers
– Can help create the search warrant by itemizing
what you need for the warrant

Guide to Computer Forensics and Investigations 61

Using a Technical Advisor (continued)

• Responsibilities
– Know aspects of the seized system
– Direct investigator handling sensitive material
– Help secure the scene
– Help document the planning strategy
– Conduct ad hoc trainings
– Document activities

Guide to Computer Forensics and Investigations 62

 Processing and Handling Digital
Evidence

• Maintain the integrity of digital evidence in the lab

– As you do when collecting it in the field
• Steps to create image files:
– Copy all image files to a large drive
– Start your forensics tool to analyze the evidence
– Run an MD5 or SHA-1 hashing algorithm on the
image files to get a digital hash
– Secure the original media in an evidence locker

Guide to Computer Forensics and Investigations 63

 Storing Digital Evidence
• The media you use to store digital evidence usually
depends on how long you need to keep it
• CD-Rs or DVDs
– The ideal media
– Capacity: up to 17 GB
– Lifespan: 2 to 5 years
• Magnetic tapes
– Capacity: 40 to 72 GB
– Lifespan: 30 years
– Costs: drive: $400 to $800; tape: $40

Guide to Computer Forensics and Investigations 64

 Obtaining a Digital Hash

• Cyclic Redundancy Check (CRC)

– Mathematical algorithm that determines whether a
file’s contents have changed
– Most recent version is CRC-32
– Not considered a forensic hashing algorithm
• Message Digest 5 (MD5)
– Mathematical formula that translates a file into a
hexadecimal code value, or a hash value
– If a bit or byte in the file changes, it alters the digital
hash
Guide to Computer Forensics and Investigations 65
 Obtaining a Digital Hash (continued)

• Three rules for forensic hashes:

– You can’t predict the hash value of a file or device
– No two hash values can be the same
– If anything changes in the file or device, the hash
value must change
• Secure Hash Algorithm version 1 (SHA-1)
– A newer hashing algorithm
– Developed by the National Institute of Standards
and Technology (NIST)

Guide to Computer Forensics and Investigations 66

 Obtaining a Digital Hash (continued)

• In both MD5 and SHA-1, collisions have occurred

• Most computer forensics hashing needs can be
satisfied with a nonkeyed hash set
– A unique hash number generated by a software tool,
such as the Linux md5sum command
• Keyed hash set
– Created by an encryption utility’s secret key
• You can use the MD5 function in FTK Imager to
obtain the digital signature of a file
– Or an entire drive
Guide to Computer Forensics and Investigations 67
 Sample Civil Investigation

• Most cases in the corporate environment are

considered low-level investigations
– Or noncriminal cases
• Common activities and practices
– Recover specific evidence
• Suspect’s Outlook e-mail folder (PST file)
– Covert surveillance
• Its use must be well defined in the company policy
• Risk of civil or criminal liability
– Sniffing tools for data transmissions
Guide to Computer Forensics and Investigations 68
 Sample Criminal Investigation
(continued)

Guide to Computer Forensics and Investigations 69