Introduction to Information

Security & Forensics

Lecture # 30
Data Acquisition
 Understanding Storage Formats for
Digital Evidence

• Three formats
– Raw format
– Proprietary formats
– Advanced Forensics Format (AFF)

Guide to Computer Forensics and Investigations 2

 Raw Format
• Makes it possible to write bit-stream data to files
• Advantages
– Fast data transfers
– Can ignore minor data read errors on source drive
– Most computer forensics tools can read raw format
• Disadvantages
– Requires as much storage as original disk or data
– Tools might not collect marginal (bad) sectors

Guide to Computer Forensics and Investigations 3

 Proprietary Formats

• Features offered
– Option to compress or not compress image files
– Can split an image into smaller segmented files
– Can integrate metadata into the image file
• Disadvantages
– Inability to share an image between different tools
– File size limitation for each segmented volume

Guide to Computer Forensics and Investigations 4

 Advanced Forensics Format
• Developed by Dr. Simson L. Garfinkel of Basis
Technology Corporation
• Design goals
– Provide compressed or uncompressed image files
– No size restriction for disk-to-image files
– Provide space in the image file or segmented files for
metadata
– Simple design with extensibility
– Open source for multiple platforms and Oss
• File extensions include .afd for segmented image files
and .afm for AFF metadata

Guide to Computer Forensics and Investigations 5

 Determining the Best Acquisition
Method

• Types of acquisitions
– Static acquisitions and live acquisitions
• Four methods
– Bit-stream disk-to-image file
– Bit-stream disk-to-disk
– Logical disk-to-disk or disk-to-disk data
– Sparse data copy of a file or folder

Guide to Computer Forensics and Investigations 6

 Determining the Best Acquisition
Method (continued)
• Bit-stream disk-to-image file
– Most common method
– Can make more than one copy
– Copies are bit-for-bit replications of the original drive
– ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-
Ways, iLook
• Bit-stream disk-to-disk
– When disk-to-image copy is not possible
– Consider disk’s geometry configuration
– EnCase, SafeBack, SnapCopy

Guide to Computer Forensics and Investigations 7

 Determining the Best Acquisition
Method (continued)

• Logical acquisition or sparse acquisition

– When your time is limited
– Logical acquisition captures only specific files of
interest to the case
– Sparse acquisition also collects fragments of
unallocated (deleted) data
– For large disks
– PST or OST mail files

Guide to Computer Forensics and Investigations 8

 Determining the Best Acquisition
Method (continued)

• When making a copy, consider:

– Size of the source disk
• Lossless compression might be useful
• Use digital signatures for verification
– When working with large drives, an alternative is
using tape backup systems
– Whether you can retain the disk

Guide to Computer Forensics and Investigations 9

 Contingency Planning for Image
Acquisitions

• Create a duplicate copy of your evidence image file

• Make at least two images of digital evidence
– Use different tools or techniques
• Copy host protected area of a disk drive as well
– Consider using a hardware acquisition tool that can
access the drive at the BIOS level
• Be prepared to deal with encrypted drives
– Whole disk encryption feature in Windows Vista
Ultimate and Enterprise editions

Guide to Computer Forensics and Investigations 10

 Using Acquisition Tools
• Acquisition tools for Windows
– Advantages
• Make acquiring evidence from a suspect drive more
convenient
– Especially when used with hot-swappable devices
– Disadvantages
• Must protect acquired data with a well-tested write-
blocking hardware device
• Tools can’t acquire data from a disk’s host protected
area

Guide to Computer Forensics and Investigations 11

 Windows XP Write-Protection with
USB Devices
• USB write-protection feature
– Blocks any writing to USB devices
• Target drive needs to be connected to an internal
PATA (IDE), SATA, or SCSI controller
• Steps to update the Registry for Windows XP SP2
– Back up the Registry
– Modify the Registry with the write-protection feature
– Create two desktop icons to automate switching
between enabling and disabling writes to USB device

Guide to Computer Forensics and Investigations 12

 Acquiring Data with a Linux Boot CD

• Linux can access a drive that isn’t mounted

• Windows OSs and newer Linux automatically
mount and access a drive
• Forensic Linux Live CDs don’t access media
automatically
– Which eliminates the need for a write-blocker
• Using Linux Live CD Distributions
– Forensic Linux Live CDs
• Contain additionally utilities

Guide to Computer Forensics and Investigations 13

 Acquiring Data with a Linux Boot CD
(continued)
• Using Linux Live CD Distributions (continued)
– Forensic Linux Live CDs (continued)
• Configured not to mount, or to mount as read-only, any
connected storage media
• Well-designed Linux Live CDs for computer forensics
– Helix
– Penguin Sleuth
– FCCU
• Preparing a target drive for acquisition in Linux
– Linux distributions can create Microsoft FAT and NTFS
partition tables

Guide to Computer Forensics and Investigations 14

 Acquiring Data with a Linux Boot CD
(continued)
• Preparing a target drive for acquisition in Linux
(continued)
– fdisk command lists, creates, deletes, and verifies
partitions in Linux
– mkfs.msdos command formats a FAT file system from
Linux
• Acquiring data with dd in Linux
– dd (“data dump”) command
• Can read and write from media device and data file
• Creates raw format file that most computer forensics
analysis tools can read

Guide to Computer Forensics and Investigations 15

 Acquiring Data with a Linux Boot CD
(continued)
• Acquiring data with dd in Linux (continued)
– Shortcomings of dd command
• Requires more advanced skills than average user
• Does not compress data
– dd command combined with the split command
• Segments output into separate volumes
• Acquiring data with dcfldd in Linux
– dd command is intended as a data management tool
• Not designed for forensics acquisitions

Guide to Computer Forensics and Investigations 16

 Acquiring Data with a Linux Boot CD
(continued)
• Acquiring data with dcfldd in Linux (continued)
– dcfldd additional functions
• Specify hex patterns or text for clearing disk space
• Log errors to an output file for analysis and review
• Use several hashing options
• Refer to a status display indicating the progress of the
acquisition in bytes
• Split data acquisitions into segmented volumes with
numeric extensions
• Verify acquired data with original disk or media data

Guide to Computer Forensics and Investigations 17