IS & F Lecture #29 30 - Computer Forensics-Data Acquisition

The document discusses three main formats for storing digital evidence: raw format, proprietary formats, and Advanced Forensics Format (AFF). It also discusses different methods for acquiring data from a drive including bit-stream disk-to-image/disk, logical disk-to-disk, and sparse data copy. When acquiring data, considerations include the drive size, using alternative tools like Linux, and making duplicate copies for verification and contingency.

Uploaded by Sadiholic

Introduction to Information Security & Forensics
Lecture # 30: Data Acquisition

Understanding Storage Formats for Digital Evidence

• Three formats
– Raw format
– Proprietary formats
– Advanced Forensics Format (AFF)

Guide to Computer Forensics and Investigations 2


Raw Format
• Makes it possible to write bit-stream data to files
• Advantages
– Fast data transfers
– Can be told to ignore minor read errors on the source drive (the unreadable blocks are typically zero-filled, so the image then no longer hashes identically to the source)
– Most computer forensics tools can read raw format
• Disadvantages
– Requires as much storage as the original disk or data
– Tools might not collect marginal (bad) sectors


Proprietary Formats

• Features offered
– Option to compress or not compress image files
– Can split an image into smaller segmented files
– Can integrate metadata (case notes, hashes, acquisition details) into the image file
• Disadvantages
– An image often cannot be shared between different tools
– File size limitation for each segmented volume


Advanced Forensics Format
• Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation
• Design goals
– Provide compressed or uncompressed image files
– No size restriction for disk-to-image files
– Provide space in the image file or segmented files for metadata
– Simple design with extensibility
– Open source for multiple platforms and OSs
• File extensions include .afd for segmented image files and .afm for AFF metadata


Determining the Best Acquisition Method

• Types of acquisitions
– Static acquisitions (source powered off and write-blocked) and live acquisitions (running system, so volatile data can be captured but the source changes while you copy it)
• Four methods
– Bit-stream disk-to-image file
– Bit-stream disk-to-disk
– Logical disk-to-disk or disk-to-data file
– Sparse data copy of a file or folder


Determining the Best Acquisition Method (continued)
• Bit-stream disk-to-image file
– Most common method
– Can make more than one copy
– Copies are bit-for-bit replications of the original drive
– ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
• Bit-stream disk-to-disk
– When a disk-to-image copy is not possible
– Consider the disk's geometry configuration
– EnCase, SafeBack, SnapCopy


Determining the Best Acquisition Method (continued)

• Logical acquisition or sparse acquisition
– When your time is limited
– Logical acquisition captures only specific files of interest to the case
– Sparse acquisition also collects fragments of unallocated (deleted) data
– Typical uses: very large disks, or PST/OST mail files


Determining the Best Acquisition Method (continued)

• When making a copy, consider:
– Size of the source disk
• Lossless compression might be useful
• Use cryptographic hashes (and, where required, digital signatures) for verification
– When working with large drives, an alternative is using tape backup systems
– Whether you can retain the disk


Contingency Planning for Image Acquisitions

• Create a duplicate copy of your evidence image file
• Make at least two images of digital evidence
– Use different tools or techniques
• Copy the host protected area (HPA) of a disk drive as well
– Consider using a hardware acquisition tool that can access the drive at the BIOS level
• Be prepared to deal with encrypted drives
– Whole disk encryption (BitLocker) in Windows Vista Ultimate and Enterprise editions


Using Acquisition Tools
• Acquisition tools for Windows
– Advantages
• Make acquiring evidence from a suspect drive more convenient
– Especially when used with hot-swappable devices
– Disadvantages
• Must protect acquired data with a well-tested write-blocking hardware device
• Tools can't acquire data from a disk's host protected area


Windows XP Write-Protection with USB Devices
• USB write-protection feature
– Blocks any writing to USB devices, so the suspect drive is attached over USB
• Target drive (where the image is written) needs to be connected to an internal PATA (IDE), SATA, or SCSI controller
• Steps to update the Registry for Windows XP SP2
– Back up the Registry
– Modify the Registry with the write-protection feature (the WriteProtect value under HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies)
– Create two desktop icons to automate switching between enabling and disabling writes to USB devices


Acquiring Data with a Linux Boot CD

• Linux can access a drive that isn't mounted
• Windows OSs and newer Linux distributions automatically mount and access a drive
• Forensic Linux Live CDs don't access media automatically
– Which removes the need for a write-blocker in that environment, provided the distribution's mount policy has been verified first
• Using Linux Live CD Distributions
– Forensic Linux Live CDs
• Contain additional utilities


Acquiring Data with a Linux Boot CD (continued)
• Using Linux Live CD Distributions (continued)
– Forensic Linux Live CDs (continued)
• Configured not to mount, or to mount as read-only, any connected storage media
• Well-designed Linux Live CDs for computer forensics
– Helix
– Penguin Sleuth
– FCCU
• Preparing a target drive for acquisition in Linux
– Linux distributions can partition a target drive and format it with a FAT or NTFS file system


Acquiring Data with a Linux Boot CD (continued)
• Preparing a target drive for acquisition in Linux (continued)
– fdisk command lists, creates, deletes, and verifies partitions in Linux
– mkfs.msdos command formats a FAT file system from Linux
• Acquiring data with dd in Linux
– dd ("data dump") command
• Can read from and write to both block devices and regular files
• Creates a raw format file that most computer forensics analysis tools can read


Acquiring Data with a Linux Boot CD (continued)
• Acquiring data with dd in Linux (continued)
– Shortcomings of the dd command
• Requires more advanced skills than the average user has
• Does not compress data
• Does not hash the data or log read errors on its own
– dd command combined with the split command
• Segments output into separate volumes
• Acquiring data with dcfldd in Linux
– dd command is intended as a data management tool
• Not designed for forensic acquisitions


Acquiring Data with a Linux Boot CD (continued)
• Acquiring data with dcfldd in Linux (continued)
– dcfldd additional functions
• Specify hex patterns or text for clearing (wiping) disk space
• Log errors to an output file for analysis and review
• Use several hashing options (e.g. MD5, SHA-1, SHA-256) and write the hashes to a log
• Refer to a status display indicating the progress of the acquisition in bytes
• Split data acquisitions into segmented volumes with numeric extensions
• Verify acquired data against the original disk or media
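The dd-plus-split procedure and the dcfldd functions listed above (hash logging, error logging, numbered segments, verification) as one worked script. This is an added example, not code from the lecture or the textbook: it assumes GNU coreutils (dd, split, sha256sum, head, cat, wc) and runs against a constructed 3 MiB sample "drive" file so that it needs neither root nor a real device; /dev/sdX and every file name below are hypothetical. On a real drive you would boot a forensic Live CD, put the suspect disk behind a write-blocker, and pass the device path in place of the sample file.

```shell
#!/bin/sh
# Added example, not part of the lecture slides: raw (dd-style) acquisition,
# hash verification, and split-based segmentation exercised on a constructed
# sample "drive" file. Assumes GNU coreutils. All file names are hypothetical.

# Create a constructed 3 MiB sample "source drive" standing in for /dev/sdX.
make_sample_drive() {
    head -c $((3 * 1024 * 1024)) /dev/urandom > "$1"
}

# SHA-256 of a file as a bare hex string (what a hash log records).
hash_file() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Bit-stream disk-to-image copy. conv=noerror keeps dd going past read
# errors and conv=sync zero-pads each short or unreadable block: that is how
# "ignore minor read errors" works, and it means a damaged (or not
# block-aligned) source no longer hashes identically to its image. dd's
# stderr (record counts and any read errors) is kept in "$img.log".
acquire_raw() {
    dd if="$1" of="$2" bs=1M conv=noerror,sync 2> "$2.log"
}

# Verify the acquisition: exit status 0 when source and image hash identically.
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Segment an image into numbered volumes (img.000, img.001, ...), as dcfldd's
# split option does, and print the number of volumes produced.
segment_image() {
    split -b "$2" -d -a 3 "$1" "$1."
    ls "$1".[0-9][0-9][0-9] | wc -l | tr -d ' '
}

# Reassemble the numbered volumes in order; the result must hash like the image.
reassemble_segments() {
    cat "$1".[0-9][0-9][0-9] > "$2"
}

# Write a hash manifest covering the image and every segment.
write_manifest() {
    for f in "$1" "$1".[0-9][0-9][0-9]; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done > "$2"
}

# Stand-alone demonstration on the constructed sample drive.
demo_dir=$(mktemp -d)
make_sample_drive "$demo_dir/sdx.bin"
acquire_raw "$demo_dir/sdx.bin" "$demo_dir/sdx.dd"
if verify_image "$demo_dir/sdx.bin" "$demo_dir/sdx.dd"; then
    echo "image verified: $(hash_file "$demo_dir/sdx.dd")"
else
    echo "HASH MISMATCH: review $demo_dir/sdx.dd.log" >&2
fi
echo "segments: $(segment_image "$demo_dir/sdx.dd" 1M)"
reassemble_segments "$demo_dir/sdx.dd" "$demo_dir/sdx.joined"
verify_image "$demo_dir/sdx.dd" "$demo_dir/sdx.joined" && echo "segments verified"
write_manifest "$demo_dir/sdx.dd" "$demo_dir/sdx.sha256"
cat "$demo_dir/sdx.sha256"
rm -rf "$demo_dir"
```

Two points the script makes concrete. First, because conv=sync pads the last block to the block size, a 1.5 MiB source acquired with bs=1M yields a 2 MiB image whose hash differs from the source's; the same happens for every unreadable block on a failing drive, which is why the manifest records the image hash and the error log is kept next to it. Second, for a bit-stream disk-to-disk copy the only change is of= pointing at the target device instead of a file; dcfldd adds the hash=, hashlog=, errlog= and split= options that this script reproduces with sha256sum and split.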
