
Computer Forensic Saturday1

Forensic data acquisition involves collecting digital evidence from electronic media through static and live acquisition methods. Various software tools assist in the analysis, and data can be stored in raw, Advanced Forensic Format (AFF), or proprietary formats, each with its advantages and disadvantages. A thorough forensic investigation includes preparation, data collection and preservation, analysis, reconstruction, reporting, and follow-up actions to ensure data integrity and effective incident response.

Forensic Data Acquisition
By Dr. Patricia Ghann


What is Forensic Data Acquisition
Forensic data acquisition can be defined as the process of collecting digital evidence from electronic media by making multiple copies of the data being investigated.

There are two types of data acquisition methods:

• Static acquisitions
• Live acquisitions
• Both methods and their data integrity requirements are similar.
Static Acquisitions

• In static acquisition, any data stored on digital media remains the same regardless of the number of acquisitions performed upon it.
• i.e., making a second or third static acquisition of the preserved original media should produce the same outcome.
Live Acquisitions

• Making multiple copies by live acquisition while a computer is running will collect new data instances because of the dynamic nature of the system.
• Using live acquisition, investigators cannot carry out repeatable processes, and repeatability helps to validate digital evidence.
Software Tools To Assist In The Analysis Process

Five broad categories of software tools:

• Data preservation, duplication, and verification tools
• Data recovery/extraction tools
• Data analysis tools
• Data reporting tools
• Network utilities
Data Format

There are three main generic formats being extensively used to store data on a computer. Two of these formats are open source, known as raw and Advanced Forensic Format (AFF), and the third is proprietary, based on vendors' unique features.


Raw Format

• This is the oldest data format that has been used.
• It makes a duplicate copy of the disk by performing bit-by-bit copying from one disk to another.
• Raw format outperforms other file formats (like AFF and EWF) in terms of throughput, i.e., it has a high data transfer rate between media.

Some of its disadvantages are:

• It is inefficient in using storage capacity; it needs high storage volumes on disk, with a minimum capacity equalling the size of the original media.
• It has some efficiency issues when dealing with unhealthy sectors on the media. This means that, when applied to weak media, it has a low threshold of retry reads of raw data on these bad spots.
• Many commercial forensic tools have a higher threshold value of retry reads to verify that all relevant data is gathered in a proper way.
Advanced Forensic Format (AFF)

• It is open source and runs on multiple platforms.
• Using this format, investigators can create compressed or uncompressed image files.
• It is scalable in storage capacity, without any restrictions on file sizes.
• Provides a space in the created image file to store metadata descriptions.
• Has an extendable design with simple concepts.
• Has several mechanisms to test internal consistency and self-authentication.
Proprietary Formats

• Efficient in using disk drive storage space, through options for compressing image files.
• Have built-in mechanisms to split an image into smaller pieces or segments for archiving purposes.
• Have built-in mechanisms for checking data integrity.
• Have metadata features that can be integrated into the image file, such as timestamps.

Their main disadvantages are:

• They are vendor-proprietary formats, which means that an image cannot be shared between different vendors' computer forensics analysis tools.
• They have some limitations in file size. Typically, forensic tools that use proprietary formats produce a segmented file with a 2 GB maximum segment size.
Acquisition Methods

Four methods are generally cited by the literature to acquire data; they are:

1) Disk-to-image file
2) Disk-to-disk copy
3) A logical disk-to-disk
4) A sparse copy of a folder or file
Disk-to-image

• The disk-to-image method is considered the most common and flexible method for doing investigations.
• By using it, investigators can create several copies of a suspect's media, which are constructed by using a bit-for-bit replication mechanism.
• Moreover, they can also use other forensic tools, such as SMART, ProDiscover, X-Ways Forensics, FTK, ILook, and Autopsy, to read the most common types of disk-to-image files they created.
• These software tools treat the disk-to-image file as though it is the original disk.
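As an added example (not from the slides), a small disk-to-image acquisition in Python that ties together the points made about raw images, retry reads on bad sectors, segmented output and verification: it copies a source bit for bit into segments, retries unreadable sectors up to a configurable threshold, zero-fills and records what still cannot be read, and re-hashes the stored segments against the hash taken during acquisition. The source device, its failing sector and the 512-byte sector size are constructed; real work reads a block device behind a write blocker.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size for the constructed device

class FlakyDevice:
    """Constructed stand-in for a disk behind a write blocker: sectors in
    `bad` fail their first `fail_count` reads and then succeed, which is
    how a weak spot on ageing media often behaves."""
    def __init__(self, data, bad, fail_count):
        self.data, self.bad, self.fail_count = data, set(bad), fail_count
        self.attempts = {}
    def read_sector(self, n):
        self.attempts[n] = self.attempts.get(n, 0) + 1
        if n in self.bad and self.attempts[n] <= self.fail_count:
            raise IOError(f"read error at sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]

def acquire(dev, nsectors, retries, segment_sectors):
    """Bit-for-bit copy into segments of `segment_sectors` sectors. A sector
    is retried up to `retries` times; if it still fails it is zero-filled and
    logged, so the image keeps the size of the original media and the
    analyst knows exactly which bytes were not recovered."""
    segments, unreadable, digest = [], [], hashlib.sha256()
    buf = io.BytesIO()
    for n in range(nsectors):
        chunk = None
        for _ in range(retries + 1):
            try:
                chunk = dev.read_sector(n)
                break
            except IOError:
                pass
        if chunk is None:
            chunk = b"\x00" * SECTOR
            unreadable.append(n)
        digest.update(chunk)
        buf.write(chunk)
        if (n + 1) % segment_sectors == 0 or n + 1 == nsectors:
            segments.append(buf.getvalue())
            buf = io.BytesIO()
    return segments, unreadable, digest.hexdigest()

def verify(segments, acquisition_hash):
    """Re-hash the stored segments as one stream and compare with the hash
    recorded at acquisition time, as a verification tool does."""
    digest = hashlib.sha256()
    for seg in segments:
        digest.update(seg)
    return digest.hexdigest() == acquisition_hash
```

With a retry threshold of one the weak sector is lost and zero-filled; with a threshold of three the same device yields a complete image, which is the difference the slides draw between raw imaging and commercial tools.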
You are tasked with conducting a forensic investigation on a suspected compromised computer. Outline the steps you would take to ensure a thorough and effective investigation.

• Preparation:
a. Obtain proper authorization and documentation to conduct the investigation.
b. Identify and secure the compromised computer to prevent further tampering or data loss.
c. Assemble the necessary tools and software for forensic analysis, such as imaging tools, network sniffers, and malware analysis tools.
• Collection and Preservation:
a. Create a forensic image of the compromised computer's storage devices using write-blocking techniques to ensure data integrity.
b. Document the physical state of the computer, noting any external damage or signs of tampering.
c. Identify and preserve volatile data by collecting live system information, open network connections, and running processes.
• Analysis:
a. Conduct a comprehensive analysis of the forensic image, focusing on areas such as file systems, registry entries, and network artifacts.
b. Use forensic tools and techniques to recover deleted files, hidden data, and artifacts that may provide evidence of unauthorized access or malicious activity.
c. Analyze system logs, event logs, and other relevant data sources to trace the actions of the intruder and identify potential entry points.
d. Employ malware analysis techniques to identify and analyze any malicious software present on the system.
• Reconstruction:
a. Reconstruct the timeline of events by correlating timestamps, log entries, and file system metadata to understand the sequence of activities.
b. Identify and analyze network traffic data, including packet captures and firewall logs, to determine the communication channels used by the intruder.
c. Piece together the evidence to build a coherent narrative of the incident, including the methods used, potential motives, and impact on the compromised system.
• Reporting:
a. Document all findings, including the methods used, tools employed, and the evidence collected.
b. Provide a clear and concise report that outlines the details of the investigation, including the identified vulnerabilities, the actions taken by the intruder, and recommendations for remediation and prevention.
c. Ensure that the report is accurate, objective, and suitable for legal purposes, if required.
• Follow-Up Actions:
a. Coordinate with relevant stakeholders, such as legal counsel or law enforcement, to determine the appropriate actions based on the findings of the investigation.
b. Implement remediation measures to address identified vulnerabilities and prevent future incidents.
c. Conduct post-incident analysis to identify lessons learned and improve incident response procedures and security measures.
• It is important to note that the specific steps and techniques employed in a cyber forensic investigation may vary depending on the nature of the incident, the available resources, and legal considerations. Professional expertise and adherence to best practices are crucial to ensure a thorough and effective investigation.
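As an added example (not part of the slides), the reconstruction step in Python: events from an auth log, a firewall log and file system metadata, each carrying timestamps in a different convention, are normalised to UTC and merged into one ordered timeline. All samples are constructed (RFC 5737 documentation addresses), and the year and zone of the syslog lines are assumed values an analyst would take from the acquisition notes.

```python
from datetime import datetime, timedelta, timezone

# Constructed samples. Syslog lines carry neither a year nor a zone, so both
# are supplied from the acquisition notes (assumed here: 2024, UTC+01:00).
LOG_YEAR, LOG_TZ = 2024, timezone(timedelta(hours=1))
AUTH_LOG = [
    "Mar 14 02:17:03 ws01 sshd[812]: Accepted password for svc from 203.0.113.5 port 51022 ssh2",
    "Mar 14 02:19:40 ws01 sudo: svc : COMMAND=/usr/bin/tar czf /tmp/.x.tgz /srv/data",
]
FIREWALL_LOG = [  # epoch seconds (already UTC), action, src, dst:port
    "1710379021 ALLOW 203.0.113.5 10.0.0.12:22",
    "1710379270 ALLOW 10.0.0.12 198.51.100.7:443",
]
FILE_METADATA = [  # path, mtime as ISO 8601 with an explicit offset
    ("/var/log/auth.log", "2024-03-14T02:19:41+01:00"),
    ("/tmp/.x.tgz", "2024-03-14T02:19:52+01:00"),
]

def parse_auth(line):
    """Syslog prefix 'Mar 14 02:17:03' -> aware UTC datetime plus message."""
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    ts = ts.replace(year=LOG_YEAR, tzinfo=LOG_TZ).astimezone(timezone.utc)
    return ts, "auth.log", line[16:]

def parse_firewall(line):
    """Epoch seconds are unambiguous; only the text needs shaping."""
    epoch, action, src, dst = line.split()
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return ts, "firewall", f"{action} {src} -> {dst}"

def parse_mtime(path, iso):
    """ISO 8601 with offset converts directly; the offset is not dropped."""
    ts = datetime.fromisoformat(iso).astimezone(timezone.utc)
    return ts, "filesystem", f"mtime {path}"

def build_timeline():
    """Merge every source and order by UTC time. Sorting the whole tuple
    keeps the order deterministic when two sources share a second."""
    events = [parse_auth(l) for l in AUTH_LOG]
    events += [parse_firewall(l) for l in FIREWALL_LOG]
    events += [parse_mtime(p, t) for p, t in FILE_METADATA]
    return sorted(events)

if __name__ == "__main__":
    for ts, source, text in build_timeline():
        print(ts.isoformat(), source.ljust(10), text)
```

Read top to bottom, the merged timeline shows the inbound connection, the login, the archive being created and the outbound transfer as one sequence, which none of the three sources shows on its own.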