Computer/Cyber/

Digital Forensics
BSc Computer
Science/IT
LECTURER

DR. PATRICIA GHANN

Guide to Computer Forensics
and Investigations
Third Edition

Data Acquisition
What is Digital Forensic

“The use of scientifically derived and proven

methods toward the preservation, collection,
validation, identification, analysis, interpretation,
documentation and presentation of digital
evidence derived from digital sources for the
purpose of facilitating or furthering the
reconstruction of events found to be criminal, or
helping to anticipate unauthorized actions shown
to be disruptive to planned operations.”

Source: (2001). Digital Forensic Research Workshop (DFRWS)

3
Where is it Predominantely
been used
There are at least 3 distinct communities
within Digital Forensics
Law Enforcement
Military
Business & Industry
Possibly a 4th – Academia

4
Digital Forensic Science

5
Community Objectives

6
What Constitute Cyber
Forensics?

• Includes:
• Networks (Network Forensics)
• Small Scale Digital Devices
• Storage Media (Computer forensics)
• Code Analysis

7
Cyber Forensics

• The scientific examination and analysis of digital

evidence in such a way that the information can be

used as evidence in a court of law.

8
Activities Involved in Cyber
Forensic
Cyber forensics activities commonly
include:
1. the secure collection of computer data
2. the identification of suspect data
3. the examination of suspect data to
determine details such as origin and
content
4. the presentation of computer-based
information to courts of law
5. the application of a country's laws to
computer practice.
9
Remember The 3 As

The basic methodology consists of the 3 As:

– Acquire the evidence without altering or damaging the original

– Authenticate the image

– Analyze the data without modifying it

10
 Context of Cyber Forensics

• Homeland Security
Information Security
Corporate Espionage

Digital Forensics
• White Collar Crime
• Child Pornography
• Traditional Crime Cyber Forensi
• Incident Response
Employee Monitoring
• Privacy Issues
• ????

11
Crime Scenes

Physical Crime Scenes vs.

Cyber/Digital Crime Scenes
1. Overlapping principals
2. The basics of criminalistics are
constant across both physical and
cyber/digital
3. Locard’s Principle applies
“When a person commits a crime something is
always left at the scene of the crime that was not
present when the person arrived
12
Digital Crime Scene
 Digital Evidence
• Digital data that establish that a crime has been committed,
can provide a link between a crime and its victim, or can
provide a link between a crime and the perpetrator (Carrier &
Spafford, 2003)

 Digital Crime Scene

• The electronic environment where digital evidence can
potentially exist (Rogers, 2005)
• Primary & Secondary Digital Scene(s) as well

13
Characteristics of
Digital Evidence
 Digital/ Electronic evidence is
extremely volatile!
 Once the evidence is contaminated it
cannot be de-contaminated!
 The courts acceptance is based on
the best evidence principle
With computer data, printouts or other output
readable by sight, and bit stream copies
adhere to this principle.
 Chain of Custody is crucial
14
7 Principles of Forensic Science

• Law of Individuality: Individuality implies that every

entity, whether person or object, can only be identical to
itself and so is unique”.
• For example, a white powder might otherwise be taken as
table salt or sand particles. But the same powder at the
crime scene comes under the radar for intoxicating drugs.
The law of individuality regards the specific characteristics
of such material and helps in identification.

• Principle of Comparison: “Only the likes can be

compared”. Like samples should be referred to
comparison for the purposes of confirmation. In case it is a
blood sample from the crime scene, it has to be clinically
compared whether it belongs to a human or any other
organism.
15
7 Principles of Forensic
Science(2)
• Law of Circumstantial Facts: There is a popular statement that “Facts
cannot be wrong, they cannot lie, and can not be wholly absent.

• Law of Probability: The occurrence of a crime is identified based on the

forensic application of probabilistic inference and reasoning.

• Principle of Exchange: By Edmond Locard. It states that “Whenever two

entities come in contact with each other, they exchange the traces
between them.”

• Law of Progressive Change: Change is the only constant” Time is of

essence

• Principle of Analysis: The principle of analysis lays that “The quality of

any analysis would be better by collection of the correct sample and its
correct preservation in the prescribed manner ”

16
Cyber Forensic Principles
• The 6 Principles are:
1. When dealing with digital evidence, all of the general
forensic and procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not
change that evidence.
3. When it is necessary for a person to access original digital
evidence, that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or
transfer of digital evidence must be fully documented,
preserved and available for review.
5. An Individual is responsible for all actions taken with
respect to digital evidence whilst the digital evidence is in
their possession.
6. Any agency, which is responsible for seizing, accessing,
storing or transferring digital evidence is responsible for
compliance with these principles.
17
Process/Phases

1. Identification
2. Collection
Bag & Tag
3. Preservation
4. Examination
5. Analysis
6. Presentation/Report

18
Identification(1)

The first step is identifying evidence and potential

containers of evidence

More difficult than it sounds

Small scale devices

Non-traditional storage media

Multiple possible crime scenes

19
Devices Identification(2)

20
Identification(3)

 Context of the investigation is very important

 Do not operate in a vacuum!
 Do not overlook non-electronic sources of
evidence
 Manuals, papers, printouts, etc.

21
Collection

Care must be taken to minimize contamination

Collect or seize the system(s)

Create forensic image

 Live or Static?

 Do you own the system

 What does your policy say?

22
23
Collection: Documentation

24
Collection: Documentation
• Take detailed photos and notes of the computer / monitor
• If the computer is “on”, take photos of what is displayed on the monitor – DO
NOT ALTER THE SCENE

25
Collection: Documentation
Make sure to take photos and notes of all
connections to the computer/other devices

26
Collection: Imaging
• Rule of Thumb: make 2 copies and don’t
work from the original (if possible)
• A file copy does not recover all data areas
of the device for examination
• Working from a duplicate image
• Preserves the original evidence
• Prevents inadvertent alteration of original evidence
during examination
• Allows recreation of the duplicate image if
necessary

27
Collection: Imaging
•Digital evidence can be duplicated with no
degradation from copy to copy
• This is not the case with most other forms of
evidence

28
Collection: Imaging
Write blockers
Software
Hardware
Hardware write blockers are becoming the industry
standard
USB, SATA, IDE, SCSI, SIM, Memory Cards
Not BIOS dependent
But still verify prior to usage!

29
Collection: Imaging

Forensic Copies (Bitstream)

Bit for Bit copying captures all the data on the copied
media including hidden and residual data (e.g., slack
space, swap, residue, unused space, deleted files etc.)
Often the “smoking gun” is found in the residual
data.
Imaging from a disk (drive) to a file is becoming the
norm
Multiple cases stored on same media
No risk of data leakage from underlying media
Remember avoid working from the original
Use a write blocker even when examining a copy!

30
Examination
Higher level look at the file system representation of the
data on the media
Verify integrity of image
• MD5, SHA1 etc.
Recover deleted files & folders
Determine keyword list
• What are you searching for
Determine time lines
• What is the timezone setting of the suspect system
• What time frame is of importance
• Graphical representation is very useful

31
Examination
Examine directory
tree
• What looks out of Search for relevant
place
evidence types
• Stego tools installed
• Evidence Scrubbers • Hash sets can be useful
Perform keyword
searches • Graphics
• Indexed
• Spreadsheets
• Slack & unallocated
space • Hacking tools

• Etc.

Look for the

obvious first

When is enough
enough??
32
Issues

 lack of certification for tools

 Lack of standards
 lack of certification for professionals
 lack of understanding by Judiciary
 lack of curriculum accreditation
 Rapid changes in technology!
 Immature Scientific Discipline

33
Paths to Careers in CF

Certifications
Associate Degree
Bachelor Degree
Post Grad Certificate
Masters
Doctorate

34
Job Functions

CF Technician
CF Investigator
CF Analyst/Examiner (lab)
CF Lab Director
CF Scientist

35
Professional Opportunities
Law Enforcement
Private Sector
Intelligence Community
Military
Academia

36
AIMS
• List digital evidence storage formats
• Explain ways to determine the best acquisition method
• Describe contingency planning for data acquisitions
• Explain how to use acquisition tools
• Explain how to validate data acquisitions
• Describe RAID acquisition methods
• Explain how to use remote network acquisition tools
• List other forensic tools available for data acquisitions

37
Understanding Storage Formats for
Digital Evidence
• Three formats
• Raw format
• Proprietary formats
• Advanced Forensics Format (AFF)

38
Raw Format
• Makes it possible to write bit-stream data to files
• Advantages
• Fast data transfers
• Can ignore minor data read errors on source drive
• Most computer forensics tools can read raw format
• Disadvantages
• Requires as much storage as original disk or data
• Tools might not collect marginal (bad) sectors

39
Proprietary Formats

• Features offered
• Option to compress or not compress image files
• Can split an image into smaller segmented files
• Can integrate metadata into the image file
• Disadvantages
• Inability to share an image between different tools
• File size limitation for each segmented volume

40
Advanced Forensics Format
• Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation
• Design goals
• Provide compressed or uncompressed image files
• No size restriction for disk-to-image files
• Provide space in the image file or segmented files for metadata
• Simple design with extensibility
• Open source for multiple platforms and OSs

41
Advanced Forensics Format

• Design goals (continued)

• Internal consistency checks for self-authentication
• File extensions include .afd for segmented image files and .afm for
AFF metadata
• AFF is open source

42
Determining the Best Acquisition
Method
• Types of acquisitions
• Static acquisitions and live acquisitions
• Four methods
• Bit-stream disk-to-image file
• Bit-stream disk-to-disk
• Logical disk-to-disk or disk-to-disk data
• Sparse data copy of a file or folder

43
Determining the Best Acquisition
Method (continued)
• Bit-stream disk-to-image file
• Most common method
• Can make more than one copy
• Copies are bit-for-bit replications of the original drive
• ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
• Bit-stream disk-to-disk
• When disk-to-image copy is not possible
• Consider disk’s geometry configuration
• EnCase, SafeBack, SnapCopy

44
Determining the Best Acquisition
Method (continued)
• Logical acquisition or sparse acquisition
• When your time is limited
• Logical acquisition captures only specific files of interest to the case
• Sparse acquisition also collects fragments of unallocated (deleted) data
• For large disks
• PST or OST mail files, RAID servers

45
Determining the Best Acquisition
Method (continued)
• When making a copy, consider:
• Size of the source disk
• Lossless compression might be useful
• Use digital signatures for verification
• When working with large drives, an alternative is using tape backup systems
• Whether you can retain the disk

46
Contingency Planning for Image
Acquisitions
• Create a duplicate copy of your evidence image file
• Make at least two images of digital evidence
• Use different tools or techniques
• Copy host protected area of a disk drive as well
• Consider using a hardware acquisition tool that can access the drive at the
BIOS level
• Be prepared to deal with encrypted drives
• Whole disk encryption feature in Windows Vista Ultimate and Enterprise
editions

47
Using Acquisition Tools
• Acquisition tools for Windows
• Advantages
• Make acquiring evidence from a suspect drive more convenient
• Especially when used with hot-swappable devices
• Disadvantages
• Must protect acquired data with a well-tested write-blocking hardware device
• Tools can’t acquire data from a disk’s host protected area

48
Windows XP Write-Protection with
USB Devices
• USB write-protection feature
• Blocks any writing to USB devices
• Target drive needs to be connected to an internal PATA (IDE), SATA, or
SCSI controller
• Steps to update the Registry for Windows XP SP2
• Back up the Registry
• Modify the Registry with the write-protection feature
• Create two desktop icons to automate switching between enabling and
disabling writes to USB device

49
Windows XP Write-Protection with
USB Devices (continued)

50
Acquiring Data with a Linux Boot CD

• Linux can access a drive that isn’t mounted

• Windows OSs and newer Linux automatically mount and access a drive
• Forensic Linux Live CDs don’t access media automatically
• Which eliminates the need for a write-blocker
• Using Linux Live CD Distributions
• Forensic Linux Live CDs
• Contain additionally utilities

51
Acquiring Data with a Linux Boot CD

• Using Linux Live CD Distributions (continued)

• Forensic Linux Live CDs (continued)
• Configured not to mount, or to mount as read-only, any connected storage media
• Well-designed Linux Live CDs for computer forensics
• Helix
• Penguin Sleuth
• FCCU

• Preparing a target drive for acquisition in Linux

• Linux distributions can create Microsoft FAT and NTFS partition tables

52
Acquiring Data with a Linux Boot CD

• Preparing a target drive for acquisition in Linux (continued)

• fdisk command lists, creates, deletes, and verifies partitions in Linux
• mkfs.msdos command formats a FAT file system from Linux
• Acquiring data with dd in Linux
• dd (“data dump”) command
• Can read and write from media device and data file
• Creates raw format file that most computer forensics analysis tools can read

53
Acquiring Data with a Linux Boot CD

• Acquiring data with dd in Linux (continued)

• Shortcomings of dd command
• Requires more advanced skills than average user
• Does not compress data
• dd command combined with the split command
• Segments output into separate volumes
• Acquiring data with dcfldd in Linux
• dd command is intended as a data management tool
• Not designed for forensics acquisitions

54
Acquiring Data with a Linux Boot CD

• Acquiring data with dcfldd in Linux (continued)

• dcfldd additional functions
• Specify hex patterns or text for clearing disk space
• Log errors to an output file for analysis and review
• Use several hashing options
• Refer to a status display indicating the progress of the acquisition in bytes
• Split data acquisitions into segmented volumes with numeric extensions
• Verify acquired data with original disk or media data

55
Capturing an Image with ProDiscover
Basic
• Connecting the suspect’s drive to your workstation
• Document the chain of evidence for the drive
• Remove the drive from the suspect’s computer
• Configure the suspect drive’s jumpers as needed
• Connect the suspect drive
• Create a storage folder on the target drive
• Using ProDiscover’s Proprietary Acquisition Format
• Image file will be split into segments of 650MB
• Creates image files with an .eve extension, a log file (.log extension), and a
special inventory file (.pds extension)

56
Capturing an Image with
ProDiscover Basic (continued)

57
58
Capturing an Image with
ProDiscover Basic (continued)
• Using ProDiscover’s Raw Acquisition Format
• Select the UNIX style dd format in the Image Format list box
• Raw acquisition saves only the image data and hash value

59
Capturing an Image with
AccessData FTK Imager
• Included on AccessData Forensic Toolkit
• View evidence disks and disk-to-image files
• Makes disk-to-image copies of evidence drives
• At logical partition and physical drive level
• Can segment the image file
• Evidence drive must have a hardware write-blocking device
• Or the USB write-protection Registry feature enabled
• FTK Imager can’t acquire drive’s host protected area

60
Capturing an Image with
AccessData FTK Imager (continued)

61
Capturing an Image with
AccessData FTK Imager (continued)
• Steps
• Boot to Windows
• Connect evidence disk to a write-blocker
• Connect target disk to write-blocker
• Start FTK Imager
• Create Disk Image
• Use Physical Drive option

62
Capturing an Image with
AccessData FTK Imager (continued)

63
Capturing an Image with
AccessData FTK Imager (continued)

64
Capturing an Image with
AccessData FTK Imager (continued)

65
Capturing an Image with
AccessData FTK Imager (continued)

66
Validating Data Acquisitions

• Most critical aspect of computer forensics

• Requires using a hashing algorithm utility
• Validation techniques
• CRC-32, MD5, and SHA-1 to SHA-512

67
Linux Validation Methods
• Validating dd acquired data
• You can use md5sum or sha1sum utilities
• md5sum or sha1sum utilities should be run on all suspect disks and volumes or
segmented volumes
• Validating dcfldd acquired data
• Use the hash option to designate a hashing algorithm of md5, sha1, sha256,
sha384, or sha512
• hashlog option outputs hash results to a text file that can be stored with the
image files
• vf (verify file) option compares the image file to the original medium

68
Windows Validation Methods

• Windows has no built-in hashing algorithm tools for computer

forensics
• Third-party utilities can be used
• Commercial computer forensics programs also have built-in
validation features
• Each program has its own validation technique
• Raw format image files don’t contain metadata
• Separate manual validation is recommended for all raw acquisitions

69
Performing RAID Data Acquisitions
• Size is the biggest concern
• Many RAID systems now have terabytes of data

70
Understanding RAID
• Redundant array of independent (formerly “inexpensive”) disks (RAID)
• Computer configuration involving two or more disks
• Originally developed as a data-redundancy measure
• RAID 0
• Provides rapid access and increased storage
• Lack of redundancy
• RAID 1
• Designed for data recovery
• More expensive than RAID 0

71
Understanding RAID (continued)
• RAID 2
• Similar to RAID 1
• Data is written to a disk on a bit level
• Has better data integrity checking than RAID 0
• Slower than RAID 0
• RAID 3
• Uses data stripping and dedicated parity
• RAID 4
• Data is written in blocks

72
Understanding RAID (continued)

73
Understanding RAID (continued)

74
Understanding RAID (continued)

75
Understanding RAID (continued)

• RAID 5
• Similar to RAIDs 0 and 3
• Places parity recovery data on each disk
• RAID 6
• Redundant parity on each disk
• RAID 10, or mirrored striping
• Also known as RAID 1+0
• Combination of RAID 1 and RAID 0

76
Understanding RAID (continued)

77
Acquiring RAID Disks

• Concerns
• How much data storage is needed?
• What type of RAID is used?
• Do you have the right acquisition tool?
• Can the tool read a forensically copied RAID image?
• Can the tool read split data saves of each RAID disk?
• Older hardware-firmware RAID systems can be a challenge when
you’re making an image

78
 Acquiring RAID Disks (continued)
• Vendors offering RAID acquisition functions
• Technologies Pathways ProDiscover
• Guidance Software EnCase
• X-Ways Forensics
• Runtime Software
• R-Tools Technologies
• Occasionally, a RAID system is too large for a static acquisition
• Retrieve only the data relevant to the investigation with the sparse or logical
acquisition method

79
 Using Remote Network Acquisition
Tools
• You can remotely connect to a suspect computer via a network
connection and copy data from it
• Remote acquisition tools vary in configurations and capabilities
• Drawbacks
• LAN’s data transfer speeds and routing table conflicts could cause problems
• Gaining the permissions needed to access more secure subnets
• Heavy traffic could cause delays and errors

80
Remote Acquisition with ProDiscover

• With ProDiscover Investigator you can:

• Preview a suspect’s drive remotely while it’s in use
• Perform a live acquisition
• Encrypt the connection
• Copy the suspect computer’s RAM
• Use the optional stealth mode
• ProDiscover Incident Response additional functions
• Capture volatile system state information
• Analyze current running processes

81
Remote Acquisition with ProDiscover

• ProDiscover Incident Response additional functions (continued)

• Locate unseen files and processes
• Remotely view and listen to IP ports
• Run hash comparisons
• Create a hash inventory of all files remotely
• PDServer remote agent
• ProDiscover utility for remote access
• Needs to be loaded on the suspect

82
Remote Acquisition with ProDiscover

• PDServer installation modes

• Trusted CD
• Preinstallation
• Pushing out and running remotely
• PDServer can run in a stealth mode
• Can change process name to appear as OS function

83
Remote Acquisition with ProDiscover

• Remote connection security features

• Password Protection
• Encryption
• Secure Communication Protocol
• Write Protected Trusted Binaries
• Digital Signatures

84
Remote Acquisition with EnCase
Enterprise
• Remote acquisition features
• Remote data acquisition of a computer’s media and RAM data
• Integration with intrusion detection system (IDS) tools
• Options to create an image of data from one or more systems
• Preview of systems
• A wide range of file system formats
• RAID support for both hardware and software

85
Remote Acquisition with R-Tools R-
Studio
• R-Tools suite of software is designed for data recovery
• Remote connection uses Triple Data Encryption Standard (3DES)
encryption
• Creates raw format acquisitions
• Supports various file systems

86
Remote Acquisition with Runtime
Software
• Utilities
• DiskExplorer for FAT
• DiskExplorer for NTFS
• HDHOST
• Features for acquisition
• Create a raw format image file
• Segment the raw format or compressed image
• Access network computers’ drives

87
Using Other Forensics-Acquisition
Tools
• Tools
• SnapBack DatArrest
• SafeBack
• DIBS USA RAID
• ILook Investigator IXimager
• Vogon International SDi32
• ASRData SMART
• Australian Department of Defence PyFlag

88
SnapBack DatArrest

• Columbia Data Products

• Old MS-DOS tool
• Can make an image on three ways
• Disk to SCSI drive
• Disk to network drive
• Disk to disk
• Fits on a forensic boot floppy
• SnapCopy adjusts disk geometry

89
NTI SafeBack

• Reliable MS-DOS tool

• Small enough to fit on a forensic boot floppy
• Performs an SHA-256 calculation per sector copied
• Creates a log file

90
NTI SafeBack (continued)

• Functions
• Disk-to-image copy (image can be on tape)
• Disk-to-disk copy (adjusts target geometry)
• Parallel port laplink can be used
• Copies a partition to an image file
• Compresses image files

91
DIBS USA RAID
• Rapid Action Imaging Device (RAID)
• Makes forensically sound disk copies
• Portable computer system designed to make disk-to-disk images
• Copied disk can then be attached to a write-blocker device

92
ILook Investigator IXimager
• Iximager
• Runs from a bootable floppy or CD
• Designed to work only with ILook Investigator
• Can acquire single drives and RAID drives

93
Vogon International SDi32
• Creates a raw format image of a drive
• Write-blocker is needed when using this tool
• Password Cracker POD
• Device that removes the password on a drive’s firmware card

94
ASRData SMART
• Linux forensics analysis tool that can make image files of a suspect
drive
• Capabilities
• Robust data reading of bad sectors on drives
• Mounting suspect drives in write-protected mode
• Mounting target drives in read/write mode
• Optional compression schemes

95
Australian Department of Defence
PyFlag
• PyFlag tool
• Intended as a network forensics analysis tool
• Can create proprietary format Expert Witness image files
• Uses sgzip and gzip in Linux

96
Summary
• Data acquisition methods
• Disk-to-image file
• Disk-to-disk copy
• Logical disk-to-disk or disk-to-data file
• Sparse data copy
• Several tools available
• Lossless compression is acceptable
• Plan your digital evidence contingencies
• Write-blocking devices or utilities must be used with GUI acquisition
tools

97
Summary (continued)
• Always validate acquisition
• A Linux Live CD, such as Helix, provides many useful tools for computer
forensics acquisitions
• Preferred Linux acquisition tool is dcfldd (not dd)
• Use a physical write-blocker device for acquisitions
• To acquire RAID disks, determine the type of RAID
• And then which acquisition tool to use

98