Dr. Zunera Jalil
Email: [email protected]
What we are going to talk about today
o Digital evidence storage formats
o Acquisition methods
o Contingency planning for data acquisitions
o How to use acquisition tools
o How to validate data acquisitions
o Forensic tools available for data acquisitions
o Home Task: RAID acquisition methods
Data Acquisition
Data acquisition is the process of copying data: the task of collecting digital evidence from electronic media.
Evidence Acquisition
• Static Acquisition
• Copying a hard drive from a powered-off system
• Does not alter the data, so it is repeatable
• Live Acquisition
• Copying data from a running system
• Cannot be repeated exactly, since it alters the data
• RAM data has no timestamp but may reveal very useful information
Evidence Data
o Terms used for a file containing evidence data
Bit-stream copy
Bit-stream image
Image
Mirror
Sector copy
Storage Formats for Digital Evidence
Evidence Formats
o Three formats
Raw format
Proprietary formats
Advanced Forensics Format (AFF)
Raw Format
o Made using the Linux dd command
This copy technique creates simple sequential flat files of a suspect drive or data set.
The output of these flat files is referred to as a raw format.
This format has unique advantages and disadvantages to consider when selecting an acquisition format.
o Bit-by-bit copy of the drive to a file
o Advantages
Fast data transfers
Can ignore minor data read errors on the source drive
Most computer forensics tools can read raw format
Raw Format (continued)
o Disadvantages
Requires as much storage as the original disk or data
Tools might not collect marginal (bad) sectors
• Low threshold of retry reads on weak media spots
• Commercial tools use more retries than free tools
o Validation check must be stored in a separate file
Message Digest 5 (MD5)
Secure Hash Algorithm (SHA-1 or newer)
Cyclic Redundancy Check (CRC-32)
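The retry and zero-fill behaviour described above, together with the separate validation file a raw image needs, as an added Python example. This is not code from the slides or from dd or any forensic tool: FlakyReader, acquire_raw, format_validation_file and demo are constructed names, and the 2048-byte "drive" with its failing blocks is constructed sample data. It shows the point the slides make about bad sectors: the image hash describes the bytes actually written, not the drive, so it will never match a later re-read.

```python
import hashlib
import io
from typing import List, Tuple


class FlakyReader:
    """Constructed stand-in for a source drive with weak media spots.

    read() raises OSError on the listed block indices until that block's
    failure budget is spent; a very large budget models a sector that never
    reads back."""

    def __init__(self, data: bytes, block_size: int, failures: dict):
        self._buf = io.BytesIO(data)
        self._block_size = block_size
        self._failures = dict(failures)  # {block_index: failures before success}

    def seek(self, pos: int) -> None:
        self._buf.seek(pos)

    def read(self, n: int) -> bytes:
        idx = self._buf.tell() // self._block_size
        if self._failures.get(idx, 0) > 0:
            self._failures[idx] -= 1
            raise OSError("I/O error reading block %d" % idx)
        return self._buf.read(n)


def acquire_raw(src, dst, block_size: int = 512, retries: int = 3) -> Tuple[dict, List[int]]:
    """dd-style bit-stream copy of src into dst, returning (digests, bad_blocks).

    Each block is retried up to `retries` times.  A block that still fails is
    written as zeros so later data keeps its original offset (the effect of
    dd's conv=noerror,sync) and its index is recorded.  MD5 and SHA-1 are
    computed over the bytes actually written, which is what the separate
    validation file of a raw image has to describe."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1()}
    bad_blocks: List[int] = []
    offset = 0
    while True:
        chunk = None
        for _attempt in range(retries + 1):
            try:
                src.seek(offset)
                chunk = src.read(block_size)
                break
            except OSError:
                continue
        if chunk is None:                      # retries exhausted
            chunk = b"\x00" * block_size
            bad_blocks.append(offset // block_size)
        elif not chunk:                        # end of source
            break
        dst.write(chunk)
        for d in digests.values():
            d.update(chunk)
        offset += block_size
    return {name: d.hexdigest() for name, d in digests.items()}, bad_blocks


def format_validation_file(image_name: str, digests: dict, bad_blocks: List[int]) -> str:
    """Text for the separate validation file: one md5sum/sha1sum-style line per
    algorithm, plus a comment listing zero-filled blocks so a reviewer can see
    why the image hash differs from a later re-read of the drive."""
    lines = ["%s  %s" % (digests[name], image_name) for name in ("md5", "sha1")]
    if bad_blocks:
        lines.append("# unreadable blocks zero-filled: %s" % ",".join(map(str, bad_blocks)))
    return "\n".join(lines) + "\n"


def demo() -> dict:
    """Constructed sample: a 2048-byte 'drive' of four 512-byte blocks.
    Block 1 fails twice and then reads; block 3 never reads."""
    data = bytes(range(256)) * 8
    src = FlakyReader(data, 512, failures={1: 2, 3: 10 ** 6})
    image = io.BytesIO()
    digests, bad = acquire_raw(src, image, block_size=512, retries=3)
    expected = data[:1536] + b"\x00" * 512          # what the image should hold
    clean, _ = acquire_raw(io.BytesIO(expected), io.BytesIO())
    original, _ = acquire_raw(io.BytesIO(data), io.BytesIO())
    return {
        "image": image.getvalue(),
        "digests": digests,
        "bad_blocks": bad,
        "expected_md5": clean["md5"],
        "source_md5": original["md5"],   # hash of the intact drive, for comparison
        "validation_file": format_validation_file("evidence.dd", digests, bad),
    }


if __name__ == "__main__":
    print(demo()["validation_file"])
```

The retry count is the knob the slides describe: a free tool with a low threshold gives up on block 1 and zero-fills it, a tool that retries more recovers it, and both produce different image hashes from the same drive.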
Proprietary Format
o Most commercial forensics tools have their own format
o Option to compress or not compress image files
Can split an image into smaller segmented files
• Such as to CDs or DVDs
• With data integrity checks in each segment
Can integrate metadata into the image file
• Hash data
• Date and time of acquisition
• Investigator name, case name, comments, etc.
Proprietary Format (continued)
o Disadvantages
Inability to share an image between different tools
File size limitation for each segmented volume
• Typical segmented file size is 650 MB or 2 GB
o Expert Witness format is the unofficial standard
• Used by EnCase, FTK, X-Ways Forensics, and SMART
• Can produce compressed or uncompressed files
• File extensions .E01, .E02, .E03, …
Advanced Forensics Format
o Developed as an open-source acquisition format
o Design goals
Provide compressed or uncompressed image files
No size restriction for disk-to-image files
Provide space in the image file or segmented files for metadata
Simple design with extensibility
Open source for multiple platforms and OSs
o AFF is open source
ProDiscover Image Format
o Consists of five parts
16-byte image file header
• Signature and version number of the image
681-byte image data header
• Contains image metadata and chain of custody information
Image data
Image compression blocks
Error logs
EnCase Format
o Block-based compression
o File pointers and jump tables are in headers or between blocks
o Random access
o Image size < 2 GB
File.e01, File.e02, etc.
Forensics Format
o DEB (Digital Evidence Bags)
A directory of multiple sources
• Tag files (chain of custody information)
• Index files (references to each evidence file)
• Bag files (actual evidence files)
FTK Supported Formats
o EnCase
o SMART (ASR Expert Witness Compression Format)
o RAW
Advanced Forensics Format
o Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation
o Design goals
Provide compressed or uncompressed image files
No size restriction for disk-to-image files
Provide space in the image file or segmented files for metadata
Open source for multiple platforms and OSs
Internal consistency checks for self-authentication
Advanced Forensics Format (continued)
• Freeware versions might not collect marginal (bad) sectors on the source drive, meaning they have a low threshold of retry reads on weak media spots on a drive.
• File extensions include .afd for segmented image files and .afm for AFF metadata
Advanced Forensics Format (continued)
• AFF delivers on all these goals.
Ability to store disk images with or without compression.
Ability to store disk images of any size.
Ability to store metadata within disk images or separately.
Ability to store images in a single file of any size or split among multiple files.
Arbitrary metadata as user-defined name/value pairs.
Advanced Forensics Format (continued)
• AFF delivers on all these goals (continued)
Multiple platforms, open source implementation.
Freedom from intellectual property restriction.
Provisions for internal self-consistency checking, so that part of an image can be recovered even if other parts are corrupted or otherwise lost.
Provisions for certifying the authenticity of evidence files with traditional hash functions (e.g., MD5 and SHA-1) and advanced digital signatures.
Data Acquisition Layers
Rule of thumb: only image if you have to
Layers: Logical/Sparse Image, Full Image
Acquisition Architectures
o How do we get data off the system?
o Removal of the hard disk
Image elsewhere
Plug in to the investigation system as an external disk
o Boot the system with a live CD
The OS lives in memory, so a hard disk image can be taken without the need to dismantle the system
Traditional Acquisition
Live CD Network Acquisition
Hardware Write Blockers
Best way to ensure that the drive is not modified during image collection
Forensic Live DVD
Write Blockers
o Monitor the commands given to the hard disk
o Do not allow data to be written
o Do not allow the disk to be mounted with write access
o Read commands only
o Hardware and software
o HPA and DCO commands
Host Protected Area (HPA)
Device Configuration Overlay (DCO)
HPA and DCO
o Host Protected Area (HPA) and Device Configuration Overlay (DCO)
o A portion of the disk hidden from the computer's OS
o Used for boot and recovery utilities
o Rootkits can also hide here
Some Write Blockers
Determining the Best Acquisition Method
Types of Acquisition
o Simple duplication
Copy selected data: file, folder, partition, ...
o Forensic duplication
Every bit on the source is retained
Including deleted files
Goal: act as admissible evidence in court proceedings
Acquisition Requirements
Types of Forensic Disk Images
o Complete disk
o Partition
o Logical
FTK Imager
Acquisition Methods
o Types of acquisitions
Static acquisitions and live acquisitions
o Four methods
Bit-stream disk-to-image file
Bit-stream disk-to-disk
Logical disk-to-disk or disk-to-data file
Sparse data copy of a file or folder
o Best method depends on the circumstances of the investigation
Bit-stream disk-to-image file
o Most common method
o Can make more than one copy
o Copies are bit-for-bit replications of the original drive
o Tools: ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
Bit-stream disk-to-disk
o Used when a disk-to-image copy is not possible
• Because of hardware or software errors or incompatibilities
• This problem is more common when acquiring older drives
o Adjusts the target disk's geometry (cylinder, head, and track configuration) to match the suspect's drive
o Tools: EnCase, SafeBack (MS-DOS), Snap Copy
Types of Data
o Active data
Files and folders in use, in the directory
o Unallocated Space
Remnants of deleted files
o File slack
Fragments of data left at the end of other files
Partition Image
o Not a common technique
May be required because of limited scope of authority, or an excessively large disk
o All allocation units from a partition
o Allows recovery of deleted files on that partition only
But not on unpartitioned space, reserved areas, or other partitions
Logical Image
o A simple copy of selected files or folders
o Active data only: no chance to recover deleted files
o If you are required to use a logical image, record the reason for later reference
o When to go for a logical image?
Court order only allows certain files to be collected
Only one user's files from a shared storage device, such as a NAS (Network Attached Storage) or SAN (Storage Area Network)
Files from a business-critical NAS or SAN that cannot be taken offline for duplication
Logical Acquisition and Sparse Acquisition
o When your time is limited and the evidence disk is large
o Logical acquisition captures only specific files of interest to the case
Such as Outlook .pst or .ost files
o Sparse acquisition also collects fragments of unallocated (deleted) data
Determining Acquisition Method
o When making a copy, consider:
Size of the source disk
Whether you can retain the disk
o Lossless compression might be useful
o Use verification methods
When working with large drives, an alternative is using tape backup systems
o Create a duplicate copy of your evidence image file
o PKZip, WinZip, and WinRAR use an algorithm referred to as "lossless compression."
o Compression algorithms for graphics files use "lossy compression," which can change data. For example, the lossy compression used with .jpeg files affects image quality when the file is restored and viewed.
Tape Backups
o When working with large drives, an alternative is using tape backup systems
o No limit to the size of the data acquisition
o Just use many tapes
o But it's slow
Returning Evidence Drives
o In civil litigation, a discovery order may require you to return the original disk after imaging it
o If you cannot retain the disk, make sure you make the correct type of copy (logical or bitstream)
o Ask your client attorney or your supervisor what is required: you usually only have one chance
Contingency Planning for Image Acquisition
Imaging Considerations
Contingency Planning for Image Acquisition
o Create a duplicate copy of your evidence image file
o Make at least two images of digital evidence
Use different tools or techniques
o Copy the host protected area of a disk drive as well
Consider using a hardware acquisition tool that can access the drive at the BIOS level
o Be prepared to deal with encrypted drives
Whole disk encryption feature in Windows Vista Ultimate and Enterprise editions
Encrypted Hard Drives
• Windows BitLocker
• TrueCrypt [http://truecrypt.sourceforge.net/]
• If the machine is on, a live acquisition will capture the decrypted hard drive
• Otherwise, you will need the key or passphrase
The suspect may provide it … Really?
There are some exotic attacks:
• Cold Boot: the process of powering on a computer from a powered-off state
• Passware: a tool for decrypting files and quickly recovering passwords
• Electron microscope
Windows BitLocker
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
Using Acquisition Tools
• Acquisition tools for Windows
Advantages
• Make acquiring evidence from a suspect drive more convenient
• Especially when used with hot-swappable devices
Disadvantages
• Must protect acquired data with a well-tested write-blocking hardware device
• Tools can't acquire data from a disk's host protected area
FTK Imager Demo
Validating Data Acquisition
Windows Validation Methods
• Windows has no built-in hashing algorithm tools for computer forensics
Third-party utilities can be used
• Commercial computer forensics programs also have built-in validation features
Each program has its own validation technique
• Raw format image files do not contain metadata
Separate manual validation is recommended for all raw acquisitions
Image Integrity
• Hashes ensure that data is not changed after the time when the hash was computed
Also ensures that copies are accurate
• Drives with bad sectors give a different hash each time they are imaged
• Document it if that happens
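An added Python example, not code from the slides or from EnCase, FTK or any other tool, that ties together two earlier points: the proprietary-format slide's segmented image files with an integrity check and metadata in each segment, and the validation slides' requirement that an image be verifiable after acquisition. The SEGIMG1 container, the write_segments, read_segment, validate_segments and demo names, and the case metadata are all constructed for illustration; this is not the E01 or AFF layout. The verifier reports which segment fails its own check, whether all segments are present, and whether the reassembled image still matches the image-level hash.

```python
import hashlib
import json
import struct
from typing import Dict, List, Tuple

MAGIC = b"SEGIMG1"   # constructed container tag, not a real format signature


def write_segments(image: bytes, segment_size: int, metadata: Dict) -> List[bytes]:
    """Split `image` into segments.  Each segment = MAGIC, a 4-byte header
    length, a JSON header (acquisition metadata, segment index and count,
    SHA-256 of this segment's data, SHA-256 of the whole image), then data."""
    segments: List[bytes] = []
    image_hash = hashlib.sha256(image).hexdigest()
    count = max(1, (len(image) + segment_size - 1) // segment_size)
    for i in range(count):
        data = image[i * segment_size:(i + 1) * segment_size]
        header = dict(metadata, segment=i, segments=count,
                      segment_sha256=hashlib.sha256(data).hexdigest(),
                      image_sha256=image_hash)
        hdr = json.dumps(header, sort_keys=True).encode()
        segments.append(MAGIC + struct.pack(">I", len(hdr)) + hdr + data)
    return segments


def read_segment(blob: bytes) -> Tuple[Dict, bytes]:
    """Parse one segment into (header, data); reject anything without the tag."""
    if blob[:len(MAGIC)] != MAGIC:
        raise ValueError("not a segment file")
    start = len(MAGIC) + 4
    (hlen,) = struct.unpack(">I", blob[len(MAGIC):start])
    header = json.loads(blob[start:start + hlen])
    return header, blob[start + hlen:]


def validate_segments(segments: List[bytes]) -> Dict:
    """Check each segment against its embedded hash, confirm the set is
    complete, then check the reassembled image against the image-level hash."""
    bad: List[int] = []
    parts: List[bytes] = []
    image_hash = None
    complete = True
    for i, blob in enumerate(segments):
        header, data = read_segment(blob)
        image_hash = header["image_sha256"]
        if header["segments"] != len(segments):
            complete = False
        if header["segment"] != i or hashlib.sha256(data).hexdigest() != header["segment_sha256"]:
            bad.append(i)
        parts.append(data)
    image = b"".join(parts)
    return {"bad_segments": bad, "complete": complete,
            "image_ok": complete and hashlib.sha256(image).hexdigest() == image_hash,
            "image": image}


def demo() -> Dict:
    """Constructed 3000-byte image split into 1024-byte segments, validated
    intact, with one corrupted segment, and with the last segment missing."""
    original = bytes(i % 251 for i in range(3000))
    meta = {"case": "CASE-0000 (constructed)", "examiner": "example examiner",
            "acquired": "2024-01-01T00:00:00Z"}
    segments = write_segments(original, 1024, meta)
    clean = validate_segments(segments)
    # flip one data byte in segment 1, leaving its header untouched
    tampered = list(segments)
    _header, data = read_segment(tampered[1])
    hdr_len = len(tampered[1]) - len(data)
    tampered[1] = tampered[1][:hdr_len] + bytes([data[0] ^ 0xFF]) + data[1:]
    return {"original": original,
            "metadata": read_segment(segments[0])[0],
            "clean": clean,
            "tampered": validate_segments(tampered),
            "truncated": validate_segments(segments[:2])}


if __name__ == "__main__":
    r = demo()
    print("clean:", r["clean"]["image_ok"], "tampered:", r["tampered"]["bad_segments"])
```

Per-segment hashes are what let a tool say which 650 MB or 2 GB piece went bad instead of only reporting that the whole image no longer matches; the image-level hash is still what gets recorded for the evidence as a whole.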
Some links to explore
• https://www.discovermagazine.com/technology/heres-what-the-data-on-your-hard-drive-looks-like
• https://www.dhs.gov/science-and-technology/nist-cftt-reports
• https://www.cfreds.nist.gov/
• https://www.nist.gov/programs-projects/digital-forensics
• https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt
• https://toolcatalog.nist.gov/
Reading Task (for Quiz 2)
• RAID Acquisitions in Digital Forensics: Definition & Process
https://study.com/academy/lesson/raid-acquisitions-in-digital-forensics-definition-process.html
• Making Complex Issues Simple: A Unique Method To Extract Evidence From RAID With Lost Configuration
https://www.forensicfocus.com/articles/making-complex-issues-simple-a-unique-method-to-extract-evidence-from-raid-with-lost-configuration/
• The Impact of RAID on Disk Imaging (pages 1-15)
https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7276.pdf
Any questions?