Guide To Computer Forensics and Investigations Fifth Edition

Chapter 3 of the Guide to Computer Forensics and Investigations focuses on data acquisition, outlining methods for collecting digital evidence from electronic media, including static and live acquisitions. It discusses various storage formats for digital evidence, such as raw, proprietary, and Advanced Forensics Format (AFF), and emphasizes the importance of selecting the best acquisition method based on the investigation's circumstances. Additionally, the chapter covers contingency planning, validation of acquisitions, and the use of acquisition tools, including specific software like ProDiscover and FTK Imager Lite.


Guide to Computer Forensics and Investigations, Fifth Edition

Chapter 3
Data Acquisition

Objectives
• List digital evidence storage formats
• Explain ways to determine the best acquisition method
• Describe contingency planning for data acquisitions
• Explain how to use acquisition tools

Guide to Computer Forensics and Investigations Fifth Edition © Cengage Learning 2015 2
Objectives
• Explain how to validate data acquisitions
• Describe RAID acquisition methods
• Explain how to use remote network acquisition tools
• List other forensic tools available for data acquisitions
Data Acquisition
• Data acquisition is the process of copying data.
• For digital forensics, it’s the task of collecting digital evidence from electronic media.
• There are two types of data acquisition:
– Static acquisitions
• Collect data from magnetic disk media and flash drives.
– Live acquisitions
• Collect any data that’s active in a suspect computer’s RAM.
Data Acquisition
• Static acquisitions
– A data acquisition method used when a suspect drive is write-protected and can’t be altered.
– If disk evidence is preserved correctly, static acquisitions are repeatable.
• Live acquisitions
– A data acquisition method used when a suspect computer can’t be shut down to perform a static acquisition.
– Captured data might be altered during the acquisition because it’s not write-protected.
– Live acquisitions aren’t repeatable because data is continually being altered by the suspect computer’s OS.
Understanding Storage Formats for Digital Evidence
• Data in a forensics acquisition tool is stored as an image file
• Three formats
– Raw format
– Proprietary formats
– Advanced Forensics Format (AFF)
Raw Format
• Makes it possible to write bit-stream data to files
• This copy technique creates simple sequential flat files of a suspect drive or data set.
• The output of these flat files is referred to as a raw format
• Advantages
– Fast data transfers
– Ignores minor data read errors on the source drive
– Most computer forensics tools can read raw format
• Disadvantages
– Requires as much storage as the original disk or data
– Tools (typically freeware versions) might not collect marginal (bad) sectors
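A disk-to-image acquisition in raw format, written as segmented flat files and then validated by hash, as an added example that is not from the textbook. The "drive" is a constructed 1 MiB file standing in for a write-blocked block device, and `dd`, `split` and `sha256sum` are assumed to be the GNU coreutils versions found on a forensic Linux live CD.

```shell
#!/bin/sh
# Raw-format disk-to-image acquisition with segmented output and hash validation.
# Added example (not from the textbook). On a forensic Linux live CD the source
# would be a write-blocked block device such as /dev/sdb (needs root); here a
# constructed file stands in for the drive so the script runs anywhere.
set -eu

make_sample_drive() {  # constructed, deterministic 1 MiB pseudo-drive
  yes 'forensic-sample-sector' | head -c 1048576 > "$1"
}

# acquire_raw SOURCE OUTPREFIX SEGSIZE -> prints the number of segments written
acquire_raw() {
  src=$1; out=$2; seg=$3
  # Hash the source before imaging; the image must reproduce this value.
  sha256sum "$src" | cut -d' ' -f1 > "$out.source.sha256"
  # conv=noerror,sync keeps reading past bad sectors and zero-fills them
  # (the raw format's "ignores minor read errors" property). bs must divide
  # the source size exactly, or sync pads the tail and the hashes will differ.
  dd if="$src" bs=64K conv=noerror,sync 2>"$out.dd.log" \
    | split -b "$seg" -d -a 3 - "$out."
  # Per-segment hashes let any later corruption be pinned to one file.
  sha256sum "$out".[0-9][0-9][0-9] > "$out.segments.sha256"
  set -- "$out".[0-9][0-9][0-9]
  echo $#
}

# validate_raw OUTPREFIX -> 0 only if every segment is intact and the
# reassembled image hashes identically to the original source
validate_raw() {
  out=$1
  sha256sum -c --quiet "$out.segments.sha256" >/dev/null 2>&1 || return 1
  img=$(cat "$out".[0-9][0-9][0-9] | sha256sum | cut -d' ' -f1)
  [ "$img" = "$(cat "$out.source.sha256")" ]
}
```

A zero-filled bad sector changes the image hash, so a mismatch after a run with read errors in the dd log is expected and should be documented rather than treated as tool failure.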
Proprietary Formats
• Most forensics tools have their own formats
• Features offered
– Option to compress or not compress image files
– Can split an image into smaller segmented files
– Can integrate metadata into the image file
• Disadvantages
– Inability to share an image between different tools
– File size limitation for each segmented volume
• The Expert Witness format is the unofficial standard
Advanced Forensics Format (AFF)
• Developed by Dr. Simson L. Garfinkel as an open-source acquisition format
• Design goals
1. Provide compressed or uncompressed image files
2. No size restriction for disk-to-image files
3. Provide space in the image file or segmented files for metadata
4. Simple design with extensibility
5. Open source for multiple platforms and OSs
6. Internal consistency checks for self-authentication
Advanced Forensics Format
• File extensions include .afd for segmented image files and .afm for AFF metadata
• AFF is open source
Determining the Best Acquisition Method
• Types of acquisitions
– Static acquisitions and live acquisitions
• Four methods of data collection
– Creating a disk-to-image file
– Creating a disk-to-disk copy
– Creating a logical disk-to-disk or disk-to-data file
– Creating a sparse data copy of a file or folder
• Determining the best method depends on the circumstances of the investigation
Determining the Best Acquisition Method
• Creating a disk-to-image file
– The most common method, and the one that offers the most flexibility
– Can make more than one copy
– Copies are bit-for-bit replications of the original drive
– Tools: ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLookIX
• Creating a disk-to-disk copy
– Used when a disk-to-image copy is not possible (because of hardware or software errors or incompatibilities)
– Tools can adjust the target disk’s geometry (its cylinder, head, and track configuration)
– Tools: EnCase, SafeBack, SnapCopy
Determining the Best Acquisition Method
• Collecting evidence from a large drive can take several hours
• If your time is limited, consider using a logical acquisition or sparse acquisition data copy method.
• Logical acquisition or sparse acquisition
– Logical acquisition captures only specific files of interest to the case
– Sparse acquisition collects fragments of unallocated (deleted) data
– Both are suited to large disks
• An example of a logical acquisition is an e-mail investigation that requires collecting only Outlook .pst or .ost files.
• Another example is collecting only specific records from a server with several exabytes (EB) of storage
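A logical acquisition of the kind the slide describes, collecting only Outlook .pst and .ost files from a (read-only mounted) volume and recording a SHA-256 manifest so the collection can be validated later, as an added example that is not from the textbook. The source tree is constructed inline, and GNU `find`, `cp -p` and `sha256sum` are assumed.

```shell
#!/bin/sh
# Logical acquisition: copy only the mail stores a case needs (.pst/.ost) and
# write a SHA-256 manifest that a second examiner can re-check.
# Added example (not from the textbook); the source tree is constructed below.
set -eu

make_sample_tree() {  # constructed sample data standing in for a mounted volume
  mkdir -p "$1/Users/alice/mail" "$1/Users/bob/docs"
  printf 'mailbox A' > "$1/Users/alice/mail/archive.pst"
  printf 'mailbox B' > "$1/Users/bob/docs/Outlook.OST"
  printf 'not wanted' > "$1/Users/bob/docs/notes.txt"
}

# logical_acquire SRC DST: copies matching files under DST/files, keeping the
# relative path and timestamps, and appends each hash to DST/manifest.sha256.
# (Paths are read line by line; use find -print0 if names may contain newlines.)
logical_acquire() {
  src=$1; dst=$2
  mkdir -p "$dst/files"
  : > "$dst/manifest.sha256"
  find "$src" -type f \( -iname '*.pst' -o -iname '*.ost' \) | sort |
  while IFS= read -r f; do
    rel=${f#"$src"/}
    mkdir -p "$dst/files/$(dirname "$rel")"
    cp -p "$f" "$dst/files/$rel"
    (cd "$dst/files" && sha256sum "$rel") >> "$dst/manifest.sha256"
  done
}

# verify_collection DST -> 0 only if every collected file still matches the manifest
verify_collection() {
  (cd "$1/files" && sha256sum -c --quiet ../manifest.sha256 >/dev/null 2>&1)
}

# count_collected DST -> number of manifest entries
count_collected() { wc -l < "$1/manifest.sha256" | tr -d ' '; }
```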
Determining the Best Acquisition Method
• When making a copy, consider:
– Size of the source disk
• Lossless compression (the kind of algorithm used by PKZip, WinZip, and WinRAR) might be useful
• Use digital signatures for verification
– When working with large drives, an alternative is using tape backup systems
– Whether you can retain the disk or must return it to the owner
– How much time you have to perform the acquisition
– Where the evidence is located
Contingency Planning for Image Acquisitions
• You should also make contingency plans in case software or hardware doesn’t work or you encounter a failure during an acquisition.
• Create a duplicate copy of your evidence image file
– Make at least two images of digital evidence
– Use different tools or techniques
• Copy the host protected area of a disk drive as well
– Consider using a hardware acquisition tool that can access the drive at the BIOS level

host protected area (HPA): An area of a disk drive reserved for booting utilities and diagnostic programs. It’s not visible to the computer’s OS.
Contingency Planning for Image Acquisitions
• Be prepared to deal with encrypted drives
– The whole disk encryption feature in Windows, called BitLocker, makes static acquisitions more difficult
– May require the user to provide the decryption key

whole disk encryption: An encryption technique that performs a sector-by-sector encryption of an entire drive. Each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method.


Using Acquisition Tools
• Acquisition tools for Windows
– Advantages
• Make acquiring evidence from a suspect drive more convenient
– Especially when used with hot-swappable devices (such as USB-3, FireWire and SATA)
– Disadvantages
• Must protect acquired data with a well-tested write-blocking hardware device
• Tools can’t acquire data from a disk’s host protected area
• Some countries haven’t accepted the use of write-blocking devices for data acquisitions

write-blocker: A hardware device or software program that prevents a computer from writing data to an evidence drive.
Mini-WinFE Boot CDs and USB Drives
• Mini-WinFE
– Enables you to build a Windows forensic boot CD/DVD or USB drive so that connected drives are mounted as read-only
• Before booting a suspect’s computer:
– Connect your target drive, such as a USB drive
• After Mini-WinFE is booted:
– You can list all connected drives and alter your target USB drive to read-write mode so you can run an acquisition program
Acquiring Data with a Linux Boot CD
• Linux can access a drive that isn’t mounted
• Windows OSs and newer Linux distributions automatically mount and access a drive
• Forensic Linux Live CDs don’t access media automatically
– Which eliminates the need for a write-blocker
• Using Linux Live CD Distributions
– Forensic Linux Live CDs
• Contain additional utilities


Capturing an Image with ProDiscover Basic
• Connecting the suspect’s drive to your workstation
– Document the chain of evidence for the drive
– Remove the drive from the suspect’s computer
– Configure the suspect drive’s jumpers as needed
– Connect the suspect drive to the write-blocker device
– Create a storage folder on the target drive
• Using ProDiscover’s Proprietary Acquisition Format
– Follow the steps starting on page 108 to start ProDiscover Basic and configure settings for acquisition
Capturing an Image with ProDiscover Basic
• Using ProDiscover’s Proprietary Acquisition Format (cont.)
– ProDiscover creates image files with an .eve extension, a log file (.log extension), and a special inventory file (.pds extension)
– If the compression option was selected, ProDiscover uses a .cmp rather than an .eve extension on all segmented volumes

Capturing an Image with ProDiscover Basic (figure slide; the screenshot is not included in the extracted text)
Capturing an Image with AccessData FTK Imager Lite
• Included with AccessData Forensic Toolkit
• Designed for viewing evidence disks and disk-to-image files
• Makes disk-to-image copies of evidence drives
– At the logical partition and physical drive level
– Can segment the image file
• The evidence drive must be connected through a hardware write-blocking device
– Or run from a Live CD, such as Mini-WinFE

Capturing an Image with AccessData FTK Imager Lite (figure slide; the screenshot is not included in the extracted text)
Capturing an Image with AccessData FTK Imager Lite
• FTK Imager can’t acquire a drive’s host protected area
• Use a write-blocking device and follow these steps
– Boot to Windows
– Connect the evidence disk to a write-blocker
– Connect the target disk to the write-blocker
– Start FTK Imager Lite
– Create Disk Image: use the Physical Drive option
– See the figures on the following slides for more steps

Capturing an Image with AccessData FTK Imager Lite (figure slides 26 to 30; the screenshots referenced by the steps above are not included in the extracted text)
