COS/PSA 413 Day 11. Agenda Lab 4 Write-ups Corrected –2 A’s, 2 B’s and 1 C –Some need more attention to detail Lab 5 write-ups due Oct 19 Wednesday Lab.


COS/PSA 413 Day 11

Agenda
Lab 4 Write-ups Corrected
–2 A’s, 2 B’s and 1 C
–Some need more attention to detail
Lab 5 write-ups due Oct 19 Wednesday
Lab 6 tomorrow in OMS
–Projects 7-1, 7-2, 7-3, and 7-4 (same projects in Chap 6 of 2e)
–For Project 7-2 create the Excel file before you get to the lab
Next week we have two labs (7 & 8 on data acquisition)
Assignment 3 posted (due Oct 21)
Capstone Proposals overdue
–See guidelines in WebCT
–9 require some modifications ( s sent)
–First Progress report due on October 21
–Timing of proposal and progress reports is 10% of grade
Exam 2 on Oct 21 (Friday)
–Chaps 5-8, 10 M/C (30 points), 10 Short Answer (30 points), 5 Essays (40 points)
–Open Book, Open Notes, 70 min. time limit
Today we will discuss Data Acquisition
–Chap 9 in both books (has significant changes!)

Data Acquisition Chapter 9

Learning Objectives
Determine the Best Acquisition Method
Plan Data Recovery Contingencies
Use MS-DOS Acquisition Tools
Use GUI Acquisition Tools
Acquire Data on Linux Computers
Use Other Data Acquisition Tools

Determining the Best Acquisition Method
Three ways
–Bit-stream disk-to-image file
–Bit-stream disk-to-disk
–Sparse data copy of a file or folder
Bit-stream disk-to-image file
–Most common method
–Can make more than one copy
–EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook

Determining the Best Acquisition Method (continued)
Bit-stream disk-to-disk
–When disk-to-image copy is not possible
–Consider disk’s geometry (CHS configuration)
–SafeBack, SnapCopy, Norton Ghost 2002
Sparse data copy
–Creates exact copies of folders and files
–For large disks
–PST or OST mail files, RAID servers

Determining the Best Acquisition Method (continued)
When making a copy, consider:
–Size of the source disk
  Lossless compression might be useful
  Use digital signatures for verification
–Whether you can retain the disk
–How much time you have
–Location of the evidence

Determining the Best Acquisition Method
DoubleSpace (DriveSpace) – An MS-DOS disk compression utility distributed with MS-DOS 6.0 and
Algorithm – A formula or set of steps for solving a particular problem. To be an algorithm, a set of rules must be unambiguous and have a clear stopping point.
Lossy Compression (contrast with Lossless Compression) – A compression technique that can lose data but not perceptible quality when a file is restored. Files that use lossy compression include JPEG and MPEG.

Planning Data Recovery Contingencies
Create a duplicate copy of your evidence image file
Make at least two copies of digital evidence
–Use different tools or techniques
Copy host-protected area of a disk drive as well
–Image MaSSter Solo
HAZMAT and environment conditions

Planning Data Recovery Contingencies
HAZMAT concerns:
- Does the evidence location have adequate electrical power?
- Is there enough light at the evidence location, or do you have to bring floodlights, flashlights, or other kinds of lighting?
- Is the temperature of the evidence location too warm, too cold, or too humid?

Using MS-DOS Acquisition Tools
Original tools
Fit on a forensic boot floppy disk
–Require fewer resources
DriveSpy
–Data-preservation commands
–Data-manipulation commands

Using MS-DOS Acquisition Tools
Viewing Absolute and Logical Sectors
1. Navigate to the Tools folder of the work folder.
2. Type DriveSpy at the command prompt.
3. At the SYS prompt, type D0.
4. Note the numbers for the start and end sectors, and select a number between those, such as
5. At the D0 prompt, type Sector followed by the number you chose. A sector map will appear.
6. Press Esc to return to the D0 prompt.
7. Type P1 to use the Partition mode.
8. At the D0P1 prompt, type Sector followed by a logical sector number. Press Esc to return to the D0P1 prompt, and then type exit.

Understanding How DriveSpy Accesses Sector Ranges
First method
–Absolute starting sector, total number of sectors
–Example 0:1000,100 (primary master drive)
Second method
–Absolute starting sector-ending sector
–Example 0: (101 sectors)
Moving data
–CopySect 0:1000,100 1:2000,100
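The two range forms above, and the CopySect warning in the chapter summary (it overwrites without telling you), as an added example that is not DriveSpy's own code or the textbook's: a small POSIX shell parser for both sector-range forms plus a pre-flight check that refuses a CopySect plan which would run past a drive or overlap itself, and prints the log line to keep with the case notes. The drive sector counts and the 0:1000-1100 range are constructed values (the slide gives only "101 sectors" for the second form).

```shell
#!/bin/sh
# Form 1: DRIVE:START,COUNT   e.g. 0:1000,100
# Form 2: DRIVE:START-END     END is inclusive, so 1000-1100 is 101 sectors

# parse_range SPEC -> prints "drive start count"; returns 1 on a malformed spec
parse_range() {
    drive=${1%%:*}
    rest=${1#*:}
    case $rest in
        *,*) start=${rest%%,*}; count=${rest#*,} ;;
        *-*) start=${rest%%-*}; count=$(( ${rest#*-} - $start + 1 )) ;;
        *)   echo "bad sector spec: $1" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' "$drive" "$start" "$count"
}

# check_copysect SRC DST SRC_SECTORS DST_SECTORS
# SRC_SECTORS/DST_SECTORS are the total sector counts of each drive (constructed
# values here). CopySect itself gives no warning before overwriting, so refuse a
# plan that copies a different number of sectors than it writes, runs past the
# end of either drive, or overlaps itself on the same drive. On success, print
# the log line recording which sectors are written from and to.
check_copysect() {
    src=$1; dst=$2; src_sectors=$3; dst_sectors=$4
    s=$(parse_range "$src") || return 1
    d=$(parse_range "$dst") || return 1
    set -- $s; sdrive=$1; sstart=$2; scount=$3
    set -- $d; ddrive=$1; dstart=$2; dcount=$3
    if [ "$scount" -ne "$dcount" ]; then
        echo "refuse: source is $scount sectors, destination $dcount" >&2; return 1
    fi
    if [ $((sstart + scount)) -gt "$src_sectors" ] ||
       [ $((dstart + dcount)) -gt "$dst_sectors" ]; then
        echo "refuse: range runs past the end of a drive" >&2; return 1
    fi
    if [ "$sdrive" -eq "$ddrive" ] && [ "$sstart" -lt $((dstart + dcount)) ] &&
       [ "$dstart" -lt $((sstart + scount)) ]; then
        echo "refuse: source and destination overlap on drive $sdrive" >&2; return 1
    fi
    printf 'CopySect %s %s: drive %s sectors %s-%s -> drive %s sectors %s-%s\n' \
        "$src" "$dst" "$sdrive" "$sstart" $((sstart + scount - 1)) \
        "$ddrive" "$dstart" $((dstart + dcount - 1))
}

# The slide's own example, checked against two constructed 200000-sector drives.
check_copysect 0:1000,100 1:2000,100 200000 200000
```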

Using MS-DOS Acquisition Tools
Saving a Partition with SavePart
1. Navigate to the Tools folder and run Toolpath.bat. If necessary, create a folder called Chapter in your work folder and a subfolder called Chapter inside Chap09.
2. Change to the Chap09\Chapter folder.
3. Type DriveSpy at the command prompt.
4. At the SYS prompt, type DriveSpy to start DriveSpy.
5. At the SYS prompt, type Drives.
6. At the SYS prompt, type D0.
7. At the D0 prompt, type Part 1.
8. Insert a floppy disk that contains a few files into the floppy drive. At the D0P1 prompt, type Drive A.
9. At the DA prompt, type Part 1 to access the partition level.
10. At the DAP1 prompt, type SavePart C:\work folder\Chap09\Chapter\Case_9sp.ima to copy the partition on the floppy disk to an image file Case_9sp.ima on your hard disk.
11. At the DAP1 prompt, type exit to close DriveSpy.

Using MS-DOS Acquisition Tools
Restoring the Case_9sp.ima Image File
1. At an MS-DOS prompt, navigate to the Tools folder in your work folder and type Toolpath.bat. Then type cd C:\work folder\Chap09\Chapter to navigate to the Chap09\Chapter folder in your work folder.
2. At the command prompt, type DriveSpy.
3. At the SYS prompt, type Output Chap2rp2.txt to create the output file.
4. At the SYS prompt, type Drive A to access the floppy drive. At the DA prompt, type Part 1 to access the partition level of the floppy disk.
5. At the DAP1 prompt, type WritePart Case_9sp.ima to restore the image file you created in Chap09\Chapter. When a warning appears, type Y to continue. It will take a few minutes to restore the image file.
6. At the DAP1 prompt, type exit to close DriveSpy. Reboot to Windows.

Using MS-DOS Acquisition Tools
Copying Sectors from One Drive to Another:
1. Access a command prompt, and navigate to the Tools folder.
2. At the command prompt, type DriveSpy to start DriveSpy.
3. At the SYS prompt, type Output C:\work folder\Chap09\Chapter\Chap09rp3.txt to record the commands you see and the results.
4. At the SYS prompt, type Drives to connect to your workstation.
5. At the SYS prompt, type CopySect 1:0, :0 to copy Drive 1 from absolute sectors 0 to to Drive 3 starting at absolute sector When a warning appears showing the source and destination drives, verify that they are correct by typing Y to continue. Copying the sectors may take a few minutes. When it has finished, DriveSpy displays Done! and returns to the SYS prompt.
6. At the SYS prompt, type exit to close DriveSpy. Then reboot your computer.

Using MS-DOS Acquisition Tools
Saving Sectors in DriveSpy
1. Access a command prompt and navigate to the Tools folder of your work folder. At the command prompt, type DriveSpy.
2. At the SYS prompt, type Output C:\work folder\Chap09\Chapter\Chap9rp4.txt to create an output file to record your actions and results.
3. At the SYS prompt, type Drives to determine which drive to copy.
4. At the SYS prompt, type D3 to access the drive you want to copy. Substitute the number for your drive as necessary.
5. At the D3 prompt, type P1 to select the partition that contains the sectors you want to copy.
6. At the D3P1 prompt, type SaveSect 3: C:\work folder\Chap09\Chapter\Case_9s.dat to copy sectors 0 to to a data file named Case_9s.dat.
7. At the D3P1 prompt, type exit to close DriveSpy.

Using MS-DOS Acquisition Tools
Using the WriteSect Command:
1. Access a command prompt and navigate to the Tools folder of your work folder. At the command prompt, type DriveSpy.
2. At the SYS prompt, type Output C:\work folder\Chap09\Chapter\Chap9rp5.txt to record the commands you use and their results in an output file.
3. At the SYS prompt, type Drives to list the drives the system recognizes. Select the drive to which you want to copy data.
4. At the SYS prompt, type D3 to access the drive.
5. At the SYS prompt, type D3 to access the drive you want. Substitute the number for your drive as necessary.
6. At the D3 prompt, type WriteSect C:\work folder\Chap09\Chapter\Case_9s.dat 3:0 to start transferring data to absolute sector 0 on Drive 3. Substitute drive and folder names for those on your system as necessary.
7. Type Y when a warning appears.
8. At the D3 prompt, type exit to close DriveSpy.

Using Windows Acquisition Tools
Preparing for a Data Acquisition with FTK Explorer
1. Boot a forensic workstation with Windows using an installed write-blocker such as Digital Intelligence FireChief.
2. Connect the evidence disk to a write-blocking device or the FireChief write-block bay.
3. Connect the target disk to the FireChief writeable bay.

Using Windows Acquisition Tools
Acquiring Evidence with FTK Explorer (Imager)
1. Click the Start button, point to Programs, point to AccessData, point to Forensic Toolkit, and then click FTK Explorer (Imager).
2. Click File on the menu bar, and then click Image Drive. The Select Local Drive dialog box opens.
3. Click the Select a drive list arrow, and then click the drive for which you want to create an image, such as D: (MS-DOS_6_FAT). If your workstation is running Windows 98 and the drive you are acquiring is an NTFS or Ext2fs drive, click the Physical option button to access the drive for acquisition. Then click OK. The Export Disk Image dialog box opens.

Acquiring Data on Linux Computers
Disadvantages of using the dd command:
- You need to know advanced UNIX shell scripting and commands.
- You must specify the number of blocks per save-set volume to create a volume.
- You might not be able to use the dd command on your PC, depending on the distribution and version of Linux you are using.
- You cannot use the dd command to automatically adjust drive geometry to match the target drive, as with the DriveSpy CopySect command.
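The dd acquisition discussed here, together with the earlier advice to verify copies with a digital signature, make at least two acquisitions with different tools, and use only lossless compression, as an added example that is not from the textbook or the lecture: a dd disk-to-image copy of a constructed stand-in file, a second copy with cat, SHA-256 verification of both, and a gzip round trip showing the hash is unchanged. The device name /dev/sdX mentioned in the comments is an assumed placeholder; in practice the source must be a write-blocked device.

```shell
#!/bin/sh
# Constructed evidence: a deterministic file stands in for the write-blocked
# source device (e.g. /dev/sdX, assumed name) so the example runs offline.
set -e

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Stand-in "disk": 4096 numbered lines, so every run produces the same bytes.
make_sample_disk() {
    i=0
    while [ "$i" -lt 4096 ]; do
        printf 'sector %04d: constructed evidence data\n' "$i"
        i=$((i + 1))
    done > "$1"
}

# Bit-stream disk-to-image copy with dd; bs is the block size dd reads/writes.
acquire_with_dd() { dd if="$1" of="$2" bs=4096 2>/dev/null; }

# Second acquisition with a different tool, as the chapter recommends.
acquire_with_cat() { cat "$1" > "$2"; }

# An image is only usable evidence if its hash matches the source's hash.
verify_image() { [ "$(hash_of "$1")" = "$(hash_of "$2")" ]; }

# gzip is lossless: decompressing must yield exactly the original hash.
gzip_roundtrip_ok() {
    gzip -c "$1" > "$1.gz"
    [ "$(gzip -dc "$1.gz" | sha256sum | cut -d' ' -f1)" = "$(hash_of "$1")" ]
}

# Runs the whole procedure in a temp dir. Prints the evidence hash for the
# case log; returns non-zero if any verification fails.
run_acquisition() {
    work=$(mktemp -d)
    make_sample_disk "$work/evidence.raw"
    acquire_with_dd  "$work/evidence.raw" "$work/copy1.dd"
    acquire_with_cat "$work/evidence.raw" "$work/copy2.img"
    verify_image "$work/evidence.raw" "$work/copy1.dd"  || { echo "dd image does not verify" >&2; return 1; }
    verify_image "$work/evidence.raw" "$work/copy2.img" || { echo "cat image does not verify" >&2; return 1; }
    gzip_roundtrip_ok "$work/copy1.dd" || { echo "gzip round trip changed the data" >&2; return 1; }
    hash_of "$work/copy1.dd"
    rm -rf "$work"
}

run_acquisition
```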

Using Other Forensics Acquisition Tools
SafeBack does the following:
- Creates disk-to-image files.
- Copies from a source disk to an image on a tape drive.
- Copies from a source disk to a target disk, adjusting the target drive’s geometry to match the source drive.
- Copies from a source disk to a target disk using a parallel port laplink cable.
- Copies a partition to an image file.
- Compresses acquired files to reduce the volume save-set sizes.
SafeBack provides the following four programs:
- Master.exe – The main SafeBack utility program.
- Remote.exe – For connecting two computers and transferring data with a parallel port laplink.
- Restpart.exe – For restoring a partition that is saved separately from the entire suspect’s disk.
- Tapsi.exe – For connecting SCSI devices for your data acquisition.

Chapter Summary
- You can acquire digital evidence from disk drives in three ways: creating a bit-stream disk-to-image file, making a bit-stream disk-to-disk copy, or creating a sparse data copy of a specific folder path or file.
- Several tools on the market allow you to restore disks that are larger or smaller than the suspect’s source drive.
- Lossless compression is an acceptable method for computer forensics because it does not alter the data in any way. Lossy compression alters the data and is not acceptable.
- Because you are dealing with electronic data, you need to protect your bit-stream digital evidence and make contingency plans in case software or hardware doesn't work, or you encounter a failure during an acquisition. The most common time-consuming technique to preserve evidence is creating a duplicate copy of your evidence image file. Also make sure that you make at least two data acquisitions using two different methods.
- The partition gap is an area where information can be stored. DriveSpy’s SavePart command can retrieve this information.
- Some command-line tools can be dangerous, such as the CopySect command. It will not notify you that it is about to write over critical information. You must keep a careful log of what sectors you are writing to and from.
- Windows data acquisition tools add convenience and ease of use to the forensics investigation. They also enable you to use hot-swappable devices such as Zip and Jaz drives. However, you must write-protect your evidence and access the host-protected area of a disk.
- You can use a built-in Linux command called dd to make a bit-stream disk-to-disk copy, disk-to-image file, block-to-block copy, or block-to-file copy. You can also use the dd command to write directly to a tape drive. You can use the gzip command to compress the image files and minimize your storage needs.
- In addition to DriveSpy, FTK Explorer, and the Linux dd command, you can use other data acquisition tools that are commercially available, including SnapBack DatArrest from Columbia Data Products and SafeBack from NTI.