Chapter 8 Forensic Duplication Spring 2016 - Incident Response & Computer Forensics.


1 Chapter 8 Forensic Duplication Spring 2016 - Incident Response & Computer Forensics

2 Introduction
- Two types of duplication:
  - Simple duplication: copying specific data
  - Forensic duplication: an accurate copy (an image of every accessible bit)
- The tool used to make the image must:
  - Have the ability to copy every bit of accessible data
  - Create a forensic duplicate of the original storage medium
  - Handle read errors in a robust and graceful manner
  - Not make any changes to the source
  - Generate results that are repeatable and verifiable

3 Forensic Image Formats
- There are three primary types of forensic images:
  - Complete disk
  - Partition
    - A subset of a complete disk image
    - Contains all of the allocation units from a given partition, including unallocated space and slack space in that partition
    - May be required under special circumstances
  - Logical
    - Simple duplication
    - May be required under special circumstances
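The difference between a complete-disk image and a partition image is a matter of which sectors are copied. The following is an added example, not part of the slides: it builds a constructed 16-sector "disk" file (4 zeroed sectors standing in for the partition-table area, 8 sectors of partition 1, 4 sectors of partition 2) and then cuts the partition image out of the complete-disk image with dd's skip/count. The start sector and sector count are assumptions chosen to match the constructed layout; on a real image they come from the partition table (for example via fdisk -l).

```shell
#!/bin/sh
# Added example (not from the slides). Constructed sample layout:
#   sectors  0-3  : zero-filled partition-table area
#   sectors  4-11 : partition 1, every byte 'A'
#   sectors 12-15 : partition 2, every byte 'B'
SECTOR=512

# make_sample_disk OUTFILE -> writes the constructed 16-sector disk image
make_sample_disk() {
    out=$1
    dd if=/dev/zero bs=$SECTOR count=4 2>/dev/null > "$out"
    dd if=/dev/zero bs=$SECTOR count=8 2>/dev/null | tr '\000' 'A' >> "$out"
    dd if=/dev/zero bs=$SECTOR count=4 2>/dev/null | tr '\000' 'B' >> "$out"
}

# sector_count FILE -> prints the number of 512-byte sectors in FILE
sector_count() {
    bytes=$(wc -c < "$1" | tr -d ' ')
    echo $(( bytes / SECTOR ))
}

# extract_partition DISK_IMAGE OUTFILE START_SECTOR SECTOR_COUNT
#   A partition image is a subset of the complete-disk image: the same raw
#   sectors, so unallocated space and slack inside the partition are kept.
#   skip= counts input blocks to skip, count= limits how many are copied.
extract_partition() {
    disk=$1; out=$2; start=$3; count=$4
    dd if="$disk" of="$out" bs=$SECTOR skip="$start" count="$count" 2>/dev/null
}

# usage: sh partition.sh DISK_IMAGE OUTFILE START_SECTOR SECTOR_COUNT
if [ "$#" -eq 4 ]; then
    extract_partition "$@"
fi
```

Because bs equals the sector size, skip and count are expressed in sectors, which is the unit partition tables use; with a larger bs the same numbers would silently address the wrong offset.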

4 Image Integrity
- Generate cryptographic checksums
- Reasons:
  - To verify that the result is an exact duplicate
  - To detect if the data is later modified

5 Traditional Duplication
- Performed on static drives
- Hardware write blockers
- Image creation tools:
  - dd and its variations (dcfldd, dc3dd)
  - FTK Imager by AccessData
  - EnCase by Guidance Software

6 dd and its Variations
- Weaknesses of dd:
  - No built-in capability to generate a cryptographic checksum
  - Does not provide feedback during the process
- DCFLdd
  - Developed by the US Department of Defense Computer Forensics Laboratory (DCFL)
  - Derived from the original dd
  - Available at: sourceforge.net/projects/dcfldd
- DC3dd
  - Developed by the Defense Cyber Crime Center
  - Also derived from the original dd
  - Newer than DCFLdd; contains recent updates and features
  - Available at: sourceforge.net/projects/dc3dd
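Slides 4 and 6 together describe what plain dd lacks: a checksum of the image and feedback during the copy. The following is an added example, not code from the slides or from the dcfldd/dc3dd projects, showing how those gaps are closed around plain dd. It copies a constructed 4096-byte source with conv=noerror,sync (continue past read errors, pad the unreadable block with zeros), asks GNU dd for progress output where available, then hashes source and image separately and records the image hash so it can be re-verified later. File names and the sector size of 512 are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides). Paths are assumptions.

# hash_file FILE -> prints the SHA-256 digest; all three tools print it as a field
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# make_sample_source OUTFILE -> constructed 4096-byte (8-sector) source
make_sample_source() {
    head -c 4096 /dev/urandom > "$1"
}

# forensic_image SOURCE IMAGE HASHFILE -> prints the image hash, returns 0 on success
#   conv=noerror keeps dd going after a read error; sync pads the short block
#   with zeros. bs must equal the sector size (512 here): with a larger bs, a
#   trailing partial block would be padded and the image size would change.
#   GNU dd accepts status=progress for feedback; BSD dd is left silent.
forensic_image() {
    src=$1; img=$2; hashfile=$3
    progress=""
    dd --version >/dev/null 2>&1 && progress="status=progress"
    dd if="$src" of="$img" bs=512 conv=noerror,sync $progress || return 1
    # dd has no built-in checksum, so hash source and image separately
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    [ "$src_hash" = "$img_hash" ] || { echo "hash mismatch" >&2; return 1; }
    printf '%s  %s\n' "$img_hash" "$img" > "$hashfile"
    echo "$img_hash"
}

# verify_image IMAGE HASHFILE -> 0 if IMAGE still matches the recorded hash
verify_image() {
    recorded=$(awk '{print $1}' "$2")
    current=$(hash_file "$1")
    [ "$recorded" = "$current" ]
}

# usage: sh image.sh SOURCE IMAGE [HASHFILE]
if [ "$#" -ge 2 ]; then
    forensic_image "$1" "$2" "${3:-$2.sha256}"
fi
```

The recorded hash serves both purposes the slide lists: the source/image comparison proves the copy was exact at acquisition time, and re-running the verification against the stored hash detects later modification of the image.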

7 FTK Imager and EnCase
- FTK Imager
  - Available for MS Windows, Linux, and Mac OS
  - Windows version is GUI based
    - Full version
    - Lite version: portable; will run directly from removable media
- EnCase
  - Available for MS Windows and Linux

8 Live System Duplication
- Imaging a system that is actively running
  - Not a preferred method
  - May be the only option available under some circumstances
- Riskier
  - No write blocker to prevent overwriting the evidence
  - The process will make minor changes to the source system
  - The image may not be an exact duplicate
    - The source is dynamic

9 Live System Duplication
- Never install anything on the source drive
- Run tools from external media or network shares
- Use software that is lightweight to minimize the impact on the source
  - Example: FTK Imager Lite
