Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSN08101 Digital Forensics Lecture 6: Acquisition

Published bySantino Petre Modified over 10 years ago

Similar presentations

Presentation on theme: "CSN08101 Digital Forensics Lecture 6: Acquisition"— Presentation transcript:

1 CSN08101 Digital Forensics Lecture 6: Acquisition
Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak

2 Objectives Storage Formats Acquisition Architecture
Acquisition Methods Tools

3 Data Acquisition Two types of data acquisition Static acquisition
Copying a hard drive from a powered-off system Used to be the standard Does not alter the data, so it's repeatable Live acquisition Copying data from a running computer Now the preferred type, because of hard disk encryption Cannot be repeated exactly—alters the data Also, collecting RAM data is becoming more important But RAM data has no timestamp, which makes it much harder to use

4 Three formats Storage Formats Raw format Proprietary formats
Advanced Forensics Format (AFF)

5 Raw Format Raw image format was originaly used by dd
Bit-by-bit copy of the drive to a file Advantages Fast data transfers Can ignore minor data read errors on source drive Most computer forensics tools can read raw format

6 Raw Format Disadvantages
Requires as much storage as original disk or data Tools might not collect marginal (bad) sectors Low threshold of retry reads on weak media spots Commercial tools use more retries than free tools Validation check must be stored in a separate file Message Digest 5 ( MD5) Secure Hash Algorithm ( SHA-1 or newer) Cyclic Redundancy Check ( CRC-32)

7 Proprietary Formats Features offered
Option to compress or not compress image files Can split an image into smaller segmented files Such as to CDs or DVDs With data integrity checks in each segment Can integrate metadata into the image file Hash data Date & time of acquisition Investigator name, case name, comments, etc.

8 Proprietary Formats Disadvantages
Inability to share an image between different tools File size limitation for each segmented volume Typical segmented file size is 650 MB or 2 GB Expert Witness format is the unofficial standard Used by EnCase, FTK, X-Ways Forensics, and SMART Can produce compressed or uncompressed files File extensions .E01, .E02, .E03, …

9 Advanced Forensics Format
Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation Design goals Provide compressed or uncompressed image files No size restriction for disk-to-image files Provide space in the image file or segmented files for metadata Simple design with extensibility Open source for multiple platforms and OSs Internal consistency checks for self-authentication File extensions include: .aff data and metadata stored in single file, .afd data and metadata stored in multiple small files, .afm data stored in raw format and metadata stored in separate file

10 Data Acquisition Layers
Rule of thumb Only image what you have to Logical/Sparse Logical – grab files only Sparse: collects fragments of unallocated or deleted data Full Image

11 Acquisition Architectures
How do we get data off of the system? Removal of the hard disk Image elsewhere Plug in to investigation system as an external disk Boot the system with a live CD OS lives in memory, hard disk image can be taken without the need to dismantle the system

12 Traditional

13 Live CD Network Acquisition

14 Write Blockers Monitor the commands given to the Hard Disk
Do not allow data to be written Do not allow the disk to be mounted with write-access Read-commands only Hardware and Software HPA & DCO Commands Host Protected Area (HPA) Device Configuration Overlay (DCO)

15 Examples of Write Blockers
Tableau T3458is Forensic SATA/SCSI/IDE/USB Combo Bridge Tableau T35es-R2 Forensic eSATA/IDE Bridge UltraBlock Firewire - The First Portable Firewire Hardware Write Blocker

16 Software Write Blockers

17 Best Acquisition Method
Four methods Bit-stream disk-to-image file Bit-stream disk-to-disk Logical Sparse

18 Bit-stream disk-to-image file
Most common method Can make more than one copy Copies are bit-for-bit replications of the original drive Tools: ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook

19 Bit-stream disk-to-disk
Used when disk-to-image copy is not possible Because of hardware or software errors or incompatibilities. This problem is more common when acquiring older drives. When you try to recover usernames and passwords for Web pages or user accounts Adjusts target disk’s geometry (cylinder, head, and track configuration) to match the suspect's drive Tools: EnCase, SafeBack (MS-DOS), Snap Copy

20 Logical and Sparse Acquisition
When your time is limited, and evidence disk is large Logical acquisition captures only specific files of interest to the case Such as Outlook .pst or .ost files Sparse acquisition captures fragments of data in unallocated space

21 Validating Data Acquisitions
Most critical aspect of computer forensics Requires using a hashing algorithm utility Validation techniques CRC-32, MD5, SHA-1 and SHA-2 MD5 has collisions, so it is not perfect, but it’s still widely used SHA-1 has some collisions but it’s better than MD5 A new hashing function will soon be chosen by NIST

22 Linux Validation Methods
Validating dd acquired data You can use md5sum or sha1sum utilities md5sum or sha1sum utilities should be run on all suspect disks and volumes or segmented volumes Validating dcfldd acquired data Use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512 hashlog option outputs hash results to a text file that can be stored with the image files vf (verify file) option compares the image file to the original medium

23 Windows Validation Methods
Windows by default has no built-in hashing tools, such as md5sum, for computer forensics Third-party utilities can be used Commercial computer forensics programs also have built-in validation features Each program has its own validation technique Raw format image files don’t contain metadata Separate manual validation is recommended for all raw acquisitions

24 Tools Tool testing Proprietary Tools Open Source NIST EnCase
FTK (FTK Imager) ProDiscover Open Source DD DCFLDD D3DD Guymager

25

26

27

28

29 dd & dc3dd dd dc3dd & dcfldd Data Description
Allows low level copying of data dc3dd & dcfldd Variations of dd Error Handling Piecewise and overall hashing Wiping Split output Detailed Log Files and Appended

30 dcfldd options if = FILE of = FILE bs = SIZE hashlog = FILE (dc3dd)
Input File of = FILE Output File bs = SIZE Block Size hashlog = FILE (dc3dd) Output to FILE the hash value calculated md5log = FILE (dcfldd) conv=sync, noerror Tells the tool to ignore errors, and to write zero’s in place of the bad block.

31

32

33 Any Questions ...

34 Assessment: Short-Answer Examples
Question: What are the disadvantages of using Raw storage format? Answer:

35 Assessment: Short-Answer Examples
Question: What is a live CD acquisition method? Answer:

36 Assessment: Short-Answer Examples
Question: What is a sparse acquisition? Answer:

Download ppt "CSN08101 Digital Forensics Lecture 6: Acquisition"

Similar presentations

The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.

The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.
Guide to Computer Forensics and Investigations Third Edition

Guide to Computer Forensics and Investigations Third Edition
COEN 252 Computer Forensics Hard Drive Geometry. Drive Geometry Basic Definitions: Track Sector Floppy.

COEN 252 Computer Forensics Hard Drive Geometry. Drive Geometry Basic Definitions: Track Sector Floppy.
P ROCESSING ELECTRONIC RECORDS Handling removable and fixed media in manuscript collections Meghan Bannon, Center for the History of Medicine, Harvard.

P ROCESSING ELECTRONIC RECORDS Handling removable and fixed media in manuscript collections Meghan Bannon, Center for the History of Medicine, Harvard.
Working with Disks and Devices

Working with Disks and Devices
Lesson 9 Types of Storage Devices.

Lesson 9 Types of Storage Devices.
Types Of Storage Device

Types Of Storage Device
Write Blocking CSC 485/585.

Write Blocking CSC 485/585.
OPEN SOURCE TOOLS Dr. Abraham Professor UTPA. Open Source Freely redistributable Provides access to source code End user may modify source code.

OPEN SOURCE TOOLS Dr. Abraham Professor UTPA. Open Source Freely redistributable Provides access to source code End user may modify source code.
Guide to Computer Forensics and Investigations Fifth Edition

Guide to Computer Forensics and Investigations Fifth Edition
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
File System Analysis.

File System Analysis.
Slides by Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802

Slides by Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
COS 413 Day 13. Agenda Questions? Assignment 4 Due Assignment 5 posted –Due Oct 21 Capstone proposal Due Oct 17 Lab 5 on Oct 15 in N105 –Hands-on Projects.

COS 413 Day 13. Agenda Questions? Assignment 4 Due Assignment 5 posted –Due Oct 21 Capstone proposal Due Oct 17 Lab 5 on Oct 15 in N105 –Hands-on Projects.
COS/PSA 413 Day 5. Agenda Questions? Assignment 1 due –Not corrected-still missing one submission Assignment 2 posted –Case project 2-1 on page 72 and.

COS/PSA 413 Day 5. Agenda Questions? Assignment 1 due –Not corrected-still missing one submission Assignment 2 posted –Case project 2-1 on page 72 and.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Third Edition

Guide to Computer Forensics and Investigations Third Edition
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

Similar presentations

Ads by Google