Guide to Computer Forensics and Investigations, Second Edition Chapter 9 Data Acquisition.

Transcript of Guide to Computer Forensics and Investigations, Second Edition Chapter 9 Data Acquisition.

Page 1: Guide to Computer Forensics and Investigations, Second Edition

Chapter 9: Data Acquisition

Page 2: Objectives

• Determine the best acquisition method
• Plan data-recovery contingencies
• Use MS-DOS acquisition tools

Guide to Computer Forensics and Investigations, 2e 2

Page 3: Objectives (continued)

• Use GUI acquisition tools
• Use X-Ways Replica and other tools for data acquisition
• Recover data from PDAs

Page 4: Determining the Best Acquisition Method

• Three ways
  – Bit-stream disk-to-image file
  – Bit-stream disk-to-disk
  – Sparse data copy of a file or folder
• Bit-stream disk-to-image file
  – Most common method
  – Can make more than one copy
  – EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook

Page 5: Determining the Best Acquisition Method (continued)

• Bit-stream disk-to-disk
  – When a disk-to-image copy is not possible
  – Consider the disk’s geometry (CHS configuration)
  – SafeBack, SnapCopy, Norton Ghost 2002
• Sparse data copy
  – Creates exact copies of folders and files
  – For large disks
  – PST or OST mail files, RAID servers

Page 6: Determining the Best Acquisition Method (continued)

• When making a copy, consider:
  – Size of the source disk
    • Lossless compression might be useful
    • Use digital signatures for verification
  – Whether you can retain the disk
  – How much time you have
  – Location of the evidence

Page 7: Planning Data Recovery Contingencies

• Create a duplicate copy of your evidence image file
• Make at least two copies of digital evidence
  – Use different tools or techniques
• Copy the host-protected area of a disk drive as well
  – Image MaSSter Solo
• HAZMAT and environmental conditions

Page 8: Using MS-DOS Acquisition Tools

• Original tools
• Fit on a forensic boot floppy disk
  – Require fewer resources
• DriveSpy
  – Data-preservation commands
  – Data-manipulation commands

Page 9: Understanding How DriveSpy Accesses Sector Ranges

• First method
  – Absolute starting sector, total number of sectors
  – Example: 0:1000,100 (primary master drive)
• Second method
  – Absolute starting sector-ending sector
  – Example: 0:1000-1100 (101 sectors)
• Moving data
  – CopySect 0:1000,100 1:2000,100
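
The two range notations on this slide, worked through as an added Python example (not DriveSpy's own code or anything from the textbook): a parser that normalises either form to a start sector and a sector count, plus a hypothetical pre-flight check for a CopySect command that confirms both ranges cover the same number of sectors. The overlap refusal is a safeguard this example adds, not documented DriveSpy behaviour.

```python
import re
from dataclasses import dataclass

# Hypothetical parser for the two DriveSpy sector-range notations on this
# slide (added example, not DriveSpy's own code):
#   drive:start,count   e.g. 0:1000,100   -> 100 sectors from sector 1000
#   drive:start-end     e.g. 0:1000-1100  -> inclusive, so 101 sectors
_RANGE = re.compile(r"^(\d+):(\d+)(?:,(\d+)|-(\d+))$")

@dataclass(frozen=True)
class SectorRange:
    drive: int   # physical drive number (0 = primary master)
    start: int   # absolute starting sector
    count: int   # number of sectors covered

    @property
    def end(self) -> int:
        """Last sector of the range, inclusive."""
        return self.start + self.count - 1

def parse_range(text: str) -> SectorRange:
    """Accept either notation and normalise it to (drive, start, count)."""
    m = _RANGE.match(text.strip())
    if not m:
        raise ValueError(f"not a DriveSpy sector range: {text!r}")
    drive, start = int(m.group(1)), int(m.group(2))
    if m.group(3) is not None:            # start,count form
        count = int(m.group(3))
    else:                                 # start-end form; both ends count
        end = int(m.group(4))
        if end < start:
            raise ValueError(f"ending sector {end} precedes start {start}")
        count = end - start + 1
    if count == 0:
        raise ValueError("a range must cover at least one sector")
    return SectorRange(drive, start, count)

def check_copysect(src: str, dst: str) -> tuple[SectorRange, SectorRange]:
    """Sanity-check the two ranges of a CopySect command before moving data.

    The destination must cover exactly as many sectors as the source. As an
    extra safeguard this example adds, a destination overlapping the source
    on the same drive is refused (the copy could clobber unread sectors).
    """
    s, d = parse_range(src), parse_range(dst)
    if s.count != d.count:
        raise ValueError(f"source covers {s.count} sectors, destination {d.count}")
    if s.drive == d.drive and s.start <= d.end and d.start <= s.end:
        raise ValueError("source and destination overlap on the same drive")
    return s, d
```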

Page 10: Understanding How DriveSpy Accesses Sector Ranges (continued)

Page 11: Using DriveSpy Data-Preservation Commands

• Work only on FAT16 and FAT32 disks
• SavePart
  – Acquires an entire partition
  – Even non-DOS partitions
• WritePart
  – Re-creates a saved partition in its original format
  – Be careful when restoring non-DOS partitions

Page 12: Using the SavePart Command

• Creates an image file of a partition
• Uses lossless compression
• Copies the image to a target disk
  – Smaller disks
  – Removable media
• Generates an MD5 hash value
• Cannot be used with partition gaps

Page 13: Using the WritePart Command

• Re-creates saved partition image files created with SavePart
• Decompresses the image file and writes it to the target disk
  – Checks that the target disk is equal to or larger than the original disk
• Prompts for all disks where the image file is stored

Page 14: Using the WritePart Command (continued)

Page 15: Using the WritePart Command (continued)

Page 16: Using DriveSpy Data-Manipulation Commands

• Isolate specific areas of a disk for examination
• Commands:
  – SaveSect
  – WriteSect

Page 17: Using the SaveSect Command

• Copies specific sectors on a disk to a file
  – Bit-stream copy
• Creates non-compressed files
  – Flat files
• For hidden or deleted partitions and gaps
• Drive and Partition modes
• Example:
  – SaveSect 1:40000-49999 c:\dir_name\file_name

Page 18: Using the SaveSect Command (continued)

Page 19: Using the WriteSect Command

• Re-creates data acquired with SaveSect
• Use it in DriveSpy’s Drive and Partition modes
• Example:
  – WriteSect c:\dir_name\file_name 2:10000
• Disadvantage:
  – Can overwrite data on the target disk
• Useful for non-Microsoft FAT file systems

Page 20: Using the WriteSect Command (continued)

Page 21: Using Windows Acquisition Tools

• Make the job more convenient
  – Hot-swappable devices
• Drawbacks:
  – Windows can contaminate your evidence
  – Require write-blocking hardware devices
  – Cannot access host-protected areas

Page 22: AccessData FTK Imager

• Included with AccessData FTK
• View evidence disks and bit-stream image files
• Makes bit-stream disk-to-image copies
  – At the logical partition and physical drive level
  – Can segment the image file

Page 23: AccessData FTK Imager (continued)

Page 24: AccessData FTK Imager (continued)

• Steps:
  – Boot up Windows
  – Connect the evidence disk to a write-blocker
  – Connect the target disk to the write-blocker
  – Start FTK Imager
  – Create Disk Image
• Use the Physical Drive option

Page 25: AccessData FTK Imager (continued)

Page 26: Using X-Ways Replica

• Compact bit-streaming application program
• Fits on a forensic bootable floppy disk
• Produces a dd-like image
  – Disk-to-image copy
  – Disk-to-disk copy
• Can access host-protected areas

Page 27: Using Replica

• Create a forensic boot floppy disk
• Boot into MS-DOS
• Replica checks whether the HPA setting in the BIOS is on
  – If yes, it asks you to turn it off
• Reboot
• Copy the information

Page 28: PDA Data Acquisition

• PDAs store, send, and receive data
  – PDA/cell phone
• Synch with host computers
  – Duplicate the host PC during an investigation
• Paraben Forensic Tool
  – Special tool
  – GUI-based tool

Page 29: PDA Data Acquisition (continued)

Page 30: PDA Data Acquisition (continued)

• Seize all PDA components
  – Cables and power supplies
• Learn how to put the PDA in debug mode

Page 31: PDA Data Acquisition (continued)

Page 32: General Considerations for PDA Investigations

• Seize the PDA and host computer
  – PDA caddy and cables
• Collect documentation
• Get the power supply and recharge the batteries
  – Leave it plugged into the PDA
• Create a bit-stream image and a backup copy of the host PC
• Obtain or locate the password used on the PDA

Page 33: Re-create the Host Computer

• Steps:
  – Connect caddy, cables, and external cards
  – Install the backup copy on the new host
  – Install the PDA software
  – Read the documentation and synch the PDA
  – Examine the downloaded PDA content

Page 34: Re-create the Host Computer (continued)

Page 35: Using Other Forensics-Acquisition Tools

• SnapBack DatArrest
• SafeBack
• EnCase

Page 36: Exploring SnapBack DatArrest

• Columbia Data Products
• Old, reliable MS-DOS tool
• Performs bit-stream copies in three ways:
  – Disk to SCSI drive
  – Disk to network drive
  – Disk to disk
• Fits on a forensic boot floppy
• SnapCopy adjusts disk geometry

Page 37: Exploring SafeBack

• Reliable MS-DOS tool
• Performs an SHA-256 calculation per sector copied
• Creates a log file
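
The verification values described on Page 6 (digital signatures for verification), Page 12 (SavePart's MD5 hash) and this slide (SafeBack's per-sector SHA-256), worked through as an added Python example that is not code from the textbook or from either tool. The 512-byte sector size and the eight-sector disk are constructed assumptions; SavePart's compression is left out so the image is a plain byte-for-byte copy.

```python
import hashlib

SECTOR = 512  # bytes per sector; an assumption for this constructed example

def constructed_disk(sectors: int = 8) -> bytes:
    """Stand-in for a small source disk (constructed data, not real evidence)."""
    return b"".join(bytes([0x40 + n]) * SECTOR for n in range(sectors))

def acquire(source: bytes) -> tuple[bytes, str, list[str]]:
    """Bit-stream disk-to-image copy plus the two kinds of verification value
    the slides mention: a whole-image MD5 (as SavePart records) and one SHA-256
    per sector copied (as SafeBack logs). SavePart's compression is omitted.
    """
    image = bytes(source)  # byte-for-byte copy of the source
    per_sector = [hashlib.sha256(image[i:i + SECTOR]).hexdigest()
                  for i in range(0, len(image), SECTOR)]
    return image, hashlib.md5(image).hexdigest(), per_sector

def verify(image: bytes, md5_expected: str,
           sector_log: list[str]) -> tuple[bool, list[int]]:
    """Re-check an image against its acquisition log.

    Returns (whole-image MD5 matches, sector numbers whose SHA-256 differs).
    The MD5 alone says only *that* something changed; the per-sector log says
    *where*. A truncated image shows up as both an MD5 mismatch and a missing
    sector; an image with extra trailing data only as an MD5 mismatch.
    """
    md5_ok = hashlib.md5(image).hexdigest() == md5_expected
    bad = [n for n, h in enumerate(sector_log)
           if hashlib.sha256(image[n * SECTOR:(n + 1) * SECTOR]).hexdigest() != h]
    return md5_ok, bad

if __name__ == "__main__":
    disk = constructed_disk()
    image, md5, log = acquire(disk)
    print("clean image:", verify(image, md5, log))             # (True, [])
    damaged = bytearray(image)
    damaged[5 * SECTOR + 17] ^= 0x01                            # one bit in sector 5
    print("damaged image:", verify(bytes(damaged), md5, log))  # (False, [5])
    print("truncated image:", verify(image[:-SECTOR], md5, log))  # (False, [7])
```

The per-sector log is what lets an examiner say which sector of a copy no longer matches the acquisition, rather than only that the whole image differs.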

Page 38: Exploring SafeBack (continued)

• Functions:
  – Disk-to-image copy (image can be on tape)
  – Disk-to-disk copy (adjusts target geometry)
    • A parallel-port laplink connection can be used
  – Copies a partition to an image file
  – Compresses acquired information

Page 39: Exploring EnCase

• Windows forensic tool from Guidance Software
• Creates forensic boot floppy disks
• Load En.exe onto the floppy
  – Implements the best compression algorithm
• Copy methods
  – Disk-to-disk
  – Disk-to-network server drive
  – Disk-to-drive on parallel port

Page 40: Exploring EnCase (continued)

Page 41: Summary

• Data acquisition methods:
  – Bit-stream disk-to-image file
  – Bit-stream disk-to-disk
  – Sparse data copy
• Several tools available
  – Lossless compression is acceptable
• Plan your digital evidence contingencies
• Use tools that can read partition gaps

Page 42: Summary (continued)

• Be careful when using tools
  – Risk of overwriting previous data
• Windows data acquisition tools
  – Easy to use
  – Can modify data
• DriveSpy, FTK Imager, Replica, SnapBack, SafeBack
• Investigations might involve PDAs