Data Acquisition

Objectives

Data Acquisition

• Data Acquisition, also known as imaging, is the use of established methods to extract
  Electronically Stored Information (ESI) from a suspect computer or storage medium to gain
  insight into a crime or an incident.

• Rules of Acquisition:
  - No changes to the original storage medium may be tolerated.
  - All acquired data must be authentic and relate in full integrity to its original evidence.
  - The chain of custody must be protected at all times.
Why create an Image?

• The computer/media is a crime scene and it should be protected to ensure that the evidence is
  not contaminated.

• An acquired image allows the following:
  - Preserve the original evidence.
  - Prevent inadvertent alteration of the original evidence during examination.
  - Allow another image to be created if necessary.
Types of Acquisition

• Live Data Acquisition
  - One chance to collect
  - After the system is rebooted or shut down, it's too late.

Live Data Acquisition

• Live data acquisition is the process of extracting volatile information from the registries,
  cache and RAM of digital devices through their normal interface.
• Volatile information is dynamic in nature and changes with time; therefore the investigator
  should collect the data in real time.
• Volatile information helps in determining a logical timeline of the security incident and the
  users possibly responsible.

• Types of Volatile Data:
  - System Information
  - Network Information

• System Information: Includes information about the current configuration and running state of
  the suspect computer: current system date and time, command history, running processes, open
  files, logged-on users, clipboard data, etc.

• Network Information: Includes information about the network state of the suspect computer,
  such as open connections and ports, routing information and configuration, shared files,
  services accessed, etc.
Order of Volatility

1. Registers & cache
2. Routing table, process table, kernel statistics & memory
3. Temporary file systems
4. Disk or other storage media
5. Remote logging & monitoring data that is relevant to the system in question
6. Physical configuration & network topology
7. Archival media
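As an added example (not from the original slides), a POSIX shell collector that gathers the system and network information described above in order-of-volatility sequence and hashes each artifact as it is written, so the live collection can itself be validated later. It assumes sha256sum (coreutils) is present; any collection command missing on the host is skipped and the skip is recorded in the manifest.

```shell
#!/bin/sh
# Added example, not the slides' own code: ordered volatile-data collection
# with a hashed manifest. Assumes POSIX sh and coreutils sha256sum.

# Write the output of one command to a file and record its SHA-256.
# $1 = output dir, $2 = artifact name, $3.. = command and its arguments
collect_item() {
    dir=$1; name=$2; shift 2
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if command -v "$1" >/dev/null 2>&1; then
        # A failing command still leaves its output (and error text) on record.
        "$@" > "$dir/$name.txt" 2>&1 || true
        sum=$(sha256sum "$dir/$name.txt" | cut -d' ' -f1)
        printf '%s %s %s\n' "$stamp" "$sum" "$name.txt" >> "$dir/manifest.txt"
    else
        printf '%s SKIPPED(missing:%s) %s\n' "$stamp" "$1" "$name.txt" >> "$dir/manifest.txt"
    fi
}

# Collect most-volatile state first (clock, processes, sockets, routes) and
# least-volatile state last (mounted storage, interface configuration).
collect_volatile() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/manifest.txt"
    collect_item "$dir" 01_datetime   date -u
    collect_item "$dir" 02_uptime     uptime
    collect_item "$dir" 03_processes  ps -ef
    collect_item "$dir" 04_sockets    ss -tunap
    collect_item "$dir" 05_routes     ip route
    collect_item "$dir" 06_users      who
    collect_item "$dir" 07_mounts     mount
    collect_item "$dir" 08_interfaces ip addr
    # Hash the manifest itself so its integrity can be checked as well.
    sha256sum "$dir/manifest.txt" > "$dir/manifest.sha256"
}

# Number of artifacts recorded in a manifest (one line per collect_item call).
manifest_entries() {
    wc -l < "$1/manifest.txt" | tr -d ' '
}
```

Run it from a clean tool set (not the suspect system's own binaries where possible) and keep the manifest with the chain-of-custody record.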
Static Data Acquisition

• Static data acquisition is defined as acquiring data that remains unaltered when the system is
  powered off or shut down.
• This type of data is termed non-volatile data and is usually recovered from secondary storage
  devices such as hard drives, thumb drives, CD-ROMs, etc.

• Static data recovered from a hard disk includes:
  - Temporary (temp) files
  - System registries
  - Event/system logs
  - Boot sectors
  - Web browser cache
  - Cookies
  - Hidden files
Rules of Data Acquisition

• The better the quality of the evidence, the better the analysis and the likelihood of solving
  the crime.

• Principle of Analysis: The analysis can be no better than the sample analysed.
  - Improper sampling and contamination render the best analysis useless.
  - The principle emphasizes correct sampling and correct packaging for effective use of experts.
Rules of Data Acquisition

• Do not work on the original digital evidence.
• Produce two copies of the digital media.
• If performing drive-to-drive imaging, use clean media: copy to new, shrink-wrapped drives.
• Once the duplication of the original media is done, verify the integrity of the copies against
  the original.
Steps of Data Acquisition

• Prepare a chain of custody document.
• Enable write protection on the evidence media.
• Sanitize the target media.
• Determine the data acquisition format.
• Determine the best acquisition method.
• Select the data acquisition tool.
• Acquire the data.
• Plan for contingency.
• Validate the acquired data.
Enable the Write Protection

• According to the NIJ, write protection should be initiated to preserve and protect the
  original evidence.
• The examiner should consider creating a known value for the subject evidence prior to
  acquiring the evidence.
• A write blocker is a hardware device or software application that allows data acquisition
  from storage media without altering its contents.
  - Hardware write blockers include the CRU WiebeTech USB WriteBlocker, Tableau Forensic
    Bridges, etc.
  - Software write blockers include SAFE Block, MacForensicsLab Write Controller, etc.
Sanitize the Target Media

• A proper data sanitization method must be used to remove previous information from the
  target media before data duplication.
• According to the NIST SP 800-88 guidelines, the categories of sanitization are defined as
  follows:
  - Clear applies logical techniques to sanitize data in all user-addressable storage locations
    for protection against simple non-invasive data recovery techniques; typically applied
    through the standard Read and Write commands to the storage device, such as by rewriting
    with a new value or using a menu option to reset the device to the factory state (where
    rewriting is not supported).
  - Purge applies physical or logical techniques that render Target Data recovery infeasible
    using state-of-the-art laboratory techniques.
  - Destroy renders Target Data recovery infeasible using state-of-the-art laboratory techniques
    and results in the subsequent inability to use the media for storage of data.
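An added example, not part of the original slides, of a Clear-category sanitization of target media as described above: overwrite every user-addressable byte with zeros, then verify by reading the medium back. It assumes POSIX sh with dd, head and od, and takes the target path and its size in bytes as parameters (for a real block device the size comes from the device; a regular file serves for a dry run).

```shell
#!/bin/sh
# Added example (not the slides' own code): NIST SP 800-88 "Clear" of a
# target medium by zero-overwrite plus read-back verification.
# Assumed: $1 is the target (block device, or a regular file for a dry run)
# and $2 is its size in bytes.

# Overwrite the first $2 bytes of $1 with zeros: whole 4 KiB blocks first,
# then any remaining tail byte by byte. conv=notrunc keeps a regular file's
# length unchanged, mirroring a fixed-size device.
clear_media() {
    target=$1; size=$2
    full=$((size / 4096)); rest=$((size % 4096))
    if [ "$full" -gt 0 ]; then
        dd if=/dev/zero of="$target" bs=4096 count="$full" conv=notrunc 2>/dev/null
    fi
    if [ "$rest" -gt 0 ]; then
        dd if=/dev/zero of="$target" bs=1 count="$rest" seek=$((full * 4096)) \
           conv=notrunc 2>/dev/null
    fi
}

# Read the medium back and succeed only if no non-zero byte remains: a hex
# dump with every '0' digit stripped is empty exactly when all bytes are 0x00.
verify_cleared() {
    leftover=$(head -c "$2" "$1" | od -An -v -tx1 | tr -d ' \n0')
    [ -z "$leftover" ]
}

# Overwriting reaches only user-addressable locations, which is the Clear
# category. Flash media with spare or over-provisioned areas need the
# device's own sanitize command to reach Purge; dd cannot do that.
```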
Determine the Data Acquisition Format

• There are three data acquisition formats:
  - Raw Format
  - Proprietary Formats
  - Advanced Forensics Format (AFF)
Raw Format

• Makes it possible to write bit-stream data to files. This copy technique creates simple
  sequential flat files of a data set or suspect drive. The output of these flat files is
  referred to as raw format.

• Advantages
  - Fast data transfers
  - Can ignore minor data read errors on the source drive
  - Most computer forensics tools can read raw format

• Disadvantages
  - Requires as much storage as the original disk or data
  - Tools (mostly freeware versions) might not collect marginal (bad) sectors
Proprietary Formats

• Commercial forensic tools have their own formats for collecting digital evidence.
  Proprietary formats usually offer features that complement the vendor's own analysis tools,
  such as:
  - Option to compress or not compress image files
  - Ability to split an image into smaller segmented files
  - Can integrate metadata into the image file

• Disadvantages
  - Inability to share an image between different tools
  - File size limitation for each segmented volume
Advanced Forensics Format (AFF)

• Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation, AFF is an open source
  acquisition format with the following design goals:
  - Provide compressed or uncompressed image files
  - No size restriction for disk-to-image files
  - Provide space in the image file or segmented files for metadata
  - Simple design with extensibility
  - Open source for multiple platforms and OSs
  - Internal consistency checks for self-authentication
• File extensions include .afd for segmented image files and .afm for AFF metadata.
Methods of Data Acquisition

• Bit-stream disk-to-image file
  - Most common method
  - Can make more than one copy
  - Copies are bit-for-bit replications of the original drive
• Bit-stream disk-to-disk
  - When a disk-to-image copy is not possible
  - Consider the disk's geometry configuration
  - EnCase, SafeBack, SnapCopy

Methods of Data Acquisition

• Logical acquisition or sparse acquisition
  - When your time is limited
  - Logical acquisition captures only specific files of interest to the case
  - Sparse acquisition also collects fragments of unallocated (deleted) data
  - For large disks
  - PST or OST mail files, RAID servers
Determining the Best Acquisition Method & Tool

• Determining the best method & tool depends on the circumstances of the investigation:
  - Size of the source disk
  - Time
  - Whether you can retain the disk
  - Tools available
  - Volatile or non-volatile
  - Skill set of the analyst
  - Condition of the seized evidence
  - Requirements of the investigation in terms of the artifacts required and the ultimate goal
    of the investigation in progress
Data Acquisition

• FTK
• EnCase Forensic
• Autopsy
• OSForensics
Data Recovery Contingency

• Investigators must make contingency plans in case data acquisition fails.
• To preserve digital evidence, investigators need to create a duplicate copy of the evidence
  files.
• In case the original data recovered is corrupted, investigators can make use of the second
  copy.
• Use at least two data acquisition tools to create copies of the evidence in case the
  investigator's preferred tool does not properly recover data.
• Copy the host protected area of a disk drive as well.
• Consider using a hardware acquisition tool that can access the drive at the BIOS level.
• Be prepared to deal with encrypted drives.
Validating the Data

• The most critical aspect of computer forensics
• Requires using a hashing algorithm utility
• Validation techniques
  - MD5, SHA-1 to SHA-512, CRC-32
• Tools for calculation of hash values are:
  - HashCalc, Hash Tool, HashMyFiles, etc.
Hash values

• Hash values can be thought of as fingerprints for files.
• The contents of a file are processed through a cryptographic algorithm, and a unique numerical
  value, the hash value, is produced that identifies the contents of the file.
• One of the main uses of hash values is to determine the integrity of any data (which can be a
  file, folder, email, attachment, download, etc.).
• Two algorithms currently widely used to produce hash values are MD5 and SHA-1.
  - MD5: Message-Digest algorithm 5 is a widely used cryptographic hash function that results
    in a 128-bit hash value. The 128-bit (16-byte) MD5 hashes are typically represented as
    32-digit hexadecimal numbers, for example, ec55d3e698d289f2afd663725127bace.
  - SHA-1: Secure Hash Algorithm 1 is a cryptographic hash function which takes an input and
    produces a 160-bit (20-byte) hash value, represented as 40 hexadecimal digits.
Data Acquisition Tools

• Hardware Tools:
  - Ultrakit
  - Forensic Falcon
  - XRY Office
  - Atola Insight Forensic
  - FRED
  - UFED Touch
  - UFED Pro Series, etc.

• Software Tools:
  - EnCase Forensic
  - AccessData FTK
  - X-Ways Forensics
  - OSForensics
  - Magnet Axiom
  - Belkasoft Acquisition Tool
  - Autopsy, etc.
Data Acquisition Tools

• Linux Standard Tools:
  Forensic investigators can use the built-in Linux commands dd and dcfldd to copy data from a
  disk drive.
  dd commands:
  - To create an image of a hard disk: dd if=/dev/hda of=/dev/case5img1
  - To make an ISO image of a CD: dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc
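As an added example (not the slides' own commands), a disk-to-image acquisition script that wraps the dd invocation above, hashes the source and the resulting image with the algorithms the validation slides list, writes a chain-of-custody record, and can re-validate the image later. It assumes POSIX sh with coreutils sha256sum and md5sum, a source that is a block device (or, for a dry run, a regular file made of whole 512-byte sectors), and a hypothetical custody log format of one key=value line per acquisition.

```shell
#!/bin/sh
# Added example, not the slides' own code: raw (dd) disk-to-image acquisition
# with hash validation and a custody record. Assumes coreutils on POSIX sh.

hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# $1 = source device/file, $2 = image path, $3 = examiner, $4 = custody log.
# Returns 0 only when the image hash matches the source hash.
acquire_image() {
    src=$1; img=$2; examiner=$3; log=$4
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # bs=512 matches the sector size, so conv=sync zero-pads only genuinely
    # unreadable sectors; noerror keeps dd going past read errors, and dd's
    # own messages are kept in the log as part of the record. A source whose
    # size is not a sector multiple would be padded and then fail validation.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    src_sha=$(hash_file "$src")
    img_sha=$(hash_file "$img")
    img_md5=$(md5sum "$img" | cut -d' ' -f1)
    if [ "$src_sha" = "$img_sha" ]; then result=MATCH; else result=MISMATCH; fi
    printf 'acquired=%s examiner=%s source=%s image=%s sha256=%s md5=%s result=%s\n' \
        "$start" "$examiner" "$src" "$img" "$img_sha" "$img_md5" "$result" >> "$log"
    [ "$result" = MATCH ]
}

# Re-validate an image at any later time against a recorded SHA-256.
verify_image() {
    [ "$(hash_file "$1")" = "$2" ]
}

# Pull the SHA-256 recorded for an image ($1) out of the custody log ($2).
logged_sha256() {
    grep "image=$1 " "$2" | tail -n 1 | sed 's/.*sha256=\([0-9a-f]*\).*/\1/'
}
```

Because the source is read twice (once by dd, once for hashing), the evidence drive must sit behind a write blocker for the whole run; a MISMATCH means the image is not usable as evidence and the acquisition is repeated.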
Remote Data Acquisition

• Data can be copied from a suspect computer by connecting to it via a network connection.
• Drawbacks:
  - LAN data transfer speeds and routing table conflicts could cause problems.
  - Heavy traffic on the network could cause delays and errors during the acquisition.
Data Acquisition Mistakes

• An investigator may commit some common mistakes while collecting data from the system that
  result in the loss of critical evidence. Common mistakes investigators commit include:
  - Choosing the wrong resolution for data acquisition
  - Use of wrong cables and cabling techniques
  - Insufficient time for system development
  - Making wrong connections
  - Poor knowledge of the instrument