Digital Forensics: Module 2: Data Acquisition and Recovery


Digital Forensics

Module 2: Data Acquisition and Recovery

Dr. Nagaraj S V & Prof Seshu Babu Pulagara, VIT Chennai

Storage formats

Three formats are commonly used to store acquired data as image files:
• Raw format
• Proprietary formats
• Advanced Forensics Format (AFF)

Raw Format

• Bit-stream data is written to files
• Benefits
  1. Many digital forensics tools can handle raw format
  2. Data transfers can be fast
  3. Minor data read errors on source drives are overlooked
• Drawbacks
  1. Bad sectors may be overlooked
  2. Storage needed can be as large as the original data

Proprietary Formats

• Many proprietary tools have their own unique formats
• Capabilities
  • Metadata can be included in the image file
  • Image files can be compressed if needed
  • Images can be split into smaller segmented files
• Drawbacks
  • Images are not easy to share with other tools because of the proprietary format
  • Size limitations for segmented volumes

The Expert Witness format (EWF)

• The Expert Witness file format is an industry standard format for storing forensic images.
• It is currently widely used in the field of digital forensics in proprietary tools such as EnCase and FTK
• The format permits a user to access arbitrary offsets in the uncompressed data without requiring decompression of the full data stream.

The Expert Witness format

• EnCase contains functionality to create forensic images of suspect media. Images are stored in the proprietary Expert Witness File format; the compressible file format is prefixed with case data information
• The EWF format was succeeded by the Expert Witness Compression Format version 2 in EnCase 7 (EWF2-Ex01 and EWF2-Lx01)

Exercises - Study

• Martin S. Olivier, Sujeet Shenoi, ed. (2006). Advances in digital forensics II. Springer. ISBN 0-387-36890-6.
• https://www.loc.gov/preservation/digital/formats/fdd/fdd000406.shtml
• Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow. Digital Investigation, Volume 6, Supplement, September 2009, Pages S57-S68.
  https://www.sciencedirect.com/science/article/pii/S1742287609000401

Advanced Forensics Format

• Advanced Forensics Format (AFF) is an open and extensible format for the storage of disk images and related forensic metadata. It was developed by Simson Garfinkel and Basis Technology Corp.
• See https://sourceforge.net/p/afflib/wiki/Home/
• https://www.loc.gov/preservation/digital/formats/fdd/fdd000412.shtml

Exercise - Study

• Advanced Forensic Format: an Open Extensible Format for Disk Imaging
  https://link.springer.com/chapter/10.1007/0-387-36891-4_2
• https://cs.harvard.edu/malan/publications/aff.pdf

AFF

• Open source
• Works with several platforms and operating systems
• Simple, extensible design
• Provision for including metadata in the image files or segmented files
• No size restriction for disk-to-image files
• Provision for compressed or uncompressed image files
• File extensions: .afd for segmented image files and .afm for AFF metadata

Acquisition Methods

• Static acquisitions
• Live acquisitions
• Logical acquisition
• Sparse acquisition
• Remote acquisition

Methods of data acquisition

• Making a sparse data copy of a file or folder
• Making a logical disk-to-disk or disk-to-data file
• Making a disk-to-disk copy
• Making a disk-to-image file

The Best Acquisition Method?

• The best acquisition method varies from case to case; it depends on the situation.

Making a disk-to-image file

• Many tools such as SANS Investigative Forensic Toolkit (SIFT), CAINE, ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways Forensics, Magnet Axiom and iLookIX support this
• Copies are bit-for-bit reproductions of the master or original drive
• More than one copy can be made if needed
• The most commonly used method; it offers high flexibility

Making a disk-to-disk copy

• Tools can adjust a disk's geometry configuration to do this
• It is often used when a disk-to-image copy is not feasible
• Many tools such as EnCase support this

Exercise

Terms such as mirror image, exact copy, bit-stream image, disk duplicating, disk cloning, and mirroring can confuse novices. Read
https://capsicumgroup.com/2-key-differences-between-digital-forensic-imaging-and-digital-forensic-clone-and-how-they-can-affect-your-legal-case/
to understand why it is important to know the terminology clearly.

• Read https://www.ncjrs.gov/pdffiles1/nij/199000.pdf to see a report about the SafeBack forensic tool
• Read https://en.wikipedia.org/wiki/List_of_digital_forensics_tools for a list of widely used digital forensic tools

Logical acquisition

• In some situations the time available for acquiring data may be limited
• In such situations, we may acquire only specific files of interest, or specific types of files relevant to the case being investigated
• Logical acquisition is feasible when the suspect drive is huge (e.g. a RAID disk) and it is not feasible to make a full volume / physical acquisition onsite

Sparse acquisition

• When we have large disks to acquire data from, such as RAID disks, and we don't have much time to acquire, sparse acquisition can be used
• Sparse acquisition collects fragments of unallocated / deleted data
• Deleted data and fragments are also acquired in this method
• Often used when performing static acquisition in RAID systems

What is a RAID System?

• RAID ("Redundant Array of Inexpensive Disks" or "Redundant Array of Independent Disks") is a data storage virtualization technology that combines multiple physical disk drive components into one or more logical units for the purposes of data redundancy, performance improvement, or both.
• See https://en.wikipedia.org/wiki/RAID

• Many tools such as EnCase, X-Ways Forensics, AccessData FTK and ProDiscover can acquire data from RAID systems. However, this is a time-consuming process.

Exercise

• Investigate the difficulties in acquiring data from RAID systems, Storage Area Networks (SANs), and Network Attached Storage (NAS) devices. See
  https://en.wikipedia.org/wiki/RAID
  https://en.wikipedia.org/wiki/Storage_area_network
  https://en.wikipedia.org/wiki/Network-attached_storage
• Study different RAID levels

Planning for image acquisition

• Disks may be encrypted. The entire disk could be encrypted using whole disk encryption, or only some sectors of a disk could be encrypted. Decryption keys may be required
• It may be necessary to copy the host protected area (HPA) of a disk drive as well. The HPA is an area of a hard drive or solid-state drive that is not normally visible to an operating system.
  See https://en.wikipedia.org/wiki/Host_protected_area

• In digital forensics, it is necessary to analyze the data in the Host Protected Area, a possibly enormous hidden region of the hard drive.
• An HPA is an area of a hard drive that is generally inaccessible to the user. Its existence is not made known to the BIOS or even to the operating system of the host computer.

• The HPA is a reserved area on a hard disk drive. It was designed by manufacturers so that it could store data that could not be easily accessed, changed, or modified by the normal user. It could contain utilities, diagnostic tools, and perhaps even boot sector code.
• The HPA can be misused, e.g. by placing malware in it, so it is of concern to investigators

Device configuration overlays

• Like the HPA, the Device Configuration Overlay (DCO) is a hidden area on many of today's hard disk drives. It is usually not accessible to the BIOS, OS, or the user. However, some tools can be used to modify the DCO.
• This hidden area is also of concern to investigators due to the possibility of misuse
• See https://en.wikipedia.org/wiki/Device_configuration_overlay

• The DCO can make a 60-gigabyte HDD appear as a 40-gigabyte HDD to both the OS and the BIOS. HDDs of various sizes can be configured by vendors to have the same number of sectors
• The potential to hide data using DCOs is of concern to forensic investigators.
• Another concern is imaging an HDD that has an HPA and/or DCO on it. Some tools may not be able to properly image the HPA and/or the DCO.
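
Added example, not from the slides: a POSIX shell helper that reads the output of `hdparm -N <device>` (a Linux tool the slides do not mention) and reports how many sectors an HPA hides, so the examiner knows the drive's native size before picking an imaging tool. The sample hdparm text is constructed, and the line format, the 512-byte sector size and the `hdparm -N` invocation are assumptions rather than something the slides state.

```shell
#!/bin/sh
# Added example, not from the slides: check a drive for a Host Protected
# Area (HPA) before imaging, using the output of `hdparm -N <device>`.
# hdparm -N prints a line shaped like
#   max sectors   = <visible>/<native>, HPA is enabled
# ASSUMPTIONS: that line format (it can vary between hdparm versions),
# 512-byte sectors, and the sample text below, which is CONSTRUCTED.
# (A DCO is reported separately, by `hdparm --dco-identify`; not parsed here.)

# hpa_hidden_sectors: read hdparm -N style text on stdin and print the
# number of sectors hidden by an HPA (0 when none). Returns 1 if the
# "max sectors" line is missing, so callers cannot mistake that for "no HPA".
hpa_hidden_sectors() {
    line=$(grep 'max sectors' | head -n 1)
    [ -n "$line" ] || return 1
    # Extract "visible/native" after the '=' and split on the slash.
    pair=$(printf '%s\n' "$line" | sed -n 's/.*= *\([0-9]*\/[0-9]*\).*/\1/p')
    visible=${pair%/*}
    native=${pair#*/}
    [ -n "$visible" ] && [ -n "$native" ] || return 1
    echo $((native - visible))
}

# hpa_report: turn the count into a one-line verdict for the acquisition
# notes, with the approximate hidden size (assumes 512-byte sectors).
hpa_report() {
    hidden=$(hpa_hidden_sectors) || { echo "no 'max sectors' line found"; return 1; }
    if [ "$hidden" -gt 0 ]; then
        echo "HPA present: $hidden sectors hidden (~$((hidden * 512 / 1048576)) MiB)"
    else
        echo "no HPA: all sectors visible"
    fi
}

# CONSTRUCTED samples resembling hdparm -N output for two drives.
SAMPLE_HPA='/dev/sdb:
 max sectors   = 117210240/234441648, HPA is enabled'
SAMPLE_NO_HPA='/dev/sdc:
 max sectors   = 234441648/234441648, HPA is disabled'

printf '%s\n' "$SAMPLE_HPA" | hpa_report
printf '%s\n' "$SAMPLE_NO_HPA" | hpa_report
```

On a real drive the text would come from `hdparm -N /dev/sdX | hpa_report`, run against a write-blocked device and recorded before imaging.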

• The HPA can therefore be considered as a "hidden area of the hard drive that can contain data in many formats, ranging from raw code or files (possibly encrypted), to complete alternative system or data partitions, and even disk images of operating systems. It can range in size from less than a megabyte to many gigabytes." See Richard Leickly and David K Angell, 2012 (PTO)

Exercise

• Read the article "Applications of Data Recovery Tools to Digital Forensics: Analyzing the Host Protected Area with the PC-3000" by Richard Leickly and David K Angell, 2012
  https://www.researchgate.net/publication/235984791_Applications_of_Data_Recovery_Tools_to_Digital_Forensics_Analyzing_the_Host_Protected_Area_with_the_PC-3000

Good practices

• Make a duplicate copy of the evidence image file
• It is safer to make at least two images of the digital evidence. This can be done using different tools or techniques for safety.
• It is essential to create a duplicate copy of the evidence image file. In digital forensics, the golden rule is to ensure that the original digital evidence is not tampered with.

Acquisition tools for Windows OS

• Benefits
  • Makes acquiring evidence from a suspect drive easy
  • Particularly for hot-swappable devices
• Note: Hot swapping is the replacement or addition of components to a computer system without stopping, shutting down, or rebooting the system. For example, eSATA, FireWire, and USB are interfaces that are hot-swappable on computers

Drawbacks

• It is necessary to protect the acquired data with a well-tested write-blocking hardware device so that it does not get tampered with
• Some tools may not acquire data from a disk's host protected area or DCO.
• The use of write-blocking devices for data acquisition has not been universally accepted.

Exercise

• Explore the use of Mini-WinFE Boot CDs and USB Drives
• Read https://www.winfe.net/
• Read "The (Nearly) Perfect Forensic Boot CD – Windows Forensic Environment" by Brett Shavers
  https://www.forensicfocus.com/articles/the-nearly-perfect-forensic-boot-cd-windows-forensic-environment/

• WinFE: see https://winfe.wordpress.com
• WinFE is a forensically sound version of WinPE; it is a bootable operating system used by law enforcement agencies that conduct forensic examinations.
• The Windows Pre-installation Environment (Windows PE, sometimes called WinPE) is a mini operating system with specific purposes
• WinPE is a bare-bones operating system, based on the Windows XP kernel, that provides the functionality required to automate Windows Setup.

• Mini-WinFE is a minimalist 32- or 64-bit Windows Forensic Environment (WinFE) with a GUI shell
• See http://mistyprojects.co.uk/mistype/mini-winfe.docs/readme.files/intro.htm

Acquiring Data with a Linux Boot CD

• Many Linux distributions offer an environment that you can boot your computer into without having to install anything to a hard drive. For some Linux distributions, this is actually their main purpose. This is called a "live file system" and it allows you to boot into Linux as normal from a CD, DVD, or USB drive.

Acquiring Data with a Linux Boot CD

• With a live file system, changes you make normally aren't saved after a reboot. When you boot to a live CD/DVD/USB, system files and everything else are stored temporarily in RAM, and RAM is always cleared when a system shuts down or reboots.
• See https://linuxconfig.org/live-cd-dvd-linux-download for info about Linux Live CD/DVD

• A live CD or live DVD is a CD-ROM or DVD-ROM containing a bootable computer operating system. Live CDs/DVDs are unique in that they have the ability to run a complete, modern operating system on a computer lacking mutable secondary storage, such as a hard disk drive.
• See https://en.wikipedia.org/wiki/List_of_live_CDs

• As CD and DVD drives have been steadily phased out, live CDs have become less popular, being replaced by live USBs, which are equivalent systems written onto USB flash drives and have the added benefit of writable storage. The functionality of a live CD is also available with a bootable live USB flash drive, or an external hard disk drive connected by USB.

• Forensic Linux Live CDs are available. See https://www.kali.org/docs/general-use/kali-linux-forensics-mode/ for the benefits of booting into forensic boot mode.
• Forensic Linux Live CDs don't access media automatically, which eliminates the need for a write-blocker

Forensic Linux Live CDs

• Forensic Hard Copy
• Penguin Sleuth
• F.I.R.E
• CAINE
• Deft
• Kali Linux
• Knoppix
• SANS Investigative Toolkit
• Ubuntu Rescue Remix
• Helix
• FCCU GNU/Linux Forensic Boot CD
• Parrot
• ForLex

• Windows OSs and recent Linux versions automatically mount and access a drive
• Linux can access a drive that isn't mounted
• Many recent Linux distributions can create Microsoft FAT and NTFS partition tables

Commands for acquiring data

• fdisk lists, creates, deletes, and verifies partitions in Linux
  https://www.tldp.org/HOWTO/Partition/fdisk_partitioning.html
  https://www.tecmint.com/fdisk-commands-to-manage-linux-disk-partitions/
• mkfs.msdos creates an MS-DOS file system under Linux

Read more at: https://www.commandlinux.com/man-page/man8/

Acquiring data with the dd command

• dd is a command-line utility for Unix and Unix-like operating systems, the primary purpose of which is to convert and copy files
• See https://www.gnu.org/software/coreutils/manual/html_node/dd-invocation.html
• https://forensicswiki.xyz/wiki/index.php?title=Dd

The command dd
Drawbacks
• Requires more sophisticated skills than an ordinary user has
• Has to be used with great caution. It can potentially wipe out the source media the forensic examiner is trying to replicate
• Does not compress data
• Was not designed with forensics in mind

The command dd
Benefits
• Can produce the raw format file that most digital forensics tools can read
• Can read from and write to media devices and data files

The command dcfldd

• dcfldd is an enhanced version of dd developed by the U.S. Department of Defense Computer Forensics Lab, hence the acronym dcfldd. It has some useful features for forensic investigators.
• dcfldd is based on an extremely old version of dd
• http://dcfldd.sourceforge.net

The command dcfldd

• The program only produces raw image files.
• This tool is not suitable for imaging faulty drives
• dcfldd can enter an infinite loop when a faulty sector is encountered on the source drive, thus writing to the image over and over again until there is no free space left.

Features of dcfldd

• On-the-fly hashing of the transmitted data.
• Progress bar of how much data has already been sent.
• Wiping of disks with known patterns.
• Verification that the image is identical to the original drive, bit-for-bit.
• Simultaneous output to more than one file/disk is possible.
• The output can be split into multiple files.
• Logs and data can be piped into external applications.

Tools for capturing images

• ProDiscover https://www.prodiscover.com
• AccessData FTK Imager Lite https://accessdata.com/product-download/ftk-imager-lite-version-3-1-1
• EnCase Forensic https://www.guidancesoftware.com/encase-forensic

Validation of Data Acquisitions

• Validation is the act of finding or testing the truth of something
• Validation can be done using cyclic redundancy checks, checksum functions, and cryptographic hash functions, e.g. CRC-32, SHA-1 and SHA-512
• https://en.wikipedia.org/wiki/Hash_function
• https://en.wikipedia.org/wiki/List_of_hash_functions

Validation using Linux utilities

• For data acquired using dd: md5sum or sha1sum utilities
• For data acquired using dcfldd:
  • hash option to designate a hashing algorithm
  • vf (verify file) option to compare the image file with the source medium
  • hashlog option to output the hash to a text file
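
Added example, not from the slides or from the dd/dcfldd projects: a POSIX shell script that acquires a raw image with dd and then validates it by hashing source and image, the dd-plus-hash-utility workflow the "Acquiring data with dd" and "Validation using Linux utilities" slides describe. The source medium is a constructed file in a temporary directory rather than a real device, SHA-256 is used in place of md5sum/sha1sum, and the dcfldd equivalent appears only in a comment.

```shell
#!/bin/sh
# Added example, not from the slides: acquire a raw image with dd and
# validate it by hashing source and image, the dd + hash-utility workflow
# the slides describe. To run offline the "source medium" is a CONSTRUCTED
# file in a temporary directory; on a real case the source would be a
# write-blocked device such as /dev/sdb (placeholder) and the two hashes
# would be copied into the acquisition log.
# SHA-256 is used instead of md5sum/sha1sum: same procedure, stronger digest.

# acquire_raw SOURCE IMAGE: bit-for-bit copy. conv=noerror,sync keeps going
# past unreadable blocks and zero-fills them so offsets in the image still
# match the source (plain dd would otherwise stop, or shift the data).
# Note: sync pads a short final block, so the demo source below is sized as a
# multiple of bs to keep the hashes comparable.
acquire_raw() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# hash_file FILE: print only the hex digest (the tools print "digest  name").
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1   # macOS/BSD fallback
    fi
}

# validate_image SOURCE IMAGE: print both digests and return 0 only when
# they are identical, i.e. the image is a faithful copy of the source.
validate_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    echo "source: $src_hash"
    echo "image:  $img_hash"
    [ -n "$src_hash" ] && [ "$src_hash" = "$img_hash" ]
}

# The dcfldd equivalent of the same steps, using the hash=, hashlog= and vf=
# options the slides name (not executed here):
#   dcfldd if=/dev/sdb of=evidence.dd hash=sha256 hashlog=evidence.hash.txt
#   dcfldd if=/dev/sdb vf=evidence.dd      # verify the image against the source

# CONSTRUCTED demo run: 64 KiB of filler standing in for a suspect drive.
demo_dir=$(mktemp -d)
head -c 65536 /dev/zero | tr '\0' 'A' > "$demo_dir/source.bin"
acquire_raw "$demo_dir/source.bin" "$demo_dir/source.dd"
validate_image "$demo_dir/source.bin" "$demo_dir/source.dd" && echo "image validated"
rm -rf "$demo_dir"
```

Rerunning validate_image later against the stored image detects any change to it, which is the check an examiner repeats before analysis and before presenting the image.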

Validation using Windows OS

• Windows OS does not have built-in hashing utilities for digital forensics
• However, third-party utilities may be used
• Raw data acquisitions have to be manually validated
• Forensic tools may have utilities for validation

Acquiring RAID data

• RAID systems are becoming commonplace
• RAID systems can store several TB of data and even more
• Size is thus a major concern
• Other challenges could be due to the configuration and design
• RAID was originally developed for data redundancy
• https://en.wikipedia.org/wiki/RAID

Typical Levels in RAID systems

• RAID 0
• RAID 1
• RAID 2
• RAID 3
• RAID 4
• RAID 5
• RAID 6
• RAID 10

Acquiring RAID data – Points to consider

• Data storage needed
• Type of RAID
• Suitable tool for acquiring
• Capability of tools for reading forensically copied RAID images
• Capability of tools for reading split data saved while acquiring
• Vendors
• Size of disks
• Use of sparse or logical acquisition if needed

Remote Acquisition

• Sometimes it may be necessary to remotely connect to a target computer by means of a network connection and make a copy of data
• Drawbacks
  • Malware may hinder acquisition
  • Alarms could be set by the suspects to warn them of data being acquired
  • Some tools may not support remote acquisition

Exercise

Study how data is acquired by tools such as
• ProDiscover https://www.prodiscover.com
• EnCase https://www.guidancesoftware.com/encase-forensic
• R-Studio https://www.r-studio.com/Data_Recovery_Technician.shtml
• USB Live Acquisition and Triage Tool (US-LATT) http://www.softwareasia.com/us-latt-pro

• F-Response https://www.f-response.com
• PassMark Software ImageUSB https://www.osforensics.com/tools/write-usb-images.html
• ILook Stand-Alone External Imager (IXImager) http://www.ilook-forensics.org/iximager.html

• ASR Data SMART for Linux http://www.asrdata.com/forensic-software/smart-for-linux/
• Runtime Software https://runtime.org/data-recovery-products.htm

References

• Nelson, Amelia Philips, Christopher Steuart, "Guide to Computer Forensics and Investigations", Fifth Edition, 2015.
• Wikipedia
