Module 2 Webinar Slides - Powerpoint
1. Raw format
2. Proprietary formats
1. Static acquisition
2. Live acquisition
Static acquisitions are always the preferred way to collect digital evidence.
You have already acquired the system, know the passwords if any, and are only interested in data on storage media such as hard disks, flash drives, etc.
Static acquisition does not provide a clear picture of the running system, e.g.
• When you are dealing with active network intrusions and attacks, or if you suspect employees are accessing network areas they shouldn’t.
• When you think that attackers may wipe evidence if the system goes offline.
5. The next step varies, depending on the incident you’re investigating. For example, with an intrusion you might want to see whether a rootkit exists. You can also access the system’s firmware to see whether it has changed, create an image of the drive over the network, or shut down the system and make a static acquisition later.
6. Be sure to get a forensic digital hash value of all files you recover during the live acquisition.
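Step 6 above is where the integrity chain for a live acquisition begins. The following is an added example, not code from the slides: it computes a hash manifest for every file under a directory of recovered files at acquisition time, then re-hashes later and reports which entries still match, which changed, which disappeared and which were not in the original manifest. The directory layout and the file contents it creates are constructed for the demonstration; the helper names (hash_file, build_manifest, verify_manifest) are this example's own.

```python
"""Hash manifest for files recovered during a live acquisition.

Added example (not from the slides). Assumes recovered files sit under one
directory; the sample files it creates are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images do not fill memory


def hash_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of an in-memory buffer (used for small, constructed inputs)."""
    return hashlib.new(algo, data).hexdigest()


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Stream a file through the chosen digest and return its hex value."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, algo: str = "sha256") -> dict:
    """Map every regular file under root (relative POSIX path) to its digest.

    Record this manifest at acquisition time; it is the baseline that later
    verification is checked against.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return manifest


def verify_manifest(root: Path, manifest: dict, algo: str = "sha256") -> dict:
    """Re-hash root and classify each entry as ok, modified, missing or unexpected."""
    current = build_manifest(root, algo)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    # Files present now but absent from the baseline manifest.
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    """Run the workflow on constructed sample files and return both verifications."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        (root / "logs" / "auth.log").write_bytes(b"constructed sample log line\n")
        (root / "memory.raw").write_bytes(b"\x00" * 4096)  # constructed stand-in

        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        # Simulate post-acquisition changes: one file edited, one file added.
        (root / "memory.raw").write_bytes(b"\x00" * 4095 + b"\x01")
        (root / "extra.bin").write_bytes(b"not in the manifest")
        tampered = verify_manifest(root, manifest)

    return {"manifest": manifest, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    out = demo()
    for rel, digest in out["manifest"].items():
        print(f"{digest}  {rel}")
    print("clean run:", out["clean"])
    print("after changes:", out["tampered"])
```

The manifest itself should be stored alongside the evidence (and its own hash noted in the case log), since a verification is only as trustworthy as the baseline it compares against. The file reader streams in fixed chunks so the same routine works for multi-gigabyte images as for small log files.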
Logical or sparse acquisition
Collecting evidence from large drives can take several hours; if your
For example, for an e-mail investigation you will only need .pst or .ost files.
Determining the Best Acquisition Method
For any type of acquisition, data can be collected with four methods.
Creating a disk-to-disk copy:
o When a disk-to-image copy is not possible
• Designed
• Configured
• Sized
Size is the biggest concern
• Drawbacks
o Antivirus, antispyware, and firewall tools can be configured to ignore remote access programs
o Suspects could easily install their own security tools that trigger an alarm to notify them of remote access intrusions
Validating with Hexadecimal Editors
Mini-WinFE
• Enables you to build a Windows forensic boot CD/DVD or USB drive so that connected drives are mounted as read-only