Module 2 Webinar Slides - Powerpoint


Digital Forensics Short Course

Based on the subject ITC597: Digital Forensics

Module 2: Data Acquisition


Slides edited from originals made by Dr. M. Arif Khan.
Outline

• Data acquisition introduction

• Data storage formats

• Data acquisition methods

• Determining the best data acquisition method

• Data acquisition from new platforms

• Data validation (hashing functions / algorithms)


Data storage formats for digital evidence

Three data storage formats for digital evidence:

1. Raw format

2. Proprietary formats

3. Advanced Forensics Format (AFF)


Types of Data Acquisition

Three types of data acquisition:

1. Static acquisition

2. Live acquisition

3. Logical acquisition and/or sparse acquisition


Static Acquisition Method

• Typically, a static acquisition is done on a computer seized during a police raid

• Static acquisitions are always the preferred way to collect digital evidence

• You have already acquired the system, know the passwords if any, and are only interested in data on storage media such as hard disks, flash drives etc.

• Static acquisition does not provide a clear picture of the running system, e.g. you may be interested in RAM contents, or the web browser contents at a particular instant of time

Live Acquisition Methods

Performing Live Acquisition:

When is it required/important to perform live acquisition?

• When you are dealing with active network intrusions and attacks, or if you suspect employees are accessing network areas they shouldn't.

• When you think that attackers may wipe off evidence if the system goes offline.

• Information in RAM is lost after you turn off the suspect's system.

• When you don't know the password of the system.


Live Acquisition Steps

Steps required to perform a live acquisition:

1. Create or download a bootable forensic CD or USB drive

2. Make sure you keep a log of all your actions

3. A network drive is ideal as a place to send the information you collect

4. Copy the physical memory (RAM)

5. The next step varies, depending on the incident you're investigating. For example, with an intrusion you might want to see whether a rootkit exists. You can also access the system's firmware to see whether it has changed, create an image of the drive over the network, or shut down the system and make a static acquisition later.

6. Be sure to get a forensic digital hash value of all files you recover during the live acquisition.

Logical or sparse acquisition

• Can be done during static or live acquisitions

• Collecting evidence from large drives can take several hours; if your time is limited, use logical or sparse acquisition

• Use this method when you do not need to examine the entire drive

• Logical acquisition captures only specific files of interest to the case

• Sparse acquisition collects fragments of unallocated (deleted) data
  o For large disks

• For example, for an e-mail investigation you will only need .pst or .ost files
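The logical acquisition described above, as an added example that is not part of the course slides or of any forensic tool: it walks a source tree, copies only the mail-store file types the case needs (.pst/.ost), preserves timestamps, and records a hash manifest so the copies can be re-verified later. The sample profile tree, the file names and the evidence folder are constructed for the demonstration.

```python
"""Logical acquisition of selected file types (e.g. .pst/.ost mail stores).

Added example, not from the course slides. Walks a source tree, copies only
the files whose extension is of interest into an evidence folder, preserves
timestamps, and writes a manifest with the SHA-256 of every copied file so the
copy can be re-verified later. All paths and the sample files are constructed
here for the demonstration; the source tree is created under a temp dir.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

MAIL_EXTENSIONS = {".pst", ".ost"}  # file types an e-mail investigation needs


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large mail stores do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def logical_acquire(source: Path, dest: Path, extensions=MAIL_EXTENSIONS) -> list:
    """Copy only files with the wanted extensions; return the hash manifest.

    Each manifest entry records the original path, the copy's path, the size
    and the SHA-256 computed before and after copying, so a mismatch at copy
    time is caught immediately rather than later in court.
    """
    manifest = []
    for root, _dirs, files in os.walk(source):
        for name in files:
            src = Path(root) / name
            if src.suffix.lower() not in extensions:
                continue  # not a file type the case needs: skip it
            dst = dest / src.relative_to(source)
            dst.parent.mkdir(parents=True, exist_ok=True)
            pre_hash = sha256_of_file(src)
            shutil.copy2(src, dst)  # copy2 preserves modification times
            post_hash = sha256_of_file(dst)
            manifest.append({
                "name": src.name, "source": str(src), "copy": str(dst),
                "size": src.stat().st_size, "sha256": pre_hash,
                "verified": pre_hash == post_hash,
            })
    return manifest


def write_manifest(manifest: list, path: Path) -> None:
    """Write a plain-text manifest: one 'hash  size  source -> copy' line per file."""
    with path.open("w") as f:
        for e in manifest:
            f.write(f"{e['sha256']}  {e['size']}  {e['source']} -> {e['copy']}\n")


def build_sample_tree(base: Path) -> Path:
    """Constructed sample data: a suspect profile with mail stores and unrelated files."""
    src = base / "suspect_profile"
    (src / "Outlook").mkdir(parents=True)
    (src / "Outlook" / "archive.pst").write_bytes(b"!BDN" + b"\x00" * 4096)  # PST magic, padded
    (src / "Outlook" / "mailbox.ost").write_bytes(b"!BDN" + b"\x01" * 2048)
    (src / "Documents").mkdir()
    (src / "Documents" / "notes.txt").write_text("not a mail store")
    (src / "cache.dat").write_bytes(b"\xff" * 512)
    return src


def demo() -> list:
    """Run the acquisition against the constructed tree and return the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = build_sample_tree(base)
        manifest = logical_acquire(src, base / "evidence")
        write_manifest(manifest, base / "manifest.txt")
        return manifest


if __name__ == "__main__":
    for entry in demo():
        print(entry["sha256"], entry["copy"], "OK" if entry["verified"] else "MISMATCH")
```

Only the two mail stores are copied; the text file and cache file are left behind, and the manifest ties each copy to the hash of the original it was taken from.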
Determining the Best Acquisition Method

For any type of acquisition, data can be collected with four methods:

1. Creating a disk-to-image file

2. Creating a disk-to-disk copy

3. Creating a logical disk-to-disk or disk-to-data file

4. Creating a sparse data copy of a file or folder

Determining the best method depends on the circumstances of the investigation

Determining the Best Acquisition Method

Creating a disk-to-image file:

• Most common method and offers the most flexibility

• Should make more than one copy – the more the better!

• Copies are bit-for-bit replications of the original drive

• Tools: ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLookIX

Creating a disk-to-disk copy:

o When a disk-to-image copy is not possible

o Tools can adjust the disk's geometry configuration

o Tools: EnCase, SafeBack, SnapCopy

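A disk-to-image acquisition, as an added example that is not part of the course slides and not the code of any tool they name: it reads a source device bit for bit, writes it as numbered raw segments (image.001, image.002, ...), hashes every segment and the whole stream with MD5 and SHA-256, and appends every action to an acquisition log. The source "drive" is a constructed file opened read-only, and the segment size is an assumption chosen for the demonstration.

```python
"""Disk-to-image acquisition into segmented raw files, with an acquisition log.

Added example, not from the course slides or from any acquisition tool.
Reads a source device (a constructed file standing in for a small drive,
opened read-only) and writes raw segments image.001, image.002, ... of a
fixed maximum size, hashing each segment and the full stream, and logging
every action.  Segment size and the sample 'drive' are demo assumptions.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

SECTOR = 512


def log(logfile: Path, message: str) -> None:
    """Append a timestamped line to the acquisition log (the record of all actions)."""
    stamp = datetime.now(timezone.utc).isoformat()
    with logfile.open("a") as f:
        f.write(f"{stamp}  {message}\n")


def acquire_segmented(source: Path, out_dir: Path, segment_bytes: int, logfile: Path) -> dict:
    """Bit-for-bit copy of `source` into numbered raw segments of at most `segment_bytes`.

    Returns the MD5 and SHA-256 of the full stream plus a SHA-256 per segment;
    the per-segment hashes let a damaged segment be pinpointed later without
    rehashing the whole image.
    """
    if segment_bytes % SECTOR:
        raise ValueError("segment size must be a whole number of sectors")
    out_dir.mkdir(parents=True, exist_ok=True)
    full_md5, full_sha = hashlib.md5(), hashlib.sha256()
    segments = []
    log(logfile, f"acquisition start source={source} size={source.stat().st_size}")
    with source.open("rb") as src:  # read-only; a hardware write blocker enforces this on real drives
        seg_no = 0
        while True:
            data = src.read(segment_bytes)
            if not data:
                break
            seg_no += 1
            seg_path = out_dir / f"image.{seg_no:03d}"
            seg_path.write_bytes(data)
            seg_sha = hashlib.sha256(data).hexdigest()
            full_md5.update(data)
            full_sha.update(data)
            segments.append({"path": seg_path.name, "bytes": len(data), "sha256": seg_sha})
            log(logfile, f"wrote {seg_path.name} bytes={len(data)} sha256={seg_sha}")
    result = {"md5": full_md5.hexdigest(), "sha256": full_sha.hexdigest(), "segments": segments}
    log(logfile, f"acquisition end md5={result['md5']} sha256={result['sha256']}")
    return result


def verify_segments(out_dir: Path, result: dict) -> bool:
    """Re-read the segments in order and confirm they reproduce the recorded hashes."""
    h = hashlib.sha256()
    for seg in result["segments"]:
        data = (out_dir / seg["path"]).read_bytes()
        if hashlib.sha256(data).hexdigest() != seg["sha256"]:
            return False  # this segment was altered or truncated
        h.update(data)
    return h.hexdigest() == result["sha256"]


def demo() -> dict:
    """Constructed 'drive' of 10 sectors, acquired into 4-sector segments (3 segments)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        drive = base / "suspect_drive.bin"
        drive.write_bytes(os.urandom(SECTOR * 10))  # stand-in for a physical device
        logfile = base / "acquisition.log"
        result = acquire_segmented(drive, base / "image", SECTOR * 4, logfile)
        result["verified"] = verify_segments(base / "image", result)
        result["expected_sha256"] = hashlib.sha256(drive.read_bytes()).hexdigest()
        result["log_lines"] = logfile.read_text().count("\n")
        return result


if __name__ == "__main__":
    r = demo()
    print("segments:", [(s["path"], s["bytes"]) for s in r["segments"]])
    print("stream sha256:", r["sha256"], "verified:", r["verified"])
```

The hash of the reassembled segments equals the hash of the original device, which is what makes a segmented raw image as good as a single file; the log carries a line for the start, for every segment written, and for the final hashes.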

Determining the Best Acquisition Method …

When making a copy, consider:

• Size of the source disk

– Lossless compression might be useful

– Use digital signatures for verification

• When working with large drives, an alternative is using lossless compression

• Whether you can retain the disk

• Time to perform the acquisition

• Where the evidence is located


Data acquisition from new & emerging platforms

• Data acquisition from clouds

o Digital investigators should first locate the relevant cloud data centres

o Legal and technical challenges related to Cloud Service Providers (CSPs)

• Data acquisition from Online Social Networks (OSNs)

• Data acquisition from smart phones

o It can include acquiring messages, phone contacts, images / videos stored in smart phones, web browsing history, OSN-related data etc.

Contingency Planning for Image Acquisitions

• Create a duplicate copy of your evidence image file

• Make at least two images of digital evidence

o Use different tools or techniques

• Copy the host protected area (HPA) of a disk drive as well

o Consider using a hardware acquisition tool that can access the drive at the BIOS level

• Be prepared to deal with encrypted drives

o The whole disk encryption feature in Windows called BitLocker makes static acquisitions more difficult

o May require the user to provide the decryption key

Hashing the Data

• Ensuring the integrity of data collected is essential for presenting evidence in court

• Most forensic tools offer hashing of image files

• Example – Autopsy's hashing feature

• Using advanced hexadecimal editors ensures data integrity

• Raw format image files don't contain metadata

• Separate manual validation is recommended for all raw acquisitions

Validating Data Acquisitions

• Validating evidence may be the most critical aspect of computer forensics

• Requires using a hashing algorithm/function

• A hashing algorithm is a mathematical function that calculates a fixed-length output from input of any size

o CRC-32, MD5, and SHA-1 to SHA-512

Performing RAID Data Acquisitions

Acquisition of RAID (Redundant Array of Independent Disks) drives can be challenging and frustrating because of how RAID systems are:

• Designed

• Configured

• Sized

Size is the biggest concern

• Many RAID systems now have terabytes of data


Remote Network Acquisition Tools

• You can remotely connect to a suspect computer via a network connection and copy data from it

• Remote acquisition tools vary in configurations and capabilities

• Drawbacks

o Antivirus, antispyware, and firewall tools can be configured to ignore remote access programs

o Suspects could easily install their own security tools that trigger an alarm to notify them of remote access intrusions

Validating with Hexadecimal Editors

• Advanced hex editors offer features not available in some digital forensics tools, such as:

o Hashing specific files or sectors

• With the hash value in hand

o You can use a forensics tool to search for a suspicious file that might have had its name changed to look like a safe file

• WinHex provides MD5 and SHA-1 hashing algorithms
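The validation steps from the last few slides (hashing the image, hashing specific sectors, and using a hash to find a file whose name was changed), as an added example that is not part of the course slides and not WinHex's or any other tool's code. It goes slightly beyond the slides by letting the caller pick MD5, SHA-1 or SHA-256, and by rejecting a sector range that runs past the end of the image. The raw image, its sector layout, the "recorded at acquisition" hashes and the known-hash list are all constructed for the demonstration.

```python
"""Validating an acquired image and finding a renamed file by hash.

Added example, not from the course slides and not any tool's code. Three
checks done by hand on a constructed raw image: (1) hash of the whole image
compared with the hashes recorded at acquisition, (2) hash of a specific
sector range, as a hex editor's 'hash selected sectors' feature does, and
(3) comparison of each file's content hash with a list of known hashes, so a
file renamed to look harmless is still found.  Image, sector layout and the
'known' hash list are constructed for the demo.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

SECTOR = 512

# algorithms the slides mention (CRC-32 is not a cryptographic hash and is left out here)
HASHERS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of `data` under the chosen algorithm."""
    return HASHERS[algorithm](data).hexdigest()


def hash_sectors(image: bytes, first: int, count: int, algorithm: str = "sha256") -> str:
    """Hash sectors [first, first + count) of a raw image.

    An out-of-range request is an error rather than a silently shortened hash,
    because a short hash would never match the value another examiner records.
    """
    start, end = first * SECTOR, (first + count) * SECTOR
    if first < 0 or count <= 0 or end > len(image):
        raise ValueError("sector range outside the image")
    return hash_bytes(image[start:end], algorithm)


def validate_image(image: bytes, recorded: Dict[str, str]) -> Dict[str, bool]:
    """Compare the image with the hashes recorded at acquisition, per algorithm."""
    return {alg: hash_bytes(image, alg) == value for alg, value in recorded.items()}


def find_renamed(files: Iterable[Tuple[str, bytes]], known: Dict[str, str]) -> List[tuple]:
    """Return (current_name, known_name, sha256) for every file whose content hash
    is in the known-hash list but whose name differs: renaming leaves the hash unchanged."""
    hits = []
    for name, content in files:
        digest = hash_bytes(content)
        if digest in known and known[digest] != name:
            hits.append((name, known[digest], digest))
    return hits


def build_demo_image() -> bytes:
    """Constructed 8-sector raw image: a boot sector, a two-sector 'tool', and filler."""
    boot = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * (SECTOR - 13) + b"\x55\xaa"  # 512 bytes
    tool = b"MZ" + b"suspicious-tool-payload" + b"\x90" * (SECTOR * 2 - 25)  # 1024 bytes
    filler = b"\x00" * (SECTOR * 5)
    return boot + tool + filler


def demo() -> dict:
    """Run the three checks on the constructed image and return their results."""
    image = build_demo_image()
    # hashes 'recorded at acquisition': here computed from the untouched image
    recorded = {"md5": hash_bytes(image, "md5"), "sha256": hash_bytes(image, "sha256")}
    # simulate one flipped byte in sector 1 after acquisition
    damaged = bytearray(image)
    damaged[SECTOR + 5] ^= 0x01
    damaged = bytes(damaged)
    tool_bytes = image[SECTOR:SECTOR * 3]  # the file occupying sectors 1 and 2
    known = {hash_bytes(tool_bytes): "suspicious-tool.exe"}  # constructed known-hash list
    carved = [("readme.txt", b"harmless text"), ("calc.exe", tool_bytes)]  # constructed files
    return {
        "intact": validate_image(image, recorded),
        "damaged": validate_image(damaged, recorded),
        "tool_sector_hash": hash_sectors(image, 1, 2),
        "tool_sector_matches_file": hash_sectors(image, 1, 2) == hash_bytes(tool_bytes),
        "renamed": find_renamed(carved, known),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A single changed byte makes every recorded hash fail, the hash of sectors 1 and 2 equals the hash of the file stored there, and the file renamed to calc.exe is reported under its known name because its content, and therefore its hash, is unchanged.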
Using Acquisition Tools

Acquisition tools for Windows

• Advantages

o Make acquiring evidence from a suspect drive more convenient

o Especially when used with hot-swappable devices

• Disadvantages

o Must protect acquired data with a well-tested write-blocking hardware device

o Tools can't acquire data from a disk's host protected area

o Some countries haven't accepted the use of write-blocking devices for data acquisitions

Mini-WinFE Boot CDs and USB Drives

Mini-WinFE

• Enables you to build a Windows forensic boot CD/DVD or USB drive so that connected drives are mounted as read-only

Before booting a suspect's computer:

• Connect your target drive, such as a USB drive

After Mini-WinFE is booted:

• You can list all connected drives and alter your target USB drive to read-write mode so you can run an acquisition program

Capturing an Image with AccessData FTK Imager Lite

• Included with AccessData Forensic Toolkit

• Designed for viewing evidence disks and disk-to-image files

• Makes disk-to-image copies of evidence drives

o At logical partition and physical drive level

o Can segment the image file

• Evidence drive must have a hardware write-blocking device

• Or run from a Live CD, such as Mini-WinFE

Approaching Digital Forensics Cases

Follow these basic steps for all digital forensics investigations:

1. For target drives, use recently wiped media that have been reformatted and inspected for viruses

2. Inventory the hardware on the suspect's computer, and note the condition of the seized computer

3. For static acquisitions, remove the original drive and check the date and time values in the system's CMOS

4. Record how you acquired data from the suspect drive

5. Process the drive's contents methodically and logically

Approaching Digital Forensics Cases …

Follow these basic steps for all digital forensics investigations:

6. List all folders and files on the image or drive

7. Examine the contents of all data files in all folders

8. Recover file contents for all password-protected files

9. Identify the function of every executable file that doesn't match known hash values

10. Maintain control of all evidence and findings

Questions?
