
Guide to Computer Forensics and Investigations, Second Edition

Chapter 9 Data Acquisition

Objectives
- Determine the best acquisition method
- Plan data-recovery contingencies
- Use MS-DOS acquisition tools

Guide to Computer Forensics and Investigations, 2e

Objectives (continued)
- Use GUI acquisition tools
- Use X-Ways Replica and other tools for data acquisition
- Recover data from PDAs


Determining the Best Acquisition Method

Three ways:
- Bit-stream disk-to-image file
- Bit-stream disk-to-disk
- Sparse data copy of a file or folder

Bit-stream disk-to-image file:
- Most common method
- Can make more than one copy
- Tools: EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook


Determining the Best Acquisition Method (continued)

Bit-stream disk-to-disk:
- Used when a disk-to-image copy is not possible
- Consider the disk's geometry (CHS configuration)
- Tools: SafeBack, SnapCopy, Norton Ghost 2002

Sparse data copy:
- Creates exact copies of specific folders and files
- Suited to large disks, such as PST or OST mail files and RAID servers


Determining the Best Acquisition Method (continued)

When making a copy, consider:
- Size of the source disk
  - Lossless compression might be useful
  - Use digital signatures for verification
- Whether you can retain the disk
- How much time you have
- Location of the evidence


Planning Data Recovery Contingencies

- Create a duplicate copy of your evidence image file
- Make at least two copies of digital evidence
  - Use different tools or techniques
- Copy the host-protected area (HPA) of the disk drive as well
  - Image MaSSter Solo
- Consider HAZMAT and environmental conditions


Using MS-DOS Acquisition Tools

- Original tools
  - Fit on a forensic boot floppy disk
  - Require fewer resources
- DriveSpy
  - Data-preservation commands
  - Data-manipulation commands


Understanding How DriveSpy Accesses Sector Ranges

First method: absolute starting sector, total number of sectors
- Example: 0:1000,100 (100 sectors starting at sector 1000 on drive 0, the primary master drive)

Second method: absolute starting sector-ending sector
- Example: 0:1000-1100 (101 sectors, because the ending sector is inclusive)

Moving data:
- CopySect 0:1000,100 1:2000,100


Understanding How DriveSpy Accesses Sector Ranges (continued)


Using DriveSpy Data-Preservation Commands

- Work only on FAT16 and FAT32 disks
- SavePart
  - Acquires an entire partition, even non-DOS partitions
- WritePart
  - Re-creates a saved partition in its original format
  - Be careful when restoring non-DOS partitions


Using the SavePart Command

- Creates an image file of a partition
- Uses lossless compression
- Copies the image to a target disk
  - Smaller disks
  - Removable media
- Generates an MD5 hash value
- Cannot be used with partition gaps


Using the WritePart Command

- Re-creates partitions from image files created with SavePart
- Decompresses the image file and writes it to the target disk
- Checks that the target disk is equal to or larger than the original disk
- Prompts for all disks where the image file is stored


Using the WritePart Command (continued)


Using the WritePart Command (continued)


Using DriveSpy Data-Manipulation Commands

- Isolate specific areas of a disk for examination
- Commands:
  - SaveSect
  - WriteSect


Using the SaveSect Command

- Copies specific sectors on a disk to a file
  - Bit-stream copy
- Creates non-compressed (flat) files
- Used for hidden or deleted partitions and partition gaps
- Works in Drive and Partition modes
- Example:
  SaveSect 1:40000-49999 c:\dir_name\file_name


Using the SaveSect Command (continued)


Using the WriteSect Command

- Re-creates data acquired with SaveSect
- Use it in DriveSpy's Drive and Partition modes
- Example:
  WriteSect c:\dir_name\file_name 2:10000
- Disadvantage: can overwrite data on the target disk
- Useful for non-Microsoft FAT file systems
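An added illustration (my own code, not DriveSpy's) of what SaveSect and WriteSect do and of the overwrite hazard just noted: a bit-stream copy of a sector range from a constructed in-memory disk into a flat, uncompressed buffer with an MD5 recorded for verification (as SavePart does), and a write-back that refuses to proceed when the data fails its hash check, does not fit on the target, or would overwrite sectors that already hold data. The 512-byte sector size, the sample disk contents and all function names are assumptions.

```python
from __future__ import annotations
import hashlib

SECTOR = 512  # sector size assumed for the constructed in-memory disks below

def save_sect(disk: bytes, start: int, count: int) -> tuple[bytes, str]:
    """SaveSect-style bit-stream copy of `count` sectors starting at `start`.
    Returns the uncompressed flat-file bytes and their MD5 for later verification."""
    if start < 0 or count <= 0 or (start + count) * SECTOR > len(disk):
        raise ValueError("sector range lies outside the source disk")
    data = bytes(disk[start * SECTOR:(start + count) * SECTOR])
    return data, hashlib.md5(data).hexdigest()

def verify_flat_file(data: bytes, expected_md5: str) -> bool:
    return hashlib.md5(data).hexdigest() == expected_md5

def check_write(target: bytes, data: bytes, start: int, expected_md5: str,
                allow_overwrite: bool = False) -> str | None:
    """Return None if a WriteSect-style write is safe, else the reason it is refused."""
    if len(data) % SECTOR:
        return "flat file is not a whole number of sectors"
    if not verify_flat_file(data, expected_md5):
        return "hash mismatch: flat file does not match its recorded MD5"
    end = start * SECTOR + len(data)
    if start < 0 or end > len(target):
        return "range does not fit on the target disk"
    if not allow_overwrite and any(target[start * SECTOR:end]):
        return "target sectors already hold data; overwrite not allowed"
    return None

def write_sect(target: bytearray, data: bytes, start: int, expected_md5: str,
               allow_overwrite: bool = False) -> int:
    """Write the flat file at `start` on the target; returns the number of sectors written."""
    reason = check_write(target, data, start, expected_md5, allow_overwrite)
    if reason is not None:
        raise ValueError(reason)
    target[start * SECTOR:start * SECTOR + len(data)] = data
    return len(data) // SECTOR

def demo() -> bool:
    """Constructed sample: sectors 10-14 of a 20-sector source hold a pattern (standing
    in for a hidden partition); copy them out, write them back at sector 30 of an empty
    40-sector target, and confirm the round trip is bit-for-bit identical."""
    src = bytearray(20 * SECTOR)
    for s in range(10, 15):
        src[s * SECTOR:(s + 1) * SECTOR] = bytes([s]) * SECTOR
    data, digest = save_sect(src, 10, 5)
    dst = bytearray(40 * SECTOR)
    written = write_sect(dst, data, 30, digest)
    return written == 5 and dst[30 * SECTOR:35 * SECTOR] == data
```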


Using the WriteSect Command (continued)


Using Windows Acquisition Tools

- Make the job more convenient
  - Hot-swappable devices
- Drawbacks:
  - Windows can contaminate your evidence
  - Require write-blocking hardware devices
  - Cannot access host-protected areas


AccessData FTK Imager

- Included with AccessData FTK
- Views evidence disks and bit-stream image files
- Makes bit-stream disk-to-image copies
  - At the logical partition and physical drive level
  - Can segment the image file


AccessData FTK Imager (continued)


AccessData FTK Imager (continued)

Steps:
1. Boot up Windows
2. Connect the evidence disk to a write-blocker
3. Connect the target disk to the write-blocker
4. Start FTK Imager
5. Create Disk Image
   - Use the Physical Drive option


AccessData FTK Imager (continued)


Using X-Ways Replica

- Compact bit-streaming application program
- Fits on a forensic bootable floppy disk
- Produces a dd-like image
  - Disk-to-image copy
  - Disk-to-disk copy
- Can access host-protected areas


Using Replica
1. Create a forensic boot floppy disk
2. Boot in MS-DOS
3. Replica checks whether the HPA setting in the BIOS is on
   - If yes, it asks you to turn it off
4. Reboot
5. Copy the information


PDA Data Acquisition

- PDAs store, send, and receive data
  - PDA/cell phone
- Synch with host computers
  - Duplicate the host PC during an investigation
- Paraben Forensic Tool
  - Special tool
  - GUI-based tool


PDA Data Acquisition (continued)


PDA Data Acquisition (continued)

- Seize all PDA components
  - Cables and power supplies
- Learn how to put the PDA in debug mode


PDA Data Acquisition (continued)


General Considerations for PDA Investigations

- Seize the PDA and host computer
  - PDA caddy and cables
- Collect documentation
- Get the power supply and recharge batteries
  - Leave it plugged into the PDA
- Create a bit-stream image and a backup copy of the host PC
- Obtain or locate the password used on the PDA


Re-create the Host Computer

Steps:
1. Connect the caddy, cables, and external cards
2. Install the backup copy on the new host
3. Install the PDA software
4. Read the documentation and synch the PDA
5. Examine the downloaded PDA content


Re-create the Host Computer (continued)


Using Other Forensics-Acquisition Tools

- SnapBack DatArrest
- SafeBack
- EnCase


Exploring SnapBack DatArrest

- From Columbia Data Products
- Old, reliable MS-DOS tool
- Performs a bit-stream copy in three ways:
  - Disk to SCSI drive
  - Disk to network drive
  - Disk to disk
- Fits on a forensic boot floppy
- SnapCopy adjusts disk geometry



Exploring SafeBack
- Reliable MS-DOS tool
- Performs an SHA-256 calculation per sector copied
- Creates a log file


Exploring SafeBack (continued)

Functions:
- Disk-to-image copy (the image can be on tape)
- Disk-to-disk copy (adjusts target geometry)
  - A parallel-port laplink cable can be used
- Copies a partition to an image file
- Compresses acquired information


Exploring EnCase
- Windows forensic tool from Guidance Software
- Creates forensic boot floppy disks
  - Load En.exe onto the floppy
- Implements the best compression algorithm
- Copy methods:
  - Disk-to-disk
  - Disk-to-network server drive
  - Disk-to-drive on parallel port


Exploring EnCase (continued)


Summary
- Data acquisition methods:
  - Bit-stream disk-to-image file
  - Bit-stream disk-to-disk
  - Sparse data copy
- Several tools are available
- Lossless compression is acceptable
- Plan your digital evidence contingencies
- Use tools that can read partition gaps


Summary (continued)
- Be careful when using tools
  - Risk of overwriting previous data
- Windows data acquisition tools
  - Easy to use
  - Can modify data
- DriveSpy, FTK Imager, Replica, SnapBack, SafeBack
- Investigations might involve PDAs
