Objectives
Determine the best acquisition method
Plan data-recovery contingencies
Use MS-DOS acquisition tools
Objectives (continued)
Use GUI acquisition tools
Use X-Ways Replica and other tools for data acquisition
Recover data from PDAs
Whether you can retain the disk
How much time you have
Location of the evidence
DriveSpy
Data-preservation commands
Data-manipulation commands
Second method
Absolute starting sector-ending sector
Example: 0:1000-1100 (101 sectors)
Moving data
CopySect 0:1000,100 1:2000,100
WritePart
Re-creates saved partition to its original format
Be careful when restoring non-DOS partitions
For hidden or deleted partitions and gaps
Drive and Partition modes
Example:
SaveSect 1:40000-49999 c:\dir_name\file_name
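The two DriveSpy sector notations shown above (the inclusive "drive:start-end" form, as in 0:1000-1100 and SaveSect 1:40000-49999, and the "drive:start,count" form used by CopySect) are easy to miscount by one, and a CopySect with a wrong target range overwrites sectors on the destination disk. The following Python is an added example, not DriveSpy code or course material: it parses both notations and pre-checks a CopySect source/destination pair against assumed drive sizes before anything is written. The drive sizes and the check rules are constructed for the example.

```python
"""Parse DriveSpy-style absolute sector ranges and sanity-check a CopySect
operation before it runs.

Added example, not DriveSpy's own code. The two syntaxes are taken from the
slides: "drive:start-end" (end inclusive) and "drive:start,count".
Everything else (drive sizes, the overlap rule) is an assumption."""
import re
from dataclasses import dataclass

# drive:start-end  or  drive:start,count  (all decimal sector numbers)
RANGE_RE = re.compile(r"^(\d+):(\d+)(?:-(\d+)|,(\d+))$")


@dataclass(frozen=True)
class SectorRange:
    drive: int
    start: int
    count: int

    @property
    def end(self) -> int:
        """Last sector in the range, inclusive."""
        return self.start + self.count - 1


def parse_range(text: str) -> SectorRange:
    """Turn '0:1000-1100' or '0:1000,100' into a SectorRange."""
    m = RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a sector range: {text!r}")
    drive, start = int(m.group(1)), int(m.group(2))
    if m.group(3) is not None:            # start-end form, end inclusive
        end = int(m.group(3))
        if end < start:
            raise ValueError(f"end sector {end} precedes start {start}")
        count = end - start + 1
    else:                                 # start,count form
        count = int(m.group(4))
    if count <= 0:
        raise ValueError("sector count must be positive")
    return SectorRange(drive, start, count)


def check_copysect(src: SectorRange, dst: SectorRange,
                   drive_sizes: dict[int, int]) -> list[str]:
    """Return a list of problems with a CopySect src -> dst; empty means OK.

    drive_sizes maps drive number -> total sectors (constructed input, in a
    real case taken from the drive geometry DriveSpy reports)."""
    problems = []
    for label, r in (("source", src), ("destination", dst)):
        size = drive_sizes.get(r.drive)
        if size is None:
            problems.append(f"{label}: unknown drive {r.drive}")
        elif r.end >= size:
            problems.append(f"{label}: sectors {r.start}-{r.end} exceed "
                            f"drive {r.drive} ({size} sectors)")
    if src.count != dst.count:
        problems.append("source and destination sector counts differ")
    # Same drive and the two ranges intersect: the copy would clobber itself.
    if src.drive == dst.drive and src.start <= dst.end and dst.start <= src.end:
        problems.append("source and destination overlap on the same drive")
    return problems


if __name__ == "__main__":
    # Constructed drive sizes: drive 0 and drive 1 each 20000 sectors.
    sizes = {0: 20000, 1: 20000}
    print(parse_range("0:1000-1100").count)            # 101, as on the slide
    src, dst = parse_range("0:1000,100"), parse_range("1:2000,100")
    print(check_copysect(src, dst, sizes) or "CopySect range check passed")
```

Run the check before issuing the command; any non-empty list means the ranges should be re-derived from the drive geometry rather than trusted.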
Disadvantage:
Can overwrite data on target disk
Drawbacks:
Windows can contaminate your evidence
Require write-blocking hardware devices
Cannot access host-protected areas
Using Replica
Create a forensic boot floppy disk
Boot in MS-DOS
Replica checks if HPA on BIOS is on
If yes, asks you to turn it off
Create a bit-stream image and a backup copy of the host PC
Obtain or locate password used on the PDA
Exploring SafeBack
Reliable MS-DOS tool
Performs an SHA-256 calculation per sector copied
Creates a log file
Exploring EnCase
Windows forensic tool from Guidance Software
Creates forensic boot floppy disks
Load En.exe to the floppy
Implements the best compression algorithm
Copy methods
Disk-to-disk
Disk-to-network server drive
Disk-to-drive on parallel port
Summary
Data acquisition methods:
Bit-stream disk-to-image file
Bit-stream disk-to-disk
Sparse data copy
Plan your digital evidence contingencies
Use tools that can read partition gaps
Summary (continued)
Be careful when using tools
Risk of overwriting previous data
DriveSpy, FTK Imager, Replica, SnapBack, SafeBack
Investigations might involve PDAs