Guide to Computer Forensics and Investigations, Second Edition - PowerPoint PPT Presentation

Slides: 43
Provided by: rafa114
Transcript and Presenter's Notes

1
Guide to Computer Forensics and Investigations,
Second Edition
  • Chapter 9
  • Data Acquisition

2
Objectives
  • Determine the best acquisition method
  • Plan data-recovery contingencies
  • Use MS-DOS acquisition tools

3
Objectives (continued)
  • Use GUI acquisition tools
  • Use X-Ways Replica and other tools for data acquisition
  • Recover data from PDAs

4
Determining the Best Acquisition Method
  • Three ways
    • Bit-stream disk-to-image file
    • Bit-stream disk-to-disk
    • Sparse data copy of a file or folder
  • Bit-stream disk-to-image file
    • Most common method
    • Can make more than one copy
    • EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook

5
Determining the Best Acquisition Method
(continued)
  • Bit-stream disk-to-disk
    • When a disk-to-image copy is not possible
    • Consider the disk's geometry (CHS configuration)
    • SafeBack, SnapCopy, Norton Ghost 2002
  • Sparse data copy
    • Creates exact copies of folders and files
    • For large disks
    • PST or OST mail files, RAID servers

6
Determining the Best Acquisition Method
(continued)
  • When making a copy, consider
    • Size of the source disk
      • Lossless compression might be useful
      • Use digital signatures for verification
    • Whether you can retain the disk
    • How much time you have
    • Location of the evidence

7
Planning Data Recovery Contingencies
  • Create a duplicate copy of your evidence image file
    • Make at least two copies of digital evidence
    • Use different tools or techniques
  • Copy the host-protected area of a disk drive as well
    • Image MaSSter Solo
  • HAZMAT and environmental conditions

8
Using MS-DOS Acquisition Tools
  • Original tools
    • Fit on a forensic boot floppy disk
    • Require fewer resources
  • DriveSpy
    • Data-preservation commands
    • Data-manipulation commands

9
Understanding How DriveSpy Accesses Sector Ranges
  • First method
    • Absolute starting sector, total number of sectors
    • Example: 01000,100 (primary master drive)
  • Second method
    • Absolute starting sector-ending sector
    • Example: 01000-1100 (101 sectors)
  • Moving data
    • CopySect 01000,100 12000,100
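The two notations above differ in how the last sector is counted: "start,count" reads exactly count sectors, while "start-end" includes both endpoints, which is why 1000-1100 covers 101 sectors. The Python below is an added example (not from the textbook and not DriveSpy's own code) that parses the sector part of both forms, converts a range to a byte offset and length, and flags a CopySect whose destination overlaps its source on the same drive. It assumes the leading digit in the slide's examples is a drive number and leaves that prefix out, parsing only the sector portion.

```python
import re

SECTOR_SIZE = 512  # bytes per sector for the disks these MS-DOS tools address


def parse_range(spec: str) -> tuple[int, int]:
    """Parse the sector part of a DriveSpy-style range into (start, count).

    Two notations, as on the slide (hypothetical helper, drive prefix omitted):
      "1000,100"  -> start 1000, 100 sectors, i.e. sectors 1000..1099
      "1000-1100" -> start 1000, 101 sectors, because both endpoints are copied
    """
    m = re.fullmatch(r"(\d+),(\d+)", spec)
    if m:
        start, count = int(m[1]), int(m[2])
    else:
        m = re.fullmatch(r"(\d+)-(\d+)", spec)
        if not m:
            raise ValueError(f"unrecognised sector spec: {spec!r}")
        start, end = int(m[1]), int(m[2])
        if end < start:
            raise ValueError(f"ending sector {end} precedes starting sector {start}")
        count = end - start + 1  # inclusive range: the classic off-by-one trap
    if count == 0:
        raise ValueError("a range must cover at least one sector")
    return start, count


def byte_extent(start: int, count: int, sector_size: int = SECTOR_SIZE) -> tuple[int, int]:
    """Translate a sector range into (byte offset, byte length) for a raw read."""
    return start * sector_size, count * sector_size


def copysect_overlaps(src: tuple[int, int], dst: tuple[int, int]) -> bool:
    """True when a CopySect destination on the same drive intersects its source,
    which would overwrite sectors before they have been read."""
    (s1, c1), (s2, c2) = src, dst
    return s1 < s2 + c2 and s2 < s1 + c1


if __name__ == "__main__":
    for spec in ("1000,100", "1000-1100"):
        start, count = parse_range(spec)
        print(f"{spec:>10} -> {count} sectors, bytes {byte_extent(start, count)}")
    print("overlap:", copysect_overlaps(parse_range("1000,100"), parse_range("1050,100")))
```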

10
Understanding How DriveSpy Accesses Sector Ranges
(continued)

11
Using DriveSpy Data-Preservation Commands
  • Work only on FAT16 and FAT32 disks
  • SavePart
    • Acquires an entire partition
      • Even non-DOS partitions
  • WritePart
    • Re-creates a saved partition in its original format
    • Be careful when restoring non-DOS partitions

12
Using the SavePart Command
  • Creates an image file of a partition
    • Uses lossless compression
  • Copies image to target disk
    • Smaller disks
    • Removable media
  • Generates an MD5 hash value
  • Cannot be used with partition gaps

13
Using the WritePart Command
  • Re-creates partitions from image files created with SavePart
  • Decompresses the image file and writes it to the target disk
  • Checks that the target disk is equal to or larger than the original disk
  • Prompts for all disks where the image file is stored

14
Using the WritePart Command (continued)

15
Using the WritePart Command (continued)

16
Using DriveSpy Data-Manipulation Commands
  • Isolate specific areas of a disk for examination
  • Commands
    • SaveSect
    • WriteSect

17
Using the SaveSect Command
  • Copies specific sectors on a disk to a file
    • Bit-stream copy
  • Creates non-compressed files
    • Flat files
  • For hidden or deleted partitions and gaps
  • Drive and Partition modes
  • Example
    • SaveSect 140000-49999 c:\dir_name\file_name

18
Using the SaveSect Command (continued)

19
Using the WriteSect Command
  • Re-creates data acquired with SaveSect
  • Use it in DriveSpy's Drive and Partition modes
  • Example
    • WriteSect c:\dir_name\file_name 210000
  • Disadvantage
    • Can overwrite data on the target disk
  • Useful for non-Microsoft FAT file systems

20
Using the WriteSect Command (continued)

21
Using Windows Acquisition Tools
  • Make the job more convenient
    • Hot-swappable devices
  • Drawbacks
    • Windows can contaminate your evidence
    • Require write-blocking hardware devices
    • Cannot access host-protected areas

22
AccessData FTK Imager
  • Included with AccessData FTK
  • View evidence disks and bit-stream image files
  • Makes bit-stream disk-to-image copies
    • At logical partition and physical drive level
  • Can segment the image file

23
AccessData FTK Imager (continued)

24
AccessData FTK Imager (continued)
  • Steps
    • Boot up Windows
    • Connect evidence disk to a write-blocker
    • Connect target disk to write-blocker
    • Start FTK Imager
    • Create Disk Image
      • Use Physical Drive option

25
AccessData FTK Imager (continued)

26
Using X-Ways Replica
  • Compact bit-stream imaging program
  • Fits on a forensic bootable floppy disk
  • Produces a dd-like image
    • Disk-to-image copy
    • Disk-to-disk copy
  • Can access host-protected areas

27
Using Replica
  • Create a forensic boot floppy disk
  • Boot in MS-DOS
  • Replica checks whether the HPA setting in the BIOS is on
    • If yes, asks you to turn it off
  • Reboot
  • Copy information

28
PDA Data Acquisition
  • PDAs store, send, and receive data
    • PDA/cell phone
  • Synch with host computers
    • Duplicate a host PC during an investigation
  • Paraben Forensic Tool
    • Special tool
    • GUI-based tool

29
PDA Data Acquisition (continued)

30
PDA Data Acquisition (continued)
  • Seize all PDA components
    • Cables and power supplies
  • Learn how to put the PDA in debug mode

31
PDA Data Acquisition (continued)

32
General Considerations for PDA Investigations
  • Seize the PDA and host computer
    • PDA caddy and cables
  • Collect documentation
  • Get the power supply and recharge batteries
    • Leave it plugged into the PDA
  • Create a bit-stream image and a backup copy of the host PC
  • Obtain or locate the password used on the PDA

33
Re-create the Host Computer
  • Steps
    • Connect caddy, cables, and external cards
    • Install backup copy on new host
    • Install PDA software
    • Read documentation and synch PDA
    • Examine downloaded PDA content

34
Re-create the Host Computer (continued)

35
Using Other Forensics-Acquisition Tools
  • SnapBack DatArrest
  • SafeBack
  • EnCase

36
Exploring SnapBack DatArrest
  • Columbia Data Products
  • Old, reliable MS-DOS tool
  • Performs bit-stream copies in three ways
    • Disk to SCSI drive
    • Disk to network drive
    • Disk to disk
  • Fits on a forensic boot floppy
  • SnapCopy adjusts disk geometry

37
Exploring SafeBack
  • Reliable MS-DOS tool
  • Performs an SHA-256 calculation per sector copied
  • Creates a log file
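The per-sector SHA-256 noted on this slide, the whole-image MD5 that SavePart generates (slide 12), and WritePart's check that the target is at least as large as the original (slide 13) fit together as one verification workflow. The Python below is an added example (not code from the textbook, SafeBack, or DriveSpy) that models that workflow on a constructed in-memory "disk": it acquires a bit-stream copy with both kinds of hash, verifies it, localises damage to a sector, and refuses to restore to an undersized target or from an image that no longer verifies.

```python
import hashlib

SECTOR_SIZE = 512

def acquire(source: bytes, sector_size: int = SECTOR_SIZE) -> dict:
    """Bit-stream copy of an in-memory 'disk' plus the integrity data the
    chapter's tools record: one MD5 over the whole image (as SavePart does)
    and one SHA-256 per sector copied (as SafeBack does). A short final
    sector is hashed as-is rather than dropped."""
    image = bytes(source)  # byte-for-byte copy
    per_sector = [hashlib.sha256(image[i:i + sector_size]).hexdigest()
                  for i in range(0, len(image), sector_size)]
    return {"image": image, "sector_size": sector_size,
            "md5": hashlib.md5(image).hexdigest(), "sector_sha256": per_sector}

def verify(img: dict) -> tuple[bool, list]:
    """Return (whole-image MD5 still matches, indices of sectors whose SHA-256
    fails). The MD5 alone only says that something changed; the per-sector
    list localises the damage."""
    image, ss = img["image"], img["sector_size"]
    bad = [n for n, h in enumerate(img["sector_sha256"])
           if hashlib.sha256(image[n * ss:(n + 1) * ss]).hexdigest() != h]
    return hashlib.md5(image).hexdigest() == img["md5"], bad

def restore(img: dict, target_size: int) -> bytearray:
    """Write the image back to a target 'disk' of target_size bytes, applying
    WritePart's rule that the target must be at least as large as the original,
    and refusing an image that no longer verifies."""
    size = len(img["image"])
    if target_size < size:
        raise ValueError(f"target holds {target_size} bytes, image needs {size}")
    md5_ok, bad = verify(img)
    if not md5_ok or bad:
        raise ValueError(f"image fails verification (bad sectors: {bad})")
    target = bytearray(target_size)  # unwritten tail stays zeroed
    target[:size] = img["image"]
    return target

if __name__ == "__main__":
    # Constructed 1124-byte 'disk': two full 512-byte sectors plus a 100-byte tail.
    disk = bytes(range(256)) * 4 + b"\x00" * 100
    img = acquire(disk)
    print("sectors:", len(img["sector_sha256"]), "verify:", verify(img))
    flipped = dict(img, image=img["image"][:600] + b"\xff" + img["image"][601:])
    print("after flipping byte 600:", verify(flipped))  # -> (False, [1])
```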

38
Exploring SafeBack (continued)
  • Functions
    • Disk-to-image copy (image can be on tape)
    • Disk-to-disk copy (adjusts target geometry)
    • Parallel port laplink can be used
    • Copies a partition to an image file
    • Compresses acquired information

39
Exploring EnCase
  • Windows forensic tool from Guidance Software
  • Creates forensic boot floppy disks
    • Load En.exe onto the floppy
  • Implements the best compression algorithm
  • Copy methods
    • Disk-to-disk
    • Disk-to-network server drive
    • Disk-to-drive on parallel port

40
Exploring EnCase (continued)

41
Summary
  • Data acquisition methods
    • Bit-stream disk-to-image file
    • Bit-stream disk-to-disk
    • Sparse data copy
  • Several tools available
  • Lossless compression is acceptable
  • Plan your digital evidence contingencies
  • Use tools that can read partition gaps

42
Summary (continued)
  • Be careful when using tools
    • Risk of overwriting previous data
  • Windows data acquisition tools
    • Easy to use
    • Can modify data
  • DriveSpy, FTK Imager, Replica, SnapBack, SafeBack
  • Investigations might involve PDAs