Data Acquisition - PowerPoint PPT Presentation

About This Presentation
Title:

Data Acquisition

Description:

Boot a forensic workstation with Windows using an installed write-blocker such ... Using Other Forensics Acquisition Tools. SafeBack does the following: ... – PowerPoint PPT presentation

Slides: 49
Provided by: anned164

Transcript and Presenter's Notes

Title: Data Acquisition


1
Data Acquisition
  • Chapter 9

2
Learning Objectives
  • Determine the Best Acquisition Method
  • Plan Data Recovery Contingences
  • Use MS-DOS Acquisition Tools
  • Use GUI Acquisition Tools
  • Acquire data on Linux Computers
  • Use Other Data Acquisition Tools

3
Determining the Best Acquisition Method
  • DoubleSpace (DriveSpace): An MS-DOS disk compression utility distributed with MS-DOS 6.0 and 6.20.
  • Algorithm: A formula or set of steps for solving a particular problem. To be an algorithm, a set of rules must be unambiguous and have a clear stopping point.
  • Lossless Compression (Lossy Compression): A compression technique that can lose data but not perceptible quality when a file is restored. Files that use lossy compression include JPEG and MPEG.

4
Planning Data Recovery Contingencies
HAZMAT concerns
  • Does the evidence location have adequate electrical power?
  • Is there enough light at the evidence location, or do you have to bring floodlights, flashlights, or other kinds of lighting?
  • Is the temperature of the evidence location too warm, too cold, or too humid?
5
Using MS-DOS Acquisition Tools
Viewing Absolute and Logical Sectors
  1. Navigate to the Tools folder of the work folder.
  2. Type DriveSpy at the command prompt.
  3. At the SYS prompt, type D0.
  4. Note the numbers for the start and end sectors, and select a number between those, such as 2344.
  5. At the D0 prompt, type Sector 2344. A sector map appears.
6
Using MS-DOS Acquisition Tools
7
Using MS-DOS Acquisition Tools
Viewing Absolute and Logical Sectors (continued)
  6. Press Esc to return to the D0 prompt.
  7. Type P1 to use the Partition mode.
  8. At the D0P1 prompt, type Sector 2344.
  9. Press Esc to return to the D0P1 prompt, and then type exit.
8
Using MS-DOS Acquisition Tools
9
Using MS-DOS Acquisition Tools
Saving a Partition with SavePart
  1. Navigate to the Tools folder and run Toolpath.bat. If necessary, create a folder called Chap09 in your work folder and a subfolder called Chapter inside Chap09.
  2. Change to the Chap09\Chapter folder.
  3. Type DriveSpy at the command prompt.
  4. At the SYS prompt, type DriveSpy to start DriveSpy.
  5. At the SYS prompt, type Drives.

10
Using MS-DOS Acquisition Tools
11
Using MS-DOS Acquisition Tools
Saving a Partition with SavePart (continued)
  6. At the SYS prompt, type D0.
12
Using MS-DOS Acquisition Tools
13
Using MS-DOS Acquisition Tools
Saving a Partition with SavePart (continued)
  7. At the D0 prompt, type Part 1.
14
Using MS-DOS Acquisition Tools
15
Using MS-DOS Acquisition Tools
Saving a Partition with SavePart (continued)
  8. Insert a floppy disk that contains a few files into the floppy drive. At the D0P1 prompt, type Drive A.
  9. At the DA prompt, type Part 1 to access the partition level.
  10. At the DAP1 prompt, type SavePart C:\work folder\Chap09\Chapter\Case_9sp.ima to copy the partition on the floppy disk to an image file named Case_9sp.ima on your hard disk.
16
Using MS-DOS Acquisition Tools
17
Using MS-DOS Acquisition Tools
Saving a Partition with SavePart (continued)
  11. At the DAP1 prompt, type exit to close DriveSpy.
18
Using MS-DOS Acquisition Tools
19
Using MS-DOS Acquisition Tools
Restoring the Case_9sp.ima Image File
  1. At an MS-DOS prompt, navigate to the Tools folder in your work folder and type Toolpath.bat. Then type cd C:\work folder\Chap09\Chapter to navigate to the Chap09\Chapter folder in your work folder.
  2. At the command prompt, type DriveSpy.
  3. At the SYS prompt, type Output Chap2rp2.txt to create the output file.

20
Using MS-DOS Acquisition Tools
Restoring the Case_9sp.ima Image File (continued)
  4. At the SYS prompt, type Drive A to access the floppy drive. At the DA prompt, type Part 1 to access the partition level of the floppy disk.
  5. At the DAP1 prompt, type WritePart Case_9sp.ima to restore the image file you created in Chap09\Chapter. When a warning appears, type Y to continue. It takes a few minutes to restore the image file.
21
Using MS-DOS Acquisition Tools
22
Using MS-DOS Acquisition Tools
23
Using MS-DOS Acquisition Tools
Restoring the Case_9sp.ima Image File (continued)
  6. At the DAP1 prompt, type exit to close DriveSpy. Reboot to Windows.
24
Using MS-DOS Acquisition Tools
Copying Sectors from One Drive to Another
  1. Access a command prompt, and navigate to the Tools folder.
  2. At the command prompt, type DriveSpy to start DriveSpy.
  3. At the SYS prompt, type Output C:\work folder\Chap09\Chapter\Chap09rp3.txt to record the commands you see and the results.
  4. At the SYS prompt, type Drives to connect to your workstation.

25
Using MS-DOS Acquisition Tools
26
Using MS-DOS Acquisition Tools
Copying Sectors from One Drive to Another (continued)
  5. At the SYS prompt, type CopySect 1:0,1665216 3:0 to copy Drive 1 from absolute sectors 0 to 1665216 to Drive 3 starting at absolute sector 0.
  6. When a warning appears showing the source and destination drives, verify that they are correct by typing Y to continue. Copying the sectors may take a few minutes. When it has finished, DriveSpy displays Done! and returns to the SYS prompt.
27
Using MS-DOS Acquisition Tools
28
Using MS-DOS Acquisition Tools
Copying Sectors from One Drive to Another (continued)
  7. At the SYS prompt, type exit to close DriveSpy. Then reboot your computer.
29
Using MS-DOS Acquisition Tools
Saving Sectors in DriveSpy
  1. Access a command prompt and navigate to the Tools folder of your work folder. At the command prompt, type DriveSpy.
  2. At the SYS prompt, type Output C:\work folder\Chap09\Chapter\Chap9rp4.txt to create an output file that records your actions and results.
  3. At the SYS prompt, type Drives to determine which drive to copy.
  4. At the SYS prompt, type D3 to access the drive you want to copy. Substitute the number for your drive as necessary.

30
Using MS-DOS Acquisition Tools
Saving Sectors in DriveSpy (continued)
  5. At the D3 prompt, type P1 to select the partition that contains the sectors you want to copy.
  6. At the D3P1 prompt, type SaveSect 3:0-415232 C:\work folder\Chap09\Chapter\Case_9s.dat to copy sectors 0 to 415232 to a data file named Case_9s.dat.
  7. At the D3P1 prompt, type exit to close DriveSpy.
31
Using MS-DOS Acquisition Tools
32
Using MS-DOS Acquisition Tools
Using the WriteSect Command
  1. Access a command prompt and navigate to the Tools folder of your work folder. At the command prompt, type DriveSpy.
  2. At the SYS prompt, type Output C:\work folder\Chap09\Chapter\Chap9rp5.txt to record the commands you use and their results in an output file.
  3. At the SYS prompt, type Drives to list the drives the system recognizes, and select the drive to which you want to copy data.
  4. At the SYS prompt, type D3 to access the drive.

33
Using MS-DOS Acquisition Tools
Using the WriteSect Command (continued)
  5. At the SYS prompt, type D3 to access the drive you want. Substitute the number for your drive as necessary.
  6. At the D3 prompt, type WriteSect C:\work folder\Chap09\Chapter\Case_9s.dat 3:0 to start transferring data to absolute sector 0 on Drive 3. Substitute drive and folder names for those on your system as necessary.
  7. Type Y when a warning appears.
  8. At the D3 prompt, type exit to close DriveSpy.
34
Using Windows Acquisition Tools
Preparing for a Data Acquisition with FTK Explorer
  1. Boot a forensic workstation with Windows using an installed write-blocker such as Digital Intelligence FireChief.
  2. Connect the evidence disk to a write-blocking device or the FireChief write-block bay.
  3. Connect the target disk to the FireChief writeable bay.

35
Using Windows Acquisition Tools
Acquiring Evidence with FTK Explorer
  1. Click the Start button, point to Programs, point to AccessData, point to Forensic Toolkit, and then click FTK Explorer.
  2. Click File on the menu bar, and then click Image Drive. The Select Local Drive dialog box opens.

36
Using Windows Acquisition Tools
37
Using Windows Acquisition Tools
Acquiring Evidence with FTK Explorer (continued)
  3. Click the Select a drive list arrow, and then click the drive for which you want to create an image, such as D: (MS-DOS_6_FAT). If your workstation is running Windows 98 and the drive you are acquiring is an NTFS or Ext2fs drive, click the Physical option button to access the drive for acquisition. Then click OK. The Export Disk Image dialog box opens.
38
Using Windows Acquisition Tools
39
Acquiring Data on Linux Computers
Disadvantages of using the dd command
  • You need to know advanced UNIX shell scripting and commands.
  • You must specify the number of blocks per save-set volume to create a volume.
  • You might not be able to use the dd command on your PC, depending on the distribution and version of Linux you are using.
  • You cannot use the dd command to automatically adjust drive geometry to match the target drive, as you can with the DriveSpy CopySect command.
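As an added example (not part of the slides), the dd workflow described above and in the chapter summary, carried through with hash verification: a disk-to-image copy, the image split into fixed-size save-set volumes and gzip-compressed, and a block-to-file copy of a sector range in the spirit of DriveSpy's SaveSect. The evidence drive, the sector range (30 to 129) and the 256 KB volume size are constructed assumptions so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the slides: dd disk-to-image acquisition with hash
# verification, fixed-size gzip-compressed save-set volumes, and a
# block-to-file copy of a sector range (dd's counterpart of DriveSpy SaveSect).
# The evidence drive is a constructed file so this runs offline; on a real case
# it would be a block device attached through a write-blocker.
set -eu
WORK=$(mktemp -d)
EVIDENCE="$WORK/evidence.bin"   # constructed stand-in for the source drive
SECTOR=512                      # sector size assumed for skip/count arithmetic
VOLUME_BYTES=262144             # assumed save-set volume size (4 volumes here)

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Deterministic 2000-sector "drive" so the hashes are reproducible.
make_evidence() {
    yes 'constructed sample sector data' | head -c $((2000 * SECTOR)) > "$EVIDENCE"
}

# Disk-to-image: read every sector. conv=noerror,sync keeps reading past a
# bad block and zero-fills it, so the image is never silently shortened.
acquire_image() {
    dd if="$EVIDENCE" of="$WORK/case.img" bs=$SECTOR conv=noerror,sync 2>/dev/null
}

# Save-set volumes: split the image into fixed-size pieces and gzip each
# (lossless, so the reassembled data must hash-match the source).
make_volumes() {
    split -b "$VOLUME_BYTES" "$WORK/case.img" "$WORK/case.vol."
    gzip "$WORK"/case.vol.*
}

# Block-to-file copy of absolute sectors 30 to 129 (a SaveSect-style range).
save_sectors() {
    dd if="$EVIDENCE" of="$WORK/Case_9s.dat" bs=$SECTOR skip=30 count=100 2>/dev/null
}

# Prints "ok" only when the image, the reassembled volumes and the sector
# range all hash-match the source; any drift is reported as MISMATCH.
verify_acquisition() {
    src=$(hash_of "$EVIDENCE"); img=$(hash_of "$WORK/case.img")
    vol=$(cat "$WORK"/case.vol.*.gz | gzip -dc | sha256sum | cut -d' ' -f1)
    rng=$(hash_of "$WORK/Case_9s.dat")
    ref=$(dd if="$WORK/case.img" bs=$SECTOR skip=30 count=100 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ "$src" = "$img" ] && [ "$img" = "$vol" ] && [ "$rng" = "$ref" ] && echo ok || echo MISMATCH
}

make_evidence; acquire_image; make_volumes; save_sectors
echo "source sha256: $(hash_of "$EVIDENCE")  verification: $(verify_acquisition)"
```

Record the source hash before imaging and keep it with the case log; the same three-way comparison is what lets a second acquisition by a different method be checked against the first.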
40
Using Other Forensics Acquisition Tools
SafeBack does the following:
  • Creates disk-to-image files.
  • Copies from a source disk to an image on a tape drive.
  • Copies from a source disk to a target disk, adjusting the target drive's geometry to match the source drive.
  • Copies from a source disk to a target disk using a parallel port laplink cable.
  • Copies a partition to an image file.
41
Using Other Forensics Acquisition Tools
SafeBack does the following (continued):
  • Compresses acquired files to reduce the volume save-set sizes.
SafeBack provides the following four programs:
  • Master.exe: the main SafeBack utility program.
  • Remote.exe: for connecting two computers and transferring data with a parallel port laplink cable.
  • Restpart.exe: for restoring a partition that is saved separately from the entire suspect's disk.
  • Tapsi.exe: for connecting SCSI devices for your data acquisition.
42
Chapter Summary
  • You can acquire digital evidence from disk drives in three ways: creating a bit-stream disk-to-image file, making a bit-stream disk-to-disk copy, or creating a sparse data copy of a specific folder path or file.
  • Several tools on the market allow you to restore disks that are larger or smaller than the suspect's source drive.

43
Chapter Summary
  • Lossless compression is an acceptable method for computer forensics because it does not alter the data in any way. Lossy compression alters the data and is not acceptable.
44
Chapter Summary
  • Because you are dealing with electronic data, you need to protect your bit-stream digital evidence and make contingency plans in case software or hardware doesn't work, or you encounter a failure during an acquisition. The most common and time-consuming technique to preserve evidence is creating a duplicate copy of your evidence image file. Also make sure that you make at least two data acquisitions using two different methods.
45
Chapter Summary
  • The partition gap is an area where information can be stored. DriveSpy's SavePart command can retrieve this information.
  • Some command-line tools can be dangerous, such as the CopySect command. It will not notify you that it is about to write over critical information. You must keep a careful log of which sectors you are writing to and from.
46
Chapter Summary
  • Windows data acquisition tools add convenience
    and ease of use to the forensics investigation.
    They also enable you to use hot-swappable devices
    such as Zip and Jaz drives. However, you must
    write-protect your evidence and access the
    host-protected area of a disk.

47
Chapter Summary
  • You can use a built-in Linux command called dd to
    make a bit-stream disk-to-disk copy,
    disk-to-image file, block-to-block copy, or
    block-to-file copy. You can also use the dd
    command to write directly to a tape drive. You
    can use the gzip command to compress the image
    files and minimize your storage needs.

48
Chapter Summary
  • In addition to DriveSpy, FTK Explorer, and the
    Linux dd command, you can use other data
    acquisition tools that are commercially
    available, including SnapBack DatArrest from
    Columbia Data Products and SafeBack from NTI.