HD Data Acquisition Chapter 3 - PowerPoint PPT Presentation
Slides: 38
Provided by: webpages71
Learn more at: http://webpages.sou.edu
1
Structure of Case File
  • Case
    • Case Files
      • Image
        • dd image
        • Hash code
      • Case Index
        • FTK
      • Report
        • Doc
        • Recovered files
        • E-mails
        • Photos
        • Etc.

2
Forensic Work Station
  • Clean install of the OS
  • Clean install of all apps
  • Clean install of all forensic packages
  • Keep all evidence and case related info on an
    external clean hard drive
  • After case is completed physically archive the
    external hard drive
  • Wipe the operational hard drive

3
HD Data Acquisition Imaging the Hard Drive
  1. Acquisition Layers
  2. Write Blockers
  3. Media Preparation
  4. Imaging
  5. Integrity Hashes

4
Imaging Digital Media
  • Hash the media
  • Make an exact copy of the media
    • Everything
    • Errors, deleted stuff
  • Hash the image
  • Prove it is an exact copy
    • Compare with hash of the original
    • MD5, SHA1, SHA256

5
Acquisition Layers
  • Device Physical Layer
  • Partition Logical Layer
  • File Logical Layer
  • Always acquire data at the lowest possible layer.
    Acquire every sector on the disk. Your tools
    can abstract the raw data at any level.

6
Acquisition Tools
  • Know what your tools do
  • Test them
  • Validate them
    • Test plan
    • Test report
  • NIST - http://www.cftt.nist.gov/disk_imaging.htm
  • http://nij.ncjrs.gov/publications/Pub_search.asp?category=99&searchtype=basic&location=top&PSID=55&sort=date&nijpubs

7
Imaging Hardware Setup
  (diagram; labels only: Suspect Media, Write Blocker, Forensics Workstation, External Forensic Storage)

8
Write Blockers
  • Cannot touch the suspect media
  • Evidence cannot be altered
  • Important to verify
  • Test, test, test
  • Hardware and Software
  • Always use hardware
  • Be careful of read only and read/write blockers

9
Write Blockers
  • HW
    • Paraben
      • $249.95 - $2000
    • Tableau
      • $249.95 - $2000
  • SW
    • Modifies interrupt table
    • NIST Reports
      • http://www.cftt.nist.gov/software_write_block.htm

10
Write Blocker: Tableau T8
  • Inputs
    • USB
  • Outputs
    • USB, Firewire
  (photo labels: Write Blocker, On/Off Switch, USB Device)

11
Write Blocker: Tableau T35e
  • Inputs
    • IDE, SATA
  • Outputs
    • USB, Firewire
  (photo labels: Write Blocker, On/Off Switch, IDE Device, SATA Cable)

12
Write Blocker: Paraben
  • Inputs
    • IDE
  • Outputs
    • USB, Firewire
  (photo labels: Write Blocker, On/Off Switch, IDE Device)

13
Case Storage Media Preparation
  • External hard drive storage
  • Zero all sectors
    • 32-bit checksum = 0
    • 32-bit sum with carry bit added
    • Use WinHex
  • Partition
  • Format NTFS

14
Particulars
  • Start up Helix live CD
  • Zero drive
    • dd if=/dev/zero of=/dev/sdb
  • Partition Drive
    • fdisk /dev/sdb
    • Etc.
  • mkntfs /dev/sdb
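Slides 13 and 14 say to zero the case drive and then confirm the wipe with a 32-bit checksum that must come out to 0. The following is an added example, not part of the slide deck or of WinHex: it streams a device (or an image file standing in for one) in chunks, reports the first non-zero byte if there is one, and computes the "32-bit sum with carry bit added" the slide describes, interpreted here as a sum of little-endian 32-bit words with the carry folded back into the low bits. The file names and the 1 MiB chunk size are constructed for the demo.

```python
import os
import tempfile

CHUNK = 1 << 20   # 1 MiB per read; must be a multiple of 4 for the running checksum


def checksum32_with_carry(data: bytes, acc: int = 0) -> int:
    """Sum of little-endian 32-bit words with each carry out of bit 31 folded
    back into the low bits (the slide's "32-bit sum with carry bit added",
    as interpreted here). A fully zeroed drive sums to 0. `acc` lets the
    sum run across successive chunks of one device."""
    if len(data) % 4:                          # zero-pad a trailing partial word
        data += b"\x00" * (4 - len(data) % 4)
    for i in range(0, len(data), 4):
        acc += int.from_bytes(data[i:i + 4], "little")
        acc = (acc & 0xFFFFFFFF) + (acc >> 32)  # end-around carry (at most one bit)
    return acc


def verify_wiped(path: str, chunk: int = CHUNK) -> dict:
    """Stream a device or image file and report whether every byte is zero,
    where the first stray byte sits if not, and the 32-bit checksum."""
    total, first_nonzero, acc = 0, None, 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            if first_nonzero is None and any(buf):
                first_nonzero = total + next(i for i, b in enumerate(buf) if b)
            acc = checksum32_with_carry(buf, acc)
            total += len(buf)
    return {
        "bytes": total,
        "all_zero": first_nonzero is None,
        "first_nonzero_offset": first_nonzero,
        "checksum32": acc,
    }


def run_demo() -> tuple:
    """Constructed inputs: a properly zeroed 'drive' and one with a single
    stray byte left at offset 1000 (both are temp files, not real devices)."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "sdb-clean.img")
        dirty = os.path.join(d, "sdb-dirty.img")
        with open(clean, "wb") as f:
            f.write(bytes(8 * 512))
        with open(dirty, "wb") as f:
            f.write(bytes(1000) + b"\x01" + bytes(8 * 512 - 1001))
        return verify_wiped(clean), verify_wiped(dirty)


if __name__ == "__main__":
    for label, result in zip(("clean", "dirty"), run_demo()):
        print(label, result)
```

Run it against the case drive itself (for example `verify_wiped("/dev/sdb")` as root) after the `dd if=/dev/zero` pass and before partitioning; a non-zero checksum or a reported offset means the wipe did not cover the whole device.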

15
Imaging
  • Exact copy of drive
  • Cannot be changed
  • Must be verifiable
  • HW/SW

16
Reading the Source
  • Read device directly
    • Extended INT13h
  • Use the BIOS
    • May lie about the size
    • INT13h
  • Dead vs Live acquisition
  • Error handling
    • logging, bad blocks

17
Imaging Apps
  • FTK Imager
    • Bootable memory stick
  • EnCase
  • WinHex
  • Open Source
    • dd: Windows (Garner), Linux
    • Helix
  • Defense Computer Forensic Labs
    • dcfldd
    • dc3dd

18
Output Format of Image
  • Separate drive
    • A single file: ease of use
    • Multiple files: facilitate archiving on DVDs
      • 160 Gbytes: 27 DVDs
  • Raw or Custom
    • dd can be interpreted by everything
    • EnCase has embedded info
      • Hash codes, errors
      • Interlaced
      • EnCase saves in a proprietary format
  • Separate file
    • dcfldd saves hashes in a separate file
  • Nothing
    • dd: save hash in a separate file
    • Can calculate an MD5 hash

19
Image Formats
  • dd: Raw bit-for-bit copy
    • .001
  • E01: EnCase format
    • Includes file description, hashes, etc.
    • .e01
    • Uses zLib compression
  • AD1: AccessData Custom Content Logical Image
  • S01: SMART Linux format
    • SMART format

20
Integrity Hashes
  1. CRC, MD5, SHA, SHA1, SHA256
  2. By device
  3. By partition
  4. By sector

21
dd
  • Standard on all Linux distros
  • Windows
    • http://gmgsystemsinc.com/fau/
    • Create a directory at root level
      • C:\bin
    • Add that path to your path environment variable
      • Control Panel\System Properties\environment variables\system variables\path edit
      • Append C:\bin
    • Add sysinternals

22
Using dd
  • Unix command structure
  • Included with all Unix/Linux/BSD distros
    • http://unxutils.sourceforge.net/
  • Windows version is available
    • http://www.gmgsystemsinc.com/fau/
  • dd input output options
    • dd if=suspect.drive of=E:\Case\image\captured

23
Input Sources
  • Linux
    • /dev/hda - ATAPI device
    • /dev/sda - SCSI device
    • /dev/fd0 - Floppy
    • /dev/mem - RAM
  • Windows
    • \\.\PhysicalDevice0 - IDE bus 0 master device
    • \\.\PhysicalMemory - RAM

24
Output Sources
Windows F\Images\Case-08001 Linux on another
drive internal /dev/hdb1 Saved onto the slave
drive on IDE bus 1 Usually an external USB hard
drive is mounted /media/FlashDisk/hda-evidence.da
ta
25
Options
  • bs=n, ibs, obs
    • Block size is n bytes, in or out or both
  • skip=n
    • Skip n blocks
  • count=n
    • Copy n blocks
  • Must declare block size prior to skip/count
    • dd if=/dev/sda1 of=/root/lynn.dd bs=4096 count=1

26
Example
  dd if=/dev/sda1 of=/home/lynn/example.dd bs=512 count=1

  0000000 eb3c 904d 5344 4f53 352e 3000 0204 0100  .<.MSDOS5.0.....
  0000010 0200 0200 00f8 ff00 3f00 ff00 3f00 0000  ........?...?...
  0000020 dfe7 0300 8001 2905 8f93 804e 4f20 4e41  ......)....NO NA
  0000030 4d45 2020 2020 4641 5431 3620 2020 33c9  ME    FAT16   3.
  0000040 8ed1 bcf0 7b8e d9b8 0020 8ec0 fcbd 007c  ....{.... .....|
  0000050 384e 247d 248b c199 e83c 0172 1c83 eb3a  8N$}$....<.r...:
  0000060 66a1 1c7c 2666 3b07 268a 57fc 7506 80ca  f..|&f;.&.W.u...
  0000070 0288 5602 80c3 1073 eb33 c98a 4610 98f7  ..V....s.3..F...
  0000080 6616 0346 1c13 561e 0346 0e13 d18b 7611  f..F..V..F....v.
  0000090 6089 46fc 8956 feb8 2000 f7e6 8b5e 0b03  `.F..V.. ....^..
  00000a0 c348 f7f3 0146 fc11 4efe 61bf 0000 e8e6  .H...F..N.a.....
  00000b0 0072 3926 382d 7417 60b1 0bbe a17d f3a6  .r9&8-t.`....}..
  00000c0 6174 324e 7409 83c7 203b fb72 e6eb dca0  at2Nt... ;.r....
  00000d0 fb7d b47d 8bf0 ac98 4074 0c48 7413 b40e  .}.}....@t.Ht...
  00000e0 bb07 00cd 10eb efa0 fd7d ebe6 a0fc 7deb  .........}....}.
  00000f0 e1cd 16cd 1926 8b55 1a52 b001 bb00 00e8  .....&.U.R......
  0000100 3b00 72e8 5b8a 5624 be0b 7c8b fcc7 46f0  ;.r.[.V$..|...F.
  0000110 3d7d c746 f429 7d8c d989 4ef2 894e f6c6  =}.F.)}...N..N..
  0000120 0696 7dcb ea03 0000 200f b6c8 668b 46f8  ..}..... ...f.F.
  0000130 6603 461c 668b d066 c1ea 10eb 5e0f b6c8  f.F.f..f....^...
  0000140 4a4a 8a46 0d32 e4f7 e203 46fc 1356 feeb  JJ.F.2....F..V..
  0000150 4a52 5006 536a 016a 1091 8b46 1896 9233  JRP.Sj.j...F...3
  0000160 d2f7 f691 f7f6 4287 caf7 761a 8af2 8ae8  ......B...v.....
  0000170 c0cc 020a ccb8 0102 807e 020e 7504 b442  .........~..u..B
  0000180 8bf4 8a56 24cd 1361 6172 0b40 7501 4203  ...V$..aar.@u.B.
  0000190 5e0b 4975 06f8 c341 bb00 0060 666a 00eb  ^.Iu...A...`fj..
  00001a0 b04e 544c 4452 2020 2020 2020 0d0a 6720  .NTLDR      ..g 
  00001b0 5379 7374 656d 206d 6973 7369 6e67 ff0d  System missing..
  00001c0 0a44 6973 6b20 6572 726f 72ff 0d0a 5072  .Disk error...Pr
  00001d0 6573 7320 616e 7920 6b65 7920 746f 2072  ess any key to r
  00001e0 6573 7461 7274 0d0a 0000 0000 0000 0000  estart..........
  00001f0 0000 0000 0000 0000 0000 00ac bfcc 55aa  ..............U.

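The dump above is the first sector of a FAT16 partition, and slide 5's point is that once every sector is acquired the tools can interpret the raw bytes at any layer. As an added example, not from the slides or from any of the tools they name, here is a small dd-style reader (block size applied to skip and count, exactly as slide 25 requires) followed by a parser for the BIOS Parameter Block and boot signature in that sector. The sector it parses is constructed: the BPB values are the ones visible in the dump (offsets 0x00 to 0x3d), while the bootstrap code that follows them is zero-filled rather than copied, and the volume is written to a temp file standing in for /dev/sda1.

```python
import os
import struct
import tempfile

SECTOR = 512

# BIOS Parameter Block fields at offset 0x0b, in on-disk little-endian order.
BPB_FORMAT = "<HBHBHHBHHHII"
_bpb = struct.pack(
    BPB_FORMAT,
    512,         # bytes per sector
    4,           # sectors per cluster
    1,           # reserved sectors
    2,           # number of FATs
    512,         # root directory entries
    0,           # total sectors, 16-bit (0 means: use the 32-bit field)
    0xF8,        # media descriptor (fixed disk)
    0xFF,        # sectors per FAT
    0x3F,        # sectors per track
    0xFF,        # heads
    0x3F,        # hidden sectors
    0x0003E7DF,  # total sectors, 32-bit
)
# Extended fields at 0x24: drive number, reserved, extended boot signature, volume id.
_ext = struct.pack("<BBBI", 0x80, 0x01, 0x29, 0x80938F05)
_head = b"\xeb\x3c\x90" + b"MSDOS5.0" + _bpb + _ext + b"NO NAME    " + b"FAT16   "
# Constructed sector: slide's BPB values, zero-filled code area, 0x55AA signature.
BOOT_SECTOR = _head + bytes(SECTOR - len(_head) - 2) + b"\x55\xaa"


def dd_read(path: str, bs: int = SECTOR, skip: int = 0, count: int = 1) -> bytes:
    """Model of `dd if=PATH bs=BS skip=SKIP count=COUNT`: skip and count are
    measured in blocks of bs bytes, which is why bs must be set first."""
    with open(path, "rb") as f:
        f.seek(skip * bs)
        return f.read(bs * count)


def has_boot_signature(sector: bytes) -> bool:
    """True when the sector ends in the 0x55AA boot signature."""
    return len(sector) >= SECTOR and sector[510:512] == b"\x55\xaa"


def parse_fat16_boot_sector(sector: bytes) -> dict:
    """Decode the FAT12/16 BPB and extended fields of one 512-byte sector."""
    if not has_boot_signature(sector):
        raise ValueError("not a boot sector: missing 0x55AA signature")
    (bps, spc, reserved, fats, root_entries, total16,
     media, spf, spt, heads, hidden, total32) = struct.unpack_from(BPB_FORMAT, sector, 0x0B)
    drive, _reserved, ext_sig, vol_id = struct.unpack_from("<BBBI", sector, 0x24)
    return {
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "fats": fats,
        "root_entries": root_entries,
        "total_sectors": total16 or total32,      # 16-bit field wins when non-zero
        "media_descriptor": media,
        "sectors_per_fat": spf,
        "sectors_per_track": spt,
        "heads": heads,
        "hidden_sectors": hidden,
        "drive_number": drive,
        # The extended fields are only meaningful when the signature byte is 0x29.
        "volume_id": f"{vol_id:08X}" if ext_sig == 0x29 else None,
        "volume_label": sector[0x2B:0x36].decode("ascii", "replace").rstrip(),
        "fs_type": sector[0x36:0x3E].decode("ascii", "replace").rstrip(),
        # First sector of the data area: reserved + FATs + root directory (32 bytes/entry).
        "first_data_sector": reserved + fats * spf + (root_entries * 32) // bps,
    }


def acquire_and_parse(path: str) -> dict:
    """The slide's `dd if=/dev/sda1 bs=512 count=1`, then interpret the result."""
    return parse_fat16_boot_sector(dd_read(path, bs=SECTOR, count=1))


def demo() -> dict:
    """Write the constructed volume to a temp file (stand-in for /dev/sda1) and image it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sda1.img")
        with open(path, "wb") as f:
            f.write(BOOT_SECTOR + bytes(SECTOR * 7))   # a few empty sectors behind it
        return acquire_and_parse(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

The parser works on the image file, never on the suspect media, so it fits the workflow on slides 4 and 8: acquire behind the write blocker, hash, then interpret the copy.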
27
Md5 Hash
  dd if=/dev/sda1 bs=512 count=1 | md5sum > hash.txt
  cat hash.txt
  D41d8cd98f00b204e9800998ecf8427e

  dd if=/dev/sda1 bs=512 count=1 | sha1sum > hash.txt
  cat hash.txt
  d41d8cd98f00b204e9800998ecf8427e

28
dcfldd
  • Very much like dd
    dcfldd if=/dev/mem of=/home/image conv=noerror bs=4096 \
      errlog=error_log1 \
      hash=md5 hashwindow=4096 hashlog=hash_dmp1 \
      hashformat="#hash#" >> report
  • However lets you make multiple copies of the image
    dcfldd if=/dev/mem of=/home/image of=/media/storage/image2

29
Bad Sectors
  • Bad Sectors are treated differently
  • Hashes may be different
    • Some imagers zero fill
    • One hash is calculated by ignoring the sector
    • The other using the zero fill after imaging
  • Hard to explain in court

30
Remedies
  • dcfldd
    • conv=noerror,sync
      • This converts bad sectors to zeroes
      • Continues if an error is encountered
    • hashconv=after
      • This calculates the hash after the conversion for the device hash
      • Can be questioned in court
      • Hard to explain in court
  • Better solution
    • Use small hash window
    • Compare all the hashes of the small chunks
      • hashwindow=1M hashlog=hash-dump
    • Show that on the bad sector hashes don't agree
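Slides 29 and 30 describe why the device hash and the image hash diverge on a bad sector and why a small hash window lets you show that only the affected window disagrees. Because that cannot be demonstrated offline against a real failing drive, the following added example (not from the slides, not dcfldd's code) models the relevant dcfldd behaviour in Python: conv=noerror keeps going past a read error, conv=sync pads the failed read with NULs, hashconv=before hashes the bytes as read (the bad sector contributes nothing) and hashconv=after hashes the zero-filled image, each overall and per hash window. The FakeDevice, its 64-sector size, its sector pattern and the choice of sector 21 as the bad one are all constructed for the demo.

```python
import hashlib
from typing import Dict, List

SECTOR = 512


class FakeDevice:
    """Constructed stand-in for a suspect drive with unreadable sectors.

    Reading a bad sector raises OSError(EIO), which is how a failing drive
    surfaces to dd/dcfldd through the kernel. Every other sector returns a
    deterministic, non-zero pattern so a zero-filled block stands out.
    """

    def __init__(self, sectors: int, bad_sectors: List[int]):
        self.sectors = sectors
        self.bad = set(bad_sectors)

    def read_sector(self, lba: int) -> bytes:
        if lba in self.bad:
            raise OSError(5, "Input/output error")
        return bytes(((lba * 7 + i) & 0xFF) for i in range(SECTOR))


def acquire(dev: FakeDevice, hashwindow: int = 4096, alg: str = "md5") -> Dict:
    """Model of `dcfldd conv=noerror,sync hashwindow=N` with both hashconv modes.

    'before' hashes the bytes as read (a failed sector contributes nothing,
    i.e. the hash that "ignores the sector"); 'after' hashes what lands in
    the image once conv=sync has padded the failed read with NULs. Both are
    kept overall and per window so they can be compared window by window.
    """
    spw = max(1, hashwindow // SECTOR)          # sectors per hash window
    image = bytearray()
    errors: List[str] = []
    overall_before, overall_after = hashlib.new(alg), hashlib.new(alg)
    win_before: List[str] = []
    win_after: List[str] = []
    wb = wa = None
    for lba in range(dev.sectors):
        if lba % spw == 0:                      # start a new hash window
            if wb is not None:
                win_before.append(wb.hexdigest())
                win_after.append(wa.hexdigest())
            wb, wa = hashlib.new(alg), hashlib.new(alg)
        try:
            data = dev.read_sector(lba)
        except OSError as e:                    # conv=noerror: log it and keep going
            errors.append(f"sector {lba}: {e.strerror}")
            data = b""
        block = data.ljust(SECTOR, b"\x00")     # conv=sync: pad the short read with NULs
        overall_before.update(data)
        wb.update(data)
        overall_after.update(block)
        wa.update(block)
        image += block
    if wb is not None:                          # close the last window
        win_before.append(wb.hexdigest())
        win_after.append(wa.hexdigest())
    return {
        "image": bytes(image),
        "errors": errors,
        "hash_before_conv": overall_before.hexdigest(),   # device hash, bad sector ignored
        "hash_after_conv": overall_after.hexdigest(),     # image hash, bad sector zero-filled
        "win_before": win_before,
        "win_after": win_after,
    }


def mismatched_windows(result: Dict) -> List[int]:
    """Indices of hash windows whose before/after digests disagree: exactly the
    windows containing a zero-filled bad sector. Every other window matches,
    which is the evidence slide 30 says to present instead of one mismatched
    whole-device hash."""
    return [i for i, (b, a) in enumerate(zip(result["win_before"], result["win_after"]))
            if b != a]


if __name__ == "__main__":
    r = acquire(FakeDevice(sectors=64, bad_sectors=[21]), hashwindow=4096)
    print("errors:", r["errors"])
    print("device hash (bad sector ignored):", r["hash_before_conv"])
    print("image hash  (zero-filled):       ", r["hash_after_conv"])
    print("windows that disagree:", mismatched_windows(r), "of", len(r["win_before"]))
```

With a 4096-byte window over 64 sectors there are eight windows; the two overall digests differ, but only window 2 (sectors 16 to 23, which holds sector 21) disagrees, and the error log names the sector. On a clean device both digests and every window agree.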

31
dc3dd
  • Makes dd similar to dcfldd
  • Written by Jesse Kornblum
  • Maintained by DoD Cyber Crime Center
    dcfldd if=/dev/mem of=/home/image conv=noerror bs=4096 \
      errlog=error_log1 \
      hash=md5 hashwindow=4096 hashlog=hash_dmp1 \
      hashformat="#hash#" >> report
  • Pattern writes.
  • Piecewise and overall hashing with multiple
    algorithms and variable size windows. Supports
    MD5, SHA-1, SHA-256, and SHA-512.
  • Progress meter with automatic input/output file
    size probing
  • Combined log for hashes and errors
  • Error grouping. Produces one error message for
    identical sequential errors
  • Verify mode.
  • Ability to split the output into chunks with
    numerical or alphabetic extensions

32
dd_rescue
  • Sort of like dd
  • However some of the options are not called the
    same
  • Ddrescue
  • Copies data from one device to another
  • Attempts to correct block errors
  • Usually does a really good job
  • Can take a long time if the drive is hosed
  • Not forensically sound

33
ddrescue (GNU)
  • Sort of like dd_rescue
  • However some of the options are not called the
    same
  • ddrescue
  • Copies data from one device to another
  • Attempts to correct block errors
  • Usually does a really good job
  • Can take a long time if the drive is hosed
  • Not forensically sound

34
X-Ways Software Technology AG
  • Builds WinHex
    • Very good hexadecimal editor
    • $300
  • And X-Ways Forensics
    • Excellent Forensics package
    • $1000

35
Access Data Corp.
  • FTK Forensics Tool Kit
    • 1.70, 1.72, 1.80, 2.0, 2.2, 3.2
    • $3000 - $4000
  • PRTK Password Recovery Toolkit
  • Registry Viewer
  • FTK Imager
    • Free

36
Spinrite
  • Fast
  • Accurate
  • Does over write the drive
  • Not forensically sound
  • Great if you are desperate
  • Recovers a lot of data off of an injured drive
  • $89.00

37
Lab Today
  • Dry Run
  • Use dd on the hard drive in the workstation
  • Only capture the first 100 sectors or so
  • Look at the image in WinHex
  • Save it, you will need it next week