Forensics Data

The document discusses different types of digital forensics data and challenges working with this data. It covers topics like volatile and non-volatile data, data handling principles, types of data acquisition, and disk imaging.

Uploaded by

Rin Tohsaka

Chapter 2: Forensics Data

1. Overview
2. Data Handling
3. Types of Data
4. Data Integrity
5. Data Acquisition
6. Hard Drives and Disk Images

Reading: Textbook – Chapter 1


Overview

There are many kinds of digital forensics data.


In practice, tools (and practitioners) specialize:
■ Disk Images
■ RAM
■ Configuration Information
■ Network Data
■ Cell Phones
■ Office Documents (Word; PDF; etc.)
■ Multimedia Content (JPEGs, MPEGs, etc.)

There are many commonalities, chief among them that it’s really hard to work with this data:
■ Logical vs. Physical
■ Overt vs. Hidden
■ Data extraction can be hard.
■ Capacities are increasing: it takes top-of-the-line computers to analyze top-of-the-line ones.
■ Data is frequently corrupt.
Overview (ctd.)
- The forensics data is acquired, stored, transmitted and analyzed in many different data formats.

Disk Images
■ Disk image files (MB to GB in size)

Packet Capture Files
■ libpcap files

Memory Images
■ raw files; debug files
■ Swap files
■ Hibernation files
Data Handling Principles

• Main motivation: ensure data integrity
• Digital data can easily be modified
• Goal of data acquisition: save an accurate copy of a system while modifying it as little as possible.
• Key recommendation: always keep a backup copy of the original data and never analyze the original data.

Types of Data
• Two types of data:
  – Volatile data: data that is lost when the system is powered off,
    • e.g., a list of running processes and current users
  – Nonvolatile data: data that is not lost when the power is removed,
    • e.g., the hard disk.

Nonvolatile Data
- Consists of data that will exist after the system is powered off.
● In most cases, this includes only the hard disk.
● A copy of the entire disk, including unallocated space, referred to as a forensics image, must be made.

Volatile Data

Volatile System Information
• OS type and version
• System installation date
• Registered owner
• System profile
• System directory
• Current system date and time
• Total amount of physical memory
• Command history
• Current system uptime
• Pagefile location
• Running processes
• Installed physical hardware and configurations
• Open files, start up files, clipboard data
• Logged on users
• Installed software applications
• DLLs (dynamic-link libraries) or shared libraries

- System profile: baseline configuration of the suspect system created by network administrators (before the incident).

Volatile Network Information
• Open connections
• Open ports and sockets
• Routing information and configuration
• Network interface status and configuration
• ARP cache

Volatile Data Acquisition
Various native tools are readily available to capture some of the volatile data items:

Volatile system information | Windows capture tools/commands | Linux capture tools/commands
System profile              | systeminfo.exe                 | cat, uname
Current system date/time    | date, time                     | date, time
Current system uptime       | net statistics                 | uptime
Running processes           | tasklist                       | top, w, ps
Open and startup files      | dir                            | ls, lsof
Logged on users             | net                            | who, last, w

Volatile network information | Windows capture tools/commands | Linux capture tools/commands
Open connections and ports   | netstat, net                   | netstat, ifconfig
Routing information          | netstat, arp                   | netstat, arp

Data Integrity
– Data integrity
  • Ensured by computing and storing cryptographic hashes during data collection
  • MD5 and SHA-1: most commonly used hash algorithms in the forensics world
– The md5sum command from Linux can be used, but is limited because it can analyze only one directory at a time.
– The md5deep tool (http://md5deep.sourceforge.net) can generate hashes for recursive directories
– Many forensics imaging tools incorporate hash generation/verification capabilities

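The md5sum limitation above is one directory at a time. As an added example (not from the slides), the following does with coreutils alone what md5deep does: hash every file under an evidence tree into a manifest, then verify it later, failing if any file changed, disappeared or was added. SHA-256 stands in for the slides' MD5/SHA-1; the manifest must live outside the tree and be passed as an absolute path.

```shell
# Added example (not from the slides): md5deep-style recursive hashing of an
# evidence tree with coreutils only, plus verification that flags any changed,
# missing or added file. Paths and names are illustrative assumptions.
hash_tree() {   # hash_tree EVIDENCE_DIR MANIFEST_FILE
    # Relative paths ("./docs/a.txt") keep the manifest valid after the
    # evidence directory is moved to another system.
    ( cd "$1" && find . -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}
verify_tree() { # verify_tree EVIDENCE_DIR MANIFEST_FILE -> 0 only if tree is intact
    # sha256sum -c detects changed and missing files ...
    ( cd "$1" && sha256sum -c --quiet --strict "$2" ) || return 1
    # ... but not files that appeared after hashing, so compare the counts too.
    want=$(grep -c . "$2")
    have=$(cd "$1" && find . -type f | wc -l)
    [ "$want" -eq "$have" ]
}
```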
Data Integrity – Chain of Custody
- Integrity is further supported and corroborated by maintaining the chain of custody
- Chain of custody:
  - the process of maintaining and documenting the handling of evidence
  - involves keeping a detailed log showing who collected, handled, transferred, or analyzed evidence during an investigation.

Example form shown on the slide: Electronic Evidence -- Chain of Custody Form
  Header fields: Case ID, Client, Drive Asset Tag Number, Memory Image, Encryption Applied, Encryption Password, Computer Name, Operating System, Notes
  Description of shipped hardware (contains forensic image(s) of computer(s)): Type, Manufacturer, Model, Capacity, P/N, S/N, MD5 Hash, Image Name, Comments
  Chain of custody log (one row per hand-off): From location | Date | Reason | To location | Signature

Data Acquisition
• Two types of data acquisition processes: live and dead
• Live acquisition: when data is copied from a suspect system using the suspect operating system
• Dead acquisition: when the suspect data is copied in a trusted environment
  • occurs when the disk is moved to a trusted system or when the suspect system is booted from a trusted CD-ROM

• Dead acquisitions:
  • preferred over live ones;
  • However, some cases require a live acquisition, e.g.:
    • critical server that cannot be shut down
    • shutdown would alert the attacker that he has been detected
    • risk of losing the data when the power is removed.

Data Acquisition (ctd.)
• Data acquisition guidelines:
  • Minimize writing to the disk of the suspect system
  • Do not trust anything on the suspect system
  • Do not install acquisition tools on the system
  • Keep the Order Of Volatility (OOV) during acquisition, by starting with the data that changes the fastest.
  • Calculate a strong hash value for any collected data
  • Document what tools you run and any modifications made to the system
  • Use network logs to validate the findings on the system.

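Putting the Linux column of the tools table together with the guidelines above, here is an added example (not from the slides) of a POSIX shell collector: it runs the captures in Order of Volatility, writes only to an output directory (which should be on external or trusted media), records every command and its exit code in a log, and hashes each capture and the log into a manifest. The command list and file layout are my assumptions; `ss` and `ip` are tried first with the slides' `netstat`, `arp` and `ifconfig` as fallbacks.

```shell
# Added example (not from the slides): volatile data collection in Order of
# Volatility with per-capture hashing and an acquisition log. OUTDIR should be
# on external/trusted media so nothing is written to the suspect disk.
collect_volatile() {   # collect_volatile OUTDIR -> prints path of the hash manifest
    outdir="$1"
    mkdir -p "$outdir"
    log="$outdir/acquisition.log"
    manifest="$outdir/SHA256SUMS"
    : > "$log"
    : > "$manifest"
    n=0
    # Fastest-changing first: clock and uptime, live connections and ARP cache,
    # processes and users, then slower-changing routing, interface and kernel info.
    for entry in \
        "datetime|date -u" \
        "uptime|uptime" \
        "connections|ss -tunap || netstat -tunap" \
        "arp|ip neigh || arp -a" \
        "processes|ps aux" \
        "users|who" \
        "routes|ip route || netstat -rn" \
        "interfaces|ip addr || ifconfig -a" \
        "kernel|uname -a"
    do
        name=${entry%%|*}
        cmd=${entry#*|}
        n=$((n + 1))
        file=$(printf '%02d-%s.txt' "$n" "$name")
        printf '%s START %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$cmd" >> "$log"
        # Run through sh so the "a || b" fallbacks work; a failing or missing
        # command is recorded (exit code, stderr) instead of aborting the run.
        if sh -c "$cmd" > "$outdir/$file" 2>> "$log"; then rc=0; else rc=$?; fi
        printf '%s END rc=%d -> %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$rc" "$file" >> "$log"
        (cd "$outdir" && sha256sum "$file") >> "$manifest"
    done
    # Hash the log last so the manifest also covers the record of what was run.
    (cd "$outdir" && sha256sum "$(basename "$log")") >> "$manifest"
    echo "$manifest"
}
```

Verify the captures on the trusted analysis system with `cd OUTDIR && sha256sum -c SHA256SUMS` before looking at them.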
Data Acquisition (ctd.)
• Data Acquisition techniques:
  • Three major techniques to copy data from the suspect system to a trusted one:
    • Using the network to copy data from the suspect system to a trusted server:
      • Can be used for both live and dead acquisitions.
      • Can be performed, e.g., using the netcat (command line) tool, which acts as both client and server
      • Can also be performed (alternatively) by mounting a network drive, using Samba or NFS, on the trusted server and copying the data to it.
    • Removing the disk from the suspect system and placing it in a trusted system.
    • Placing a new disk in the suspect system, then booting the system from a trusted CD-ROM, and imaging the suspect disk into the new disk.

Hard Drives and Disk Images
Hard drives and disk images are the most common form of digital evidence.
A logical dump is a copy of all the files on the drive.
■ Typically 0-1M files, 0-2TB in size.
■ Frequently preserved as a ZIP or ZIP64 file.
■ Commonly used in e-discovery (electronic discovery).

A physical dump or disk image is a sector-for-sector copy of the data.
■ Created with a disk imaging tool or dd.
■ Other tools: FTK Imager, Guymager, EnCase Imager

Easy to acquire:
■ Remove disk and image through a write blocker
■ Boot a Linux “live CD” (e.g., CAINE) and image to an external drive.
■ Copy the diskname.VHD file from a Virtual Machine
Hard Drives and Disk Images (cont.)
Disk Image Formats
There are many different disk image formats.
■ RAW (dd)
—easiest format to work with; fast; very big
—Handled by all tools
—Many file systems (FAT32, ext2) cannot have files larger than 4GB
■ Encase (.E01) — compressed format developed by Expert Witness / Guidance Software
—Compressed
—Evidence split across multiple “volumes” (file.E01, file.E02, etc.)
—Doesn't work with some tools (carvers, etc.)
—Supports "passwords" but not encryption.
■ AFF — compressed open source format
—Can store image as a single file (>2GB) or as multiple files (.afd format)
—Supports encryption and digital signatures; extensible
—Poorly supported.
—Poor performance on certain Windows NTFS disk images.
■ Split raw (file.000, file.001, file.002, etc.)
—Not all tools can handle.
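The dd imaging and split-raw points above, carried through as an added example (not from the slides): make a sector-for-sector image of a device, check that source and image hash the same, split the image into numbered raw segments for a file system with the 4GB limit, and prove the segments reassemble to an identical image. DEVICE is a constructed file standing in for a drive behind a write blocker; the segment size and file names are my choices.

```shell
# Added example (not from the slides): physical dump with dd, source/image hash
# check, split raw segments (evidence.000, evidence.001, ...) and reassembly
# check. DEVICE is a constructed stand-in for a write-blocked block device.
image_and_split() {   # image_and_split DEVICE IMGDIR SEGMENT_BYTES -> prints image hash
    device="$1"; imgdir="$2"; segsize="$3"
    mkdir -p "$imgdir"
    img="$imgdir/evidence.dd"
    # Sector-for-sector copy: keep going on read errors and zero-pad unreadable
    # blocks so offsets in the image still line up with the device.
    dd if="$device" of="$img" bs=512 conv=noerror,sync status=none
    src_hash=$(sha256sum "$device" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    if [ "$src_hash" != "$img_hash" ]; then
        echo "image does not match source" >&2
        return 1
    fi
    echo "$img_hash  evidence.dd" > "$imgdir/evidence.dd.sha256"
    # Split raw: numbered segments so the image fits on media whose file system
    # cannot hold a single file larger than 4GB.
    split -b "$segsize" -d -a 3 "$img" "$imgdir/evidence."
    # The segments must concatenate back to a byte-identical image.
    cat "$imgdir"/evidence.[0-9][0-9][0-9] > "$imgdir/reassembled.dd"
    re_hash=$(sha256sum "$imgdir/reassembled.dd" | cut -d' ' -f1)
    if [ "$re_hash" != "$img_hash" ]; then
        echo "reassembled segments do not match image" >&2
        return 1
    fi
    echo "$img_hash"
}
make_fake_device() {   # constructed stand-in for a drive: 128 sectors of random bytes
    dd if=/dev/urandom of="$1" bs=512 count=128 status=none
}
```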
Hard Drives and Disk Images (cont.)
If you mount a disk image, you will only see the allocated (“resident” or “overt”) files.

Hard Drives and Disk Images (ctd.)
Data is on the disk that is not in the file system. It can only be recovered with forensic tools.

Hard Drives and Disk Images (ctd.)
Some sectors have “no data” and are blank.
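Mounting walks the file system's own bookkeeping, so it never shows sectors no directory entry points to. As an added example (not from the slides) of what a forensic tool does instead, the following searches every byte of a raw image for a file signature; the image is constructed here, with a JPEG/JFIF header left in a sector outside the "file system" region, and the offsets and marker strings are illustrative.

```shell
# Added example (not from the slides): signature search across the whole raw
# image, including sectors no file system entry points to. The image is a
# constructed stand-in; offsets and marker values are for illustration.
find_signatures() {   # find_signatures IMAGE 'magic string' -> one byte offset per line
    # -a treats the binary image as text, -b with -o prints the byte offset of
    # each match, -F matches literally; LC_ALL=C keeps grep byte-oriented.
    LC_ALL=C grep -obaF -- "$2" "$1" | cut -d: -f1
}
make_test_image() {   # 8 sectors of 512 bytes: a "file system" marker in sector 0 and
                      # a JPEG header (FF D8 FF E0 00 10 JFIF) abandoned in sector 5
    dd if=/dev/zero of="$1" bs=512 count=8 status=none
    printf 'FILESYSTEM' | dd of="$1" bs=512 seek=0 conv=notrunc status=none
    printf '\377\330\377\340\000\020JFIF' | dd of="$1" bs=512 seek=5 conv=notrunc status=none
}
```

Once an offset is known, a carver copies from there with `dd if=IMAGE bs=1 skip=OFFSET` until it reaches the format's end marker; a mounted image would show neither the header nor the sector.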
