DF Unit 2 My Notes

The document discusses different methods and formats for acquiring digital evidence from electronic devices, including static versus live acquisitions and raw, proprietary, and advanced forensic formats. It also covers best practices like using multiple tools, creating redundant copies, and contingency planning for failures.

Uploaded by Rachit Anand

Digital Forensics Unit 2

Data Acquisition Introduction:


Data acquisition in digital forensics involves collecting digital evidence
from electronic media.
Two main types of data acquisition are static acquisitions and live
acquisitions.
Static acquisitions involve copying data from storage media like
magnetic disks and flash drives.
Live acquisitions involve collecting data from active RAM and disks,
becoming more prevalent due to whole disk encryption.
With static acquisitions, the goal is to preserve digital evidence as the
original data on the disk remains unchanged.
Live acquisitions capture dynamic changes in data due to OS activity,
necessitating real-time capturing of RAM and disk states.
Similar integrity requirements exist for both static and live acquisitions,
emphasizing data fidelity and reliability.
Despite the reliability of data acquisition tools, failures can occur,
underlining the importance of using multiple tools for redundancy and
verification.
It's crucial to stay updated with the latest tools and techniques in digital
forensics to maintain the integrity of forensic acquisitions.
Various tools compatible with different operating systems are available,
emphasizing the importance of exploring newer and more advanced
tools for enhanced forensic capabilities.

Data Acquisition formats

• Raw Formats:
Key Points:

• What it is: A bit-by-bit copy of a drive or data set as a single file.
• Advantages:
◦ Fast data transfers.
◦ Ignores minor read errors on the source drive.
◦ Universal format for most forensic tools.
• Disadvantages:
◦ Requires large storage space (equal to original data).
◦ Freeware versions may not capture bad sectors.
• Validation:
◦ Commercial tools often use hashing (CRC-32, MD5, SHA-1 and newer) for
validation.
◦ Validation creates a separate file with the hash value.
Additional Notes:

• Raw format is a practical way to preserve digital evidence.
• Consider storage space limitations and potential data loss from bad sectors
when choosing this format.
• Commercial tools may offer better data capture and validation compared to
freeware.

• Proprietary Formats:
• Commercial forensics tools often utilize proprietary formats for collecting digital
evidence.

• Advantages:

- Compression: This reduces storage space requirements for evidence
files, which can be crucial when dealing with large datasets.
- Segmentation: Splitting images into smaller segments facilitates archiving
and transferring data across different media (CDs, DVDs) while ensuring
data integrity through built-in checks within each segment.
- Metadata Integration: Embedding acquisition details like date, time, hash
values, investigator information, and case notes simplifies evidence tracking
and management.

• Disadvantages:
- Vendor Lock-in: The primary drawback is incompatibility with other
vendors' tools. Sharing evidence acquired in a proprietary format becomes
difficult unless converted, potentially compromising data integrity or
requiring specific software purchase.
- File Size Limitations: Segmented files often have maximum size
limitations, typically around 2GB per segment. This can be restrictive for
very large drives or data sets.

• The Expert Witness format is widely regarded as the unofficial standard for image
acquisitions, offering both compressed and uncompressed image files and supported
by various forensics analysis tools such as X-Ways Forensics, AccessData Forensic
Toolkit (FTK), and SMART.

• Advanced Forensic Format:


• Four Methods of Data Collection:
1. Disk-to-Image File Creation:

• This method involves creating a bit-for-bit replication of the original disk,
storing it as an image file.

• It offers flexibility as you can make one or multiple copies of the suspect drive.

• Various forensic tools like ProDiscover, EnCase, FTK, Sleuth Kit, etc., can read
these disk-to-image files.

• It's the most common method used and allows for easy analysis without
needing to access the original disk.

2. Disk-to-Disk Copy Creation:

• This method copies data exactly from one disk to another, adjusting the target
disk's geometry to match the original.

• Useful when disk-to-image file creation isn't possible due to hardware or
software errors or incompatibilities.

• Imaging tools like EnCase and X-Ways Forensics facilitate this process.

3. Logical Disk-to-Disk or Disk-to-Data File Creation:

• Logical acquisition captures specific files or types of files relevant to the
investigation.

• Suitable when examining the entire drive isn't necessary, such as in email
investigations or when collecting specific records from large RAID servers.

4. Sparse Copy of a Folder or File Creation:

• Similar to logical acquisition, it involves copying only specific data of interest.

• Sparse acquisition, a type of logical acquisition, collects fragments of
unallocated (deleted) data.

• Useful for scenarios where only certain files or folders need to be preserved or
analyzed.

These methods cater to different circumstances in digital forensics investigations, allowing
forensic analysts to choose the most appropriate method based on factors like the size of
the source disk, time constraints, retention of the original evidence, and the location of the
evidence.

Choosing the Right Method:

The choice of method depends on various factors:

• Drive size: Large drives favor logical/sparse or compressed disk-to-image.


• Evidence retention: Returning the disk requires considering logical
acquisition.
• Time constraints: Logical/sparse methods are faster for large drives.
• Investigation type: Targeted investigations benefit from logical acquisition.
• Legal requirements: Verify if logical acquisition is acceptable for evidence.
Remember, these methods have different applications and limitations. Consider
your specific needs and choose the method that best preserves evidence while
meeting your time and resource constraints.

• Contingency Planning for Image Acquisitions :


Contingency planning for image acquisition involves preparing for potential failures or
challenges that may arise during the process of creating duplicate copies of disk-to-image
files. Here's an explanation in points:

Importance of Contingency Planning:


• It's crucial to prepare for software or hardware failures during image acquisition to
mitigate the risk of data loss.
Creating Duplicate Disk-to-Image Files:
• Making duplicate copies of disk-to-image files is a standard practice to preserve digital
evidence.

• Despite time constraints, it's essential to allocate resources and effort to create duplicate
copies to ensure redundancy.

Using Multiple Imaging Tools:


• If multiple imaging tools are available (e.g., ProDiscover, FTK, X-Ways Forensics), it's
recommended to use different tools for each copy.

• This approach enhances redundancy and minimizes the risk of failure due to tool-
specific issues or limitations.

Considerations for Single Tool Usage:


• If only one imaging tool is available, consider creating two images of the drive using the
same tool.

• This redundancy is particularly important for critical investigations where the integrity
of the acquired data is paramount.

Addressing Host Protected Area (HPA) Challenges:


• Some imaging tools may not copy data from the host protected area (HPA) of a disk
drive.

• Contingency planning involves using hardware acquisition tools that can access the
drive at the BIOS level to ensure comprehensive data capture, including the HPA.

Dealing with Whole Disk Encryption:


• Contingency planning also includes strategies for dealing with challenges posed by whole
disk encryption, such as BitLocker.

• This may involve decrypting encrypted drives, which requires the user's cooperation for
the decryption key.

• Tools like Elcomsoft Forensic Disk Decryptor may assist in recovering decryption keys,
but obtaining the key can be challenging in criminal investigations due to suspects
withholding it.

By incorporating these contingency planning measures into image acquisition procedures,
forensic investigators can enhance the reliability and integrity of digital evidence collection,
thereby strengthening the overall forensic analysis process.

• Using Windows Acquisition Tools:
Convenience of Windows Acquisition Tools:

• Forensics software vendors have developed acquisition tools that run on Windows,
making it convenient to acquire evidence from suspect drives.

• These tools are particularly useful when used with hot-swappable devices like
USB-3, FireWire 1394A and 1394B, or SATA connections, enabling easy
connectivity to workstation systems.

Drawbacks of Windows Acquisition Tools:

• Windows can contaminate an evidence drive when it mounts it, potentially altering
metadata such as the most recent access time.

• To prevent contamination, it's essential to use well-tested write-blocking hardware
devices to protect the evidence drive.

• Most Windows tools are unable to acquire data from a disk's host protected area,
limiting their functionality in certain scenarios.

• In some countries, the use of write-blocking devices for data acquisitions may not be
universally accepted. Legal counsel should be consulted to ensure compliance with
evidence standards in the respective community or country.

Considerations for Use:

• It's crucial to be aware of the limitations and potential risks associated with using
Windows acquisition tools.

• Proper precautions, such as employing write-blocking hardware devices and
consulting legal counsel, should be taken to ensure the integrity and admissibility of
acquired evidence.

Overall, while Windows acquisition tools offer convenience for forensic data collection, it's
essential to mitigate their drawbacks and adhere to best practices to maintain the integrity of
the evidence acquisition process.

• Acquiring Data from a Computer’s Disk Drive using Mini-WinFE Boot CDs and USB Drives:

Challenges in Direct Disk Access:
• Accessing a computer's disk drive directly may be impractical due to factors such as
the design of a laptop making it difficult to remove the disk drive or lacking the
appropriate connector for the drive.

Solution with Forensic Boot CD/DVD or USB Drive:

• Forensic boot CD/DVDs or USB drives provide a method to acquire data from a
suspect computer while ensuring write-protection for the disk drive.

• These bootable drives can be based on either Windows or Linux operating systems.

Example: Mini-WinFE:

• Mini-WinFE is a forensically sound Windows boot utility that allows the creation of
a forensic boot CD/DVD or USB drive.

• It modifies the Windows Registry file to mount connected drives as read-only,
ensuring the integrity of acquired data.

Creating Mini-WinFE Boot CD/DVD or USB Drive:

• To create a Mini-WinFE boot CD or USB drive, documentation and software can be
obtained from various websites.

• Instructions for creating Mini-WinFE boot media are provided on these websites,
along with download links.

Requirements and Tools:

• Requirements include a Windows installation DVD (version 8 or later) and the
installation of FTK Imager Lite or X-Ways Forensics on the workstation.

• Tools such as ISO to USB can be used to transfer the Mini-WinFE ISO image to a
USB drive if needed.

• Different Types of RAID (Redundant Array of Independent Disks):

RAID 0 (Striping):
• In RAID 0, two or more disks are combined into one large volume, distributing data across
them for increased speed and storage capacity.

• There is no redundancy, meaning if one disk fails, data may be lost.

• Advantage: Increased speed and storage capability.

• Disadvantage: Lack of redundancy.

RAID 1 (Mirroring):
• RAID 1 consists of two disks, with data mirrored on each disk.

• When data is written, it is simultaneously written to both disks, providing redundancy.

• Advantage: Data redundancy and prevention of downtime in case of disk failure.

• Disadvantage: Requires twice as many disks, doubling the cost of storage.


RAID 2:
- RAID 2 configures multiple disks into one volume, with data written on a bit level.

- Uses error-correcting codes (ECC) for data integrity checking.

- Slower than RAID 0 due to bit-level writes and ECC usage.

RAID 3:
- Uses data striping across all disks with dedicated parity.

- Parity is stored on a separate disk, ensuring data recovery in case of corruption.

- Similar to RAID 0 but with dedicated parity.

RAID 4:
- Similar to RAID 3 but uses block-level writing instead of byte-level writing.
RAID 5:
- Distributes data and parity across all disks in the array.

- Provides automatic data recovery by using parity data if a disk fails.

- Parity data is distributed across all disks, improving fault tolerance.

RAID 6:
- Similar to RAID 5 but includes redundant parity on each disk.

- Can recover from the failure of any two disks due to the additional parity redundancy.

RAID 10 (or RAID 1+0):


- Combines mirroring (RAID 1) and striping (RAID 0).

- Provides both fast access and redundancy.

- Data is mirrored and then striped across multiple disks.

RAID 15 (or RAID 1+5):


- Combines mirroring (RAID 1) and distributed parity (RAID 5).

- Offers robust data recovery capability and fast access.

- Provides redundancy and fault tolerance but is more costly due to additional redundancy.

Each RAID level offers different trade-offs in terms of speed, redundancy, and cost, allowing users
to choose the configuration that best fits their specific requirements and budget.

• Acquiring RAID Disks:


The text discusses the challenges and considerations involved in acquiring a forensics image of a
RAID server's disks, as well as the tools and methods available for RAID acquisition. Here's an
explanation of the main points:
Determining Data Storage Needs:
• It's crucial to assess the amount of storage required to acquire all data for a forensics image,
considering the size of the RAID system and the RAID configuration in use.

Identifying RAID Configuration:


• Understanding the type of RAID used (e.g., RAID 0, RAID 1, RAID 5, RAID 10, RAID 15)
is essential for selecting the appropriate acquisition method and tools.

Selecting an Acquisition Tool:


• Choosing an acquisition tool capable of accurately copying RAID data is crucial. Several
forensics vendors offer RAID acquisition features, each specializing in specific RAID
formats.

Capability to Read RAID Images:


• The selected acquisition tool should be capable of reading a forensic copy of a RAID image
and combining split data saves of each RAID disk into one virtual RAID drive for analysis.

RAID Acquisition Methods:


• Forensics tools like ProDiscover, EnCase, and X-Ways Forensics offer RAID acquisition
functions. ProDiscover, for example, can acquire RAID disks at the physical level and
create a ProDiscover Group file (.pdg) for managing image data.

Segmenting RAID Images:


• Tools like ProDiscover allow segmentation of each physical disk into smaller save sets,
eliminating the need for one large drive for storing acquired data. This reduces storage
requirements and simplifies the acquisition process.

Use of Data Recovery Tools:


• While not primarily intended for forensics, tools like Runtime Software and R-Tools
Technologies offer features for recovering corrupted RAID data and performing raw format
acquisitions.

Handling Large RAID Systems:


• In cases where the RAID system is too large for static acquisition, methods like sparse or
logical acquisition may be necessary to retrieve relevant data. Alternatively, renting portable
RAIDBanks can be a solution for large-scale acquisitions.
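The RAID 5 description earlier in these notes (data and parity distributed across all disks, automatic recovery of one failed disk from parity) and the requirement above that an acquisition tool combine the per-disk saves into one virtual RAID drive can both be seen in working code. The Python below is an added example written for these notes; it is not code from ProDiscover, EnCase, X-Ways or the notes' author. It assumes a constructed 4-byte strip size, a left-asymmetric parity rotation and no controller metadata header, and the sample volume is constructed.

```python
"""Added example: assemble a RAID 5 virtual volume from per-disk images.

Constructed, self-contained illustration; not vendor code. Assumed layout:
rotating (left-asymmetric) parity, fixed strip size, no controller metadata.
"""
import hashlib
from functools import reduce

STRIP = 4  # bytes per strip; constructed, tiny so the stripes are easy to read


def xor_strips(strips):
    """XOR equal-length byte strings; a RAID 5 parity strip is the XOR of the data strips."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*strips))


def parity_disk_for(stripe, ndisks):
    """Left-asymmetric rotation (assumed): parity on the last disk for stripe 0, then one disk left."""
    return (ndisks - 1 - stripe) % ndisks


def raid5_split(volume, ndisks, strip=STRIP):
    """Lay a logical volume out onto ndisks per-disk images, as the controller would store it."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_per_stripe = strip * (ndisks - 1)
    volume += b"\x00" * (-len(volume) % data_per_stripe)  # pad the last stripe
    disks = [bytearray() for _ in range(ndisks)]
    for s in range(len(volume) // data_per_stripe):
        chunk = volume[s * data_per_stripe:(s + 1) * data_per_stripe]
        data = [chunk[i * strip:(i + 1) * strip] for i in range(ndisks - 1)]
        parity = xor_strips(data)
        p = parity_disk_for(s, ndisks)
        remaining = iter(data)
        for d in range(ndisks):
            disks[d] += parity if d == p else next(remaining)
    return [bytes(d) for d in disks]


def raid5_assemble(disk_images, strip=STRIP):
    """Rebuild the logical volume from per-disk images; one entry may be None (failed/missing disk)."""
    ndisks = len(disk_images)
    missing = [i for i, img in enumerate(disk_images) if img is None]
    if len(missing) > 1:
        raise ValueError("RAID 5 can reconstruct at most one missing disk")
    sizes = {len(img) for img in disk_images if img is not None}
    if len(sizes) != 1:
        raise ValueError("per-disk images must have equal length")
    volume = bytearray()
    for s in range(sizes.pop() // strip):
        strips = [None if img is None else img[s * strip:(s + 1) * strip] for img in disk_images]
        if missing:  # the absent strip is the XOR of every surviving strip in the stripe
            m = missing[0]
            strips[m] = xor_strips([st for i, st in enumerate(strips) if i != m])
        p = parity_disk_for(s, ndisks)
        for d in range(ndisks):
            if d != p:  # skip the parity strip, emit data strips in disk order
                volume += strips[d]
    return bytes(volume)


def demo():
    """Constructed run: a 4-disk array assembled intact, then with disk 1 absent."""
    original = b"CASE01 evidence volume, constructed sample data for the RAID example."
    disks = raid5_split(original, ndisks=4)
    full = raid5_assemble(disks)[: len(original)]
    degraded = raid5_assemble([disks[0], None, disks[2], disks[3]])[: len(original)]
    fingerprint = hashlib.md5(original).hexdigest()  # validate the way the notes do: hash match
    return {
        "full_ok": hashlib.md5(full).hexdigest() == fingerprint,
        "degraded_ok": hashlib.md5(degraded).hexdigest() == fingerprint,
    }


if __name__ == "__main__":
    print(demo())
```

In a real case the strip size, the parity rotation and the order of the disks are unknowns that have to be taken from the controller or array metadata; with any of them wrong the assembled volume is byte-for-byte plausible but hashes to nothing the original did, which is one reason the notes insist on validating an acquired RAID image rather than trusting the tool.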

• Steps for Preparing Target Drive for Acquisition in Linux:


1. First, boot Linux on your computer.

2. Connect the USB, FireWire, or SATA external drive to the Linux computer and
power it on.

3. If a shell window isn’t already open, start one.

4. At the shell prompt, type su and press Enter to log in as the superuser (root).
Then type the root password and press Enter.

5. To list the current disk devices connected to the computer, type fdisk -l (lowercase
L) and press Enter.

6. Type fdisk /dev/sda and press Enter to partition the disk drive as a FAT file system.

7. Display fdisk menu options by typing m and pressing Enter.

8. Determine whether there are any partitions on /dev/sda by typing p and pressing
Enter.

9. Next, you create a new primary partition on /dev/sda. To use the defaults and select
the entire drive, type n and press Enter. To create a primary partition table, type p
and press Enter, and then type 1 (the numeral) to select the first partition and press
Enter. At the remaining prompts, press Enter.

10. List the newly defined partitions by typing p and pressing Enter.

11. To list the menu again so that you can select the change partition ID, type m and
press Enter.

12. To change the newly created partition to the Windows 95 FAT32 file system, first
type t and press Enter.

13. List available file systems and their code values by typing l (lowercase L) and
pressing Enter.

14. Change the newly created partition to the Windows 95 FAT32 file system by typing
c and pressing Enter.

15. To display partitions of the newly changed drive, type p and press Enter.

16. Save (write) the newly created partition to the /dev/sda drive by typing w and
pressing Enter.

17. Show the known drives connected to your computer by typing fdisk -l and pressing
Enter.

18. To format a FAT file system from Linux, type mkfs.msdos -vF32 /dev/sda1 and
press Enter.

19. Close the shell window for this session by typing exit and pressing Enter.

• Data Acquisition on Linux:


To perform a data acquisition on a suspect computer, all you need are the following:
• A forensics Linux Live CD

• A USB, FireWire, or SATA external drive with cables

• Knowledge of how to alter the suspect computer’s BIOS to boot from the Linux
Live CD

• Knowledge of which shell commands to use for the data acquisition

“dd” command in Linux:

• The `dd` command, short for "data dump," is a powerful utility available on UNIX and
Linux distributions.

• It facilitates reading from and writing to media devices and data files, offering various
functions and switches for versatile use.

• `dd` operates independently from a logical file system's data structures, allowing it to
function without the need for the drive to be mounted.

• Despite its capabilities, `dd` requires more advanced skills compared to what the average
computer user possesses.

• One limitation of `dd` is its lack of built-in compression functionality, requiring the target
drive to be at least equal to or larger than the source drive.
• To address large data volumes, `dd` can be combined with the `split` command, which
divides the output into separate volumes.

• Users can adjust the size of segmented volumes created by `dd` using the `-b` switch with
the `split` command.

• For archival purposes, it's recommended to create segmented volumes that fit onto a CD or
DVD.

• Users can refer to the manual pages of `dd` and `split` for further details and additional
information on their usage.

Follow these steps to make an image of an NTFS disk on a FAT32 disk by using the
dd command:

1. Assuming that your workstation is the suspect computer and is booted from a
Linux Live CD, connect the USB, FireWire, or SATA external drive containing the
FAT32 target drive, and turn the external drive on.

2. If you’re not at a shell prompt, start a shell window, switch to superuser (su) mode,
type the root password, and press Enter.

3. At the shell prompt, list all drives connected to the computer by typing fdisk -l and
pressing Enter.

4. To create a mount point for the USB, FireWire, or SATA external drive and
partition, make a directory in /mnt by typing mkdir /mnt/sda5 and pressing Enter.

5. To mount the target drive partition, type mount -t vfat /dev/sda5 /mnt/sda5 and
press Enter.

6. To change your default directory to the target drive, type cd /mnt/sda5 and press
Enter.

7. List the contents of the target drive’s root level by typing ls -al and pressing Enter.

8. To make a target directory to receive image saves of the suspect drive, type mkdir
case01 and press Enter.
9. To change to the newly created target directory, type cd case01 and press Enter.
Don’t close the shell window.

To adjust the segmented volume size, change the value for the -b switch from the 650 MB
used in the following example to 2000 MB.

1. Type dd if=/dev/sdb | split -b 650m - image_sdb. and press Enter. (The trailing
period is part of the output name prefix; split appends aa, ab, and so on to it.)

2. List the raw images that have been created from the dd and split commands by typing
ls -l and pressing Enter.

3. To complete this acquisition, dismount the target drive by typing umount /dev/sda5
and pressing Enter.

“dcfldd” Command in Linux:

The dcfldd command works similarly to the dd command but has many features designed
for forensics acquisitions. The following are important functions dcfldd offers that aren’t
possible with dd:
• Specify hexadecimal patterns or text for clearing disk space.

• Log errors to an output file for analysis and review.

• Use the hashing options MD5, SHA-1, SHA-256, SHA-384, and SHA-512 with
logging and the option of specifying the number of bytes to hash, such as
specific blocks or sectors.

• Refer to a status display indicating the acquisition’s progress in bytes.

• Split data acquisitions into segmented volumes with numeric extensions (unlike
dd’s limit of 99).

• Verify the acquired data with the original disk or media data.

The following examples show how to use the dcfldd command to acquire data
from a 64 MB USB drive:

• To acquire an entire media device in one image file, type the following command
at the shell prompt:

dcfldd if=/dev/sda of=usbimg.dat

• If the suspect media or disk needs to be segmented, use the dcfldd command with
its split= option, placing split= before the output file field (of=), as
shown here (one line):

dcfldd if=/dev/sda hash=md5 md5log=usbimgmd5.txt bs=512 conv=noerror,sync split=2M of=usbimg

• This command creates segmented volumes of 2 MB each. To create
segmented volumes that fit on a CD of 650 MB, change
split=2M to split=650M. This command also saves the MD5 value of
the acquired data in a text file named usbimgmd5.txt.


• Validating Data Acquisitions:


Significance of Validation:
• Validating digital evidence is crucial as it ensures the integrity of the data collected
during an investigation.

• The integrity of collected data is the weakest point of any digital investigation, making
validation essential.

Hashing Algorithm Utility:


• A hashing algorithm utility creates a binary or hexadecimal number known as a "digital
fingerprint," representing the uniqueness of a data set such as a file or disk drive.

• Any alteration in the data set results in a completely different hash value, ensuring the
integrity of the data.

Understanding Collisions:
• Collisions, though rare, occur when two different data sets produce the same hash value.

• For forensic examinations, collisions are generally of little concern as tools can perform
byte-by-byte comparisons to detect differences between files with the same hash value.

Tools for Data Comparison:


• Several tools, such as X-Ways Forensics, X-Ways WinHex, and IDM Computing
Solution’s UltraCompare, can analyze and compare data files, performing byte-by-byte
comparisons.

• These tools are useful for detecting differences between files with identical hash values.
Validation Techniques for Imaging:
• Many imaging tools offer validation techniques including CRC-32, MD5, SHA-1, and
SHA-512 for imaging evidence drives.

• These hashing algorithm utilities may be standalone programs or integrated into
acquisition tools.

• Windows Validation Method:


Absence of Built-in Hashing Tools in Windows:

• Unlike Linux, Windows lacks built-in hashing algorithm tools specifically tailored
for digital forensics.

Third-Party Programs with Built-in Tools:

• Many third-party programs in Windows offer a range of built-in tools for digital
forensics.

• These programs include hexadecimal editors like X-Ways WinHex or Breakpoint
Software Hex Workshop, as well as dedicated forensics programs like ProDiscover,
EnCase, and FTK.

Commercial Forensics Programs' Validation Features:

• Commercial forensics programs often include built-in validation features specific to
their proprietary formats.

• For example, ProDiscover's .eve files contain metadata with hash values for the
suspect drive or partition, allowing automatic validation with the "Auto Verify Image
Checksum" function.

• FTK Imager provides validation options for Expert Witness (.e01) or SMART (.s01)
formats, displaying validation reports with MD5 and SHA-1 hash values.

Manual Validation for Raw Format Image Files:

• In some forensics tools like ProDiscover, raw format image files may lack metadata,
necessitating separate manual validation at the time of analysis.

• A previously generated validation file is essential for ensuring the integrity of raw
acquisitions.

Open-Source Hashing Tools:


• Users can find open-source hashing tools online by searching for "windows open
source hash."

• Examples include SourceForge md5deep and Software Informer's Hash Tool.

• Linux Validation Method:


Validating dd-Acquired Data:

1. If necessary, start Linux, open a shell window, and navigate to the
directory where image files are saved. To calculate the hash value of the
original drive, type md5sum /dev/sdb > md5_sdb.txt and press Enter.

2. To compute the MD5 hash value for the segmented volumes and append the
output to the md5_sdb.txt file, type cat image_sdb.* | md5sum >>
md5_sdb.txt and press Enter.

3. Examine the md5_sdb.txt file to see whether both hashes match by typing cat
md5_sdb.txt and pressing Enter. If the data acquisition is successful, the two
hash numbers should be identical. If not, the acquisition didn’t work correctly.

4. Close the Linux shell window by typing exit and pressing Enter.
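The dd | split procedure, the md5sum validation steps just above, and the point in the validation section that examiners fall back to a byte-by-byte comparison when hashes disagree can all be exercised together offline. The Python below is an added example for these notes, not code from the notes' author or from any forensics vendor. It stands in for dd | split, md5sum /dev/sdb > md5_sdb.txt and cat image_sdb.* | md5sum with ordinary file operations on a constructed temporary "drive"; the segment size, the file names and the corrupted offset are constructed.

```python
"""Added example: validate a raw (dd-style) acquisition, whole or split into segments.

Constructed, self-contained illustration; not vendor code. Stands in for the
dd | split, md5sum and cat image_sdb.* | md5sum steps with plain file I/O.
"""
import glob
import hashlib
import os
import tempfile

SEG_SIZE = 64 * 1024  # constructed segment size; the notes use 650 MB or 2000 MB


def hash_files(paths, algo="md5", chunk=1 << 20):
    """Hash the concatenation of paths in order: the value `cat image_sdb.* | md5sum` prints."""
    h = hashlib.new(algo)
    for p in paths:
        with open(p, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    return h.hexdigest()


def split_image(source, prefix, seg_size=SEG_SIZE):
    """Stand-in for `dd if=source | split -b seg_size - prefix`, using split's aa, ab, ... suffixes."""
    paths = []
    with open(source, "rb") as f:
        for i, data in enumerate(iter(lambda: f.read(seg_size), b"")):
            path = f"{prefix}{chr(97 + i // 26)}{chr(97 + i % 26)}"
            with open(path, "wb") as seg:
                seg.write(data)
            paths.append(path)
    return paths


def segment_paths(prefix):
    """Glob the segments like `cat image_sdb.*`; lexical order restores the original byte order."""
    return sorted(glob.glob(prefix + "*"))


def write_sidecar(source, sidecar, algo="md5"):
    """Record the source hash in md5sum's `<hash>  <name>` layout (`md5sum /dev/sdb > md5_sdb.txt`)."""
    digest = hash_files([source], algo)
    with open(sidecar, "w") as f:
        f.write(f"{digest}  {os.path.basename(source)}\n")
    return digest


def read_sidecar(sidecar):
    """The previously generated validation file the notes say a raw acquisition depends on."""
    with open(sidecar) as f:
        return f.readline().split()[0]


def first_difference(source, paths, chunk=1 << 20):
    """Byte-by-byte comparison of source against the concatenated segments; -1 if identical."""
    offset = 0
    with open(source, "rb") as src:
        for p in paths:
            with open(p, "rb") as seg:
                for block in iter(lambda: seg.read(chunk), b""):
                    ref = src.read(len(block))
                    if ref != block:
                        for i, (a, b) in enumerate(zip(ref, block)):
                            if a != b:
                                return offset + i
                        return offset + min(len(ref), len(block))  # one side ended early
                    offset += len(block)
        return -1 if src.read(1) == b"" else offset  # source bytes no segment covers


def validate(source, prefix, sidecar, algo="md5"):
    """Verdict: recorded vs. recomputed hash, whether they match, and if not, where they diverge."""
    paths = segment_paths(prefix)
    expected = read_sidecar(sidecar)
    actual = hash_files(paths, algo)
    verdict = {"expected": expected, "actual": actual, "match": expected == actual, "first_diff": -1}
    if not verdict["match"]:
        verdict["first_diff"] = first_difference(source, paths)
    return verdict


def demo(seg_size=SEG_SIZE):
    """Constructed walk-through: a 5-segment 'drive', validate, corrupt one byte, validate again."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "sdb.bin")
    prefix = os.path.join(work, "image_sdb.")
    sidecar = os.path.join(work, "md5_sdb.txt")
    with open(source, "wb") as f:
        f.write(os.urandom(seg_size * 4 + 1234))  # constructed: 5 segments, last one partial
    write_sidecar(source, sidecar)
    split_image(source, prefix, seg_size)
    good = validate(source, prefix, sidecar)
    second = segment_paths(prefix)[1]  # flip one byte at volume offset seg_size + 17
    with open(second, "r+b") as f:
        f.seek(17)
        b = f.read(1)
        f.seek(17)
        f.write(bytes([b[0] ^ 0xFF]))
    bad = validate(source, prefix, sidecar)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The hash over the concatenated segments equals the hash of the whole drive only if every segment is present and read in the order split wrote them, which is what sorting the glob guarantees; a missing or mis-ordered segment fails validation exactly like a corrupted one, and the byte-by-byte pass then reports where the acquisition and the original part company instead of leaving the examiner with two unequal hex strings.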

Validating dcfldd-Acquired Data:

1. To create an MD5 hash output file during a dcfldd acquisition, you enter the
following command (in one line) at the shell prompt:

dcfldd if=/dev/sda split=2M of=usbimg hash=md5 hashlog=usbhash.log

2. To see the results of files generated with the split command, you enter the list
directory (ls) command at the shell prompt.

3. To use the vf option, you enter the following command at the shell prompt:

dcfldd if=/dev/sda vf=sda_hash.img
