DF_Unit-2

Chapter 3 focuses on data acquisition in digital forensics, detailing the processes for both static and live acquisitions, and the importance of preserving digital evidence. It discusses various storage formats for digital evidence, including raw, proprietary, and Advanced Forensic Format (AFF), along with their advantages and disadvantages. The chapter also outlines the best acquisition methods based on specific circumstances and the tools available for effective data collection.


CHAPTER 3

Data Acquisition
After reading this chapter and completing the exercises, you will
be able to:
List digital evidence storage formats

Explain ways to determine the best acquisition method

Describe contingency planning for data acquisitions

Explain how to use acquisition tools

Describe how to validate data acquisitions

Describe RAID acquisition methods

Explain how to use remote network acquisition tools

List other forensics tools available for data acquisitions

Data acquisition is the process of copying data. For digital forensics, it’s the task
of collecting digital evidence from electronic media. There are two types of data
acquisition: static acquisitions and live acquisitions. In this chapter, you learn how to
perform static acquisitions from magnetic disk media and flash drives. In Chapter 12,
you learn how to forensically acquire digital evidence from solid-state devices,
typically found in smartphones and tablets.
Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Because of the use of whole disk encryption, data acquisitions are shifting toward
live acquisitions with newer operating systems (OSs). In addition to encryption
concerns, collecting any data that's active in a suspect's computer RAM is becoming
more important to digital investigations. Techniques for acquiring live disk and
RAM data are covered in Chapter 10. The processes and data integrity requirements
for static and live acquisitions are similar, with one important difference: a static
acquisition captures data that no running process can change while it's being copied,
whereas in a live acquisition file metadata, such as date and time values, changes as
the acquisition tool reads it. With static acquisitions, if you have preserved the
original media (write-blocked and otherwise untouched), making a second static
acquisition should produce the same results and the same hash value; the data on the
original disk isn't altered, no matter how many times an acquisition is done. Making a
second live acquisition while a computer is running collects new data because of
dynamic changes in the OS, so two live images of the same system never hash the same.
For that reason a live acquisition has to be documented with particular care: you can't
establish its integrity by repeating it.
Your goal when acquiring data for a static acquisition is to preserve the digital
evidence. Many times, you have only one chance to create a reliable copy of disk
evidence with a data acquisition tool. Although these tools are generally dependable,
you should still take steps to make sure you acquire an image that can be verified. In
addition, failures can and do occur, so you should learn how to use several acquisition
tools and methods; you work with a few different tools in this chapter. Other data
acquisition tools that work in Windows, MS-DOS 6.22, and Linux are described briefly
in the last section, but the list of vendors and methods is by no means exhaustive.
You should always search for newer and better tools to ensure the integrity of your
forensics acquisitions.

Note
For additional information on older acquisition methods and tools, see Appendix D. You can
perform most digital evidence acquisitions for your investigations with a combination of the
tools discussed in this chapter.

Understanding Storage Formats for Digital Evidence


The data a forensics acquisition tool collects is stored as an image file, typically
in an open-source or proprietary format. Each vendor has unique features, so
several different proprietary formats are available. Depending on the proprietary
format, many forensics analysis tools can read other vendors' formatted acquisitions.
Many acquisition tools create a disk-to-image file in an older open format,
known as raw (a plain sector-by-sector copy with no container structure around it),
as well as their own proprietary formats. A newer open-source format, Advanced
Forensic Format (AFF), is gaining recognition from some forensics examiners.
Each data acquisition format has unique features along with advantages and
disadvantages. The following sections summarize each format to help you choose
which one to use.


Note
For additional information on digital evidence handling and documenting, see ISO/IEC 27037:
2012, www.iso.org/iso/catalogue_detail?csnumber=44381. Downloading ISO documents requires
paying a fee, so you might check with a college or public library about getting a copy.

Raw Format
In the past, there was only one practical way of copying data for the purpose of
evidence preservation and examination: examiners performed a bit-by-bit copy from
one disk to another disk of the same size or larger. As a more practical way to preserve
digital evidence, vendors (and some OS utilities, such as the Linux/UNIX dd command)
made it possible to write the bit stream to a file instead. This copy technique creates a
simple sequential flat file of a suspect drive or data set, in which byte N of the file is
byte N of the drive. The output is referred to as the raw format. This format has unique
advantages and disadvantages to consider when selecting an acquisition format.
The advantages of the raw format are fast data transfers and the capability to
continue past minor read errors on the source drive (with dd, the conv=noerror,sync
options skip an unreadable sector and pad it with zeros so that every later sector keeps
its original offset). In addition, almost every forensics tool can read the raw format, and
ordinary system utilities can mount or carve it, making it a universal acquisition format.
One disadvantage of the raw format is that it requires as much storage space as the
original disk or data set, because it has no compression. Another disadvantage is that
some raw format tools, typically freeware versions, might not collect marginal (bad)
sectors on the source drive, meaning they have a low threshold of retry reads on weak
media spots on a drive. Many commercial tools have a much higher threshold of retry
reads to ensure that all recoverable data is collected.
Several commercial acquisition tools can produce raw format acquisitions and
typically perform a validation check by using Cyclic Redundancy Check (CRC32), Message
Digest 5 (MD5), and Secure Hash Algorithm (SHA-1 or later) hashing functions. Treat
these differently: CRC32 is a checksum that catches accidental corruption but can be
forged trivially, and MD5 and SHA-1 no longer resist deliberately constructed collisions,
so record a SHA-256 hash (alongside MD5 if older tools in your workflow need it) when
the hash must also support the claim that nobody altered the image. Because the raw
format has no header in which to store anything, these validation checks create a
separate file containing the hash value; that sidecar file has to be kept with the image
and recorded in the chain of custody, or the image can't later be shown to be unchanged.
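The raw acquisition and validation just described, as an added example that is not part of the textbook: a raw image made with dd, hashed into a separate sidecar file, and re-verified from that file. The source is a constructed sample file standing in for a write-blocked device; the file names (evidence.dd and its .sha256 sidecar) are this example's own choices, as is the use of sha256sum's own "hash  filename" layout for the sidecar.

```shell
#!/bin/sh
# Added example, not the textbook's code: a dd-style raw acquisition with a
# separate hash file. The "suspect drive" here is a file filled from
# /dev/urandom (constructed sample input) so the script runs anywhere; against
# real evidence the source would be a write-blocked device such as /dev/sdb.
set -eu

# Create a 1 MiB stand-in for a suspect drive (2048 sectors of 512 bytes).
make_sample_drive() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# Acquire SRC into IMG as a raw image and write IMG.sha256 beside it.
#   bs=512             read one sector at a time, so a bad sector costs 512
#                      bytes of data rather than a whole multi-megabyte block
#   conv=noerror,sync  keep going after a read error and zero-fill the sector
#                      that failed, so every later sector keeps its offset
# dd makes no retries of its own; that low retry threshold is the weakness the
# text describes, so any sector dd reports as unreadable must be logged.
# Caveat: conv=sync also pads a final partial sector with zeros, so a source
# whose size is not a multiple of bs produces an image that hashes differently.
acquire_raw() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    # Raw format has nowhere to keep a hash, so it lives in a sidecar file,
    # in sha256sum's "hash  filename" layout so sha256sum -c can read it back.
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]        # 0 = source and image match
}

# Re-verify an image against its sidecar, e.g. before analysis or in court.
verify_raw() {
    img=$1
    (cd "$(dirname "$img")" && sha256sum -c --status "$(basename "$img").sha256")
}

# Stand-alone run: acquire the sample drive and verify the result.
workdir=$(mktemp -d)
make_sample_drive "$workdir/sdb"
acquire_raw "$workdir/sdb" "$workdir/evidence.dd" && echo "acquisition verified"
verify_raw "$workdir/evidence.dd" && echo "sidecar verified"
rm -rf "$workdir"
```

Against a real drive, call acquire_raw with the write-blocked device as the source; the source hash is computed by reading the device a second time, which is the independent read most examiners want before the drive leaves their hands.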

Proprietary Formats
Most commercial forensics tools have their own formats for collecting digital evidence.
Proprietary formats typically offer several features that complement the vendor’s
analysis tool, such as the following:
• The option to compress or not compress image files of a suspect drive, thus
saving space on the target drive
• The capability to split an image into smaller segmented files for archiving purposes,
such as to CDs or DVDs, with data integrity checks integrated into each segment
• The capability to integrate metadata into the image file, such as date and time
of the acquisition, hash value (for self-authentication) of the original disk or
medium, investigator or examiner name, and comments or case details

Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

68944_ch03_hr_093-142.indd 95 3/7/18 3:27 PM


96 CHAPTER 3 Data Acquisition

Note
Forensics examiners have several ways of referring to copying evidence data to files: bit-stream
copy, bit-stream image, image, mirror, and sector copy, to name a few. For the purposes of this
book, “image” is generally used to refer to all forensics acquisitions saved to a data file.

One major disadvantage of proprietary format acquisitions is the inability to share
an image between different vendors' computer forensics analysis tools. For example,
the ILookIX imaging tool IXImager (www.perlustro.com/solutions/e-forensics/iximager)
produces three proprietary formats (IDIF, IRBF, and IEIF) that can be read only by
ILookIX (see www.perlustro.com for additional information on ILookIX).
Another problem with proprietary and raw formats is a file size limit for each
segmented volume. Typically, proprietary format tools produce segments of 650 MB,
the capacity of a CD. The segment size can be adjusted up or down, but most tools cap
it at 2 GB because many examiners use target drives formatted as FAT: FAT16 limits a
file to 2 GB, and FAT32 to just under 4 GB. A raw image written as one file runs into the
same limit on a FAT target, which is why raw acquisitions are either split into segments
or written to a target formatted with NTFS or ext4, whose file size limits you won't
reach with a single image.
Of all the proprietary formats for image acquisitions, the Expert Witness
Compression format (usually called E01, after its file extension) is currently the de
facto standard. This format, the default for Guidance Software EnCase, produces both
compressed and uncompressed image files, stores acquisition metadata and a CRC for
each block of data inside the image, and records the MD5 (and, in newer versions,
SHA-1) hash of the source so that the image can verify itself. These files (or volumes)
use an extension starting with .E01 and increment it for each additional segmented
image volume (.E02, .E03, and so on).
Several forensics analysis tools can generate generic versions of the Expert Witness
Compression format and analyze it, including X-Ways Forensics, AccessData Forensic
Toolkit (FTK), Belkasoft, SMART, and the open-source libewf tools (ewfacquire and
ewfverify). For more information on the Expert Witness Compression format, see
http://asrdata.com/E01-format.html.

Advanced Forensic Format


Dr. Simson L. Garfinkel developed an open-source acquisition format called Advanced
Forensic Format (AFF). This format has the following design goals:
• Capable of producing compressed or uncompressed image files
• No size restriction for disk-to-image files
• Space in the image file or segmented files for metadata
• Simple design with extensibility
• Open source for multiple computing platforms and OSs
• Internal consistency checks for self-authentication
File extensions include .aff for a single image file, .afd for segmented image files,
and .afm for AFF metadata kept beside a raw image. Because AFF is open source, digital
forensics vendors have no implementation restrictions on this format. Its successor,
AFF4, keeps the same goals in a redesigned container and is the format newer
open-source tools implement. For more information on AFF, see www.afflib.sourceforge.net
and www.basistech.com/wp-content/uploads/datasheets/Digital-Forensics-Toolsets-EN.pdf.
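What the segment size, per-segment integrity checks, and embedded metadata listed under proprietary formats and in the AFF design goals buy you can be reproduced, crudely, with coreutils. The following is an added example, not code from the textbook and not an implementation of E01 or AFF: it cuts an image into numbered segments, hashes each one into a manifest, records acquisition metadata together with the whole-image hash, and verifies both the individual segments and the reassembled image. The segment naming, the manifest and metadata file names, and the metadata fields are this example's own conventions.

```shell
#!/bin/sh
# Added example, not the textbook's code and not any vendor's real format: the
# services a proprietary or AFF container provides around the data (segments,
# a per-segment integrity check, and acquisition metadata) built from nothing
# but coreutils. The segment names (evidence.000, evidence.001, ...) and the
# MANIFEST.sha256 / META.txt file names are this example's own conventions.
set -eu

# Split IMG into SEGSIZE-byte segments under OUTDIR, hash every segment into a
# manifest, and record the acquisition details plus the whole-image hash.
# Real tools default to 650 MB or 2 GB segments; a small size keeps the demo quick.
segment_image() {
    img=$1; outdir=$2; segsize=$3
    mkdir -p "$outdir"
    split -b "$segsize" -d -a 3 "$img" "$outdir/evidence."   # evidence.000, .001, ...
    (cd "$outdir" && sha256sum evidence.* > MANIFEST.sha256)
    cat > "$outdir/META.txt" <<EOF
examiner=J. Doe (constructed sample value)
acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)
tool=split + sha256sum (demo)
segment_size=$segsize
image_sha256=$(sha256sum "$img" | cut -d' ' -f1)
EOF
}

# Check every segment against the manifest. A damaged segment is named
# individually, without re-hashing the whole image.
verify_segments() {
    (cd "$1" && sha256sum -c --status MANIFEST.sha256)
}

# Reassemble the segments in order into DEST and compare with the whole-image
# hash recorded in META.txt; returns 0 only if the rebuilt image is identical.
reassemble_and_verify() {
    outdir=$1; dest=$2
    cat "$outdir"/evidence.[0-9][0-9][0-9] > "$dest"
    expected=$(sed -n 's/^image_sha256=//p' "$outdir/META.txt")
    actual=$(sha256sum "$dest" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Stand-alone run on a 100 KiB constructed image cut into 32 KiB segments.
workdir=$(mktemp -d)
dd if=/dev/urandom of="$workdir/disk.dd" bs=1024 count=100 2>/dev/null
segment_image "$workdir/disk.dd" "$workdir/segs" 32768
verify_segments "$workdir/segs" && echo "all segments intact"
reassemble_and_verify "$workdir/segs" "$workdir/rebuilt.dd" && echo "rebuilt image matches"
rm -rf "$workdir"
```

The two-level check is the point: the manifest tells you which segment on which DVD went bad, while the whole-image hash in the metadata is what you testify to. A real container format carries the same two kinds of hash inside the image, with the advantage that they can't be separated from the data.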


Tip
For more information on forensics acquisition file formats, see www.sleuthkit.org/informer,
issues #19 and #23.

Determining the Best Acquisition Method


As mentioned, there are two types of acquisitions: static acquisitions and live
acquisitions. Typically, a static acquisition is done on a computer seized during a police
raid, for example. If the computer has an encrypted drive, a live acquisition is done
while the computer is still powered on and the suspect is logged on (so the volume is
already unlocked), or when the password, passphrase, or recovery key is available.
Static acquisitions are generally the preferred way to collect digital evidence because
they are repeatable and verifiable. However, they do have limitations in some
situations, such as an encrypted drive that's readable only while the computer is
powered on or a computer that's accessible only over a network. Some solutions can
help decrypt a drive that has been encrypted with whole disk encryption, such as
Elcomsoft Forensic Disk Decryptor (www.elcomsoft.com/efdd.html), which recovers the
volume key from a memory dump or hibernation file rather than by guessing the
password. Even then, image the encrypted drive bit for bit first and decrypt the image,
so that the original evidence is never written to.

Note
In Chapter 10, you learn how to perform live acquisitions, including data collection of digital
media and dynamic/volatile memory (RAM) on a computing system.

For both types of acquisitions, data can be collected with four methods: creating
a disk-to-image file, creating a disk-to-disk copy, creating a logical disk-to-disk or
disk-to-data file, or creating a sparse copy of a folder or file. Determining the best
acquisition method depends on the circumstances of the investigation.

Note
See ISO/IEC 27037: 2012 (section 5.4.4 Acquisition and section 6.5 Use reasonable care) for
additional discussions on when to perform sparse acquisitions.

Creating a disk-to-image file is the most common method and offers the most
flexibility for your investigation. With this method, you can make one or many copies
of a suspect drive. These copies are bit-for-bit replications of the original drive. In
addition, you can use many commercial forensics tools to read the most common
types of disk-to-image files you create. These programs read the disk-to-image file as
though it were the original disk. Older MS-DOS tools can only read data from a drive.
To use MS-DOS tools, you have to duplicate the original drive to perform the analysis.
GUI programs save time and disk resources because they can read and interpret directly
from the disk-to-image file of a copied drive.
Sometimes you can’t make a disk-to-image file because of hardware or software
errors or incompatibilities. This problem is more common when you have to acquire
older drives. For these drives, you might have to create a disk-to-disk copy of the
suspect drive. Several imaging tools can copy data exactly from an older disk to a
newer disk. These programs can adjust the target disk’s geometry (its cylinder, head,
and track configuration) so that the copied data matches the original suspect drive.
These imaging tools include EnCase and X-Ways Forensics. See the vendors’ manuals
for instructions on using these tools for disk-to-disk copying.

Tip
For more information on current and older drives, see www.t13.org.

Collecting evidence from a large drive can take several hours. If your time is
limited, consider using a logical acquisition or sparse acquisition data copy method.
A logical acquisition captures only specific files of interest to the case or specific types
of files. A sparse acquisition is similar but also collects fragments of unallocated
(deleted) data; use this method only when you don’t need to examine the entire drive.
An example of a logical acquisition is an e-mail investigation that requires collecting
only Outlook .pst or .ost files. Another example is collecting only specific records
from a large RAID server. If you have to recover data from a RAID or storage area
network (SAN) server with many terabytes or more of data storage, the logical
method might be the only way you can acquire the evidence. In e-discovery for the
purpose of litigation, a logical acquisition is becoming the preferred method, especially
with large data storage systems.
To determine which acquisition method to use for an investigation, consider the
size of the source (suspect) disk, whether you can retain the source disk as evidence or
must return it to the owner, how much time you have to perform the acquisition, and
where the evidence is located.
If the source disk is very large, such as 4 terabytes (TB) or more, make sure you
have a target disk that can store a disk-to-image file of the large disk. If you don't have
a target disk of comparable size, review alternatives for reducing the size of data to
create a verifiable copy of the suspect drive. Older Microsoft volume compression tools,
such as DoubleSpace or DriveSpace, compressed a live volume in place and are of no
use for reducing an image. Other compression methods use an algorithm to reduce file
size. Popular archiving tools, such as PKZip, WinZip, and WinRAR, use an algorithm
referred to as "lossless compression," which the decompressor reverses exactly, byte
for byte. Compression algorithms for graphics files use what's called "lossy
compression," which discards data the viewer is unlikely to notice. For example, lossy
compression is used with .jpeg files to reduce file size; the decoded picture looks
nearly the same, but it is not identical to the original, and every re-save loses a little
more. Because lossy compression alters original data, it isn't used for forensics
acquisitions. Both compression methods are discussed in more detail in Chapter 8.
Most imaging tools have an option to use lossless compression to save disk
space, which means the target drive doesn't have to be as large as the suspect drive.
For example, if you're examining a 3 TB SATA drive, you might be able to use lossless
compression to create the disk-to-image file on a 2 TB target drive. Image files can be
reduced by as much as 50% of the original, and by far more when the drive is mostly
empty, because unused sectors full of zeros compress to almost nothing. If the suspect
drive already contains a lot of zip files, video, or encrypted data, however, the imaging
tool can't compress them any further. That data has already been compressed (or is
indistinguishable from random bytes), so any additional compression results in very
little size reduction, and the image can even come out slightly larger than the source.
For additional information on lossless compression, see www.data-compression.com/lossless.shtml
or www.cise.ufl.edu/~sahni/papers/encycloimage.pdf.
An easy way to test that compression is lossless is to perform an MD5 or SHA-256
hash on the data before it's compressed and again after it has been decompressed. If
the compression is done correctly, the original and the decompressed copy have the
same hash value. (The compressed file itself always has a different hash than the
original, so comparing those two proves nothing.) If the hashes don't match, that means
something corrupted the compressed file, such as a hardware or software error. Forensic
image formats such as E01 and AFF work the same way: they store the hash of the
uncompressed source and check the data as it's decompressed. As an added precaution,
perform two separate hashes with different algorithms, such as MD5 and SHA-256. This
step isn't mandatory; however, it's a good way to establish that nothing has changed
during data processing.
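The round-trip check described above, as an added example that is not from the textbook: the original is hashed, compressed, decompressed to a pipe, and hashed again with both algorithms; a second function shows why hashing the .gz file itself is the wrong comparison, and a third reports the compressed size so you can see that zeros shrink to almost nothing while random data, which stands in for already-compressed or encrypted content, doesn't shrink at all. Both sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not the textbook's code: how to check that a compressed image
# is lossless, and why hashing the compressed file itself proves nothing. The
# inputs are constructed: a block of zeros (an empty region of a drive) and a
# block of random bytes (stands in for already-compressed or encrypted data).
set -eu

# Print "md5 sha256" for FILE, two algorithms as the text recommends.
two_hashes() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha256sum "$1" | cut -d' ' -f1)"
}

# Compress IMG to IMG.gz, then verify by decompressing back to a pipe and
# hashing that stream. Returns 0 only if both algorithms agree with the
# hashes taken before compression, i.e. the round trip is byte-exact.
compress_and_verify() {
    img=$1
    before=$(two_hashes "$img")
    gzip -c "$img" > "$img.gz"
    after_md5=$(gzip -dc "$img.gz" | md5sum | cut -d' ' -f1)
    after_sha=$(gzip -dc "$img.gz" | sha256sum | cut -d' ' -f1)
    [ "$before" = "$after_md5 $after_sha" ]
}

# The check the text's wording might suggest: hash IMG and IMG.gz and compare.
# It fails for every non-empty file, because the compressed bytes are different
# bytes; it is here only to show that it is the wrong test.
hash_of_compressed_matches() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(sha256sum "$1.gz" | cut -d' ' -f1)" ]
}

# Size of FILE.gz in bytes, to see how much (or how little) compression bought.
compressed_size() {
    wc -c < "$1.gz" | tr -d ' '
}

# Stand-alone run: 1 MiB of zeros shrinks to about a kilobyte; 64 KiB of random
# data comes back no smaller (gzip stores it as-is, plus a few bytes of framing).
workdir=$(mktemp -d)
dd if=/dev/zero    of="$workdir/empty.dd"  bs=1024 count=1024 2>/dev/null
dd if=/dev/urandom of="$workdir/random.dd" bs=1024 count=64   2>/dev/null
for f in "$workdir/empty.dd" "$workdir/random.dd"; do
    compress_and_verify "$f" && echo "$(basename "$f"): lossless, $(compressed_size "$f") bytes compressed"
done
rm -rf "$workdir"
```

Decompressing to a pipe rather than to a file matters on the target drives this section is about: verifying a 3 TB image on a 2 TB target is only possible if the decompressed bytes are hashed as they stream past rather than written out again.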
If you can’t retain the original evidence drive and must return it to the owner, as
in a discovery demand for a civil litigation case, check with the requester (your lawyer
or supervisor, for example), and ask whether a logical acquisition is acceptable. If not,
you have to refer the matter back to the requester. When performing an acquisition
under these conditions, make sure you have a good copy because most discovery
demands give you only one chance to capture data. In addition, make sure you have a
reliable forensics tool that you know how to use.

Contingency Planning for Image Acquisitions


Because you’re working with digital evidence, you must take precautions to protect
it from loss. You should also make contingency plans in case software or hardware
doesn’t work or you encounter a failure during an acquisition. The most common and
time-consuming technique for preserving evidence is creating a duplicate of your
disk-to-image file. Many digital investigators don’t make duplicates of their evidence
because they don’t have enough time or resources to make a second image. However,
if the first copy doesn’t work correctly, having a duplicate is worth the effort and
resources. Be sure you take steps to minimize the risk of failure in your investigation.


As a standard practice, make at least two images of the digital evidence you
collect. If you have more than one imaging tool, such as FTK Imager Lite and X-Ways
Forensics, make the first copy with one tool and the second copy with the other tool.
Different acquisition tools use different methods to copy data, and one tool might, for
example, make more attempts to copy corrupted areas of a drive. So using more than
one tool can be helpful in making sure data has been copied correctly.
If you have only one tool, however, consider making two images of the drive with
the same tool, especially for critical investigations. With many tools, you can make one
copy with no compression and compress the other copy. Remember that Murphy’s Law
applies to digital forensics, too: If anything can go wrong, it will.
Some acquisition tools don't copy data in the host protected area (HPA) of a disk
drive, a region the drive hides from the OS by reporting a smaller capacity than it
really has. Check the vendor's documentation to see whether its tool can copy a drive's
HPA. If not, consider using an acquisition tool that accesses the drive at the BIOS level
rather than through the OS, such as Belkasoft or ILookIX IXImager used with a
write-blocker, Image MASSter Solo, or X-Ways Replica. These tools can read a disk's HPA.
Microsoft has added whole disk encryption with BitLocker to its newer
operating systems, such as Windows Vista, 7, 8, and 10, which makes performing
static acquisitions more difficult. (Several other third-party whole disk encryption
tools are available, and you should be familiar with as many as possible.) As part of
contingency planning, you must be prepared to deal with encrypted drives. A static
acquisition of most whole-disk-encrypted drives currently involves decrypting the
drive, which requires the decryption key: the user's password or passphrase, or a
recovery key (BitLocker recovery keys are often escrowed in Active Directory or a
Microsoft account, which is worth asking about in a corporate case). Most whole disk
encryption tools at least have a manual process for decrypting data, which converts the
encrypted disk to an unencrypted disk. This process can take several hours, depending
on the disk size, and it writes to the drive, so run it on a verified image or a working
copy, never on the original evidence. One good thing about encryption is that
decryption doesn't alter the underlying data: free and slack space come back exactly as
they were. The biggest concern with whole disk encryption is getting the decryption key.
If you can recover the whole disk key with tools such as Elcomsoft Forensic Disk
Decryptor, mentioned previously (it extracts the key from a RAM dump or hibernation
file), you need to learn how to use it to decrypt the drive. In criminal investigations,
obtaining the key from the suspect might be impossible because if a disk contains
evidence supporting the crime, a suspect has a strong motivation not to supply it.

Note
Researchers at Princeton University have demonstrated a technique (the "cold boot" attack)
for recovering disk encryption keys, the real target since a password only unlocks the key,
from RAM shortly after a computer loses power; for more information, see
www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf or
https://jhalderm.com/pub/papers/coldboot-cacm09.pdf.


Using Acquisition Tools


Many forensics software vendors have developed acquisition tools that run in
Windows. These tools make acquiring evidence from a suspect drive more convenient,
especially when you use them with hot-swappable devices, such as USB-3, FireWire
1394A and 1394B, or SATA, to connect disks to your workstation.
Using acquisition tools with current OSs, such as Windows and Linux, has some
drawbacks, however. Because Windows and Linux can easily contaminate an evidence
drive when it's mounted, you must protect it with a well-tested write-blocking
hardware device. The automatic mounting process writes to the drive before you have
done anything: the OS may replay the file system's journal, update last-mount
timestamps and access times, or create its own system folders, changing metadata and
with it the drive's hash. (Chapter 6 discusses write-blocking devices in more detail.) In
addition, some countries haven't yet accepted the use of write-blocking devices for data
acquisitions. Check with your legal counsel for evidence standards in your community
or country.

Note
Although many digital forensics vendors have improved their acquisition tools, some older
Windows and Linux tools (such as the dd or dcfldd commands) can't acquire data from a
disk's HPA: they copy only the sectors the OS exposes, and an HPA lies beyond the drive's
reported capacity. On Linux, hdparm -N /dev/sdX reports whether an HPA is set; removing
it changes the drive's configuration, so document that step if you take it.

Mini-WinFE Boot CDs and USB Drives


Accessing a disk drive directly might not be practical for a forensics acquisition. For
example, a laptop’s design could make removing the disk drive to mount it on a
write-blocker difficult, or you might not have the right connector for a drive. In these
situations, a forensic boot CD/DVD or USB drive gives you a way to acquire data from a
suspect computer and write-protect the disk drive. These forensic boot discs or drives
can be Windows or Linux.
One forensically sound Windows boot utility is Mini-WinFE. It enables you to build
a Windows forensic boot CD/DVD or USB drive with Windows Registry changes that stop
the Mount Manager from automatically mounting volumes and set the disk policy to leave
all disks offline, so nothing is written to a connected drive at boot. Before booting a
suspect's computer with Mini-WinFE, you need to connect your target drive, such as a
USB drive. After Mini-WinFE is booted, you can list all connected drives and bring only
your target USB drive online in read-write mode (with diskpart or the WinFE write-protect
tool) so that you can run an acquisition program; the suspect's disk stays offline.
To create your own Mini-WinFE boot CD or USB drive, review the documentation
and download the software from the following Web sites:
• For an overview of WinFE, see http://brettshavers.cc/index.php/brettsblog/tags/tag/winfe.
For the latest information and instructions, review the Downloads and Using WinFE menus.


• For download instructions on Mini-WinFE, see http://brettshavers.cc/index.php/brettsblog/entry/mini-winfe-and-xwf.
• Another download site for Mini-WinFE is http://reboot.pro/files/file/375-mini-winfe.
• For complete instructions on Mini-WinFE, see www.forensicfocus.com/downloads/WinFE.pdf.
In addition, you need a Windows installation DVD (version 8 or later) and FTK
Imager Lite or X-Ways Forensics installed on your workstation. Follow the instructions
in the preceding Web sites to create the Mini-WinFE ISO file and then burn it to
CD or transfer it to a USB drive. If you want to use a USB drive, you need a tool to
transfer an ISO image to a USB drive. A freeware tool called ISO to USB is available
at www.isotousb.com.

Acquiring Data with a Linux Boot CD


The Linux OS has many features that are applicable to digital forensics, especially data
acquisitions. One useful feature is that Linux can read a drive, sector by sector, through
its device file (for example, /dev/sdb) without mounting it, so no file system has to be
brought up to copy the device. Physical access for the purpose of reading data can be
done on any connected media device, such as a disk drive, a USB drive, or other storage
devices. In Windows OSs and in desktop Linux distributions, however, when you connect
a drive via USB, FireWire, external SATA, or even internal PATA or SATA controllers, both
OSs automatically mount and access the drive. On Windows drives, an acquisition
workstation can access and alter data in the Recycle Bin; on Linux drives, the
workstation most likely alters metadata, such as the last-mount time and mount count
in the superblock of an Ext3 or later drive, and replays its journal. If you need to
acquire a USB drive that doesn't have a write-lock switch, use one of the forensic Linux
Live CDs (discussed in the next section) to access the device.

Caution
Use caution when working with newer Linux distributions with KDE or Gnome GUIs. Many
newer distributions mount most media devices automatically. If you’re using a nonforensic
Linux distribution, you should test it before using it on actual evidence to see how it handles
attached storage devices. If in doubt, always use a physical write-blocker for an acquisition
from Linux.

Using Linux Live CD Distributions

Several Linux distributions, such as Ubuntu, openSUSE, Arch Linux, Fedora, and
Slackware, provide ISO images that can be burned to a CD or DVD. They’re called
“Linux Live CDs.” Most of these Linux distributions are for Linux OS recovery, not for
digital forensics acquisition and analysis. For a list of the most current Linux Live CDs,
see https://livecdlist.com/.

Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

68944_ch03_hr_093-142.indd 102 3/7/18 3:27 PM


CHAPTER 3 Data Acquisition 103

A few Linux ISO images are designed specifically for digital forensics, however.
These images contain additional utilities that aren’t typically installed in normal
Linux distributions. They’re also configured not to mount, or to mount as read-only,
any connected storage media, such as USB drives. This feature protects the media’s
integrity for the purpose of acquiring and analyzing data. To access media, you have
to give specific instructions to the Live CD boot session through a GUI utility or a shell
command prompt. Mounting drives from a shell gives you more control over them. See
the man page for the mount command (by typing man mount at the shell prompt) to
learn what options are available for your Linux distribution.

Tip
The man command displays pages from the online help manual for information on Linux
commands and their options.

Linux can read data from a physical device without having to mount it. As a usual
practice, don’t mount a suspect media device as a precaution against any writes to it.
Later in this section, you learn how to make a forensics acquisition in Linux without
mounting the device.
The following are some well-designed Linux Live CDs for digital forensics:
• Penguin Sleuth Kit (www.linux-forensics.com or https://sourceforge.net/projects/psk/?source=directory)
• CAINE (www.caine-live.net)
• Deft (www.deftlinux.net)
• Kali Linux (www.kali.org), previously known as BackTrack (www.backtrack-linux.org/wiki/index.php/Forensics_Boot)
• Knoppix (www.knopper.net/knoppix/index-en.html)
• SANS Investigate Forensic Toolkit (SIFT; http://computer-forensics.sans.org/community/downloads)
You can download these ISO images to any computer, including a Windows
system, and then burn them to CD/DVD with burner software, such as Roxio or Nero.
Creating a bootable image from an ISO file is different from copying data or music files
to a CD or DVD. If you aren’t familiar with how to do it, see the Help menu in your
burner software for instructions on creating a bootable CD or DVD. For example, Roxio
Creator Classic and Nero Express have a Bootable CD or DVD option. An alternative
is using a USB drive instead of a CD or DVD. For this option, you need a tool such as
ISO to USB, mentioned previously (or another tool for transferring an ISO image to a
USB drive).

Note
For an alternative Windows-based USB boot drive, see http://osforensics.com/tools/write-usb-images.html.

After creating a Linux Live CD, test it on your workstation. Remember to check
your workstation’s BIOS to see whether it boots first from the CD or DVD on the system.
To test the Live CD, simply place it in the CD or DVD drive and reboot your system.
If successful, Linux loads into your computer’s memory, and a common GUI for Linux
is displayed. If you have problems with the video display on your workstation, try
another computer with a different video card. No one Live CD distribution has all video
drivers. Linux Live CDs load the OS into a computer’s RAM, so performance can be
affected when you’re using GUI tools. The following sections explain how to use Linux
to make forensically sound data acquisitions.

Preparing a Target Drive for Acquisition in Linux

The Linux OS has many tools you can use to modify non-Linux file systems. Current
Linux distributions can create Microsoft FAT and NTFS partition tables. Linux kernel
version 2.6.17.7 and earlier can format and read only the FAT file system, although an
NTFS driver, NTFS-3G, is available that allows Linux to mount and write to NTFS
partitions. You can download this driver from http://sourceforge.net/projects/ntfs-3g,
where you can also find information about NTFS and instructions for installing the
driver. For information on macOS file systems and acquisitions, see Chapter 7.
In this section, you learn how to partition and format a Microsoft FAT drive from
Linux so that you don’t have to switch OSs or computers to prepare a FAT target disk.
If you have a previously used target drive, you can use the following procedure to
format it as a FAT32 drive. After you make the acquisition, you can then transfer the
FAT disk to a Windows system to use a Windows analysis tool.

Note
When preparing a drive to be used on a Linux system for forensics acquisition or analysis, do
it in a separate boot session with no suspect drive attached.

Tip
Linux/UNIX commands are case sensitive, so make sure you type commands exactly as
shown in this section’s steps.


Assuming you have a functioning Linux computer or one running with a Linux
Live CD, perform the following steps from a shell prompt:

Note
Depending on which version and distribution of Linux you use, your screen prompts might be
slightly different from those shown in this section.

1. First, boot Linux on your computer.
2. Connect the USB, FireWire, or SATA external drive to the Linux computer and
power it on.
3. If a shell window isn’t already open, start one.
4. At the shell prompt, type su and press Enter to log in as the superuser (root).
Then type the root password and press Enter.

Note
If you’re using one of the Live CDs listed previously, these distributions are typically already
in superuser (root) mode, so there’s no need to use the su command. Other Linux Live CDs
might have no password set and simply require pressing Enter.

5. To list the current disk devices connected to the computer, type fdisk -l
(lowercase L) and press Enter. You should see output similar to the following:

Note
Linux lists all IDE (also known as PATA) drives as hda, hdb, and so on. All SCSI, SATA, FireWire,
and USB-connected drives are listed as sda, sdb, and so forth.

Disk /dev/hda: 40.0 GB, 40007761920 bytes
255 heads, 63 sectors/track, 4864 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1          13      104391   83  Linux
/dev/hda2              14        4864    38965657+  8e  Linux LVM

Disk /dev/sda: 6448 MB, 6448619520 bytes
199 heads, 62 sectors/track, 1020 cylinders
Units = cylinders of 12338 * 512 = 6317056 bytes

Disk /dev/sda doesn't contain a valid partition table

Note
In the preceding output, the /dev/sda device has no partition listed. These steps show how
to create a Microsoft FAT partition on this disk. If there’s a partition on this drive, it can
be deleted with the Linux fdisk utility. For additional information on fdisk, refer to the
man page.

6. Type fdisk /dev/sda and press Enter to start partitioning the disk drive for a FAT
file system. You should see output similar to the following:

Welcome to fdisk (util-linux 2.21.2).

Changes will remain in memory only, until you decide
to write them.
Be careful before using the write command.

Command (m for help): m

7. Display fdisk menu options by typing m and pressing Enter. You should see
output similar to the following:

Command action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disk label
t change a partition's system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)


8. Determine whether there are any partitions on /dev/sda by typing p and
pressing Enter. You should see output similar to the following:

Disk /dev/sda: 6448 MB, 6448619520 bytes
199 heads, 62 sectors/track, 1020 cylinders
Units = cylinders of 12338 * 512 = 6317056 bytes

   Device Boot      Start         End      Blocks   Id  System

Note
In this example, the disk has no previously configured partitions. If it did, there would be data
under each column heading describing each partition’s configuration.

9. Next, you create a new primary partition on /dev/sda. To use the defaults and
select the entire drive, type n and press Enter. To create a primary partition
table, type p and press Enter, and then type 1 (the numeral) to select the first
partition and press Enter. At the remaining prompts, press Enter. Your output
should be similar to the following:

Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-1020, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-1020,
default 1020):
Using default value 1020

Note
In Linux, the first logical partition created after the primary and extended partitions is
numbered 5; any additional logical partitions are numbered 6, 7, and so on. For example,
the C partition is typically /dev/hda1, and the D partition is /dev/hda2.


10. List the newly defined partitions by typing p and pressing Enter, which
produces the following output:

Disk /dev/sda: 6448 MB, 6448619520 bytes
199 heads, 62 sectors/track, 1020 cylinders
Units = cylinders of 12338 * 512 = 6317056 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1        1020     6292349   83  Linux

11. To list the menu again so that you can select the change partition ID, type m and
press Enter. You should see output similar to the following:

Command action
a toggle a bootable flag
b edit bsd disk label
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disk label
t change a partition's system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)

12. To change the newly created partition to the Windows 95 FAT32 file system, first
type t and press Enter, which produces the following output:

Selected partition 1
Hex code (type L to list codes):

13. List available file systems and their code values by typing l (lowercase L) and
pressing Enter. You should see output similar to what’s shown in Figure 3-1.
14. Change the newly created partition to the Windows 95 FAT32 file system by
typing c and pressing Enter. Your output should look similar to the following:

Changed system type of partition 1 to c (W95 FAT32 (LBA))


Figure 3-1 Listing code values for available file systems (Source: Linux Foundation)

15. To display partitions of the newly changed drive, type p and press Enter, which
produces the following output:

Disk /dev/sda: 6448 MB, 6448619520 bytes


199 heads, 62 sectors/track, 1020 cylinders
Units = cylinders of 12338 * 512 = 6317056 bytes

Device Boot Start End Blocks Id System


/dev/sda1 1 1020 6292349 c W95 FAT32 (LBA)


16. Save (write) the newly created partition to the /dev/sda drive by typing w and
pressing Enter. Your output should look similar to the following:

The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: If you have created or modified any DOS 6.x partitions,
please see the fdisk manual page for additional information.

Note
Fdisk exits back to the shell prompt after updating the partition table on the /dev/sda
drive.

17. Show the known drives connected to your computer by typing fdisk -l and
pressing Enter, which produces the following output:

Disk /dev/hda: 40.0 GB, 40007761920 bytes
255 heads, 63 sectors/track, 4864 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1          13      104391   83  Linux
/dev/hda2              14        4864    38965657+  8e  Linux LVM

Disk /dev/sda: 6448 MB, 6448619520 bytes
199 heads, 62 sectors/track, 1020 cylinders
Units = cylinders of 12338 * 512 = 6317056 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1        1020     6292349    b  W95 FAT32

18. To format a FAT file system from Linux, type mkfs.msdos -vF32 /dev/sda1
and press Enter, which produces the following output:

Note
If your Linux distribution is missing the mkfs.msdos command, download and install your
distribution’s dosfstools package. To find these files, search for mkfs.msdos Fedora or
dostools Debian, for example.


mkfs.msdos 2.8 (28 Feb 2001)
Selecting 8 sectors per cluster
/dev/sda1 has 33 heads and 61 sectors per track,
logical sector size is 512,
using 0xf8 media descriptor, with 2047966 sectors;
file system has 2 32-bit FATs and 8 sectors per cluster.
FAT size is 1997 sectors, and provides 255492 clusters.
Volume ID is 420781ea, no volume label.

Note
Newer Linux distributions automatically sync a newly created partition and format the drive.
The sync feature eliminates the need to reboot the computer, unlike with Microsoft OSs.

19. Close the shell window for this session by typing exit and pressing Enter.
This drive can now be mounted and used to receive an image of a suspect drive.
Later in this section, you learn how to mount and write to this Microsoft FAT
target drive.

Acquiring Data with dd in Linux

A unique feature of a forensics Linux Live CD is that it can mount and read most drives.
To perform a data acquisition on a suspect computer, all you need are the following:
• A forensics Linux Live CD
• A USB, FireWire, or SATA external drive with cables
• Knowledge of how to alter the suspect computer’s BIOS to boot from the Linux
Live CD
• Knowledge of which shell commands to use for the data acquisition

Tip
If you want to learn more about Linux and shell commands, review a Linux tutorial, such as
Nix Tutor at www.nixtutor.com/linux/all-the-best-linux-cheat-sheets.

The dd command, available on all UNIX and Linux distributions, means “data
dump.” This command, which has many functions and switches, can be used to read
and write data from a media device and a data file. The dd command isn’t bound by a
logical file system’s data structures, meaning the drive doesn’t have to be mounted for
dd to access it. For example, if you list a physical device name, the dd command copies
the entire device—all data files, slack space, and free space (unallocated data) on the
device. The dd command creates a raw format file that most forensics analysis tools
can read, which makes it useful for data acquisitions.

Caution
Use extreme caution with the dd command. Make sure you know which drives are the
suspect drive and target drive. Although you might not have mounted the suspect drive, if
you reverse the input field (if=) of the suspect and target drives with the output field (of=),
data is written to the wrong drive, thus destroying the original evidence drive.

As powerful as this command is, it does have some shortcomings. One major
problem is that it requires more advanced skills than the average computer user might
have. Also, because it doesn’t compress data, the target drive needs to be equal to or
larger than the suspect drive. It’s possible to divide the output to other drives if a large
enough target drive isn’t available, but this process can be cumbersome and prone
to mistakes when you’re trying to keep track of which data blocks to copy to which
target drive.
The dd command combined with the split command segments output into
separate volumes. Use the split command with the -b switch to adjust the size of
segmented volumes the dd command creates. As a standard practice for archiving
purposes, create segmented volumes that fit on a CD or DVD. For additional
information on dd and split, see their man pages. Follow these steps to make an
image of an NTFS disk on a FAT32 disk by using the dd command:

1. Assuming that your workstation is the suspect computer and is booted from a Linux
Live CD, connect the USB, FireWire, or SATA external drive containing the FAT32 target
drive, and turn the external drive on.
2. If you’re not at a shell prompt, start a shell window, switch to superuser (su)
mode, type the root password, and press Enter.
3. At the shell prompt, list all drives connected to the computer by typing
fdisk -l and pressing Enter, which produces the following output:

Disk /dev/hda: 40.0 GB, 40007761920 bytes
255 heads, 63 sectors/track, 4864 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1          13      104391   83  Linux
/dev/hda2              14        4864    38965657+  8e  Linux LVM

Disk /dev/sda: 163.9 GB, 163928605184 bytes
255 heads, 63 sectors/track, 19929 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1       12000    96389968+   b  W95 FAT32
/dev/sda2           12001       19929    63689692+   5  Extended
/dev/sda5           12001       19929    63689661    c  W95 FAT32 (LBA)

Disk /dev/sdb: 6448 MB, 6448619520 bytes
199 heads, 62 sectors/track, 1020 cylinders
Units = cylinders of 12338 * 512 = 6317056 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1        1020     6292349    7  HPFS/NTFS

4. To create a mount point for the USB, FireWire, or SATA external drive and
partition, make a directory in /mnt by typing mkdir /mnt/sda5 and pressing
Enter.
5. To mount the target drive partition, type mount -t vfat /dev/sda5 /mnt/sda5
and press Enter.
6. To change your default directory to the target drive, type cd /mnt/sda5 and
press Enter.
7. List the contents of the target drive’s root level by typing ls -al and pressing
Enter. Your output should be similar to the following:

total 40
drwxr-xr-x 2 root root 32768 Dec 31 1969 .
drwxr-xr-x 5 root root 4096 Feb 6 17:22 ..

8. To make a target directory to receive image saves of the suspect drive, type
mkdir case01 and press Enter.
9. To change to the newly created target directory, type cd case01 and press
Enter. Don’t close the shell window.

Next, you perform a raw format image of the entire suspect drive to the target
directory. To do this, you use the split command with the dd command. The
split command creates a two-letter extension for each segmented volume. The
-d switch creates numeric rather than letter extensions. As a general rule, if you
plan to use a Windows forensics tool to examine a dd image file created with this
switch, the segmented volumes shouldn’t exceed 2 GB each because of FAT32 file
size limits. This 2 GB limit allows you to copy only up to 198 GB of a suspect’s disk.
If you need to use the dd command, it’s better to use the split command’s default of
incremented letter extensions and make smaller segments. To adjust the segmented
volume size, change the value for the -b switch from the 650 MB used in the following
example to 2000 MB.

1. Type dd if=/dev/sdb | split -b 650m - image_sdb. and press Enter. You
should see output similar to the following:

12594960+0 records in
12594960+0 records out

Tip
When using the split command, type a period at the end of the filename as shown, with
no space between it and the filename. Otherwise, the extension is appended to the filename
with no “.” delimiter.

2. List the raw images that have been created from the dd and split commands
by typing ls -l and pressing Enter. You should see output similar to the
following:

total 6297504
-rwxr-xr-x 1 root root 681574400 Feb  6 17:26 image_sdb.aa
-rwxr-xr-x 1 root root 681574400 Feb  6 17:28 image_sdb.ab
-rwxr-xr-x 1 root root 681574400 Feb  6 17:29 image_sdb.ac
-rwxr-xr-x 1 root root 681574400 Feb  6 17:30 image_sdb.ad
-rwxr-xr-x 1 root root 681574400 Feb  6 17:32 image_sdb.ae
-rwxr-xr-x 1 root root 681574400 Feb  6 17:33 image_sdb.af
-rwxr-xr-x 1 root root 681574400 Feb  6 17:34 image_sdb.ag
-rwxr-xr-x 1 root root 681574400 Feb  6 17:36 image_sdb.ah
-rwxr-xr-x 1 root root 681574400 Feb  6 17:37 image_sdb.ai
-rwxr-xr-x 1 root root 314449920 Feb  6 17:37 image_sdb.aj

3. To complete this acquisition, dismount the target drive by typing umount
/dev/sda5 and pressing Enter.

Depending on the Windows forensics analysis tool you’re using, renaming each
segmented volume’s extension with incremented numbers instead of letters might
be necessary. For example, rename image_sdb.aa as image_sdb.01, and so on.
Several Windows forensics tools can read only disk-to-image segmented files that have
numeric extensions. Most Linux forensics tools can read segments with numeric or
lettered extensions.
Acquiring a specific partition on a drive works the same way as acquiring the entire
drive. Instead of typing /dev/sdb as you would for the entire drive, add the partition
number to the device name, such as /dev/sdb1. For drives with additional partitions,
use the number that would be listed in the fdisk -l output. For example, to copy
only the partition of the previous NTFS drive, you use the following dd command:

dd if=/dev/sdb1 | split -b 650m - image_sdb1.

Remember to use caution with the dd command in your forensics data acquisitions.
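The dd | split acquisition above and the letter-to-number renaming that some Windows tools need, as an added shell example that is not part of the textbook (the function names are mine). It images a device such as /dev/sdb or, for a dry run, an ordinary file, and adds two checks dd itself does not provide: a refusal to read a device that is currently mounted, and a hash comparison between the source and the reassembled segments.

```sh
#!/bin/sh
# Added example (not from the textbook): image a device or partition with
# dd | split, verify the segments against the source, and optionally rename
# the two-letter extensions to numeric ones for Windows analysis tools.
# Assumes POSIX sh and GNU coreutils (dd, split, sha256sum, cat, mv).
# Function names (acquire_split, verify_image, rename_numeric) are my own.

# is_mounted DEVICE: true if DEVICE appears in the device column of /proc/mounts.
# Reading a mounted suspect device risks writes to it; -s hides a missing /proc.
is_mounted() {
    grep -qs "^$1 " /proc/mounts
}

# acquire_split SOURCE PREFIX SEGMENT_SIZE
#   SOURCE:       /dev/sdb (whole drive), /dev/sdb1 (one partition) or a plain
#                 file for a dry run.
#   PREFIX:       segments are named PREFIX.aa, PREFIX.ab, ...; the "." is
#                 added here, which is what the textbook's trailing period does.
#   SEGMENT_SIZE: split -b value, e.g. 650m for a CD or 2000m to stay under
#                 the FAT32 file-size limit.
acquire_split() {
    src=$1; prefix=$2; size=$3
    if is_mounted "$src"; then
        echo "refusing: $src is mounted; unmount it first" >&2
        return 1
    fi
    # conv=noerror,sync continues past unreadable sectors and pads them with
    # zeros so the image keeps the same length as the source.
    dd if="$src" bs=512 conv=noerror,sync 2>/dev/null | split -b "$size" - "$prefix."
}

# segment_count PREFIX: number of segments written for PREFIX.
segment_count() {
    ls "$1".* 2>/dev/null | wc -l | tr -d ' '
}

# verify_image SOURCE PREFIX: hash the source and the concatenated segments
# and compare them. dd has no built-in hashing (unlike dcfldd's hash= option),
# so this is the step that turns a raw copy into a verifiable acquisition.
# Prints the result and returns 0 on a match, 1 on a mismatch.
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(cat "$2".* | sha256sum | cut -d' ' -f1)
    if [ "$src_hash" = "$img_hash" ]; then
        echo "match $src_hash"
        return 0
    fi
    echo "MISMATCH source=$src_hash image=$img_hash"
    return 1
}

# rename_numeric PREFIX: PREFIX.aa -> PREFIX.01, PREFIX.ab -> PREFIX.02, ...
# The shell expands the glob in sorted order, so the numbering follows the
# order in which split wrote the segments.
rename_numeric() {
    n=0
    for f in "$1".??; do
        [ -f "$f" ] || continue
        n=$((n + 1))
        mv "$f" "$1.$(printf '%02d' "$n")"
    done
}

# Usage on a real acquisition, after fdisk -l has identified the drives:
#   acquire_split  /dev/sdb /mnt/sda5/case01/image_sdb 650m
#   verify_image   /dev/sdb /mnt/sda5/case01/image_sdb
#   rename_numeric /mnt/sda5/case01/image_sdb
```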

Acquiring Data with dcfldd in Linux

The dd command is intended as a data management tool; it’s not designed for
forensics acquisitions. Because of these shortcomings, Nicholas Harbour of the Defense
Computer Forensics Laboratory (DCFL) developed a tool that can be added to most
UNIX/Linux OSs. This tool, the dcfldd command, works similarly to the dd command
but has many features designed for forensics acquisitions. The following are important
functions dcfldd offers that aren’t possible with dd:
• Specify hexadecimal patterns or text for clearing disk space.
• Log errors to an output file for analysis and review.
• Use the hashing options MD5, SHA-1, SHA-256, SHA-384, and SHA-512 with
logging and the option of specifying the number of bytes to hash, such as
specific blocks or sectors.
• Refer to a status display indicating the acquisition’s progress in bytes.
• Split data acquisitions into segmented volumes with numeric extensions (unlike
dd’s limit of 99).
• Verify the acquired data with the original disk or media data.
When using dcfldd, you should follow the same precautions as with dd. The
dcfldd command can also write to the wrong device, if you aren’t careful.
The following examples show how to use the dcfldd command to acquire data
from a 64 MB USB drive, although you can use the command on a larger media device.
All commands need to be run from a privileged root shell session. To acquire an entire
media device in one image file, type the following command at the shell prompt:

dcfldd if=/dev/sda of=usbimg.dat

If the suspect media or disk needs to be segmented, use the dcfldd command
with the split command, placing split before the output file field (of=), as
shown here:

dcfldd if=/dev/sda hash=md5 md5log=usbimgmd5.txt bs=512 conv=noerror,sync split=2M of=usbimg

This command creates segmented volumes of 2 MB each. To create segmented
volumes that fit on a CD of 650 MB, change the split=2M to split=650M. This
command also saves the MD5 value of the acquired data in a text file named
usbimgmd5.txt.


Tip
For additional information on the dcfldd command, see http://dcfldd.sourceforge.net.
Information on how to download and install dcfldd is available for many UNIX, Linux, and
Macintosh OSs. You can also use the man page to find more information on dcfldd features
and switches.

Capturing an Image with AccessData FTK Imager Lite


The following activity assumes you have removed the suspect drive and connected it
to a USB or FireWire write-blocker device connected to your forensic workstation. The
acquisition is written to a work folder on your C drive, assuming it has enough free
space for the acquired data. Follow these steps to perform the first task of connecting
the suspect’s drive to your workstation:

1. Document the chain of custody for the drive you plan to acquire.
2. Remove the drive from the suspect’s computer.
3. For IDE drives, configure the suspect drive’s jumpers as needed. (Note: This step
doesn’t apply to SATA or USB drives.)
4. Connect the suspect drive to the USB or FireWire write-blocker device.
5. Create a storage folder on the target drive. For this activity, you use your work
folder (C:\Work\Chap03\Chapter), but in real life, you’d use a folder name such
as C:\Evidence.

FTK Imager is a data acquisition tool included with a licensed copy of
AccessData Forensic Toolkit. Like most Windows data acquisition tools, it requires
using a USB dongle for licensing. FTK Imager Lite, the Debian and Ubuntu x64 command-line
interface, and the macOS 10.5 and 10.6x command-line interface are free and require
no dongle license. To download FTK Imager Lite, see
http://accessdata.com/product-download/digital-forensics/ftk-imager-lite-version-3.1.1.
To download the Debian and Ubuntu x64 version, see
http://accessdata.com/product-download/digital-forensics/debian-and-ubuntu-x64-3.1.1#release-information.
To download the macOS 10.5 and 10.6x version, see
http://accessdata.com/product-download/digital-forensics/mac-os-10.5-and-10.6x-version-3.1.1.
FTK Imager is designed for viewing evidence disks and disk-to-image files
created from other proprietary formats. It can read AccessData .ad1, Expert Witness
Compression (EnCase) .e01, SMART .s01, Advanced Forensic Format (AFF), and raw
format files. In addition to disk media, FTK Imager can read CD and DVD file systems.
This program shows a view of a disk partition or an image file as though it’s a mounted
partition, with additional panes showing the contents of the selected file (see Figure 3-2).


Figure 3-2 The FTK Imager main window


Source: AccessData Group, Inc., www.accessdata.com

FTK Imager can make disk-to-image copies of evidence drives and enables you to
acquire an evidence drive from a logical partition level or a physical drive level. You
can also define the size of each disk-to-image file volume, allowing you to segment
the image into one or many split volumes. For example, you can specify 650 MB
volume segments if you plan to store volumes on 650 MB CD-Rs or 2.0 GB volume
segments so that you can record volumes on DVD-/+Rs. An additional feature of
FTK Imager is that it can image RAM on a live computer. The evidence drive you're
acquiring data from must be behind a hardware write-blocking device, or the
acquisition must run from a Live CD, such as Mini-WinFE, that never mounts the
evidence drive for writing.
FTK Imager can't acquire a drive's host protected area (HPA) or device
configuration overlay (DCO), however. If the drive's specifications indicate it has
11,000,000 sectors and the BIOS display indicates 9,000,000, for example, a host
protected area of 2,000,000 sectors might be assigned to the drive. If you suspect
an evidence drive has a host protected area, you must use an advanced acquisition
tool, or a hardware imager that removes the HPA and DCO, to include this area when
copying data. On Linux, hdparm -N /dev/sdX reports both the currently visible
and the native maximum sector count, which is a quick way to spot an HPA. With
older MS-DOS tools, you might have to define the exact sector count to make sure
you include more than what the BIOS shows as the number of known sectors on a
drive. Review vendors' manuals to determine how to account for a drive's host
protected area.


In the following activity, you use FTK Imager Lite to make an image file. (If you
haven't installed it already, do so now. You download it at
http://accessdata.com/product-download/digital-forensics/ftk-imager-lite-version-3.1.1.)
Use a write-blocking device to protect the suspect drive, and then follow these steps:

Note
Before starting this activity, create a work folder named Work\Chap03\Chapter. Note that
work folder names might differ slightly in screenshots.

1. Boot your forensic workstation to Windows, using an installed write-blocker.


2. Connect the evidence drive to a write-blocking device or USB device.
3. Connect the target drive to a USB external drive, if you’re using a write-blocker.
4. Start FTK Imager Lite. If prompted by the User Account Control message box,
click Yes.
5. In the FTK Imager main window, click File, Create Disk Image from the menu.
6. In the Select Source dialog box, click the Physical Drive option button,
if necessary, and then click Next.
7. In the Select Drive dialog box, click the Source Drive Selection list arrow
(see Figure 3-3), click the suspect drive, and then click Finish.

Figure 3-3 The Select Drive dialog box


Source: AccessData Group, Inc., www.accessdata.com


8. In the Create Image dialog box, click to select the Verify images after they are
created check box, if necessary, and then click Add. In the Select Image Type
dialog box that opens (see Figure 3-4), click the Raw (dd) option button, if
necessary, and then click Next.

Figure 3-4 The Select Image Type dialog box


Source: AccessData Group, Inc., www.accessdata.com

9. In the Evidence Item Information dialog box, complete the case information, as
shown in Figure 3-5, and then click Next.

Figure 3-5 The Evidence Item Information dialog box


Source: AccessData Group, Inc., www.accessdata.com


10. In the Select Image Destination dialog box (see Figure 3-6), click Browse,
navigate to the location for the image file (your work folder), and click to clear
the Use AD Encryption check box, if necessary.

Note
You can adjust the amount in the Image Fragment Size text box, but for this activity, leave the
default value of 1500 MB.

Figure 3-6 Selecting where to save the image file


Source: AccessData Group, Inc., www.accessdata.com

11. In the Image Filename (Excluding Extension) text box, type InChp03-ftk, and
then click Finish.
12. Next, in the Create Image dialog box, click Start to initiate the acquisition.
13. When FTK Imager finishes the acquisition, review the information in the Drive/
Image Verify Results dialog box, and then click Close. Click Close again in the
Creating Image dialog box (see Figure 3-7).
14. Exit FTK Imager Lite by clicking File, Exit from the menu.


Figure 3-7 An image save in progress


Source: AccessData Group, Inc., www.accessdata.com

Note
For additional information, see the Help menu in FTK Imager Lite to learn more about its
many features.

Validating Data Acquisitions


Probably the most critical aspect of computer forensics is validating digital evidence.
The weakest point of any digital investigation is the integrity of the data you collect,
so validation is essential. In this section, you learn how to use several tools to validate
data acquisitions.
Validating digital evidence requires a hashing algorithm utility, which computes a
fixed-length value (usually displayed in hexadecimal) that identifies a data set, such
as a file or disk drive. This value is referred to as a "digital fingerprint." With a few
exceptions, making any alteration in one of the files, even changing one letter from
uppercase to lowercase, produces a completely different hash value.
These exceptions, known as "collisions," have been demonstrated for MD5 and,
since 2017, for SHA-1 as well: an attacker who controls both inputs can craft two
different files with the same digest. For forensic examinations of data files on a disk
drive, however, collisions are of little concern. If two files with different content have
the same MD5 hash value, a byte-by-byte comparison shows the differences, and
hashing with a second algorithm such as SHA-256 removes any doubt. Currently,
several tools can do a byte-by-byte comparison of files. Programs such as X-Ways
Forensics, X-Ways WinHex, and IDM Computing Solution's UltraCompare can analyze
and compare data files. For more information on MD5 collisions, see
www.x-ways.net/md5collision.html or www.mscs.dal.ca/~selinger/md5collision/.
Chapter 4 discusses methods of using MD5 and SHA-1.
For imaging an evidence drive, many tools offer validation techniques ranging
from CRC-32, MD5, and SHA-1 to SHA-512. These hashing algorithm utilities are
available as stand-alone programs or are integrated into many acquisition tools. The
following sections discuss how to perform validation with some currently available
acquisition programs.

Linux Validation Methods


Linux is rich in commands and functions. The two Linux shell commands shown
earlier in this chapter, dd and dcfldd, have several options that can be combined
with other commands to validate data. The dcfldd command has built-in options
that validate data collected during an acquisition. Validating data acquired with the
dd command requires using other shell commands.
Current distributions of Linux include the hashing utilities md5sum and sha1sum
(along with sha256sum and sha512sum in the same coreutils package). These
utilities can compute hashes of a single file, multiple files, individual or multiple disk
partitions, or an entire disk drive.

Validating dd-Acquired Data


As shown earlier, the following command produces segmented volumes of the
/dev/sdb drive, with each segmented volume named image_sdb and an
incrementing extension of .aa, .ab, .ac, and so on:

dd if=/dev/sdb | split -b 650m image_sdb

To validate all segmented volumes of a suspect drive with the md5sum utility, you
use the Linux shell commands shown in the following steps. For the saved images,
remember to change to the directory where the data was saved, or list the exact path
for the saved images. To use sha1sum instead of md5sum, just replace all md5sum
references in commands with sha1sum. The drive should still be connected to your
acquisition workstation.

1. If necessary, start Linux, open a shell window, and navigate to the directory where
image files are saved. To calculate the hash value of the original drive, type
md5sum /dev/sdb > md5_sdb.txt and press Enter.

Note
The redirect (>) option saves the computed MD5 hash value in the md5_sdb.txt file. This file
should be saved with image files as validation of the evidence.


2. To compute the MD5 hash value for the segmented volumes and append the
output to the md5_sdb.txt file, type cat image_sdb.* | md5sum >> md5_sdb.txt
and press Enter.

Note
By using the cat (concatenate) command with an asterisk (*) as the extension value, all
segmented volumes are read sequentially as one big contiguous file, as though they were the
original drive or partition. The pipe (|) function outputs the cat command read data to the
input of the md5sum command. The >> option adds the md5sum hash results to the end of the
md5_sdb.txt file’s content.

3. Examine the md5_sdb.txt file to see whether both hashes match by typing
cat md5_sdb.txt and pressing Enter. If the data acquisition is successful,
the two hash numbers should be identical. If not, the acquisition didn’t work
correctly. You should see output similar to the following:

34963884a4bc5810b130018b00da9de1 /dev/sdb
34963884a4bc5810b130018b00da9de1

4. Close the Linux shell window by typing exit and pressing Enter.
With the dd command, the md5sum or sha1sum utilities should be run on all
suspect disks and volumes or segmented volumes.
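The three validation steps above as one runnable script, added here as an example rather than taken from the book. It substitutes a constructed 1 MiB file for /dev/sdb, segments it with dd and split the way the command above does (256 KiB pieces instead of 650 MB so it runs quickly), validates the segments against the source, and then overwrites a few bytes inside one segment to show the check catching a damaged copy. The stand-in file, the segment size, the file names and the corrupt_segment helper are assumptions for the demonstration; on a real case the source is the write-blocked evidence device.

```shell
#!/bin/sh
# Added example: runs steps 1-3 above against a constructed stand-in for /dev/sdb.
# The stand-in file, the 256 KiB segment size and the file names are assumptions
# chosen so the script runs anywhere with coreutils; on a real case the source is
# the write-blocked evidence device and the segments are the 650 MB volumes.
set -e

WORK=$(mktemp -d)
FAKE_SDB="$WORK/fake_sdb"                   # stand-in for /dev/sdb (constructed)
head -c 1048576 /dev/urandom > "$FAKE_SDB"  # 1 MiB of pseudo-random bytes

# Segment the source the way `dd if=/dev/sdb | split -b 650m image_sdb` does,
# here as 256 KiB pieces named image_sdb.aa, image_sdb.ab, ...
segment_drive() {  # $1 = source device or file, $2 = segment prefix
    dd if="$1" 2>/dev/null | split -b 256k - "$2"
}

# Step 1 hashes the source, step 2 hashes the concatenated segments in order,
# both lines go to a log kept beside the images, and step 3 compares them.
validate_segments() {  # $1 = source, $2 = segment prefix, $3 = hash log
    md5sum "$1" > "$3"                     # step 1
    cat "$2"* | md5sum >> "$3"             # step 2 (>> appends)
    src_hash=$(sed -n '1p' "$3" | cut -d' ' -f1)
    seg_hash=$(sed -n '2p' "$3" | cut -d' ' -f1)
    if [ "$src_hash" = "$seg_hash" ]; then echo OK; else echo MISMATCH; fi
}

# Overwrite 16 bytes inside a segment in place to simulate a damaged copy; the
# length stays the same, so only the hash check reveals the problem.
corrupt_segment() {  # $1 = segment file
    printf 'CORRUPTED-BYTES!' | dd of="$1" bs=1 seek=100 conv=notrunc 2>/dev/null
}

segment_drive "$FAKE_SDB" "$WORK/image_sdb."
validate_segments "$FAKE_SDB" "$WORK/image_sdb." "$WORK/md5_sdb.txt"   # prints OK
```

The source is hashed by reading it a second time, exactly as the steps above do; that is one more full pass over suspect media, which is why dcfldd's hash= option, which hashes the stream as it is written, is preferable on a drive that is already showing read errors.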

Validating dcfldd-Acquired Data


Because dcfldd is designed for forensics data acquisition, it has validation options
integrated: hash and hashlog. You use the hash option to designate a hashing
algorithm of md5, sha1, sha256, sha384, or sha512 (more than one can be listed,
separated by commas). The hashlog option outputs hash results to a text file that
can be stored with image files. To create an MD5 hash output file during a dcfldd
acquisition, you enter the following command (on one line) at the shell prompt:

dcfldd if=/dev/sda split=2M of=usbimg hash=md5 hashlog=usbhash.log

To see the files the split option generated, you enter the list directory (ls)
command at the shell prompt. You should see output similar to the following:

usbhash.log     usbimg.004  usbimg.010  usbimg.016  usbimg.022  usbimg.028
usbseghash.log  usbimg.005  usbimg.011  usbimg.017  usbimg.023  usbimg.029
usbimg.000      usbimg.006  usbimg.012  usbimg.018  usbimg.024  usbimg.030
usbimg.001      usbimg.007  usbimg.013  usbimg.019  usbimg.025
usbimg.002      usbimg.008  usbimg.014  usbimg.020  usbimg.026
usbimg.003      usbimg.009  usbimg.015  usbimg.021  usbimg.027


Note that the first segmented volume has the extension .000 rather than .001. Some
Windows forensics tools can't read a segment set that starts with .000; they look for
.001. If your forensics tool requires a starting extension of .001, rename the files
incrementally, working from the highest-numbered segment downward so that no
rename overwrites a file that hasn't been moved yet: in the listing above, .030 becomes
.031, then .029 becomes .030, and so on, until .000 becomes .001.
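The renaming procedure just described, done in the safe order, as an added example that is not part of the book. dcfldd isn't in coreutils, so the script produces a dcfldd-style .000, .001, ... set with dd from a constructed 256 KiB file; the prefix usbimg., the 32 KiB segment size and the helper names are assumptions. A final hash comparison confirms that renaming moved every segment and changed no bytes.

```shell
#!/bin/sh
# Added example: renames a dcfldd-style segment set (.000, .001, ...) so that it
# starts at .001, in the safe order, then checks the bytes are untouched.
# dcfldd isn't in coreutils, so the .000-style set is produced here with dd from
# a constructed 256 KiB file; the prefix usbimg. and 32 KiB segments are assumptions.
set -e

WORK=$(mktemp -d)
head -c 262144 /dev/urandom > "$WORK/fake_sda"   # constructed stand-in for /dev/sda

# Produce usbimg.000, usbimg.001, ... the way dcfldd's split= option names them.
# Assumes the source size is a whole multiple of the segment size, as it is here.
segment_like_dcfldd() {  # $1 = source, $2 = prefix incl. trailing dot, $3 = segment bytes
    total=$(( $(wc -c < "$1") / $3 )); k=0
    while [ "$k" -lt "$total" ]; do
        dd if="$1" bs="$3" skip="$k" count=1 2>/dev/null > "$2$(printf '%03d' "$k")"
        k=$((k + 1))
    done
}

# Lowest suffix present, e.g. 000 or 001.
first_suffix() {  # $1 = prefix incl. trailing dot
    ls "$1"[0-9][0-9][0-9] | sort | head -n 1 | sed 's/.*\.//'
}

# Shift every suffix up by one. Work from the highest suffix downward: renaming
# .000 to .001 first would overwrite the real .001 and silently lose a segment.
renumber_from_001() {  # $1 = prefix incl. trailing dot
    ls "$1"[0-9][0-9][0-9] | sort -r | while read -r f; do
        n=${f##*.}                                # current suffix, e.g. 007
        new=$(printf '%03d' "$(expr "$n" + 1)")   # expr reads 007 as decimal 7
        mv "$f" "$1$new"
    done
}

# OK when the segments, read in order, still concatenate to the source bytes.
verify_segments() {  # $1 = source, $2 = prefix incl. trailing dot
    src=$(md5sum < "$1"); seg=$(cat "$2"[0-9][0-9][0-9] | md5sum)
    if [ "$src" = "$seg" ]; then echo OK; else echo MISMATCH; fi
}

segment_like_dcfldd "$WORK/fake_sda" "$WORK/usbimg." 32768   # usbimg.000 .. usbimg.007
```

Run renumber_from_001 "$WORK/usbimg." after the last line and the set becomes usbimg.001 through usbimg.008; record the rename in your notes, because the hash log from the acquisition still refers to the original names.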
Another useful dcfldd option is vf (verify file), which compares the image file
with the original medium, such as a partition or drive. The vf option applies only to a
nonsegmented image file. To validate segmented files from dcfldd, use the md5sum or
sha1sum command described previously. To use the vf option, you enter the following
command at the shell prompt:

dcfldd if=/dev/sda vf=sda_hash.img

For additional information on dcfldd, see the man page.

Windows Validation Methods


Unlike Linux, Windows ships no hashing tools intended for digital forensics,
although its built-in certutil -hashfile command and PowerShell's Get-FileHash
cmdlet can compute MD5 and SHA-family hashes of individual files. Many Windows
third-party programs do have a variety of built-in hashing tools. These third-party
programs range from hexadecimal editors, such as X-Ways WinHex or Breakpoint
Software Hex Workshop, to forensics programs, such as OSForensics, Autopsy, EnCase,
and FTK. In Chapter 9, you learn how to hash specific data by using a hexadecimal
editor to locate and verify groups of data that have no file association or are sections
within a file.
Commercial forensics programs also have built-in validation features. Each
program has its own validation technique used with acquisition data in its proprietary
format. For example, Autopsy uses MD5 to validate an image. It reads the metadata
in Expert Witness Compression or AFF image files to get the original hash. If the
hashes don’t match, Autopsy notifies you that the acquisition is corrupt and can’t be
considered reliable evidence.
In Autopsy and many other forensics tools, however, raw format image files
don’t contain metadata. As mentioned, a separate manual validation is recommended
for all raw acquisitions at the time of analysis. The previously generated validation
file for raw format acquisitions is essential to the integrity of digital evidence.
The saved validation file can be used later to check whether the acquisition file is
still good.
In FTK Imager Lite, when you select the Expert Witness Compression (.e01) or the
SMART (.s01) format, additional options for validation are displayed. This validation
report also lists the MD5 and SHA-1 hash values. The MD5 hash value is added to the
proprietary format image or segmented files. When this image is loaded into FTK,
SMART, or X-Ways Forensics (which can read only .e01 and raw files), the MD5 hash is
read and compared with the image to verify whether the acquisition is correct.


You can find other open-source hashing tools online; just search for "windows
open source hash" to find the latest available Windows hashing tools. For example, a
recent search turned up SourceForge md5deep at http://md5deep.sourceforge.net and
Software Informer at http://softwaresolution.informer.com/Hash-Tool.

Performing RAID Data Acquisitions


Acquisitions of RAID drives can be challenging and frustrating for digital forensics
examiners because of how RAID systems are designed, configured, and sized. Size is
the biggest concern because many RAID systems now hold many terabytes or even
petabytes of data. The following sections review common RAID configurations and
discuss ways to acquire data on these large storage devices.

Understanding RAID
Redundant array of independent disks (RAID) is a computer configuration involving
two or more physical disks. Originally, RAID was developed as a data-redundancy
measure to minimize data loss caused by a disk failure. As technology improved, RAID
also provided increased storage capabilities.
Several levels of RAID can be implemented through software (known as "software
RAID") or special hardware controllers (known as "hardware RAID"). Software RAID
is typically implemented from the host computer's OS. Hardware RAID uses its own
controller as well as a processor and memory connected to the host computer. For
more information on RAID configurations, see
www.adaptec.com/nr/rdonlyres/14b2fd84-f7a0-4ac5-a07a-214123ea3dd6/0/4423_sw_hwraid_10.pdf.
For Windows XP, 2000, and NT workstations, software RAID 0 or 1 is available;
the server editions also offer software RAID 5. For a high-end data-processing
environment, hardware RAID 5 is common and is often based in special RAID towers.
These high-end RAID systems usually have integrated controllers that connect to
high-end servers or mainframes. These systems provide redundancy and high-speed
data access and can make many small disks appear as one very large drive.

Note
Other variations of RAID besides 0, 1, and 5 are specific to their vendor or application.


RAID 0 provides rapid access and increased data storage (see Figure 3-8). In RAID
0, two or more disk drives become one large volume, so the computer views the disks
as a single disk. Data is written in fixed-size stripes (64 KB in Figure 3-8) that alternate
across the disks, and the logical addressing scheme makes the stripes appear as one
continuous sequence of blocks. If you have two disks configured as RAID 0, the first
stripe goes on the first physical disk, the second on the second disk, the third back on
the first, and so on. When viewed from a booted OS, such as Windows XP or later, the
two disks appear as one large disk. The advantage of RAID 0 is increased speed and
data storage capability spread over two or more disks that can be one large disk
partition. Its biggest disadvantage is lack of redundancy: if any one disk fails, the
whole volume is lost, because every file larger than a stripe is spread across all disks.

[Figure 3-8 placeholder: a 128 KB file written as two 64 KB stripes across Disk 1 and Disk 2 of a four-disk RAID 0 set]

Figure 3-8 RAID 0: Striping

RAID 1, shown in Figure 3-9, is made up of two disks for each volume and is
designed for data recovery in the event of a disk failure. The contents of the two disks
in RAID 1 are identical. When data is written to a volume, the OS writes the data
twice—once to each disk at the same time. If one drive fails, the OS switches to the
other disk.

[Figure 3-9 placeholder: a 128 KB file written in full to both Disk 1 and Disk 2 of a RAID 1 mirror]

Figure 3-9 RAID 1: Mirroring



RAID 1 ensures that data isn't lost and helps prevent computer downtime. The
main disadvantage of RAID 1 is that it takes two disks for each volume, which doubles
the cost of disk storage.
Like RAID 0, RAID 2 (see Figure 3-10) provides rapid access and increased storage by
configuring two or more disks as one large volume. The difference with RAID 2 is that
data is striped at the bit level and an error-correcting code (ECC) is stored on dedicated
disks, so read errors can be detected and corrected. RAID 2, therefore, has better data
integrity checking than RAID 0. Because of the bit-level writes and the ECC, however,
RAID 2 is slower than RAID 0 and is rarely used in practice.

[Figure 3-10 placeholder: File 1 (3 KB) and File 2 (1 KB) split bit-wise across Disks 1-3, with ECC/parity on Disk 4]

Figure 3-10 RAID 2: Striping (bit level)

RAID 3 uses data striping and dedicated parity and requires at least three disks.
Similar to RAID 0, RAID 3 stripes data across all disks that make up one volume, but
at the byte level. RAID 3 also stores parity of the data so that the contents of a failed
disk can be reconstructed from the remaining disks. This dedicated parity is stored on
one disk in the RAID 3 array. Like RAID 3, RAID 4 uses data striping and dedicated
parity, except data is written in blocks rather than bytes.
RAID 5 (see Figure 3-11) stripes data across all disks in the array like RAID 0 and
RAID 3, but unlike RAID 3 it distributes the parity blocks across every disk instead
of dedicating one disk to parity. If a disk in the array fails, the data it held is rebuilt
automatically from the data and parity on the other disks when the failed drive is
replaced.

[Figure 3-11 placeholder: File 1 (12 KB) and File 2 (16 KB) written as 4 KB blocks across Disks 1-4, with each stripe's parity block rotated to a different disk]

Figure 3-11 RAID 5: Block-level striping with distributed parity



RAID 6 works like RAID 5 but stores two independent parity blocks per stripe
(double parity), distributed across the disks in the array. The advantage of RAID 6
over RAID 5 is that the array survives the failure of any two disks at the same time,
because the second parity block can rebuild the data the first one can't.
RAID 10, or mirrored striping, also known as RAID 1+0, is a combination of RAID
1 and RAID 0. It provides fast access and redundancy of data storage. RAID 15, or
mirrored striping with parity, also known as RAID 1+5, is a combination of RAID 1 and
RAID 5. It offers the most robust data recovery capability and speed of access of all
RAID configurations and is also more costly.

Acquiring RAID Disks


There’s no simple method for getting an image of a RAID server’s disks. You need to
address the following concerns:
• How much data storage is needed to acquire all data for a forensics image?
• What type of RAID is used? Is it Windows RAID 0 or 1 or an integrated hardware-
firmware vendor’s RAID 5, 10, or 15? Is it another unknown configuration or OS?
• If it’s a RAID 1, 10, or 15 server, do you need to have all drives connected so that
the OS sees their contents? Some older RAID 1 systems required connecting both
drives to make the data readable, which might also apply to RAID 10 and 15.
• Do you have an acquisition tool capable of copying the data correctly?
• Can the tool read a forensic copy of a RAID image?
• Can the tool read split data saves of each RAID disk, and then combine all images
of each disk into one RAID virtual drive for analysis?
With the larger disks now available, copying small RAID systems to one large disk
is possible, similar to the way non-RAID suspect drives are copied. For example, a
small server running eight 36 GB SCSI drives in a RAID 0 tower (about 288 GB of
data) fits on a 300 GB SATA or IDE (PATA) drive. Less data storage is needed if a
proprietary format acquisition is used with compression applied. Forensics analysis
tools can then analyze the image as one large drive rather than eight separate drives.
Several forensics vendors have added RAID recovery features. These vendors
typically specialize in one or two types of RAID formats. The following are some
vendors offering RAID acquisition functions:
• Guidance Software EnCase
• X-Ways Forensics
• AccessData FTK
• Runtime Software
• R-Tools Technologies
You should know which vendor supports which RAID format and keep up to date
on the latest improvements in these products.
Being able to separate each physical disk into smaller save sets eliminates the
need to have one large drive for storing acquired data. Acquiring RAID data requires

Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

68944_ch03_hr_093-142.indd 128 3/7/18 3:27 PM


CHAPTER 3 Data Acquisition 129

only target drives of about the same size as each disk in the RAID array. For example,
with a RAID 0 array of three 2 TB disks, all you need are three 2 TB target drives.
If each acquisition is compressed, you might be able to get by with slightly smaller
target drives.
Tools such as Runtime Software (www.runtime.org) and R-Tools Technologies
(www.r-tt.com) are designed as data recovery tools. Although not intended as forensics
acquisition tools, they have unique features that can aid in recovering corrupted RAID
data and can perform raw format acquisitions and repair broken RAID 0 and 5 systems.
The Runtime RAID Reconstructor tool copies the original RAID to a raw format file,
which must then be restored on another RAID-configured system where repairs can
be performed. It also scans and corrects errors on the newly copied RAID. R-Tools
R-Studio creates a virtual volume of the RAID image file. All repairs are made on the
virtual volume, which can then be restored to the original RAID.
Occasionally, a RAID system is too large for a static acquisition. Under ideal
circumstances, your goal is to collect a complete image of evidence drives. Because
RAID systems can have dozens or more terabytes of data storage, copying all data
isn’t always practical. For these occasions, retrieving only the data relevant to the
investigation with the sparse or logical acquisition method is the only practical
solution. When dealing with very large RAID servers, consult with the forensics vendor
to determine how to best capture RAID data. Another possible solution is renting a
portable RAIDBank for your acquisition.
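The concern raised above about combining the separate images of each RAID disk into
one virtual drive can be worked through by hand for the simplest case, RAID 0. The
following shell script is an added example; it is not code from the textbook or from
any of the vendors named above. It assumes that the chunk (stripe unit) size is known
from the controller or mdadm metadata, that the member images are passed in array
order, that all members are the same length, and that member data starts at offset 0
of each image (an array with mdadm v1.2 metadata keeps its data at an offset that
would have to be skipped first). The two 8-byte member images built by demo are
constructed test data.

```shell
#!/bin/sh
# Added example (not from the textbook or any vendor tool): rebuild a RAID 0
# volume image from the raw images of its member disks so that an analysis
# tool can examine it as one drive.
# Assumptions: chunk size known, members in array order, equal member sizes,
# member data beginning at offset 0 of each image.
set -eu

# member_size IMAGE -> length in bytes
member_size() { wc -c < "$1" | tr -d ' '; }

# check_members IMAGE... : every member must be the same size or the stripe
# arithmetic below is wrong; prints the common size, fails otherwise
check_members() {
  first=$(member_size "$1")
  for m in "$@"; do
    [ "$(member_size "$m")" -eq "$first" ] ||
      { echo "member size mismatch: $m" >&2; return 1; }
  done
  echo "$first"
}

# raid0_reassemble OUT CHUNK_BYTES MEMBER1 MEMBER2 ...
# Stripe s of the volume is chunk s of member 1, then chunk s of member 2,
# and so on; dd with bs=chunk skip=s count=1 reads exactly one chunk.
raid0_reassemble() {
  out=$1; chunk=$2; shift 2
  size=$(check_members "$@")
  stripes=$(( size / chunk ))
  : > "$out"
  s=0
  while [ "$s" -lt "$stripes" ]; do
    for m in "$@"; do
      dd if="$m" bs="$chunk" skip="$s" count=1 2>/dev/null >> "$out"
    done
    s=$(( s + 1 ))
  done
}

# volume_md5 FILE -> hash to record in the case notes with the member hashes
volume_md5() { md5sum < "$1" | cut -d' ' -f1; }

# demo: two constructed 8-byte members, 4-byte chunk; prints the rebuilt volume
demo() {
  work=$(mktemp -d)
  printf 'AAAACCCC' > "$work/disk0.raw"   # constructed member 0
  printf 'BBBBDDDD' > "$work/disk1.raw"   # constructed member 1
  raid0_reassemble "$work/volume.raw" 4 "$work/disk0.raw" "$work/disk1.raw"
  cat "$work/volume.raw"                  # AAAABBBBCCCCDDDD
}
```

Running demo prints the interleaved volume. For a real array the same loop works
with the chunk size the controller reports, although for multi-terabyte members
attaching the images as loop devices and assembling them with mdadm --build is far
faster. Hash each member image and the rebuilt volume and keep both sets of hashes,
because the rebuilt volume, not the members, is what the analysis tool examines.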

Using Remote Network Acquisition Tools


Recent improvements in forensics tools include the capability to acquire disk data or
data fragments (sparse or logical) remotely. With this feature, you can connect to a
suspect computer remotely via a network connection and copy data from it. Remote
acquisition tools vary in configurations and capabilities. Some require manual
intervention on remote suspect computers to initiate the data copy. Others can
acquire data surreptitiously through an encrypted link by pushing a remote access
program to the suspect’s computer. From an investigation perspective, being able to
connect to a suspect’s computer remotely to perform an acquisition has tremendous
appeal. It saves time because you don’t have to go to a suspect’s computer, and it
minimizes the chances of a suspect discovering that an investigation is taking place.
Most remote acquisitions have to be done as live acquisitions, not static acquisitions.
When performing remote acquisitions, advanced privileges are required to push agent
applications to the remote system.
There are some drawbacks to consider, such as antivirus, antispyware, and firewall
tools on the suspect computer, which can block the agent or alert the user to it.
Most of these security programs can be configured to ignore a known remote access
program. However, if suspects have administrator rights on their computers, they
could easily install their own security tools that trigger an alarm to notify them of
remote access intrusions.


The following sections describe methods used by digital forensics tools that have
the capability to perform remote acquisitions. An older version of ProDiscover is
used as an example to show how remote acquisitions work. Other vendors’ remote
acquisition functions work similarly. Chapter 10 covers other resources for data copying
and explains how to perform a live forensics acquisition.

Remote Acquisition with ProDiscover


ProDiscover Incident Response is designed to be integrated as a network intrusion
analysis tool and is useful for performing remote acquisitions. When connected
to a remote computer, it uses the same ProDiscover acquisition method described
previously. After the connection is established, the remote computer is displayed in the
Capture Image dialog box. This tool offers all the functions and features of other tools
in the ProDiscover suite plus the following:
• Capture volatile system state information.
• Analyze current running processes on a remote system.
• Locate unseen files and processes on a remote system that might be running
malware or spyware.
• Remotely view and listen to IP ports on a compromised system.
• Run hash comparisons on a remote system to search for known Trojans and
rootkits.
• Create a hash inventory of all files on a system remotely (a negative hash search
capability) to establish a baseline for comparison if the system is later attacked.
The ProDiscover utility for remote access is the PDServer remote agent, which must
be loaded on the suspect computer before ProDiscover Incident Response can access it.
This remote agent can be installed in three different ways:
• Trusted CD—For this manual installation method, ProDiscover can create a
special CD/DVD or USB drive containing the PDServer remote agent. It’s used to
load PDServer manually on the suspect computer.
• Preinstallation—For networks with a configured OS, the PDServer remote agent
can be added to the standard installation of high-risk computers, which enables
network security administrators to respond to network attacks and malware
contaminations quickly. Any network management tool, such as DameWare
(www.dameware.com) or Hyena (www.systemtools.com/hyena/), can be used to
initiate a connection with ProDiscover. This is a remote method of installing the
remote acquisition tool.
• Pushing out and running remotely—Downloading PDServer to a remote computer
helps investigators respond quickly to incidents. Data is collected in real time
when using this function. This is a remote method of installing the remote
acquisition tool.
With PDServer, you have the option of running it in a stealth mode to hide it
from the suspect. Note that Windows Task Manager lists the process as PDServer. To
disguise it, you can change the process name so that it appears to be an OS function in
the suspect computer’s Task Manager. In addition, the following security features are
available for remote connections:
• Password protection—PDServer on the target computer is password-protected,
and the password is encrypted at all times.
• Encryption—All communication between PDServer on the suspect’s and
investigator’s computers can be encrypted. ProDiscover provides 256-bit
Advanced Encryption Standard (AES) or Twofish encryption for the connection.
• Secure communication protocol—All connections between the suspect’s and
examiner’s computers have globally unique identifiers (GUIDs) to prevent
inserting packets in the data stream.
• Write-protected trusted binaries—PDServer can run from a write-protected device,
such as a CD.
• Digital signatures—PDServer and its removal device driver, PARemoval.sys, are
digitally signed to verify that they haven’t been tampered with before and during
the remote connection.

Note
For more information on ProDiscover, see www.arcgroupny.com.

Remote Acquisition with EnCase Enterprise


Guidance Software was the first forensics vendor to develop a remote acquisition and
analysis tool based on its desktop tool EnCase. This remote tool, EnCase Endpoint
Investigator, can perform the following functions:
• Search and collect internal and external network systems over a wide
geographical area
• Support multiple OSs and file systems
• Triage to help determine systems’ relevance to an investigation
• Perform simultaneous searches of up to five systems at a time
For more information, see www.guidancesoftware.com/docs/default-source/document-library/product-brief/encase-endpoint-investigator-product-overview.pdf.

Remote Acquisition with R-Tools R-Studio


The R-Tools suite of software is designed for data recovery. As part of this recovery
capability, the R-Studio network edition can remotely access networked computer
systems. R-Studio network edition produces raw format acquisitions, and it can recover
many different file systems, including ReFS. For more information on R-Studio, see
www.r-studio.com.


Remote Acquisition with WetStone US-LATT PRO


US-LATT PRO, part of a suite of tools developed by WetStone, can connect to a
networked computer remotely and perform a live acquisition of all drives connected to
it. For more information on this tool, see www.wetstonetech.com/product/us-latt/.

Remote Acquisition with F-Response


F-Response is a vendor-neutral specialty remote access utility designed to work
with any digital forensics program. When installed on a remote computer, it sets up
a secure, read-only connection through which forensics examiners can access that
computer. With F-Response, examiners can access remote drives at the physical level and
view raw data. After the F-Response connection has been set up, any forensics
acquisition tool can be used to collect digital evidence.
F-Response is sold in four different versions: Enterprise Edition, Consultant +
Convert Edition, Consultant Edition, and TACTICAL Edition. For the latest information
on F-Response, see www.f-response.com.

Using Other Forensics Acquisition Tools


In addition to the tools you’ve learned about already, you can use other commercial
acquisition tools, described in the following sections. Prices for some tools are
discounted for law enforcement officers working in digital forensics.

PassMark Software ImageUSB


PassMark Software’s ImageUSB, a companion tool to its OSForensics analysis product,
writes an image file to a USB flash drive or creates an image file from one. To create
a bootable flash drive with it, you need Windows XP or later and ImageUSB downloaded
from the OSForensics Web site. For more information on ImageUSB, see
www.osforensics.com/tools/write-usb-images.html.

ASR Data SMART


ASR Data SMART is a Linux forensics analysis tool that can make image files of a
suspect drive. SMART can produce proprietary or raw format images and includes the
following capabilities:
• Robust data reading of bad sectors on drives
• Mounting suspect drives in write-protected mode
• Mounting target drives, including NTFS drives, in read/write mode
• Optional compression schemes to speed up acquisition or reduce the amount of
storage needed for acquired digital evidence
For more information on SMART, see www.asrdata.com.


Runtime Software
In addition to RAID Reconstructor, Runtime Software offers several compact shareware
programs for data acquisition and recovery, including DiskExplorer for FAT and
DiskExplorer for NTFS. Runtime has designed its tools to be file system specific, so
DiskExplorer versions for both FAT and NTFS are available. These tools offer the
following features for acquisition needs:
• Create a raw format image file.
• Segment the raw format or compressed image for archiving purposes.
• Access network computers’ drives.
For more information on Runtime Software, see www.runtime.org/raid.htm.

ILookIX IXImager
IXImager runs from a bootable thumb drive or CD/DVD. It’s a stand-alone proprietary
format acquisition tool designed to work only with ILookIX. It can acquire single drives
and RAID drives. It supports IDE (PATA), SCSI, USB, and FireWire devices. The IXImager
proprietary format can be converted to a raw format if other analysis tools are used.
For more information on IXImager, see www.perlustro.com/solutions/e-forensics/iximager.

SourceForge
SourceForge provides several applications for security, analysis, and investigations.
For a listing of its current tools, see https://sourceforge.net/directory/os:windows/.
SourceForge also offers a Windows version of dcfldd; for updates, go to
https://sourceforge.net/projects/dcfldd/.

Chapter Summary
• Forensics data acquisitions are stored in three different formats: raw, proprietary,
and AFF. Most proprietary formats and AFF store metadata about the acquired data in
the image file.
• The four methods of acquiring data for forensics analysis are disk-to-image file,
disk-to-disk copy, logical disk-to-disk or disk-to-data file, and sparse data copy of a
folder or file.
• Lossless compression for forensics acquisitions doesn’t alter the data when it’s
restored, unlike lossy compression. Lossless compression can compress up to 50% for
most data. If data is already compressed on a drive, lossless compression might not
save much more space.
• If there are time restrictions or too much data to acquire from large drives or RAID
drives, a logical or sparse acquisition might be necessary. Consult with your lead
attorney or supervisor first to let them know that collecting all the data might not
be possible.
• You should have a contingency plan to ensure that you have a forensically sound
acquisition and make two acquisitions if you have enough data storage. The first
acquisition should be compressed, and the second should be uncompressed. If one
acquisition becomes corrupt, the other one is available for analysis.
• Write-blocking devices or utilities must be used with GUI acquisition tools in both
Windows and Linux. Practice with a test drive rather than a suspect drive, and use a
hashing tool on the test drive to verify that no data was altered.
• Always validate your acquisition with built-in tools from a forensics acquisition
program, a hexadecimal editor with MD5 or SHA-1 hashing functions, or the Linux
md5sum or sha1sum commands.
• A Linux Live CD, such as Ubuntu, openSUSE, Arch Linux, Fedora, or Slackware, provides
many useful tools for digital forensics acquisitions.
• The preferred Linux acquisition tool is dcfldd instead of dd because it was designed
for forensics acquisition. The dcfldd tool is also available for Windows. Always
validate the acquisition with the hashing features of dcfldd and md5sum or sha1sum.
• When using the Linux dd or dcfldd commands, remember that reversing the output field
(of=) and input field (if=) of suspect and target drives could write data to the wrong
drive, thus destroying your evidence. If available, you should always use a physical
write-blocker device for acquisitions.
• To acquire RAID disks, you need to determine the type of RAID and which acquisition
tool to use. With a firmware-hardware RAID, acquiring data directly from the RAID
server might be necessary.
• Remote network acquisition tools require installing a remote agent on the suspect
computer. The remote agent can be detected if suspects install their own security
programs, such as a firewall.

Key Terms
Advanced Forensic Format (AFF)
host protected area (HPA)
live acquisitions
logical acquisition
raw format
redundant array of independent disks (RAID)
sparse acquisition
static acquisitions
whole disk encryption

Review Questions
1. What’s the main goal of a static acquisition?
2. Name the three formats for digital forensics data acquisitions.
3. What are two advantages and disadvantages of the raw format?
4. List two features common with proprietary format acquisition files.
5. Of all the proprietary formats, which one is the unofficial standard?
6. Name two commercial tools that can make a forensic sector-by-sector copy of a drive
to a larger drive.
7. What does a logical acquisition collect for an investigation?
8. What does a sparse acquisition collect for an investigation?
9. What should you consider when determining which data acquisition method to use?
10. Why is it a good practice to make two images of a suspect drive in a critical
investigation?
11. When you perform an acquisition at a remote location, what should you consider to
prepare for this task?
12. With newer Linux kernel distributions, what happens if you connect a hot-swappable
device, such as a USB drive, containing evidence?
13. In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the
following dcfldd command correct?
dcfldd if=image_file.img of=/dev/hda1
14. What’s the most critical aspect of digital evidence?
15. What’s a hashing algorithm?
16. In the Linux dcfldd command, which three options are used for validating data?
17. What’s the maximum file size when writing data to a FAT32 drive?
18. What are two concerns when acquiring data from a RAID server?
19. With remote acquisitions, what problems should you be aware of? (Choose all that
apply.)
a. Data transfer speeds
b. Access permissions over the network
c. Antivirus, antispyware, and firewall programs
d. The password of the remote computer’s user
20. Which forensics tools can connect to a suspect’s remote computer and run
surreptitiously?
21. EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original
disk. True or False?
22. FTK Imager can acquire data in a drive’s host protected area. True or False?

Hands-On Projects
Create a Chap03\Projects folder under your work folder. Then copy the data files from the
downloads section for this chapter (on the student companion site for this book) to this work
subfolder. If necessary, extract any compressed files to this subfolder.

Hands-On Project 3-1


In this project, you prepare a drive and create a FAT32 disk partition using Linux. You need
the following:
• A Linux distribution or Linux Live CD
• A disk drive


• A method of connecting a disk drive to your workstation, such as USB, FireWire, external
SATA, or internal connections, such as PATA or SATA
• A review of the steps in the “Preparing a Target Drive for Acquisition in Linux” section
To format a drive as FAT32 in Linux, follow these steps:
1. Connect the target drive to be partitioned and formatted as FAT32 to your workstation.
2. Start your workstation, and log on or boot the Linux Live CD.
3. Follow the steps in the “Preparing a Target Drive for Acquisition in Linux” section.
4. When you’ve finished formatting the target drive, leave it connected for the next project.

Hands-On Project 3-2


In this project, you use the Linux dd command to make an acquisition split into 30 MB
segmented volumes. Then you validate the data by using the Linux md5sum command on the
original drive and the image files. The output for md5sum is then redirected to a data file kept
with the image files. For this project, you need the following:
• A Linux distribution or Linux Live CD
• The FAT32 target drive partitioned and formatted in Hands-On Project 3-1
• A method of connecting that FAT32 target drive and the drive to be imaged to
your workstation, such as USB, FireWire, external SATA, or internal connections, such as
PATA or SATA
• A review of the “Acquiring Data with dd in Linux” and “Validating dd-Acquired Data” sections
Follow these steps:
1. Make sure you’ve connected the drive you prepared in Hands-On Project 3-1 to your
Linux workstation.
2. Start your workstation, if necessary, and log on to Linux or boot the Linux Live CD.
3. Reboot the Linux system, and make the dd acquisition, following the steps in “Acquiring
Data with dd in Linux.” For the split -b command, make the segmented size 30m,
and use the -d switch to create numeric extensions for each segmented file.
4. When the acquisition is finished, do a validation of the suspect drive and the acquired
image files. Follow the steps in the “Validating dd-Acquired Data” section. When you’re
finished, keep the terminal window open, and keep Linux running for the next project.

Hands-On Project 3-3


Digital forensics examiners are sometimes asked to restore an image file to a disk drive.
In this project, you learn how to perform this task. To prepare for this project, you need
the following items:
• Two USB drives formatted as FAT16 or FAT32 with at least 120 MB of free space

Note
Both USB drives should be formatted as FAT16 or FAT32. Your version of Linux might
not be able to read or write data to USB media formatted as NTFS.


• A Linux distribution, Linux Live CD, or a computer running Linux with at least two USB ports
• The GCFI-datacarve-FAT.dd data file (extracted from CH03ProjDataFiles.exe to
your work folder)

Data-Loading Procedure in Linux


First, you transfer data from the GCFI-datacarve-FAT.dd file to the target drive. Second,
you restore the image file to another USB drive. Follow these steps:
1. On your Windows computer, copy the GCFI-datacarve-FAT.dd file to one of your
USB drives.
2. Start your Linux workstation, if necessary. If you’re using your Windows computer
with a Linux Live CD, connect the second USB drive to the computer to serve
as the target drive. If you’re using a computer running Linux, connect both USB
drives to it.
3. In Linux, open a terminal window, if necessary. To switch to the superuser account, type
su and press Enter, and at the password prompt, type the root password and press
Enter.
4. Type df and press Enter to list the mounted file systems, as shown in Figure 3-12.
This output identifies the Linux-assigned device pathnames (such as /dev/sdh1) and
mount points of the attached USB drives.

Figure 3-12 Displaying a disk’s file system (Source: Linux Foundation.)

Note
Different distributions of Linux display slightly different names, as shown in
Figure 3-13. For example, note that the /media directory in LinuxMint lists a joe
subdirectory and an oem subdirectory. DeftZ Linux shows the /media directory’s
subdirectories as cdrom and root. Subdirectory names vary depending on the Linux
distribution you’re using. Remember to substitute the correct directory names for
commands in this and other projects.


Figure 3-13 Examples of how different Linux distributions display the /media directory
(Source: Linux Foundation.)

Note
The following steps were performed in LinuxMint. These commands work the same
in other Linux distributions and most Linux Live CDs. If necessary, replace the
subdirectory name joe with the correct name for your distribution.

5. To determine which USB drive contains the image file GCFI-datacarve-FAT.dd and
which one is empty of any data, type ls /media/joe/FC11-3D2E and press Enter,
and then type ls /media/joe/UDISK (see Figure 3-14) and press Enter.

Note
Some USB drives have a hexadecimal number or a vendor-assigned name, such as
the FC11-3D2E shown in Figure 3-14. Substitute the subdirectory names displayed
with the commands in Step 5.

Figure 3-14 Showing the contents of subdirectories in the /media/joe directory
(Source: Linux Foundation.)


Note
For this example, the UDISK subdirectory shows only the FAT System Volume
Information file. The FC11-3D2E subdirectory shows the GCFI-datacarve-FAT.dd
file, which will be restored from FC11-3D2E to UDISK.

6. Type dd if=/media/joe/FC11-3D2E/GCFI-datacarve-FAT.dd of=/dev/sdh1 bs=64
conv=noerror,sync status=progress and press Enter. Here /dev/sdh1 is the device name
that df listed for the empty UDISK drive; substitute the device name shown on your
system, and check it twice, because dd overwrites whatever drive of= points at.
Figure 3-15 shows the output.

Figure 3-15 The dd command for restoring an image to a disk drive (Source: Linux Foundation.)

7. When the data has finished copying, continue to the next project. If you’re not
continuing, close the terminal window and log off Linux.

Hands-On Project 3-4


For this project, you use the dd command to make segmented image files of the restored
USB drive created in Hands-On Project 3-3. To prepare, you need the following:
• One USB drive containing the restored image GCFI-datacarve-FAT.dd from Hands-On
Project 3-3
• One USB drive formatted as FAT16 or FAT32 with at least 120 MB of free space
• A Linux distribution, Linux Live CD, or a computer running Linux with at least two USB ports
To make this acquisition, follow these steps:
1. If necessary, connect the two USB drives and boot the system to Linux, and then open a
terminal window.
2. Type su and press Enter, and then type the root password, if necessary, and press
Enter.
3. Type df -h and press Enter to list all devices attached to the computer and see the
assigned pathnames.
4. Change your current working directory to the USB drive containing the
GCFI-datacarve-FAT.dd file by typing cd /media/root/usbdrive and pressing Enter.

Note
Replace /root/usbdrive with the path listed in the df -h command output.


5. Examine the output of the df -h command from Step 3 to see how much space (under
the Avail column) is available on the USB drive, /media/root/usbdrive. If there’s less
than 120 MB, type rm GCFI-datacarve-FAT.dd and press Enter to delete the file and
make space for writing the segmented image files.
6. Type dd if=/dev/sdb | split -b 50m - GCFI-datacarve-FAT. -d and press
Enter.

Note
Replace sdb with the USB drive that received the image file created in Hands-On
Project 3-3. To reduce the number of segmented files, change the 50m to 650m or
larger.

7. When the acquisition is finished, type ls -l and press Enter to see how many
segmented files were produced.
8. Shut down the acquisition workstation, remove the USB drives, and remove the Linux
Live CD, if necessary.
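Hands-On Project 3-4 produces the segments but leaves validation to the reader. The following added script (not from the textbook) wraps the same dd | split pipeline in functions that hash the source, record a SHA-256 for every segment, and confirm that the reassembled segments reproduce the source hash; it uses a constructed sample file in place of /dev/sdb, and the function names are my own.

```shell
#!/bin/sh
# Added example modelled on Hands-On Project 3-4 (not the textbook's code).
# Requires GNU coreutils (split -d, sha256sum, dd status=none).
set -eu

# acquire_segmented SOURCE PREFIX SEGSIZE
#   Images SOURCE through dd, splits the stream into PREFIX000, PREFIX001, ...
#   of SEGSIZE bytes each, writes per-segment SHA-256 values plus the source
#   hash to PREFIXsha256, and prints the source hash on stdout.
acquire_segmented() {
    src=$1; prefix=$2; segsize=$3
    # Hash the source first: this is the value the reassembled image must match.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    # conv=noerror,sync is deliberately omitted: it zero-pads a short final
    # read to bs, which would change the hash of anything not a multiple of bs.
    # -a 3 allows up to 1000 segments; split aborts if the suffixes run out.
    dd if="$src" bs=1M status=none | split -b "$segsize" -d -a 3 - "$prefix"
    {
        echo "$src_hash  source"
        sha256sum "$prefix"[0-9][0-9][0-9]
    } > "${prefix}sha256"
    printf '%s\n' "$src_hash"
}

# verify_segments PREFIX EXPECTED_HASH
#   Concatenates the segments in suffix order (zero-padded, so the shell glob
#   sorts correctly) and succeeds only if their SHA-256 equals EXPECTED_HASH.
verify_segments() {
    prefix=$1; expected=$2
    actual=$(cat "$prefix"[0-9][0-9][0-9] | sha256sum | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Demo on constructed data: a 120 KiB "drive" split into 50 KiB segments,
# which yields three files, just as a real device would with -b 50m.
demo() {
    work=$(mktemp -d)
    head -c 122880 /dev/urandom > "$work/sample.dd"
    h=$(acquire_segmented "$work/sample.dd" "$work/GCFI-datacarve-FAT." 50k)
    n=$(ls "$work"/GCFI-datacarve-FAT.[0-9][0-9][0-9] | wc -l)
    verify_segments "$work/GCFI-datacarve-FAT." "$h" && echo "segments=$n hash OK"
    rm -rf "$work"
}
demo
```

Keep the PREFIXsha256 file with the segments: re-running verify_segments against the recorded source hash is the check you repeat before analysis and again before testimony.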

Case Projects
Case Project 3-1
Your supervisor has asked you to research current acquisition tools. Using your preferred
Internet search engine and the vendors listed in this chapter, prepare a report containing the
following information for each tool and stating which tool you would prefer to use:
• Forensics vendor name
• Acquisition tool name and latest version number
• Features of the vendor’s product
With this data collected, prepare a spreadsheet listing vendors in the rows. For the column
headings, list the following features:
• Raw format
• Proprietary format
• AFF format
• Other proprietary formats the tool can read
• Compression of image files
• Remote network acquisition capabilities
• Method used to validate (MD5, SHA-1, and so on)

Case Project 3-2


At a murder scene, you have started making an image of a computer’s drive. You’re in the
back bedroom of the house, and a small fire has started in the kitchen. If the fire can’t be
extinguished, you have only a few minutes to acquire data from a 10 GB hard disk. Write one
to two pages outlining your options for preserving the data.

Case Project 3-3


You need to acquire an image of a disk on a computer that can’t be removed from the scene,
and you discover that it’s a Linux computer. What are your options for acquiring the image?
Write a brief paper specifying the hardware and software you would use.

Case Project 3-4


A bank has hired your firm to investigate employee fraud. The bank uses four 20 TB
machines on a LAN. You’re permitted to talk to the network administrator, who is familiar
with where the data is stored. What diplomatic strategies should you use? Which acquisition
method should you use? Write a two-page report outlining the problems you expect to
encounter, explaining how to rectify them, and describing your solution. Be sure to address
any customer privacy issues.

Case Project 3-5


You’re investigating a case involving a 2 GB drive that you need to copy at the scene. Write
one to two pages describing the three types of acquisitions—physical, logical, and sparse—
you can use to copy the drive accurately. Be sure to include your software and media choices.

Case Project 3-6


Your supervisor has asked you to list the acquisition tools available on a forensic Linux Live
CD. Download the current ISO version of Deft (www.deftlinux.net), CAINE (www.caine-live.net),
Kali Linux (www.kali.org), or Penguin Sleuth (www.linux-forensics.com), and then create a
bootable CD or DVD of it. Start it on your workstation and survey its tools. Then write a one-
to two-page report containing a brief description of each acquisition utility on the CD or DVD.
