Digital Forensics
Module 2: Data Acquisition and Recovery
Dr. Nagaraj S V & Prof Seshu Babu Pulagara,
VIT Chennai
Storage formats
 Three formats are commonly used to store acquired data as image files:
 Raw format
 Proprietary formats
 Advanced Forensics Format (AFF)
Raw Format
 Bit-stream data is written to a file as-is, with no header, compression or embedded metadata
 Benefits
1. Many digital forensics tools can handle raw format
2. Data transfers can be fast
3. Minor read errors on the source drive can be skipped (e.g. dd's conv=noerror) so the acquisition still completes
 Drawbacks
1. Marginal (bad) sectors may be skipped rather than retried, so the image can contain zero-filled gaps where the source had unreadable sectors
2. Storage needed is at least as much as the original data, since nothing is compressed
3. Hashes and case metadata have to be kept in separate files
Proprietary Formats
 Many proprietary tools possess unique formats
 Capabilities
 Metadata can be included in the image file
 Image files may be compressed if needed
 Images can be split into smaller segmented files
 Drawbacks
 Not easy to share images with other tools because the format is proprietary
 Size limitations for each segmented volume
The Expert Witness format (EWF)
 The Expert Witness file format is an industry standard format for
storing forensic images.
 It is currently widely used in the field of digital forensics in proprietary
tools such as EnCase and FTK
 The format permits a user to read arbitrary offsets in the uncompressed data without decompressing the full stream, because the data is compressed in fixed-size chunks and the file carries a table of chunk offsets.
The Expert Witness format
 EnCase contains functionality to create forensic images of suspect media. Images are stored in the proprietary Expert Witness File format; the compressible format carries case metadata (examiner, case notes, acquisition hash) in a header
 The EWF format was succeeded by the Expert Witness Compression Format version 2 in EnCase 7 (EWF2-Ex01 for physical images and EWF2-Lx01 for logical evidence files)
Exercises - Study
 Martin S. Olivier, Sujeet Shenoi, ed. (2006). Advances in Digital Forensics II. Springer. ISBN 0-387-36890-6.
 https://www.loc.gov/preservation/digital/formats/fdd/fdd000406.shtml
 Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow. Digital Investigation, Volume 6, Supplement, September 2009, Pages S57-S68. https://www.sciencedirect.com/science/article/pii/S1742287609000401
Advanced Forensics Format
 Advanced Forensics Format (AFF) is an open and extensible format
for the storage of disk images and related forensic metadata. It was
developed by Simson Garfinkel and Basis Technology Corp
 See https://sourceforge.net/p/afflib/wiki/Home/
 https://www.loc.gov/preservation/digital/formats/fdd/fdd000412.shtml
Exercise - Study
 Advanced Forensic Format: an Open Extensible Format for
Disk Imaging
https://link.springer.com/chapter/10.1007/0-387-36891-4_2
 https://cs.harvard.edu/malan/publications/aff.pdf
AFF
 Open source
 Works with several platforms and operating systems
 Simple extensible design
 Provision for including metadata in the image files or segmented files
 No size restriction for disk-to-image files
 Provision for compressed or uncompressed image files
 File extensions: .aff for a single-file image, .afd for segmented image files and .afm for AFF metadata stored alongside a separate raw image
Acquisition Methods
 Static acquisitions
 Live acquisitions
 Logical acquisition
 Sparse acquisition
 Remote acquisition
Methods of data acquisition
 Making a sparse data copy of a file or folder
 Making a logical disk-to-disk or disk-to-data-file copy
 Making a disk-to-disk copy
 Making a disk-to-image file
The Best Acquisition Method?
 The best acquisition method varies from case to case. It depends on the situation: the size of the source, the time available, whether the system can be powered off and the drive removed, and whether the data is encrypted.
Making a disk to image file
 Many tools such as SANS Investigative Forensic Toolkit – SIFT,
CAINE, ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways
Forensics, Magnet Axiom, iLookIX support this
 Copies are bit-for-bit reproductions of the original drive
 More than one copy can be made from the same source if needed
 The most commonly used method; it offers the most flexibility because any tool that reads the image format can work from the same file
Making a disk to disk copy
 Tools can adjust the target disk's geometry (cylinders, heads, sectors per track) to match the source so that the copy is usable
 It is often used when a disk-to-image copy is not feasible
 Many tools such as EnCase support this
Exercise
Terms such as mirror image, exact copy, bit-stream image, disk duplicating, disk cloning, and mirroring can confuse novices. Read
https://capsicumgroup.com/2-key-differences-between-digital-forensic-imaging-and-digital-forensic-clone-and-how-they-can-affect-your-legal-case/
to understand why it is important to know the terminology clearly
 Read https://www.ncjrs.gov/pdffiles1/nij/199000.pdf
to see a report about the SafeBack forensic tool
 Read https://en.wikipedia.org/wiki/List_of_digital_forensics_tools for a
list of widely used digital forensic tools
Logical acquisition
 In some situations the time available for acquisition is limited
 In such situations only specific files of interest, or specific file types relevant to the case, are acquired (e.g. a user's mailbox and documents)
 Logical acquisition is the practical choice when the suspect storage is very large (e.g. a RAID volume) and a full-volume or physical acquisition is not feasible onsite
Sparse acquisition
 Used when the disks to acquire are large (e.g. RAID volumes) and there is little time to acquire
 Like a logical acquisition it collects the files of interest, but it also collects fragments of unallocated (deleted) data
 Deleted data and file fragments are therefore acquired as well
 Often used when performing a static acquisition of RAID systems
What is a RAID System?
 RAID ("Redundant Array of Inexpensive Disks" or "Redundant
Array of Independent Disks") is a data storage
virtualization technology that combines multiple physical disk
drive components into one or more logical units for the purposes
of data redundancy, performance improvement, or both.
 See https://en.wikipedia.org/wiki/RAID
 Many tools such as EnCase, X-Ways Forensics, AccessData FTK and ProDiscover can acquire data from RAID systems; however, this is a time-consuming process.
Exercise
 Investigate the difficulties in acquiring data from RAID systems,
Storage Area Networks (SANs), and Network Attached Storage (NAS)
devices
See
https://en.wikipedia.org/wiki/RAID
https://en.wikipedia.org/wiki/Storage_area_network
https://en.wikipedia.org/wiki/Network-attached_storage
 Study different RAID levels
Planning for image acquisition
 Disks may be encrypted. The entire disk could be encrypted with whole-disk encryption (e.g. BitLocker, LUKS, FileVault), or only some partitions or files may be encrypted. Decryption keys or passphrases may be required; if the machine is still running and unlocked, a live acquisition (including RAM, which may hold the keys) should be considered before it is powered off
 It may be necessary to copy the host protected area (HPA) of a disk drive as well. The HPA is an area of a hard drive or solid-state drive that is not normally visible to an operating system.
See https://en.wikipedia.org/wiki/Host_protected_area
 In digital forensics it is necessary to analyze the data in the Host Protected Area, a possibly large hidden region of the hard drive.
 An HPA is an area of a hard drive that is generally inaccessible to the user. The drive reports a reduced capacity to the BIOS and the operating system (ATA IDENTIFY DEVICE), so neither sees the area; it can be detected by comparing that reported capacity with the drive's native maximum address (ATA READ NATIVE MAX ADDRESS, e.g. hdparm -N on Linux).
 The HPA is a reserved area on a hard disk drive. Manufacturers designed it to store data that cannot easily be accessed, changed or modified by a normal user: vendor utilities, diagnostic tools, and possibly boot sector or recovery code.
 The HPA can be misused, for example to hide malware or stolen data, so it is of concern to investigators
Device configuration overlays
 Like the HPA, the Device Configuration Overlay (DCO) is a hidden area on many of today's hard disk drives. It is usually not accessible to the BIOS, OS, or the user. It is set with the ATA DEVICE CONFIGURATION SET command, and some tools (e.g. hdparm --dco-identify) can read and modify it.
 This hidden area is also of concern to investigators due to the possibility of misuse
 See https://en.wikipedia.org/wiki/Device_configuration_overlay
 The DCO can make a 60-gigabyte HDD appear as a 40-gigabyte HDD to both the OS and the BIOS. Vendors use it so that HDDs of slightly different sizes report the same number of sectors
 The potential to hide data using DCOs is of concern to forensic investigators
 Another concern is imaging an HDD that has an HPA and/or a DCO. Some tools may not image the HPA and/or the DCO at all, and an image whose size matches the reported capacity can still be missing those sectors, so check for both before imaging.
 The HPA can therefore be considered as a "hidden area of the hard drive that can contain data in many formats, ranging from raw code or files (possibly encrypted), to complete alternative system or data partitions, and even disk images of operating systems. It can range in size from less than a megabyte to many gigabytes." See Richard Leickly and David K. Angell, 2012
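The following shell script is an added example (not from the slides, and not part of hdparm or any imaging tool) of the check an examiner runs before imaging to see whether an HPA or a DCO is hiding sectors. It parses the output of `hdparm -N` (visible versus native maximum LBA) and `hdparm --dco-identify` ("Real max sectors") and computes how many sectors, and bytes, an imager that reads only the visible range would never acquire. The sample outputs are constructed for the demonstration and modelled on hdparm's format; the device names, numbers and the 512-byte logical sector size are assumptions.

```shell
#!/bin/sh
# Added example: detect HPA/DCO hidden sectors from hdparm output.
# On a live examination the two inputs come from (run as root, with the drive
# attached through a write-blocker that passes ATA commands through):
#   hdparm -N /dev/sdX              -> " max sectors = <visible>/<native>, HPA is enabled|disabled"
#   hdparm --dco-identify /dev/sdX  -> includes "Real max sectors: <dco_real_max>"
# The samples below are constructed (numbers invented), modelled on that format.
SAMPLE_HPA='/dev/sdb:
 max sectors   = 117210240/117231408, HPA is enabled'
SAMPLE_NO_HPA='/dev/sdc:
 max sectors   = 117231408/117231408, HPA is disabled'
SAMPLE_DCO='/dev/sdb:
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
    Transfer modes:
         udma0 udma1 udma2 udma3 udma4 udma5
    Real max sectors: 125045424'
SAMPLE_DCO_CLEAN='/dev/sdc:
DCO Revision: 0x0002
    Real max sectors: 117231408'

# Logical sector size assumed here; confirm it with `hdparm -I` ("Logical Sector
# size") or `blockdev --getss`, because 4Kn drives report 4096-byte sectors.
SECTOR_SIZE=512

# Fields parsed from `hdparm -N`: visible (current) max and native max LBA count.
hpa_visible_sectors() {
    printf '%s\n' "$1" | sed -n 's#.*max sectors *= *\([0-9][0-9]*\)/\([0-9][0-9]*\).*#\1#p'
}
hpa_native_sectors() {
    printf '%s\n' "$1" | sed -n 's#.*max sectors *= *\([0-9][0-9]*\)/\([0-9][0-9]*\).*#\2#p'
}
# Field parsed from `hdparm --dco-identify`: the capacity before any DCO was applied.
dco_real_max_sectors() {
    printf '%s\n' "$1" | sed -n 's/.*Real max sectors: *\([0-9][0-9]*\).*/\1/p'
}

# An HPA hides native_max - visible_max sectors (0 when "HPA is disabled").
hpa_hidden_sectors() {
    echo $(( $(hpa_native_sectors "$1") - $(hpa_visible_sectors "$1") ))
}
# A DCO hides dco_real_max - native_max sectors: it lowers the "native" limit
# itself, so an HPA check alone never reveals it.
dco_hidden_sectors() {
    echo $(( $(dco_real_max_sectors "$2") - $(hpa_native_sectors "$1") ))
}
# Bytes an imager that reads only the visible LBA range would never acquire.
hidden_bytes() {
    echo $(( ( $(hpa_hidden_sectors "$1") + $(dco_hidden_sectors "$1" "$2") ) * SECTOR_SIZE ))
}
# Verdict: which hidden areas must be exposed before the drive is imaged.
hidden_area_verdict() {
    out=""
    [ "$(hpa_hidden_sectors "$1")" -gt 0 ] && out="HPA"
    [ "$(dco_hidden_sectors "$1" "$2")" -gt 0 ] && out="${out:+$out }DCO"
    echo "${out:-none}"
}

# Exposing the areas changes the drive's reported configuration, so record the
# original values first and note the change in the acquisition log:
#   hdparm -N <native_max> /dev/sdX   # temporary until power-off; a 'p' prefix makes it permanent
#   hdparm --dco-restore /dev/sdX     # resets the DCO so the drive reports its real capacity
# Then image again: the first image covered only the visible LBA range.
```

Run it against the constructed samples: `hidden_area_verdict "$SAMPLE_HPA" "$SAMPLE_DCO"` reports both areas, while the second pair of samples reports none. The two numbers are deliberately kept apart because a drive with no HPA can still carry a DCO, which is why the second command is needed even when `hdparm -N` says "HPA is disabled".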
Exercise
 Read the article "Applications of Data Recovery Tools to Digital Forensics: Analyzing the Host Protected Area with the PC-3000" by Richard Leickly and David K. Angell, 2012
https://www.researchgate.net/publication/235984791_Applications_of_Data_Recovery_Tools_to_Digital_Forensics_Analyzing_the_Host_Protected_Area_with_the_PC-3000
Good practices
 Make a duplicate copy of the evidence image file
 Make at least two images of the digital evidence, ideally with different tools or techniques, so that a defect in one tool does not leave you without a usable image
 In digital forensics the golden rule is that the original digital evidence is never altered: work on the image copies and keep the original sealed
Acquisition tools for Windows OS
 Benefits
 Makes acquiring evidence from a suspect drive easy
 Particularly for hot-swappable devices
 Note: Hot swapping is the replacement or addition of components to a computer system without stopping, shutting down, or rebooting the system. eSATA, FireWire and USB are examples of hot-swappable interfaces on computers
Drawbacks
 The suspect drive must be attached through a well-tested write-blocking hardware device; otherwise Windows mounts it and may write to it (for example updating file-system metadata), altering the evidence
 Some tools may not acquire data from a disk's host protected area or DCO
 The use of write-blocking devices for data acquisition has not been universally accepted
Exercise
 Explore the use of Mini-WinFE Boot CDs and USB Drives
 Read https://www.winfe.net/
 Read "The (Nearly) Perfect Forensic Boot CD – Windows Forensic Environment" by Brett Shavers
https://www.forensicfocus.com/articles/the-nearly-perfect-forensic-boot-cd-windows-forensic-environment/
 WinFE: see https://winfe.wordpress.com
 WinFE is a forensically sound build of WinPE: a bootable operating system, used by law enforcement agencies that conduct forensic examinations, configured so that attached disks are not mounted or written to on boot
 The Windows Preinstallation Environment (Windows PE, often WinPE) is a minimal Windows operating system built for specific purposes
 WinPE is a bare-bones operating system, originally based on the Windows XP kernel and now built from the kernel of the current Windows release, that provides the functionality required to automate Windows Setup
 Mini-WinFE is a minimalist 32- or 64-bit Windows Forensic Environment (WinFE) with a GUI shell
 See http://mistyprojects.co.uk/mistype/mini-winfe.docs/readme.files/intro.htm
Acquiring Data with a Linux Boot CD
 Many Linux distributions offer an environment that you can boot your
computer into without having to install anything to a hard drive. For
some Linux distributions, this is actually their main purpose. This is
called a "live file system" and it allows you to boot into Linux like
normal from a CD, DVD, or USB drive.
 With a live file system, changes you make normally aren't saved after a
reboot. When you boot to a live CD/DVD/USB, system files and
everything else are stored temporarily in RAM, and RAM is always
cleared when a system shuts down or reboots.
 See https://linuxconfig.org/live-cd-dvd-linux-download for info about
Linux Live CD/DVD
 A live CD or live DVD is a CD-ROM or DVD-ROM containing a bootable
computer operating system. Live CDs /DVDS are unique in that they
have the ability to run a complete, modern operating system on a
computer lacking mutable secondary storage, such as a hard disk
drive.
 See https://en.wikipedia.org/wiki/List_of_live_CDs
 As CD and DVD drives have been steadily phased-out, live CDs have
become less popular, being replaced by live USBs, which are
equivalent systems written onto USB flash drives, which have the
added benefit of having write-able storage. The functionality of a live
CD is also available with a bootable live USB flash drive, or
an external hard disk drive connected by USB.
 Forensic Linux Live CDs are available. See https://www.kali.org/docs/general-use/kali-linux-forensics-mode/ for the benefits of booting into forensic mode
 Forensic Linux Live CDs do not auto-mount attached media, so a hardware write-blocker is not strictly required. Confirm this on the build you use (auto-mounting is a desktop-environment setting, not a kernel property), mount any evidence read-only (mount -o ro), and note that many labs still use a write-blocker as a second safeguard
Forensic Linux Live CDs
 Forensic Hard Copy
 Penguin Sleuth
 F.I.R.E
 CAINE
 Deft
 Kali Linux
 Knoppix
 SANS Investigative Forensic Toolkit (SIFT)
 Ubuntu Rescue Remix
 Helix
 FCCU GNU/Linux Forensic Boot CD
 Parrot
 ForLex
 Windows and most desktop Linux distributions automatically mount and access a drive as soon as it is attached
 Linux can access a drive that is not mounted (e.g. by reading the block device /dev/sdb directly)
 Many Linux distributions can create Microsoft FAT and NTFS file systems (mkfs.vfat, mkfs.ntfs), which is useful for preparing a target drive that Windows tools can read
Commands for acquiring data
 fdisk lists, creates, deletes, and verifies partitions in Linux
 https://www.tldp.org/HOWTO/Partition/fdisk_partitioning.html
 https://www.tecmint.com/fdisk-commands-to-manage-linux-disk-
partitions/
 mkfs.msdos Create an MS-DOS file system under Linux
Read more at: https://www.commandlinux.com/man-page/man8/
Acquiring data with the dd command
 dd is a command-line utility for Unix and Unix-like operating systems whose primary purpose is to convert and copy files; because it can read a block device as a file, it produces a bit-stream (raw) image
 See https://www.gnu.org/software/coreutils/manual/html_node/dd-invocation.html
 https://forensicswiki.xyz/wiki/index.php?title=Dd
The command dd
Drawbacks
 Requires more skill than an ordinary user has
 Has to be used with great caution: swapping the if= (input) and of= (output) arguments overwrites the source media the examiner is trying to copy
 Does not compress data
 Was not designed with forensics in mind: no built-in hashing, logging or verification
The command dd
Benefits
 Can produce the raw format file that most digital forensics tools can
read
 Can read from and write to both media devices and data files
The command dcfldd
 dcfldd is an enhanced version of dd developed at the U.S. Department of Defense Computer Forensics Laboratory (DCFL), hence the name. It adds features that are useful to forensic investigators.
 dcfldd is based on an old version of dd (it forked from GNU dd long ago), so later dd options are not available in it
 http://dcfldd.sourceforge.net
The command dcfldd
 The program only produces raw image files.
 This tool is not suitable for imaging faulty drives
 dcfldd can enter an infinite loop when a faulty sector is encountered
on the source drive, thus writing to the image over and over again until
there is no free space left.
Features of dcfldd
 On-the-fly hashing of the data as it is copied.
 Progress bar of how much data has already been sent.
 Wiping of disks with known patterns.
 Verification that the image is identical to the original drive, bit-for-bit.
 Simultaneous output to more than one file/disk is possible.
 The output can be split into multiple files.
 Logs and data can be piped into external applications.
Tools for capturing images
 ProDiscover https://www.prodiscover.com
 AccessData FTK Imager Lite https://accessdata.com/product-download/ftk-imager-lite-version-3-1-1
 EnCase Forensic https://www.guidancesoftware.com/encase-forensic
Validation of Data Acquisitions
 Validation is the act of confirming that the image is an exact, bit-for-bit copy of the source, and later that the image has not changed since it was made
 Validation uses checksums and cryptographic hash functions: cyclic redundancy checks (e.g. CRC-32), MD5, SHA-1, SHA-256 and SHA-512. A CRC detects accidental corruption only, since a deliberate change can be made to preserve it. MD5 and SHA-1 are no longer collision resistant, so record SHA-256 (or stronger) as the primary hash and, where policy or tooling requires a second hash, MD5 or SHA-1 alongside it
 https://en.wikipedia.org/wiki/Hash_function
 https://en.wikipedia.org/wiki/List_of_hash_functions
Validation using Linux utilities
 For data acquired using dd: hash the source and the image with md5sum, sha1sum or sha256sum and compare the two digests
 For data acquired using dcfldd:
 hash=md5,sha256 option to designate one or more hashing algorithms
 vf=<file> (verify file) option to compare the image file with the source medium
 hashlog=<file> option to write the hash(es) to a text file
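The following shell script is an added example, not code from the slides or from dd/dcfldd themselves, that performs the dd acquisition described above and the validation steps this slide lists: it images a source with `conv=noerror,sync` (the raw-format behaviour on read errors from the Raw Format slide), hashes the stream on the fly through `tee` (what dcfldd's `hash=` option does in one process), writes a hash-log line, and then verifies the image against a second read of the source (dcfldd's `vf=`). All paths are hypothetical, the 1 MiB random source file is constructed to stand in for an evidence drive, and the hash-log line format is this example's own.

```shell
#!/bin/sh
# Added example: raw (dd) acquisition with on-the-fly hashing, a hash log and a
# second-pass verification. All paths are hypothetical; on a real job SRC is the
# evidence block device (e.g. /dev/sdb) attached through a write-blocker.

# SHA-256 of stdin / of a file; portable across GNU coreutils and BSD userlands.
hash_stream() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}
hash_file() { hash_stream < "$1"; }

# acquire_raw SRC IMG LOG
#   conv=noerror  keep reading after a read error instead of aborting
#   conv=sync     zero-pad the failed block so every later byte keeps the offset
#                 it has on the source (without sync the image shrinks and the
#                 file-system layout shifts); that zero-filled block is the gap
#                 a raw image leaves where the source had a bad sector
#   bs=512        on an error dd drops the whole block, so use the sector size
#                 rather than a 4M block that would lose 4 MiB per bad sector
#   tee           hash the stream as it is written (dcfldd's hash=sha256 does
#                 this natively); the same pipeline serves a remote acquisition
#                 with  ssh examiner@target 'dd if=/dev/sda bs=512'  as producer
acquire_raw() {
    src=$1; img=$2; log=$3
    dd if="$src" bs=512 conv=noerror,sync 2>"$log.dd-stderr" \
        | tee "$img" | hash_stream > "$img.sha256"
    # Hash-log line (this example's own format, comparable to dcfldd's hashlog=).
    printf '%s examiner=%s source=%s image=%s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$src" "$img" \
        "$(cat "$img.sha256")" >> "$log"
}

# verify_image SRC IMG: the check dcfldd's vf= performs, done with three hashes.
# The on-the-fly hash proves what left dd, the on-disk hash proves what landed in
# the file, and a second read of the source proves the source did not change.
verify_image() {
    src=$1; img=$2
    streamed=$(cat "$img.sha256")
    on_disk=$(hash_file "$img")
    source_again=$(hash_file "$src")
    [ -n "$streamed" ] && [ "$streamed" = "$on_disk" ] && [ "$on_disk" = "$source_again" ]
}

# Constructed demonstration: a 1 MiB random file stands in for the evidence drive.
# Prints the working directory; returns non-zero if the image did not verify.
demo_acquire() {
    work=$(mktemp -d) || return 1
    head -c 1048576 /dev/urandom > "$work/source.img"
    acquire_raw "$work/source.img" "$work/evidence.dd" "$work/hashlog.txt" || return 1
    verify_image "$work/source.img" "$work/evidence.dd" || return 1
    echo "$work"
}
```

Use the small block size only on failing media; on a healthy drive a large `bs` (for example 4M) is several times faster. When a drive has many unreadable sectors, GNU ddrescue, which maps the bad regions and retries them, is better suited than dd or dcfldd, whose `noerror` handling simply skips them.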
Validation using Windows OS
 Windows has no dedicated forensic hashing utility, but certutil -hashfile <file> SHA256 and PowerShell's Get-FileHash compute file hashes
 Third-party utilities may also be used
 Raw data acquisitions have to be validated manually by hashing the source and the image and comparing the digests
 Forensic tools such as FTK Imager and EnCase can verify the images they create
Acquiring RAID data
 RAID systems are becoming commonplace
 RAID systems can store several TB of data and more
 Size is thus a major concern
 Other challenges arise from the configuration and design (striping, parity, controller-specific layouts)
 RAID was originally developed for data redundancy
 https://en.wikipedia.org/wiki/RAID
Typical Levels in RAID systems
 RAID 0
 RAID 1
 RAID 2
 RAID 3
 RAID 4
 RAID 5
 RAID 6
 RAID 10
Acquiring RAID data – Points to consider
 Data storage needed
 Type of RAID
 Suitable tool for acquiring
 Capability of tools for reading forensically copied RAID images
 Capability of tools for reading split data saved while acquiring
 Vendors
 Size of disks
 Use of sparse or logical acquisition if needed
Remote Acquisition
 Sometimes it is necessary to connect to a target computer over a network connection and make a copy of its data remotely
 Drawbacks
Malware on the target may hinder or subvert the acquisition
Suspects could set up alerts that warn them that data is being acquired
Some tools do not support remote acquisition
Running an agent on the target changes its state, and the data crosses a network, so the channel must be encrypted and the hashes compared at both ends
Exercise
Study how data is acquired by tools such as
 ProDiscover https://www.prodiscover.com
 EnCase https://www.guidancesoftware.com/encase-forensic
 R-Studio https://www.r-studio.com/Data_Recovery_Technician.shtml
 USB Live Acquisition and Triage Tool. (US-
LATT) http://www.softwareasia.com/us-latt-pro
 F-Response https://www.f-response.com
 PassMark software ImageUSB
https://www.osforensics.com/tools/write-usb-images.html
 ILook Stand-Alone External Imager Iximager
http://www.ilook-forensics.org/iximager.html
 ASR Data SMART for Linux http://www.asrdata.com/forensic-
software/smart-for-linux/
 Runtime Software https://runtime.org/data-recovery-
products.htm
References
 Bill Nelson, Amelia Phillips, Christopher Steuart, "Guide to Computer Forensics and Investigations", Fifth Edition, Cengage Learning, 2015.
 Wikipedia (the articles linked on the slides)

Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 

CSE4004_Module2_1.pptx

1. Digital Forensics, Module 2: Data Acquisition and Recovery. Dr. Nagaraj S V & Prof. Seshu Babu Pulagara, VIT Chennai
7. Exercises - Study
- Martin S. Olivier and Sujeet Shenoi (eds.), Advances in Digital Forensics II, Springer, 2006, ISBN 0-387-36890-6
- https://www.loc.gov/preservation/digital/formats/fdd/fdd000406.shtml
- "Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow", Digital Investigation, Volume 6, Supplement, September 2009, Pages S57-S68, https://www.sciencedirect.com/science/article/pii/S1742287609000401

8. Advanced Forensics Format
- The Advanced Forensics Format (AFF) is an open and extensible format for storing disk images and related forensic metadata. It was developed by Simson Garfinkel and Basis Technology Corp.
- See https://sourceforge.net/p/afflib/wiki/Home/
- https://www.loc.gov/preservation/digital/formats/fdd/fdd000412.shtml

9. Exercise - Study
- Advanced Forensic Format: an Open Extensible Format for Disk Imaging, https://link.springer.com/chapter/10.1007/0-387-36891-4_2
- https://cs.harvard.edu/malan/publications/aff.pdf

10. AFF
- Open source
- Works on several platforms and operating systems
- Simple, extensible design
- Metadata can be stored inside the image file or in segmented files
- No size restriction on disk-to-image files
- Image files can be compressed or uncompressed
- File extensions: .aff for a single image file, .afd for segmented image files and .afm for AFF metadata kept beside a raw image
- Caveat: AFFLIB is no longer maintained and its author now recommends AFF4 or E01 instead, so check that the tools you will analyse with can still read the AFF files you produce

11. Acquisition Methods
- Static acquisitions
- Live acquisitions
- Logical acquisition
- Sparse acquisition
- Remote acquisition

12. Methods of data acquisition
- Making a sparse data copy of a file or folder
- Making a logical disk-to-disk or disk-to-data-file copy
- Making a disk-to-disk copy
- Making a disk-to-image file

13. The Best Acquisition Method?
- There is no single best method. The choice depends on the situation in each case: the time available, the size of the media, whether the system can be powered down, encryption, and legal constraints.

14. Making a disk-to-image file
- Supported by many tools, such as the SANS Investigative Forensic Toolkit (SIFT), CAINE, ProDiscover, EnCase, FTK, SMART, The Sleuth Kit, X-Ways Forensics, Magnet AXIOM and iLookIX
- The copy is a bit-for-bit reproduction of the original drive
- More than one copy can be made if needed
- The most commonly used method, and the most flexible: the image file can be loaded into any tool that reads its format

15. Making a disk-to-disk copy
- Used when a disk-to-image copy is not feasible
- The target disk must be at least as large as the source; tools can adjust the target disk's geometry (cylinders, heads, sectors) to match the source
- Many tools, such as EnCase, support this

16. Exercise
Terms such as mirror image, exact copy, bit-stream image, disk duplicating, disk cloning and mirroring can confuse novices. Read https://capsicumgroup.com/2-key-differences-between-digital-forensic-imaging-and-digital-forensic-clone-and-how-they-can-affect-your-legal-case/ to understand why it is important to know the terminology clearly.

17.
- Read https://www.ncjrs.gov/pdffiles1/nij/199000.pdf for a report about the SafeBack forensic tool
- Read https://en.wikipedia.org/wiki/List_of_digital_forensics_tools for a list of widely used digital forensic tools

18. Logical acquisition
- In some situations the time available for acquisition is limited
- In such situations only specific files, or specific types of file, relevant to the case are acquired
- Logical acquisition is the practical choice when the suspect storage is very large (for example a RAID set) and a full volume or physical acquisition on site is not feasible
- Caveat: a logical acquisition does not capture unallocated space, file slack or deleted files, so artefacts that exist only there are lost

19. Sparse acquisition
- Also used when the storage to acquire is large, such as a RAID set, and time is short
- Like a logical acquisition, but it additionally collects fragments of unallocated (deleted) data
- Often used for static acquisitions of RAID systems

20. What is a RAID System?
- RAID ("Redundant Array of Inexpensive Disks" or "Redundant Array of Independent Disks") is a data storage virtualization technology that combines multiple physical disk drives into one or more logical units for data redundancy, performance improvement, or both.
- See https://en.wikipedia.org/wiki/RAID

21.
- Many tools, such as EnCase, X-Ways Forensics, AccessData FTK and ProDiscover, can acquire data from RAID systems. However, it is a time-consuming process.

22. Exercise
- Investigate the difficulties in acquiring data from RAID systems, Storage Area Networks (SANs) and Network Attached Storage (NAS) devices. See https://en.wikipedia.org/wiki/RAID, https://en.wikipedia.org/wiki/Storage_area_network and https://en.wikipedia.org/wiki/Network-attached_storage
- Study the different RAID levels

23. Planning for image acquisition
- Disks may be encrypted. The entire disk may be encrypted (whole-disk encryption) or only some sectors or volumes. Decryption keys or passphrases may be required; if the system is still running, the keys may be recoverable only through a live acquisition of memory before it is powered off.
- It may be necessary to copy the host protected area (HPA) of a drive as well. The HPA is an area of a hard drive or solid-state drive that is not normally visible to an operating system. See https://en.wikipedia.org/wiki/Host_protected_area

24.
- In digital forensics it is necessary to examine the data in the Host Protected Area, a possibly very large hidden region of the drive.
- An HPA is an area of a drive that is generally inaccessible to the user. The drive reports a reduced capacity, so neither the operating system nor, in the normal configuration, the BIOS sees the sectors beyond that limit.

25.
- The HPA is a reserved area on a hard disk drive. Manufacturers designed it to hold data that a normal user cannot easily access, change or modify: utilities, diagnostic tools and possibly boot sector code.
- The HPA can be misused, for example to hide malware or evidence, so it is of concern to investigators.

26. Device configuration overlays
- Like the HPA, the device configuration overlay (DCO) is a hidden area on many current hard disk drives. It is usually not accessible to the BIOS, OS or user, but some tools can read and modify it.
- This hidden area is also of concern to investigators because of the possibility of misuse.
- See https://en.wikipedia.org/wiki/Device_configuration_overlay

27.
- A DCO can make a 60 GB HDD appear as a 40 GB HDD to both the OS and the BIOS. Vendors use it to configure drives of different sizes so that they report the same number of sectors.
- The potential to hide data using a DCO is of concern to forensic investigators.
- A second concern is imaging a drive that has an HPA and/or a DCO: some imaging tools cannot properly image the HPA or the DCO, so the examiner must check for them before imaging and record what was found.

28.
- The HPA can therefore be considered a "hidden area of the hard drive that can contain data in many formats, ranging from raw code or files (possibly encrypted), to complete alternative system or data partitions, and even disk images of operating systems. It can range in size from less than a megabyte to many gigabytes." (Richard Leickly and David K. Angell, 2012)

29. Exercise
- Read the article "Applications of Data Recovery Tools to Digital Forensics: Analyzing the Host Protected Area with the PC-3000" by Richard Leickly and David K. Angell, 2012, https://www.researchgate.net/publication/235984791_Applications_of_Data_Recovery_Tools_to_Digital_Forensics_Analyzing_the_Host_Protected_Area_with_the_PC-3000
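Checking for an HPA or DCO before imaging, the step slides 23 to 27 call for, as an added shell example that is not part of the slide deck: it turns the output of the Linux hdparm queries into the number of hidden sectors. The two sample outputs are constructed to follow the format of `hdparm -N` and `hdparm --dco-identify`; that format is an assumption to confirm against your own hdparm version before relying on the parse, and the sector size of 512 bytes is likewise assumed.

```shell
#!/bin/sh
# Added example: how many sectors does an HPA or DCO hide? Parses constructed
# samples of hdparm output; the real commands are shown in comments only.
set -u

# Read-only queries on a real drive (through a write blocker that passes ATA
# commands, or use the hardware imager's own HPA/DCO report):
#   hdparm -N /dev/sdX              prints "max sectors = <visible>/<native>, HPA is enabled|disabled"
#   hdparm --dco-identify /dev/sdX  prints, among other lines, "Real max sectors: <real>"
# Never give -N a value (hdparm -N p<n>): that SETS the HPA instead of reading it.

# Constructed sample outputs (assumed format, not captured from a real drive)
HDPARM_N_SAMPLE=' max sectors   = 234441648/250069680, HPA is enabled'
HDPARM_DCO_SAMPLE='DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
    Transfer modes:
         udma0 udma1 udma2 udma3 udma4 udma5 udma6
    Real max sectors: 251118256
    ATA command/feature:
         security HPA 48-bit'

# hpa_hidden_sectors "<hdparm -N output>" : native minus visible sectors.
# Prints 0 and returns 1 when the line cannot be parsed.
hpa_hidden_sectors() {
    pair=$(printf '%s\n' "$1" | sed -n 's/.*max sectors *= *\([0-9][0-9]*\)\/\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$pair" ] || { echo 0; return 1; }
    set -- $pair
    echo $(( $2 - $1 ))
}

# dco_hidden_sectors "<--dco-identify output>" NATIVE_MAX : real minus native,
# where NATIVE_MAX is the second number reported by hdparm -N.
dco_hidden_sectors() {
    real=$(printf '%s\n' "$1" | sed -n 's/.*Real max sectors: *\([0-9][0-9]*\).*/\1/p')
    [ -n "$real" ] || { echo 0; return 1; }
    echo $(( real - $2 ))
}

# sectors_to_mib SECTORS : size in MiB, assuming 512-byte logical sectors
sectors_to_mib() {
    echo $(( $1 * 512 / 1048576 ))
}

# report : one-line summary for the constructed samples, the kind of note
# that belongs in the acquisition log before the drive is imaged
report() {
    hpa=$(hpa_hidden_sectors "$HDPARM_N_SAMPLE")
    native=$(printf '%s\n' "$HDPARM_N_SAMPLE" | sed -n 's/.*\/\([0-9][0-9]*\),.*/\1/p')
    dco=$(dco_hidden_sectors "$HDPARM_DCO_SAMPLE" "$native")
    printf 'HPA hides %s sectors (%s MiB); DCO hides %s sectors (%s MiB)\n' \
        "$hpa" "$(sectors_to_mib "$hpa")" "$dco" "$(sectors_to_mib "$dco")"
}
```

If either number is non-zero, the drive must be imaged with a tool or hardware imager that reads past the HPA/DCO limits, or the limits must be removed in a documented way; an image taken at the reported capacity silently omits those sectors.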
30. Good practices
- Make a duplicate copy of the evidence image file.
- Make at least two images of the digital evidence, preferably with different tools or techniques, so that a defect in one tool does not leave you without a usable image.
- Duplicating the evidence image file is essential. The golden rule of digital forensics is that the original digital evidence is never altered: work on copies, and verify each copy's hash against the hash recorded at acquisition.

31. Acquisition tools for Windows OS
- Benefits
- Make acquiring evidence from a suspect drive easy
- Particularly for hot-swappable devices
- Note: hot swapping is the replacement or addition of components to a computer system without stopping, shutting down or rebooting it. eSATA, FireWire and USB are examples of hot-swappable interfaces on computers.

32. Drawbacks
- The suspect drive must be protected with a well-tested hardware write blocker, because Windows mounts attached drives automatically and writes to them (updating file system metadata, for example), which would alter the evidence.
- Some tools cannot acquire data from a disk's host protected area or DCO.
- The use of write-blocking devices for data acquisition has not been accepted in every jurisdiction.

33. Exercise
- Explore the use of Mini-WinFE boot CDs and USB drives
- Read https://www.winfe.net/
- Read "The (Nearly) Perfect Forensic Boot CD - Windows Forensic Environment" by Brett Shavers, https://www.forensicfocus.com/articles/the-nearly-perfect-forensic-boot-cd-windows-forensic-environment/

34.
- WinFE: see https://winfe.wordpress.com
- WinFE is a forensically sound build of WinPE: a bootable environment, used by law enforcement agencies that conduct forensic examinations, configured so that it does not mount or write to attached disks automatically.
- The Windows Preinstallation Environment (Windows PE, or WinPE) is a minimal operating system built for specific purposes.
- WinPE is a bare-bones operating system that provides the functionality required to automate Windows Setup. It was originally based on the Windows XP kernel; each current WinPE release is built from the corresponding Windows release.

35.
- Mini-WinFE is a minimalist 32- or 64-bit Windows Forensic Environment (WinFE) with a GUI shell
- See http://mistyprojects.co.uk/mistype/mini-winfe.docs/readme.files/intro.htm

36. Acquiring Data with a Linux Boot CD
- Many Linux distributions offer an environment you can boot into without installing anything to a hard drive; for some distributions this is their main purpose. This is called a live file system, and it lets you boot into Linux from a CD, DVD or USB drive.

37. Acquiring Data with a Linux Boot CD
- With a live file system, changes you make are normally not saved after a reboot. When you boot from a live CD/DVD/USB, the system files and everything else are held temporarily in RAM, and RAM is cleared when the system shuts down or reboots.
- See https://linuxconfig.org/live-cd-dvd-linux-download for information about Linux live CDs/DVDs

38.
- A live CD or live DVD is a CD-ROM or DVD-ROM containing a bootable operating system. Live CDs/DVDs can run a complete, modern operating system on a computer that has no writable secondary storage, such as a hard disk drive.
- See https://en.wikipedia.org/wiki/List_of_live_CDs

39.
- As CD and DVD drives have been phased out, live CDs have become less popular and have been replaced by live USBs, equivalent systems written to USB flash drives, which have the added benefit of writable storage. The functionality of a live CD is also available from a bootable live USB flash drive or an external hard disk drive connected over USB.

40.
- Forensic Linux live CDs are available. See https://www.kali.org/docs/general-use/kali-linux-forensics-mode/ for the benefits of booting into forensics mode.
- Forensic Linux live CDs do not mount media automatically, which removes the main reason a write blocker is needed. This is a software control only: a mistyped command can still write to the evidence drive, so a hardware write blocker remains the safer choice whenever one is available, and the source hash must be verified either way.

41. Forensic Linux Live CDs
- Forensic Hard Copy
- Penguin Sleuth
- F.I.R.E.
- CAINE
- DEFT
- Kali Linux
- Knoppix
- SANS Investigative Forensic Toolkit (SIFT)
- Ubuntu Rescue Remix
- Helix
- FCCU GNU/Linux Forensic Boot CD
- Parrot
- ForLex

42.
- Windows, and recent desktop Linux versions, mount and access an attached drive automatically
- Linux can read a drive that is not mounted, by opening the block device directly
- Many recent Linux distributions can create Microsoft FAT and NTFS file systems

43. Commands for acquiring data
- fdisk lists, creates, deletes and verifies partitions in Linux
- https://www.tldp.org/HOWTO/Partition/fdisk_partitioning.html
- https://www.tecmint.com/fdisk-commands-to-manage-linux-disk-partitions/
- mkfs.msdos creates an MS-DOS (FAT) file system under Linux. Read more at https://www.commandlinux.com/man-page/man8/
- Caveat: fdisk writes the partition table when you save, and mkfs destroys the data on its target. Run them only against the drive that will store the evidence, never against the suspect drive.

44. Acquiring data with the dd command
- dd is a command-line utility for Unix and Unix-like operating systems whose primary purpose is to convert and copy files
- See https://www.gnu.org/software/coreutils/manual/html_node/dd-invocation.html
- https://forensicswiki.xyz/wiki/index.php?title=Dd

45. The command dd: drawbacks
- Requires more skill than an ordinary user has
- Must be used with great caution: reversing if= and of= overwrites the source media the examiner is trying to copy
- Does not compress data, and does not hash on the fly
- Was not designed with forensics in mind

46. The command dd: benefits
- Produces the raw format file that most digital forensics tools can read
- Can read from and write to both media devices and data files
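The raw acquisition and validation steps of slides 44 to 46 and 52, as an added shell example that is not part of the slide deck. A constructed file stands in for the suspect device: in a real case the `if=` argument would be the block device (for example `/dev/sdb`) behind a write blocker, and the block size must divide the device size, otherwise `conv=sync` pads the final block with zeros and the hashes will not match. Requires GNU coreutils (`dd`, `split`, `sha256sum`).

```shell
#!/bin/sh
# Added example: raw disk-to-image acquisition with dd, then validation with
# sha256sum. Constructed sample data stands in for the suspect drive.
set -u

# hash_of FILE : SHA-256 digest only, without the file name
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_raw SOURCE IMAGE [BLOCKSIZE]
# Bit-for-bit copy of SOURCE into IMAGE. if= is the evidence, of= is the new
# file; reversing them destroys the evidence. conv=noerror keeps copying after
# an unreadable block and conv=sync pads that block with zeros so every later
# offset still lines up; the unreadable block is silently zeroed in the image,
# and dd's error count on stderr (kept in IMAGE.dd.log) is the only sign of it.
# The hashes of source and image are written to IMAGE.sha256.
# Returns 0 when the two hashes match, 1 otherwise.
acquire_raw() {
    src=$1; img=$2; bs=${3:-4096}
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>"$img.dd.log" || return 1
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    printf 'source  %s  %s\nimage   %s  %s\n' "$src_hash" "$src" "$img_hash" "$img" >"$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# split_image IMAGE SEGMENT_BYTES : write segmented output IMAGE.000, IMAGE.001,
# ... (the same idea as dcfldd's split= option) and print the SHA-256 of the
# segments concatenated back together, which must equal hash_of IMAGE.
split_image() {
    img=$1; seg=$2
    split -b "$seg" -d -a 3 "$img" "$img."
    cat "$img".[0-9][0-9][0-9] | sha256sum | cut -d' ' -f1
}

# demo_acquire : end-to-end run on constructed data (32 blocks of 4096 bytes).
# Prints "verified" and returns 0 when both checks pass.
demo_acquire() {
    work=$(mktemp -d)
    src="$work/suspect.dev"
    yes 'constructed sample sector data' | head -c 131072 >"$src"
    acquire_raw "$src" "$work/evidence.dd" 4096 || { rm -rf "$work"; return 1; }
    [ "$(split_image "$work/evidence.dd" 32768)" = "$(hash_of "$src")" ] || { rm -rf "$work"; return 1; }
    rm -rf "$work"
    echo verified
}
```

The hash of the source is taken after the copy so that any read error during imaging shows up as a mismatch rather than being hidden by a hash computed earlier; on a real drive the dd.log line "N+M records in" with M greater than zero is the signal to look at the unreadable sectors before trusting the image.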
47. The command dcfldd
- dcfldd is an enhanced version of dd developed at the U.S. Department of Defense Computer Forensics Laboratory, hence the name. It adds features useful to forensic investigators.
- dcfldd is based on an old version of GNU dd
- http://dcfldd.sourceforge.net

48. The command dcfldd
- The program produces only raw image files.
- It is not suitable for imaging faulty drives.
- dcfldd can enter an infinite loop when it hits a faulty sector on the source drive, writing to the image over and over until no free space is left. For a drive with bad sectors, use a tool written for that case (for example GNU ddrescue) and record which sectors could not be read.

49. Features of dcfldd
- On-the-fly hashing of the transmitted data
- Progress indication of how much data has been copied
- Wiping of disks with known patterns
- Verification that the image is identical to the original drive, bit for bit
- Simultaneous output to more than one file or disk
- Output can be split into multiple files
- Logs and data can be piped into external applications

50. Tools for capturing images
- ProDiscover, https://www.prodiscover.com
- AccessData FTK Imager Lite, https://accessdata.com/product-download/ftk-imager-lite-version-3-1-1
- EnCase Forensic, https://www.guidancesoftware.com/encase-forensic

51. Validation of Data Acquisitions
- Validation is the act of establishing that the image is a faithful copy of the source.
- Validation can be done with cyclic redundancy checks, checksum functions and cryptographic hash functions, e.g. CRC-32, SHA-1 and SHA-512.
- Caveat: CRC-32 and simple checksums detect accidental corruption only; an adversary can alter data and keep the value unchanged. MD5 and SHA-1 have practical collision attacks, so a cryptographic hash such as SHA-256 should be used, recording MD5 or SHA-1 alongside it only where a tool or court expects them.
- https://en.wikipedia.org/wiki/Hash_function
- https://en.wikipedia.org/wiki/List_of_hash_functions

52. Validation using Linux utilities
- For data acquired with dd: hash the source device and the image with md5sum, sha1sum or sha256sum and compare the two values
- For data acquired with dcfldd:
- hash= option to select one or more hashing algorithms (for example hash=md5,sha256)
- vf= (verify file) option to compare the image file against the source medium
- hashlog= option to write the hashes to a text file
- hashwindow= option to hash each block of the given size in addition to the whole, so that a mismatch can be localised

53. Validation using Windows OS
- Windows ships no forensics-oriented hashing utility, although the built-in certutil -hashfile command and PowerShell's Get-FileHash cmdlet can compute MD5, SHA-1 and SHA-256 digests of a file
- Third-party utilities may also be used
- Raw data acquisitions have to be validated manually, by hashing the image and comparing it with the hash recorded at acquisition
- Forensic tools usually include their own validation utilities
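Block-wise hashing, the idea behind dcfldd's hashwindow= option on slide 52, as an added shell example that is not part of the slides, done with plain dd and sha256sum so that it runs without dcfldd. A whole-image hash only says that source and image differ; per-window hashes say where, which is what you need when deciding whether a mismatch is one unreadable sector or the wrong image. The sample data and the injected corruption are constructed.

```shell
#!/bin/sh
# Added example: piecewise (per-window) hashing and localisation of a
# mismatch between a source and its image. Constructed data only.
set -u

# piecewise_hash FILE WINDOW : print "index sha256" for every WINDOW-byte
# window of FILE (the last window may be short)
piecewise_hash() {
    f=$1; win=$2
    size=$(wc -c <"$f")
    n=$(( (size + win - 1) / win ))
    i=0
    while [ "$i" -lt "$n" ]; do
        h=$(dd if="$f" bs="$win" skip="$i" count=1 2>/dev/null | sha256sum | cut -d' ' -f1)
        printf '%d %s\n' "$i" "$h"
        i=$((i + 1))
    done
}

# differing_windows SOURCE IMAGE WINDOW : print the index of every window whose
# hash differs between SOURCE and IMAGE, including windows missing from IMAGE
# (a truncated image shows up as trailing indexes)
differing_windows() {
    piecewise_hash "$1" "$3" >"$1.pw"
    piecewise_hash "$2" "$3" >"$2.pw"
    awk 'NR == FNR { img[$1] = $2; next } img[$1] != $2 { print $1 }' "$2.pw" "$1.pw"
}

# demo_piecewise : copy a constructed 64 KiB source, flip one byte at offset
# 20000, and report which 4096-byte window changed. Offset 20000 lies in
# window 4 (bytes 16384..20479), so this prints "4".
demo_piecewise() {
    work=$(mktemp -d)
    src="$work/source.dd"; img="$work/image.dd"
    yes 'constructed sector data' | head -c 65536 >"$src"
    cp "$src" "$img"
    printf 'X' | dd of="$img" bs=1 seek=20000 conv=notrunc 2>/dev/null
    differing_windows "$src" "$img" 4096
    rm -rf "$work"
}
```

With dcfldd the equivalent is `hashwindow=4096 hashlog=image.hashes` at acquisition time and the same window size when re-hashing later; the window list is also the record that lets a court see exactly which sectors a later mismatch affects.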
54. Acquiring RAID data
- RAID systems are commonplace
- RAID systems can store many terabytes of data, or more
- Size is therefore a major concern
- Further challenges come from the configuration and design of the array: level, stripe size, member order and controller metadata
- RAID was originally developed for data redundancy
- https://en.wikipedia.org/wiki/RAID

55. Typical levels in RAID systems
- RAID 0
- RAID 1
- RAID 2
- RAID 3
- RAID 4
- RAID 5
- RAID 6
- RAID 10

56. Acquiring RAID data: points to consider
- Data storage needed
- Type (level) of RAID
- Suitable tool for acquiring
- Capability of tools to read forensically copied RAID images
- Capability of tools to read split data saved while acquiring
- Vendors (controller-specific metadata and stripe layouts)
- Size of the disks
- Use of sparse or logical acquisition if needed
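Why "type of RAID", "vendors" and "size of disks" on slide 56 matter, as an added shell example that is not from the slides: the member images of a two-disk RAID 0 are only useful once the stripe size and member order are known, because the logical volume is interleaved across them. The striping here is a simplified model (no controller metadata, stripe 0 on the first member, two members) built with dd on constructed data; a real controller's layout, parity placement and metadata offsets have to be recovered from the controller documentation or the on-disk metadata.

```shell
#!/bin/sh
# Added example: striping a constructed logical volume across two member
# images (what a RAID 0 controller does) and reassembling it from the member
# images, as an examiner must after imaging each physical disk separately.
set -u

# stripe_out LOGICAL STRIPE_BYTES MEMBER0 MEMBER1
# Simplified RAID 0 write: stripe 0 -> MEMBER0, stripe 1 -> MEMBER1, 2 -> MEMBER0, ...
stripe_out() {
    logical=$1; stripe=$2; m0=$3; m1=$4
    : >"$m0"; : >"$m1"
    size=$(wc -c <"$logical")
    n=$(( (size + stripe - 1) / stripe ))
    i=0
    while [ "$i" -lt "$n" ]; do
        if [ $((i % 2)) -eq 0 ]; then dst=$m0; else dst=$m1; fi
        dd if="$logical" bs="$stripe" skip="$i" count=1 2>/dev/null >>"$dst"
        i=$((i + 1))
    done
}

# reassemble_raid0 STRIPE_BYTES OUT MEMBER_IMAGE...
# Interleave stripe i of every member, in the order the members are given.
# A wrong order or a wrong stripe size yields a file of the right length
# whose hash does not match and whose file system will not parse.
reassemble_raid0() {
    stripe=$1; out=$2; shift 2
    : >"$out"
    first_size=$(wc -c <"$1")
    per_member=$(( (first_size + stripe - 1) / stripe ))
    i=0
    while [ "$i" -lt "$per_member" ]; do
        for m in "$@"; do
            dd if="$m" bs="$stripe" skip="$i" count=1 2>/dev/null >>"$out"
        done
        i=$((i + 1))
    done
}

# sha FILE : SHA-256 digest only
sha() { sha256sum "$1" | cut -d' ' -f1; }

# demo_raid0 : stripe 40 KiB of constructed data with a 4 KiB stripe, "image"
# the two members, then rebuild with the right and with the swapped member
# order. Prints "ok" when the right order reproduces the volume and the
# swapped order does not.
demo_raid0() {
    work=$(mktemp -d)
    yes 'constructed raid 0 stripe data' | head -c 40960 >"$work/logical"
    stripe_out "$work/logical" 4096 "$work/disk0.dd" "$work/disk1.dd"
    reassemble_raid0 4096 "$work/right.dd"   "$work/disk0.dd" "$work/disk1.dd"
    reassemble_raid0 4096 "$work/swapped.dd" "$work/disk1.dd" "$work/disk0.dd"
    want=$(sha "$work/logical"); right=$(sha "$work/right.dd"); swapped=$(sha "$work/swapped.dd")
    rm -rf "$work"
    [ "$right" = "$want" ] && [ "$swapped" != "$want" ] && echo ok
}
```

The practical lesson is that the per-member images should be hashed and preserved as the evidence, and the reassembled volume treated as a derived working copy whose parameters (stripe size, member order, offset of the first stripe) are recorded with it; if the controller settings were not captured at the scene, they have to be found by trial reassembly and checking whether a file system becomes parseable.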
57. Remote Acquisition
- Sometimes it is necessary to connect to a target computer over a network and copy its data remotely
- Drawbacks
- Malware on the target may hinder the acquisition
- Suspects may have set alarms to warn them that data is being acquired
- Some tools do not support remote acquisition

58. Exercise
Study how data is acquired by tools such as
- ProDiscover, https://www.prodiscover.com
- EnCase, https://www.guidancesoftware.com/encase-forensic
- R-Studio, https://www.r-studio.com/Data_Recovery_Technician.shtml
- USB Live Acquisition and Triage Tool (US-LATT), http://www.softwareasia.com/us-latt-pro

59.
- F-Response, https://www.f-response.com
- PassMark Software ImageUSB, https://www.osforensics.com/tools/write-usb-images.html
- ILook stand-alone external imager IXimager, http://www.ilook-forensics.org/iximager.html

60.
- ASR Data SMART for Linux, http://www.asrdata.com/forensic-software/smart-for-linux/
- Runtime Software, https://runtime.org/data-recovery-products.htm

61. References
- Bill Nelson, Amelia Phillips and Christopher Steuart, Guide to Computer Forensics and Investigations, Fifth Edition, Cengage Learning, 2015
- Wikipedia