CSE4004_Module2_1.pptx
1. Digital Forensics
Module 2: Data Acquisition and Recovery
Dr. Nagaraj S V & Prof Seshu Babu Pulagara,
VIT Chennai
2. Storage formats
Three formats are commonly used to store acquired data as image files:
Raw format
Proprietary formats
Advanced Forensics Format (AFF)
3. Raw Format
Bit-stream data is written to a file exactly as it is read from the source
Benefits
1. Many digital forensics tools can read the raw format
2. Data transfers can be fast
3. Minor data read errors on the source drive are tolerated, so the acquisition continues instead of aborting
Drawbacks
1. Bad sectors may be overlooked: a raw tool typically skips or zero-fills an unreadable sector, and only its error log records that this happened
2. Storage needed is as much as the original drive, since raw images are not compressed
4. Proprietary Formats
Many commercial tools have their own image formats
Capabilities
Metadata (case details, examiner, hashes) can be included in the image file
Image files can be compressed if needed
Images can be split into smaller segmented files, for example to fit removable media
Drawbacks
Images are not easy to share with other tools because the format is proprietary
There may be a size limit for each segmented volume
5. The Expert Witness format (EWF)
The Expert Witness file format is a de facto industry standard for storing forensic images.
It is widely used in digital forensics in proprietary tools such as EnCase and FTK; the open-source libewf library (ewfacquire, ewfexport) reads and writes it as well.
The format lets a user read arbitrary offsets in the uncompressed data without decompressing the whole stream, because the image is stored as independently compressed chunks.
6. The Expert Witness format
EnCase can create forensic images of suspect media. Images are stored in the proprietary Expert Witness File format (.E01); the compressed image data is prefixed with a header holding case information
The EWF format was succeeded by the Expert Witness Compression Format version 2 in EnCase 7 (EWF2-Ex01 and EWF2-Lx01)
7. Exercises-Study
Martin S. Olivier, Sujeet Shenoi, ed. (2006). Advances in Digital Forensics II. Springer. ISBN 0-387-36890-6.
https://www.loc.gov/preservation/digital/formats/fdd/fdd000406.shtml
M. Cohen, S. Garfinkel, B. Schatz, "Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow", Digital Investigation, Volume 6, Supplement, September 2009, Pages S57-S68
https://www.sciencedirect.com/science/article/pii/S1742287609000401
8. Advanced Forensics Format
Advanced Forensic Format (AFF) is an open and extensible format for the storage of disk images and related forensic metadata. It was developed by Simson Garfinkel and Basis Technology Corp. AFFLIB, its reference implementation, is no longer actively developed; its successor format is AFF4.
See https://sourceforge.net/p/afflib/wiki/Home/
https://www.loc.gov/preservation/digital/formats/fdd/fdd000412.shtml
9. Exercise - Study
Advanced Forensic Format: an Open Extensible Format for
Disk Imaging
https://link.springer.com/chapter/10.1007/0-387-36891-4_2
https://cs.harvard.edu/malan/publications/aff.pdf
10. AFF
Open source
Works with several platforms and operating systems
Simple extensible design
Provision for including metadata in the image files or segmented files
No size restriction for disk-to-image files
Provision for compressed or uncompressed image files
File extensions .afd for segmented image files and .afm for AFF
metadata
11. Acquisition Methods
Static acquisitions
Live acquisitions
Logical acquisition
Sparse acquisition
Remote acquisition
12. Methods of data acquisition
Making a sparse data copy of a file or folder
Making a logical disk-to-disk or disk-to-data file copy
Making a disk-to-disk copy
Making a disk-to-image file
13. The Best Acquisition Method?
The best acquisition method varies from case to case. It is
contingent upon the situation.
14. Making a disk to image file
Many tools such as SANS Investigative Forensic Toolkit (SIFT), CAINE, ProDiscover, EnCase, FTK, SMART, The Sleuth Kit, X-Ways Forensics, Magnet Axiom and iLookIX support this
Copies are bit-for-bit reproductions of the original drive
More than one copy can be made if needed
This is the most commonly used method and offers the most flexibility
15. Making a disk to disk copy
Tools can adjust the target disk's geometry (cylinders, heads, sectors) to match the original
It is often used when a disk-to-image copy is not feasible, for example because of hardware or software incompatibilities with the source drive
Many tools such as EnCase support this
16. Exercise
Terms such as mirror image, exact copy, bit-stream image, disk duplicating, disk cloning, and mirroring can confuse novices. Read
https://capsicumgroup.com/2-key-differences-between-digital-forensic-imaging-and-digital-forensic-clone-and-how-they-can-affect-your-legal-case/
to understand why it is important to know the terminology clearly
17. Read https://www.ncjrs.gov/pdffiles1/nij/199000.pdf
to see a report about the SafeBack forensic tool
Read https://en.wikipedia.org/wiki/List_of_digital_forensics_tools for a
list of widely used digital forensic tools
18. Logical acquisition
In some situations the time available for acquisition may be limited
In such situations we may acquire only specific files of interest, or specific file types, relevant to the case being investigated
Logical acquisition is the feasible choice when the suspect drive is huge (e.g. a RAID volume) and a full volume or physical acquisition onsite is not practical
Note that a logical acquisition captures only allocated files; unallocated space, slack space and deleted data are not collected
19. Sparse acquisition
When the disks to acquire are large (such as RAID volumes) and time is short, sparse acquisition can be used
Like a logical acquisition it collects specific files, but it also collects fragments of unallocated (deleted) data
Often used when performing a static acquisition on RAID systems
20. What is a RAID System?
RAID ("Redundant Array of Inexpensive Disks" or "Redundant
Array of Independent Disks") is a data storage
virtualization technology that combines multiple physical disk
drive components into one or more logical units for the purposes
of data redundancy, performance improvement, or both.
See https://en.wikipedia.org/wiki/RAID
21. Many tools such as EnCase, X-Ways Forensics, AccessData FTK and ProDiscover can acquire data from RAID systems. However, this is a time-consuming process.
22. Exercise
Investigate the difficulties in acquiring data from RAID systems,
Storage Area Networks (SANs), and Network Attached Storage (NAS)
devices
See
https://en.wikipedia.org/wiki/RAID
https://en.wikipedia.org/wiki/Storage_area_network
https://en.wikipedia.org/wiki/Network-attached_storage
Study different RAID levels
23. Planning for image acquisition
Disks may be encrypted. The entire disk could be encrypted using whole disk encryption, or only some partitions or sectors could be encrypted. Decryption keys or passphrases may be required; if the key exists only in the memory of a running system, a live acquisition may be the only way to capture readable data
It may be necessary to copy the host protected area (HPA) of a disk drive as well. The HPA is an area of a hard drive or solid-state drive that is not normally visible to an operating system.
See https://en.wikipedia.org/wiki/Host_protected_area
24. In digital forensics it is necessary to analyze the data in the Host Protected Area, a possibly large hidden region of the hard drive.
A HPA is an area of a hard drive that is generally inaccessible to the user. The drive reports a reduced maximum address (set with the ATA SET MAX ADDRESS command), so the operating system and usually the BIOS see a smaller drive; the true size is only revealed by the ATA READ NATIVE MAX ADDRESS command.
25. The HPA is a reserved area on a hard disk drive. It was designed by manufacturers so that it could store data that could not be easily accessed, changed, or modified by the normal user. It could contain utilities, diagnostic tools, and perhaps even boot sector code.
The HPA can be misused, e.g. to hide malware or data, so it is of concern to investigators
26. Device configuration overlays
Like the HPA, the Device Configuration Overlay (DCO) is a hidden area on many hard disk drives. It is usually not accessible to the BIOS, OS, or the user. However, some tools (for example hdparm --dco-identify on Linux) can read and modify the DCO.
This hidden area is also of concern to investigators due to the possibility of misuse
See https://en.wikipedia.org/wiki/Device_configuration_overlay
27. A DCO can make a 60-gigabyte HDD appear as a 40-gigabyte HDD to both the OS and the BIOS. Vendors use it so that HDDs of various sizes can be configured to report the same number of sectors
The potential to hide data using DCOs is of concern to forensic investigators.
Another concern is imaging an HDD that has an HPA and/or DCO on it. Some tools may not be able to image the HPA and/or the DCO, so record the native and real maximum sector counts before imaging and compare them with the image size afterwards.
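The 60 GB / 40 GB figures above can be checked with numbers rather than taken on trust. The following shell script is an added example, not code from the original slides: it parses the output of hdparm -N (visible and native maximum sector) and hdparm --dco-identify (real maximum sector) and works out how many sectors the HPA and the DCO each hide. The two hdparm outputs embedded in it are constructed, not captured from a real drive, and the device path /dev/sdb is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original slides): how many sectors an HPA and
# a DCO hide on an ATA drive, worked out from hdparm output.
# hdparm -N prints "<visible max>/<native max>"; hdparm --dco-identify prints
# the real maximum the drive would report with the DCO removed.
# Hidden sectors: HPA = native - visible, DCO = real - native.
set -u

# Constructed sample outputs (not captured from a real drive). They model a
# 60 GB drive (117231408 sectors) that a DCO presents as 40 GB (78140160),
# with an HPA hiding a further 15160 sectors. /dev/sdb is hypothetical.
SAMPLE_HDPARM_N='/dev/sdb:
 max sectors   = 78125000/78140160, HPA is enabled'

SAMPLE_DCO_IDENTIFY='DCO Revision: 0x0002
Real max sectors: 117231408'

# Reads hdparm -N text on stdin, prints "<visible_max> <native_max>".
parse_hpa() {
    awk -F'[=/,]' '/max sectors/ { gsub(/ /, "", $2); gsub(/ /, "", $3); print $2, $3 }'
}

# Reads hdparm --dco-identify text on stdin, prints the real maximum.
parse_dco() {
    awk '/Real max sectors/ { print $NF }'
}

# hidden_sectors VISIBLE NATIVE REAL -> "<hpa> <dco> <total>" in sectors.
hidden_sectors() {
    visible=$1; native=$2; real=$3
    echo "$((native - visible)) $((real - native)) $((real - visible))"
}

# Sectors to bytes, assuming 512-byte logical sectors; check hdparm -I on
# 4Kn drives, where the factor is 4096.
sectors_to_bytes() {
    echo "$(($1 * 512))"
}

# Report for a live drive. Both hdparm calls are read-only as used here;
# never give -N a value on evidence media, since that rewrites the HPA
# boundary. USB bridges often drop these ATA commands, so attach the drive
# over SATA or a write blocker that exposes HPA/DCO. Returns 2 without hdparm.
hpa_dco_report() {
    dev=$1
    command -v hdparm > /dev/null 2>&1 || return 2
    set -- $(hdparm -N "$dev" | parse_hpa)
    [ $# -eq 2 ] || return 1
    real=$(hdparm --dco-identify "$dev" | parse_dco)
    hidden_sectors "$1" "$2" "${real:-$2}"
}

# Offline demonstration on the constructed samples: sh hpa_dco.sh --demo
demo() {
    set -- $(printf '%s\n' "$SAMPLE_HDPARM_N" | parse_hpa)
    real=$(printf '%s\n' "$SAMPLE_DCO_IDENTIFY" | parse_dco)
    set -- $(hidden_sectors "$1" "$2" "$real")
    echo "HPA hides   $1 sectors ($(sectors_to_bytes "$1") bytes)"
    echo "DCO hides   $2 sectors ($(sectors_to_bytes "$2") bytes)"
    echo "total       $3 sectors hidden; record these before imaging and"
    echo "compare the image size with the real maximum afterwards"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On the sample, the HPA hides 15160 sectors (about 7.4 MB) and the DCO a further 39091248 sectors (about 20 GB), which is the gap between 40 GB and 60 GB. A raw image taken with a tool that only sees the visible maximum will be 39106408 sectors short, and comparing the image length against the real maximum is the check that catches it.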
28. HPA can therefore be considered as a "hidden area of the hard drive that can contain data in many formats, ranging from raw code or files (possibly encrypted), to complete alternative system or data partitions, and even disk images of operating systems. It can range in size from less than a megabyte to many gigabytes." See Richard Leickly and David K. Angell, 2012
29. Exercise
Read the article "Applications of Data Recovery Tools to Digital Forensics: Analyzing the Host Protected Area with the PC-3000" by Richard Leickly and David K. Angell, 2012
https://www.researchgate.net/publication/235984791_Applications_of_Data_Recovery_Tools_to_Digital_Forensics_Analyzing_the_Host_Protected_Area_with_the_PC-3000
30. Good practices
Make a duplicate copy of the evidence image file
It is safer to make at least two images of the digital evidence, using different tools or techniques, and to confirm that their hashes match.
Work only on copies of the image. In digital forensics the golden rule is that the original digital evidence is never altered.
31. Acquisition tools for Windows OS
Benefits
Makes acquiring evidence from a suspect drive easy
Particularly for hot-swappable devices
Note: Hot swapping is the replacement or addition of components to a
computer system without stopping, shutting down, or rebooting the
system. For example, eSATA, FireWire, and USB are examples of interfaces
that are hot-swappable on computers
32. Drawbacks
The source drive must be protected with a well-tested hardware write-blocker so that the acquisition itself cannot alter it
Some tools may not acquire data from a disk's host protected area or DCO.
The use of write-blocking devices for data acquisition has not been universally accepted.
33. Exercise
Explore the use of Mini-WinFE Boot CDs and USB Drives
Read https://www.winfe.net/
Read "The (Nearly) Perfect Forensic Boot CD – Windows Forensic Environment" by Brett Shavers
https://www.forensicfocus.com/articles/the-nearly-perfect-forensic-boot-cd-windows-forensic-environment/
34. WinFE see https://winfe.wordpress.com
WinFE is a forensically sound version of WinPE, a bootable operating system used by law enforcement agencies that conduct forensic examinations. Its essential change is that it does not automatically mount, or assign drive letters to, attached disks.
The Windows Preinstallation Environment (Windows PE, sometimes called WinPE) is a mini operating system with specific purposes
WinPE is a bare-bones operating system, originally based on the Windows XP kernel and now built from the current Windows release, that provides the functionality required to automate Windows Setup.
35. Mini-WinFE is a minimalist 32- or 64-bit Windows Forensic Environment (WinFE) with a GUI shell
See http://mistyprojects.co.uk/mistype/mini-winfe.docs/readme.files/intro.htm
36. Acquiring Data with a Linux Boot CD
Many Linux distributions offer an environment that you can boot your
computer into without having to install anything to a hard drive. For
some Linux distributions, this is actually their main purpose. This is
called a "live file system" and it allows you to boot into Linux like
normal from a CD, DVD, or USB drive.
37. With a live file system, changes you make normally aren't saved after a
reboot. When you boot to a live CD/DVD/USB, system files and
everything else are stored temporarily in RAM, and RAM is always
cleared when a system shuts down or reboots.
See https://linuxconfig.org/live-cd-dvd-linux-download for info about
Linux Live CD/DVD
38. A live CD or live DVD is a CD-ROM or DVD-ROM containing a bootable
computer operating system. Live CDs /DVDS are unique in that they
have the ability to run a complete, modern operating system on a
computer lacking mutable secondary storage, such as a hard disk
drive.
See https://en.wikipedia.org/wiki/List_of_live_CDs
39. As CD and DVD drives have been steadily phased-out, live CDs have
become less popular, being replaced by live USBs, which are
equivalent systems written onto USB flash drives, which have the
added benefit of having write-able storage. The functionality of a live
CD is also available with a bootable live USB flash drive, or
an external hard disk drive connected by USB.
40. Forensic Linux Live CDs are available
See https://www.kali.org/docs/general-use/kali-linux-forensics-mode/ for the benefits of booting into forensic mode.
Forensic Linux Live CDs do not mount media automatically (and do not touch swap), which reduces the need for a write-blocker; a hardware write-blocker is still the safer choice, since one mistaken mount command, or a distribution that does not honour its forensic mode, can alter the evidence
41. Forensic Linux Live CDs
Forensic Hard Copy
Penguin Sleuth
F.I.R.E
CAINE
Deft
Kali Linux
Knoppix
SANS Investigative Forensic Toolkit (SIFT)
Ubuntu Rescue Remix
Helix
FCCU GNU/Linux Forensic Boot CD
Parrot
ForLex
42. Windows and recent Linux versions mount and access a newly attached drive automatically, which can write to it (journal replay, access timestamps)
Linux can access a drive that is not mounted by reading the block device directly
Many recent Linux distributions can create Microsoft FAT and NTFS file systems (mkfs.vfat, mkfs.ntfs)
43. Commands for acquiring data
fdisk lists, creates, deletes, and verifies partitions in Linux (on evidence media use only fdisk -l, which reads the partition table without changing it)
https://www.tldp.org/HOWTO/Partition/fdisk_partitioning.html
https://www.tecmint.com/fdisk-commands-to-manage-linux-disk-partitions/
mkfs.msdos creates an MS-DOS (FAT) file system under Linux, for preparing the target drive, never the evidence drive
Read more at: https://www.commandlinux.com/man-page/man8/
44. Acquiring data with dd command
dd is a command-line utility for Unix and Unix-like operating systems whose primary purpose is to convert and copy files; reading a whole block device with it produces a raw bit-stream image
See https://www.gnu.org/software/coreutils/manual/html_node/dd-invocation.html
https://forensicswiki.xyz/wiki/index.php?title=Dd
45. The command dd
Drawbacks
Requires more skill than an ordinary user has
Has to be used with great caution: swapping if= and of= overwrites the source media the examiner is trying to replicate
Does not compress data
Was not designed with forensics in mind (no hashing, and read errors are only reported on stderr)
46. The command dd
Benefits
Can produce the raw format file that most digital forensics tools can read
Can read from and write to devices as well as files
47. The command dcfldd
dcfldd is an enhanced version of dd developed by the U.S. Department of Defense Computer Forensics Lab (DCFL), hence the name. It has some useful features for forensic investigators.
dcfldd is based on an old version of dd
http://dcfldd.sourceforge.net
48. The command dcfldd
The program only produces raw image files.
This tool is not suitable for imaging faulty drives; use GNU ddrescue for media with read errors
dcfldd can enter an infinite loop when a faulty sector is encountered on the source drive, writing to the image over and over again until there is no free space left.
49. Features of dcfldd
On-the-fly hashing of the copied data (hash=, with hashwindow= for hashes of fixed-size windows).
Progress indicator showing how much data has been copied.
Wiping of disks with known patterns.
Verification that the image is identical to the original drive, bit-for-bit (vf=).
Simultaneous output to more than one file/disk.
The output can be split into multiple files (split=).
Logs and data can be piped into external applications.
50. Tools for capturing images
ProDiscover https://www.prodiscover.com
ACCESSDATA FTK IMAGER LITE
https://accessdata.com/product-download/ftk-imager-lite-version-3-1-1
EnCase Forensic
https://www.guidancesoftware.com/encase-forensic
51. Validation of Data Acquisitions
Validation is the act of confirming that the image is a faithful copy of the source
It can be done using cyclic redundancy checks, checksum functions, or cryptographic hash functions, e.g. CRC-32, SHA-1 and SHA-512
A CRC or checksum only detects accidental corruption; only a cryptographic hash (today SHA-256 or stronger, since MD5 and SHA-1 have known collision attacks) shows that nobody could have substituted a different image with the same value
https://en.wikipedia.org/wiki/Hash_function
https://en.wikipedia.org/wiki/List_of_hash_functions
52. Validation using Linux utilities
For data acquired using dd
md5sum, sha1sum or sha256sum utilities, run on both the source device and the image file
For data acquired using dcfldd
hash option to designate a hashing algorithm (e.g. hash=sha256)
vf (verify file) option to compare the image file with the source medium
hashlog option to write the hash to a text file
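A complete dd acquisition with validation and segmentation, covering the dd, dcfldd, good-practices and Linux validation slides above. This is an added example, not code from the original slides or from any forensic tool vendor. The suspect device and output paths are hypothetical; for an offline run the script constructs a small sample file that stands in for the drive. The dcfldd option names (hash=, hashlog=, vf=, verifylog=) are taken from the dcfldd man page, and that function only runs if dcfldd is installed.

```shell
#!/bin/sh
# Added example (not from the original slides): disk-to-image acquisition
# with dd, hash validation, and segmentation of the raw image.
# Hypothetical paths: SRC is the suspect drive behind a hardware write
# blocker (e.g. /dev/sdb); IMG lives on the examiner's storage.
set -u

# Constructed stand-in for a suspect drive: 1 MiB of deterministic content,
# so the hashes below are reproducible offline.
make_sample_source() {
    yes 'constructed sample sector' | head -c 1048576 > "$1"
}

# Bit-for-bit raw acquisition.
#   conv=noerror : keep reading after a read error instead of aborting
#   conv=sync    : pad an unreadable block with NULs so every later byte keeps
#                  its original offset (the "bad sectors overlooked" drawback:
#                  the padding is silent unless you read the dd log)
#   bs=4096      : small block, so little data is lost per failed read, and a
#                  divisor of any drive with 512-byte sectors, so sync never
#                  pads the final block. A larger bs that does not divide the
#                  drive size would make the image longer than the source and
#                  the two hashes would never match.
acquire_raw() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2> "$img.ddlog"
}

# SHA-256 of a file. MD5 and SHA-1 still catch accidental corruption, but a
# report should carry a hash without known collision attacks.
hash_file() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Hash source and image independently, record both in sha256sum -c format,
# and return 0 only if they match. Re-hashing the source after imaging also
# demonstrates that the write blocker kept it unchanged.
verify_image() {
    src=$1; img=$2
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Segment the image into fixed-size parts IMG.aa, IMG.ab, ... (as proprietary
# formats do for removable media) and check that the parts, concatenated,
# hash to the same value as the whole image.
split_image() {
    img=$1; size=$2
    split -b "$size" "$img" "$img."
    [ "$(cat "$img".?? | sha256sum | awk '{ print $1 }')" = "$(hash_file "$img")" ]
}

# Same acquisition with dcfldd when it is installed: the hash is computed
# during the copy and vf= re-reads the source to compare it with the image.
# Option names follow the dcfldd man page. Returns 2 if dcfldd is absent.
acquire_dcfldd() {
    src=$1; img=$2
    command -v dcfldd > /dev/null 2>&1 || return 2
    dcfldd if="$src" of="$img" bs=4096 conv=noerror,sync \
        hash=sha256 hashlog="$img.hashlog" &&
    dcfldd if="$src" vf="$img" verifylog="$img.verifylog"
}

# Stand-alone demonstration on the constructed sample: sh acquire.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_source "$work/evidence.bin"
    acquire_raw "$work/evidence.bin" "$work/evidence.dd"
    verify_image "$work/evidence.bin" "$work/evidence.dd" && echo "hashes match"
    split_image "$work/evidence.dd" 262144 && echo "segments verified"
    cat "$work/evidence.dd.sha256"
fi
```

The .sha256 file is written in sha256sum -c format, so an independent party can re-verify with sha256sum -c evidence.dd.sha256 without this script. On real media, hash the source before imaging as well as after, keep the dd log with the image (it is the only record of padded blocks), and, following the good-practices slide, take a second image with a different tool and confirm that its hash matches the first.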
53. Validation using Windows OS
Windows has no hashing utility designed for digital forensics (certutil -hashfile and PowerShell's Get-FileHash can compute file hashes, but they are general-purpose tools)
Third-party utilities may be used
Raw data acquisitions have to be validated manually
Forensic tools usually have built-in validation utilities
54. Acquiring RAID data
RAID systems are commonplace
RAID systems can store many terabytes of data
Size is thus a major concern
Other challenges arise from the configuration and design (stripe size, disk order, parity layout)
RAID was originally developed for data redundancy
https://en.wikipedia.org/wiki/RAID
55. Typical Levels in RAID systems
RAID 0
RAID 1
RAID 2
RAID 3
RAID 4
RAID 5
RAID 6
RAID 10
56. Acquiring RAID data – Points to consider
Data storage needed
Type of RAID
Suitable tool for acquiring
Capability of tools for reading forensically copied RAID images
Capability of tools for reading split data saved while acquiring
Vendors
Size of disks
Use of sparse or logical acquisition if needed
57. Remote Acquisition
Sometimes it may be necessary to remotely connect to a target
computer by means of a network connection and make a copy of data
Drawbacks
Malware may hinder acquisition
Alarms could be set by the suspects to warn them of data being
acquired
Some tools may not support remote acquisition
58. Exercise
Study how data is acquired by tools such as
ProDiscover https://www.prodiscover.com
EnCase https://www.guidancesoftware.com/encase-forensic
R-Studio https://www.r-studio.com/Data_Recovery_Technician.shtml
USB Live Acquisition and Triage Tool (US-LATT) http://www.softwareasia.com/us-latt-pro
59. F-Response https://www.f-response.com
PassMark software ImageUSB
https://www.osforensics.com/tools/write-usb-images.html
ILook Stand-Alone External Imager Iximager
http://www.ilook-forensics.org/iximager.html
60. ASR Data SMART for Linux http://www.asrdata.com/forensic-software/smart-for-linux/
Runtime Software https://runtime.org/data-recovery-products.htm
61. References
Bill Nelson, Amelia Phillips, Christopher Steuart, "Guide to Computer Forensics and Investigations", Fifth Edition, Cengage Learning, 2015.
Wikipedia (articles linked above)