Sam Bowne, profile picture
Uploaded bySam Bowne
PDF, PPTX4,129 views

CNIT 121: 8 Forensic Duplication

This document discusses various types of forensic duplication including simple duplication that copies selected data versus forensic duplication that retains every bit on the source drive including deleted files. It covers requirements for forensic duplication including the need to act as admissible evidence. It describes different forensic image formats including complete disk, partition, and logical images and details scenarios for each type. Key aspects of forensic duplication covered include recovering deleted files, non-standard data types, ensuring image integrity with hashes, and traditional duplication methods like using hardware write blockers or live DVDs.

Education
In this document
Powered by AI

Introduction to forensic duplication focusing on simple duplication vs forensic duplication which retains every bit including deleted files.

Requirements for data duplication including understanding of host protected areas and firmware not typically included in forensic images.

Different types of forensic images: complete disk, partition, and logical images used in data recovery.

Description of complete disk imaging as a method to recover deleted files after attempts to hide data by users.

Overview of Host Protected Area (HPA) and Device Configuration Overlay (DCO), and details of partition imaging.

Explanation of logical imaging, its cases, and the necessity to track file metadata for integrity.

Importance of image integrity through hashes and the formats used for storing forensic images.

Necessary documentation in forensic processes, including integrity hashes, chain of custody, and image format considerations.

Techniques for traditional duplication including static images, hardware write-blockers, and popular imaging tools.

Technical considerations in imaging including device automounting, and tool specifics for creating forensic images.

Processes and risks of live system duplication, managing central storage systems, and coping with virtualization in forensic analysis.

Embed presentation

Download as PDF, PPTX
CNIT 121: Computer Forensics 8 Forensic Duplication
Types of Duplication • Simple duplication • Copy selected data; file, folder, partition... • Forensic duplication • Every bit on the source is retained • Including deleted files • Goal: act as admissible evidence in court proceedings
Requirements
Requirements
Every Bit? • Some data on a hard disk or SSD isn't normally used to store user data • It contains firmware • "Host Protected Area" (HPA) • Not normally included in a forensic image
Forensic Image Formats
Three Types of Forensic Images • Complete disk • Partition • Logical
Complete Disk Image
Demo: FTK Imager
Demo: FTK Imager
Recovering Deleted Files • If a suspect attempts to hide data by • Deleting files or partitions • Reinstalling the OS • Reformatting • Then a whole-drive image gives the best chance of recovering the missing data
HPA and DCO • Host Protected Area (HPA) and Device Configuration Overlay (DCO) • A portion of the disk hidden from the computers's OS • Used for boot and recovery utilities • Rootkits can also hide here (link Ch 8a)
Three Data Types • Active data • Files and folders in use, in the directory • Unallocated Space • Remnants of deleted files • File slack • Fragments of data left at the end of other files
Partition Image • Not a common technique • May be required because of limited scope of authority, or an excessively large disk • All allocation units from a partition • Allows recovery of deleted files on that partition only • But not unpatitioned space, reserved areas, or other partitions
Logical Image • A simple copy of selected files or folders • Active data only--no chance to recover deleted files • If you are required to use a logical image, record the reason for later reference
When to Acquire a Logical Image • Court order only allows certain files to be collected • Only one user's files from a shared storage device, such as a NAS (Network Attached Storage) or SAN (Storage Area Network) • Files from a business-critical NAS or SAN that cannot be taken offline for duplication • And you are not able to perform a live image
Acquiring Logical Images • You need to save file metadata • Creation times, permissions, etc. • Also integrity hashes • FTK Imager and EnCase can collect logical images
Non-Standard Data • System admin gives you a USB stick full of logs • VM server admin hands over virtual machine files • Network admin submits network capture files • Document as much as you can and track the data the same way you tracn forensic images
Image Integrity • Hashes ensure that data is not changed after the time when the hash was computed • Also ensures that copies are accurate • Drives with bad sectors give a different hash each time they are imaged • Document that if it happens
Image Formats • AFF (Advanced Forensic Framework) • Used by AccessData's FTK and ASR Data's SMART • Expert Witness Format (EWF) • Used by EnCase • Both store MD5 or SHA1 hashes automatically • Both are compressed formats & split data into several files; such as .E01, .E02, .E03, ...
DD Files • .dd files are exact copies of a drive • A 500 GB drive results in a 500 GB .dd file • No compression, no extra data like hash values • dcfldd computes hashes also, and can optionally save them in a separate text file
Documentation • Evidence documentation must include integrity hashes • Chain of custody • Reports, other documents
Choosing a Format • All forensic image formats contain the same disk data, of course • Each can be converted to the others, but it's a lengthy process • Commercial Windows tools usually expect EWF files • Open-source tools usually require .dd files • For RAID and other multi-disk arrays, .dd files are best for advanced processing
Traditional Duplication
Static Image • Hard drive only • Computer has been powered off • Image is made with a hardware disk duplicator • Or by booting from a forensic LiveDVD
Hardware Write Blockers • Best way to ensure that the drive is not modified during image collection (image: Wikipedia)
Write-Blockers • Industry leaders are Tableau and WeibeTech • They cost hundreds of dollars
Forensic LiveDVD • Boot disk • Blocks writing with software
Image Creation Tools • Software tools: dc3dd, FTK Imager, EnCase • Hardware disk duplicators • Expensive but convenient
Imaging Considerations
dd, dcfldd, dc3dd • dd is included in Linux and Unix systems • It works, but doesn't create a hash value and doesn't provide user feedback • dcfldd and dc3dd • Add the missing features to dd • From US DoD Computer Forensics Laboratory (DCFL) and Defense Cyber Crime Center (DC3)
Device Automounting • Every modern OS mounts disks automatically • And writes on them immediately • Changing timestamps, journal entries, etc. • Hardware write-blockers are the best defense • Forensic LiveDVDs block this process in software
EnCase • Several tools to create forensic images • Directly in Windows with Encase Forensic • Two command-line utilities • winen.exe or winacq.exe • LinEn: Linux-based boot disk • You must own EnCase to use them
Live System Duplication
Live Imaging • Creating an image of media in a computer while it is running • Not ideal; called a "smear" • May be only option for • Business-critical systems • Encrypted drives • Document what you did
Risks of Live Imaging • No write-blocker • You are changing the system • You might destroy evidence • You might cause performance problems or even crash the system • Don't install anything or save anything on the evidence system • Run FTK Imager Lite from a network share or removable media
Apple Hardware • Compenents are integrated, hard to access • Use strange connectors, like ZIF ribbon connector • Reboot into Target Disk Mode • Makes the Mac act like a portable disk drive • Image it using Firewire or Thunderbolt connector • Tableau sells a FireWire write-blocker
Central Storage Systems • RAID, SAN, NAS • Not feasible to duplicate the entire original source, due to size and complexity • Sometimes using proprietary methods • Determine where relevant data is, and make a logical copy of it • Forensic tools like FTK can place the copy in a "container" with original metadata and a hash • Live imaging might work best
Virtual Machines • Many servers are now virtualized • Can simply copy VM files, including RAM • Document the source and calculate a hash
CNIT 121: 8 Forensic Duplication

More Related Content

PPT
Ch 04 Data Acquisition for Digital Forensics.ppt
bywhbwi21Basri
 
PDF
Computer Forensics Working with Windows and DOS Systems
byJyothishmathi Institute of Technology and Science Karimnagar
 
PPTX
Module 02 ftk imager
byParminderKaurBScHons
 
PPT
File Carving
byAakarsh Raj
 
ODT
Operating System Forensics
byArunJS5
 
PDF
02 Types of Computer Forensics Technology - Notes
byKranthi
 
PDF
Current Forensic Tools
byJyothishmathi Institute of Technology and Science Karimnagar
 
PPT
Cyber forensic standard operating procedures
bySoumen Debgupta
 
Ch 04 Data Acquisition for Digital Forensics.ppt
bywhbwi21Basri
 
Computer Forensics Working with Windows and DOS Systems
byJyothishmathi Institute of Technology and Science Karimnagar
 
Module 02 ftk imager
byParminderKaurBScHons
 
File Carving
byAakarsh Raj
 
Operating System Forensics
byArunJS5
 
02 Types of Computer Forensics Technology - Notes
byKranthi
 
Current Forensic Tools
byJyothishmathi Institute of Technology and Science Karimnagar
 
Cyber forensic standard operating procedures
bySoumen Debgupta
 

What's hot

PPTX
Memory forensics.pptx
by9905234521
 
PDF
Forensics Analysis and Validation
byJyothishmathi Institute of Technology and Science Karimnagar
 
PDF
6 Scope & 7 Live Data Collection
bySam Bowne
 
PDF
Initial Response and Forensic Duplication
byJyothishmathi Institute of Technology and Science Karimnagar
 
PPT
Windowsforensics
bySantosh Khadsare
 
PPTX
Windows Forensic 101
byDigit Oktavianto
 
PPTX
Introduction to filesystems and computer forensics
byMayank Chaudhari
 
PPTX
Processing Crimes and Incident Scenes
byprimeteacher32
 
PPTX
Memory forensics
bySunil Kumar
 
PPT
Windows forensic artifacts
byn|u - The Open Security Community
 
PPT
chapter 1. Introduction to Information Security
byelmuhammadmuhammad
 
PDF
03 Data Recovery - Notes
byKranthi
 
PPT
SOC presentation- Building a Security Operations Center
byMichael Nickle
 
PPT
Live data collection_from_windows_system
byMaceni Muse
 
PPT
Network forensics1
bySantosh Khadsare
 
PPTX
Ntfs and computer forensics
byGaurav Ragtah
 
PDF
05 Duplication and Preservation of Digital evidence - Notes
byKranthi
 
PPTX
The Six Stages of Incident Response
byDarren Pauli
 
PPTX
Network Forensics
byprimeteacher32
 
PPT
Digital Forensic
byCleverence Kombe
 
Memory forensics.pptx
by9905234521
 
Forensics Analysis and Validation
byJyothishmathi Institute of Technology and Science Karimnagar
 
6 Scope & 7 Live Data Collection
bySam Bowne
 
Initial Response and Forensic Duplication
byJyothishmathi Institute of Technology and Science Karimnagar
 
Windowsforensics
bySantosh Khadsare
 
Windows Forensic 101
byDigit Oktavianto
 
Introduction to filesystems and computer forensics
byMayank Chaudhari
 
Processing Crimes and Incident Scenes
byprimeteacher32
 
Memory forensics
bySunil Kumar
 
Windows forensic artifacts
byn|u - The Open Security Community
 
chapter 1. Introduction to Information Security
byelmuhammadmuhammad
 
03 Data Recovery - Notes
byKranthi
 
SOC presentation- Building a Security Operations Center
byMichael Nickle
 
Live data collection_from_windows_system
byMaceni Muse
 
Network forensics1
bySantosh Khadsare
 
Ntfs and computer forensics
byGaurav Ragtah
 
05 Duplication and Preservation of Digital evidence - Notes
byKranthi
 
The Six Stages of Incident Response
byDarren Pauli
 
Network Forensics
byprimeteacher32
 
Digital Forensic
byCleverence Kombe
 

Viewers also liked

PDF
Ch 11: Hacking Wireless Networks
bySam Bowne
 
PPTX
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
bySam Bowne
 
PDF
Ch 13: Network Protection Systems
bySam Bowne
 
PDF
Ch 10: Hacking Web Servers
bySam Bowne
 
PDF
Practical Malware Analysis: Ch 9: OllyDbg
bySam Bowne
 
PDF
Ch 6: Enumeration
bySam Bowne
 
PDF
Ch 12: Cryptography
bySam Bowne
 
PDF
Ch 5: Port Scanning
bySam Bowne
 
PDF
Practical Malware Analysis Ch13
bySam Bowne
 
PDF
CNIT 123: Ch 13: Network Protection Systems
bySam Bowne
 
PDF
Ch 2: TCP/IP Concepts Review
bySam Bowne
 
PDF
CNIT 123 Ch 1: Ethical Hacking Overview
bySam Bowne
 
PDF
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
bySam Bowne
 
PPT
Digital Forensics in the Archive
byGarethKnight
 
PDF
CNIT 127 Ch 2: Stack overflows on Linux
bySam Bowne
 
PDF
CNIT 128 5: Mobile malware
bySam Bowne
 
PDF
CNIT 121: 10 Enterprise Services
bySam Bowne
 
PDF
CNIT 127 Ch 6: The Wild World of Windows
bySam Bowne
 
PDF
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
bySam Bowne
 
PDF
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
bySam Bowne
 
Ch 11: Hacking Wireless Networks
bySam Bowne
 
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
bySam Bowne
 
Ch 13: Network Protection Systems
bySam Bowne
 
Ch 10: Hacking Web Servers
bySam Bowne
 
Practical Malware Analysis: Ch 9: OllyDbg
bySam Bowne
 
Ch 6: Enumeration
bySam Bowne
 
Ch 12: Cryptography
bySam Bowne
 
Ch 5: Port Scanning
bySam Bowne
 
Practical Malware Analysis Ch13
bySam Bowne
 
CNIT 123: Ch 13: Network Protection Systems
bySam Bowne
 
Ch 2: TCP/IP Concepts Review
bySam Bowne
 
CNIT 123 Ch 1: Ethical Hacking Overview
bySam Bowne
 
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
bySam Bowne
 
Digital Forensics in the Archive
byGarethKnight
 
CNIT 127 Ch 2: Stack overflows on Linux
bySam Bowne
 
CNIT 128 5: Mobile malware
bySam Bowne
 
CNIT 121: 10 Enterprise Services
bySam Bowne
 
CNIT 127 Ch 6: The Wild World of Windows
bySam Bowne
 
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
bySam Bowne
 
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
bySam Bowne
 

Similar to CNIT 121: 8 Forensic Duplication

PPTX
Data Acquisition
byprimeteacher32
 
PDF
CNIT 152 8. Forensic Duplication
bySam Bowne
 
PPT
data acquisition in computer forensics and
byssuserec53e73
 
PPTX
Forensic imaging
byDINESH KAMBLE
 
ODP
Introduction to forensic imaging
byMarco Alamanni
 
PPT
Electornic evidence collection
byFakrul Alam
 
PDF
Foundation of Digital Forensics
byVictor C. Sovichea
 
PDF
Lecture #32: Forensic Duplication
byDr. Ramchandra Mangrulkar
 
PDF
Digital Forensics
byVikas Jain
 
PPT
Guide to computer forensics and investigation.ppt
byMaluOffice
 
PPTX
Lecture 4 - Data Acquisition1234_MH.pptx
bymuhammadosama0121
 
PDF
cyber forensics and digitalforensics.pdf
bymcjaya2024
 
PDF
dataacquisition.pdf
byJayaprasanna4
 
PDF
iam giving you entire process of  forensc duplication;the response.pdf
bymukhtaransarcloth
 
DOCX
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
bychristinemaritza
 
PPTX
Chapter_5_DF.pptx POWER POINT PRESENATION DIGITAL FORENSICS
byramakrishnandrhv
 
PDF
Workshop 2 revised
bypeterchanws
 
PDF
kbrgwillis.pdf
byKblblkb
 
PPS
intro to forensics
byPardhasaradhi ch
 
PDF
Accessing Forensic Images
byCTIN
 
Data Acquisition
byprimeteacher32
 
CNIT 152 8. Forensic Duplication
bySam Bowne
 
data acquisition in computer forensics and
byssuserec53e73
 
Forensic imaging
byDINESH KAMBLE
 
Introduction to forensic imaging
byMarco Alamanni
 
Electornic evidence collection
byFakrul Alam
 
Foundation of Digital Forensics
byVictor C. Sovichea
 
Lecture #32: Forensic Duplication
byDr. Ramchandra Mangrulkar
 
Digital Forensics
byVikas Jain
 
Guide to computer forensics and investigation.ppt
byMaluOffice
 
Lecture 4 - Data Acquisition1234_MH.pptx
bymuhammadosama0121
 
cyber forensics and digitalforensics.pdf
bymcjaya2024
 
dataacquisition.pdf
byJayaprasanna4
 
iam giving you entire process of  forensc duplication;the response.pdf
bymukhtaransarcloth
 
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
bychristinemaritza
 
Chapter_5_DF.pptx POWER POINT PRESENATION DIGITAL FORENSICS
byramakrishnandrhv
 
Workshop 2 revised
bypeterchanws
 
kbrgwillis.pdf
byKblblkb
 
intro to forensics
byPardhasaradhi ch
 
Accessing Forensic Images
byCTIN
 

More from Sam Bowne

PDF
4 Mapping the Application
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
PDF
5. Stream Ciphers
bySam Bowne
 
PDF
9. Hard Problems
bySam Bowne
 
PDF
12 Elliptic Curves
bySam Bowne
 
PDF
3: DNS vulnerabilities
bySam Bowne
 
PDF
11. Diffie-Hellman
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
PDF
8. Authenticated Encryption
bySam Bowne
 
PDF
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
PDF
9 Writing Secure Android Applications
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 1)
bySam Bowne
 
PDF
Cyberwar
bySam Bowne
 
PDF
10 RSA
bySam Bowne
 
PDF
Introduction to the Class & CISSP Certification
bySam Bowne
 
PDF
11 Analysis Methodology
bySam Bowne
 
PDF
8. Software Development Security
bySam Bowne
 
PDF
2a Analyzing iOS Apps Part 1
bySam Bowne
 
PDF
8 Android Implementation Issues (Part 1)
bySam Bowne
 
4 Mapping the Application
bySam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
5. Stream Ciphers
bySam Bowne
 
9. Hard Problems
bySam Bowne
 
12 Elliptic Curves
bySam Bowne
 
3: DNS vulnerabilities
bySam Bowne
 
11. Diffie-Hellman
bySam Bowne
 
7. Attacking Android Applications (Part 2)
bySam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
8. Authenticated Encryption
bySam Bowne
 
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
9 Writing Secure Android Applications
bySam Bowne
 
7. Attacking Android Applications (Part 1)
bySam Bowne
 
Cyberwar
bySam Bowne
 
10 RSA
bySam Bowne
 
Introduction to the Class & CISSP Certification
bySam Bowne
 
11 Analysis Methodology
bySam Bowne
 
8. Software Development Security
bySam Bowne
 
2a Analyzing iOS Apps Part 1
bySam Bowne
 
8 Android Implementation Issues (Part 1)
bySam Bowne
 

Recently uploaded

PPTX
Semester 6 Unit 2 Club foot (talipes).pptx
bysachin7989
 
PPTX
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
PPTX
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
PPTX
Overview of how to Create a Model in Odoo 18
byCeline George
 
PDF
Analyzing the data of your initial survey
byThelma Villaflores
 
PDF
Biology Practical Class 12th 2025 PDF(2)-2-52.pdf
bySCPRPWomenCollegeChi
 
PPTX
Repeat Orders_ Use Odoo Blanket Agreement
byCeline George
 
PPTX
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
PPTX
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
PPTX
Partial Correlation - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂ r₁₂, r₁₃ and r₂₃
bySundar B N
 
PDF
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
PPTX
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
PPTX
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
PPTX
Access partner report in Odoo 18.2 _ Odoo 19
byCeline George
 
PDF
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
PPTX
Planning Assessment for Outcome-based Education
byAdri Jovin
 
PPTX
Multiple Linear Regression - Least Square Method X₁ on X₂ and X₃
bySundar B N
 
PDF
International Men's Day Event: Breaking the Silence: Embracing Vulnerability ...
byAssociation for Project Management
 
PDF
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
PDF
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
Semester 6 Unit 2 Club foot (talipes).pptx
bysachin7989
 
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
Overview of how to Create a Model in Odoo 18
byCeline George
 
Analyzing the data of your initial survey
byThelma Villaflores
 
Biology Practical Class 12th 2025 PDF(2)-2-52.pdf
bySCPRPWomenCollegeChi
 
Repeat Orders_ Use Odoo Blanket Agreement
byCeline George
 
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
Partial Correlation - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂ r₁₂, r₁₃ and r₂₃
bySundar B N
 
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
Access partner report in Odoo 18.2 _ Odoo 19
byCeline George
 
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
Planning Assessment for Outcome-based Education
byAdri Jovin
 
Multiple Linear Regression - Least Square Method X₁ on X₂ and X₃
bySundar B N
 
International Men's Day Event: Breaking the Silence: Embracing Vulnerability ...
byAssociation for Project Management
 
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 

CNIT 121: 8 Forensic Duplication

  • 1.
  • 2.
    Types of Duplication •Simple duplication • Copy selected data; file, folder, partition... • Forensic duplication • Every bit on the source is retained • Including deleted files • Goal: act as admissible evidence in court proceedings
  • 3.
  • 4.
  • 5.
    Every Bit? • Somedata on a hard disk or SSD isn't normally used to store user data • It contains firmware • "Host Protected Area" (HPA) • Not normally included in a forensic image
  • 6.
  • 7.
    Three Types ofForensic Images • Complete disk • Partition • Logical
  • 8.
  • 9.
  • 10.
  • 11.
    Recovering Deleted Files •If a suspect attempts to hide data by • Deleting files or partitions • Reinstalling the OS • Reformatting • Then a whole-drive image gives the best chance of recovering the missing data
  • 12.
    HPA and DCO •Host Protected Area (HPA) and Device Configuration Overlay (DCO) • A portion of the disk hidden from the computers's OS • Used for boot and recovery utilities • Rootkits can also hide here (link Ch 8a)
  • 13.
    Three Data Types •Active data • Files and folders in use, in the directory • Unallocated Space • Remnants of deleted files • File slack • Fragments of data left at the end of other files
  • 14.
    Partition Image • Nota common technique • May be required because of limited scope of authority, or an excessively large disk • All allocation units from a partition • Allows recovery of deleted files on that partition only • But not unpatitioned space, reserved areas, or other partitions
  • 15.
    Logical Image • Asimple copy of selected files or folders • Active data only--no chance to recover deleted files • If you are required to use a logical image, record the reason for later reference
  • 16.
    When to Acquirea Logical Image • Court order only allows certain files to be collected • Only one user's files from a shared storage device, such as a NAS (Network Attached Storage) or SAN (Storage Area Network) • Files from a business-critical NAS or SAN that cannot be taken offline for duplication • And you are not able to perform a live image
  • 17.
    Acquiring Logical Images •You need to save file metadata • Creation times, permissions, etc. • Also integrity hashes • FTK Imager and EnCase can collect logical images
  • 18.
    Non-Standard Data • Systemadmin gives you a USB stick full of logs • VM server admin hands over virtual machine files • Network admin submits network capture files • Document as much as you can and track the data the same way you tracn forensic images
  • 19.
    Image Integrity • Hashesensure that data is not changed after the time when the hash was computed • Also ensures that copies are accurate • Drives with bad sectors give a different hash each time they are imaged • Document that if it happens
  • 20.
    Image Formats • AFF(Advanced Forensic Framework) • Used by AccessData's FTK and ASR Data's SMART • Expert Witness Format (EWF) • Used by EnCase • Both store MD5 or SHA1 hashes automatically • Both are compressed formats & split data into several files; such as .E01, .E02, .E03, ...
  • 21.
    DD Files • .ddfiles are exact copies of a drive • A 500 GB drive results in a 500 GB .dd file • No compression, no extra data like hash values • dcfldd computes hashes also, and can optionally save them in a separate text file
  • 22.
    Documentation • Evidence documentationmust include integrity hashes • Chain of custody • Reports, other documents
  • 23.
    Choosing a Format •All forensic image formats contain the same disk data, of course • Each can be converted to the others, but it's a lengthy process • Commercial Windows tools usually expect EWF files • Open-source tools usually require .dd files • For RAID and other multi-disk arrays, .dd files are best for advanced processing
  • 24.
  • 25.
    Static Image • Harddrive only • Computer has been powered off • Image is made with a hardware disk duplicator • Or by booting from a forensic LiveDVD
  • 26.
    Hardware Write Blockers •Best way to ensure that the drive is not modified during image collection (image: Wikipedia)
  • 27.
    Write-Blockers • Industry leadersare Tableau and WeibeTech • They cost hundreds of dollars
  • 28.
    Forensic LiveDVD • Bootdisk • Blocks writing with software
  • 29.
    Image Creation Tools •Software tools: dc3dd, FTK Imager, EnCase • Hardware disk duplicators • Expensive but convenient
  • 30.
  • 31.
    dd, dcfldd, dc3dd •dd is included in Linux and Unix systems • It works, but doesn't create a hash value and doesn't provide user feedback • dcfldd and dc3dd • Add the missing features to dd • From US DoD Computer Forensics Laboratory (DCFL) and Defense Cyber Crime Center (DC3)
  • 32.
    Device Automounting • Everymodern OS mounts disks automatically • And writes on them immediately • Changing timestamps, journal entries, etc. • Hardware write-blockers are the best defense • Forensic LiveDVDs block this process in software
  • 33.
    EnCase • Several toolsto create forensic images • Directly in Windows with Encase Forensic • Two command-line utilities • winen.exe or winacq.exe • LinEn: Linux-based boot disk • You must own EnCase to use them
  • 34.
  • 35.
    Live Imaging • Creatingan image of media in a computer while it is running • Not ideal; called a "smear" • May be only option for • Business-critical systems • Encrypted drives • Document what you did
  • 36.
    Risks of LiveImaging • No write-blocker • You are changing the system • You might destroy evidence • You might cause performance problems or even crash the system • Don't install anything or save anything on the evidence system • Run FTK Imager Lite from a network share or removable media
  • 37.
    Apple Hardware • Compenentsare integrated, hard to access • Use strange connectors, like ZIF ribbon connector • Reboot into Target Disk Mode • Makes the Mac act like a portable disk drive • Image it using Firewire or Thunderbolt connector • Tableau sells a FireWire write-blocker
  • 38.
    Central Storage Systems •RAID, SAN, NAS • Not feasible to duplicate the entire original source, due to size and complexity • Sometimes using proprietary methods • Determine where relevant data is, and make a logical copy of it • Forensic tools like FTK can place the copy in a "container" with original metadata and a hash • Live imaging might work best
  • 39.
    Virtual Machines • Manyservers are now virtualized • Can simply copy VM files, including RAM • Document the source and calculate a hash