This document contains flashcards related to data acquisition and forensic evidence analysis.
Role of Digital Evidence
Digital evidence must establish a credible link between attacker, victim, crime scene. What steps do you take to ensure this link is credible?
Threats to Digital Evidence
Another user overwriting the evidence, the computer being turned off so that the contents of memory are lost, or a person deliberately deleting the evidence. How can these threats be mitigated in a real-world scenario?
Scientific Working Group on Digital Evidence (SWGDE Standards)
Hardware and software must be appropriate and effective; activities must be recorded in writing; actions that can alter evidence must be performed in a forensically sound manner. Why is adherence to these standards crucial in digital forensics?
Sources of digital evidence
Regular files, Hidden files, Computer generated files. Can you describe a situation where each of these sources would be critical to an investigation?
Static Data
Remains unchanged after shutdown. Found on removable media and hard drives, and includes temporary files, registry hives, logs and caches. What are some challenges associated with preserving static data?
Data Acquisition Methodology
Initiate, Determine, Select, Sanitize, Acquire, Enable, Plan, Validate, Process, Finalise. What is the importance of following a structured methodology in data acquisition?
Collecting Forensic evidence
Investigate, verify, acquire, document. What is the importance of verifying evidence before acquisition?
Commonly Used Terms
Copy, Backup, Image, Mirror image, Bit-stream copy, Bit-stream image. How do these terms differ, and why is it important to use them correctly?
Bit-by-bit or mirror image
Exact duplication of original disk. What are the benefits and drawbacks of using bit-by-bit imaging in digital forensics?
Tools: Mandatory Requirements
The tool should be able to access the drive, create a bit-stream copy, log all errors, and hold up to audit. Why is it essential for forensic tools to meet these mandatory requirements?
Tools: Optional Requirements
Creation of a hash value, duplication to media of a different size, block-level comparison, and logging of other metadata. How can these optional requirements enhance the forensic process?
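Block-level comparison, the optional requirement listed above, is worth seeing in practice because a whole-image hash only tells you that two copies differ, not where. The POSIX shell functions below are an added example written for this page, not code from any forensic tool; the sample "disk" is a constructed file and the only external commands are dd, wc, cp and sha256sum (or shasum).

```shell
#!/bin/sh
# Block-level comparison of an acquired image against its source.
# Added example for this page (not code from any forensic tool): it needs only
# dd, wc, cp and sha256sum/shasum, and runs on a constructed sample file.

# Hash stdin with SHA-256; falls back to shasum where sha256sum is absent.
hash_stream() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# block_hash FILE BS INDEX: hash of the INDEX-th BS-byte block of FILE.
block_hash() {
    dd if="$1" bs="$2" skip="$3" count=1 2>/dev/null | hash_stream
}

# first_bad_block SRC IMG BS
# Prints the index of the first block whose contents differ between SRC and
# IMG, or -1 when every source block is present and identical. The block count
# comes from the source size, so trailing zero padding in the image (what dd's
# conv=sync adds) does not cause a false mismatch. A whole-disk hash only says
# "different"; this says where, which is what you need to decide whether a
# mismatch is one bad sector or a wrongly selected source.
first_bad_block() {
    src=$1; img=$2; bs=$3
    size=$(wc -c < "$src")
    n=$(( (size + bs - 1) / bs ))
    i=0
    while [ "$i" -lt "$n" ]; do
        if [ "$(block_hash "$src" "$bs" "$i")" != "$(block_hash "$img" "$bs" "$i")" ]; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    printf '%s\n' -1
}

# Constructed sample: a 256 KiB "disk" filled with a text pattern, an exact
# copy, and a copy with one byte changed at offset 150000 (block 2 of 64 KiB).
demo_block_compare() {
    dir=$(mktemp -d)
    yes 'forensic sample data' | head -c 262144 > "$dir/disk.bin"
    cp "$dir/disk.bin" "$dir/good.dd"
    cp "$dir/disk.bin" "$dir/bad.dd"
    printf 'X' | dd of="$dir/bad.dd" bs=1 seek=150000 conv=notrunc 2>/dev/null
    echo "good image, first differing block: $(first_bad_block "$dir/disk.bin" "$dir/good.dd" 65536)"
    echo "bad image, first differing block:  $(first_bad_block "$dir/disk.bin" "$dir/bad.dd" 65536)"
    rm -rf "$dir"
}

demo_block_compare
```

Run it with a smaller block size to narrow the location further: the same corrupted byte reports as block 36 with a 4 KiB block size, which on a real device maps directly to a sector range you can re-read or document as unrecoverable.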
Data Acquisition Formats: Raw
Very fast data transfers, ignores minor read errors, and is readable by most tools. Requires as much storage space as the original, and basic tools may not collect bad (marginal) sectors. In what scenarios would using the Raw format be most appropriate, and what are the risks?
Data Acquisition Formats: Proprietary
Intelligent acquisition that saves space, features for manipulating the image, and the ability to embed metadata and case details. Tied to one vendor's tool and subject to that software's limitations, such as limits on segment size. What are the implications of using proprietary formats in terms of accessibility and compatibility?
Data Acquisition Formats: AFF (Advanced Forensic Format)
Open-source acquisition format with no size limits that can include metadata. File extensions: .aff (single image file), .afd (segmented image) and .afm (metadata). How does AFF compare to Raw and Proprietary formats in terms of features and usability?
Types of acquisitions
Static acquisitions and live acquisitions. What are the key differences between static and live acquisitions, and when should each be used?
Four methods of data collection
Creating a disk-to-image file, disk-to-disk, logical disk-to-disk or disk-to-data file, sparse data copy. What factors should be considered when choosing a data collection method?
Creating a disk-to-image file
Most common method; offers flexibility, allows more than one copy to be made, and produces bit-for-bit replications. What are the advantages of creating a disk-to-image file in digital forensics?
It allows multiple copies to be made, ensuring data redundancy and integrity.
Remote Acquisition
Copy data from one or more computer systems connected to the network. What security measures should be implemented during remote acquisition to prevent data breaches?
F-Response
A vendor-neutral remote access utility that sets up a secure, read-only connection to the target system. How does a read-only connection enhance the integrity of the acquired data?
Features of Data Dump (DD)
Evidence acquisition, cloning disks, copying partitions, error checking, wiping data. What are the potential risks associated with using DD for evidence acquisition?
Using DC3DD in Kali Linux
dc3dd offers everything dd does plus forensic features: on-the-fly hashing, a progress meter, error logging, splitting of output files, verification, and wiping. How does on-the-fly hashing improve the forensic process?
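The dd and dc3dd cards above list the features an examiner relies on (on-the-fly hashing, error logging, splitting, verification, wiping), and the Raw format card describes the output they produce. The script below is an added example for this page, not dd's or dc3dd's own code: it reproduces those features with POSIX dd, tee, split and coreutils so the whole run can be exercised offline against a constructed sample file. It also guards against the most common dd accident, swapping if= and of=, which would overwrite the evidence drive with the destination.

```shell
#!/bin/sh
# Raw (dd-style) acquisition with the safeguards dc3dd bundles in: a written
# log, on-the-fly hashing, post-copy verification, segmented output and a
# wipe for sanitising target media. Added example for this page, not dd's or
# dc3dd's own code; it uses only POSIX dd, split, tee and coreutils, and runs
# against a constructed sample file instead of a real device.

# Hash stdin with SHA-256; falls back to shasum where sha256sum is absent.
hash_stream() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# acquire_image SRC IMG LOG [BS]
# Copies SRC to IMG while hashing the byte stream as it is read, then re-reads
# IMG and compares the two hashes; both hashes and dd's own messages are
# appended to LOG. conv=noerror,sync makes dd continue past unreadable blocks
# and zero-pad them so later offsets stay aligned (the final partial block is
# padded too, so pick a BS that divides the source size, e.g. 512 for a
# sector-aligned device, when comparing against an independent source hash).
# Refuses to run when SRC and IMG are the same file, which is what happens
# when if= and of= are accidentally swapped. Prints the verified image hash.
acquire_image() {
    src=$1; img=$2; log=$3; bs=${4:-4096}
    if [ "$src" -ef "$img" ]; then
        echo "refusing: source and destination are the same file" >&2
        return 1
    fi
    echo "started $(date -u +%Y-%m-%dT%H:%M:%SZ): dd if=$src of=$img bs=$bs conv=noerror,sync" >> "$log"
    in_hash=$(dd if="$src" bs="$bs" conv=noerror,sync 2>>"$log" | tee "$img" | hash_stream)
    out_hash=$(hash_stream < "$img")
    printf 'input  sha256: %s\noutput sha256: %s\n' "$in_hash" "$out_hash" >> "$log"
    if [ "$in_hash" != "$out_hash" ]; then
        echo "verification: FAILED" >> "$log"
        return 1
    fi
    echo "verification: OK" >> "$log"
    echo "$out_hash"
}

# split_image IMG SEGMENT_BYTES PREFIX
# Writes IMG as PREFIXaa, PREFIXab, ... segments and prints the SHA-256 of the
# segments concatenated back in order; it must equal the hash logged at
# acquisition. Globs expand in sorted order, so cat PREFIX* reassembles them.
# Use a PREFIX that matches nothing else in the directory.
split_image() {
    split -b "$2" "$1" "$3"
    cat "$3"* | hash_stream
}

# wipe_file FILE
# Overwrites FILE with zeros (rounded up to whole 4 KiB blocks) and confirms no
# non-zero byte remains. On real target media the of= would be the device node.
wipe_file() {
    size=$(wc -c < "$1")
    dd if=/dev/zero of="$1" bs=4096 count=$(( (size + 4095) / 4096 )) 2>/dev/null
    [ "$(tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# Constructed sample run: a 1 MiB "disk" filled with a text pattern.
demo_acquisition() {
    dir=$(mktemp -d)
    yes 'forensic sample data' | head -c 1048576 > "$dir/disk.bin"
    echo "image sha256:       $(acquire_image "$dir/disk.bin" "$dir/evidence.dd" "$dir/evidence.log")"
    echo "reassembled sha256: $(split_image "$dir/evidence.dd" 262144 "$dir/seg.")"
    acquire_image "$dir/disk.bin" "$dir/disk.bin" "$dir/evidence.log" 2>/dev/null \
        || echo "if=/of= swap guard: refused"
    wipe_file "$dir/evidence.dd" && echo "wipe: verified all zeros"
    echo "--- evidence.log ---"; cat "$dir/evidence.log"
    rm -rf "$dir"
}

demo_acquisition
```

With dc3dd itself the equivalent, from memory of its option names (check dc3dd --help before relying on them), is dc3dd if=/dev/sdb of=evidence.dd hash=sha256 log=evidence.log. For the remote acquisition card, the same dd invocation on the target can be piped into ssh examiner@host 'cat > evidence.dd', so the bytes cross the network over an authenticated, encrypted channel and the examiner re-hashes the received image exactly as the verification step does here.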
Forensics data acquisition formats
Raw, Proprietary and AFF. What are the main advantages and disadvantages of each format in the context of forensic investigations?
Data acquisition methods
Disk-to-image file, Disk-to-disk copy, Logical disk-to-disk or disk-to-data file, Sparse data copy. In what situations would a sparse data copy be more appropriate than a full disk image?