Data Acquisition

Understanding Storage Formats for Digital Evidence

• Data acquisition: The process of copying data. It’s the task of collecting digital evidence from electronic media.

Raw Format

• Vendors made it feasible to write bit-stream data to files as a practical approach to retain digital evidence. This copying method turns a questionable drive or data set into simple sequential flat files.
  • The output of these flat files is referred to as a raw format.
• Fast data transfers and the ability to tolerate small data read errors on the source device are two benefits of the raw format.
• The raw format is a universal acquisition format for most forensics tools because the majority of them can read it.
• The raw format has the drawback of taking up the same amount of storage space as the original disk or data collection.
• The fact that some raw format programs, usually freeware ones, might not collect marginal (poor) sectors on the source drive means they have a low threshold of retry reads on weak media places on a drive, which is another drawback.

Proprietary Format

• Proprietary formats typically offer several features that complement the vendor’s analysis tool, such as the following:
  • Compression or uncompression of image files on a suspect disk, which can free up capacity on the target drive.
  • the capacity to segment a picture into smaller files for archiving purposes, such as to CDs or DVDs, with data integrity checks included into each segment.
  • the ability to include metadata in the picture file, such as the date and time of acquisition, the original disk or medium's hash value, the name of the investigator or examiner, and remarks or case information.
  • The unavailability of computer forensics analysis tools from many vendors to share a picture is a significant drawback of proprietary format acquisitions.

Advanced Forensic Format

• Developed by Dr. Simson L. Garfinkel; an open-source acquisition format.
• This format has the following design goals:
  • Having the ability to create compressed or uncompressed image files
  • The size of disk-to-image files is not limited.
  • Metadata space in the image file or segmented files
  • Simple and extensible design
  • Open source for several operating systems and platforms
  • Self-authentication checks for internal consistency

Determining the Best Acquisition Method

• A static acquisition is done on a computer seized during a police raid.
• If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is available—meaning the computer is powered on and has been logged on to by the suspect.
• Static acquisitions are always the preferred way to collect digital evidence.
• For both types of acquisitions, data can be collected with four methods:
  • creating a disk-to-image file,
  • creating a disk-to-disk copy,
  • creating a logical disk-to-disk or disk-to-data file, or
  • creating a sparse copy of a folder or file.
• Logical Acquisition: Captures only specific files of interest to the case or specific types of files.
• Sparse Acquisition: Collects fragments of unallocated (deleted) data; use this method only when you don’t need to examine the entire drive.

3.3: Contingency Planning for Image Acquisitions

• In the event that software or hardware fails or you experience a problem when making an acquisition, you should have backup plans ready.

  The most common and time-consuming technique for preserving evidence is creating a duplicate of your disk-to-image file.

• Make sure you take action to reduce the possibility that your investigation may fail.

• Certain acquisition tools don't copy data from a disk drive's host-protected area (HPA). To determine whether a vendor's tool can duplicate a drive's HPA, consult the documentation.

• You need to have a plan for dealing with encrypted disks as part of your contingency preparation.

• The majority of full disk encrypted disks now require the user's assistance in providing the decryption key in order to be decrypted prior to static acquisition.

• The majority of entire disk encryption tools at least feature a manual decryption procedure that involves converting the encrypted disk to an unencrypted disk. Depending on the size of the disk, this operation could take a few hours.

Using Acquisition Tools

Mini-WinFE Boot CDs and USB Drives

• Forensic boot CD/DVD or USB drive gives you a way to acquire data from a suspect computer and write-protect the disk drive.
• Mini-WinFE: It enables you to build a Windows forensic boot CD/DVD or USB drive with a modification in its Windows Registry file so that connected drives are mounted as read-only.
  • You must attach your target disk, such as a USB drive, before Mini-WinFE may boot a suspect's PC.
  • After Mini-WinFE has loaded, you may view a list of all the devices that are attached and change the read-write mode of your target USB drive so that you can use it to run an acquisition application.

Acquiring Data with a Linux Boot CD

• Using Linux Live CD Distributions
• Preparing a Target Drive for Acquisition in Linux
• Acquiring Data with dd in Linux
• Acquiring Data with dcfldd in Linux

Capturing an Image with AccessData FTK Imager Lite

• FTK Imager: A data acquisition tool included with a licensed copy of AccessData Forensic Toolkit.
• It is made to view disk-to-image files made from other proprietary proprietary formats as well as evidence disks.
• It can read files in the Advanced Forensic Format (AFF), SMART, Expert Witness Compression (EnCase), AccessData.ad1, and raw formats.
• It allows you to acquire an evidence drive from a physical drive level or a logical partition level and can create disk-to-image copies of evidence drives.
• A drive's HPA and device configuration overlay cannot be acquired by FTK Imager.

Validating Data Acquisitions

• Validating digital evidence requires using a hashing algorithm utility, which is designed to create a binary or hexadecimal number that represents the uniqueness of a data set, such as a file or disk drive. This unique number is referred to as a digital fingerprint.

Linux Validation Methods

• Validating dd-acquired data refers to the process of verifying the integrity and accuracy of data that has been acquired using the dd command in Linux.
• Validating dcfldd-acquired data refers to the process of verifying the integrity and accuracy of data that has been acquired using the dcfldd command, which is an enhanced version of the dd command.
• These validation processes are important to ensure that the acquired data is reliable and can be used for forensic analysis or other purposes.

Windows Validation Methods

• Windows has no built-in hashing algorithm tools for digital forensics.
• Many Windows third-party programs do have a variety of built-in tools.
  • Hexadecimal Editors: X-Ways WinHex or Breakpoint Software Hex Workshop
  • Forensic Programs: OSForensics, Autopsy, EnCase, and FTK
• Autopsy use MD5 to validate an image. It reads the metadata in Expert Witness Compression or AFF image files to get the original hash.

Performing RAID Data Acquisitions

Understanding RAID

• Redundant array of independent disks (RAID): A computer configuration involving two or more physical disks.
• Originally, RAID was developed as a data-redundancy measure to minimize data loss caused by a disk failure.
• Software RAID is typically implemented from the host computer’s OS.
• Hardware RAID uses its own controller as well as a processor and memory connected to the host computer.
• For Windows XP, 2000, and NT servers and workstations, RAID 0 or 1 is available.
• For a high-end data-processing environment, RAID 5 is common and is often based in special RAID towers.

\

RAID Classifications

• RAID 0: Provides rapid access and increased data storage. Two or more disk drives become one large volume, so the computer views the disks as a single disk.

• RAID 1: Made up of two disks for each volume and is designed for data recovery in the event of a disk failure.

• RAID 2: Provides rapid access and increased storage by configuring two or more disks as one large volume.

  • Error-correcting code (ECC) is used to verify whether the write is successful.

• RAID 3: Uses data striping and dedicated parity and requires at least three disks.

• RAID 4: Uses data striping and dedicated parity (block writing), except data is written in blocks rather than bytes.

• RAID 5: Uses distributed data and distributed parity and stripes data tracks across all disks in the RAID array. It places parity data on each disk. I

• RAID 6: Distributed data and distributed parity (double parity) function the same way as RAID 5, except each disk in the RAID array has redundant parity.

• RAID 10: A combination of RAID 1 and RAID 0. It provides fast access and redundancy of data storage. Also known as Mirrored Striping.

• RAID 15: A combination of RAID 1 and RAID 5. It offers the most robust data recovery capability and speed of access to all RAID configurations and is also more costly. Also known as Mirrored Striping with Parity.

  </p>

Acquiring RAID Disks

There’s no simple method for getting an image of a RAID server’s disks. You need to address the following concerns:

• How much data storage is needed to acquire all data for a forensics image?

• What type of RAID is used? Is it Windows RAID 0 or 1 or an integrated hardware- firmware vendor’s RAID 5, 10, or 15? Is it another unknown configuration or OS?

• If it’s a RAID 1, 10, or 15 server, do you need to have all drives connected so that the OS sees their contents? Some older RAID 1 systems required connecting both drives to make the data readable, which might also apply to RAID 10 and 15.

• Do you have an acquisition tool capable of copying the data correctly?

• Can the tool read a forensic copy of a RAID image?

• Can the tool read split data saves of each RAID disk, and then combine all images of each disk into one RAID virtual drive for analysis?

  </p>

The following are some vendors offering RAID acquisition functions:

• Guidance Software EnCase
• X-Ways Forensics
• AccessData FTK
• Runtime Software
• R-Tools Technologies

Using Remote Network Acquisition Tools

Remote Acquisition with ProDiscover

• ProDiscover Incident Response is designed to be integrated as a network intrusion analysis tool and is useful for performing remote acquisitions.

\

• This tool offers all the functions and features of other tools in the ProDiscover suite plus the following:
  • Gather volatile system state data.
  • Assess the active processes on a distant system.
  • Find hidden files and processes that may be running spyware or malware on a remote system.
  • a hacked system's IP ports can be remotely viewed and heard.
  • Perform hash comparisons to look for known Trojans and rootkits on a remote machine.
  • To establish a baseline in case the system is attacked, remotely create a hash inventory of all the files on it.

\

• The following security features are available for remote connections:

  • Password protection.
  • Encryption
  • Secure communication protocol
  • Write-protected trusted binaries
  • Digital signatures

  </p>

Remote Acquisition with EnCase Enterprise

• Guidance Software was the first forensics vendor to develop a remote acquisition and analysis tool based on its desktop tool EnCase.
• This remote tool, EnCase Endpoint Investigator, can perform the following functions:
  • Across a large geographic area, look for and collect internal and external network systems.
  • Different OSs and file systems are supported.
  • To determine which systems are relevant to an investigation, use triage.
  • Conduct up to five system searches simultaneously.

Remote Acquisition with R-Tools R-Studio

• For data recovery, there is a software package called R-Tools.
• Networked computer systems can be accessed remotely using the R-Studio network edition.
• R-Studio network edition data acquisition generates raw format acquisitions and has a wide range of file system recovery capabilities.

Remote Acquisition with WetStone US-LATT PRO

• The WetStone US-LATT PRO tool allows for remote acquisition of digital evidence from a target device.
• The tool ensures forensic soundness by creating a bit-for-bit copy of the target device's storage media.
• US-LATT PRO supports multiple acquisition protocols, including SSH, SCP, and SFTP.
• The tool also allows for live memory acquisition, which can be useful in capturing volatile data.
• US-LATT PRO provides remote control capabilities, allowing investigators to execute commands on the target device.
• The tool generates detailed reports of the acquisition process, including hash values and acquisition times.
• US-LATT PRO is compatible with a wide range of operating systems, including Windows, Linux, and macOS.
• The tool has a user-friendly interface, making it easy for investigators to navigate and use.

Remote Acquisition with F-Response

• F-Response is a vendor-neutral specialty remote access utility designed to work with any digital forensics program.
• It creates a security read-only connection that forensics investigators can access when installed on a remote machine.
• Examiners can physically access remote drives using F-Response and view raw data.
• Any forensics acquisition tool can be used to gather digital evidence after the F-Response link is established.

Using Other Forensics Acquisition Tools

PassMark Software ImageUSB

• PassMark Software has an acquisition tool called ImageUSB for its OSForensics analysis product.
• To create a bootable flash drive, you need Windows XP or later and ImageUSB downloaded from the OSForensics Web site.

ASR Data SMART

• ASR Data SMART is a Linux forensics analysis tool that can make image files of a suspect drive.
• SMART can produce proprietary or raw format images and includes the following capabilities:
  • Robust data reading of damaged drive sectors
  • Writing-protected mounting of suspicious disks
  • Mounting target disks in read/write mode, including NTFS drives
  • Optional compression techniques can quicken acquisition or cut down on the amount of storage required for digital evidence obtained.

Runtime Software

• Runtime Software offers several compact shareware programs for data acquisition and recovery, including DiskExplorer for FAT and DiskExplorer for NTFS.
• Since Runtime's tools are file system-specific, there are FAT and NTFS versions of DiskExplorer available.
• These tools offer the following features for acquisition needs:
  • Make an image file in raw format.
  • Segment the compressed or raw image for archival needs.
  • Use the disks of machines on a network.

ILookIX (IXImager)

• ILookIX is an internet exchange point (IXP) located in Istanbul, Turkey.
• It was founded in 2016 and is operated by the Istanbul Metropolitan Municipality.
• ILookIX provides peering services to internet service providers (ISPs), content delivery networks (CDNs), and other networks.
• It has a diverse range of participants, including local and international ISPs, cloud providers, and social media companies.
• ILookIX offers both IPv4 and IPv6 peering, and supports a variety of peering policies, including open peering and selective peering.
• It is connected to other major IXPs in Europe and Asia, providing access to a global network of networks.
• ILookIX is committed to promoting internet development and digital transformation in Turkey and the wider region.

\