Study Notes on Data Acquisition and Duplication

Module 4: Data Acquisition and Duplication

This module focuses on the methodologies, formats, and tools used to collect Electronically Stored Information (ESI) in a manner that is forensically sound and admissible in a court of law.

1. Fundamentals of Data Acquisition

  • Goal: Extract ESI from various media (computers, mobile devices, servers) to gain insight into a crime or incident.

  • Legal Defensibility Requirements:

    • Auditable: Every step of the process must be logged for review.

    • Reproducible: Another investigator using the same tools should achieve the same results, ensuring consistency.

    • Integrity-Preserved: The data must be proven to be an exact and unaltered copy of the original.

Core Rules of Acquisition
  1. Never Work on the Original Media: Always work on bit-stream copies to avoid unintentional changes to metadata.

  2. Use Clean Media: Ensure destination drives are sanitized (wiped) prior to use to prevent contamination.

  3. Hash Everything: Utilize cryptographic hashes (e.g., MD5, SHA) to verify that copies match the original exactly, ensuring data integrity.

2. Live vs. Static Acquisition

Live Acquisition (System Powered ON)
  • Focus: Collects Volatile Data—data stored in Random Access Memory (RAM) which is lost when power is cut.

  • Data Collected:

    • Running processes

    • Logged-on users

    • Network connections

    • Clipboard contents

    • Unencrypted data in memory

  • Risk: Running tools on a live system alters RAM. This is an "involuntary action" that must be documented.

Static/Dead Acquisition (System Powered OFF)

Focuses on Non-Volatile Data stored on persistent media.

  • Data Collected: Filesystem, deleted files, slack space, and system logs.

  • Requirement: Always use a Write Blocker to prevent the host OS from writing metadata (like "Last Accessed" dates) to the evidence drive.

3. Data Acquisition Formats

Format: Raw (dd)
  Description: A bit-for-bit copy of the original media.
  Pros: Universally compatible.
  Cons: No metadata or compression; needs equal space.

Format: Proprietary
  Description: Formats created by tools like FTK or EnCase (e.g., .E01).
  Pros: Supports compression, splitting files, and embedding hashes.
  Cons: May require specific software.

Format: AFF/AFF4
  Description: Advanced Forensic Format (Open Source).
  Pros: Fast, no size limits, supports metadata, highly organized.

4. The 8-Step Acquisition Methodology

Step 1: Determine Method

Decide between a Logical Acquisition (specific files), a Sparse Acquisition (fragments/unallocated space), or a Bit-stream Image (full drive). Civil cases often allow for smaller, targeted collections.

Step 2: Select the Tool

The tool must be capable of creating a "qualified bit-stream copy."

● Alerting: A critical feature is that the tool should warn you if the destination drive is smaller than the source (e.g., trying to copy 10TB to 5TB) to prevent mid-process corruption.

Step 3: Sanitize Target Media

Prior data on your destination drive can ruin an investigation.

● Standards: Follow NIST, DoD, or GOST (Russian) standards for wiping.

● Disposal: After the case, media must be destroyed/wiped to prevent unauthorized disclosure of PII (Personally Identifiable Information).

Step 4: Acquire Volatile Data

If the system is on, extract the RAM first.

● Tool: Belkasoft Live RAM Capturer extracts memory into a .mem file.

● Warning: Loading the tool into RAM will alter the memory slightly; investigators must be aware of this impact.

● PowerShell: Use the command Get-FileHash -Path [FilePath] -Algorithm MD5 | Format-List to hash a file.

● Note: Raw format images do not contain internal metadata, so they require a separate manual validation process to ensure integrity.

Step 5: Enable Write Protection

● Hardware: Use physical bridges (e.g., Tableau, CRU) to block "Write" commands at the hardware level.

● Software: Use examiner-controlled OS settings or tools like SafeBlock if hardware isn't available.

Step 6: Acquire Non-Volatile Data

Once the system is off and write-blocked, image the hard drive.

● Dead Acquisition: Remove the drive and connect it to a forensic workstation.

● Tools: Use AccessData FTK Imager to create the image and verify it with an MD5/SHA hash.

Step 7: Planning for Contingencies

"Two is one, and one is none."

● Multiple Copies: Always make at least two images. If one file becomes corrupt, the second is your backup.

● Multiple Tools: It is best practice to create the first image with one tool (e.g., FTK Imager) and a second with another (e.g., ProDiscover) to validate the results.

● Encryption: Be prepared for BitLocker (Windows). You must find the recovery key or the user-provided password to access the data.

Step 8: Validate the Acquisition

Perform a final hash comparison.
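A worked version of Steps 2, 6 and 8 (and of the Step 4 note that a raw image needs its own validation record), added here as an example and not taken from these notes or from any named tool: it copies a source bit for bit, hashes the original bytes in the same pass, writes a JSON sidecar manifest, and later re-hashes the image against that manifest. All function names and file paths are hypothetical; the source path can be a file or a block device.

```python
import hashlib, json, os, shutil, time

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so large images never sit in RAM


def acquire_raw(source, image, manifest_path, algorithms=("md5", "sha256")):
    """Bit-for-bit copy of `source` into `image`, hashing every byte as it is read.
    Hashes, byte count and timestamp go into a JSON sidecar at `manifest_path`,
    because a raw (dd-style) image carries no metadata or hashes of its own."""
    src_size = os.path.getsize(source)
    free = shutil.disk_usage(os.path.dirname(os.path.abspath(image))).free
    if free < src_size:  # Step 2 "alerting": refuse up front, not mid-copy
        raise RuntimeError(f"destination has {free} bytes free; source needs {src_size}")
    hashers = {name: hashlib.new(name) for name in algorithms}
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while chunk := src.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)  # hash of the ORIGINAL bytes, same pass as the copy
            dst.write(chunk)
            copied += len(chunk)
    manifest = {
        "source": source, "image": image, "bytes": copied,
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "hashes": {name: h.hexdigest() for name, h in hashers.items()},
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)  # the auditable record for this copy
    return manifest


def hash_file(path, algorithm):
    """Stream one file through one hash algorithm; return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image, manifest_path):
    """Step 8: re-hash the written image and compare with every recorded hash."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    if os.path.getsize(image) != manifest["bytes"]:
        return False  # truncated or padded copy: fail fast before hashing
    return all(hash_file(image, name) == digest
               for name, digest in manifest["hashes"].items())
```

MD5 is recorded alongside SHA-256 because many tools and reports still quote it, but SHA-256 is the value to rely on, since MD5 collisions are practical.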

Summary

We have covered the importance of volatility, the differences between raw and proprietary formats, and the rigorous 8-step process required to ensure digital evidence stands up in court.