Digital Forensics Data Acquisition Comprehensive Study Guide
Objectives of Data Acquisition in Digital Forensics
- List digital evidence storage formats.
- Explain ways to determine the best acquisition method.
- Describe contingency planning for data acquisitions.
- Explain how to use acquisition tools.
- Explain how to validate data acquisitions.
- Explain how to use remote network acquisition tools.
- List other forensic tools available for data acquisitions.
Understanding Storage Formats for Digital Evidence
Data in a forensics acquisition tool is typically stored as an image file. There are three primary formats used:
Raw Format
- Description: Makes it possible to write bit-stream data directly to files.
- Advantages:
  - Facilitates fast data transfers.
  - Capable of ignoring minor data read errors on the source drive.
  - The majority of computer forensics tools are equipped to read the raw format.
- Disadvantages:
  - Requires a storage capacity equal to the original disk or data set.
  - Some tools might fail to collect marginal or bad sectors.
Proprietary Formats
- Description: Most forensics tools utilize their own unique formats.
- Features Offered:
  - Options to compress or leave image files uncompressed.
  - Capability to split a large image into smaller segmented files.
  - Ability to integrate metadata directly into the image file.
- Disadvantages:
  - Difficulty or inability to share images between different forensic tools.
  - File size limitations for individual segmented volumes.
- Standardization: The Expert Witness format is considered the unofficial standard for proprietary formats.
Advanced Forensics Format (AFF)
- Description: Developed by Dr. Simson L. Garfinkel as an open-source acquisition format.
- Design Goals:
  - Provide both compressed and uncompressed image file options.
  - Eliminate size restrictions for disk-to-image files.
  - Provide space within the image file or its segments for metadata.
  - Ensure a simple design with high extensibility.
  - Maintain open-source availability for multiple platforms and Operating Systems (OSs).
  - Implement internal consistency checks for self-authentication.
- File Extensions:
  - for segmented image files.
  - for AFF metadata.
Determining the Best Acquisition Method
There are two main types of acquisitions: static acquisitions and live acquisitions. The determination of the best method depends entirely on the specific circumstances of the investigation.
Methods of Data Collection:
- Creating a Disk-to-Image File: This is the most common method and offers the greatest flexibility. It allows for the creation of multiple copies and produces bit-for-bit replications of the original drive. Tools supporting this include ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, and iLookIX.
- Creating a Disk-to-Disk Copy: Used when a disk-to-image copy is not possible. Tools can adjust the disk's geometry configuration. Examples include EnCase, SafeBack, and SnapCopy.
- Logical Disk-to-Disk or Disk-to-Data File: Used when time is limited. Logical acquisition captures only specific files of interest to the case.
- Sparse Data Copy: Used for large disks, such as PST or OST mail files and RAID servers. It collects fragments of unallocated (deleted) data.
Considerations for Acquisition:
- The size of the source disk.
- Utility of lossless compression.
- Use of digital signatures for verification.
- For extremely large drives, tape backup systems may be an alternative.
- Whether the physical disk can be retained by the investigator.
Contingency Planning for Image Acquisitions
- Always create a duplicate copy of the evidence image file (at least two images of digital evidence should be made).
- Utilize different tools or techniques to ensure accuracy.
- Acquire the Host Protected Area (HPA) of a disk drive.
- Consider hardware acquisition tools that access the drive at the BIOS level.
- Be prepared for encrypted drives:
  - The BitLocker feature in Windows makes static acquisitions more difficult.
  - Decryption may require the user to provide a specific key.
Using Acquisition Tools
Windows Acquisition Tools:
- Advantages: Convenient for acquiring evidence from suspect drives, especially with hot-swappable devices.
- Disadvantages: Data must be protected using well-tested hardware write-blocking devices. These tools generally cannot acquire data from the HPA. Some jurisdictions do not accept the use of write-blocking devices for certain acquisitions.
Mini-WinFE Boot CDs and USB Drives:
- Mini-WinFE allows for the creation of a Windows forensic boot CD/DVD or USB drive that mounts connected drives as read-only.
- Procedure: Connect the target drive (e.g., a USB drive) before booting the suspect's computer. Once Mini-WinFE is booted, the investigator can list connected drives and change the target USB drive to read-write mode to run acquisition programs.
AccessData FTK Imager Lite:
- Included with the AccessData Forensic Toolkit.
- Purpose: Viewing evidence disks and disk-to-image files. It creates disk-to-image copies at both logical partition and physical drive levels.
- Features: Can segment the image file.
- Requirement: Requires a hardware write-blocking device or must be run from a Live CD like Mini-WinFE.
Validating Data Acquisitions
Validation is considered the most critical aspect of computer forensics, ensuring that the evidence has not been altered.
- Validation Tools: Requires the use of a hashing algorithm utility.
- Techniques: Common algorithms include , , and through .
- Windows Limitations: Windows lacks built-in hashing algorithm tools suitable for forensics; third-party or commercial forensic programs are necessary.
- Note on Raw Format: Raw format image files do not contain metadata. Therefore, a separate manual validation process is strongly recommended for all raw acquisitions.
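The manual validation step for a raw acquisition, as an added example that is not part of the study guide or of any tool it names: the segments of a raw image are hashed as one continuous bit-stream and compared with the hash recorded at acquisition time, and a single altered bit in any segment makes the check fail. The evidence.NNN segment naming, the demo() scenario and the 5 MiB "drive" are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Iterable, List

CHUNK = 1 << 20  # 1 MiB reads: a real image is far larger than RAM


def ordered_segments(directory: Path, stem: str) -> List[Path]:
    """Return stem.001, stem.002, ... in numeric order (lexical order breaks past .999)."""
    parts = [p for p in directory.iterdir() if p.stem == stem and p.suffix[1:].isdigit()]
    return sorted(parts, key=lambda p: int(p.suffix[1:]))


def hash_segments(paths: Iterable[Path], algorithm: str = "sha256") -> str:
    """Hash the segments back-to-back, i.e. the same bit-stream the source drive produced."""
    h = hashlib.new(algorithm)
    for path in paths:
        with open(path, "rb") as f:
            while chunk := f.read(CHUNK):
                h.update(chunk)
    return h.hexdigest()


def validate_acquisition(source_hash: str, paths: Iterable[Path], algorithm: str = "sha256") -> bool:
    """A raw image carries no metadata, so the hash taken at acquisition time is the only anchor."""
    return hash_segments(paths, algorithm) == source_hash.lower()


def demo() -> dict:
    """Constructed scenario: a 5 MiB 'drive' imaged into 2 MiB raw segments."""
    drive = bytes(range(256)) * (5 * 1024 * 1024 // 256)
    source_hash = hashlib.sha256(drive).hexdigest()  # value an examiner records during acquisition
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        seg = 2 * 1024 * 1024
        for i, start in enumerate(range(0, len(drive), seg), 1):
            (workdir / f"evidence.{i:03d}").write_bytes(drive[start:start + seg])
        paths = ordered_segments(workdir, "evidence")
        intact = validate_acquisition(source_hash, paths)
        # Flip one bit in the last segment: an altered copy must fail validation.
        last = paths[-1].read_bytes()
        paths[-1].write_bytes(last[:-1] + bytes([last[-1] ^ 0x01]))
        altered = validate_acquisition(source_hash, paths)
    return {"segments": len(paths), "intact": intact, "altered": altered}
```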
Remote Network Acquisition Tools
Remote acquisition allows an investigator to connect to a suspect computer over a network to copy data.
Drawbacks:
- Security software (antivirus, antispyware, firewalls) may block or ignore remote access programs.
- Suspects can install security tools that notify them of remote intrusions.
Tool-Specific Features:
- ProDiscover: Uses the PDServer remote agent which can be loaded via trusted CD, preinstallation, or remote push. Features include "Stealth Mode" (masking the process name as an OS function), capturing volatile system states, analyzing running processes, and viewing IP ports. Security features include password protection, encryption, and digital signatures.
- EnCase Enterprise: Allows remote data acquisition of media and RAM. Integrates with Intrusion Detection Systems (IDS) and supports RAID (hardware and software).
- R-Tools R-Studio: Designed for data recovery. Uses Triple Data Encryption Standard () for remote connections and creates raw format acquisitions.
- WetStone US-LATT PRO: Part of a WetStone suite; can connect to a networked computer for live acquisition of all connected drives.
- F-Response: A vendor-neutral utility designed to work with any forensics program. It creates a secure read-only connection. Available in Enterprise, Consultant + Convert, Consultant, and TACTICAL editions.
Other Forensic Acquisition Tools
- PassMark Software ImageUSB: Used for OSForensics; requires Windows XP or later to create bootable flash drives.
- ASRData SMART: A Linux-based tool that produces proprietary or raw images. It can read bad sectors and mount drives in write-protected or read/write modes. It includes compression schemes.
- Runtime Software: Offers DiskExplorer for FAT and NTFS. Features include creating raw format images and segmenting them for archiving.
- ILook Investigator IXimager: Runs from a bootable floppy or CD. Specifically designed for ILook Investigator and supports RAID, IDE (), SCSI, USB, and FireWire.
- SourceForge: A repository for various security and analysis applications.