Data Acquisition in Digital Forensics
Overview of Data Acquisition
Importance of acquiring data accurately in digital investigations.
Aim to ensure the data collected is a true representation of the suspect device.
Considerations for Digital Forensic Investigators
Before Data Acquisition:
How can we preserve the best possible copy of the data?
The best possible copy is defined as the copy with the fewest changes relative to the original.
The data must be unmodified to ensure the integrity of evidence derived from it.
How can we ensure all data is preserved?
Some technology limitations may prevent the acquisition of all data from a suspect system.
Investigators need to acknowledge those limitations and understand the implications.
During Data Acquisition:
How can we confirm that the acquired data is correct?
"Correct" means that the acquired data must be exactly the same as the original suspect data.
How can we ensure acquired data can be verified by a third party?
Verification is crucial in digital forensic investigations.
After Data Acquisition:
Ensure data has not been altered since its acquisition.
Document any modifications made to data with justifications.
Key Principles of Data Acquisition
Do not change data; collect data without modifying the original.
It is essential to demonstrate that original data has not been altered during the process.
Any alterations must be clearly explained and documented.
Write Blockers
A write blocker is essential in ensuring that data is not modified during acquisition.
Definition:
A write blocker acts as a hardware or software tool that prevents the user’s computer from writing data to the connected suspect hard drive.
Function:
Allows reading from the suspect hard drive while preventing any write actions that could alter original data.
Types of Data Acquisition
The focus of this week is on post-mortem digital forensic acquisition:
Involves removing the suspect hard drive from a powered-off computer.
Data is then accessed directly.
Different types of devices necessitate varied acquisition approaches:
PC vs. Mac
Mobile devices (phones, tablets)
New devices (drones and their data storage)
Data Collection Process
Identify required data segment for investigation.
Consider the state of the device:
Is it off?
Is there any encryption that complicates access?
Understand the specific tools required for collecting RAM and other device types.
Forensic Soundness:
Data must be collected using proper procedures to ensure forensic soundness.
Forensic Disk Images
Acquired data is saved in a format called forensic disk image.
Definition:
A forensic disk image is a file that contains an exact, bit-for-bit copy of a suspect hard drive.
If no compression is used, the disk image file size will match the physical disk size.
Example: A 1-terabyte hard drive results in a 1-terabyte forensic disk image.
Cloning hard drives is an alternative; however, forensic disk images are more commonly used for analysis.
Verifying Data Integrity
After acquiring data, it’s vital to confirm that the copied data matches the original without modifications.
Cryptographic Hashing:
Uses a hash algorithm to generate a unique, fixed-size identifier (digest) for the input data.
Common hashing algorithms used in digital forensics include:
MD5
SHA-1
SHA-256
Procedure of Hashing for Validation:
Connect the suspect disk to a write blocker, then to a forensic workstation.
Create an initial hash for the original data on the suspect disk.
Acquire a physical disk image of the data and save it as a file.
Generate a hash for both the original disk and the acquired disk image.
Comparisons:
All three hashes (the initial hash of the suspect disk, the hash of the suspect disk taken again after imaging, and the hash of the forensic disk image) should match to confirm integrity.
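The hashing procedure above as an added shell example (not part of the lecture notes), using dd and sha256sum; the device, image and log names are assumptions, and in a real case the source would be the block device presented through a write blocker rather than the constructed sample file used here.

```shell
# Added example, not from the lecture notes: post-mortem acquisition with
# dd and three-way hash verification. The device and file names are
# assumptions; in a real case the source is the block device exposed
# through a write blocker (for example /dev/sdb), never a mounted disk.
set -u

# Print only the hex SHA-256 digest of a file or block device.
hash_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Step 3 of the procedure: bit-for-bit copy of the source into an image.
# bs must equal the sector size when conv=sync is used: sync pads a short
# final block to bs bytes, which would make the image hash differ from
# the disk hash. noerror continues past unreadable sectors (zero-filled);
# any such sector must be documented as a known deviation.
image_disk() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>> "$3"
}

# Steps 2 to 5: hash the disk, image it, hash disk and image again, and
# compare. Returns 0 only when all three hashes match; every digest is
# appended to the log so a third party can repeat the check.
acquire_and_verify() {
    dev="$1"; img="$2"; log="$3"
    pre=$(hash_of "$dev")
    printf 'disk hash before imaging: %s\n' "$pre" >> "$log"
    image_disk "$dev" "$img" "$log" || return 2
    verify_image "$dev" "$img" "$pre" "$log"
}

# Compare the pre-imaging disk hash with the post-imaging disk hash and
# the image hash. Usable on its own to re-verify an image later.
verify_image() {
    dev="$1"; img="$2"; pre="$3"; log="$4"
    post=$(hash_of "$dev"); imgh=$(hash_of "$img")
    printf 'disk hash after imaging:  %s\n' "$post" >> "$log"
    printf 'image file hash:          %s\n' "$imgh" >> "$log"
    if [ "$pre" = "$post" ] && [ "$pre" = "$imgh" ]; then
        printf 'VERIFIED\n' >> "$log"; return 0
    fi
    printf 'MISMATCH\n' >> "$log"; return 1
}

# Constructed stand-in for a suspect disk so the example runs offline:
# 1 MiB (a whole number of 512-byte sectors) of random bytes.
make_sample_disk() {
    head -c 1048576 /dev/urandom > "$1"
}
```

Run it with `make_sample_disk /tmp/suspect.bin` followed by `acquire_and_verify /tmp/suspect.bin /tmp/suspect.dd /tmp/acquisition.log`; the log then holds the three digests needed for independent verification.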
Conclusion and Practice
The acquisition, imaging, and hashing process will be practiced in assignments.
Emphasis on correct methodologies to ensure the integrity and validity of collected digital evidence.