List digital evidence storage formats Explain ways to determine the best acquisition method Describe contingency planning for data acquisitions Explain how to use acquisition tools
Explain how to validate data acquisitions Explain how to validate data acquisitions Describe RAID acquisition methods Explain how to use remote network acquisition tools List other forensic tools available for data acquisitions
Two types of data acquisition Two types of data acquisition - Static acquisition
- Copying a hard drive from a powered-off system
- Used to be the standard
- Does not alter the data, so it's repeatable
- Live acquisition
- Copying data from a running computer
- Now the preferred type, because of hard disk encryption
- Cannot be repeated exactly—alters the data
- Also, collecting RAM data is becoming more important
- But RAM data has no timestamp, which makes it much harder to use
Terms used for a file containing evidence data Terms used for a file containing evidence data - Bit-stream copy
- Bit-stream image
- Image
- Mirror
- Sector copy
They all mean the same thing
Three formats Three formats - Raw format
- Proprietary formats
- Advanced Forensics Format (AFF)
This is what the Linux dd command makes This is what the Linux dd command makes Bit-by-bit copy of the drive to a file Advantages - Fast data transfers
- Can ignore minor data read errors on source drive
- Most computer forensics tools can read raw format
Disadvantages Disadvantages - Requires as much storage as original disk or data
- Tools might not collect marginal (bad) sectors
- Low threshold of retry reads on weak media spots
- Commercial tools use more retries than free tools
- Validation check must be stored in a separate file
- Message Digest 5 ( MD5)
- Secure Hash Algorithm ( SHA-1 or newer)
- Cyclic Redundancy Check ( CRC-32)
Features offered Features offered - Option to compress or not compress image files
- Can split an image into smaller segmented files
- Such as to CDs or DVDs
- With data integrity checks in each segment
- Can integrate metadata into the image file
- Hash data
- Date & time of acquisition
- Investigator name, case name, comments, etc.
Disadvantages Disadvantages - Inability to share an image between different tools
- File size limitation for each segmented volume
- Typical segmented file size is 650 MB or 2 GB
Expert Witness format is the unofficial standard - Used by EnCase, FTK, X-Ways Forensics, and SMART
- Can produce compressed or uncompressed files
- File extensions .E01, .E02, .E03, …
Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation Design goals - Provide compressed or uncompressed image files
- No size restriction for disk-to-image files
- Provide space in the image file or segmented files for metadata
- Simple design with extensibility
- Open source for multiple platforms and OSs
Design goals (continued) Design goals (continued) - Internal consistency checks for self-authentication
File extensions include .afd for segmented image files and .afm for AFF metadata AFF is open source
Types of acquisitions Types of acquisitions - Static acquisitions and live acquisitions
Four methods - Bit-stream disk-to-image file
- Bit-stream disk-to-disk
- Logical
- Sparse
Most common method Most common method Can make more than one copy Copies are bit-for-bit replications of the original drive Tools: ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
Used when disk-to-image copy is not possible Used when disk-to-image copy is not possible - Because of hardware or software errors or incompatibilities
- This problem is more common when acquiring older drives
Adjusts target disk’s geometry (cylinder, head, and track configuration) to match the suspect's drive Tools: EnCase, SafeBack (MS-DOS), Snap Copy
When your time is limited, and evidence disk is large When your time is limited, and evidence disk is large Logical acquisition captures only specific files of interest to the case - Such as Outlook .pst or .ost files
Sparse acquisition collects only some of the data - I am finding contradictory claims about this—wait until we have a real example for clarity
Lossless compression might compress a disk image by 50% or more Lossless compression might compress a disk image by 50% or more But files that are already compressed, like ZIP files, won’t compress much more - Error in textbook: JPEGs use lossy compression and degrade image quality (p. 104)
Use MD5 or SHA-1 hash to verify the image
When working with large drives, an alternative is using tape backup systems When working with large drives, an alternative is using tape backup systems No limit to size of data acquisition But it’s slow
In civil litigation, a discovery order may require you to return the original disk after imaging it In civil litigation, a discovery order may require you to return the original disk after imaging it If you cannot retain the disk, make sure you make the correct type of copy (logical or bitstream) - Ask your client attorney or your supervisor what is required—you usually only have one chance
Create a duplicate copy of your evidence image file Create a duplicate copy of your evidence image file Make at least two images of digital evidence - Use different tools or techniques
Copy host protected area of a disk drive as well - Consider using a hardware acquisition tool that can access the drive at the BIOS level (link Ch 4c)
Be prepared to deal with encrypted drives - Whole disk encryption feature in Windows Vista Ultimate and Enterprise editions
Windows BitLocker Windows BitLocker TrueCrypt If the machine is on, a live acquisition will capture the decrypted hard drive Otherwise, you will need the key or passphrase - The suspect may provide it
- There are some exotic attacks
- Cold Boot (link Ch 4e)
- Passware (Ch 4f)
- Electron microscope (Ch 4g)
Acquisition tools for Windows Acquisition tools for Windows - Advantages
- Make acquiring evidence from a suspect drive more convenient
- Especially when used with hot-swappable devices
- Disadvantages
- Must protect acquired data with a well-tested write-blocking hardware device
- Tools can’t acquire data from a disk’s host protected area
USB write-protection feature USB write-protection feature - Blocks any writing to USB devices
Target drive needs to be connected to an internal PATA (IDE), SATA, or SCSI controller Works in Windows XP SP2, Vista, and Win 7
Linux can read hard drives that are mounted as read-only Linux can read hard drives that are mounted as read-only Windows OSs and newer Linux automatically mount and access a drive Windows will write to the Recycle Bin, and sometimes to the NTFS Journal, just from booting up with a hard drive connected Linux kernel 2.6 and later write metadata to the drive, such as mount point configurations for an ext2 or ext3 drive All these changes corrupt the evidence
Forensic Linux Live CDs mount all drives read-only Forensic Linux Live CDs mount all drives read-only - Which eliminates the need for a write-blocker
Using Linux Live CD Distributions - Forensic Linux Live CDs
- Contain additional utilities
Configured not to mount, or to mount as read-only, any connected storage media Configured not to mount, or to mount as read-only, any connected storage media Well-designed Linux Live CDs for computer forensics - Helix
- Penguin Sleuth
- FCCU (French interface)
Preparing a target drive for acquisition in Linux - Modern linux distributions can use Microsoft FAT and NTFS partitions
Preparing a target drive for acquisition in Linux (continued) Preparing a target drive for acquisition in Linux (continued) - fdisk command lists, creates, deletes, and verifies partitions in Linux
- mkfs.msdos command formats a FAT file system from Linux
Acquiring data with dd in Linux - dd (“data dump”) command
- Can read and write from media device and data file
- Creates raw format file that most computer forensics analysis tools can read
Shortcomings of dd command Shortcomings of dd command - Requires more advanced skills than average user
- Does not compress data
dd command combined with the split command - Segments output into separate volumes
dd command is intended as a data management tool - Not designed for forensics acquisitions
dcfldd additional functions - Specify hex patterns or text for clearing disk space
- Log errors to an output file for analysis and review
- Use several hashing options
- Refer to a status display indicating the progress of the acquisition in bytes
- Split data acquisitions into segmented volumes with numeric extensions
- Verify acquired data with original disk or media data
Connecting the suspect’s drive to your workstation Connecting the suspect’s drive to your workstation - Document the chain of evidence for the drive
- Remove the drive from the suspect’s computer
- Configure the suspect drive’s jumpers as needed
- Connect the suspect drive to a write-blocker device
- Create a storage folder on the target drive
Using ProDiscover’s Proprietary Acquisition Format - Image file will be split into segments of 650MB
- Creates image files with an .eve extension, a log file (.log extension), and a special inventory file (.pds extension)
Using ProDiscover’s Raw Acquisition Format Using ProDiscover’s Raw Acquisition Format - Select the UNIX style dd format in the Image Format list box
- Raw acquisition saves only the image data and hash value
Included on AccessData Forensic Toolkit Included on AccessData Forensic Toolkit View evidence disks and disk-to-image files Makes disk-to-image copies of evidence drives - At logical partition and physical drive level
- Can segment the image file
Evidence drive must have a hardware write-blocking device - Or the USB write-protection Registry feature enabled
FTK Imager can’t acquire drive’s host protected area (but ProDiscover can)
Steps Steps - Boot to Windows
- Connect evidence disk to a write-blocker
- Connect target disk
- Start FTK Imager
- Create Disk Image
Most critical aspect of computer forensics Most critical aspect of computer forensics Requires using a hashing algorithm utility Validation techniques - CRC-32, MD5, and SHA-1 to SHA-512
MD5 has collisions, so it is not perfect, but it’s still widely used SHA-1 has some collisions but it’s better than MD5 A new hashing function will soon be chosen by NIST
Validating dd acquired data Validating dd acquired data - You can use md5sum or sha1sum utilities
- md5sum or sha1sum utilities should be run on all suspect disks and volumes or segmented volumes
Validating dcfldd acquired data - Use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512
- hashlog option outputs hash results to a text file that can be stored with the image files
- vf (verify file) option compares the image file to the original medium
Windows has no built-in hashing algorithm tools for computer forensics Windows has no built-in hashing algorithm tools for computer forensics - Third-party utilities can be used
Commercial computer forensics programs also have built-in validation features - Each program has its own validation technique
Raw format image files don’t contain metadata - Separate manual validation is recommended for all raw acquisitions
Size is the biggest concern Size is the biggest concern - Many RAID systems now have terabytes of data
Redundant array of independent (formerly “inexpensive”) disks (RAID) Redundant array of independent (formerly “inexpensive”) disks (RAID) - Computer configuration involving two or more disks
- Originally developed as a data-redundancy measure
RAID 0 (Striped) - Provides rapid access and increased storage
- Lack of redundancy
RAID 1 (Mirrored) - Designed for data recovery
- More expensive than RAID 0
RAID 2 RAID 2 - Similar to RAID 1
- Data is written to a disk on a bit level
- Has better data integrity checking than RAID 0
- Slower than RAID 0
RAID 3 RAID 4 - Data is written in blocks
RAID 5 RAID 5 - Similar to RAIDs 0 and 3
- Places parity recovery data on each disk
RAID 6 - Redundant parity on each disk
RAID 10, or mirrored striping - Also known as RAID 1+0
- Combination of RAID 1 and RAID 0
Concerns Concerns - How much data storage is needed?
- What type of RAID is used?
- Do you have the right acquisition tool?
- Can the tool read a forensically copied RAID image?
- Can the tool read split data saves of each RAID disk?
Older hardware-firmware RAID systems can be a challenge when you’re making an image
Vendors offering RAID acquisition functions Vendors offering RAID acquisition functions - Technologies Pathways ProDiscover
- Guidance Software EnCase
- X-Ways Forensics
- Runtime Software
- R-Tools Technologies
Occasionally, a RAID system is too large for a static acquisition - Retrieve only the data relevant to the investigation with the sparse or logical acquisition method
You can remotely connect to a suspect computer via a network connection and copy data from it You can remotely connect to a suspect computer via a network connection and copy data from it Remote acquisition tools vary in configurations and capabilities Drawbacks - LAN’s data transfer speeds and routing table conflicts could cause problems
- Gaining the permissions needed to access more secure subnets
- Heavy traffic could cause delays and errors
- Remote access tool could be blocked by antivirus
Preview a suspect’s drive remotely while it’s in use Preview a suspect’s drive remotely while it’s in use Perform a live acquisition - Also called a “smear” because data is being altered
Encrypt the connection Copy the suspect computer’s RAM Use the optional stealth mode to hide the connection
All the functions of ProDiscover Investigator plus All the functions of ProDiscover Investigator plus - Capture volatile system state information
- Analyze current running processes
- Locate unseen files and processes
- Remotely view and listen to IP ports
- Run hash comparisons to find Trojans and rootkits
- Create a hash inventory of all files remotely
ProDiscover utility for remote access Needs to be loaded on the suspect computer PDServer installation modes - Trusted CD
- Preinstallation
- Pushing out and running remotely
PDServer can run in a stealth mode - Can change process name to appear as OS function
Password Protection Password Protection Encrypted communications Secure Communication Protocol Write Protected Trusted Binaries Digital Signatures
Remotely acquires media and RAM data Remotely acquires media and RAM data Integration with intrusion detection system (IDS) tools Options to create an image of data from one or more systems Preview of systems A wide range of file system formats RAID support for both hardware and software
R-Tools R-Studio R-Tools R-Studio WetStone LiveWire F-Response
Compact Shareware Utilities Compact Shareware Utilities - DiskExplorer for FAT
- DiskExplorer for NTFS
- HDHOST (Remote access program)
Features for acquisition - Create a raw format image file
- Segment the raw format or compressed image
- Access network computers’ drives
Tools Tools - SnapBack DatArrest
- SafeBack
- DIBS USA RAID
- ILook Investigator IXimager
- Vogon International SDi32
- ASRData SMART
- Australian Department of Defence PyFlag
Columbia Data Products Columbia Data Products Can make an image on three ways - Disk to SCSI drive
- Disk to network drive
- Disk to disk
Fits on a forensic boot floppy SnapCopy adjusts disk geometry
Reliable MS-DOS tool Reliable MS-DOS tool Small enough to fit on a forensic boot floppy Performs an SHA-256 calculation per sector copied Creates a log file
Functions Functions - Disk-to-image copy (image can be on tape)
- Disk-to-disk copy (adjusts target geometry)
- Parallel port laplink can be used
- Copies a partition to an image file
- Compresses image files
Rapid Action Imaging Device (RAID) Rapid Action Imaging Device (RAID) - Makes forensically sound disk copies
- Portable computer system designed to make disk-to-disk images
- Copied disk can then be attached to a write-blocker device
Iximager Iximager - Runs from a bootable floppy or CD
- Designed to work only with ILook Investigator
- Can acquire single drives and RAID drives
Linux forensics analysis tool that can make image files of a suspect drive Linux forensics analysis tool that can make image files of a suspect drive Capabilities - Robust data reading of bad sectors on drives
- Mounting suspect drives in write-protected mode
- Mounting target drives in read/write mode
- Optional compression schemes
PyFlag tool PyFlag tool - Intended as a network forensics analysis tool
- Can create proprietary format Expert Witness image files
- Uses sgzip and gzip in Linux
Dostları ilə paylaş: |