
Digital Forensics Module 3

The document provides an overview of evidence collection and data acquisition in digital forensics, detailing methods for acquiring both live and powered-off data. It emphasizes the importance of maintaining a forensically sound process, including the use of tools for memory and file acquisition, and the necessity of chain-of-custody documentation. Additionally, it discusses disk structures, partitioning schemes, and the role of metadata in file systems.

Uploaded by saisreeshma2233

Digital Forensics

Module 3
Evidence Collection
Data Acquisition
• Data acquisition is the act of collecting data relevant to an investigation
• It can be live data, including memory captures, or it can be collected in a forensically sound manner as an image or a forensic copy
• The data acquisition should be conducted in a manner that creates the fewest changes to a system
• The acquisition of a system that is powered off is the simplest example of collecting data in a forensically sound manner
  • The analyst removes the system’s hard drive
  • The hard drive is connected to the read-only port of a firmware write block
  • A target device to store an image or a copy is connected to the read-write port of the write block
  • The communications port of the write block is connected to a computer or a standalone device, or is built in
  • The analyst then creates an image or a copy by writing to the target device
  • The original is maintained and documented in a chain-of-custody form
  • The image or copy can then be examined (or additional copies made) on the analysis platform
Live Data (Including Memory)
• Live data acquisition involves collecting data from a running system
• This can include memory or mounted files
  • Such as Windows registry hives, unencrypted volumes or file systems, security files, or open processes
• Live data acquisition has become common in cases where a suspect is believed to have used full disk encryption
  • Which means shutting down the system will remove the decryption key from memory
Files
• Acquisition of files or mounted volumes can be accomplished by using software such as AccessData’s FTK Imager or Mandiant’s Redline
• Acquiring files utilizing a forensic tool rather than the Copy command provides better options for accountability of what was acquired
• Chain-of-custody documentation and verification through hashing are also possible
• It can allow for acquisition of files that are protected by the OS, such as Windows registry hives, the Master File Table, or other metadata files
Memory
• Memory can be acquired using software tools such as AccessData’s FTK Imager, Mandiant’s Redline, or a memory dump tool such as LiME
• Memory is often acquired from a running system if it is suspected of running malware or encryption
• Encryption keys may be located in memory
Volumes
• Full volumes can be acquired utilizing a tool such as AccessData’s FTK Imager
• The tool can acquire a mounted volume, including unallocated space
  • Even if the volume is encrypted
Forensic Image
• A forensic image is the most common way of maintaining evidence from a computer system
• An image file is created from the original source
• The image is created in blocks and every byte in each block is copied, including unallocated bytes
• This is sometimes, slightly inaccurately, referred to as a bit-stream image or a byte-for-byte copy
• The image may be stored in a flat file such as a raw “dd” image
  • Or it may be stored in a compound evidence file such as an E01 or AD1
• An advantage of using a raw evidence file is that nearly every tool designed for analysis can read from a raw file
• Disadvantages include the fact that the image is not compressed
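The block-by-block copy described above, together with the hash verification mentioned under Files, as an added example that is not part of the original slides. It images a constructed in-memory "drive" one sector-sized block at a time, copies every byte whether allocated or not, zero-fills a block that fails to read (the same approach as dd conv=noerror,sync, so later blocks keep their offsets), and then re-hashes the finished image to verify it. The device contents, the unreadable block and the acquisition log layout are all constructed for the example.

```python
"""Block-wise acquisition of a raw ("dd"-style) image with hash verification.

Added example for this module; it is not code from the slides. The "physical
drive" is a constructed in-memory byte buffer, and the unreadable block, the
sample contents and the log record format are all constructed for the example.
"""
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 512  # image in sector-sized blocks; every byte of every block is copied


def make_source_device(num_blocks, bad_blocks=()):
    """Construct a fake drive: returns (raw_bytes, read_block).

    read_block(i) returns block i, or raises OSError for blocks listed in
    bad_blocks to simulate a media read error.
    """
    raw = bytearray(num_blocks * BLOCK_SIZE)

    def put(block_index, data):
        off = block_index * BLOCK_SIZE
        raw[off:off + len(data)] = data  # same length on both sides: no resize

    put(0, b"CONSTRUCTED BOOT SECTOR")                 # "allocated" data
    put(2, b"readable data that will fail to read")    # block we make unreadable below
    put(5, b"deleted-but-still-on-disk")               # lives in unallocated space
    raw = bytes(raw)

    def read_block(i):
        if i in bad_blocks:
            raise OSError(f"read error at block {i}")
        return raw[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]

    return raw, read_block


def acquire_image(read_block, num_blocks, out, block_size=BLOCK_SIZE):
    """Copy num_blocks blocks into the file-like `out`, hashing as we go.

    A block that cannot be read is replaced by zeros so that every later
    block keeps its original offset (the behaviour of dd conv=noerror,sync).
    Returns (sha256_hex, list_of_unreadable_block_indexes).
    """
    digest = hashlib.sha256()
    unreadable = []
    for i in range(num_blocks):
        try:
            block = read_block(i)
        except OSError:
            block = bytes(block_size)
            unreadable.append(i)
        if len(block) != block_size:
            raise ValueError(f"block {i}: short read of {len(block)} bytes")
        out.write(block)
        digest.update(block)
    return digest.hexdigest(), unreadable


def verify_image(image_bytes, expected_sha256, block_size=BLOCK_SIZE):
    """Independently re-hash the finished image and compare with the acquisition hash."""
    digest = hashlib.sha256()
    for off in range(0, len(image_bytes), block_size):
        digest.update(image_bytes[off:off + block_size])
    return digest.hexdigest() == expected_sha256


def acquisition_record(source_label, num_blocks, sha256_hex, unreadable, block_size=BLOCK_SIZE):
    """Constructed log entry of the kind kept alongside the chain-of-custody form."""
    return {
        "source": source_label,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "block_size": block_size,
        "blocks": num_blocks,
        "bytes": num_blocks * block_size,
        "sha256": sha256_hex,
        "unreadable_blocks": list(unreadable),
    }


def run_example():
    num_blocks = 16
    raw, read_block = make_source_device(num_blocks, bad_blocks={2})
    image = io.BytesIO()
    sha, unreadable = acquire_image(read_block, num_blocks, image)
    image_bytes = image.getvalue()

    # What a correct image must equal: the source with only the unreadable block zeroed
    expected = bytearray(raw)
    expected[2 * BLOCK_SIZE:3 * BLOCK_SIZE] = bytes(BLOCK_SIZE)

    return {
        "sha256": sha,
        "unreadable": unreadable,
        "verified": verify_image(image_bytes, sha),
        "matches_source_with_zero_fill": image_bytes == bytes(expected),
        "unallocated_data_present": b"deleted-but-still-on-disk" in image_bytes,
        "record": acquisition_record("constructed-device-0", num_blocks, sha, unreadable),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_example(), indent=2))
```

The two hashes are computed on separate passes on purpose: the acquisition hash records what was written, and the verification pass proves the stored image still matches it. The list of zero-filled blocks belongs in the acquisition notes, since the examiner must be able to explain why those offsets differ from the original media.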
Forensic Copy
• A forensic copy is a copy created in blocks where every byte in each block is copied, including unallocated bytes
• Common uses of forensic copies include cases where a system needs to be booted for various reasons
  • Such as utilizing a password to mount a volume, running software natively, or booting an uncommon OS
• The forensic copy can then be used in the system instead of the original evidence
Evidence Collection
Examination
Disk Structures
• Disk structures, as with most technology, are ever-evolving
• A disk is a device used to store and retrieve data readable by a computer system
• There are several subsets of each type of storage device
Physical Disk Structures
• A physical drive, in general terms, is the entire disk device
• This includes the metal housing, platters, read-write heads, motor, and electronics
• Interfaces to the storage platters constantly evolve to allow for faster disk access, broader data transmissions, and more storage space
  • Small computer system interface (SCSI), serial attached SCSI (SAS), integrated drive electronics (IDE), and serial AT attachment (SATA)
Logical Volumes, Sectors, and Advanced Format Drives
• Formerly, logical volumes could only be created on a track boundary
  • The maximum number of tracks on a cylinder is 63
• Advanced Format drives include 4 KB (4096-byte) sectors
Logical Disk Structures
• Logical structures on a physical disk are required for the OS to access the storage space on the physical device
• Logical structures include partition tables such as an MBR (master boot record) or a GPT (GUID partition table), or an actual partition
• A partition can include an entire logical volume or a portion of a volume
• A volume in turn typically contains a file system
• On a single-user, single-drive system, when a user attaches a new hard drive that contains no data, the user must follow these steps to access the drive as storage media
  • Create a partition table – either MBR or GPT – with a tool such as FDISK
  • Format the partition into a logical volume that contains a file system
  • Assign the partition a drive letter or mount point
MBR
• IBM implemented MBR partitioning in 1983
• The partitioning scheme is still the most common in use at the time of this writing
• Modern OSs can read this style of partitioning, and many create an MBR partitioning scheme on a drive during installation
• The MBR itself consists of one sector – absolute sector zero
• This first sector includes the boot code, disk signature, and primary partition definitions, and ends with a signature
• Additional sectors in the boot record are not typically accessible by the user without tools
• Earlier installations required the first partition to be created on a track boundary
• Newer implementations remove this requirement, and the first volume can be anywhere
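A parser for absolute sector zero, as an added example that is not code from the slides: it reads the disk signature at offset 440, the four 16-byte primary partition entries at offset 446 and the closing 0x55AA signature at offset 510, and converts each entry's LBA values into byte offsets for a given sector size, which is where a 4096-byte Advanced Format drive differs from a 512-byte one when you seek into an image. The sample MBR and its values (disk signature 0xDEADBEEF, one NTFS and one Linux partition) are constructed for the example; the partition type IDs in the lookup table are the real, commonly documented ones.

```python
"""Parse the MBR in absolute sector zero: boot code, disk signature, four
primary partition entries, and the closing 0x55 0xAA signature.

Added example for this module; not code from the slides. The sample MBR is
built in memory with constructed values; the offsets follow the classic MBR layout.
"""
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"             # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = 0xAA55             # stored on disk as bytes 0x55 0xAA at offset 510
CHS_BEYOND_RANGE = b"\xfe\xff\xff"  # CHS tuple used when the location only fits in the LBA fields

# A few well-known partition type IDs; anything else is reported as unknown
PARTITION_TYPES = {
    0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def build_mbr(partitions, disk_signature):
    """Construct a 512-byte MBR from (bootable, type_id, lba_start, sector_count) tuples."""
    if len(partitions) > 4:
        raise ValueError("an MBR holds at most four primary partition entries")
    sector = bytearray(SECTOR)  # offsets 0..439 hold boot code; left as zeros here
    struct.pack_into("<I", sector, 440, disk_signature)
    for i, (bootable, type_id, lba_start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * i,
                         0x80 if bootable else 0x00, CHS_BEYOND_RANGE,
                         type_id, CHS_BEYOND_RANGE, lba_start, count)
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


def parse_mbr(sector, sector_size=SECTOR):
    """Decode sector zero. sector_size converts LBA values to byte offsets in an
    image (512 for classic drives, 4096 for Advanced Format drives)."""
    if len(sector) < SECTOR:
        raise ValueError("need at least 512 bytes")
    (signature,) = struct.unpack_from("<H", sector, 510)
    if signature != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not an MBR, or sector zero is damaged")
    (disk_signature,) = struct.unpack_from("<I", sector, 440)

    partitions = []
    for i in range(4):
        status, _chs_start, type_id, _chs_end, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, 446 + 16 * i)
        if type_id == 0x00:
            continue  # empty entry
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type_id": type_id,
            "type": PARTITION_TYPES.get(type_id, "unknown"),
            "start_lba": lba_start,
            "end_lba": lba_start + count - 1,
            "sectors": count,
            "start_byte": lba_start * sector_size,  # where to seek in the image
            "size_bytes": count * sector_size,
        })
    return {
        "disk_signature": f"{disk_signature:08x}",
        "boot_code_nonzero": any(sector[:440]),
        "protective_gpt": any(p["type_id"] == 0xEE for p in partitions),
        "partitions": partitions,
    }


# Constructed sample: a bootable NTFS partition starting at LBA 2048, then a Linux partition
SAMPLE_PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x83, 206848, 102400)]
SAMPLE_DISK_SIGNATURE = 0xDEADBEEF


def run_example():
    sector = build_mbr(SAMPLE_PARTITIONS, SAMPLE_DISK_SIGNATURE)
    return parse_mbr(sector)


if __name__ == "__main__":
    import json
    print(json.dumps(run_example(), indent=2))
```

A single entry of type 0xEE covering the disk is the protective MBR that a GPT disk carries so that MBR-only tools see one occupied partition rather than free space; the parser flags it so the examiner knows to read the GPT at LBA 1 instead of trusting this table.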
GUID Partition Table (GPT)
• To address limitations of the MBR partitioning format, GPT schemes were created
• Some advantages of this partition scheme include using GUIDs (globally unique identifiers) to reference each partition
• Not limiting the number of partitions to a defined set of four
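A GPT header and partition-entry parser, as an added example that is not code from the slides: it checks the "EFI PART" signature and both CRC32 fields before trusting the partition list, decodes the mixed-endian GUIDs that identify the disk and each partition, and walks an entry array of 128 slots rather than MBR's four. The disk GUID, the unique partition GUIDs and the partition names are constructed; the two partition type GUIDs are the real, well-known EFI System and Linux filesystem values.

```python
"""Parse a GUID Partition Table: the header at LBA 1 and the partition entry
array that follows it, validating both CRC32 fields.

Added example for this module; not code from the slides. The disk GUID, the
partition GUIDs and the names below are constructed; the type GUIDs are the
real, well-known values.
"""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
HEADER_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte header
ENTRY_FMT = "<16s16sQQQ72s"        # 128-byte partition entry
HEADER_SIZE = struct.calcsize(HEADER_FMT)
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)
HEADER_CRC_OFFSET = 16
NIL_GUID = "00000000-0000-0000-0000-000000000000"

TYPE_GUIDS = {  # well-known partition type GUIDs
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "0fc63daf-8483-4772-8e79-3d69d8477de4": "Linux filesystem",
    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Microsoft basic data",
}


def build_gpt(disk_guid, partitions, disk_sectors, num_entries=128, entries_lba=2):
    """Construct (header_bytes, entries_bytes) for a primary GPT at LBA 1.
    partitions: (type_guid, unique_guid, first_lba, last_lba, name) tuples."""
    entries = bytearray(num_entries * ENTRY_SIZE)
    for i, (type_guid, unique_guid, first, last, name) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, entries, i * ENTRY_SIZE,
                         uuid.UUID(type_guid).bytes_le, uuid.UUID(unique_guid).bytes_le,
                         first, last, 0, name.encode("utf-16-le"))
    entries = bytes(entries)
    entries_sectors = -(-len(entries) // SECTOR)   # ceiling division
    backup_lba = disk_sectors - 1                   # backup header lives in the last sector
    first_usable = entries_lba + entries_sectors
    last_usable = backup_lba - entries_sectors - 1  # backup entry array precedes the backup header
    header = bytearray(struct.pack(
        HEADER_FMT, GPT_SIGNATURE, 0x00010000, HEADER_SIZE, 0, 0,
        1, backup_lba, first_usable, last_usable, uuid.UUID(disk_guid).bytes_le,
        entries_lba, num_entries, ENTRY_SIZE, zlib.crc32(entries)))
    # The header CRC is computed with its own CRC field zeroed (it is zero at this point)
    struct.pack_into("<I", header, HEADER_CRC_OFFSET, zlib.crc32(bytes(header)))
    return bytes(header), entries


def parse_gpt(header_bytes, entries_bytes):
    """Decode and validate the header and entry array; raises ValueError on damage."""
    (signature, _revision, header_size, header_crc, _reserved, _my_lba, backup_lba,
     first_usable, last_usable, disk_guid_le, _entries_lba, num_entries, entry_size,
     entries_crc) = struct.unpack_from(HEADER_FMT, header_bytes, 0)
    if signature != GPT_SIGNATURE:
        raise ValueError("signature mismatch: not a GPT header")
    if header_size < HEADER_SIZE or len(header_bytes) < header_size:
        raise ValueError("implausible header size")
    check = bytearray(header_bytes[:header_size])
    struct.pack_into("<I", check, HEADER_CRC_OFFSET, 0)
    if zlib.crc32(bytes(check)) != header_crc:
        raise ValueError("GPT header CRC32 mismatch")
    table = entries_bytes[:num_entries * entry_size]
    if len(table) != num_entries * entry_size or zlib.crc32(table) != entries_crc:
        raise ValueError("partition entry array CRC32 mismatch")

    partitions = []
    for i in range(num_entries):
        type_le, unique_le, first, last, _attrs, name = struct.unpack_from(
            ENTRY_FMT, table, i * entry_size)
        type_guid = str(uuid.UUID(bytes_le=type_le))  # GUIDs are stored mixed-endian
        if type_guid == NIL_GUID:
            continue  # unused slot
        partitions.append({
            "index": i, "type_guid": type_guid,
            "type": TYPE_GUIDS.get(type_guid, "unknown"),
            "unique_guid": str(uuid.UUID(bytes_le=unique_le)),
            "first_lba": first, "last_lba": last,
            "name": name.decode("utf-16-le").rstrip("\x00"),
        })
    return {"disk_guid": str(uuid.UUID(bytes_le=disk_guid_le)),
            "backup_header_lba": backup_lba, "first_usable_lba": first_usable,
            "last_usable_lba": last_usable, "partitions": partitions}


# Constructed sample disk: 1,000,000 sectors, an EFI System partition and a Linux root partition
SAMPLE_DISK_GUID = "12345678-1234-5678-1234-56789abcdef0"
SAMPLE_PARTITIONS = [
    ("c12a7328-f81f-11d2-ba4b-00a0c93ec93b", "11111111-1111-4111-8111-111111111111", 2048, 206847, "EFI System"),
    ("0fc63daf-8483-4772-8e79-3d69d8477de4", "22222222-2222-4222-8222-222222222222", 206848, 999423, "rootfs"),
]


def run_example():
    header, entries = build_gpt(SAMPLE_DISK_GUID, SAMPLE_PARTITIONS, disk_sectors=1_000_000)
    result = parse_gpt(header, entries)
    # Flip one byte in the entry array: the entries CRC in the header must catch it
    damaged = bytearray(entries)
    damaged[40] ^= 0x01
    try:
        parse_gpt(header, bytes(damaged))
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    return result
```

Because the header records where the backup header and backup entry array live, an examiner whose primary GPT fails the CRC check knows exactly which sectors at the end of the disk to try next rather than guessing.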
Evidence Collection
Examination
File Systems
• File systems are formatted onto a volume
  • Either a single-partition or a multiple-partition volume
• The file system provides a means by which the OS can access the actual files stored on disk
• A file system can be thought of as a database
  • Data is stored and metadata is used to track the data
• Modern file systems are largely independent of the OS
  • Linux can read and write to the Microsoft NTFS
  • Windows can read and write to Linux EXT (Extended File System)
Metadata
• Metadata is data about data
• Metadata can be used to track timestamps, the location of data, the exposure setting on a digital image, or any number of arbitrary items that allow a user or the system to locate, sort, or collate data
• Metadata in a file system includes items like a file’s location (or address) and the size of the data so the system can retrieve it from the hardware
• Metadata also includes items like a file name and the location of a file in hierarchical directory structures, or paths, so the user can find the file
