Data Acquisition
Chapter 7
Never Work on the Original
  - Make forensically sound copies
  - Keep a master copy and make several working copies
  - Calculate a hash value of each copy and make sure they match
  - Each copy must have a unique identifier
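The copy-and-verify routine described on this slide, as an added example that is not part of the original slides: a master image is copied bit-for-bit with dd, the copy's hash is checked against the master, and each copy is logged under a unique identifier. It assumes a POSIX shell with dd and sha256sum (or shasum); the case identifiers and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: make verified working copies of a
# master image and keep a chain-of-custody log. Assumes POSIX sh, dd and
# sha256sum (or shasum); the case identifiers and file names are constructed.
set -eu

# Print the SHA-256 hex digest of a file.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if master and copy hash identically.
verify_copy() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Append one log line: identifier, path, hash, UTC timestamp, status.
log_entry() {
    printf '%s\t%s\t%s\t%s\t%s\n' "$1" "$2" "$(hash_file "$2")" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$3" >> "$4"
}

# Copy master -> working copy bit-for-bit with dd, verify the hash and log
# it under its identifier. No conv=sync here: on a file it would zero-pad
# the last block and change the hash. Returns non-zero on mismatch.
make_working_copy() {
    master=$1 copy=$2 ident=$3 log=$4
    dd if="$master" of="$copy" bs=1048576 2>/dev/null
    if verify_copy "$master" "$copy"; then
        log_entry "$ident" "$copy" OK "$log"
    else
        log_entry "$ident" "$copy" MISMATCH "$log"
        return 1
    fi
}

# Demo on a constructed 1 MiB "master" image in a temporary directory.
demo() {
    work=$(mktemp -d)
    head -c 1048576 /dev/urandom > "$work/master.dd"
    log_entry CASE-0001-MASTER "$work/master.dd" MASTER "$work/custody.log"
    make_working_copy "$work/master.dd" "$work/work01.dd" CASE-0001-W01 "$work/custody.log"
    make_working_copy "$work/master.dd" "$work/work02.dd" CASE-0001-W02 "$work/custody.log"
    cat "$work/custody.log"
}
demo
```

Each log line ties an identifier to a path, hash and time, so a later re-hash of any working copy can be checked against the record without touching the master.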
Order of Volatility (most volatile first)
  - RAM
  - Temporary files
  - Local disks
  - External storage media
  - Network attached storage (NAS or SAN)
  - Archival backups
Memory and Running Processes
  - Memory can hold passwords
  - Can be difficult to extract, but in a pinch may be all you have
  - Running processes can identify malware running on the system
  - Routing tables can be extracted from memory
  - Network connections reside in RAM
Capturing Memory
  - Memory is a device
  - Memory can be dumped into a file
  - The amount of memory captured may differ from the amount of installed RAM
  - Some utilities capture device cache memory
  - Some utilities don't capture installed RAM that is reserved as a device cache
Memory Capture Utilities
  - Most commercial forensic suites offer memory capture capability
  - dd utility (both Windows and Linux)
  - DumpIt
  - Memoryze
Memory Capture Tips
  - Keep your memory footprint to a minimum
  - Run from a flash drive if possible
  - Copy the memory image to an external device
    - Make sure the device receiving the image can handle large files
      - Computers today have large amounts of RAM
      - Many USB drives are still formatted as FAT32 (4 GB maximum file size)
Memory Capture Procedures
  - Start the documentation process
  - Run a batch file that collects user information, network connections, time/date, and open files
  - Collect a memory dump
  - Copy the paging file
  - Copy any hibernation files
Media Capture
  - Document everything
  - Use a forensic write-blocker when copying any data
  - Do NOT use standard copy utilities to make copies
  - Store all images on forensically sound media
Disk Image File Formats
  - dd images (bit-for-bit)
  - Expert Witness Format (EWF)
  - Advanced Forensic Format (AFF)
  - SafeBack (by NTI)
  - ILook Imager
  - ProDiscover file format