Paper (KW3CompForen)

profileSashraf
Chapter3CompForen.pdf

Data acquisition After reading this chapter and completing the exercises, you will be able to:

List digital evidence storage formats

Explain ways to determine the best acquisition method

Describe contingency planning for data acquisitions

Explain how to use acquisition tools

Describe how to validate data acquisitions

Describe RAID acquisition methods

Explain how to use remote network acquisition tools

List other forensics tools available for data acquisitions

Data acquisition is the process of copying data. For digital forensics, it’s the task of collecting digital evidence from electronic media. There are two types of data acquisition: static acquisitions and live acquisitions. In this chapter, you learn how to perform static acquisitions from magnetic disk media and flash drives. In Chapter 12, you learn how to forensically acquire digital evidence from solid-state devices, typically found in smartphones and tablets.

Because of the use of whole disk encryption, data acquisitions are shifting toward live acquisitions with newer operating systems (OSs). In addition to encryption concerns, collecting any data that’s active in a suspect’s computer RAM is becoming more important to digital investigations. Techniques for acquiring live disk and RAM data are covered in Chapter 10. The processes and data integrity requirements

93

c H a P t E R 3

68944_ch03_hr_093-142.indd 93 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition94

for static and live acquisitions are similar, in that static acquisitions capture data that’s not accessed by other processes that can change. With live acquisitions, file metadata, such as date and time values, changes when read by an acquisition tool. With static acquisitions, if you have preserved the original media, making a second static acquisition should produce the same results. The data on the original disk isn’t altered, no matter how many times an acquisition is done. Making a second live acquisition while a computer is running collects new data because of dynamic changes in the OS.

Your goal when acquiring data for a static acquisition is to preserve the digital evidence. Many times, you have only one chance to create a reliable copy of disk evidence with a data acquisition tool. Although these tools are generally dependable, you should still take steps to make sure you acquire an image that can be verified. In addition, failures can and do occur, so you should learn how to use several acquisition tools and methods; you work with a few different tools in this chapter. Other data acquisition tools that work in Windows, MS-DOS 6.22, and Linux are described briefly in the last section, but the list of vendors and methods is by no means conclusive. You should always search for newer and better tools to ensure the integrity of your forensics acquisitions.

Note

For additional information on older acquisition methods and tools, see Appendix D. You can perform most digital evidence acquisitions for your investigations with a combination of the tools discussed in this chapter.

Understanding Storage Formats for Digital Evidence The data a forensics acquisition tool collects is stored as an image file, typically in an open-source or proprietary format. Each vendor has unique features, so several different proprietary formats are available. Depending on the proprietary format, many forensics analysis tools can read other vendors’ formatted acquisitions. Many acquisition tools create a disk-to-image file in an older open-source format, known as raw, as well as their own proprietary formats. The new open-source format, Advanced Forensic Format (AFF), is gaining recognition from some forensics examiners.

Each data acquisition format has unique features along with advantages and disadvantages. The following sections summarize each format to help you choose which one to use.

68944_ch03_hr_093-142.indd 94 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 95

Raw Format In the past, there was only one practical way of copying data for the purpose of evidence preservation and examination. Examiners performed a bit-by-bit copy from one disk to another disk the same size or larger. As a practical way to preserve digital evidence, vendors (and some OS utilities, such as the Linux/UNIX dd command) made it possible to write bit-stream data to files. This copy technique creates simple sequential flat files of a suspect drive or data set. The output of these flat files is referred to as a raw format. This format has unique advantages and disadvantages to consider when selecting an acquisition format.

The advantages of the raw format are fast data transfers and the capability to ignore minor data read errors on the source drive. In addition, most forensics tools can read the raw format, making it a universal acquisition format for most tools. One disadvantage of the raw format is that it requires as much storage space as the original disk or data set. Another disadvantage is that some raw format tools, typically freeware versions, might not collect marginal (bad) sectors on the source drive, meaning they have a low threshold of retry reads on weak media spots on a drive. Many commercial tools have a much higher threshold of retry reads to ensure that all data is collected.

Several commercial acquisition tools can produce raw format acquisitions and typically perform a validation check by using Cyclic Redundancy Check (CRC32), Message Digest 5 (MD5), and Secure Hash Algorithm (SHA-1 or later) hashing functions. These validation checks, however, usually create a separate file containing the hash value.

Proprietary Formats Most commercial forensics tools have their own formats for collecting digital evidence. Proprietary formats typically offer several features that complement the vendor’s analysis tool, such as the following:

• The option to compress or not compress image files of a suspect drive, thus saving space on the target drive

• The capability to split an image into smaller segmented files for archiving purposes, such as to CDs or DVDs, with data integrity checks integrated into each segment

• The capability to integrate metadata into the image file, such as date and time of the acquisition, hash value (for self-authentication) of the original disk or medium, investigator or examiner name, and comments or case details

Note

For additional information on digital evidence handling and documenting, see ISO/IEC 27037: 2012, www.iso.org/iso/catalogue_detail?csnumber=44381. Downloading ISO documents requires paying a fee, so you might check with a college or public library about getting a copy.

68944_ch03_hr_093-142.indd 95 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition96

One major disadvantage of proprietary format acquisitions is the inability to share an image between different vendors’ computer forensics analysis tools. For example, the ILookIX imaging tool IXImager (www.perlustro.com/solutions/e-forensics/iximager) produces three proprietary formats—IDIF, IRBF, and IEIF—that can be read only by ILookIX (see www.perlustro.com for additional information on ILookIX).

Another problem with proprietary and raw formats is a file size limitation for each segmented volume. Typically, proprietary format tools produce a segmented file of 650 MB. The file size can be adjusted up or down, with a maximum file size per segment of no more than 2 GB. Most proprietary format tools go up to only 2 GB because many examiners use target drives formatted as FAT, which has a file size limit of 2 GB.

Of all the proprietary formats for image acquisitions, the Expert Witness Compression format is currently the unofficial standard. This format, the default for Guidance Software EnCase, produces both compressed and uncompressed image files. These files (or volumes) write an extension starting with .e01 and increment it for each additional segmented image volume.

Several forensics analysis tools can generate generic versions of the Expert Witness Compression format and analyze it, including X-Ways Forensics, AccessData Forensic Toolkit (FTK), Belkasoft, and SMART. For more information on the Expert Witness Compression format, see http://asrdata.com/E01-format.html.

Advanced Forensic Format Dr. Simson L. Garfinkel developed an open-source acquisition format called Advanced Forensic Format (AFF). This format has the following design goals:

• Capable of producing compressed or uncompressed image files • No size restriction for disk-to-image files • Space in the image file or segmented files for metadata • Simple design with extensibility • Open source for multiple computing platforms and OSs • Internal consistency checks for self-authentication

File extensions include .afd for segmented image files and .afm for AFF metadata. Because AFF is open source, digital forensics vendors have no implementation restrictions on this format. For more information on AFF, see www.afflib.sourceforge.net and www.basistech.com/wp-content/uploads/datasheets/Digital-Forensics-Toolsets-EN.pdf.

Note

Forensics examiners have several ways of referring to copying evidence data to files: bit-stream copy, bit-stream image, image, mirror, and sector copy, to name a few. For the purposes of this book, “image” is generally used to refer to all forensics acquisitions saved to a data file.

68944_ch03_hr_093-142.indd 96 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 97

Determining the Best Acquisition Method As mentioned, there are two types of acquisitions: static acquisitions and live acquisitions. Typically, a static acquisition is done on a computer seized during a police raid, for example. If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is available—meaning the computer is powered on and has been logged on to by the suspect. Static acquisitions are always the preferred way to collect digital evidence. However, they do have limitations in some situations, such as an encrypted drive that’s readable only when the computer is powered on or a computer that’s accessible only over a network. Some solutions can help decrypt a drive that has been encrypted with whole disk encryption, such as Elcomsoft Forensic Disk Decryptor (www.elcomsoft.com/efdd.html).

Note

In Chapter 11, you learn how to perform live acquisitions, including data collection of digital media and dynamic/volatile memory (RAM) on a computing system.

For both types of acquisitions, data can be collected with four methods: creating a disk-to-image file, creating a disk-to-disk copy, creating a logical disk-to-disk or disk-to-data file, or creating a sparse copy of a folder or file. Determining the best acquisition method depends on the circumstances of the investigation.

Note

See ISO/IEC 27037: 2012 (section 5.4.4 Acquisition and section 6.5 Use reasonable care) for additional discussions on when to perform sparse acquisitions.

Creating a disk-to-image file is the most common method and offers the most flexibility for your investigation. With this method, you can make one or many copies of a suspect drive. These copies are bit-for-bit replications of the original drive. In addition, you can use many commercial forensics tools to read the most common

Tip

For more information on forensics acquisition file formats, see www.sleuthkit.org/informer, issues #19 and #23.

68944_ch03_hr_093-142.indd 97 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition98

types of disk-to-image files you create. These programs read the disk-to-image file as though it were the original disk. Older MS-DOS tools can only read data from a drive. To use MS-DOS tools, you have to duplicate the original drive to perform the analysis. GUI programs save time and disk resources because they can read and interpret directly from the disk-to-image file of a copied drive.

Sometimes you can’t make a disk-to-image file because of hardware or software errors or incompatibilities. This problem is more common when you have to acquire older drives. For these drives, you might have to create a disk-to-disk copy of the suspect drive. Several imaging tools can copy data exactly from an older disk to a newer disk. These programs can adjust the target disk’s geometry (its cylinder, head, and track configuration) so that the copied data matches the original suspect drive. These imaging tools include EnCase and X-Ways Forensics. See the vendors’ manuals for instructions on using these tools for disk-to-disk copying.

Tip

For more information on current and older drives, see www.t13.org.

Collecting evidence from a large drive can take several hours. If your time is limited, consider using a logical acquisition or sparse acquisition data copy method. A logical acquisition captures only specific files of interest to the case or specific types of files. A sparse acquisition is similar but also collects fragments of unallocated (deleted) data; use this method only when you don’t need to examine the entire drive. An example of a logical acquisition is an e-mail investigation that requires collecting only Outlook .pst or .ost files. Another example is collecting only specific records from a large RAID server. If you have to recover data from a RAID or storage area network (SAN) server with several exabytes (EB) or more of data storage, the logical method might be the only way you can acquire the evidence. In e-discovery for the purpose of litigation, a logical acquisition is becoming the preferred method, especially with large data storage systems.

To determine which acquisition method to use for an investigation, consider the size of the source (suspect) disk, whether you can retain the source disk as evidence or must return it to the owner, how much time you have to perform the acquisition, and where the evidence is located.

If the source disk is very large, such as 4 terabytes (TB) or more, make sure you have a target disk that can store a disk-to-image file of the large disk. If you don’t have a target disk of comparable size, review alternatives for reducing the size of data to create a verifiable copy of the suspect drive. Older Microsoft disk compression tools, such as DoubleSpace or DriveSpace, eliminate only slack disk space between files. Other compression methods use an algorithm to reduce file size. Popular archiving

68944_ch03_hr_093-142.indd 98 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 99

tools, such as PKZip, WinZip, and WinRAR, use an algorithm referred to as “lossless compression.” Compression algorithms for graphics files use what’s called “lossy compression,” which can change data. For example, lossy compression is used with .jpeg files to reduce file size and doesn’t affect image quality when the file is restored and viewed. Because lossy compression alters original data, however, it isn’t used for forensics acquisitions. Both compression methods are discussed in more detail in Chapter 8.

Most imaging tools have an option to use lossless compression to save disk space, which means the target drive doesn’t have to be as large as the suspect drive. For example, if you’re examining a 3 TB SATA drive, you might be able to use lossless compression to create the disk-to-image file on a 2 TB target drive. Image files can be reduced by as much as 50% of the original. If the suspect drive already contains several zip files, however, the imaging tool can’t compress them any further. This is because zip files have already been compressed, so any additional compression results in very little size reduction. For additional information on lossless compression, see www.data- compression.com/lossless.shtml or www.cise.ufl.edu/~sahni/papers/encycloimage.pdf.

An easy way to test lossless compression is to perform an MD5 or SHA-1 hash on a file before and after it’s compressed. If the compression is done correctly, both versions have the same hash value. If the hashes don’t match, that means something corrupted the compressed file, such as a hardware or software error. As an added precaution, perform two separate hashes with different algorithms, such as MD5 and SHA-1. This step isn’t mandatory; however, it’s a good way to establish that nothing has changed during data processing.

If you can’t retain the original evidence drive and must return it to the owner, as in a discovery demand for a civil litigation case, check with the requester (your lawyer or supervisor, for example), and ask whether a logical acquisition is acceptable. If not, you have to refer the matter back to the requester. When performing an acquisition under these conditions, make sure you have a good copy because most discovery demands give you only one chance to capture data. In addition, make sure you have a reliable forensics tool that you know how to use.

Contingency Planning for Image Acquisitions Because you’re working with digital evidence, you must take precautions to protect it from loss. You should also make contingency plans in case software or hardware doesn’t work or you encounter a failure during an acquisition. The most common and time-consuming technique for preserving evidence is creating a duplicate of your disk-to-image file. Many digital investigators don’t make duplicates of their evidence because they don’t have enough time or resources to make a second image. However, if the first copy doesn’t work correctly, having a duplicate is worth the effort and resources. Be sure you take steps to minimize the risk of failure in your investigation.

68944_ch03_hr_093-142.indd 99 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition100

As a standard practice, make at least two images of the digital evidence you collect. If you have more than one imaging tool, such as FTK Imager Lite and X-Ways Forensics, make the first copy with one tool and the second copy with the other tool. Different acquisition tools use different methods to copy data, and one tool might, for example, make more attempts to copy corrupted areas of a drive. So using more than one tool can be helpful in making sure data has been copied correctly.

If you have only one tool, however, consider making two images of the drive with the same tool, especially for critical investigations. With many tools, you can make one copy with no compression and compress the other copy. Remember that Murphy’s Law applies to digital forensics, too: If anything can go wrong, it will.

Some acquisition tools don’t copy data in the host protected area (HPA) of a disk drive. Check the vendor’s documentation to see whether its tool can copy a drive’s HPA. If not, consider using a hardware acquisition tool that can access the drive at the BIOS level, such as Belkasoft or ILookIX IXImager, with a write-blocker, Image MASSter Solo, or X-Ways Replica. These tools can read a disk’s HPA.

Microsoft has added whole disk encryption with BitLocker to its newer operating systems, such as Windows Vista, 7, 8, and 10, which makes performing static acquisitions more difficult. (Several other third-party whole disk encryption tools are available, and you should be familiar with as many as possible.) As part of contingency planning, you must be prepared to deal with encrypted drives. A static acquisition on most whole disk—encrypted drives currently involves decrypting the drives, which requires the user’s cooperation in providing the decryption key. Most whole disk encryption tools at least have a manual process for decrypting data, which is converting the encrypted disk to an unencrypted disk. This process can take several hours, depending on the disk size. One good thing about encryption is that data isn’t altered, in that free and slack space aren’t changed. The biggest concern with whole disk encryption is getting the decryption key—that is, the password or code used to access encrypted data. If you can recover the whole disk key with tools such as Elcomsoft Forensic Disk Decryptor, mentioned previously, you need to learn how to use it to decrypt the drive. In criminal investigations, this might be impossible because if a disk contains evidence supporting the crime, a suspect has a strong motivation not to supply the decryption key.

Note

Researchers at Princeton University have produced a technique to recover passwords and passphrases from RAM; for more information, see www.usenix.org/legacy/event/sec08/tech/ full_papers/halderman/halderman.pdf or https://jhalderm.com/pub/papers/coldboot-cacm09.pdf.

68944_ch03_hr_093-142.indd 100 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 101

Using Acquisition Tools Many forensics software vendors have developed acquisition tools that run in Windows. These tools make acquiring evidence from a suspect drive more convenient, especially when you use them with hot-swappable devices, such as USB-3, FireWire 1394A and 1394B, or SATA, to connect disks to your workstation.

Using acquisition tools with current OSs, such as Windows and Linux, has some drawbacks, however. Because Windows and Linux can easily contaminate an evidence drive when it’s mounted, you must protect it with a well-tested write-blocking hardware device. The automatic mounting process updates boot files by changing metadata, such as the most recent access time. (Chapter 6 discusses write-blocking devices in more detail.) In addition, some countries haven’t yet accepted the use of write-blocking devices for data acquisitions. Check with your legal counsel for evidence standards in your community or country.

Note

Although many digital forensics vendors have improved their acquisition tools, some older Windows and Linux tools (such as the dd or dcfldd commands) can’t acquire data from a disk’s HPA.

Mini-WinFE Boot CDs and USB Drives Accessing a disk drive directly might not be practical for a forensics acquisition. For example, a laptop’s design could make removing the disk drive to mount it on a write-blocker difficult, or you might not have the right connector for a drive. In these situations, a forensic boot CD/DVD or USB drive gives you a way to acquire data from a suspect computer and write-protect the disk drive. These forensic boot discs or drives can be Windows or Linux.

One forensically sound Windows boot utility is Mini-WinFE. It enables you to build a Windows forensic boot CD/DVD or USB drive with a modification in its Windows Registry file so that connected drives are mounted as read-only. Before booting a suspect’s computer with Mini-WinFE, you need to connect your target drive, such as a USB drive. After Mini-WinFE is booted, you can list all connected drives and alter your target USB drive to read-write mode so that you can run an acquisition program.

To create your own Mini-WinFE boot CD or USB drive, review the documentation and download the software from the following Web sites:

• For an overview of WinFE, see http://brettshavers.cc/index.php/brettsblog/tags/ tag/winfe. For the latest information and instructions, review the Downloads and Using WinFE menus.

68944_ch03_hr_093-142.indd 101 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition102

• For download instructions on Mini-WinFE, see http://brettshavers.cc/index.php/ brettsblog/entry/mini-winfe-and-xwf.

• Another download site for Mini-WinFE is http://reboot.pro/files/file/375-mini-winfe. • For complete instructions on Mini-WinFE, see www.forensicfocus.com/

downloads/WinFE.pdf.

In addition, you need a Windows installation DVD (version 8 or later) and FTK Imager Lite or X-Ways Forensics installed on your workstation. Follow the instructions in the preceding Web sites to create the Mini-WinFE ISO file and then burn it to CD or transfer it to a USB drive. If you want to use a USB drive, you need a tool to transfer an ISO image to a USB drive. A freeware tool called ISO to USB is available at www.isotousb.com.

Acquiring Data with a Linux Boot CD The Linux OS has many features that are applicable to digital forensics, especially data acquisitions. One unique feature of older Linux versions is that it can access a drive that isn’t mounted. Physical access for the purpose of reading data can be done on a connected media device, such as a disk drive, a USB drive, or other storage devices. In Windows OSs and newer Linux kernels, when you connect a drive via USB, FireWire, external SATA, or even internal PATA or SATA controllers, both OSs automatically mount and access the drive. On Windows drives, an acquisition workstation can access and alter data in the Recycle Bin; on Linux drives, the workstation most likely alters metadata, such as mount point configurations for an Ext3 or later drive. If you need to acquire a USB drive that doesn’t have a write-lock switch, use one of the forensic Linux Live CDs (discussed in the next section) to access the device.

Caution

Use caution when working with newer Linux distributions with KDE or Gnome GUIs. Many newer distributions mount most media devices automatically. If you’re using a nonforensic Linux distribution, you should test it before using it on actual evidence to see how it handles attached storage devices. If in doubt, always use a physical write-blocker for an acquisition from Linux.

Using Linux Live CD Distributions Several Linux distributions, such as Ubuntu, openSUSE, Arch Linux, Fedora, and Slackware, provide ISO images that can be burned to a CD or DVD. They’re called “Linux Live CDs.” Most of these Linux distributions are for Linux OS recovery, not for digital forensics acquisition and analysis. For a list of the most current Linux Live CDs, see https://livecdlist.com/.

68944_ch03_hr_093-142.indd 102 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 103

A few Linux ISO images are designed specifically for digital forensics, however. These images contain additional utilities that aren’t typically installed in normal Linux distributions. They’re also configured not to mount, or to mount as read-only, any connected storage media, such as USB drives. This feature protects the media’s integrity for the purpose of acquiring and analyzing data. To access media, you have to give specific instructions to the Live CD boot session through a GUI utility or a shell command prompt. Mounting drives from a shell gives you more control over them. See the man page for the mount command (by typing man mount at the shell prompt) to learn what options are available for your Linux distribution.

Tip

The man command displays pages from the online help manual for information on Linux commands and their options.

Linux can read data from a physical device without having to mount it. As a usual practice, don’t mount a suspect media device as a precaution against any writes to it. Later in this section, you learn how to make a forensics acquisition in Linux without mounting the device.

The following are some well-designed Linux Live CDs for digital forensics:

• Penguin Sleuth Kit (www.linux-forensics.com or https://sourceforge.net/projects/ psk/?source=directory)

• CAINE (www.caine-live.net) • Deft (www.deftlinux.net) • Kali Linux (www.kali.org), previously known as BackTrack (www.backtrack-linux

.org/wiki/index.php/Forensics_Boot) • Knoppix (www.knopper.net/knoppix/index-en.html) • SANS Investigate Forensic Toolkit (SIFT; http://computer-forensics.sans.org/

community/downloads)

You can download these ISO images to any computer, including a Windows system, and then burn them to CD/DVD with burner software, such as Roxio or Nero. Creating a bootable image from an ISO file is different from copying data or music files to a CD or DVD. If you aren’t familiar with how to do it, see the Help menu in your burner software for instructions on creating a bootable CD or DVD. For example, Roxio Creator Classic and Nero Express have a Bootable CD or DVD option. An alternative is using a USB drive instead of a CD or DVD. For this option, you need a tool such as ISO to USB, mentioned previously (or another tool for transferring an ISO image to a USB drive).

68944_ch03_hr_093-142.indd 103 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition104

After creating a Linux Live CD, test it on your workstation. Remember to check your workstation’s BIOS to see whether it boots first from the CD or DVD on the system. To test the Live CD, simply place it in the CD or DVD drive and reboot your system. If successful, Linux loads into your computer’s memory, and a common GUI for Linux is displayed. If you have problems with the video display on your workstation, try another computer with a different video card. No one Live CD distribution has all video drivers. Linux Live CDs load the OS into a computer’s RAM, so performance can be affected when you’re using GUI tools. The following sections explain how to use Linux to make forensically sound data acquisitions.

Preparing a Target Drive for Acquisition in Linux The Linux OS has many tools you can use to modify non-Linux file systems. Current Linux distributions can create Microsoft FAT and NTFS partition tables. Linux kernel version 2.6.17.7 and earlier can format and read only the FAT file system, although an NTFS driver, NTFS-3G, is available that allows Linux to mount and write data only to NTFS partitions. You can download this driver from http://sourceforge.net/projects/ntfs- 3g, where you can also find information about NTFS and instructions for installing the driver. For information on macOS file systems and acquisitions, see Chapter 7.

In this section, you learn how to partition and format a Microsoft FAT drive from Linux so that you don’t have to switch OSs or computers to prepare a FAT target disk. If you have a previously used target drive, you can use the following procedure to format it as a FAT32 drive. After you make the acquisition, you can then transfer the FAT disk to a Windows system to use a Windows analysis tool.

Note

For an alternative Windows-based USB boot drive, see http://osforensics.com/tools/write-usb- images.html.

Note

When preparing a drive to be used on a Linux system for forensics acquisition or analysis, do it in a separate boot session with no suspect drive attached.

Tip

Linux/UNIX commands are case sensitive, so make sure you type commands exactly as shown in this section’s steps.

68944_ch03_hr_093-142.indd 104 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 105

Assuming you have a functioning Linux computer or one running with a Linux Live CD, perform the following steps from a shell prompt:

Note

Depending on which version and distribution of Linux you use, your screen prompts might be slightly different from those shown in this section.

1. First, boot Linux on your computer.

2. Connect the USB, FireWire, or SATA external drive to the Linux computer and power it on.

3. If a shell window isn’t already open, start one.

4. At the shell prompt, type su and press Enter to log in as the superuser (root). Then type the root password and press Enter.

Note

If you’re using one of the Live CDs listed previously, these distributions are typically already in superuser (root) mode, so there’s no need to use the su command. Other Linux Live CDs might have no password set and simply require pressing Enter.

5. To list the current disk devices connected to the computer, type fdisk -l (lowercase L) and press Enter. You should see output similar to the following:

Note

Linux lists all IDE (also known as PATA) drives as hda, hdb, and so on. All SCSI, SATA, FireWire, and USB-connected drives are listed as sda, sdb, and so forth.

Disk /dev/hda: 40.0 GB, 40007761920 bytes 255 heads, 63 sectors/track, 4864 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Device Boot Start End Blocks Id System /dev/hda1 * 1 13 104391 83 Linux /dev/hda2 14 4864 38965657+ 8e Linux LVM Disk /dev/sda: 6448 MB, 6448619520 bytes 199 heads, 62 sectors/track, 1020 cylinders Units = cylinders of 12338 * 512 = 6317056 bytes Disk /dev/sda doesn't contain a valid partition table

68944_ch03_hr_093-142.indd 105 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition106

6. Type fdisk/dev/sda and press Enter to partition the disk drive as a FAT file system. You should see output similar to the following:

Welcome to fdisk (util-linux 2.21.2). Changes will remain in memory only, until you decide to write them. Be careful before using the write command. Command (m for help): m

7. Display fdisk menu options by typing m and pressing Enter. You should see output similar to the following:

Command action a toggle a bootable flag b edit bsd disklabel c toggle the dos compatibility flag d delete a partition l list known partition types m print this menu n add a new partition o create a new empty DOS partition table p print the partition table q quit without saving changes s create a new empty Sun disk label t change a partition's system id u change display/entry units v verify the partition table w write table to disk and exit x extra functionality (experts only)

Note

In the preceding output, the /dev/sda device has no partition listed. These steps show how to create a Microsoft FAT partition on this disk. If there’s a partition on this drive, it can be deleted with the Linux fdisk utility. For additional information on fdisk, refer to the man page.

68944_ch03_hr_093-142.indd 106 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 107

8. Determine whether there are any partitions on /dev/sda by typing p and pressing Enter. You should see output similar to the following:

Disk /dev/sda: 6448 MB, 6448619520 bytes 199 heads, 62 sectors/track, 1020 cylinders Units = cylinders of 12338 * 512 = 6317056 bytes

Device Boot Start End Blocks Id System /dev/sda1 1 1020 6292349 b W95 FAT32

Note

In this example, the disk has no previously configured partitions. If it did, there would be data under each column heading describing each partition’s configuration.

9. Next, you create a new primary partition on /dev/sda. To use the defaults and select the entire drive, type n and press Enter. To create a primary partition table, type p and press Enter, and then type 1 (the numeral) to select the first partition and press Enter. At the remaining prompts, press Enter. Your output should be similar to the following:

Command action e extended p primary partition (1-4) p Partition number (1-4): 1 First cylinder (1-1020, default 1): Using default value 1 Last cylinder or +size or +sizeM or +sizeK (1-1020, default 1020): Using default value 1020

Note

In Linux, the first logical partition created after the primary and extended partitions is numbered 5; any additional logical partitions are numbered 6, 7, and so on. For example, the C partition is typically /dev/hda1, and the D partition is /dev/hda2.

68944_ch03_hr_093-142.indd 107 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition108

10. List the newly defined partitions by typing p and pressing Enter, which produces the following output:

Disk /dev/sda: 6448 MB, 6448619520 bytes 199 heads, 62 sectors/track, 1020 cylinders Units = cylinders of 12338 * 512 = 6317056 bytes

Device Boot Start End Blocks Id System /dev/sda1 1 1020 6292349 83 Linux

11. To list the menu again so that you can select the change partition ID, type m and press Enter. You should see output similar to the following:

Command action a toggle a bootable flag b edit bsd disk label c toggle the dos compatibility flag d delete a partition l list known partition types m print this menu n add a new partition o create a new empty DOS partition table p print the partition table q quit without saving changes s create a new empty Sun disk label t change a partition's system id u change display/entry units v verify the partition table w write table to disk and exit x extra functionality (experts only)

12. To change the newly created partition to the Windows 95 FAT32 file system, first type t and press Enter, which produces the following output:

Selected partition 1 Hex code (type L to list codes):

13. List available file systems and their code values by typing l (lowercase L) and pressing Enter. You should see output similar to what’s shown in Figure 3-1.

14. Change the newly created partition to the Windows 95 FAT32 file system by typing c and pressing Enter. Your output should look similar to the following:

Changed system type of partition 1 to c (W95 FAT32 (LBA))

68944_ch03_hr_093-142.indd 108 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 109

15. To display partitions of the newly changed drive, type p and press Enter, which produces the following output:

Disk /dev/sda: 6448 MB, 6448619520 bytes 199 heads, 62 sectors/track, 1020 cylinders Units = cylinders of 12338 * 512 = 6317056 bytes

Device Boot Start End Blocks Id System /dev/sda1 1 1020 6292349 c W95 FAT32 (LBA)

Figure 3-1 Listing code values for available file systems Source: Linux Foundation.

68944_ch03_hr_093-142.indd 109 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition110

16. Save (write) the newly created partition to the /dev/sda drive by typing w and pressing Enter. Your output should look similar to the following:

The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: If you have created or modified any DOS 6.x partitions, please see the fdisk manual page for additional information.

Note

If your Linux distribution is missing the mkfs.msdos command, download and install your distribution’s dosfstools package. To find these files, search for mkfs.msdos Fedora or dostools Debian, for example.

Note

Fdisk exits back to the shell prompt after updating the partition table on the /dev/sda drive.

17. Show the known drives connected to your computer by typing fdisk -l and pressing Enter, which produces the following output:

Disk /dev/hda: 40.0 GB, 40007761920 bytes 255 heads, 63 sectors/track, 4864 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System /dev/hda1 * 1 13 104391 83 Linux /dev/hda2 14 4864 38965657+ 8e Linux LVM

Disk /dev/sda: 6448 MB, 6448619520 bytes 199 heads, 62 sectors/track, 1020 cylinders Units = cylinders of 12338 * 512 = 6317056 bytes

Device Boot Start End Blocks Id System /dev/sda1 1 1020 6292349 b W95 FAT32

18. To format a FAT file system from Linux, type mkfs.msdos -vF32 /dev/sda1 and press Enter, which produces the following output:

68944_ch03_hr_093-142.indd 110 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 111

mkfs.msdos 2.8 (28 Feb 2001) Selecting 8 sectors per cluster /dev/sde1 has 33 heads and 61 sectors per track, logical sector size is 512, using 0xf8 media descriptor, with 2047966 sectors; file system has 2 32-bit FATs and 8 sectors per cluster. FAT size is 1997 sectors, and provides 255492 clusters. Volume ID is 420781ea, no volume label.

Note

Newer Linux distributions automatically sync a newly created partition and format the drive. The sync feature eliminates the need to reboot the computer, unlike with Microsoft OSs.

19. Close the shell window for this session by typing exit and pressing Enter. This drive can now be mounted and used to receive an image of a suspect drive. Later in this section, you learn how to mount and write to this Microsoft FAT target drive.

Acquiring Data with dd in Linux A unique feature of a forensics Linux Live CD is that it can mount and read most drives. To perform a data acquisition on a suspect computer, all you need are the following:

• A forensics Linux Live CD • A USB, FireWire, or SATA external drive with cables • Knowledge of how to alter the suspect computer’s BIOS to boot from the Linux

Live CD • Knowledge of which shell commands to use for the data acquisition

Tip

If you want to learn more about Linux and shell commands, review a Linux tutorial, such as Nix Tutor at www.nixtutor.com/linux/all-the-best-linux-cheat-sheets.

The dd command, available on all UNIX and Linux distributions, means “data dump.” This command, which has many functions and switches, can be used to read and write data from a media device and a data file. The dd command isn’t bound by a logical file system’s data structures, meaning the drive doesn’t have to be mounted for

68944_ch03_hr_093-142.indd 111 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition112

dd to access it. For example, if you list a physical device name, the dd command copies the entire device—all data files, slack space, and free space (unallocated data) on the device. The dd command creates a raw format file that most forensics analysis tools can read, which makes it useful for data acquisitions.

Caution

Use extreme caution with the dd command. Make sure you know which drives are the suspect drive and target drive. Although you might not have mounted the suspect drive, if you reverse the input field (if=) of the suspect and target drives with the output field (of=), data is written to the wrong drive, thus destroying the original evidence drive.

As powerful as this command is, it does have some shortcomings. One major problem is that it requires more advanced skills than the average computer user might have. Also, because it doesn’t compress data, the target drive needs to be equal to or larger than the suspect drive. It’s possible to divide the output to other drives if a large enough target drive isn’t available, but this process can be cumbersome and prone to mistakes when you’re trying to keep track of which data blocks to copy to which target drive.

The dd command combined with the split command segments output into separate volumes. Use the split command with the -b switch to adjust the size of segmented volumes the dd command creates. As a standard practice for archiving purposes, create segmented volumes that fit on a CD or DVD. For additional information on dd and split, see their man pages. Follow these steps to make an image of an NTFS disk on a FAT32 disk by using the dd command:

1. Assuming that your workstation is the suspect computer and is booted from a Linux Live CD, connect the USB, FireWire, or SATA external drive containing the FAT32 target drive, and turn the external drive on.

2. If you’re not at a shell prompt, start a shell window, switch to superuser (su) mode, type the root password, and press Enter.

3. At the shell prompt, list all drives connected to the computer by typing fdisk -l and pressing Enter, which produces the following output:

Disk /dev/hda: 40.0 GB, 40007761920 bytes 255 heads, 63 sectors/track, 4864 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System /dev/hda1 * 1 13 104391 83 Linux /dev/hda2 14 4864 38965657+ 8e Linux LVM

68944_ch03_hr_093-142.indd 112 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 113

Disk /dev/sda: 163.9 GB, 163928605184 bytes 255 heads, 63 sectors/track, 19929 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System /dev/sda1 1 12000 96389968+ b W95 FAT32 /dev/sda2 12001 19929 63689692+ 5 Extended /dev/sda5 12001 19929 63689661 c W95 FAT32 (LBA)

Disk /dev/sdb: 6448 MB, 6448619520 bytes 199 heads, 62 sectors/track, 1020 cylinders Units = cylinders of 12338 * 512 = 6317056 bytes

Device Boot Start End Blocks Id System /dev/sdb1 1 1020 6292349 7 HPFS/NTFS

4. To create a mount point for the USB, FireWire, or SATA external drive and partition, make a directory in /mnt by typing mkdir /mnt/sda5 and pressing Enter.

5. To mount the target drive partition, type mount -t vfat /dev/sda5 /mnt/ sda5 and press Enter.

6. To change your default directory to the target drive, type cd /mnt/sda5 and press Enter.

7. List the contents of the target drive’s root level by typing ls -al and pressing Enter. Your output should be similar to the following:

total 40 drwxr-xr-x 2 root root 32768 Dec 31 1969 . drwxr-xr-x 5 root root 4096 Feb 6 17:22 ..

8. To make a target directory to receive image saves of the suspect drive, type mkdir case01 and press Enter.

9. To change to the newly created target directory, type cd case01 and press Enter. Don’t close the shell window.

Next, you perform a raw format image of the entire suspect drive to the target directory. To do this, you use the split command with the dd command. The split command creates a two-letter extension for each segmented volume. The -d switch creates numeric rather than letter extensions. As a general rule, if you plan to use a Windows forensics tool to examine a dd image file created with this switch, the segmented volumes shouldn’t exceed 2 GB each because of FAT32 file size limits. This 2 GB limit allows you to copy only up to 198 GB of a suspect’s disk. If you need to use the dd command, it’s better to use the split command’s default of incremented letter extensions and make smaller segments. To adjust the segmented

68944_ch03_hr_093-142.indd 113 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition114

volume size, change the value for the -b switch from the 650 MB used in the following example to 2000 MB.

1. Type dd if=/dev/sdb | split -b 650m - image_sdb. and press Enter. You should see output similar to the following:

12594960+0 records in 12594960+0 records out

Tip

When using the split command, type a period at the end of the filename as shown, with no space between it and the filename. Otherwise, the extension is appended to the filename with no “.” delimiter.

2. List the raw images that have been created from the dd and split commands by typing ls -l and pressing Enter. You should see output similar to the following:

total 6297504 –rwxr-xr-x 1 root root 681574400 Feb 6 17:26 image_sdb.aa –rwxr-xr-x 1 root root 681574400 Feb 6 17:28 image_sdb.ab –rwxr-xr-x 1 root root 681574400 Feb 6 17:29 image_sdb.ac –rwxr-xr-x 1 root root 681574400 Feb 6 17:30 image_sdb.ad –rwxr-xr-x 1 root root 681574400 Feb 6 17:32 image_sdb.ae –rwxr-xr-x 1 root root 681574400 Feb 6 17:33 image_sdb.af –rwxr-xr-x 1 root root 681574400 Feb 6 17:34 image_sdb.ag –rwxr-xr-x 1 root root 681574400 Feb 6 17:36 image_sdb.ah –rwxr-xr-x 1 root root 681574400 Feb 6 17:37 image_sdb.ai –rwxr-xr-x 1 root root 314449920 Feb 6 17:37 image_sdb.aj

3. To complete this acquisition, dismount the target drive by typing umount /dev/sda5 and pressing Enter.

Depending on the Windows forensics analysis tool you’re using, renaming each segmented volume’s extension with incremented numbers instead of letters might be necessary. For example, rename image_sdb.aa as image_sdb.01, and so on. Several Windows forensics tools can read only disk-to-image segmented files that have numeric extensions. Most Linux forensics tools can read segments with numeric or lettered extensions.

Acquiring a specific partition on a drive works the same way as acquiring the entire drive. Instead of typing /dev/sdb as you would for the entire drive, add the partition

68944_ch03_hr_093-142.indd 114 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 115

number to the device name, such as /dev/sdb1. For drives with additional partitions, use the number that would be listed in the fdisk -l output. For example, to copy only the partition of the previous NTFS drive, you use the following dd command:

dd if=/dev/sdb1 | split -b 650m - image_sdb1

Remember to use caution with the dd command in your forensics data acquisitions.

Acquiring Data with dcfldd in Linux The dd command is intended as a data management tool; it’s not designed for forensics acquisitions. Because of these shortcomings, Nicholas Harbour of the Defense Computer Forensics Laboratory (DCFL) developed a tool that can be added to most UNIX/Linux OSs. This tool, the dcfldd command, works similarly to the dd command but has many features designed for forensics acquisitions. The following are important functions dcfldd offers that aren’t possible with dd:

• Specify hexadecimal patterns or text for clearing disk space. • Log errors to an output file for analysis and review. • Use the hashing options MD5, SHA-1, SHA-256, SHA-384, and SHA-512 with

logging and the option of specifying the number of bytes to hash, such as specific blocks or sectors.

• Refer to a status display indicating the acquisition’s progress in bytes. • Split data acquisitions into segmented volumes with numeric extensions (unlike dd’s limit of 99).

• Verify the acquired data with the original disk or media data.

When using dcfldd, you should follow the same precautions as with dd. The dcfldd command can also write to the wrong device, if you aren’t careful.

The following examples show how to use the dcfldd command to acquire data from a 64 MB USB drive, although you can use the command on a larger media device. All commands need to be run from a privileged root shell session. To acquire an entire media device in one image file, type the following command at the shell prompt:

dcfldd if=/dev/sda of=usbimg.dat

If the suspect media or disk needs to be segmented, use the dcfldd command with the split command, placing split before the output file field (of=), as shown here:

dcfldd if=/dev/sda hash=md5 md5log=usbimgmd5.txt bs=512 conv=noerror,sync split=2M of=usbimg

This command creates segmented volumes of 2 MB each. To create segmented volumes that fit on a CD of 650 MB, change the split=2M to split=650M. This command also saves the MD5 value of the acquired data in a text file named usbimgmd5.txt.

68944_ch03_hr_093-142.indd 115 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition116

Capturing an Image with AccessData FTK Imager Lite The following activity assumes you have removed the suspect drive and connected it to a USB or FireWire write-blocker device connected to your forensic workstation. The acquisition is written to a work folder on your C drive, assuming it has enough free space for the acquired data. Follow these steps to perform the first task of connecting the suspect’s drive to your workstation:

1. Document the chain of evidence for the drive you plan to acquire.

2. Remove the drive from the suspect’s computer.

3. For IDE drives, configure the suspect drive’s jumpers as needed. (Note: This step doesn’t apply to SATA or USB drives.)

4. Connect the suspect drive to the USB or FireWire write-blocker device.

5. Create a storage folder on the target drive. For this activity, you use your work folder (C:\Work\Chap03\Chapter), but in real life, you’d use a folder name such as C:\Evidence.

FTK Imager is a data acquisition tool included with a licensed copy of AccessData Forensic Toolkit. Like most Windows data acquisition tools, it requires using a USB dongle for licensing. FTK Imager Lite, Debian and Ubuntu x64 command- line interfaces, and macOS 10.5 and 10.6x command-line interfaces are free and require no dongle license. To download FTK Imager Lite, see http://accessdata.com/product- download/digital-forensics/ftk-imager-lite-version-3.1.1. To download Debian and Ubuntu x64, see http://accessdata.com/product-download/digital-forensics/debian-and-ubuntu- x64-3.1.1#release-information. To download macOS 10.5 and 10.6x, see http://accessdata. com/product-download/digital-forensics/mac-os-10.5-and-10.6x-version-3.1.1.

FTK Imager is designed for viewing evidence disks and disk-to-image files created from other proprietary formats. It can read AccessData .ad1, Expert Witness Compression (EnCase) .e01, SMART .s01, Advanced Forensic Format (AFF), and raw format files. In addition to disk media, FTK Imager can read CD and DVD file systems. This program shows a view of a disk partition or an image file as though it’s a mounted partition, with additional panes showing the contents of the selected file (see Figure 3-2).

Tip

For additional information on the dcfldd command, see http://dcfldd.sourceforge.net. Information on how to download and install dcfldd is available for many UNIX, Linux, and Macintosh OSs. You can also use the man page to find more information on dcfldd features and switches.

68944_ch03_hr_093-142.indd 116 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 117

Figure 3-2 The FTK Imager main window Source: AccessData Group, Inc., www.accessdata.com

FTK Imager can make disk-to-image copies of evidence drives and enables you to acquire an evidence drive from a logical partition level or a physical drive level. You can also define the size of each disk-to-image file volume, allowing you to segment the image into one or many split volumes. For example, you can specify 650 MB volume segments if you plan to store volumes on 650 MB CD-Rs or 2.0 GB volume segments so that you can record volumes on DVD-/+Rs. An additional feature of FTK Imager is that it can image RAM on a live computer. The evidence drive you’re acquiring data from must have a hardware write-blocking device or run from a Live CD, such as Mini-WinFE.

FTK Imager can’t acquire a drive’s HPA and device configuration overlay (DCO), however. In other words, if the drive’s specifications indicate it has 11,000,000 sectors and the BIOS display indicates 9,000,000, a host protected area of 2,000,000 sectors might be assigned to the drive. If you suspect an evidence drive has a host protected area, you must use an advanced acquisition tool to include this area when copying data. With older MS-DOS tools, you might have to define the exact sector count to make sure you include more than what the BIOS shows as the number of known sectors on a drive. Review vendors’ manuals to determine how to account for a drive’s host protected area.

68944_ch03_hr_093-142.indd 117 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition118

In the following activity, you use FTK Imager Lite to make an image file. (If you haven’t installed it already, do so now. You download it at http://accessdata.com/ product-download/digital-forensics/ftk-imager-lite-version-3.1.1.) Use a write-blocking device to protect the suspect drive, and then follow these steps:

Figure 3-3 The Select Drive dialog box Source: AccessData Group, Inc., www.accessdata.com

1. Boot your forensic workstation to Windows, using an installed write-blocker.

2. Connect the evidence drive to a write-blocking device or USB device.

3. Connect the target drive to a USB external drive, if you’re using a write-blocker.

4. Start FTK Imager Lite. If prompted by the User Account Control message box, click Yes.

5. In the FTK Imager main window, click File, Create Disk Image from the menu.

6. In the Select Source dialog box, click the Physical Drive option button, if necessary, and then click Next.

7. In the Select Drive dialog box, click the Source Drive Selection list arrow (see Figure 3-3), click the suspect drive, and then click Finish.

Note

Before starting this activity, create a work folder named Work\Chap03\Chapter. Note that work folder names might differ slightly in screenshots.

68944_ch03_hr_093-142.indd 118 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 119

8. In the Create Image dialog box, click to select the Verify images after they are created check box, if necessary, and then click Add. In the Select Image Type dialog box that opens (see Figure 3-4), click the Raw (dd) option button, if necessary, and then click Next.

Figure 3-4 The Select Image Type dialog box Source: AccessData Group, Inc., www.accessdata.com

Figure 3-5 The Evidence Item Information dialog box Source: AccessData Group, Inc., www.accessdata.com

9. In the Evidence Item Information dialog box, complete the case information, as shown in Figure 3-5, and then click Next.

68944_ch03_hr_093-142.indd 119 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition120

10. In the Select Image Destination dialog box (see Figure 3-6), click Browse, navigate to the location for the image file (your work folder), and click to clear the Use AD Encryption check box, if necessary.

Note

You can adjust the amount in the Image Fragment Size text box, but for this activity, leave the default value of 1500 MB.

Figure 3-6 Selecting where to save the image file Source: AccessData Group, Inc., www.accessdata.com

11. In the Image Filename (Excluding Extension) text box, type InChp03-ftk, and then click Finish.

12. Next, in the Create Image dialog box, click Start to initiate the acquisition.

13. When FTK Imager finishes the acquisition, review the information in the Drive/ Image Verify Results dialog box, and then click Close. Click Close again in the Creating Image dialog box (see Figure 3-7).

14. Exit FTK Imager Lite by clicking File, Exit from the menu.

68944_ch03_hr_093-142.indd 120 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 121

Validating Data Acquisitions Probably the most critical aspect of computer forensics is validating digital evidence. The weakest point of any digital investigation is the integrity of the data you collect, so validation is essential. In this section, you learn how to use several tools to validate data acquisitions.

Validating digital evidence requires using a hashing algorithm utility, which is designed to create a binary or hexadecimal number that represents the uniqueness of a data set, such as a file or disk drive. This unique number is referred to as a “digital fingerprint.” With a few exceptions, making any alteration in one of the files—even changing one letter from uppercase to lowercase—produces a completely different hash value.

These exceptions, known as “collisions,” have been found to occur in a small number of files with MD5, and SHA-1 might also be subject to collisions. For forensic examinations of data files on a disk drive, however, collisions are of little concern. If two files with different content have the same MD5 hash value, a comparison of each byte of a file can be done to see the differences. Currently, several tools can do a byte-by-byte comparison

Figure 3-7 An image save in progress Source: AccessData Group, Inc., www.accessdata.com

Note

For additional information, see the Help menu in FTK Imager Lite to learn more about its many features.

68944_ch03_hr_093-142.indd 121 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition122

of files. Programs such as X-Ways Forensics, X-Ways WinHex, and IDM Computing Solution’s UltraCompare can analyze and compare data files. For more information on MD5 collisions, see www.x-ways.net/md5collision.html or www.mscs.dal.ca/~selinger/ md5collision/. Chapter 4 discusses methods of using MD5 and SHA-1.

For imaging an evidence drive, many tools offer validation techniques ranging from CRC-32, MD5, and SHA-1 to SHA-512. These hashing algorithm utilities are available as stand-alone programs or are integrated into many acquisition tools. The following sections discuss how to perform validation with some currently available acquisition programs.

Linux Validation Methods Linux is rich in commands and functions. The two Linux shell commands shown earlier in this chapter, dd and dcfldd, have several options that can be combined with other commands to validate data. The dcfldd command has other options that validate data collected from an acquisition. Validating acquired data with the dd command requires using other shell commands.

Current distributions of Linux include two hashing algorithm utilities: md5sum and sha1sum. Both utilities can compute hashes of a single file, multiple files, individual or multiple disk partitions, or an entire disk drive.

Validating dd-Acquired Data As shown earlier, the following command produces segmented volumes of the /dev/sdb drive, with each segmented volume named image_sdb and an incrementing extension of .aa, .ab, .ac, and so on:

dd if=/dev/sdb | split -b 650m image_sdb

To validate all segmented volumes of a suspect drive with the md5sum utility, you use the Linux shell commands shown in the following steps. For the saved images, remember to change to the directory where the data was saved, or list the exact path for the saved images. To use sha1sum instead of md5sum, just replace all md5sum references in commands with sha1sum. The drive should still be connected to your acquisition workstation.

1. If necessary, start Linux, open a shell window, and navigate to the directory where image files are saved. To calculate the hash value of the original drive, type md5sum/dev/sdb > md5_sdb.txt and press Enter.

Note

The redirect (>) option saves the computed MD5 hash value in the md5_sdb.txt file. This file should be saved with image files as validation of the evidence.

68944_ch03_hr_093-142.indd 122 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 123

2. To compute the MD5 hash value for the segmented volumes and append the output to the md5_sdb.txt file, type cat image_sdb.*| md5sum >> md5_sdb.txt and press Enter.

Note

By using the cat (concatenate) command with an asterisk (*) as the extension value, all segmented volumes are read sequentially as one big contiguous file, as though they were the original drive or partition. The pipe (|) function outputs the cat command read data to the input of the md5sum command. The >> option adds the md5sum hash results to the end of the md5_sdb.txt file’s content.

3. Examine the md5_sdb.txt file to see whether both hashes match by typing cat md5_sdb.txt and pressing Enter. If the data acquisition is successful, the two hash numbers should be identical. If not, the acquisition didn’t work correctly. You should see output similar to the following:

34963884a4bc5810b130018b00da9de1 /dev/sdb 34963884a4bc5810b130018b00da9de1

4. Close the Linux shell window by typing exit and pressing Enter.

With the dd command, the md5sum or sha1sum utilities should be run on all suspect disks and volumes or segmented volumes.

Validating dcfldd-Acquired Data Because dcfldd is designed for forensics data acquisition, it has validation options integrated: hash and hashlog. You use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512. The hashlog option outputs hash results to a text file that can be stored with image files. To create an MD5 hash output file during a dcfldd acquisition, you enter the following command (in one line) at the shell prompt:

dcfldd if=/dev/sda split=2M of=usbimg hash=md5 hashlog=usbhash.log

To see the results of files generated with the split command, you enter the list directory (ls) command at the shell prompt. You should see the following output:

usbhash.logusbimg.004 usbimg.010 usbimg.016 usbimg.022 usbimg.028 usbseghash.logusbimg.005 usbimg.011 usbimg.017 usbimg.023 usbimg.029 usbimg.000 usbimg.006 usbimg.012 usbimg.018 usbimg.024 usbimg.030 usbimg.001 usbimg.007 usbimg.013 usbimg.019 usbimg.025 usbimg.002 usbimg.008 usbimg.014 usbimg.020 usbimg.026 usbimg.003 usbimg.009 usbimg.015 usbimg.021 usbimg.027

68944_ch03_hr_093-142.indd 123 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition124

Note that the first segmented volume has the extension .000 rather than .001. Some Windows forensics tools might not be able to read segmented file extensions starting with .000. They’re typically looking for .001. If your forensics tool requires starting with an .001 extension, the files need to be renamed incrementally. So segmented file .000 should be renamed .001, .001 should be renamed .002, and so on.

Another useful dcfldd option is vf (verify file), which compares the image file with the original medium, such as a partition or drive. The vf option applies only to a nonsegmented image file. To validate segmented files from dcfldd, use the md5sum or sha1sum command described previously. To use the vf option, you enter the following command at the shell prompt:

dcfldd if=/dev/sda vf=sda_hash.img

For additional information on dcfldd, see the man page.

Windows Validation Methods Unlike Linux, Windows has no built-in hashing algorithm tools for digital forensics. However, many Windows third-party programs do have a variety of built-in tools. These third-party programs range from hexadecimal editors, such as X-Ways WinHex or Breakpoint Software Hex Workshop, to forensics programs, such as OSForensics, Autopsy, EnCase, and FTK. In Chapter 9, you learn how to hash specific data by using a hexadecimal editor to locate and verify groups of data that have no file association or are sections within a file.

Commercial forensics programs also have built-in validation features. Each program has its own validation technique used with acquisition data in its proprietary format. For example, Autopsy uses MD5 to validate an image. It reads the metadata in Expert Witness Compression or AFF image files to get the original hash. If the hashes don’t match, Autopsy notifies you that the acquisition is corrupt and can’t be considered reliable evidence.

In Autopsy and many other forensics tools, however, raw format image files don’t contain metadata. As mentioned, a separate manual validation is recommended for all raw acquisitions at the time of analysis. The previously generated validation file for raw format acquisitions is essential to the integrity of digital evidence. The saved validation file can be used later to check whether the acquisition file is still good.

In FTK Imager Lite, when you select the Expert Witness Compression (.e01) or the SMART (.s01) format, additional options for validation are displayed. This validation report also lists the MD5 and SHA-1 hash values. The MD5 hash value is added to the proprietary format image or segmented files. When this image is loaded into FTK, SMART, or X-Ways Forensics (which can read only .e01 and raw files), the MD5 hash is read and compared with the image to verify whether the acquisition is correct.

68944_ch03_hr_093-142.indd 124 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 125

You can find other open-source hashing tools online; just search for “windows open source hash” to find the latest available Windows hashing tools. For example, a recent search turned up SourceForge md5deep at http://md5deep.sourceforge.net and Software Informer at http://softwaresolution.informer.com/Hash-Tool.

Performing RAID Data Acquisitions Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized. Size is the biggest concern because many RAID systems are now pushing into exabytes or more of data. The following sections review common RAID configurations and discuss ways to acquire data on these large storage devices.

Understanding RAID Redundant array of independent disks (RAID) is a computer configuration involving two or more physical disks. Originally, RAID was developed as a data-redundancy measure to minimize data loss caused by a disk failure. As technology improved, RAID also provided increased storage capabilities.

Several levels of RAID can be implemented through software (known as “software RAID”) or special hardware controllers (known as “hardware RAID”). Software RAID is typically implemented from the host computer’s OS. Hardware RAID uses its own controller as well as a processor and memory connected to the host computer. For more information on RAID configurations, see www.adaptec.com/nr/rdonlyres/14b2fd84- f7a0-4ac5-a07a-214123ea3dd6/0/4423_sw_hwraid_10.pdf.

For Windows XP, 2000, and NT servers and workstations, RAID 0 or 1 is available. For a high-end data-processing environment, RAID 5 is common and is often based in special RAID towers. These high-end RAID systems usually have integrated controllers that connect to high-end servers or mainframes. These systems provide redundancy and high-speed data access and can make many small disks appear as one very large drive.

Note

Other variations of RAID besides 0, 1, and 5 are specific to their vendor or application.

68944_ch03_hr_093-142.indd 125 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition126

RAID 0 provides rapid access and increased data storage (see Figure 3-8). In RAID 0, two or more disk drives become one large volume, so the computer views the disks as a single disk. The tracks of data on this mode of storage cross over to each disk. The logical addressing scheme makes it seem as though each track of data is continuous throughout all disks. If you have two disks configured as RAID 0, track one starts on the first physical disk and continues to the second physical disk. When viewed from a booted OS, such as Windows XP or later, the two disks appear as one large disk. The advantage of RAID 0 is increased speed and data storage capability spread over two or more disks that can be one large disk partition. Its biggest disadvantage is lack of redundancy; if a disk fails, data isn’t continuously available.

Figure 3-8 RAID 0: Striping

64 KB

64 KB Disk 1 Disk 2 Disk 3

RAID drive

Disk 4

128 KB file

Figure 3-9 RAID 1: Mirroring

128 KB

128 KB Disk 1 Disk 2 Disk 3

RAID drive

Disk 4

128 KB file

RAID 1, shown in Figure 3-9, is made up of two disks for each volume and is designed for data recovery in the event of a disk failure. The contents of the two disks in RAID 1 are identical. When data is written to a volume, the OS writes the data twice—once to each disk at the same time. If one drive fails, the OS switches to the other disk.

68944_ch03_hr_093-142.indd 126 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 127

RAID 1 ensures that data isn’t lost and helps prevent computer downtime. The main disadvantage of RAID 1 is that it takes two disks for each volume, which doubles the cost of disk storage.

Like RAID 1, RAID 2 (see Figure 3-10) provides rapid access and increased storage by configuring two or more disks as one large volume. The difference with RAID 2 is that data is written to disks on a bit level. An error-correcting code (ECC) is used to verify whether the write is successful. RAID 2, therefore, has better data integrity checking than RAID 0. Because of the bit-level writes and the ECC, however, RAID 2 is slower than RAID 0.

Figure 3-10 RAID 2: Striping (bit level)

Disk 1

File 1 (3 KB)

File 2 (1 KB)

1 KB 1 KB 1 KB Parity

Parity0.33 KB0.33 KB0.33 KB

Disk 2 Disk 3 Disk 4

RAID drive

RAID 3 uses data striping and dedicated parity and requires at least three disks. Similar to RAID 0, RAID 3 stripes tracks across all disks that make up one volume. RAID 3 also implements dedicated parity of data to ensure recovery if data is corrupted. Dedicated parity is stored on one disk in the RAID 3 array. Like RAID 3, RAID 4 uses data striping and dedicated parity (block writing), except data is written in blocks rather than bytes.

RAID 5 (see Figure 3-11) is similar to RAID 0 and RAID 3 in that it uses distributed data and distributed parity and stripes data tracks across all disks in the RAID array. Unlike RAID 3, however, RAID 5 places parity data on each disk. If a disk in a RAID array has a data failure, the parity on other disks rebuilds the corrupt data automatically when the failed drive is replaced.

Figure 3-11 RAID 5: Block-level striping with distributed parity

Disk 1

File 1 (12 KB)

File 2 (16 KB)

4 KB

4 KB 4 KB

4 KB

4 KB

4 KB

4 KB Parity

Parity Parity

Parity

Disk 2 Disk 3 Disk 4

RAID drive

68944_ch03_hr_093-142.indd 127 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition128

In RAID 6, distributed data and distributed parity (double parity) function the same way as RAID 5, except each disk in the RAID array has redundant parity. The advantage of RAID 6 over RAID 5 is that it recovers any two disks that fail because of the additional parity stored on each disk.

RAID 10, or mirrored striping, also known as RAID 1+0, is a combination of RAID 1 and RAID 0. It provides fast access and redundancy of data storage. RAID 15, or mirrored striping with parity, also known as RAID 1+5, is a combination of RAID 1 and RAID 5. It offers the most robust data recovery capability and speed of access of all RAID configurations and is also more costly.

Acquiring RAID Disks There’s no simple method for getting an image of a RAID server’s disks. You need to address the following concerns:

• How much data storage is needed to acquire all data for a forensics image? • What type of RAID is used? Is it Windows RAID 0 or 1 or an integrated hardware-

firmware vendor’s RAID 5, 10, or 15? Is it another unknown configuration or OS? • If it’s a RAID 1, 10, or 15 server, do you need to have all drives connected so that

the OS sees their contents? Some older RAID 1 systems required connecting both drives to make the data readable, which might also apply to RAID 10 and 15.

• Do you have an acquisition tool capable of copying the data correctly? • Can the tool read a forensic copy of a RAID image? • Can the tool read split data saves of each RAID disk, and then combine all images

of each disk into one RAID virtual drive for analysis?

With the larger disks now available, copying small RAID systems to one large disk is possible, similar to the way non-RAID suspect drives are copied. For example, a small server running eight 36 GB SCSI drives in a RAID 0 tower requires about a 300 GB SATA or IDE (PATA) drive. Less data storage is needed if a proprietary format acquisition is used with compression applied. All forensics analysis tools can analyze an image because they see the acquired data as one large drive, not eight separate drives.

Several forensics vendors have added RAID recovery features. These vendors typically specialize in one or two types of RAID formats. The following are some vendors offering RAID acquisition functions:

• Guidance Software EnCase • X-Ways Forensics • AccessData FTK • Runtime Software • R-Tools Technologies

You should know which vendor supports which RAID format and keep up to date on the latest improvements in these products.

Being able to separate each physical disk into smaller save sets eliminates the need to have one large drive for storing acquired data. Acquiring RAID data requires

68944_ch03_hr_093-142.indd 128 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 129

only similar-size drives that match each disk in the RAID array. For example, with a RAID 0 array of three 2 TB disks, all you need are three target drives of the same size. If each acquisition is compressed, you might be able to get by with slightly smaller target drives.

Tools such as Runtime Software (www.runtime.org) and R-Tools Technologies (www.r-tt.com) are designed as data recovery tools. Although not intended as forensics acquisition tools, they have unique features that can aid in recovering corrupted RAID data and can perform raw format acquisitions and repair broken RAID 0 and 5 systems. The Runtime RAID Reconstructor tool copies the original RAID to a raw format file, which must then be restored on another RAID-configured system where repairs can be performed. It also scans and corrects errors on the newly copied RAID. R-Tools R-Studio creates a virtual volume of the RAID image file. All repairs are made on the virtual volume, which can then be restored to the original RAID.

Occasionally, a RAID system is too large for a static acquisition. Under ideal circumstances, your goal is to collect a complete image of evidence drives. Because RAID systems can have dozens or more terabytes of data storage, copying all data isn’t always practical. For these occasions, retrieving only the data relevant to the investigation with the sparse or logical acquisition method is the only practical solution. When dealing with very large RAID servers, consult with the forensics vendor to determine how to best capture RAID data. Another possible solution is renting a portable RAIDBank for your acquisition.

Using Remote Network Acquisition Tools Recent improvements in forensics tools include the capability to acquire disk data or data fragments (sparse or logical) remotely. With this feature, you can connect to a suspect computer remotely via a network connection and copy data from it. Remote acquisition tools vary in configurations and capabilities. Some require manual intervention on remote suspect computers to initiate the data copy. Others can acquire data surreptitiously through an encrypted link by pushing a remote access program to the suspect’s computer. From an investigation perspective, being able to connect to a suspect’s computer remotely to perform an acquisition has tremendous appeal. It saves time because you don’t have to go to a suspect’s computer, and it minimizes the chances of a suspect discovering that an investigation is taking place. Most remote acquisitions have to be done as live acquisitions, not static acquisitions. When performing remote acquisitions, advanced privileges are required to push agent applications to the remote system.

There are some drawbacks to consider, such as antivirus, antispyware, and firewall tools. Most of these security programs can be configured to ignore remote access programs. However, if suspects have administrator rights on their computers, they could easily install their own security tools that trigger an alarm to notify them of remote access intrusions.

68944_ch03_hr_093-142.indd 129 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition130

The following sections describe methods used by digital forensics tools that have the capability to perform remote acquisitions. An older version of ProDiscover is used as an example to show how remote acquisitions work. Other vendors’ remote acquisition functions work similarly. Chapter 10 covers other resources for data copying and explains how to perform a live forensics acquisition.

Remote Acquisition with ProDiscover ProDiscover Incident Response is designed to be integrated as a network intrusion analysis tool and is useful for performing remote acquisitions. When connected to a remote computer, it uses the same ProDiscover acquisition method described previously. After the connection is established, the remote computer is displayed in the Capture Image dialog box. This tool offers all the functions and features of other tools in the ProDiscover suite plus the following:

• Capture volatile system state information. • Analyze current running processes on a remote system. • Locate unseen files and processes on a remote system that might be running

malware or spyware. • Remotely view and listen to IP ports on a compromised system. • Run hash comparisons on a remote system to search for known Trojans and

rootkits. • Create a hash inventory of all files on a system remotely (a negative hash search

capability) to establish a baseline if it gets attacked.

The ProDiscover utility for remote access is the PDServer remote agent, which must be loaded on the suspect computer before ProDiscover Incident Response can access it. This remote agent can be installed in three different ways:

• Trusted CD—For this manual installation method, ProDiscover can create a special CD/DVD or USB drive containing the PDServer remote agent. It’s used to load PDServer manually on the suspect computer.

• Preinstallation—For networks with a configured OS, the PDServer remote agent can be added to the standard installation of high-risk computers, which enables network security administrators to respond to network attacks and malware contaminations quickly. Any network management tool, such as DameWare (www.dameware.com) or Hyena (www.systemtools.com/hyena/), can be used to initiate a connection with ProDiscover. This is a remote method of installing the remote acquisition tool.

• Pushing out and running remotely—Downloading PDServer to a remote computer helps investigators respond quickly to incidents. Data is collected in real time when using this function. This is a remote method of installing the remote acquisition tool.

With PDServer, you have the option of running it in a stealth mode to hide it from the suspect. Note that Windows Task Manager lists the process as PDServer. To disguise it, you can change the process name so that it appears to be an OS function in

68944_ch03_hr_093-142.indd 130 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 131

the suspect computer’s Task Manager. In addition, the following security features are available for remote connections:

• Password protection—PDServer on the target computer is password-protected, and the password is encrypted at all times.

• Encryption—All communication between PDServer on the suspect’s and investigator’s computers can be encrypted. ProDiscover provides 256-bit Advanced Encryption Standard (AES) or Twofish encryption for the connection.

• Secure communication protocol—All connections between the suspect’s and examiner’s computers have globally unique identifiers (GUIDs) to prevent inserting packets in the data stream.

• Write-protected trusted binaries—PDServer can run from a write-protected device, such as a CD.

• Digital signatures—PDServer and its removal device driver, PARemoval.sys, are digitally signed to verify that they haven’t been tampered with before and during the remote connection.

Note

For more information on ProDiscover, see www.arcgroupny.com.

Remote Acquisition with EnCase Enterprise Guidance Software was the first forensics vendor to develop a remote acquisition and analysis tool based on its desktop tool EnCase. This remote tool, EnCase Endpoint Investigator, can perform the following functions:

• Search and collect internal and external network systems over a wide geographical area

• Support multiple OSs and file systems • Triage to help determine systems’ relevance to an investigation • Perform simultaneous searches of up to five systems at a time

For more information, see www.guidancesoftware.com/docs/default-source/ document-library/product-brief/encase-endpoint-investigator-product-overview.pdf.

Remote Acquisition with R-Tools R-Studio The R-Tools suite of software is designed for data recovery. As part of this recovery capability, the R-Studio network edition can remotely access networked computer systems. Data acquired with R-Studio network edition creates raw format acquisitions, and it’s capable of recovering many different file systems, including ReFS. For more information on R-Studio, see www.r-studio.com.

68944_ch03_hr_093-142.indd 131 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition132

Remote Acquisition with WetStone US-LATT PRO US-LATT PRO, part of a suite of tools developed by WetStone, can connect to a networked computer remotely and perform a live acquisition of all drives connected to it. For more information on this tool, see www.wetstonetech.com/product/us-latt/.

Remote Acquisition with F-Response F-Response is a vendor-neutral specialty remote access utility designed to work with any digital forensics program. When installed on a remote computer, it sets up a security read-only connection that allows forensics examiners to access it. With F-Response, examiners can access remote drives at the physical level and view raw data. After the F-Response connection has been set up, any forensics acquisition tool can be used to collect digital evidence.

F-Response is sold in four different versions: Enterprise Edition, Consultant + Convert Edition, Consultant Edition, and TACTICAL Edition. For the latest information on F-Response, see www.f-response.com.

Using Other Forensics Acquisition Tools In addition to the tools you’ve learned about already, you can use other commercial acquisition tools, described in the following sections. Prices for some tools are discounted for law enforcement officers working in digital forensics.

PassMark Software ImageUSB PassMark Software has an acquisition tool called ImageUSB for its OSForensics analysis product. To create a bootable flash drive, you need Windows XP or later and ImageUSB downloaded from the OSForensics Web site. For more information on ImageUSB, see www.osforensics.com/tools/write-usb-images.html.

ASR Data SMART ASR Data SMART is a Linux forensics analysis tool that can make image files of a suspect drive. SMART can produce proprietary or raw format images and includes the following capabilities:

• Robust data reading of bad sectors on drives • Mounting suspect drives in write-protected mode • Mounting target drives, including NTFS drives, in read/write mode • Optional compression schemes to speed up acquisition or reduce the amount of

storage needed for acquired digital evidence

For more information on SMART, see www.asrdata.com.

68944_ch03_hr_093-142.indd 132 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 133

Runtime Software In addition to RAID Reconstructor, Runtime Software offers several compact shareware programs for data acquisition and recovery, including DiskExplorer for FAT and DiskExplorer for NTFS. Runtime has designed its tools to be file system specific, so DiskExplorer versions for both FAT and NTFS are available. These tools offer the following features for acquisition needs:

• Create a raw format image file. • Segment the raw format or compressed image for archiving purposes. • Access network computers’ drives.

For more information on Runtime Software, see www.runtime.org/raid.htm.

ILookIX IXImager IXImager runs from a bootable thumb drive or CD/DVD. It’s a stand-alone proprietary format acquisition tool designed to work only with ILookIX. It can acquire single drives and RAID drives. It supports IDE (PATA), SCSI, USB, and FireWire devices. The IXImager proprietary format can be converted to a raw format if other analysis tools are used. For more information on IXImager, see www.perlustro.com/solutions/e-forensics/ iximager.

SourceForge SourceForge provides several applications for security, analysis, and investigations. For a listing of its current tools, see https://sourceforge.net/directory/os:windows/. SourceForge also offers a Windows version of dcfldd; for updates, go to https:// sourceforge.net/projects/dcfldd/?source=typ_redirect.

Chapter Summary •  Forensics data acquisitions are stored in

three different formats: raw, proprietary, and AFF. Most proprietary formats and AFF store metadata about the acquired data in the image file.

•  The four methods of acquiring data for forensics analysis are disk-to-image file, disk-to-disk copy, logical disk-to-disk or disk-to-data file, and sparse data copy of a folder or file.

•  Lossless compression for forensics acquisitions doesn’t alter the data when it’s

restored, unlike lossy compression. Lossless compression can compress up to 50% for most data. If data is already compressed on a drive, lossless compression might not save much more space.

•  If there are time restrictions or too much data to acquire from large drives or RAID drives, a logical or sparse acquisition might be necessary. Consult with your lead attorney or supervisor first to let them know that collecting all the data might not be possible.

68944_ch03_hr_093-142.indd 133 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition134

•  You should have a contingency plan to ensure that you have a forensically sound acquisition and make two acquisitions if you have enough data storage. The first acquisition should be compressed, and the second should be uncompressed. If one acquisition becomes corrupt, the other one is available for analysis.

•  Write-blocking devices or utilities must be used with GUI acquisition tools in both Windows and Linux. Practice with a test drive rather than suspect drive, and use a hashing tool on the test drive to verify that no data was altered.

•  Always validate your acquisition with built-in tools from a forensics acquisition program, a hexadecimal editor with MD5 or SHA-1 hashing functions, or the Linux md5sum or sha1sum commands.

•  A Linux Live CD, such as Ubuntu, openSUSE, Arch Linux, Fedora, or Slackware provides many useful tools for digital forensics acquisitions.

•  The preferred Linux acquisition tool is dcfldd instead of dd because it was designed for forensics acquisition. The dcfldd tool is also available for Windows. Always validate the acquisition with the hashing features of dcfldd and md5sum or sha1sum.

•  When using the Linux dd or dcfldd commands, remember that reversing the output field (of=) and input field (if=) of suspect and target drives could write data to the wrong drive, thus destroying your evidence. If available, you should always use a physical write-blocker device for acquisitions.

•  To acquire RAID disks, you need to determine the type of RAID and which acquisition tool to use. With a firmware- hardware RAID, acquiring data directly from the RAID server might be necessary.

•  Remote network acquisition tools require installing a remote agent on the suspect computer. The remote agent can be detected if suspects install their own security programs, such as a firewall.

Key Terms Advanced Forensic Format

(AFF) host protected area (HPA) live acquisitions

logical acquisition raw format redundant array of

independent disks (RAID)

sparse acquisition static acquisitions whole disk encryption

Review Questions 1. What’s the main goal of a static

acquisition? 2. Name the three formats for digital

forensics data acquisitions.

3. What are two advantages and disadvantages of the raw format?

4. List two features common with proprietary format acquisition files.

68944_ch03_hr_093-142.indd 134 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 135

5. Of all the proprietary formats, which one is the unofficial standard?

6. Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.

7. What does a logical acquisition collect for an investigation?

8. What does a sparse acquisition collect for an investigation?

9. What should you consider when determining which data acquisition method to use?

10. Why is it a good practice to make two images of a suspect drive in a critical investigation?

11. When you perform an acquisition at a remote location, what should you consider to prepare for this task?

12. With newer Linux kernel distributions, what happens if you connect a hot- swappable device, such a USB drive, containing evidence?

13. In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct?

dcfldd if=image_file.img of=/dev/hda1

14. What’s the most critical aspect of digital evidence?

15. What’s a hashing algorithm? 16. In the Linux dcfldd command, which

three options are used for validating data?

17. What’s the maximum file size when writing data to a FAT32 drive?

18. What are two concerns when acquiring data from a RAID server?

19. With remote acquisitions, what problems should you be aware of? (Choose all that apply.) a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall

programs d. The password of the remote

computer’s user 20. Which forensics tools can connect to

a suspect’s remote computer and run surreptitiously?

21. EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?

22. FTK Imager can acquire data in a drive’s host protected area. True or False?

Hands-On Projects

Create a Chap03\Projects folder under your work folder. Then copy the data files from the downloads section for this chapter (on the student companion site for this book) to this work subfolder. If necessary, extract any compressed files to this subfolder.

Hands-On Project 3-1 In this project, you prepare a drive and create a FAT32 disk partition using Linux. You need the following: • A Linux distribution or Linux Live CD • A disk drive

68944_ch03_hr_093-142.indd 135 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition136

• A method of connecting a disk drive to your workstation, such as USB, FireWire, external SATA, or internal connections, such as PATA or SATA

• A review of the steps in the “Preparing a Target Drive for Acquisition in Linux” section

To format a drive as FAT32 in Linux, follow these steps:

1. Connect the target drive to be partitioned and formatted as FAT32 to your workstation. 2. Start your workstation, and log on or boot the Linux Live CD. 3. Follow the steps in the “Preparing a Target Disk for Acquisition in Linux” section. 4. When you’ve finished formatting the target drive, leave it connected for the next project.

Hands-On Project 3-2 In this project, you use the Linux dd command to make an acquisition split into 30 MB segmented volumes. Then you validate the data by using the Linux md5sum command on the original drive and the image files. The output for md5sum is then redirected to a data file kept with the image files. For this project, you need the following: • A Linux distribution or Linux Live CD • The FAT32 drive partitioned and formatted in Hands-On Project 3-1 • A method of connecting the FAT32 drive and the drive created in Hands-On Project 3-1 to

your workstation, such as USB, FireWire, external SATA, or internal connections, such as PATA or SATA

• A review of the “Acquiring Data with dd in Linux” and “Validating dd-Acquired Data” sections Follow these steps:

1. Make sure you’ve connected the drive you prepared in Hands-On Project 3-1 to your Linux workstation.

2. Start your workstation, if necessary, and log on to Linux or boot the Linux Live CD. 3. Reboot the Linux system, and make the dd acquisition, following the steps in “Acquiring

Data with dd in Linux.” For the split -b command, make the segmented size 30m, and use the -d switch to create numeric extensions for each segmented file.

4. When the acquisition is finished, do a validation of the suspect drive and the acquired image files. Follow the steps in the “Validating dd-Acquired Data” section. When you’re finished, keep the terminal window open, and keep Linux running for the next project.

Hands-On Project 3-3 Digital forensics examiners are sometimes asked to restore an image file to a disk drive. In this project, you learn how to perform this task. To prepare for this project, you need the following items: • Two USB drives formatted as FAT16 or FAT32 that can hold up to 120 MB

Note

Both USB drives should be formatted as FAT16 or FAT32. Your version of Linux might not be able to read or write data to USB media formatted as NTFS.

68944_ch03_hr_093-142.indd 136 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 137

• A Linux distribution, Linux Live CD, or a computer running Linux with at least two USB ports • The GCFI-datacarve-FAT.dd data file (extracted from CH03ProjDataFiles.exe to

your work folder)

Data-Loading Procedure in Linux First, you transfer data from the GCFI-datacarve-FAT.dd file to the target drive. Second, you restore the image file to another USB drive. Follow these steps:

1. On your Windows computer, copy the GCFI-datacarve-FAT.dd file to one of your USB drives.

2. Start your Linux workstation, if necessary. If you’re using your Windows computer with a Linux Live CD, connect the second USB drive to the computer to serve as the target drive. If you’re using a computer running Linux, connect both USB drives to it.

3. In Linux, open a terminal window, if necessary. To switch to the superuser account, type su and press Enter, and at the password prompt, type the root password and press Enter.

4. Type df and press Enter to list all attached devices to the computer, as shown in Figure 3-12. This output identifies the Linux-assigned pathnames.

Figure 3-12 Displaying a disk’s file system Source: Linux Foundation.

Note

Different distributions of Linux display slightly different names, as shown in Figure 3-13. For example, note that the /media directory in LinuxMint lists a joe subdirectory and an oem subdirectory. DeftZ Linux shows the /media directory’s subdirectories as cdrom and root. Subdirectory names vary depending on the Linux distribution you’re using. Remember to substitute the correct directory names for commands in this and other projects.

68944_ch03_hr_093-142.indd 137 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition138

5. To determine which USB drive contains the image file GCFI-datacarve-FAT.dd and which one is empty of any data, type ls /media/joe/FC11-3D2E and press Enter, and then type ls /media/joe/UDISK (see Figure 3-14) and press Enter.

Note

The following steps were performed in LinuxMint. These commands work the same in other Linux distributions and most Linux Live CDs. If necessary, replace the subdirectory name joe with the correct name for your distribution.

Note

Some USB drives have a hexadecimal number or a vendor-assigned name, such as the FC11-3D2E shown in Figure 3-14. Substitute the subdirectory names displayed with the commands in Step 5.

Figure 3-13 Examples of how different Linux distributions display the /media directory Source: Linux Foundation.

Figure 3-14 Showing the contents of subdirectories in the /media/joe directory Source: Linux Foundation.

68944_ch03_hr_093-142.indd 138 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 139

6. Type dd if=/media/joe/FC11-3D2E/GCFI-datacarve-FAT.dd of=/dev/sdh1 bs=64 conv=noerror,sync status=progress and press Enter. Figure 3-15 shows the output.

Note

For this example, the UDISK subdirectory shows only the FAT System Volume Information file. The FC11-3D2E subdirectory shows the GCFI-datacarve-FAT.dd file, which will be restored from FC11-3D2E to UDISK.

Note

Replace /root/usbdrive with the path listed in the df -h command output.

Figure 3-15 The dd command for restoring an image to a disk drive Source: Linux Foundation.

7. When the data has finished copying, continue to the next project. If you’re not continuing, close the terminal window and log off Linux.

Hands-On Project 3-4 For this project, you use the dd command to make segmented image files of the restored USB drive created in Hands-On Project 3-3. To prepare, you need the following:

• One USB drive containing the restored image GCFI-datacarve-FAT.dd from Hands-On Project 3-3

• One USB drive formatted as FAT16 or FAT32 that can hold up to 120 MB • A Linux distribution, Linux Live CD, or a computer running Linux with at least two USB ports

To make this acquisition, follow these steps: 1. If necessary, connect the two USB drives and boot the system to Linux, and then open a

terminal window. 2. Type su and press Enter, and then type the root password, if necessary, and press

Enter. 3. Type df -h and press Enter to list all devices attached to the computer and see the

assigned pathnames. 4. Change your current working directory to the USB drive containing the

GCFI-datacarve-FAT.dd file by typing cd /media/root/usbdrive and pressing Enter.

68944_ch03_hr_093-142.indd 139 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition140

5. Examine the output of the df -h command from Step 3 to see how much space (under the Avail column) is available on the USB drive, /media/root/usbdrive. If there’s less than 120 MB, type rm GCFI-datacarve-FAT.dd and press Enter to delete the file and make space for writing the segmented image files.

6. Type dd if=/dev/sdb | split -b 50m - GCFI-datacarve-FAT. -d and press Enter.

Note

Replace sdb with the USB drive that received the image file created in Hands-On Project 3-3. To reduce the number of segmented files, change the 50m to 650m or larger.

7. When the acquisition is finished, type ls -l and press Enter to see how many segmented files were produced.

8. Shut down the acquisition workstation, remove the USB drives, and remove the Linux Live CD, if necessary.

Case Projects

Case Project 3-1 Your supervisor has asked you to research current acquisition tools. Using your preferred Internet search engine and the vendors listed in this chapter, prepare a report containing the following information for each tool and stating which tool you would prefer to use: • Forensics vendor name • Acquisition tool name and latest version number • Features of the vendor’s product

With this data collected, prepare a spreadsheet listing vendors in the rows. For the column headings, list the following features: • Raw format • Proprietary format • AFF format • Other proprietary formats the tool can read • Compression of image files • Remote network acquisition capabilities • Method used to validate (MD5, SHA-1, and so on)

68944_ch03_hr_093-142.indd 140 3/7/18 3:27 PMNOT FOR SALE

CHAPTER 3 Data Acquisition 141

Case Project 3-2 At a murder scene, you have started making an image of a computer’s drive. You’re in the back bedroom of the house, and a small fire has started in the kitchen. If the fire can’t be extinguished, you have only a few minutes to acquire data from a 10 GB hard disk. Write one to two pages outlining your options for preserving the data.

Case Project 3-3 You need to acquire an image of a disk on a computer that can’t be removed from the scene, and you discover that it’s a Linux computer. What are your options for acquiring the image? Write a brief paper specifying the hardware and software you would use.

Case Project 3-4 A bank has hired your firm to investigate employee fraud. The bank uses four 20 TB machines on a LAN. You’re permitted to talk to the network administrator, who is familiar with where the data is stored. What diplomatic strategies should you use? Which acquisition method should you use? Write a two-page report outlining the problems you expect to encounter, explaining how to rectify them, and describing your solution. Be sure to address any customer privacy issues.

Case Project 3-5 You’re investigating a case involving a 2 GB drive that you need to copy at the scene. Write one to two pages describing the three types of acquisitions—physical, logical, and sparse— you can use to copy the drive accurately. Be sure to include your software and media choices.

Case Project 3-6 Your supervisor has asked you to list the acquisition tools available on a forensic Linux Live CD. Download the current ISO version of Deft (www.deftlinux.net), CAINE (www.caine-live.net), Kali Linux (www.kali.org), or Penguin Sleuth (www.linux-forensics.com), and then create a bootable CD or DVD of it. Start it on your workstation and survey its tools. Then write a one- to two-page report containing a brief description of each acquisition utility on the CD or DVD.

68944_ch03_hr_093-142.indd 141 3/7/18 3:27 PMNOT FOR SALE