How we Duplicate or Acquire Data
Understanding Data Acquisition
- Data acquisition is the use of established, tested techniques to retrieve Electronically Stored Information (ESI) from a suspect computer or storage medium in order to obtain information about a crime or incident.
- Since faulty acquisition may change data in evidence media and make it inadmissible in a court of law, it is one of the most important processes in digital forensics.
- The entire procedure should be auditable and acceptable to the court, and investigators should be able to confirm the accuracy of the data they have collected.

Types of data acquisition:
Live Data Acquisition
- Live data acquisition is gathering dynamic data stored in RAM, cache, and registries.
- Real-time collection is necessary because RAM and other volatile data are constantly changing.
- Just browsing through files on a computer that is currently running, starting the computer to “look around” or playing games on it can all result in the loss or destruction of potential evidence.
- Contamination during volatile data collection is harder to control because the tools and commands used may alter file access dates and times, load shared libraries or DLLs, trigger malicious software (malware) to run, or, in the worst case, force a reboot that erases all volatile data.
Dead Acquisition
Non-volatile data that remains unchanged long after the system has been shut down is referred to as static data. The process of collecting and extracting data from a storage medium without altering it is known as "dead acquisition." It enables investigators to circumvent legal restrictions and maintain the condition of the data or system while it is not in use, for example data obtained from a computer system that has been confiscated.
External hard drives, flash cards, USB drives, DVD-ROMs, smartphones, and internal hard drives are all sources of non-volatile data. Emails, word-processing documents, spreadsheets, web activity, slack space, swap files, unallocated drive space, and other deleted items are examples of the data that can be found in these sources. With well-preserved disk evidence, investigators can repeat the dead acquisition procedure.
The following are examples of static data that can be recovered from a hard drive:
- System registries
- Boot sectors
- Event/system logs
- Temporary (temp) files
- Web browser cache
- Cookies
- Hidden files
Types of volatile data:
System Information
- Information about the suspect computer's current configuration and operation.
- System profile (configuration details), current system date and time, command history, current system uptime, active processes, open files, startup files, clipboard data, logged on users, and DLLs or shared libraries are examples of volatile system information.
Network Information
- Information about the state of the suspect computer's network.
- Open connections and ports, routing configuration and ARP cache are examples of volatile network data.
Order of Volatility
The most volatile evidence should be gathered first, followed by the least volatile. The order of volatility for a typical system is as follows:
- Registry and hives
- Process table, kernel statistics and memory
- File systems that are temporary
- Disk or other storage media
- Remote logging and monitoring data that is relevant to the system in question
- Physical configuration and network topology
Rules of Thumb for Data Acquisition
A rule of thumb is a best practice that helps to ensure a positive outcome when applied. In a digital forensic investigation, the better the quality of the evidence, the better the outcome of the analysis and the likelihood of solving the crime.
Investigators must never conduct a forensic investigation or any other process on the original evidence or source of evidence because this may alter the data and render the evidence inadmissible in a court of law.
Some general guidelines for data acquisition are as follows:
- Keep records of every procedure: Note every step of the data collection procedure, including the participants, the date, the time, the place, and the equipment used.
- Consider a forensic methodology: Follow a recognized forensic procedure for acquiring data such as digital investigation framework (DIF).
- Preserve original evidence: Create a bitstream image of an evidence drive or file and view and analyze the static data on the image. This practice not only preserves the original evidence but also allows a duplicate to be recreated if something goes wrong. Two images are made: the first is the working copy used for analysis, and the second is the master copy stored for disclosure purposes or for use if the working copy becomes corrupt.
- Verify hash values: After copying the original media, use hash values such as MD5, SHA-1 and SHA-256 to compare the copies with the original and confirm their integrity.
- Legal authorization: Obtain and review the necessary documentation only after making sure you have the required legal authorization and are abiding by all applicable laws and regulations.
- Maintain chain of custody: Ensure that the chain of custody for the evidence is maintained.
- Minimize data exposure: Avoid unnecessary data exposure and acquire only relevant data, to reduce the risk of breaches and data mishandling.
- Quality assurance: Implement quality control procedures to maintain the reliability and accuracy of the entire data acquisition process.
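The guidelines above (record every step, image rather than work on the original, verify with hashes) as one small shell routine. This is an added example, not code from the CHFI text; the evidence drive is a constructed file so it runs without hardware, and the case and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the CHFI text: a minimal acquisition routine that
# records every step, preserves the original by imaging it, and verifies the
# image with SHA-256. The "evidence drive" is a constructed file so the script
# runs without real hardware; in a real case SRC would be a write-blocked
# device such as /dev/sdb.
set -eu

# sha256_of FILE -> prints the SHA-256 of FILE
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# log LOGFILE MESSAGE -> appends a UTC-timestamped, operator-tagged record
log() {
  printf '%s | %s | %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${OPERATOR:-examiner}" "$2" >> "$1"
}

# acquire SRC IMAGE LOGFILE
# Bit-stream copy with dd, then compare source and image hashes. Returns 0 for a
# verified image, 1 on a mismatch. conv=noerror,sync keeps going past unreadable
# blocks and zero-fills them; SRC must be a whole number of blocks (true for any
# real drive), otherwise the zero padding alone would break the comparison.
acquire() {
  src=$1; img=$2; logf=$3
  log "$logf" "start: dd if=$src of=$img bs=4096 conv=noerror,sync"
  dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
  src_hash=$(sha256_of "$src"); img_hash=$(sha256_of "$img")
  log "$logf" "source sha256=$src_hash image sha256=$img_hash"
  if [ "$src_hash" != "$img_hash" ]; then
    log "$logf" "FAILED: hash mismatch for $img"
    return 1
  fi
  log "$logf" "verified: $img matches source"
}

# --- demonstration on constructed data ----------------------------------------
CASE=$(mktemp -d)
SRC="$CASE/evidence.bin"                     # constructed stand-in for /dev/sdb
dd if=/dev/urandom of="$SRC" bs=4096 count=256 2>/dev/null   # 1 MiB of data

# Two independent images of the source: a master copy kept for disclosure and a
# working copy for analysis (both taken from the source, not copied from each other).
acquire "$SRC" "$CASE/case01_master.dd"  "$CASE/acquisition.log"
acquire "$SRC" "$CASE/case01_working.dd" "$CASE/acquisition.log"
cat "$CASE/acquisition.log"
```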
Why make a Duplicate Image?
- The computer or storage media is crime scene evidence, and it should be protected to ensure that the evidence is not contaminated.
- Duplicate images allow the following:
- The original evidence is preserved
- Prevents accidental alteration of the original evidence during examination
- Allows recreation of the duplicate image if necessary
Data Acquisition and Duplication Steps
- Determine the data acquisition method
- Select the data acquisition tool
- Sanitize the target media
- Acquire volatile data
- Enable write protection on the evidence media
- Acquire non-volatile data
- Plan for contingency
- Validate data acquisitions
Step 1: Choose the most Effective Data Acquisition Technique
The situation in which the investigator is present determines the best approach for gathering data. Specific goals, the type of data, resource availability, and limits all play a role in choosing the appropriate data gathering strategy.

When choosing a data gathering method, the following important elements need to be considered.
- Suspect drive size: If the suspect drive is large, the investigator must use disk-to-image copying. Furthermore, if the target disk is significantly smaller than the suspect drive, investigators must reduce the data size with a compression tool such as DriveSpace, which excludes the slack space between files. Test that the compression is lossless by computing MD5 or SHA-1 hashes of the file before and after compression; the hash values must match for the compression to be considered successful.
- Time required to duplicate: The larger the suspect drive, the longer it takes to gather data. For example, a 1 TB suspect drive may require a minimum of 6 hours to complete the data acquisition process.
- Can the suspect drive be retained: If the investigator cannot retain the original drive, they should choose logical acquisition. If they can retain the drive, they must create a duplicate with a trustworthy data acquisition tool, because in some cases there is only one chance to duplicate the data.
Preparing a Chain of Custody Document
- Prepare a chain of custody document to ensure the integrity of the collected evidence.
- The chain of custody document should include a description of the evidence, the time of collection, the location from which it was collected, the details of the people who handled it, and the rationale for their handling.
Step 2: Select Data Acquisition Method and Tool
Bit-stream disk-to-image file
It is the most common technique used by digital forensic investigators. With this method, one or many copies of the evidence drive can be generated. The copies are bit-for-bit replications of the original drive.
Tools such as EnCase, FTK Imager, The Sleuth Kit, X-Ways Forensics, etc. can read the most common types of disk-to-image files generated.
Bit-stream disk-to-disk
Sometimes it is not possible to create a bit-stream disk-to-image file because of hardware or software errors or incompatibilities. In that case, use software such as EnCase to create a disk-to-disk bit-stream copy of the evidence drive.
These programs can adjust the target disk's geometry (its head, cylinder, and track configuration) so that the copied data matches the original evidence drive.
Logical Acquisition
- Collecting evidence from a large drive takes more time, so when time is limited, consider the logical acquisition copy technique.
- Logical acquisition captures only the types of files that are specific to the case.
- One example of logical acquisition is an email investigation that requires collection of Outlook .pst or .ost files.
- Another is collecting specific records from a large RAID server.
TX1 (Hardware Tool)
- Imaging & Cloning
FTK Imager (Software Tool)
- Acquires data from a wide variety of devices.
- Maintains the integrity of the evidence in a manner that the courts have come to rely on.
Step 3: Sanitize Target Media
Any prior data recorded on the target medium must be permanently erased using an acceptable data sanitization technique prior to data acquisition and duplication.
Methods such as formatting a hard drive or deleting partitions do not completely delete file data. It is nevertheless important to delete the data and protect it from retrieval after evidence has been collected from the suspect computer. Therefore, to completely erase data and protect it from recovery, it must be overwritten with a sequence of zeros or ones. Furthermore, once the target data have been collected and analyzed, the media must be appropriately disposed of to prevent data retrieval and protect confidentiality.
Listed below are different standards that can be followed while sanitizing the target media:
- (German) VSITR (7 passes): This method overwrites data in six passes with alternate sequences of 0x00 and 0xFF, and with 0xAA in the last (7th) pass.
- (American) NAVSO P-5239-26 (MFM) (3 passes): This is a three-pass overwriting algorithm that uses 0x01 in the first pass, 0x7FFFFFFF in the second pass for overwriting, and random characters in the last pass for verification.
- US – DoD 5220.22-M (ECE) (7 passes): This standard destroys data by overwriting in the following pattern: binary zeros, binary ones, random bits, binary zeros, binary zeros, binary ones, and random bits. This method verifies the overwriting in the 7th pass.
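The VSITR pattern from the list above carried out and verified on a constructed target file. This is an added example, not code from the CHFI text; the target file, its size and the 512-byte sector assumption are constructed, and a real sanitization would point at the device instead.

```shell
#!/bin/sh
# Added example, not from the CHFI text: the VSITR pattern from the list above
# (six passes alternating 0x00 and 0xFF, then 0xAA on the seventh) applied to a
# constructed target file, with the final pass verified by reading it back.
# A real sanitization would point TARGET at the device (e.g. /dev/sdc), not a file.
set -eu

# fill_pattern TARGET OCTAL_BYTE
# Overwrites every byte of TARGET with one byte value given in octal (000, 377, 252).
# The byte stream is produced by translating /dev/zero; conv=notrunc writes in place.
# TARGET is assumed to be a whole number of 512-byte sectors, as any real drive is.
fill_pattern() {
  sectors=$(( $(wc -c < "$1") / 512 ))
  dd if=/dev/zero bs=512 count="$sectors" 2>/dev/null \
    | tr '\000' "\\$2" \
    | dd of="$1" bs=512 conv=notrunc 2>/dev/null
}

# count_other OCTAL_BYTE FILE -> number of bytes in FILE that differ from the byte
count_other() { tr -d "\\$1" < "$2" | wc -c | tr -d ' '; }

# vsitr_wipe TARGET -> performs the seven passes, then verifies that every byte
# reads back as 0xAA (octal 252). Returns 0 only if the verification succeeds.
vsitr_wipe() {
  pass=0
  for byte in 000 377 000 377 000 377 252; do
    pass=$((pass + 1))
    fill_pattern "$1" "$byte"
    echo "pass $pass: overwrote $1 with byte \\$byte (octal)"
  done
  [ "$(count_other 252 "$1")" -eq 0 ]
}

# --- demonstration on constructed data ----------------------------------------
W=$(mktemp -d)
TARGET="$W/target.bin"                       # constructed stand-in for a target drive
dd if=/dev/urandom of="$TARGET" bs=512 count=128 2>/dev/null   # 64 KiB of "old data"
echo "bytes not 0xAA before wipe: $(count_other 252 "$TARGET")"
vsitr_wipe "$TARGET" && echo "verified: every byte of $TARGET is 0xAA"
```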
Step 4: Acquire Volatile Data
Investigators must use caution when gathering volatile data, such as RAM, because its contents are constantly changing. When working on a live system, the RAM contents or the processes running on the system may change. Any inadvertent activity might alter file access times and dates, load DLLs or shared libraries, cause malware to run, or, in the worst case, induce a system reboot that would make the system unusable. As a result, it is crucial to examine live systems properly and obtain the volatile data.
While most volatile data are recovered by examining the live system, approximately the same amount of data can be obtained by examining an image acquired from the system memory. The following sections describe how volatile data can be acquired from Windows, Linux, and Mac systems.
Acquiring Volatile Data from a Windows Machine
▪ Belkasoft Live RAM Capturer
Acquiring Volatile Data from Linux Machine
▪ dd (Local Acquisition)
Linux Standard Tools
Forensic investigators use the built-in Linux commands dd and dcfldd to copy data from a disk drive. These utilities can make a bit-stream disk-to-disk copy or a disk-to-image file. The dd command can copy data from any disk that Linux can mount and access. dd image files can be read by other forensics software such as AccessData FTK.
Acquiring Data on Linux: dd Command
dd command syntax: dd if=<source> of=<target> bs=<block size> skip=<blocks> seek=<blocks> conv=<conversion>
if (source): where the data is read from; of (target): where the data is written to; bs: block size used for reading and writing; skip: number of blocks to skip at the start of the input; seek: number of blocks to skip at the start of the output; conv: conversion options.
- Suppose a 2 GB hard disk is seized as evidence. Use dd to make a complete physical backup of the hard disk: dd if=/dev/hda of=/dev/case5img1
- Copy one hard disk partition to another hard disk: dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror
- Make an ISO image of a CD: dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc
- Restore a disk partition from an image file: dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror
- Copy RAM memory to a file: dd if=/dev/mem of=/home/sam/mem.bin bs=1024
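The skip=, seek=, bs= and count= options from the syntax above, shown on a constructed disk image: one partition is carved out and then restored into a second image at the same offset. This is an added example, not code from the CHFI text; the 512-byte sector size and the partition layout are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the CHFI text: dd's skip= (blocks to skip on input),
# seek= (blocks to skip on output), bs= and count= shown on a constructed disk
# image. One "partition" is carved out of the image and later written back into
# a second image at the same offset. The 512-byte sector size and the partition
# layout (start sector 1024, length 1024 sectors) are constructed assumptions.
set -eu

SECTOR=512
PART_START=1024      # first sector of the partition within the disk
PART_LEN=1024        # partition length in sectors (512 KiB)
DISK_SECTORS=4096    # whole "disk": 2 MiB

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# build_disk PAYLOAD DISK -> zero-filled disk with PAYLOAD placed at PART_START.
# seek= positions the write inside DISK; conv=notrunc keeps the zeros after it.
build_disk() {
  dd if=/dev/zero of="$2" bs=$SECTOR count=$DISK_SECTORS 2>/dev/null
  dd if="$1" of="$2" bs=$SECTOR seek=$PART_START conv=notrunc 2>/dev/null
}

# carve_partition DISK OUT -> copies only the partition's sectors into OUT.
# skip= moves past the sectors before the partition; count= stops at its end.
carve_partition() {
  dd if="$1" of="$2" bs=$SECTOR skip=$PART_START count=$PART_LEN 2>/dev/null
}

# restore_partition PARTIMG DISK -> writes PARTIMG back at sector PART_START
# (the "restore a partition from an image file" case above, on a file target).
restore_partition() {
  dd if="$1" of="$2" bs=$SECTOR seek=$PART_START conv=notrunc 2>/dev/null
}

# --- demonstration on constructed data ----------------------------------------
W=$(mktemp -d)
dd if=/dev/urandom of="$W/payload.bin" bs=$SECTOR count=$PART_LEN 2>/dev/null
build_disk "$W/payload.bin" "$W/disk.img"
carve_partition "$W/disk.img" "$W/part2.img"
echo "payload  sha256: $(sha256_of "$W/payload.bin")"
echo "carved   sha256: $(sha256_of "$W/part2.img")"   # identical if skip/count are right

dd if=/dev/zero of="$W/disk2.img" bs=$SECTOR count=$DISK_SECTORS 2>/dev/null
restore_partition "$W/part2.img" "$W/disk2.img"
echo "original sha256: $(sha256_of "$W/disk.img")"
echo "restored sha256: $(sha256_of "$W/disk2.img")"   # identical if seek is right
```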
Acquiring Volatile Data from Mac Machine
▪ Digital Collector
Step 5: Enable Write Protection on the Evidence Media
According to the National Institute of Justice, write protection should be initiated, if available, to preserve and protect original evidence. A write blocker is a hardware device or software application that allows data acquisition from storage media without altering their contents. It blocks write commands, thus allowing read-only access to the storage media.
Hardware write blockers: USB WriteBlocker, Tableau Forensic Bridges, etc.
Software write blockers: SAFE Block, MacForensicsLab Write Controller, etc.

Determine the Data Acquisition Format
- Raw Format
Vendor tools and certain OS utilities can write bit-stream data to files to preserve digital evidence. This copy technique creates simple sequential flat files of a data set or suspect drive. The output of these flat files is referred to as raw format.
Advantages
- Fast data transfers
- Can ignore minor data read errors on source drive
Disadvantages
- Requires as much storage as original disk or data set
- Tools might not collect bad sectors on the source drive
- Proprietary Format
To gather digital evidence, commercial forensics tools have their own formats. Proprietary formats typically provide features that are available in analysis tools from counterpart vendors, such as:
- The ability to split an image into smaller segmented files for archiving, for example on CDs or DVDs, with data integrity checks integrated into each segment.
- The ability to incorporate metadata into the image file, including the date and time of acquisition, hash value of the suspect drive, investigator name, comments, case details, etc.
- Advanced Forensics Format (AFF)
Advanced Forensics Format is an open-source acquisition format. Disk-to-image files have no size restrictions; they can be compressed or uncompressed. They can contain metadata in image files or segmented files. They are open source for multiple computing platforms. File extensions include .afm for AFF metadata and .afd for segmented image files.
- Advanced Forensic Framework 4 (AFF4):
- A redesign and update of AFF to handle and use very large numbers of disk images, reducing acquisition time and storage needs.
- Volumes, streams and graphs are the three fundamental categories of AFF4 objects; each is universally accessible via a distinct URL.
- An abstract information model permits disk-image data to be stored in one or more locations while the information about the data is kept elsewhere.
- Provides a unified data model and naming method; stores more types of organized information in the evidence file.
Step 6: Acquire Non-volatile Data
Non-volatile data can be acquired from a hard drive during both live and dead acquisition processes.
Investigators can use remote acquisition tools such as Netcat or bootable USBs via tools such as CAINE to perform live acquisition on a hard disk.
The dead acquisition process can be performed via the following steps:
- Remove the hard drive from the suspect system.
- Connect it to a forensic workstation to perform the acquisition.
- Write-block the hard disk to ensure that it provides read-only access to the hard drive, thus preventing any modification or tampering with its contents.
- Run any forensic acquisition tool suitable for the purpose of collecting data.
For Windows: FTK Imager
For Linux: dcfldd
For Mac: Single User Mode and Target Disk Mode
Remote Data Acquisition
- Data can be copied from a suspect computer by connecting remotely to it via a network connection
- The configurations and capabilities of remote acquisition tools vary; some demand manual action on distant suspect computers to start the data copy; others obtain data discreetly by sending remote access software to the suspect computer via an encrypted link.
Drawbacks
- LAN data transfer speeds and routing table conflicts may lead to issues.
- On a WAN, it is difficult to gain permissions required to access more secure subnets.
- Heavy traffic on the network could cause delays during the acquisition.
- Firewalls, antivirus and anti-spyware programs may detect the remote access programs.
Linux Bootable USB:
For this purpose, you can use Rufus, a Windows utility, to create a bootable USB drive with the CAINE Linux distribution. Subsequently, you can use the Guymager forensic imager tool for media acquisition.
- Rufus: It is a utility that helps format and create bootable USB flash drives such as USB pen drives.
- CAINE: Computer Aided INvestigative Environment offers a complete forensic environment that integrates existing software tools into software modules and provides a friendly graphical interface.
- Guymager: Guymager is a forensic imager for media acquisition that runs on Linux and can generate flat (dd), EWF (E01), and AFF images, as well as support disk cloning.
Acquiring RAID Disks
Before gathering data, forensic investigators need to take the following factors into account:
- The amount of storage needed to collect the data.
- The RAID level in use (RAID 0, RAID 1, RAID 5 or RAID 10).
- Whether the RAID is controlled by software (e.g. an OS-based RAID) or hardware (e.g. a dedicated RAID controller). The acquisition process differs depending on the type of RAID.
- How the RAID setup uses data redundancy and striping. The recovery and interpretation of the data depend on this information.
- Whether the forensic tools can read and image RAID drives. For further analysis, verify that the software can read the striped data stored on each RAID disk and merge all disk images into a single virtual RAID drive.
- The status of any RAID rebuild. A RAID array may be rebuilding after a disk failure, and interfering with this process may affect data integrity.
- Depending on the investigation's objectives and the RAID arrangement, choose between logical acquisition and disk imaging. Imaging the disks bit by bit is preferable, to maintain their original state.
- Ensure that the forensic hardware and software tools are compatible with the RAID controller. Some RAID controllers need specific drivers and utilities.
- Rebuild the RAID array using a separate forensic workstation or a specialized RAID recovery tool. This step is essential for accessing and acquiring the data.
- To ensure data integrity, compute the checksums of the acquired data and compare them with those of the original RAID array.
- If any RAID disk has failed, take the necessary steps to preserve and examine the failed drive, as it may hold important information about the failure.
Identifying RAID Drives in Linux System
Forensic Investigators can identify RAID drives and configurations by running the following commands on the Linux terminal:
▪ Run the following command to check whether RAID is configured: lspci | grep RAID
▪ Run the following command to acquire essential information about active RAID devices: cat /etc/mdadm.conf
▪ Run the following command to check the status of RAID devices: cat /proc/mdstat
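A small parser for the /proc/mdstat output that the last command above displays, reporting per array its level, member devices, failed members and whether a rebuild is in progress (the status the RAID checklist says to verify before touching the array). This is an added example, not code from the CHFI text; MDSTAT_SAMPLE is a constructed sample, and the device names and sizes in it are made up.

```shell
#!/bin/sh
# Added example, not from the CHFI text: a parser for /proc/mdstat that reports,
# per software-RAID array, its state, level, member devices, failed members
# (the kernel marks them "(F)") and whether a rebuild/resync is running.
# MDSTAT_SAMPLE is constructed; on a live system call: summarize_mdstat "$(cat /proc/mdstat)"
set -eu

MDSTAT_SAMPLE='Personalities : [raid1] [raid5]
md0 : active raid1 sdb1[0] sdc1[1](F)
      976630464 blocks super 1.2 [2/1] [U_]

md1 : active raid5 sdd1[0] sde1[1] sdf1[2]
      1953260544 blocks super 1.2 level 5, 512k chunk, algorithm 2 [3/3] [UUU]
      [====>................]  recovery = 24.2% (236589056/976630272) finish=118.3min speed=104188K/sec

unused devices: <none>'

# summarize_mdstat TEXT -> one line per array:
#   <name> <state> <level> <members,comma,separated> failed=<n> rebuild=yes|no
summarize_mdstat() {
  printf '%s\n' "$1" | awk '
    function flush() {
      if (cur != "") print cur, state, level, devs, "failed=" failed, "rebuild=" rb
    }
    /^md[0-9]+ : / {            # array header: mdN : <state> <level> member[slot] ...
      flush()
      cur = $1; state = $3; level = $4; devs = ""; failed = 0; rb = "no"
      for (i = 5; i <= NF; i++) {
        devs = devs (devs == "" ? "" : ",") $i
        if (index($i, "(F)") > 0) failed++
      }
    }
    cur != "" && /(recovery|resync|reshape) *=/ { rb = "yes" }   # progress line
    END { flush() }
  '
}

summarize_mdstat "$MDSTAT_SAMPLE"
```

An array with failed=1 or rebuild=yes is exactly the case where the checklist says to preserve the failed member and avoid interrupting the rebuild before acquisition.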
Identifying RAID Drives in Windows System
Forensic Investigators can use the following steps to identify RAID drives in a Windows system:
Step 1: Open Device Manager.
Step 2: Check for RAID device drivers by expanding the options for disk drives, storage controllers, and other devices.
Step 3: After identifying the RAID drivers, run the following commands at the command line to obtain comprehensive RAID information:
o Run the "diskpart" command to open the command-line disk partitioning utility.
o Run the "lis dis" (list disk) command to list all disks connected to the Windows system. Run the "sel dis <disk number>" (select disk) command to select the disk to operate on. Run the "det dis" (detail disk) command to display details of the selected disk.
Step 7: Plan for Contingency
Investigators must make contingency plans in case the hardware or software does not work, or in case there is any type of failure during acquisition.
Hard Disk Data Acquisition: Investigators need to make at least two images (Master and Working Copy) of the digital evidence collected, to preserve it. In that way, if one copy of the digital evidence recovered is corrupt, investigators can use the second copy.
Imaging Tools: If you possess more than one imaging tool, such as FTK and X-Ways Forensics, etc., make the first copy with one tool and the second copy with the other tool. If you possess only one tool, make two images of the drive using the same tool.
Hardware Acquisition Tool: Consider using a hardware acquisition tool (such as Pro-Discover Basic with the NoWrite FPU write-blocker, TX1 or TD4) that can access the drive at BIOS level to copy data in the Host Protected Area (HPA).
Drive Decryption: Be prepared to deal with encrypted drives that require the user's decryption key before they can be read. Microsoft included a full disk encryption feature (BitLocker) with select editions of Windows Vista and later.
Step 8: Validate Data Acquisitions
- Digital evidence validation involves using a hashing algorithm utility to create a binary or hexadecimal number that represents the uniqueness of a data set such as a disk drive or file.
- Hash values are unique. If two files have the same hash value, they are 100% identical even if the files are named differently.
- The MD5, SHA-1 and SHA-256 algorithms generate these hash values.
- MD5: It is a cryptographic hash function with a 128-bit hash value. The hash value can be computed over a variety of data types, including files, physical disks, partitions, etc., and can be used to show the integrity of data.
- SHA-1 and SHA-256: They are cryptographic hash functions that produce 160-bit and 256-bit message digests respectively.
Linux Validation Methods
- The two Linux shell commands dd and dcfldd have many options that can be combined with other commands to validate data. With dd, other shell commands are needed to validate the acquired data, whereas dcfldd has additional options of its own for validating the data collected during an acquisition.
- MD5 and SHA-1 hashing utilities are included in current Linux distributions and can compute hashes of single or multiple files, single or multiple disk partitions, or an entire disk drive.
- Validating dd-acquired data: dd piped into split produces segmented volumes of the /dev/sdb drive, each named image_sdb with an extension of .aa, .ab, .ac, etc.: dd if=/dev/sdb | split -b 650m - image_sdb.
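The dd | split segmented acquisition from the item above, followed by the validation step the text leaves to "other shell commands": hashing the reassembled segments against the source and keeping a per-segment SHA-256 manifest. This is an added example, not code from the CHFI text; the source is a constructed file and the segment size is 256 KiB instead of 650m so that it runs quickly.

```shell
#!/bin/sh
# Added example, not from the CHFI text: the dd | split segmented acquisition
# from the list above, followed by two validations: the reassembled segments
# hashed against the source, and a per-segment SHA-256 manifest that can be
# re-checked with sha256sum -c. The source is a constructed file and the segment
# size is 256 KiB rather than the CD-sized 650m, so the example runs quickly.
set -eu

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# segment_image SRC PREFIX SIZE -> writes PREFIXaa, PREFIXab, ... of SIZE bytes each
# (so a PREFIX of "image_sdb." yields image_sdb.aa, image_sdb.ab, ...).
segment_image() {
  dd if="$1" bs=4096 2>/dev/null | split -b "$3" - "$2"
}

# write_manifest PREFIX MANIFEST -> SHA-256 of every segment, for later sha256sum -c
write_manifest() {
  sha256sum "$1"?? > "$2"
}

# validate_segments SRC PREFIX -> 0 if the segments, concatenated in name order,
# hash to the same value as SRC. The ?? glob relies on split's default two-letter
# suffixes, which sort in the order the segments were written.
validate_segments() {
  src_hash=$(sha256_of "$1")
  seg_hash=$(cat "$2"?? | sha256sum | cut -d' ' -f1)
  [ "$src_hash" = "$seg_hash" ]
}

# --- demonstration on constructed data ----------------------------------------
W=$(mktemp -d)
dd if=/dev/urandom of="$W/sdb.bin" bs=4096 count=300 2>/dev/null   # 1.2 MB stand-in for /dev/sdb
segment_image "$W/sdb.bin" "$W/image_sdb." 256k
ls "$W"/image_sdb.??
write_manifest "$W/image_sdb." "$W/image_sdb.sha256"
validate_segments "$W/sdb.bin" "$W/image_sdb." && echo "segments match source"
sha256sum -c --status "$W/image_sdb.sha256" && echo "manifest check passed"
```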
Windows Validation Methods
- Unlike Linux and Unix, Windows has no built-in hashing tools for computer forensics. However, third-party Windows programs such as X-Ways, EnCase and FTK have a variety of built-in validation tools.
- Commercial computer forensics programs also have built-in validation features, and each program has its own validation technique to be used with acquisition data in its proprietary format.
Best Practices and Guidelines for Data Acquisition
- Limit access to the system to authorized personnel only.
- Keep track of the people who participated in the search.
- Note when the system was last accessed.
- Do not turn the system “ON” if it is “Off”.
- Place all the magnetic media in antistatic packages.
- Properly label the containers used to hold evidence.
- Protect the evidence from extreme temperatures.
- Disable all remote access to the system (modem cables, LAN cables, etc.), and ensure to tag and label the cables and connectors.
- Never work on the original storage medium, instead duplicate it and work on the working copy.
- Take a snapshot or video tape the scene including the contents on the monitor.
- Store the seized evidence in a secured storage area such as a lab with restricted lab access, locked cabinet, etc.
- Ensure that the acquired data is an authentic and reliable form of the original evidence.
- Use specialized read-only equipment such as Tableau Write Blocker, etc.
- When shutting down Windows or Linux/Unix, perform a normal shutdown to preserve log files.
- Collect documentation and media related to the investigation such as hardware, software, backup media, documentation, manuals, etc.
- Make sure that the chain of custody is maintained all the time.
- Never manipulate live systems; this might destroy critical evidence.
- Record the model and serial numbers of the system and its components.
- Record all active windows or shell sessions.
1. EC-Council CHFI eBook