
Guide to Computer Forensics and Investigations, Sixth Edition 3-1

Chapter 3
Data Acquisition

At a Glance

Instructor’s Manual Table of Contents


 Overview

 Objectives

 Teaching Tips

 Quick Quizzes

 Class Discussion Topics

 Additional Projects

 Additional Resources

 Key Terms

© 2019 Cengage Learning. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for
use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for school-approved
learning management system or classroom use.

Lecture Notes

Overview
Chapter 3 explains data acquisition. Students learn about digital evidence storage
formats and how to determine the best acquisition method. Next, students will learn
about contingency planning for data acquisitions and how to use acquisition tools. This
chapter also explains how to validate data acquisitions. In addition, students will review
various RAID acquisition methods and learn how to use remote network acquisition
tools. Finally, Chapter 3 lists other forensic tools available for data acquisitions.

Chapter Objectives
 List digital evidence storage formats
 Explain ways to determine the best acquisition method
 Describe contingency planning for data acquisitions
 Explain how to use acquisition tools
 Explain how to validate data acquisitions
 Describe RAID acquisition methods
 Explain how to use remote network acquisition tools
 List other forensic tools available for data acquisitions

Teaching Tips
Understanding Storage Formats for Digital Evidence

1. This section describes the following three storage formats for digital evidence:
a. Raw format
b. Proprietary formats
c. Advanced Forensics Format (AFF)

Raw Format

1. Explain that raw format makes it possible to write bit-stream data to files.

2. Describe the advantages of using raw format, including:
a. Fast data transfers
b. Capability to ignore minor data read errors on the source drive
c. Most computer forensics tools can read raw format

3. Describe the disadvantages of using raw format, including:
a. Requires as much storage space as the original disk or data
b. Tools might not collect marginal (bad) sectors

Proprietary Formats

1. Describe the features offered by proprietary formats, including:
a. Option to compress or not compress image files
b. Capability to split an image into smaller segmented files
c. Capability to integrate metadata into the image file

2. Describe the disadvantages of using proprietary formats, including:
a. Inability to share an image between different tools
b. File size limitation for each segmented volume

3. Mention that of all the proprietary formats for image acquisitions, Expert Witness
Compression format is currently the unofficial standard.

Advanced Forensics Format

1. Mention that the Advanced Forensics Format (AFF) was developed by Dr. Simson L.
Garfinkel.

2. Describe the design goals of AFF, including:
a. Produce compressed or uncompressed image files
b. No size restriction for disk-to-image files
c. Provide space in the image file or segmented files for metadata
d. Simple design with extensibility
e. Open source for multiple computing platforms and OSs
f. Offer internal consistency checks for self-authentication

3. Explain that file extensions include .afd for segmented image files and .afm for AFF
metadata.

4. Mention that AFF is open source.

Teaching Tip: For more information about Advanced Forensics Format (AFF), visit:
http://www.forensicswiki.org/wiki/AFF

Determining the Best Acquisition Method

1. Describe the following two types of data acquisition:
a. Static acquisition
b. Live acquisition


2. Describe the four different methods for acquiring data:
a. Creating a disk-to-image file
b. Creating a disk-to-disk copy
c. Creating a logical disk-to-disk or disk-to-data file
d. Creating a sparse data copy

3. Introduce students to the logical acquisition data copy method, which captures only
specific files of interest to the case or specific types of files.

4. Mention that a sparse acquisition is similar but also collects fragments of unallocated
(deleted) data.

5. Explain some of the main considerations when acquiring evidence data, including:
a. Size of the source disk (explain compression methods)
b. When working with large drives, an alternative is using lossless compression
c. Whether or not you can retain the suspect’s disk
d. Time you have to perform the acquisition
e. Where the evidence is located
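
Items 3 and 4 describe what a logical acquisition captures; the script below works one through. It is an added example, not the textbook's activity or any vendor tool's code: it walks a constructed suspect tree (the paths and the Outlook PST name pattern are assumptions) with find, copies only the matching files while preserving their relative paths and timestamps, hashes each original with sha256sum into a manifest at collection time, and later re-verifies the collection with sha256sum -c. It assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the textbook): a logical acquisition that collects
# only files of one type from a constructed "suspect volume", records a
# per-file SHA-256 manifest hashed from the ORIGINALS at collection time, and
# re-verifies the collection later. Paths and the *.pst pattern are assumptions.
set -eu

WORK=$(mktemp -d)
SUSPECT_ROOT="$WORK/suspect_home"   # stand-in for a read-only mounted suspect volume

# Constructed sample tree: two mailbox files of interest, one unrelated file.
make_sample_tree() {
    mkdir -p "$SUSPECT_ROOT/mail" "$SUSPECT_ROOT/docs"
    printf 'constructed mailbox one\n' > "$SUSPECT_ROOT/mail/archive.pst"
    printf 'constructed mailbox two\n' > "$SUSPECT_ROOT/mail/old.pst"
    printf 'not a file type of interest\n' > "$SUSPECT_ROOT/docs/notes.txt"
}

# logical_acquire <source-root> <name-pattern> <dest-dir>
# Copies matching files under <dest-dir>/files, keeping their path relative to
# the source root, and writes <dest-dir>/manifest.sha256 in sha256sum -c format.
# Files are enumerated in a fixed byte order so two runs produce the same manifest.
logical_acquire() {
    src=$1; pat=$2; dst=$3
    mkdir -p "$dst/files"
    : > "$dst/manifest.sha256"
    find "$src" -type f -name "$pat" | LC_ALL=C sort | while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dst/files/$(dirname "$rel")"
        cp -p "$f" "$dst/files/$rel"      # -p preserves timestamps and mode bits
        # Hash the original, not the copy: the manifest is the reference the copy is judged against.
        printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "files/$rel" >> "$dst/manifest.sha256"
    done
}

# logical_verify <dest-dir>: returns 0 if every collected file still matches its manifest entry
logical_verify() {
    (cd "$1" && sha256sum -c --quiet manifest.sha256 > /dev/null 2>&1)
}

# collected_count <dest-dir>: number of files recorded in the manifest
collected_count() { wc -l < "$1/manifest.sha256" | tr -d ' '; }

# Stand-alone demonstration.
make_sample_tree
logical_acquire "$SUSPECT_ROOT" '*.pst' "$WORK/case"
if logical_verify "$WORK/case"; then
    echo "collected and verified $(collected_count "$WORK/case") files; manifest:"
    cat "$WORK/case/manifest.sha256"
else
    echo "manifest mismatch" >&2
fi
```

A sparse acquisition would add carved fragments from unallocated space to the same kind of manifest. What matters for either method is that the hashes come from the originals at collection time, so a later mismatch points at the copy and not at the source.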

Contingency Planning for Image Acquisitions

1. Present a list of precautions that keep evidence copies from being damaged or lost:
a. Duplicate your evidence copies
b. Acquire more than one image of the evidence using different tools or techniques
c. Consider host protected areas
d. Be prepared to deal with encrypted drives

Using Acquisition Tools

1. Describe the advantages and disadvantages of using acquisition tools for Windows,
including:
a. They make acquiring evidence from a suspect drive more convenient, especially when
used with hot-swappable devices
b. The suspect drive must be protected with a well-tested hardware write-blocking device,
because Windows mounts, and may write to, any drive it detects
c. Windows tools can't acquire data from a disk's host protected area

Mini-WinFE Boot CDs and USB Drives

1. Discuss the Windows boot utility called Mini-WinFE. Explain that it enables you to
build a Windows forensic boot CD/DVD or USB drive with a modification in its
Windows Registry file so that connected drives are mounted as read-only.


2. Explain how students can create a Mini-WinFE boot CD or USB drive. Point out that
they will also need a Windows installation DVD (version 8 or later) and FTK Imager
Lite or X-Ways Forensics installed on the workstation.

Acquiring Data with a Linux Boot CD

1. Explain that Linux can read a drive as a raw block device without mounting it, whereas
Windows and most current desktop Linux distributions automatically mount any drive they
detect. Forensic Linux Live CDs don't access media automatically, so the text treats them
as removing the need for a write-blocker; point out that a hardware write-blocker remains
best practice where one is available, because an auto-mount service or a mistyped
command could still write to the evidence drive.

2. Explain that forensic Linux Live CDs contain additional utilities and are configured
not to mount, or to mount as read-only, any connected storage media.

3. Mention some of the well-designed Linux Live CDs for computer forensics, such as:
Penguin Sleuth Kit, CAINE, DEFT, Kali Linux, Knoppix, and SANS Investigative
Forensic Toolkit (SIFT).

4. Explain that Linux can partition a target drive and format it with a Microsoft FAT or
NTFS file system, so the image can later be read on a Windows workstation.

5. Describe how to partition and format a Microsoft FAT drive from Linux using the
fdisk and mkfs.msdos commands. If able, walk students through the activity in the
text.

Teaching Tip: Read more about the fdisk command at:
http://linux.about.com/od/commands/l/blcmdl8_fdisk.htm.

6. Explain that the dd command (often glossed as "data dump") reads and writes data
between a media device and a data file. The dd command creates a raw format file that
most digital forensics analysis tools can read.

7. Describe the shortcomings of using the dd command, including:
a. Requires more advanced skills than the average computer user might have (swapping
the if= and of= arguments overwrites the evidence drive instead of imaging it)
b. Does not compress data (its output can be piped through a compressor, but the hash
that validates the acquisition must then be taken over the uncompressed stream)

8. Mention that the dd command combined with the split command segments output
into separate volumes.

9. Describe how to acquire data using the dd command in Linux, as described in this
section.

Teaching Tip: Read more about the dd command at:
http://linux.about.com/od/commands/l/blcmdl1_dd.htm.


10. Mention that the dd command is intended as a data management tool; it’s not designed
for forensics acquisitions. The dcfldd command offers additional capabilities,
including:
a. Specify hexadecimal patterns or text for clearing disk space
b. Log errors to an output file for analysis and review
c. Use several hashing options
d. Refer to a status display indicating the progress of the acquisition in bytes
e. Split data acquisitions into segmented volumes with numeric extensions
f. Verify the acquired data with the original disk or media data

Capturing an Image with AccessData FTK Imager Lite

1. Mention that FTK Imager is included with AccessData Forensic Toolkit (FTK); FTK
Imager Lite is a stand-alone build that runs from removable media without installation.

2. Explain that FTK Imager Lite allows you to view evidence disks and disk-to-image
files. It also makes disk-to-image copies of evidence drives at logical partition and
physical drive level, and can segment the image file. Use Figure 3-2 to illustrate your
explanation. Also, FTK Imager Lite can image RAM on a live computer.

3. Mention that the evidence drive must have a hardware write-blocking device or the
USB write-protection Registry feature enabled. FTK Imager can’t acquire a drive’s host
protected area.

4. Use Figures 3-3 through 3-7 to explain the steps to capture an image with AccessData
FTK Imager, as described in this section.

Quick Quiz 1
1. Most forensics tools can read the _____ format, making it a universal acquisition format
for most tools.
Answer: raw

2. The preferred way to collect digital evidence is through a(n) _____ acquisition.
Answer: static

3. Popular archiving tools, such as PKZip and WinZip, use an algorithm referred to as
____.
Answer: lossless compression

4. The dd command combined with the _____ command segments output into separate
volumes.
Answer: split


5. ____ is a Windows data acquisition program that's included with a licensed copy of
AccessData Forensic Toolkit.
Answer: FTK Imager (also accept FTK Imager Lite)

Validating Data Acquisitions

1. Mention that validating digital evidence is probably the most critical aspect of computer
forensics.

2. Explain that validating digital evidence requires a hashing utility. The algorithms the
text covers range from CRC-32, MD5, and SHA-1 to SHA-512. Point out that CRC-32 is an
error-detecting checksum, not a cryptographic hash, and that MD5 and SHA-1 have
practical collision attacks; all three still detect accidental corruption, but for a
defensible record also compute a SHA-2 digest (SHA-256 or SHA-512) and note which
algorithm produced each recorded value.

Teaching Tip: Read more about hashing functions at:
http://www.cs.hmc.edu/~geoff/classes/hmc.cs070.200101/homework10/hashfuncs.html

Linux Validation Methods

1. Discuss how to use the md5sum and sha1sum commands to validate data acquired
using the dd command.

2. Mention that md5sum or sha1sum utilities should be run on all suspect disks and
volumes or segmented volumes.

3. Explain how to validate data acquired with dcfldd using the hash, hashlog, and
vf options.
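
The dd acquisition from "Acquiring Data with a Linux Boot CD" (items 6 to 9) and the md5sum/sha1sum validation in items 1 and 2 above, carried through end to end as an added example. This is not the textbook's activity, and dcfldd is not used because it is not part of a stock Linux install. A constructed sample file stands in for the suspect device (never point dd at a real drive without a write-blocker or a read-only mount), and the 512-byte block size, the 16 KiB segment size and the output paths are assumptions. sha256sum is used alongside md5sum, a choice the text does not make; the manual hash-then-compare steps are what dcfldd's hash, hashlog and vf options automate. It assumes GNU coreutils (split -d).

```shell
#!/bin/sh
# Added example (not from the textbook): a raw dd acquisition of a "suspect
# device", segmented with split and validated with md5sum/sha256sum.
# The device is a constructed sample file standing in for something like
# /dev/sdb; paths, segment size and block size are assumptions. Requires
# GNU coreutils (dd, split -d, md5sum, sha256sum).
set -eu

WORK=$(mktemp -d)
SUSPECT="$WORK/suspect.dev"   # constructed stand-in for the suspect drive

# Build deterministic sample media: 1024 lines of 56 bytes = 112 full
# 512-byte sectors, so dd's sync padding never has to fill a short block.
make_sample_media() {
    : > "$SUSPECT"
    i=0
    while [ "$i" -lt 1024 ]; do
        printf 'sector %05d of the constructed suspect drive .........\n' "$i" >> "$SUSPECT"
        i=$((i + 1))
    done
}

# acquire_raw <source> <image-prefix> <segment-size>
# 1. hash the source first, so the reference value does not depend on the copy
# 2. dd a bit-stream copy; conv=noerror keeps going past read errors and
#    sync zero-pads any short block so later offsets stay aligned (with a
#    real drive, inspect the .dd.log: padded blocks change the image hash)
# 3. split the image into numbered segments <prefix>.raw.000, .001, ...
acquire_raw() {
    src=$1; prefix=$2; seg=$3
    md5sum "$src"    | cut -d' ' -f1 > "$prefix.src.md5"
    sha256sum "$src" | cut -d' ' -f1 > "$prefix.src.sha256"
    dd if="$src" of="$prefix.dd" bs=512 conv=noerror,sync 2> "$prefix.dd.log"
    split -b "$seg" -d -a 3 "$prefix.dd" "$prefix.raw."
    rm "$prefix.dd"
}

# verify_raw <image-prefix>: returns 0 when the reassembled segments hash to
# the value recorded from the source, 1 otherwise. The segments are streamed
# through cat, so no second full copy is written to disk.
verify_raw() {
    prefix=$1
    got=$(cat "$prefix".raw.* | sha256sum | cut -d' ' -f1)
    want=$(cat "$prefix.src.sha256")
    [ "$got" = "$want" ]
}

# image_bytes <image-prefix>: total size of all segments (should equal the source)
image_bytes() { cat "$1".raw.* | wc -c | tr -d ' '; }

# segment_count <image-prefix>: number of segmented volumes produced by split
segment_count() { ls "$1".raw.* | wc -l | tr -d ' '; }

# Stand-alone demonstration.
make_sample_media
acquire_raw "$SUSPECT" "$WORK/evidence" 16k
if verify_raw "$WORK/evidence"; then
    echo "verified $(segment_count "$WORK/evidence") segments, sha256 $(cat "$WORK/evidence.src.sha256")"
else
    echo "HASH MISMATCH: do not rely on this image" >&2
fi
```

With a real drive, read the .dd.log before trusting the hashes: a nonzero count of read errors means conv=sync padded unreadable blocks with zeros, so the image hash will legitimately differ from any hash of the source and the error log becomes part of the validation record.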

Windows Validation Methods

1. Explain that Windows has no dedicated digital forensics hashing tool, although it does
ship general-purpose hashing utilities (certutil -hashfile and PowerShell's Get-FileHash),
and third-party forensic utilities can also be used.

2. Explain that commercial digital forensics programs also have built-in validation
features. Each program has its own validation technique.

3. Mention that raw format image files carry no embedded metadata or hash, so the
acquisition hash must be computed and recorded separately (in the case notes or a hash
log) for every raw acquisition.

Performing RAID Data Acquisitions

1. Mention that size is the biggest concern because many RAID systems now hold many
terabytes, and some petabytes, of data.

Understanding RAID

1. Define redundant array of independent disks (RAID) as a computer configuration
involving two or more disks that was originally developed as a data-redundancy
measure.

2. Use Figures 3-8 through 3-11 to explain all different RAID levels, similarities and
differences, and advantages and disadvantages:
a. RAID 0
b. RAID 1
c. RAID 2
d. RAID 3
e. RAID 4
f. RAID 5
g. RAID 6
h. RAID 10 (RAID 1+0)
i. RAID 15 (RAID 1+5)

Teaching Tip: Read more about RAID at: http://www.acnc.com/raid

Acquiring RAID Disks

1. Describe the main concerns when acquiring RAID disks, including:
a. How much data storage is needed?
b. What type of RAID is used?
c. Do you have all the drives connected?
d. Do you have the right acquisition tool?
e. Can the tool read a forensically copied RAID image?
f. Can the tool read split data saves of each RAID disk?

2. Mention that copying small RAID systems to one large disk is possible. All forensics
analysis tools can analyze an image because they see the acquired data as one large
drive.

3. Mention some of the vendors offering RAID acquisition functions, including:
a. Guidance Software EnCase
b. X-Ways Forensics
c. AccessData FTK
d. Runtime Software
e. R-Tools Technologies

4. Mention that occasionally, a RAID system is too large for a static acquisition.
Retrieving only the data relevant to the investigation with the sparse or logical
acquisition method is the practical solution.

Using Remote Network Acquisition Tools

1. Explain that you can remotely connect to a suspect computer via a network connection
and copy data from it. Remote acquisition tools vary in configurations and capabilities.

2. Describe some of the drawbacks of acquiring data through a network, including:
a. Antivirus, antispyware, and firewall tools
b. If suspects have administrator rights on their computers, they could install their
own security tools that trigger an alarm to notify them of remote access
intrusions

Remote Acquisition with ProDiscover

1. Describe the additional functions available through ProDiscover Incident Response,
including:
a. Capture volatile system state information
b. Analyze current running processes
c. Locate unseen files and processes
d. Remotely view and listen to IP ports
e. Run hash comparisons
f. Create a hash inventory of all files on a system remotely

2. Explain that the PDServer remote agent is the ProDiscover utility for remote access and
needs to be loaded on the suspect computer before a remote connection can be
established.

3. Describe the PDServer installation modes, including:
a. Trusted CD
b. Preinstallation
c. Pushing out and running remotely

4. Mention that PDServer has the option of running in a stealth mode. In addition, you can
change the process name so that it appears to be an OS function.

5. Describe the remote connection security features offered by ProDiscover, including:
a. Password protection
b. Encryption
c. Secure communication protocol
d. Write-protected trusted binaries
e. Digital signatures

Teaching Tip: For more information on ProDiscover Incident Response and PDServer, see
http://www.arcgroupny.com/products/prodiscover-incident-response/.


Remote Acquisition with EnCase Enterprise

1. Describe the remote acquisition features available through EnCase Enterprise,
including:
a. Search and collect internal and external network systems over a wide
geographical area
b. Support multiple OSs and file systems
c. Triage to help determine a system's relevance to an investigation
d. Perform simultaneous searches of up to five systems at a time

Remote Acquisition with R-Tools R-Studio

1. Explain that the R-Tools suite of software is designed for data recovery.

2. Mention that R-Studio creates raw format acquisitions and supports various file
systems.

Teaching Tip: For more information on R-Studio, see www.r-studio.com.

Remote Acquisition with WetStone US-LATT PRO

1. Introduce students to US-LATT PRO, which can connect to a networked computer
remotely and perform a live acquisition of all drives connected to it. Direct students to
the WetStone website for more information.

Remote Acquisition with F-Response

1. Explain that F-Response is a vendor-neutral specialty remote access utility designed to
work with any digital forensics program.

2. Mention that F-Response is sold in four different versions: Enterprise, Consultant +
Covert, Consultant, and TACTICAL.

Using Other Forensics-Acquisition Tools

1. This section describes the following acquisition tools:
a. PassMark Software ImageUSB
b. ASRData SMART
c. Runtime Software
d. ILook Investigator IXimager
e. SourceForge


PassMark Software ImageUSB

1. Explain that PassMark Software has an acquisition tool called ImageUSB for its
OSForensics analysis product. It allows you to create a bootable flash drive.

ASR Data SMART

1. Describe the main capabilities of ASR Data SMART, including:
a. Robust data reading of bad sectors on drives
b. Mounting suspect drives in write-protected mode
c. Mounting target drives in read/write mode
d. Optional compression schemes

Runtime Software

1. Introduce students to the utilities offered by Runtime Software, including:
a. DiskExplorer for FAT
b. DiskExplorer for NTFS

2. Mention the acquisition features offered by Runtime Software, including:
a. Create a raw format image file
b. Segment the raw format or compressed image
c. Access network computers’ drives

ILook Investigator IXimager

1. Describe the main characteristics of ILook Investigator IXImager, as explained in this
section.

SourceForge

1. Direct students to the website listing all of the current tools offered by SourceForge

Quick Quiz 2
1. A(n) _____ utility is designed to create a binary or hexadecimal number that represents
the uniqueness of a data set.
Answer: hashing algorithm

2. The dcfldd option that outputs hash results to a text file is the _____ option.
Answer: hashlog

3. ____ uses byte-level data striping with a dedicated parity disk and requires at least
three disks.
Answer: RAID 3

4. With _____, you have the option of running it in stealth mode to hide it from the
suspect.
Answer: PDServer

5. ____ was the first digital forensics vendor to develop a remote acquisition and analysis
tool based on its desktop tool EnCase.
Answer: Guidance Software

Class Discussion Topics
1. Ask the students to discuss the disadvantages of creating a bit-stream copy from a disk
to a network drive. Is it worthwhile?

2. Ask the students to discuss the advantages and disadvantages of using a USB dongle for
licensing purposes.

Additional Projects
1. Ask the students to read more about compression algorithms. Ask your students to
compare them. Can they find what algorithm is implemented by most of the forensic
tools described in this chapter?

2. Ask the students to investigate SHA-3's characteristics and requirements. How does
SHA-3 compare to SHA-1 and SHA-2?

Additional Resources
1. AFF:
http://cs.harvard.edu/malan/publications/aff.pdf

2. How and when to use the dd command:
www.codecoffee.com/tipsforlinux/articles/036.html

3. Cryptographic Hash Functions SHA Family:
http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=0D27D8D6DAEDA1B7E30528FB2F87A097?doi=10.1.1.687.6598&rep=rep1&type=pdf

4. Cyclic redundancy check:
http://heather.cs.ucdavis.edu/~matloff/Networks/CRC/Old/ErrChkCorr.html


Key Terms
 Advanced Forensic Format (AFF) — An open-source format that stores image data
and metadata. File extensions include .afd for segmented image files and .afm for AFF
metadata.
 host-protected area (HPA) — An area of a disk drive reserved for booting utilities and
diagnostic programs. It’s not visible to the computer’s OS.
 live acquisitions — A data acquisition method used when a suspect computer can’t be
shut down to perform a static acquisition.
 logical acquisition — This data acquisition method captures only specific files of
interest to the case or specific types of files, such as Outlook PST files. See also sparse
acquisition.
 raw format — A data acquisition format that creates simple sequential flat files of a
suspect drive or data set.
 redundant array of independent disks (RAID) — Two or more disks combined into
one large drive in several configurations for special needs. Some RAID systems are
designed for redundancy to ensure continuous operations if one disk fails. Another
configuration spreads data across several disks to improve access speeds for reads and
writes.
 sparse acquisition — Like logical acquisitions, this data acquisition method captures
only specific files of interest to the case, but it also collects fragments of unallocated
(deleted) data. See also logical acquisition.
 static acquisitions — A data acquisition method used when a suspect drive is write-
protected and can’t be altered. If disk evidence is preserved correctly, static acquisitions
are repeatable.
 whole disk encryption — An encryption technique that performs a sector-by-sector
encryption of an entire drive. Each sector is encrypted in its entirety, making it
unreadable when copied with a static acquisition method.
