Gcfi6e Im Ch03
Chapter 3
Data Acquisition
At a Glance
Objectives
Teaching Tips
Quick Quizzes
Additional Projects
Additional Resources
Key Terms
© 2019 Cengage Learning. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for
use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for school-approved
learning management system or classroom use.
Guide to Computer Forensics and Investigations, Sixth Edition 3-2
Lecture Notes
Overview
Chapter 3 explains data acquisition. Students learn about digital evidence storage
formats and how to determine the best acquisition method. Next, students will learn
about contingency planning for data acquisitions and how to use acquisition tools. This
chapter also explains how to validate data acquisitions. In addition, students will review
various RAID acquisition methods and learn how to use remote network acquisition
tools. Finally, Chapter 3 lists other forensic tools available for data acquisitions.
Chapter Objectives
List digital evidence storage formats
Explain ways to determine the best acquisition method
Describe contingency planning for data acquisitions
Explain how to use acquisition tools
Explain how to validate data acquisitions
Describe RAID acquisition methods
Explain how to use remote network acquisition tools
List other forensic tools available for data acquisitions
Teaching Tips
Understanding Storage Formats for Digital Evidence
1. This section describes the following three storage formats for digital evidence:
a. Raw format
b. Proprietary formats
c. Advanced Forensics Format (AFF)
Raw Format
1. Explain that raw format makes it possible to write bit-stream data to files.
Proprietary Formats
3. Mention that of all the proprietary formats for image acquisitions, Expert Witness
Compression format is currently the unofficial standard.
Advanced Forensics Format (AFF)
1. Mention that the Advanced Forensics Format (AFF) was developed by Dr. Simson L.
Garfinkel.
3. Explain that file extensions include .afd for segmented image files and .afm for AFF
metadata.
Teaching Tip: For more information about Advanced Forensics Format (AFF), visit
http://www.forensicswiki.org/wiki/AFF
Determining the Best Acquisition Method
3. Introduce students to the logical acquisition data copy method, which captures only
specific files of interest to the case or specific types of files.
4. Mention that a sparse acquisition is similar but also collects fragments of unallocated
(deleted) data.
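As an added example (not from the manual or the textbook it accompanies), the following script performs a logical acquisition in the sense described above: it collects only the files whose names match the case's patterns, archives them without writing into the source tree, and records a SHA-1 manifest of what was taken. The directory layout, the file names, and the WORK and TREE paths are constructed inside the script so it runs offline; on a real case TREE would be a mounted, write-blocked volume.

```shell
#!/bin/sh
# Added example (not from the manual): logical acquisition of selected file types.
# WORK, TREE and every file under TREE are constructed here for demonstration.
set -eu
WORK="${WORK:-$(mktemp -d)}"          # mktemp -d returns an absolute path
TREE="$WORK/suspect_volume"           # stand-in for a read-only mounted volume

# Constructed sample volume: two documents of interest, two files that are not.
make_sample_tree() {
  mkdir -p "$TREE/Users/alice/Documents" "$TREE/Users/alice/Pictures" "$TREE/Windows"
  printf 'outlook mailbox (constructed)\n' > "$TREE/Users/alice/Documents/archive.pst"
  printf 'quarterly report (constructed)\n' > "$TREE/Users/alice/Documents/report.docx"
  printf 'jpeg data (constructed)\n'       > "$TREE/Users/alice/Pictures/img001.jpg"
  printf 'binary (constructed)\n'          > "$TREE/Windows/notepad.exe"
}

# logical_acquire ROOT OUT.tar PATTERN...  -> prints the number of files collected
# Only files matching one of the name patterns are selected; the list, the archive
# and the manifest are written under WORK, never under ROOT, so the source is not
# modified. An empty selection is reported as 0 instead of producing an empty tar.
logical_acquire() {
  root=$1; out=$2; shift 2
  list="$out.list"
  : > "$list"
  for pat in "$@"; do
    (cd "$root" && find . -type f -name "$pat") >> "$list"
  done
  sort -o "$list" "$list"
  [ -s "$list" ] || { echo 0; return 0; }
  # -T reads the selection; paths are relative to ROOT so the archive has no
  # absolute names and tar does not need to strip a leading "/".
  tar -C "$root" -cf "$out" -T "$list"
  # Hash each collected file from the source so the manifest documents the
  # originals; NUL-delimited so unusual file names cannot break the list.
  (cd "$root" && tr '\n' '\0' < "$list" | xargs -0 sha1sum) > "$out.sha1"
  wc -l < "$list" | tr -d ' '
}

# archive_has ARCHIVE NAME -> exit 0 if a member of the archive matches NAME
archive_has() { tar -tf "$1" | grep -q "$2"; }

# Demonstration run
make_sample_tree
echo "files collected: $(logical_acquire "$TREE" "$WORK/case.tar" '*.pst' '*.docx')"
echo "manifest: $WORK/case.tar.sha1"
```

The manifest is checked later with `sha1sum -c` run from the volume root, which ties the archived copies back to the specific source files they were taken from.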
5. Explain some of the main considerations when acquiring evidence data, including:
a. Size of the source disk (explain compression methods)
b. When working with large drives, an alternative is using lossless compression
c. Whether or not you can retain the suspect’s disk
d. Time you have to perform the acquisition
e. Where the evidence is located
Contingency Planning for Data Acquisitions
1. Present a list of precautions that keep evidence copies from being damaged or
lost.
a. Duplicate your evidence copies
b. Acquire more than one image of the evidence using different tools or techniques
c. Consider host protected areas
d. Be prepared to deal with encrypted drives
Using Acquisition Tools
1. Describe the advantages and disadvantages of using acquisition tools for Windows,
including:
a. Make acquiring evidence from a suspect drive more convenient, especially when
you use them with hot-swappable devices
b. You must protect acquired data with a well-tested write-blocking hardware
device
c. Tools can’t acquire data from a disk’s host protected area
Mini-WinFE Boot CDs and USB Drives
1. Discuss the Windows boot utility called Mini-WinFE. Explain that it enables you to
build a Windows forensic boot CD/DVD or USB drive with a modification in its
Windows Registry file so that connected drives are mounted as read-only.
2. Explain how students can create a Mini-WinFE boot CD or USB drive. Point out that
they will also need a Windows installation DVD (version 8 or later) and FTK Imager
Lite or X-Ways Forensics installed on the workstation.
Acquiring Data with a Linux Boot CD
1. Explain that older Linux versions can access a drive that isn’t mounted. Windows OSs
and newer Linux automatically mount and access a drive. Forensic Linux Live CDs
don’t access media automatically, which eliminates the need for a write-blocker.
2. Explain that forensic Linux Live CDs contain additional utilities and are configured
not to mount, or to mount as read-only, any connected storage media.
3. Mention some of the well-designed Linux Live CDs for computer forensics, such as:
Penguin Sleuth Kit, CAINE, Deft, Kali Linux, Knoppix, and SANS Investigative
Forensic Toolkit.
4. Explain that Linux distributions can create Microsoft FAT and NTFS partition tables.
5. Describe how to partition and format a Microsoft FAT drive from Linux using the
fdisk and mkfs.msdos commands. If able, walk students through the activity in the
text.
6. Explain that the dd (“dump data”) command can be used to read and write data from a
media device and a data file. The dd command creates a raw format file that most
digital forensics analysis tools can read.
8. Mention that the dd command combined with the split command segments output
into separate volumes.
9. Describe how to acquire data using the dd command in Linux, as described in this
section.
10. Mention that the dd command is intended as a data management tool; it’s not designed
for forensics acquisitions. The dcfldd command offers additional capabilities,
including:
a. Specify hexadecimal patterns or text for clearing disk space
b. Log errors to an output file for analysis and review
c. Use several hashing options
d. Refer to a status display indicating the progress of the acquisition in bytes
e. Split data acquisitions into segmented volumes with numeric extensions
f. Verify the acquired data with the original disk or media data
Capturing an Image with AccessData FTK Imager
2. Explain that FTK Imager Lite allows you to view evidence disks and disk-to-image
files. It also makes disk-to-image copies of evidence drives at the logical partition and
physical drive level, and can segment the image file. Use Figure 3-2 to illustrate your
explanation. Also, FTK Imager Lite can image RAM on a live computer.
3. Mention that the evidence drive must have a hardware write-blocking device or the
USB write-protection Registry feature enabled. FTK Imager can’t acquire a drive’s host
protected area.
4. Use Figures 3-3 through 3-7 to explain the steps to capture an image with AccessData
FTK Imager, as described in this section.
Quick Quiz 1
1. Most forensics tools can read the _____ format, making it a universal acquisition format
for most tools.
Answer: raw
2. The preferred way to collect digital evidence is through a(n) _____ acquisition.
Answer: static
3. Popular archiving tools, such as PKZip and WinZip, use an algorithm referred to as
____.
Answer: lossless compression
4. The dd command combined with the _____ command segments output into separate
volumes.
Answer: split
5. ____ is a Windows data acquisition program that’s included with a licensed copy of
AccessData Forensic Toolkit.
Answer: FTK Imager (FTK Imager Lite)
Validating Data Acquisitions
1. Mention that validating digital evidence is probably the most critical aspect of computer
forensics.
2. Explain that validating digital evidence requires using a hashing algorithm utility.
Hashing algorithms range from CRC-32, MD5, and SHA-1 to SHA-512.
Linux Validation Methods
1. Discuss how to use the md5sum and sha1sum commands to validate data acquired
using the dd command.
2. Mention that md5sum or sha1sum utilities should be run on all suspect disks and
volumes or segmented volumes.
3. Explain how to validate data acquired with dcfldd using the hash, hashlog, and
vf options.
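As an added example (not from the manual or the textbook), the script below ties together the dd and split items above with the md5sum/sha1sum validation described here, using only coreutils: a bit-stream copy is segmented into numbered volumes, both hashes of the source media and of the reassembled segments are compared and written to a hash log, and a per-volume manifest makes later tampering with any single segment detectable with `sha1sum -c`. The "suspect drive" is a constructed 32 KiB file, and the WORK path and image names are assumptions; on a case the source would be a write-blocked device. The dcfldd hash, hashlog and vf options the text mentions are shown in comments only, since dcfldd is often not installed.

```shell
#!/bin/sh
# Added example (not from the manual): raw acquisition with dd | split, then
# MD5/SHA-1 validation. SRC is a constructed file standing in for /dev/sdX.
set -eu
WORK="${WORK:-$(mktemp -d)}"
SRC="$WORK/suspect_drive.bin"

# Constructed sample media: 4096 eight-digit counters = 32768 bytes = 64 sectors.
make_sample_drive() {
  awk 'BEGIN { for (i = 0; i < 4096; i++) printf "%08d", i }' > "$SRC"
}

# acquire_segmented SOURCE PREFIX SEGMENT_BYTES -> prints the number of segments
# Writes PREFIX.000, PREFIX.001, ... conv=noerror,sync keeps dd going past
# unreadable sectors and zero-pads them so later offsets stay aligned; dd's
# stderr (block counts and any read errors) is kept as PREFIX.log.
acquire_segmented() {
  dd if="$1" bs=512 conv=noerror,sync 2>"$2.log" | split -b "$3" -d -a 3 - "$2."
  ls "$2".[0-9][0-9][0-9] | wc -l | tr -d ' '
}
# dcfldd form described in the text (shown only, not run here):
#   dcfldd if=/dev/sdX of=image.raw hash=md5,sha1 hashlog=image.hashlog
#   dcfldd if=/dev/sdX vf=image.raw     # re-read the media and compare to the image

md5_of()  { md5sum  | cut -d' ' -f1; }   # both read stdin
sha1_of() { sha1sum | cut -d' ' -f1; }

# validate_segments SOURCE PREFIX -> prints MATCH or MISMATCH
# Hashes the source and the concatenated segments with both algorithms (as the
# text recommends, every volume is covered), records them in PREFIX.hashlog, and
# writes a per-segment manifest PREFIX.sha1 for later re-checks.
validate_segments() {
  src_md5=$(md5_of < "$1");  src_sha1=$(sha1_of < "$1")
  img_md5=$(cat "$2".[0-9][0-9][0-9] | md5_of)
  img_sha1=$(cat "$2".[0-9][0-9][0-9] | sha1_of)
  {
    echo "source md5=$src_md5 sha1=$src_sha1"
    echo "image  md5=$img_md5 sha1=$img_sha1"
  } > "$2.hashlog"
  sha1sum "$2".[0-9][0-9][0-9] > "$2.sha1"
  if [ "$src_md5" = "$img_md5" ] && [ "$src_sha1" = "$img_sha1" ]; then
    echo MATCH
  else
    echo MISMATCH
  fi
}

# check_manifest PREFIX -> exit 0 only if every stored segment still matches
check_manifest() { sha1sum -c --status "$1.sha1"; }

# Demonstration run
make_sample_drive
echo "segments written: $(acquire_segmented "$SRC" "$WORK/image.raw" 8192)"
echo "validation: $(validate_segments "$SRC" "$WORK/image.raw")"
```

Because a raw image carries no embedded hashes, the hash log and manifest written here are the only record that the copy matched the media at acquisition time, which is why the text recommends manual validation for every raw acquisition.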
Windows Validation Methods
1. Explain that Windows has no built-in hashing algorithm tools for digital forensics, but
third-party utilities can be used.
2. Explain that commercial digital forensics programs also have built-in validation
features. Each program has its own validation technique.
3. Mention that raw format image files don’t contain metadata, so separate manual
validation is recommended for all raw acquisitions.
Performing RAID Data Acquisitions
1. Mention that size is the biggest concern because many RAID systems are now pushing
into many exabytes or more of data.
Understanding RAID
2. Use Figures 3-8 through 3-11 to explain all different RAID levels, similarities and
differences, and advantages and disadvantages:
a. RAID 0
b. RAID 1
c. RAID 2
d. RAID 3
e. RAID 4
f. RAID 5
g. RAID 6
h. RAID 10 (RAID 1+0)
i. RAID 15 (RAID 1+5)
Teaching Tip: Read more about RAID at http://www.acnc.com/raid
Acquiring RAID Disks
2. Mention that copying small RAID systems to one large disk is possible. All forensics
analysis tools can analyze the image because they see the acquired data as one large
drive.
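As an added example (not from the manual or the textbook), the script below shows why an acquired RAID set only looks like "one large drive" once it has been reassembled correctly: it takes images of the member disks of a RAID 0 (striped) set and interleaves their stripes with dd to rebuild the logical volume, and it demonstrates that swapping the member order produces a scrambled image. The logical volume, the member images, the two-disk layout and the 4 KiB stripe size are all constructed inside the script; on a case the stripe size and disk order would come from the controller configuration recorded at acquisition.

```shell
#!/bin/sh
# Added example (not from the manual): rebuilding a RAID 0 volume from member
# disk images. All images and the layout below are constructed for demonstration.
set -eu
WORK="${WORK:-$(mktemp -d)}"
STRIPE=4096   # stripe (chunk) size in bytes; must match the controller setting

# make_logical_image OUT: 8 stripes of 4096 bytes, each filled with its own label
# ("stripe-0 ", "stripe-1 ", ...) so a mis-ordered rebuild is easy to spot.
make_logical_image() {
  awk -v n=8 -v s="$STRIPE" 'BEGIN {
    for (i = 0; i < n; i++) {
      line = sprintf("stripe-%d ", i)
      while (length(line) < s) line = line line
      printf "%s", substr(line, 1, s)
    }
  }' > "$1"
}

# stripe_out IMAGE NDISKS PREFIX: simulate a RAID 0 controller writing stripe i
# to disk (i mod NDISKS) at row (i div NDISKS), producing PREFIX0.img, PREFIX1.img, ...
stripe_out() {
  img=$1; n=$2; prefix=$3
  total=$(( $(wc -c < "$img" | tr -d ' ') / STRIPE ))
  i=0
  while [ "$i" -lt "$total" ]; do
    d=$(( i % n )); row=$(( i / n ))
    dd if="$img" of="$prefix$d.img" bs="$STRIPE" skip="$i" seek="$row" count=1 \
       conv=notrunc 2>/dev/null
    i=$(( i + 1 ))
  done
}

# reassemble_raid0 PREFIX NDISKS OUT: read row r from every member in disk order
# and append it, which is the inverse of the controller's mapping above. The
# members are assumed to be equal in size (true for a complete RAID 0 set).
reassemble_raid0() {
  prefix=$1; n=$2; out=$3
  rows=$(( $(wc -c < "${prefix}0.img" | tr -d ' ') / STRIPE ))
  : > "$out"
  row=0
  while [ "$row" -lt "$rows" ]; do
    d=0
    while [ "$d" -lt "$n" ]; do
      dd if="$prefix$d.img" bs="$STRIPE" skip="$row" count=1 2>/dev/null >> "$out"
      d=$(( d + 1 ))
    done
    row=$(( row + 1 ))
  done
}

# same_content A B -> exit 0 if the two files hash identically
same_content() { [ "$(sha1sum < "$1")" = "$(sha1sum < "$2")" ]; }

# Demonstration run: two members, then a rebuild checked against the original
make_logical_image "$WORK/logical.img"
stripe_out "$WORK/logical.img" 2 "$WORK/member"
reassemble_raid0 "$WORK/member" 2 "$WORK/rebuilt.img"
same_content "$WORK/logical.img" "$WORK/rebuilt.img" && echo "RAID 0 volume rebuilt: hashes match"
```

Parity levels (RAID 3, 4, 5, 6) add a parity stripe to each row, so rebuilding them needs the parity rotation as well as the order and stripe size; the same principle applies: without the layout parameters the acquired member images cannot be turned into the single logical drive that analysis tools expect.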
4. Mention that occasionally, a RAID system is too large for a static acquisition.
Retrieving only the data relevant to the investigation with the sparse or logical
acquisition method is the practical solution.
Using Remote Network Acquisition Tools
1. Explain that you can remotely connect to a suspect computer via a network connection
and copy data from it. Remote acquisition tools vary in configurations and capabilities.
2. Explain that the PDServer remote agent is the ProDiscover utility for remote access and
needs to be loaded on the suspect computer before a remote connection can be
established.
4. Mention that PDServer has the option of running in a stealth mode. In addition, you can
change the process name so that it appears to be an OS function.
Teaching Tip: For more information on ProDiscover Incident Response and PDServer, see
http://www.arcgroupny.com/products/prodiscover-incident-response/.
Other Forensics Acquisition Tools
1. Explain that the R-Tools suite of software is designed for data recovery.
2. Mention that R-Studio creates raw format acquisitions and supports various file
systems.
Teaching Tip: For more information on R-Studio, see www.r-studio.com.
PassMark Software ImageUSB
1. Explain that PassMark Software has an acquisition tool called ImageUSB for its
OSForensics analysis product. It allows you to create a bootable flash drive.
SourceForge
1. Direct students to the website listing all of the current tools offered by SourceForge.
Quick Quiz 2
1. A(n) _____ utility is designed to create a binary or hexadecimal number that represents
the uniqueness of a data set.
Answer: hashing algorithm
2. The dcfldd option that outputs hash results to a text file is the _____ option.
Answer: hashlog
3. ____ uses data striping and dedicated parity and requires at least three disks.
Answer: RAID 3
4. With _____, you have the option of running it in stealth mode to hide it from the
suspect.
Answer: PDServer
5. ____ was the first digital forensics vendor to develop a remote acquisition and analysis
tool based on its desktop tool EnCase.
Answer: Guidance Software
2. Ask the students to discuss the advantages and disadvantages of using a USB dongle for
licensing purposes.
Additional Projects
1. Ask the students to read more about compression algorithms. Ask your students to
compare them. Can they find what algorithm is implemented by most of the forensic
tools described in this chapter?
2. Ask the students to investigate about SHA-3 characteristics and requirements. How
does SHA-3 compare to SHA-1 and SHA-2?
Additional Resources
1. AFF:
http://cs.harvard.edu/malan/publications/aff.pdf
Key Terms
Advanced Forensic Format (AFF) — An open-source format that stores image data
and metadata. File extensions include .afd for segmented image files and .afm for AFF
metadata.
host-protected area (HPA) — An area of a disk drive reserved for booting utilities and
diagnostic programs. It’s not visible to the computer’s OS.
live acquisitions — A data acquisition method used when a suspect computer can’t be
shut down to perform a static acquisition.
logical acquisition — This data acquisition method captures only specific files of
interest to the case or specific types of files, such as Outlook PST files. See also sparse
acquisition.
raw format — A data acquisition format that creates simple sequential flat files of a
suspect drive or data set.
redundant array of independent disks (RAID) — Two or more disks combined into
one large drive in several configurations for special needs. Some RAID systems are
designed for redundancy to ensure continuous operations if one disk fails. Another
configuration spreads data across several disks to improve access speeds for reads and
writes.
sparse acquisition — Like logical acquisitions, this data acquisition method captures
only specific files of interest to the case, but it also collects fragments of unallocated
(deleted) data. See also logical acquisition.
static acquisitions — A data acquisition method used when a suspect drive is
write-protected and can’t be altered. If disk evidence is preserved correctly, static
acquisitions are repeatable.
whole disk encryption — An encryption technique that performs a sector-by-sector
encryption of an entire drive. Each sector is encrypted in its entirety, making it
unreadable when copied with a static acquisition method.