Data Acquisition and Preservation using Tools: FTK Imager and dc3dd

Data Acquisition and Preservation procedure:
• Write protect the device you will copy data from
• Create hash of the device you copy data from
• Acquire a forensic disk image (file) of the device
• Create hash of disk image
• Compare hashes
• Put original device in secure storage
• Create a copy of the acquired disk image, verify its hash, and work only on the copy
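The procedure above as an added shell example; it is not from the slides nor from the dc3dd or FTK Imager projects. It uses dc3dd when installed and otherwise falls back to dd (an assumption so it runs where dc3dd is absent), and assumes either sha256sum or shasum is available for the independent hash check.

```shell
#!/bin/sh
# Added example: hash the source, image it, hash the image, compare, then
# create a working copy and confirm the copy still matches the image.
# Assumptions: dc3dd or dd is present; sha256sum or shasum is present.
set -u

# Print the SHA-256 digest of a file or device with whichever tool exists.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Image SRC into IMG. With dc3dd, the input hash is recorded in IMG.log;
# without it, plain dd is used (no padding, so sizes stay identical).
acquire_image() {
    src="$1"; img="$2"
    if command -v dc3dd >/dev/null 2>&1; then
        dc3dd if="$src" of="$img" hash=sha256 log="$img.log" >/dev/null 2>&1
    else
        dd if="$src" of="$img" bs=4096 conv=noerror 2>/dev/null
    fi
}

# Independently hash source and image and record both; 0 = match, 1 = no.
verify_image() {
    src_hash=$(hash_of "$1"); img_hash=$(hash_of "$2")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" > "$2.hashes"
    [ "$src_hash" = "$img_hash" ]
}

# Full chain: acquire, verify image against source, then verify the
# working copy against the image so analysis never touches the original.
acquire_and_verify() {
    src="$1"; img="$2"
    acquire_image "$src" "$img" || return 1
    verify_image "$src" "$img" || return 1
    cp "$img" "$img.working"
    verify_image "$img" "$img.working"
}
```

Point it at the write-blocked device (for example /dev/sdb) and an image path; the .hashes and .log files are the record to keep with the evidence.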
Tool - FTK Imager
• From AccessData
• Creates forensic images – both memory (RAM) and Disk
• Need separate write blocking capability
• FTK Imager download -
Create Disk Image
• Demo to create an Image
• Discuss
    • Case naming
    • Verifying hash results
    • Image summary
    • Text doc created along with the final image
RAM Capture
• Demo RAM Capture
• Pagefile.sys: a Windows system file set aside as an extension of RAM. When the
computer's RAM begins to run out of memory, Windows uses the pagefile to
offload data it doesn't currently need, such as files and apps
• So how does your computer decide when to offload data? Program files of
minimized apps are dumped to the pagefile
• Size of pagefile: 1.5 to 2 times RAM
• Speed of access (fastest to slowest): RAM, pagefile, SSD, HDD
Demo of Features in FTK Imager
• Identifying file details – Add evidence image
• Text vs Hex view
• Retrieving Deleted files
• Exporting Logical Images of selected folders
• Exporting hashes – entire drive, folder wise
• Image mounting using FTK Imager
Evidence Acquisition and preservation using
• A typical device in Linux can be addressed or recognized as /dev/sda
• /dev: Refers to the path of all devices and drives recognized by Linux, which can be read from or written to
• /sda: Refers to the Small Computer System Interface (SCSI), SATA, and USB devices
• The sd stands for SCSI Mass-Storage Driver, with the letter after it representing the drive number:
• Drive to be connected via write blocker to workstation
Device identification using the fdisk command
• Filesystem: FAT32
Figure 5.6 – Installing dc3dd in Kali Linux

dc3dd is a CLI tool and can be easily run in Kali Linux by first opening a Terminal and typing in dc3dd. To start with, I recommend using the dc3dd --help command, which lists the available parameters used with dc3dd:
The device size (in sector and bytes) should be noted and later compared to the output field.
Figure 5.14 – The command used to split the acquired file size
Compare the hashes in the following screenshots, created by dc3dd, with the ones in the previous screenshots:
In the preceding command:
Figure 5.20 – MD5 calculation output
• dc3dd SHA-1 hash:
Erasing a drive using dc3dd

dc3dd can wipe data and erase drives by overwriting data in three ways:

• Overwriting and filling the data and drives with zeroes. The command used is dc3dd wipe=/dev/sdb:
134 Evidence Acquisition and Preservation with dc3dd and Guymager
Image acquisition using Guymager
• Size: 2.0GB

Figure 5.37 – Guymager interface displaying detected drives