
Structure of Case File

Case # (Case Files)
- Case Index
- Image
  - dd image
  - Hash code
- FTK
- Report
  - Doc
  - Recovered files
  - E-mails
  - Photos
  - Etc.

Forensic Work Station

- Clean install of the OS
- Clean install of all apps
- Clean install of all forensic packages
- Keep all evidence and case related info on an external clean hard drive
- After the case is completed, physically archive the external hard drive
- Wipe the operational hard drive

HD Data Acquisition

Imaging the Hard Drive
1. Acquisition Layers
2. Write Blockers
3. Media Preparation
4. Imaging
5. Integrity Hashes

Imaging Digital Media

- Hash the media
- Make an exact copy of the media
  - Everything: errors, deleted stuff
- Hash the image
  - Prove it is an exact copy: compare with the hash of the original
  - MD5, SHA1, SHA256

Acquisition Layers

Device      Physical Layer
Partition   Logical Layer
File        Logical Layer

Always acquire data at the lowest possible layer. Acquire every sector on the disk. Your tools can abstract the raw data at any level.

Acquisition Tools

1. Know what your tools do
2. Test them
3. Validate them
   - Test plan
   - Test report

NIST - http://www.cftt.nist.gov/disk_imaging.htm
http://nij.ncjrs.gov/publications/Pub_search.asp?category=99&searchtype=basic&location=top&PSID=55&sort=date#nijpubs

Imaging Hardware Setup

Suspect Media -> Write Blocker -> Forensics Workstation -> External Forensic Storage

Write Blockers

- Cannot touch the suspect media
  - Evidence cannot be altered
  - Important to verify
- Test, test, test
- Hardware and Software
  - Always use hardware
  - Be careful of read only and read/write blockers

Write Blockers

1. HW
   1. Paraben   $249.95 - $2000
   2. Tableau   $249.95 - $2000
2. SW
   - Modifies interrupt table
3. NIST Reports
   - http://www.cftt.nist.gov/software_write_block.htm

Write Blocker: Tableau T8 (USB device)
- Inputs: USB
- Outputs: USB, Firewire
- On/Off switch

Write Blocker: Tableau T35e (IDE device)
- Inputs: IDE, SATA
- Outputs: USB, Firewire
- On/Off switch
- SATA cable

Write Blocker: Paraben (IDE device)
- Inputs: IDE
- Outputs: USB, Firewire
- On/Off switch

Case Storage Media

Preparation
- External hard drive storage
- Zero all sectors
  - 32 bit checksum = 0 (32 bit sum with carry bit added)
  - Use WinHex
- Partition
- Format NTFS

Particulars
- Start up Helix live CD
- Zero drive:       dd if=/dev/zero of=/dev/sdb
- Partition drive:  fdisk /dev/sdb, etc.
- Format NTFS:      mkntfs /dev/sdb
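A way to confirm the prepared case drive really is all zeros before partitioning it, as an added Python example (not code from the slides, and not WinHex's own routine): the 32-bit sum with the carry folded back in is my reading of the slide's "32 bit sum with carry bit added", and the two sample "drives" are constructed in the block.

```python
SECTOR = 512

# Constructed stand-ins for a prepared case drive: eight all-zero sectors, and
# the same drive with one stray byte left behind in sector 2.
ZEROED = b"\x00" * (8 * SECTOR)
DIRTY = bytearray(ZEROED)
DIRTY[2 * SECTOR + 7] = 0x5A
DIRTY = bytes(DIRTY)


def checksum32_with_carry(data):
    """32-bit sum of little-endian words with the carry folded back in
    (end-around carry). Because every addend is non-negative, the folded sum
    is 0 only when every word is 0, so '== 0' really does prove an all-zero
    drive; a plain modulo-2^32 sum could wrap around to 0 on non-zero data."""
    total = 0
    for i in range(0, len(data), 4):
        total += int.from_bytes(data[i:i + 4].ljust(4, b"\x00"), "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)  # fold the carry bit back in
    return total


def first_nonzero_sector(data, sector=SECTOR):
    """Index of the first sector containing a non-zero byte, or None if clean."""
    for off in range(0, len(data), sector):
        if any(data[off:off + sector]):
            return off // sector
    return None


def verify_wiped(data):
    """Both checks, as you would run them before partitioning the drive."""
    return {"checksum": checksum32_with_carry(data),
            "first_nonzero_sector": first_nonzero_sector(data)}
```

On a real drive, read the raw device (for example the whole of /dev/sdb) in chunks and feed the bytes through the same two functions; a non-zero checksum or a sector index tells you the wipe did not complete.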

Imaging

Exact copy of drive
- Cannot be changed
- Must be verifiable
- HW/SW

Reading the Source
1. Read device directly
2. Use the BIOS
   - INT13h
   - Extended INT13h
   - May lie about the size
3. Dead vs Live acquisition
4. Error handling
   - logging, bad blocks

Imaging Apps

- FTK Imager
- EnCase
- WinHex
- Open Source
  - Bootable memory stick
  - dd: Windows (Garner), Linux
  - Helix
  - Defense Computer Forensic Labs: dcfldd, dc3dd

Output Format of Image

1. Separate drive
   1. A single file: ease of use
   2. Multiple files: facilitate archiving on DVDs (160 Gbytes ~~ 27 DVDs)
2. Raw or Custom
   1. dd can be interpreted by everything
   2. EnCase has embedded info
3. Hash codes & errors
   1. Interlaced: EnCase saves them in its proprietary format
   2. Separate file: dcfldd saves hashes in a separate file
   3. Nothing: dd; save the hash in a separate file (can calculate an MD5 hash)

Image Formats

dd    .001   Raw bit for bit copy
E01   .e01   EnCase format; includes file description, hashes, etc.; uses zLib compression
AD1          AccessData Custom Content Logical Image
S01          SMART (Linux) format

Integrity Hashes

1. CRC, MD5, SHA, SHA1, SHA256
2. By device
3. By partition
4. By sector

dd

- Standard on all Linux distros
- Windows: http://gmgsystemsinc.com/fau/
  - Create a directory at root level: C:\bin
  - Add that path to your path environment variable: Control Panel\System Properties\environment variables\system variables\path edit, append C:\bin
  - Add sysinternals

Using dd

- Unix command structure
- Included with all Unix/Linux/BSD distros
- Windows version is available: http://unxutils.sourceforge.net/ and http://www.gmgsystemsinc.com/fau/

#dd input output options
#dd if=suspect.drive of=E:\Case\image\captured

Input Sources

Linux
/dev/hda   ATAPI device
/dev/sda   SCSI device
/dev/fd0   Floppy
/dev/mem   RAM

Windows
\\.\PhysicalDrive0    IDE bus 0 master device
\\.\PhysicalMemory    RAM

Output Sources

Windows
F:\Images\Case-08001

Linux, on another internal drive
/dev/hdb1   saved onto the slave drive on IDE bus 1

Usually an external USB hard drive is mounted
/media/FlashDisk/hda-evidence.data

Options

bs=n, ibs=n, obs=n   Block size is n bytes (in, out, or both)
skip=n               Skip n blocks
count=n              Copy n blocks

The block size must be declared before skip/count are used, because both are counted in blocks of that size.

#dd if=/dev/sda1 of=/root/lynn.dd bs=4096 count=1

Example

#dd if=/dev/sda1 of=/home/lynn/example.dd bs=512 count=1

Hex dump of example.dd (the first sector of the partition, a FAT16 boot sector):

0000000: eb3c 904d 5344 4f53 352e 3000 0204 0100  .<.MSDOS5.0.....
0000010: 0200 0200 00f8 ff00 3f00 ff00 3f00 0000  ........?...?...
0000020: dfe7 0300 8001 2905 8f93 804e 4f20 4e41  ......)....NO NA
0000030: 4d45 2020 2020 4641 5431 3620 2020 33c9  ME    FAT16   3.
0000040: 8ed1 bcf0 7b8e d9b8 0020 8ec0 fcbd 007c  ....{.... .....|
0000050: 384e 247d 248b c199 e83c 0172 1c83 eb3a  8N$}$....<.r...:
0000060: 66a1 1c7c 2666 3b07 268a 57fc 7506 80ca  f..|&f;.&.W.u...
0000070: 0288 5602 80c3 1073 eb33 c98a 4610 98f7  ..V....s.3..F...
0000080: 6616 0346 1c13 561e 0346 0e13 d18b 7611  f..F..V..F....v.
0000090: 6089 46fc 8956 feb8 2000 f7e6 8b5e 0b03  `.F..V.. ....^..
00000a0: c348 f7f3 0146 fc11 4efe 61bf 0000 e8e6  .H...F..N.a.....
00000b0: 0072 3926 382d 7417 60b1 0bbe a17d f3a6  .r9&8-t.`....}..
00000c0: 6174 324e 7409 83c7 203b fb72 e6eb dca0  at2Nt... ;.r....
00000d0: fb7d b47d 8bf0 ac98 4074 0c48 7413 b40e  .}.}....@t.Ht...
00000e0: bb07 00cd 10eb efa0 fd7d ebe6 a0fc 7deb  .........}....}.
00000f0: e1cd 16cd 1926 8b55 1a52 b001 bb00 00e8  .....&.U.R......
0000100: 3b00 72e8 5b8a 5624 be0b 7c8b fcc7 46f0  ;.r.[.V$..|...F.
0000110: 3d7d c746 f429 7d8c d989 4ef2 894e f6c6  =}.F.)}...N..N..
0000120: 0696 7dcb ea03 0000 200f b6c8 668b 46f8  ..}..... ...f.F.
0000130: 6603 461c 668b d066 c1ea 10eb 5e0f b6c8  f.F.f..f....^...
0000140: 4a4a 8a46 0d32 e4f7 e203 46fc 1356 feeb  JJ.F.2....F..V..
0000150: 4a52 5006 536a 016a 1091 8b46 1896 9233  JRP.Sj.j...F...3
0000160: d2f7 f691 f7f6 4287 caf7 761a 8af2 8ae8  ......B...v.....
0000170: c0cc 020a ccb8 0102 807e 020e 7504 b442  .........~..u..B
0000180: 8bf4 8a56 24cd 1361 6172 0b40 7501 4203  ...V$..aar.@u.B.
0000190: 5e0b 4975 06f8 c341 bb00 0060 666a 00eb  ^.Iu...A...`fj..
00001a0: b04e 544c 4452 2020 2020 2020 0d0a 6720  .NTLDR      ..g 
00001b0: 5379 7374 656d 206d 6973 7369 6e67 ff0d  System missing..
00001c0: 0a44 6973 6b20 6572 726f 72ff 0d0a 5072  .Disk error...Pr
00001d0: 6573 7320 616e 7920 6b65 7920 746f 2072  ess any key to r
00001e0: 6573 7461 7274 0d0a 0000 0000 0000 0000  estart..........
00001f0: 0000 0000 0000 0000 0000 00ac bfcc 55aa  ..............U.

MD5 Hash

#dd if=/dev/sda1 bs=512 count=1 | md5sum > hash.txt
#cat hash.txt
d41d8cd98f00b204e9800998ecf8427e
#dd if=/dev/sda1 bs=512 count=1 | sha1sum > hash.txt
#cat hash.txt
d41d8cd98f00b204e9800998ecf8427e

Note: d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero bytes of input. If hash.txt holds that value, dd delivered nothing down the pipe (wrong device path or insufficient privileges); check that dd reports one record out before relying on the hash. A SHA-1 digest is 40 hex characters, so the second hash.txt as shown cannot be sha1sum output either.

dcfldd

Very much like dd:

dcfldd if=/dev/mem of=/home/image conv=noerror bs=4096 \
       errlog=error_log1 \
       hash=md5 hashwindow=4096 hashlog=hash_dmp1 \
       hashformat="#hash#" >> report

However, it lets you make multiple copies of the image:

dcfldd if=/dev/mem of=/home/image of=/media/storage/image2

Bad Sectors

Bad sectors are treated differently by different imagers, so hashes may differ:
- Some imagers zero fill the unreadable sector
- One hash is calculated by ignoring the sector
- The other uses the zero fill after imaging
- Hard to explain in court

Remedies

dcfldd conv=noerror,sync hashconv=after
- noerror: continues if an error is encountered
- sync: converts bad sectors to zeroes
- hashconv=after: calculates the device hash after the conversion
- Can be questioned in court; hard to explain in court

Better solution
- Use a small hash window and compare all the hashes of the small chunks:
  hashwindow=1M hashlog=hash-dump
- Show that the hashes disagree on the bad sector's window and agree everywhere else
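The two hash behaviours on the Bad Sectors slide and the small-window remedy above, as an added Python model (not code from the slides, and not dcfldd itself): a constructed 16-sector "drive" with one unreadable sector is imaged with conv=noerror,sync semantics, the two whole-device hashes are shown to disagree, and a per-window hashlog pins the disagreement to the one window holding the bad sector. The sector contents, the bad sector number and the window size are constructed values.

```python
import hashlib

SECTOR = 512
N_SECTORS = 16
BAD_SECTOR = 5  # constructed: the one sector the simulated drive cannot read

# Constructed stand-in for the suspect media: sector n is filled with byte n.
SOURCE = b"".join(bytes([n]) * SECTOR for n in range(N_SECTORS))

def read_sector(n):
    """Simulated raw device read; the bad sector fails like a real I/O error."""
    if n == BAD_SECTOR:
        raise OSError("read error at sector %d" % n)
    return SOURCE[n * SECTOR:(n + 1) * SECTOR]

def image_noerror_sync(n_sectors=N_SECTORS):
    """Model of conv=noerror,sync: keep going after a read error and pad the
    unreadable block with zeroes. Returns the image and an errlog-style list."""
    out, errlog = bytearray(), []
    for n in range(n_sectors):
        try:
            out += read_sector(n)
        except OSError as err:
            errlog.append(str(err))
            out += b"\x00" * SECTOR
    return bytes(out), errlog

def md5_skipping_unreadable(n_sectors=N_SECTORS):
    """Device hash that ignores the unreadable sector instead of zero filling
    it: the 'other' hash the slide mentions, which never matches the image."""
    h = hashlib.md5()
    for n in range(n_sectors):
        try:
            h.update(read_sector(n))
        except OSError:
            pass
    return h.hexdigest()

def md5_whole(data):
    return hashlib.md5(data).hexdigest()

def piecewise_md5(data, window):
    """hashwindow=window: one MD5 per window, like dcfldd's hashlog."""
    return [hashlib.md5(data[i:i + window]).hexdigest()
            for i in range(0, len(data), window)]

def disagreeing_windows(hashlog_a, hashlog_b):
    """Indices of windows whose hashes differ; every other window verifies."""
    return [i for i, (a, b) in enumerate(zip(hashlog_a, hashlog_b)) if a != b]
```

With a 2048-byte window (four sectors), comparing piecewise_md5(SOURCE, 2048) against piecewise_md5(image, 2048) flags only window 1, the one containing sector 5, while the whole-device hashes simply differ without saying why.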

dc3dd

Makes dd similar to dcfldd
- Written by Jesse Kornblum
- Maintained by the DoD Cyber Crime Center

dcfldd if=/dev/mem of=/home/image conv=noerror bs=4096 \
       errlog=error_log1 \
       hash=md5 hashwindow=4096 hashlog=hash_dmp1 \
       hashformat="#hash#" >> report

Features:
- Pattern writes
- Piecewise and overall hashing with multiple algorithms and variable size windows; supports MD5, SHA-1, SHA-256, and SHA-512
- Progress meter with automatic input/output file size probing
- Combined log for hashes and errors
- Error grouping: produces one error message for identical sequential errors
- Verify mode
- Ability to split the output into chunks with numerical or alphabetic extensions

dd_rescue

- Sort of like dd, however some of the options are not called the same
- Copies data from one device to another
- Attempts to correct block errors
- Usually does a really good job
- Can take a long time if the drive is hosed
- Not forensically sound

ddrescue (GNU)

- Sort of like dd_rescue, however some of the options are not called the same
- Copies data from one device to another
- Attempts to correct block errors
- Usually does a really good job
- Can take a long time if the drive is hosed
- Not forensically sound

X-Ways Software Technology AG

- Builds WinHex: very good hexadecimal editor, $300
- And X-Ways Forensics: excellent forensics package, $1000

Access Data Corp.

- FTK (Forensic Tool Kit): versions 1.70, 1.72, 1.80, 2.0, 2.2, 3.2; $3000 - 4000
- PRTK (Password Recovery Toolkit)
- Registry Viewer
- FTK Imager: free

Spinrite

- Fast
- Accurate
- Does overwrite the drive
- Not forensically sound
- Great if you are desperate
- Recovers a lot of data off of an injured drive
- $89.00

Lab Today

Dry Run
- Use dd on the hard drive in the workstation
- Only capture the first 100 sectors or so
- Look at the image in WinHex
- Save it, you will need it next week
