Forensic Data Acquisition Tools
Getting The Data:
The First Step of a Successful Forensic Analysis
Presented By
RS
The Catch 22 of Computer Forensics:
Should you pull the plug?
You must not alter or contribute to
the digital evidence.
You will lose access to any volatile
and/or encrypted data by powering
down a live system!
How can you tell what you will lose,
without first examining the system?
How do you examine a live system
without modifying it in the process?
What makes a Forensic
Investigation Challenging?
You only get one chance to do it right!
There is not a single tool set or
process that will work for every
situation.
Every situation is different; you never
know what to expect.
What we will cover
The goals of a forensic acquisition &
issues that can make the job difficult
Preparation of evidence media
Proper handling of suspect media
Popular hardware & software systems
available for forensic imaging.
Abilities and Limitations
Advantages and Disadvantages
Forensic image integrity verification
Disclaimer
I am not a lawyer, this tutorial is not
legal advice or legal opinion.
I do not speak for or represent
anyone.
You assume all risks by acting on
any of this information.
Check the policies of your
organization before using any of
these tools in an investigation.
Terms I will be using
Digital Evidence
Suspect/Original Drive/Media
Forensic/Evidence Drive/Media
Acquisitions & Imaging
Chain Of Custody
Verification Hashes & Checksums
Trusted Forensic Environment
Original Copies vs. Work Copies
This talk does not fully cover
acquiring volatile system information
The steps for a forensic recovery of
volatile system information are product,
configuration, and situation dependent.
Acquiring volatile system information
without modifying the disk based evidence
is not always possible.
You need to know if the steps you're taking
to access volatile system information will
alter anything on the disk; it may come up
in court.
Examples of volatile information
Runtime and performance statistics
Time, Date, Time zone settings
Active Process listings
Logged-in user listings
Open files, libraries/DLLs in use
Network Activity
Temporary Configuration Information
Any information not saved to disk
This talk does not cover acquiring data
from the following devices or media:
Cellular phones
Palm / PocketPC / PDA
http://www.paraben.com
Wireless & wired network
communications
Wireless & Programmable keyboards
EPROMs
Before Beginning
Be aware of whether fingerprint evidence could be
important to your case
Take photographs before starting any
work or touching anything.
Document all cable connections, especially
to modems & network ports
Investigate every incident as if it is going
to trial.
Basic Forensic Principles
DO NOT examine evidence before a forensic
image is made.
Your interaction with original evidence
should be minimal.
Only examine copies of evidence; never
touch the originals, except to make backup
copies.
Store all original evidence in a safe
location, if possible.
Establish a clear chain of custody for all
original evidence and original copies.
Basic Forensic Principles
Keep a journal documenting all activity
relating to the acquisition of the evidence,
including dates & times.
Restrict access to the evidence as much as
possible
Collate mail, DNS, and other network &
service logs to support & verify your
findings.
Always be able to verify the integrity of
your evidence!
Basic Forensic Principles
Never use a tool you are not familiar with on
live or original evidence!
Acquisition Documentation
Physical Context:
Item RM-A-01: A Seagate Barracuda 40GB HD, SN: XXXXXX
Logical Context:
identified as /dev/hda1 mounted as /
The forensic technician may be expected to defend
their methods of handling evidence.
The chain of custody may be challenged in court.
The tools, and the versions used, are important,
and should be documented!
Digital Media Basics:
String of 0s and 1s
How is data stored on a hard drive?
What is a partition table?
What is a filesystem?
How are files stored on a drive?
What is the difference between a logical and
physical copy?
Information is lost as you move up through
the layers of data abstraction
You can't trust unknown hardware; it can lie
to your software tools (HPA, DCO)
Goals of a forensic acquisition
Make a backup image containing an exact
copy of every single bit on the suspect
drive.
Preserve the state of the system by
making sure nothing is altered on the
original media during an acquisition.
Be able to verify the integrity of your
forensic image, or the results of an
examination may get challenged in court.
Requirements of a Forensic Product
Tool must not alter any data, especially
any last accessed file time stamps
Windows alters accessed times on various files
upon bootup.
Tool must see all data on a drive
HPA (Host Protected Area)
DCO (Device Configuration Overlay)
Issue with Linux 2.4.x kernels & hard drives
with an odd number of sectors
Requirements of a Forensic Product
Tool needs to have been tested by
an independent entity to validate
that it performs as expected.
Beware of using imaging tools that
are not specialized or independently
validated for forensic use.
Scientific Working Group on Digital Evidence -
http://ncfs.org/swgde/documents.html
Preparation of a forensic hard drive
Wipe the drive with all Zero (NULL) bytes
Removes traces of any previous drive contents
Verifies that all sectors of the drive can be
successfully written to
Never use a drive that is misbehaving or a
refurbished drive for forensic tasks
Make sure the tool you use has been
successfully tested on HPA & DCO areas
Tools To Wipe A Drive
cat /dev/zero > /dev/hdc
dd if=/dev/zero of=/dev/hdc
/dev/zero vs /dev/random
dban.sourceforge.net boot CD-ROM
x86 and PPC versions
Acronis Disk Director
gdisk, from Norton Ghost ver <9.0
A wide variety of functionally similar products
are available for different platforms
Most of the tools made before late 2004 do not
properly handle DCO and HPA sections of a disk.
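Wiping a forensic drive and then proving the wipe took, as an added shell example that is not part of the original deck. The "device" is a regular file so it runs anywhere; DEV and SIZE are assumed inputs, and the GNU coreutils dd, tr and wc are assumed.

```shell
#!/bin/sh
# Added example, not from the original deck: zero a forensic drive with dd
# (the "dd if=/dev/zero of=/dev/hdc" from the slide), then read the whole
# device back and prove every byte is NUL before the drive is trusted to
# receive evidence. In practice DEV is the block device and SIZE comes from
# the device itself (fdisk/hdparm), never from an assumed figure.

# zero_device DEV SIZE_BYTES: bs=512 matches the sector size. dd's exit
# status is returned: a write failure means the drive is misbehaving and,
# as the slide says, must not be used for forensic tasks.
zero_device() {
    dev="$1"; size="$2"
    dd if=/dev/zero of="$dev" bs=512 count=$(( size / 512 )) 2>/dev/null
}

# verify_zeroed DEV: exit 0 only if the device contains nothing but NUL
# bytes. tr strips every NUL from the read-back stream; anything left over
# is a sector that was not written (or a sector the drive lied about).
verify_zeroed() {
    dev="$1"
    nonzero=$(tr -d '\000' < "$dev" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}
```

A drive that passes verify_zeroed but later shows non-NUL bytes in unused areas has had something written to it, which is exactly what the wipe baseline is meant to expose.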
Best Case Scenario
Without rebooting, make two byte by
byte copies of the physical disk
DD disk dumps with an MD5 hash,
saved to a network link using netcat or
cryptcat, or
Under normal circumstances, execution of
these commands will not alter the filesystem
This can be a very slow process, when
compared to other available techniques
and tools.
Not Appropriate for all circumstances
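The dd-plus-MD5 dump described in the slide above, as an added shell example that is not from the original deck: the hash is taken from the same byte stream that produces the image, so the suspect disk is read once. The source is a constructed file standing in for /dev/hda; the GNU coreutils dd, tee and md5sum are assumed, and the netcat command forms in the comments are assumptions rather than the deck's.

```shell
#!/bin/sh
# Added example, not from the original deck: a dd dump of a suspect disk with
# the MD5 computed from the very byte stream that is written out, so the
# original is read exactly once. bs=512 matches the sector size, so
# conv=noerror,sync pads an unreadable sector with 512 zero bytes instead of
# padding the whole image out to a larger block size (which would change the
# hash of an otherwise exact copy).

# acquire_image SUSPECT IMAGE -> prints the MD5 of the stream written to IMAGE.
# Over a network (the slide's netcat/cryptcat case) "tee IMAGE" is replaced by
# the link, e.g. "| nc EVIDENCE_HOST 9000" on the suspect machine and
# "nc -l -p 9000 | tee image.dd | md5sum" on the evidence machine
# (assumed GNU netcat syntax; cryptcat is used the same way, with encryption).
acquire_image() {
    suspect="$1"; image="$2"
    dd if="$suspect" bs=512 conv=noerror,sync 2>/dev/null \
        | tee "$image" | md5sum | cut -d' ' -f1
}

# image_hash_matches IMAGE MD5 -> exit 0 if the file on disk still hashes to
# MD5. Run this before every examination of a work copy, not just once.
image_hash_matches() {
    image="$1"; expected="$2"
    actual=$(md5sum "$image" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# make_demo_disk PATH: constructed stand-in for /dev/hda, 8 sectors of zeros
# with a marker in sector 0 (sample data, not a real drive).
make_demo_disk() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    printf 'EVIDENCE' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
}
```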
What happens in real life
You need to shut down the machine first before you
can make an image.
Your suspect disk has physical damage making
some areas unreadable.
The suspect hardware is old, and does not work with
your brand new tools
Your hardware finds new and interesting ways to fail
on you.
Time constraints will limit your options
Boot to a forensic environment
Requires a bootable DOS, Linux, or BSD
diskette/CD-ROM, specifically modified or
created for forensic use.
Image MASSter boot CD uses a Windows
Preinstallation Environment.
Knoppix requires the noswap command line
option at bootup.
Not all Knoppix releases can be used for
forensics.
Older versions of Knoppix have known issues.
Current versions may have unknown issues.
Forensic Boot Diskette/CD-ROM
Can be based on DOS or Unix/Linux/BSD
Windows based tools require a hardware write-blocker
A standard DOS boot diskette must be modified
before it can be used for forensics.
When booting a computer with DOS 6.22 or later,
there is a chance of altering the hard drive if
compression programs like DRVSPACE,
DBLSPACE or STACKER are present on the hard
disk. WIN9X also may try to access certain files
on the C: drive during bootup.
WinME and later versions of DOS cannot be
properly modified for forensic uses.
Forensic DOS
mod_com
http://www.dmares.com
EnCase Boot Diskettes & CD-ROMs
http://www.encase.com/support/downloads.asp
Forensic Unix
F.I.R.E. - http://fire.dmzs.com/
FCCU Knoppix http://d-fence.be
Knoppix STD - http://www.knoppix-std.org/
Penguin Sleuth Kit
http://www.linux-forensics.com/downloads.html
Commercial Hardware Solutions
Solo2 Image MASSter
LogiQube Products
MD5
Talon
Hardware/Software Solutions
Link MASSter
Customized Solutions
Reading Tape Backups
MM/PC
DD
Example here
Imaging Read-Only Media
ISOBuster
UltraISO
WinImage
Hardware Write Blockers
IDE Write Blockers
FastBLOC FE & LE
SCSI Write Blockers
Serial ATA Write Blockers
Flash Media Write Blockers
USB/1394 IDE Write Blocker
FireFly - http://www.digitalintelligence.com/products/firefly/
Software Write Blockers
Linux
hdparm -r 1 /dev/hda (sets the kernel's read-only flag on the device)
DOS
HDL
PDBLOCK
High performance Hardware
Promise ATA133 Cards
Using Serial ATA for your forensic
drives
Portable RAID5 systems
Commercial Software Solutions
EnCase
Windows EnCase.EXE
DOS EN.EXE
Linux linen
AccessData's FTK
NTI's SafeBack
Blackbag tools
SMART
Commercial Software Solutions
Norton Ghost 2003 v8
Proper command line switches needed
Powerquest Drive Image (Ghost 9)
Acronis True Image
Free Software Solutions
Knoppix based CD-ROMs
Beware: there are known issues that make
early releases not suitable for forensic use.
Use the noswap & dma cheat codes
Belgian Federal Computer Crime Unit
(FCCU) http://www.d-fence.be
LinenLinux FCCU v8.0 (knoppix v3.8.1) with
EnCase v5.01
http://mirrors.easynews.com/linux/linenlinux
Law Enforcement Only
iLook v8.0 iLook Imager
FBI Forensic Linux Distribution
Network Acquisitions
SnapBack
EnCase Enterprise
Acquisition of RAID subsystems
Hardware vs. Software RAID
RAID0 - STRIPE
RAID1 - MIRROR
RAID5 - STRIPE with PARITY
JBOD - Just a Bunch Of Disks
Reconstructing a RAID array
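Reconstructing a striped array from member images, as an added shell example that is not part of the original deck. The chunk size and member order are assumed to be already known from the controller or the array metadata; only dd and cmp are used, and the member images are constructed sample files.

```shell
#!/bin/sh
# Added example, not from the original deck: rebuilding the logical volume of
# a RAID0 (stripe) set from per-member images using only dd, plus a sanity
# check for RAID1 (mirror) members. Stripe i of the volume sits on member
# (i mod N) at chunk index (i / N). CHUNK (stripe unit in bytes) and the
# member order are assumed to be known already, from the controller or the
# array metadata; both must be right or the filesystem will not assemble.

# rebuild_raid0 CHUNK OUT MEMBER0 MEMBER1 ...   (images in controller order)
rebuild_raid0() {
    chunk="$1"; out="$2"; shift 2
    ndisks=$#
    # all members are assumed to be the same size; the first sizes the volume
    nchunks=$(( $(wc -c < "$1" | tr -d ' ') / chunk ))
    : > "$out"
    i=0
    while [ "$i" -lt $(( nchunks * ndisks )) ]; do
        d=$(( i % ndisks ))          # which member holds stripe i
        k=$(( i / ndisks ))          # which chunk on that member
        eval "member=\${$(( d + 1 ))}"
        dd if="$member" of="$out" bs="$chunk" skip="$k" seek="$i" count=1 \
           conv=notrunc 2>/dev/null
        i=$(( i + 1 ))
    done
}

# mirrors_agree MEMBER0 MEMBER1 -> exit 0 if the two RAID1 members are
# identical. A mismatch means one member is stale or degraded; image and
# hash both, and document which one the examination used.
mirrors_agree() {
    cmp -s "$1" "$2"
}
```

The rebuilt volume is itself evidence: hash it and record the chunk size and member order used to produce it in the acquisition journal.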
Macintosh Disk Mode
Hold down the T key upon bootup,
and the Macintosh will act as an
external firewire drive.
Forensic image integrity verification
Checksums
CRC32
Hashes
MD5
SHA-1
SHA-256
cksum - Creates/Validates CRC32
Available in many older Unix systems
md5sum - Creates/Validates MD5
Common on modern Unix Systems
Win32 & DOS versions available
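Recording and re-checking all four of the checksums and hashes listed above for one image, as an added shell example that is not part of the original deck. It assumes the GNU coreutils cksum, md5sum, sha1sum and sha256sum and that the image is referred to by the same path each time; the manifest format is an assumption, not a standard.

```shell
#!/bin/sh
# Added example, not from the original deck: write the CRC32, MD5, SHA-1 and
# SHA-256 of a forensic image to a manifest at acquisition time, then re-check
# the image against it later (before an examination, after every copy, before
# court). One changed byte fails every algorithm; recording several means the
# image can still be validated by a tool that only understands one of them.
# Note that cksum's CRC is the POSIX variant, which differs from the zip/zlib
# CRC32, so compare cksum output only with cksum output.

# write_manifest IMAGE MANIFEST
write_manifest() {
    img="$1"; man="$2"
    {
        echo "crc32 $(cksum "$img" | cut -d' ' -f1)"    # cksum prints CRC SIZE NAME
        echo "md5 $(md5sum "$img" | cut -d' ' -f1)"
        echo "sha1 $(sha1sum "$img" | cut -d' ' -f1)"
        echo "sha256 $(sha256sum "$img" | cut -d' ' -f1)"
    } > "$man"
}

# check_manifest IMAGE MANIFEST -> one line per algorithm, exit 1 on any mismatch
check_manifest() {
    img="$1"; man="$2"; status=0
    while read -r algo recorded; do
        case "$algo" in
            crc32)  now=$(cksum "$img" | cut -d' ' -f1) ;;
            md5)    now=$(md5sum "$img" | cut -d' ' -f1) ;;
            sha1)   now=$(sha1sum "$img" | cut -d' ' -f1) ;;
            sha256) now=$(sha256sum "$img" | cut -d' ' -f1) ;;
            *) echo "unknown algorithm $algo" >&2; status=1; continue ;;
        esac
        if [ "$now" = "$recorded" ]; then
            echo "$algo OK"
        else
            echo "$algo MISMATCH"; status=1
        fi
    done < "$man"
    return "$status"
}
```

Keep the manifest with the chain-of-custody paperwork, not only beside the image, so a tampered image cannot arrive with a matching tampered manifest.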
Commercial Verification Products
New Technologies, Inc.
http://www.Forensics-Intl.com
crcmd5 - CRC & MD5 of files and file groups
disksig - MD5 of disks
Forensic Image Formats
DD / RAW
EnCase
SafeBack
SnapBack
SMART
For more information
http://users.erols.com/gmgarner/forensics/
International Journal of Digital Evidence
http://www.ijde.org/
http://www.e-evidence.info/
http://www.tucofs.com/tucofs.htm
http://www.forensics-intl.com
http://www.usdoj.gov/criminal/cybercrime
http://www.dcfl.gov
Any Final Questions?