Guide to Computer Forensics and Investigations, Second Edition

Transcription

1 Guide to Computer Forensics and Investigations, Second Edition Chapter 9 Data Acquisition Objectives Determine the best acquisition method Plan data-recovery contingencies Use MS-DOS acquisition tools Guide to Computer Forensics and Investigations, 2e 2 Objectives (continued) Use GUI acquisition tools Use X-Ways Replica and other tools for data acquisition Recover data from PDAs Guide to Computer Forensics and Investigations, 2e 3 1

2 Determining the Best Acquisition Method Three ways Bit-stream disk-to-image file Bit-stream disk-to-disk Sparse data copy of a file or folder Bit-stream disk-to-image file Most common method Can make more than one copy EnCase, FTK, SMART, Sleuth Kit, X-Ways, ilook Guide to Computer Forensics and Investigations, 2e 4 Determining the Best Acquisition Method (continued) Bit-stream disk-to-disk When disk-to-image copy is not possible Consider disk s geometry CHS configuration SafeBack, SnapCopy, Norton Ghost 2002 Sparse data copy Creates exact copies of folders and files For large disks PST or OST mail files, RAID servers Guide to Computer Forensics and Investigations, 2e 5 Determining the Best Acquisition Method (continued) When making a copy, consider: Size of the source disk Lossless compression might be useful Use digital signatures for verification Whether you can retain the disk How much time you have Location of the evidence Guide to Computer Forensics and Investigations, 2e 6 2

3 Planning Data Recovery Contingencies Create a duplicate copy of your evidence image file Make at least two copies of digital evidence Use different tools or techniques Copy host-protected area of a disk drive as well Image MaSSter Solo HAZMAT and environment conditions Guide to Computer Forensics and Investigations, 2e 7 Using MS-DOS Acquisition Tools Original tools Fit on a forensic boot floppy disk Require fewer resources DriveSpy Data-preservation commands Data-manipulation commands Guide to Computer Forensics and Investigations, 2e 8 Understanding How DriveSpy Accesses Sector Ranges First method Absolute starting sector, total number of sectors Example 0:1000,100 (primary master drive) Second method Absolute starting sector-ending sector Example 0: (101 sectors) Moving data CopySect 0:1000,100 1:2000,100 Guide to Computer Forensics and Investigations, 2e 9 3

4 Understanding How DriveSpy Accesses Sector Ranges (continued) Guide to Computer Forensics and Investigations, 2e 10 Using DriveSpy Data-Preservation Commands Work only on FAT16 and FAT32 disks SavePart Acquires an entire partition Even non-dos partitions WritePart Re-creates saved partition to its original format Be careful when restoring non-dos partitions Guide to Computer Forensics and Investigations, 2e 11 Using the SavePart Command Creates an image file of a partition Uses lossless compression Copies image to target disk Smaller disks Removable media Generates an MD5 hash value Cannot be used with partition gaps Guide to Computer Forensics and Investigations, 2e 12 4

5 Using the WritePart Command Re-create saved partition image files created with SavePart Decompresses the image file and writes it to the target disk Checks if target disk is equal or larger than original disk Prompts for all disks where image file is stored Guide to Computer Forensics and Investigations, 2e 13 Using the WritePart Command (continued) Guide to Computer Forensics and Investigations, 2e 14 Using the WritePart Command (continued) Guide to Computer Forensics and Investigations, 2e 15 5

6 Using DriveSpy Data-Manipulation Commands Isolate specific areas of a disk for examination Commands: SaveSect WriteSect Guide to Computer Forensics and Investigations, 2e 16 Using the SaveSect Command Copies specific sectors on a disk to a file Bit-stream copy Creates non-compressed files Flat files For hidden or deleted partitions and gaps Drive and Partition modes Example: SaveSect 1: c:\dir_name\file_name Guide to Computer Forensics and Investigations, 2e 17 Using the SaveSect Command (continued) Guide to Computer Forensics and Investigations, 2e 18 6

7 Using the WriteSect Command Re-creates data acquired with SaveSect Use it on DriveSpy s Drive and Partition modes Example: WriteSect c:\dir_name\file_name 2:10000 Disadvantage: Can overwrite data on target disk Useful for non-microsoft FAT file systems Guide to Computer Forensics and Investigations, 2e 19 Using the WriteSect Command (continued) Guide to Computer Forensics and Investigations, 2e 20 Using Windows Acquisition Tools Make job more convenient Hot-swappable devices Drawbacks: Windows can contaminate your evidence Require write-blocking hardware devices Cannot access host-protected areas Guide to Computer Forensics and Investigations, 2e 21 7

8 AccessData FTK Imager Included on AccessData FTK View evidence disks and bit-stream image files Makes bit-stream disk-to-image copies At logical partition and physical drive level Can segment the image file Guide to Computer Forensics and Investigations, 2e 22 AccessData FTK Imager (continued) Guide to Computer Forensics and Investigations, 2e 23 AccessData FTK Imager (continued) Steps: Boot up Windows Connect evidence disk to a write-blocker Connect target disk to write-blocker Start FTK Imager Create Disk Image Use Physical Drive option Guide to Computer Forensics and Investigations, 2e 24 8

9 AccessData FTK Imager (continued) Guide to Computer Forensics and Investigations, 2e 25 Using X-Ways X Replica Compact bit-streaming application program Fits on a forensic bootable floppy disk Produces a dd-like image Disk-to-image copy Disk-to-disk copy Can access host protected areas Guide to Computer Forensics and Investigations, 2e 26 Using Replica Create a forensic boot floppy disk Boot in MS-DOS Replica checks if HPA on BIOS is on If yes, asks you to turn it off Reboot Copy information Guide to Computer Forensics and Investigations, 2e 27 9

10 PDA Data Acquisition PDAs store, send, and receive data PDA/cell phone Synch with host computers Duplicate a host PC during an investigation Paraben Forensic Tool Special tool GUI-based tool Guide to Computer Forensics and Investigations, 2e 28 PDA Data Acquisition (continued) Guide to Computer Forensics and Investigations, 2e 29 PDA Data Acquisition (continued) Seize all PDA components Cables and power supplies Learn how to put PDA in debug mode Guide to Computer Forensics and Investigations, 2e 30 10

11 PDA Data Acquisition (continued) Guide to Computer Forensics and Investigations, 2e 31 General Considerations for PDA Investigations Seize the PDA and host computer PDA caddy and cables Collect documentation Get the power supply and recharge batteries Leave it plugged into the PDA Create a bit-stream image and a backup copy of the host PC Obtain or locate password used on the PDA Guide to Computer Forensics and Investigations, 2e 32 Re-create the Host Computer Steps: Connect caddy, cables, and external cards Install backup copy on new host Install PDA software Read documentation and synch PDA Examine downloaded PDA content Guide to Computer Forensics and Investigations, 2e 33 11

12 Re-create the Host Computer (continued) Guide to Computer Forensics and Investigations, 2e 34 Using Other Forensics-Acquisition Tools SnapBack DatArrest SafeBack EnCase Guide to Computer Forensics and Investigations, 2e 35 Exploring SnapBack DatArrest Columbia Data Products Old, reliable MS-DOS tool Perform bit-stream copy in three ways: Disk to SCSI drive Disk to network drive Disk to Disk Fits on a forensic boot floppy SnapCopy adjusts disk geometry Guide to Computer Forensics and Investigations, 2e 36 12

13 Exploring SafeBack Reliable MS-DOS tool Performs an SHA-256 calculation per sector copied Creates a log file Guide to Computer Forensics and Investigations, 2e 37 Exploring SafeBack (continued) Functions: Disk-to-image copy (image can be on tape) Disk-to-disk copy (adjusts target geometry) Parallel port laplink can be used Copies a partition to an image file Compresses acquire information Guide to Computer Forensics and Investigations, 2e 38 Exploring EnCase Windows Forensic Tool from Guidance Software Creates forensic boot floppy disks Load En.exe to the floppy Implements the best compression algorithm Copy methods Disk-to-disk Disk-to-network server drive Disk-to-drive on parallel port Guide to Computer Forensics and Investigations, 2e 39 13

14 Exploring EnCase (continued) Guide to Computer Forensics and Investigations, 2e 40 Summary Data acquisition methods: Bit-stream disk-to-image file Bit-stream disk-to-disk Sparse data copy Several tools available Lossless compression is acceptable Plan your digital evidence contingencies Use tools that can read partition gaps Guide to Computer Forensics and Investigations, 2e 41 Summary (continued) Be careful when using tools Risk of overwrite previous data Windows data acquisition tools Easy to use Can modify data DriveSpy, FTK Imager, Replica, SnapBack, SafeBack Investigations might involve PDAs Guide to Computer Forensics and Investigations, 2e 42 14