---
# System prepended metadata

title: 03 Data Acquisition
tags: [School, DFI, Notes, DISM]

---

---
title: '03 Data Acquisition'
disqus: hackmd
---

03 Data Acquisition
===

<style>
img{
/*     border: 2px solid red; */
    margin-left: auto;
    margin-right: auto;
    width: 90%;
    display: block;
}
</style>


## Table of Contents

[TOC]


Data Acquisition
---
- before analyse data, need to secure
- goal of forensic data acquisition is to create forensic copy of piece of media that is suitable to use as evi in court of law


### Storage Formats for Digital Evidence
- data in forensics acquisition tool stored as **image file**
- image file in 1 of 3 formats
    - raw format
    - proprietary formats
    - advanced forensics format (AFF) - newer

#### Raw Format
- possible to write bit stream data to files
    - sequence flat file
    - in past only do bit by bit copy to media same size or bigger to create evi
- advantages
    - fast data transfers
    - ignores minor data read errors on src drive
    - most comp forensics tools can read raw format
        - eg. .dd
- disadvantages
    - need same storage amt as orig disk/data
    - tools may not collect marginal (bad) sectors
        - due to low threshold of retry reads on weak media spots on drive

#### Proprietary Formats
- features
    - can compress image files
        - save space
    - can split img into smaller segmented files
        - provide integrity check for split data
    - can integrate metadata into img file
- disadvantages
    - cannot share img between diff tools/vendors
    - file size limit for ea segmented volume
        - usually 650mb
        - can adjust up/down at limit of 2gb
- expoer witness format is unofficial standard
    - default for guidance software encase
    - eg. ex01, e01

#### Advanced Forensics Format (AFF)
- open src acquisition format
- design goals
    - compressed or uncompressed img files
    - no size restriction for disk to img files
    - provide space in img/segmented file for metadata
    - simple design with extensibility
    - open src for multiple platforms and OS
    - vendors have no implementation restrictions on this format
        - possible future standard
    - internal consistency checks for self auth
- file ext use `.afd` for segmented img and `.afm` for AFF metadata


### Determining Best Acquisition Method
- types of acquisitions
    - static
    - live
- 4 methods of data collection
    - disk to img file
    - disk to disk
    - logical disk to disk
    - sparse data copy of file/folder
- when making copy, consider
    - size of src disk
        - lossless compression can be useful
            - dont permenantly remove data
            - orig data can be reconstructed
        - target dont need to be so big
        - use digital sig for verification
    - with large drives, alt is to use tape backup systems
        - eg. SDLT
        - can be slow if data large
    - whether can retain disk
        - sometime after copy, orig disk may need to be returned

#### Disk-to-Image File
- most common method
    - most flexible
- can make more than 1 copy
- copies are bit for bit replications of orig drive
- prodiscover, encase, ftk, SMART, sleuth kit, x-ways, ilookIX
    - tools that perform disk to img
    - read disk to img file as if orig disk

#### Disk to Disk
- when disk to img copy not possible
- tools can adjust disk's geometry config
    - eg. track, sectors etc.
- encase, snapcopy, safeback

#### Logical or Sparse Acquisition
- collecting evi from large device can take several hours
- reasons to use these methods
    - time limited
        - logical acq. captures only specific files of interest to case
            - eg. only investigate outlook
        - sparse acq. collects fragments of unallocated/deleted data
    - for large disks
    - for PST or OST mail files, RAID servers
        - up to several tb

### Contingency Planning for Image Acquisitions
- create duplicate copy of evi img file
    - in case failure
    - but time consuming
- make at least 2 imgs of digital evi
    - use diff tools or techniques
- copy host protected area (HPA - area not visible for os on drive) of disk too
    - consider using hardware acq. tool that can access drive at BIOS lvl to access HPA
- be prepared to deal with encrypted drives
    - whole disk encryption feature in windows called **BitLocker** makes static acq. difficult
    - may need user to provide decryption key
        - suspect might not cooperate

### Using Acquisition Tools
- advantages
    - acquiring evi from suspect drive more convenient
        - many tools for windows
        - especially with hot-swappable devices
            - eg. usb, fireware
- disadvantages
    - must protect acquired data with well-tested write-blocking hardware device
    - tools cant acquire data from disk's host protected area
        - host protected area (HPA - area not visible for os on drive)
    - some countries havent accept use of write-blocking devices for data acquisition
        - need check with legal

### Capturing Image with ProDiscover Basic
- connecting with suspect's drive to your workstation
    - document chain of evi for drive
    - remove drive from suspect's pc
    - config suspect's drive jumpers as needed
    - connect suspect drive to write blker device
    - create storage folder on target drive
- using prodiscover's proprietary acq. format
    - pd creates img files with `.eve` ext
        - log file with `.log`
        - special inventory file `.pds`
    - if compression option selected, pd uses `.cmp` instead of `.eve` on all segmented volumes

### Capturing Data with AccessData FTK Imager Lite
- ftk imager is windows acq. tool included with accessdata forensic toolkit
    - designed for viewing evi disks and disk to img files
- makes disk to img copies of evi drives
    - at logical partition and phy drive lvl
    - can segment img file
- evi drive must have hardware write blking device
    - or run from live cd like mini-winfe
- ftk imager cannot acquire drive's HPA
- use write blking device and follow
    - boot to windows
    - connect evi disk to write blker
    - connect target disk to write blker
    - start ftk imager lite
    - create disk img
        - use phy drive option

![](https://i.imgur.com/3x04Wpn.png)


![](https://i.imgur.com/NTXaK5j.png)
![](https://i.imgur.com/u0CxgeP.png)


Validating Data Acquisitions
---
- validating evi is most critical aspect of comp forensics
- needs **hashing algo utility**
- validation techniques
    - CRC-32
    - MD5
    - SHA-1
    - SHA-512

### Windows Validation Methods
- windows have no builtin algo tools
    - use 3rd pt utilities
        - hex editors like win hex
- commercial comp forensics programs have builtin validation features
    - ea program has own technique
    - prodiscover's .eve files contain metadata in acq. file or segmented files including hash val for suspect drive/partition
- raw format img files dont have metadata
    - separate manual validation recommended for all raw acquisitions

### Remote Network Acquisition Tools
- can remotely connect to suspect comp via network conn and copy data from it
- remote acq. tools vary in config and capabilities
    - some need manual intervention on remote suspect comps to initiate data copy
- tools like encase, prodiscover allow remote acq.
- drawbacks
    - antivirus, antispyware and firewall tools can be configed to ignore remote access programs
        - access can be blked
    - suspects can easily install own security tools that trigger alarm to notify them of remote access intrusions
- connecting remotely allows to
    - preview suspect's drive remotely while in use or powered on
    - perform live acq. (AKA smear as disk data being altered while comp active) while comp's comp powered on
    - encrypt conn between suspect and examiner
    - copy suspect's comp ram while comp on
    - use optional stealth mode to hide remote conn from suspect while data previewed/acquired
- other funcs
    - capture volatile system state info
    - analyse current running processes on remote system
    - locate unseen files and processes that might be running malware/spyware
    - remotely listen and view ip ports
    - run hash comparisons on remote system to search for trojans and rootkits
    - create hash inventory of all files on system remotely to establish baseline if it gets attacked
        - negative hash search capability

### Other Forensics Acquisition Tools
- magnet axiom
- passmark software imageusb
- asrdata smart
- runtime software
- ilookix investigator iximager
- sourceforge projects repository

#### Magnet Axiom
- able to recover digital evi from most sources including smartphones, cloud services, comps, iot devices and 3rd party images
- examination tool help forensics professionals find most relevant data and visualise for better analysis
- gaining popularity as user base increases

#### PassMark Software ImageUSB
- has acq. tool called imageusb for its os forensics analysis product
    - imageusb downloaded from osforensics website
- imageusb is free utility
    - can write img concurrently to multiple usb drives

#### Runtime Software
- offers shareware programs for data acq. and recovery
    - diskexplorer for FAT and NTFS
- features
    - create raw format img file
    - segment raw format or compressed img for achiving purposes
    - acces network comp drives

#### SourceForge
- provides several applications for security, analysis and investigations
    - preferred sc code repo and distribution platform for free and open src software (FOSS) projects
- [list of current tools](http://sourceforge.net/directory/security-utilities/storage/archiving/os:windows/freshness:recently-updated)

Summary
---
![](https://i.imgur.com/sCxzDR6.png)
![](https://i.imgur.com/KQFxZTR.png)




###### tags: `DFI` `DISM` `School` `Notes`