This article on data acquisition methods explains which methods are used for data acquisition and which of them are used routinely in forensic investigations.
There are following four methods available for data acquisition:
1. Bit-stream disk-to-image file
Forensic investigators commonly use this data acquisition method. It is a flexible method, which allows creation of one or more copies, or bit-for-bit replications, of the suspect drive. ProDiscover, EnCase, FTK, The Sleuth Kit, X-Ways Forensics, ILook Investigator, etc. are the popular tools used to read disk-to-image files.
2. Bit-stream disk-to-disk
Sometimes it is not possible to create a bit-stream disk-to-image file due to software or hardware errors or incompatibilities. Investigators often face such issues while trying to acquire data from older drives; in that case they create a bit-stream disk-to-disk copy of the original disk or drive instead. Tools like EnCase, SafeBack, and Norton Ghost can help create a disk-to-disk bit-stream copy of the suspect drive. These tools can modify the target disk’s geometry (its head, cylinder, and track configuration) to match the data copied from the original suspect drive.
Data Acquisition Methods (Cont’d)
The other two methods of data acquisition are logical and sparse acquisition. Gathering evidence from large drives is time consuming; therefore, investigators use logical or sparse acquisition when there is a time limit.
1. Logical Acquisition
Logical acquisition gathers only the files required for the case investigation. For example:
- Collection of Outlook .pst or .ost files in email investigations
- Specific record collection from a large RAID server
2. Sparse Acquisition
Sparse acquisition is similar to logical acquisition. Through this method, investigators can collect fragments of unallocated (deleted) data. This method is very useful when it is not necessary to inspect the entire drive.
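The logical acquisition described above, as an added example that is not part of the original article: only the files the case calls for (here, Outlook .pst and .ost stores) are copied out of a constructed user profile tree, their relative paths and timestamps are preserved, and a hash manifest records what was taken. The directory layout, file names and file contents are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile

# Extensions the case calls for; .pst/.ost are the Outlook stores named in the article.
WANTED_EXTENSIONS = (".pst", ".ost")


def sha1_of_file(path: str) -> str:
    """SHA-1 of a file, read in chunks so large mail stores do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def logical_acquire(source_root: str, dest_root: str, extensions=WANTED_EXTENSIONS) -> list:
    """Copy only the files matching the wanted extensions into dest_root.

    Relative paths and modification times are kept, every copy is re-hashed
    against its source, and a manifest of (relative path, size, sha1) is
    written beside the copies and returned.
    """
    manifest = []
    for dirpath, _dirs, files in os.walk(source_root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue                      # not relevant to the case: skip it
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, source_root).replace(os.sep, "/")
            dst = os.path.join(dest_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)            # copy2 preserves the modification time
            digest = sha1_of_file(dst)
            if digest != sha1_of_file(src):
                raise RuntimeError(f"copy verification failed for {rel}")
            manifest.append((rel, os.path.getsize(dst), digest))
    manifest.sort()
    with open(os.path.join(dest_root, "manifest.txt"), "w") as m:
        for rel, size, digest in manifest:
            m.write(f"{digest}  {size}  {rel}\n")
    return manifest


def run_demo() -> list:
    """Build a constructed profile tree and acquire only the mail stores from it."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "source")
    dest = os.path.join(work, "evidence")
    os.makedirs(os.path.join(source, "Outlook"))
    os.makedirs(os.path.join(source, "Documents"))
    os.makedirs(dest)
    # Constructed placeholder contents, not real Outlook data.
    with open(os.path.join(source, "Outlook", "alice.pst"), "wb") as f:
        f.write(b"\x00" * 1024)
    with open(os.path.join(source, "Outlook", "cache.OST"), "wb") as f:
        f.write(b"\x01" * 512)
    with open(os.path.join(source, "Documents", "notes.txt"), "wb") as f:
        f.write(b"not part of the logical acquisition")
    return logical_acquire(source, dest)


if __name__ == "__main__":
    for rel, size, digest in run_demo():
        print(f"{digest}  {size:>8}  {rel}")
```

The manifest is what makes a logical acquisition defensible: it states exactly which files were taken and lets anyone re-hash the copies later.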
Determine the Best Acquisition Method
While creating a copy of the suspect drive, consider the following to determine the best acquisition method for the investigation process:
1. Size of the source disk:
- Know if you can retain the source disk as evidence or return it to the owner
- Calculate the time taken to perform acquisition and the evidence location
- Make sure that the target disk can store the disk-to-image file if the source disk is very large
- Choose an alternative method to reduce the data size if the target disk is not of comparable size
2. Methods to reduce data size are:
- Use Microsoft disk compression tools like DriveSpace and DoubleSpace, which exclude the slack disk space between files
- Use compression algorithms to reduce the file size
- Archiving tools like PKZip, WinZip, and WinRAR can help compress the data
- A lossless compression algorithm can also be useful:
- Perform an MD5 or SHA-1 hash on a file before and after compressing it, in order to test the lossless compression. The compression is successful only if the hash values match.
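The hash-before-and-after check above, as an added example that is not part of the original article: the file is hashed, compressed with DEFLATE (the algorithm behind ZIP), decompressed, and hashed again; the compression is accepted only if both digests match. The sample file contents are constructed for the demo, and a second function shows that the same check catches a restore that differs from the original by a single bit.

```python
import hashlib
import zlib

# Constructed sample "evidence file" contents; not data from the original article.
SAMPLE_FILE = (b"From: alice@example.invalid\r\nTo: bob@example.invalid\r\n"
               b"Subject: quarterly report\r\n\r\n" + b"0123456789" * 200)


def digest(data: bytes, algo: str = "sha1") -> str:
    """Hex digest of the data with the named hashlib algorithm (md5 or sha1 here)."""
    return hashlib.new(algo, data).hexdigest()


def verify_lossless_compression(data: bytes, algo: str = "sha1") -> dict:
    """Hash the file, compress it, decompress it, hash again, and compare.

    A lossless algorithm must reproduce the input bit for bit, so the two
    digests must be identical; any difference means the data was changed.
    """
    hash_before = digest(data, algo)
    compressed = zlib.compress(data, 9)          # DEFLATE, the algorithm behind ZIP
    restored = zlib.decompress(compressed)
    hash_after = digest(restored, algo)
    return {
        "algorithm": algo,
        "original_size": len(data),
        "compressed_size": len(compressed),
        "hash_before": hash_before,
        "hash_after": hash_after,
        "lossless": hash_before == hash_after,
    }


def simulate_corrupted_restore(data: bytes, algo: str = "sha1") -> bool:
    """Return whether a restore with one flipped bit would still pass the check (it must not)."""
    damaged = bytearray(data)
    damaged[len(damaged) // 2] ^= 0x01              # flip a single bit in the middle
    return digest(data, algo) == digest(bytes(damaged), algo)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        result = verify_lossless_compression(SAMPLE_FILE, algo)
        print(f"{algo}: {result['original_size']} -> {result['compressed_size']} bytes, "
              f"lossless={result['lossless']}")
    print("corrupted restore passes check:", simulate_corrupted_restore(SAMPLE_FILE))
```

In practice the "before" digest is recorded in the case notes before the archive is created, so the later comparison is against a value that was fixed independently of the archive.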
Two further considerations apply when determining the best acquisition method for the investigation process:
1. Whether you can retain the disk
- If the investigator cannot retain the original drive, as in a discovery demand for a civil litigation case, check with the requester (a lawyer or supervisor) whether the court accepts a logical acquisition
- If investigators can retain the drive, make sure to take a proper copy of it during acquisition, as most discovery demands give only one chance to capture the data
- Additionally, the investigators should maintain a familiar, reliable forensics tool
2. When the drive is very large
- Use tape backup systems like Super Digital Linear Tape (SDLT) or Digital Audio Tape/Digital Data Storage (DAT/DDS) if the suspect drive is vast
- SnapBack and SafeBack have software drivers to write data to a tape backup system from a suspect drive through standard PCI SCSI cards
- This method has the advantage of no limit on the required data size
- The biggest disadvantage is that it is a slow and time-consuming process
Select the Data Acquisition Tool:
1. Mandatory Requirements
Digital evidence is critical for the security incident investigation. The investigators usually perform the investigation process on the copy of the original digital evidence. Therefore, while creating a copy of the original evidence with the help of disk imaging tools, the investigator should ensure the reliability and integrity of the digital evidence.
Disk imaging tools have two types of requirements – mandatory and optional:
- All disk imaging tools must accomplish the tasks described as mandatory requirements
- The tools may or may not provide the features discussed under the optional requirements
2. Mandatory Requirements (Cont’d)
Following are the mandatory requirements for every tool used for the disk imaging process:
- The tool must not alter or make any changes to the original content
- The tool must log I/O errors in an accessible and readable form, including the type and location of the error
- The tool must be able to compare the source and destination and alert the user if the destination is smaller than the source
- The tool must have the ability to pass scientific and peer review. Results must be repeatable and verifiable by a third party, if necessary
- The tool shall completely acquire all visible and hidden data sectors from the digital source
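The mandatory requirements above, and the bit-stream disk-to-image method from the start of the article, as an added example that is not part of the original article or of any of the tools it names: a sector-by-sector imager that only ever reads from the source, logs each read error with its type and location, compares the source and image sizes, records a digest of the image, and re-hashes the written file independently so the result can be repeated by a third party. The "drive" is a constructed in-memory stand-in whose sector 3 fails on read; zero-filling an unreadable sector is an assumption (common imaging practice) and is not something the article states.

```python
import hashlib
import os
import tempfile

SECTOR = 512


class SimulatedDrive:
    """Constructed stand-in for a suspect drive opened read-only.

    A real acquisition reads a block device, ideally behind a write blocker;
    here the "device" is an in-memory byte string, and the listed sector
    numbers raise the same OSError a failing disk read would. There is no
    write path, so the original content cannot be altered.
    """

    def __init__(self, data: bytes, bad_sectors=()):
        self._data = data
        self._bad = frozenset(bad_sectors)
        self.size = len(data)

    def read_sector(self, n: int) -> bytes:
        if n in self._bad:
            raise OSError(5, "Input/output error")
        return self._data[n * SECTOR:(n + 1) * SECTOR]


def acquire_image(drive, image_path: str, log_path: str, algo: str = "sha1") -> dict:
    """Bit-stream disk-to-image copy covering the mandatory requirements listed above."""
    sectors = (drive.size + SECTOR - 1) // SECTOR     # all sectors, including a partial last one
    h = hashlib.new(algo)
    unreadable = []
    with open(image_path, "wb") as img, open(log_path, "w") as log:
        for n in range(sectors):
            try:
                chunk = drive.read_sector(n)
            except OSError as exc:
                # Requirement: log the error type and location in readable form.
                unreadable.append(n)
                log.write(f"sector={n} offset={n * SECTOR} errno={exc.errno} "
                          f"error={exc.strerror} action=zero-filled\n")
                # Assumption (common imaging practice, not stated by the article): keep the
                # image sector-aligned by writing zeros in place of the unreadable sector.
                chunk = b"\x00" * min(SECTOR, drive.size - n * SECTOR)
            img.write(chunk)
            h.update(chunk)
    image_size = os.path.getsize(image_path)
    return {
        "source_size": drive.size,
        "image_size": image_size,
        # Requirement: compare source and destination and alert if the image is smaller.
        "destination_smaller": image_size < drive.size,
        "unreadable_sectors": unreadable,
        "image_hash": h.hexdigest(),
        "hash_algorithm": algo,
    }


def hash_file(path: str, algo: str = "sha1") -> str:
    """Independent re-hash of the image file, so the verification is repeatable."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def run_demo() -> dict:
    """Image a constructed 5124-byte drive whose sector 3 is unreadable."""
    data = bytes(range(256)) * 20 + b"tail"          # 10 full sectors plus a 4-byte partial one
    drive = SimulatedDrive(data, bad_sectors={3})
    work = tempfile.mkdtemp()
    image = os.path.join(work, "suspect.dd")
    log = os.path.join(work, "acquisition.log")
    result = acquire_image(drive, image, log)
    result["verified"] = hash_file(image) == result["image_hash"]
    result["source_hash"] = hashlib.sha1(data).hexdigest()   # what a clean read would have given
    with open(log) as f:
        result["log"] = f.read().splitlines()
    return result


if __name__ == "__main__":
    r = run_demo()
    print(f"image {r['image_size']} of {r['source_size']} bytes, "
          f"unreadable sectors {r['unreadable_sectors']}, verified={r['verified']}")
    print("\n".join(r["log"]))
```

Note that a zero-filled sector means the image digest will differ from the digest of the original media; the error log is what explains that difference, which is why the requirement insists the log be readable and record the location.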
Questions related to this topic
- What are the considerations you should have when deciding what data acquisition method to use on your investigation?
- What are the three best forensic tools?
- What are the forensic tools?
- What are the needs for computer forensics tools?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com