An Overview of Data Acquisition

Data Acquisition

Data acquisition is the first proactive step in the forensic investigation process. The aim of forensic data acquisition is to extract all of the data present on the victim's hard disk and create a forensic copy that can be used as evidence in court.

In some cases, data duplication is preferred over data acquisition for gathering the information, and first responders can also present the duplicated data in court. This section discusses data acquisition, how to duplicate the data (imaging), and how to verify image integrity.

Data Acquisition

Data acquisition is the use of established methods to extract electronically stored information (ESI) from a suspect computer or storage media in order to gain insight into a crime or an incident. Forensic data acquisition is the process of imaging or otherwise collecting data from various media in accordance with defined standards so that its forensic value can be analyzed. It is one of the most important steps in digital forensics, because improper acquisition may alter the data on the evidence media and render it inadmissible in a court of law.

Incident responders should be able to verify the accuracy of the acquired data, and the whole process should be auditable and acceptable to the court. With the progress of technology, the data acquisition process has become more accurate, simple, and versatile. It uses many kinds of equipment, ranging from small sensors to sophisticated computers.

Data acquisition falls into the following two categories:

• Live/Volatile data acquisition: The process of acquiring volatile data from a working computer (either locked or in sleep state) that is already powered on. Volatile data is fragile and is lost once the system loses power or the user switches it off. Such data resides in registers, cache, and RAM. Since RAM and other volatile data are dynamic, collection of this information must occur in real time.

• Static data acquisition: The process of acquiring the non-volatile (unchanging) data that remains in the system even after shutdown. Incident responders can recover such data from hard drives as well as from slack space, swap files, and unallocated drive space. Other sources of non-volatile data include DVD-ROMs, USB thumb drives, smartphones, and PDAs. Static acquisition is usually appropriate for computers the police have seized during a raid and that include an encrypted drive.


Duplicate the Data (Imaging)

Performing the investigation on the original evidence may misdirect the investigation toward different results and may leave the original evidence vulnerable. Data duplication is an important step in securing the original evidence. Investigating the original evidence can damage the identity of the evidence and make it no longer useful to the case.
Data duplication involves bit-by-bit copying of the original data using a software or hardware tool. The duplicated data should be an exact blueprint of the original evidence; create two or more copies so that different investigations can be performed on them. The extra copies also help if one copy is damaged. Send the duplicated data to the forensics lab for investigation and further analysis.

Points to remember while duplicating the data:

• Make a duplicate of the collected data so as to preserve the original
• The data should be duplicated bit by bit so that it represents exactly the same data as the original
• Use industry-standard or certified hardware or software tools to duplicate the data
• Once a copy of the original data is created and verified, use the copy for further processing

Data Imaging Tools

Discussed below are some of the important tools used to create a duplicated bit-by-bit image:

FTK Imager: FTK Imager is a data preview and imaging tool that allows analysis of files and folders on local hard drives, CDs/DVDs, and network drives, and examination of the contents of forensic images or memory dumps. FTK Imager can also create MD5 or SHA-1 hashes of files, review and recover files deleted from the Recycle Bin, export files and folders from forensic images to disk, and mount a forensic image to view its contents in Windows Explorer.

R-Drive Image: R-Drive Image is a powerful utility that provides creation of disk image files for backup or duplication purposes. R-Drive Image restores the images onto the original disks, onto other partitions, or even into a hard drive's free space. Using R-Drive Image, one can restore the system after heavy data loss caused by an OS crash, virus attack, or hardware failure. Its features include:

• A simple wizard interface
• Image file compression
• Removable media support
• Image file splitting
• Image protection


Verify Image Integrity

Hash values are like data fingerprints: no two different files produce the same hash value. The hash algorithms used in forensics are MD5 and SHA. Calculate and compare the MD5 hash of the original evidence and of the forensic image; identical hash values show that the image is the same as the evidence.

Perform the following steps to verify image integrity:

• Calculate the hash value of the original data and of the forensic image that was generated
• If the two values match, the forensic image is an exact duplicate of the original data
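The following is an added example, not code from the article or from any of the tools it names. It carries out in Python both procedures described above: the bit-by-bit duplication from "Duplicate the Data (Imaging)" and the hash comparison from "Verify Image Integrity". The "suspect disk" is a constructed file, not a real device, and every function name is my own. Alongside MD5 and SHA-1, which the article names, it also records SHA-256, since practical collisions are known for MD5 and SHA-1 and an examiner's report normally carries at least one collision-resistant digest; the verification step then checks that original, image and the hashes recorded at acquisition time all agree, and the demo shows the check failing after a single byte of the image is altered.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 1024 * 1024          # copy and hash 1 MiB at a time so large images never sit in RAM
ALGORITHMS = ("md5", "sha1", "sha256")  # MD5 and SHA-1 as in the article, SHA-256 as the collision-resistant check


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hex digest} for the whole file at path, read block by block."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source_path, image_path, algorithms=ALGORITHMS):
    """Copy source_path to image_path byte for byte and return the acquisition hashes,
    computed from exactly the bytes that were written. These are the values an examiner
    records in the acquisition notes at imaging time."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(block)
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source_path, image_path, acquisition_hashes):
    """Recompute every hash over the original and over the image, and report per
    algorithm whether original, image and the recorded acquisition hash all agree."""
    algorithms = tuple(acquisition_hashes)
    original = hash_file(source_path, algorithms)
    image = hash_file(image_path, algorithms)
    return {name: original[name] == image[name] == acquisition_hashes[name]
            for name in algorithms}


def known_answer_check():
    """Sanity check of hash_file against the published digests of the string 'abc'."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "abc.bin")
        with open(path, "wb") as f:
            f.write(b"abc")
        return hash_file(path)


def run_demo():
    """Image a constructed ~3 MiB 'disk', verify the image, then flip one byte in the
    image and verify again. Returns (verdict_before_tamper, verdict_after_tamper)."""
    with tempfile.TemporaryDirectory() as workdir:
        disk = os.path.join(workdir, "suspect_disk.raw")   # constructed stand-in for the evidence drive
        image = os.path.join(workdir, "suspect_disk.dd")   # hypothetical raw image file name
        with open(disk, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096 + 7))    # constructed, non-uniform content
        recorded = acquire_image(disk, image)
        before = verify_image(disk, image, recorded)
        # Simulate corruption of the image (bad sector, transfer error, or tampering):
        # invert a single byte in the middle of the file.
        with open(image, "r+b") as f:
            f.seek(os.path.getsize(image) // 2)
            byte = f.read(1)
            f.seek(-1, os.SEEK_CUR)
            f.write(bytes([byte[0] ^ 0xFF]))
        after = verify_image(disk, image, recorded)
        return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("after imaging:  ", before)   # every algorithm True
    print("after tampering:", after)    # every algorithm False
```

Note that the hashes are taken from the stream as it is written, not from a later read of the image, so the recorded values describe what the imaging tool actually produced; the separate verification pass, which re-reads both files from disk, is what proves the copy on disk still matches the original and the acquisition record.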

Listed below are some of the tools used to calculate the hash value:

HashCalc: A free calculator used to compute multiple hashes, checksums, and HMACs for files, text, and hex strings.

MD5 Calculator: MD5 Calculator helps in calculating the MD5 hash value of the selected file. Right-click the file and select “MD5 Calculator,” and the program calculates the MD5 hash.

HashMyFiles: HashMyFiles is a small utility that calculates the MD5 and SHA-1 hashes of one or more files on the system.

Questions related to this topic

1. How do I find the hash value of a file?
2. How are hash values used in cyber investigations?
3. Where does AccessData FTK Imager find the original hash of the drive image file for hash comparison?
4. How does FTK Imager verify the integrity of the evidence file?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com