Review Data Acquisition and Duplication Steps
Data acquisition is the first proactive step in the forensic investigation process. The aim of forensic data acquisition is to make a forensic copy of data that can act as evidence in a court of law.
Forensic data duplication refers to the creation of a file that has every bit of information from the source in a raw bit-stream format.
Steps to follow in the process of data acquisition and data duplication are:
- Prepare a chain of custody document and make a note of all the actions performed over the evidence source and data, along with the names of investigators performing the task, the time and date, and the result
- Enable write protection on the evidence media, as most devices have two-way communication enabled and can alter the data on the evidence source
- Sanitize the target media, which is going to hold a copy of the evidence data
- Determine the data acquisition format before starting the process and see that the copy remains in the same format as the original data
- Analyze the requirements and select the best acquisition method
- Select the appropriate data acquisition tool, which can serve all the actions required while ensuring safety of the data
- Acquire the complete data along with hidden and encrypted spaces
- Have contingency plans in case of an incident
- After completion of duplication, validate data acquisitions to check the integrity and completeness of the data
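The steps above (chain of custody, write protection on the source, bit-stream copy, and post-acquisition validation) carried through on a constructed sample file, as an added example that is not part of the original article or any forensic tool; the log format, examiner name and file names are assumptions.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

BLOCK = 4096  # fixed-size blocks, read sequentially like a bit-stream imager

def log_custody(log_path, examiner, action, result):
    """Append one chain-of-custody entry: who, when, what was done, and the outcome."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "action": action, "result": result}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_raw(source, image, log_path, examiner):
    """Bit-stream copy source -> image, then validate by comparing size and SHA-256."""
    src_hash = sha256_file(source)  # hash the source before touching anything else
    log_custody(log_path, examiner, f"hash source {source}", src_hash)
    # Software side of write protection: the source is only ever opened read-only.
    fd = os.open(source, os.O_RDONLY)
    with os.fdopen(fd, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            dst.write(chunk)
    img_hash = sha256_file(image)
    ok = img_hash == src_hash and os.path.getsize(image) == os.path.getsize(source)
    log_custody(log_path, examiner, f"acquire {source} -> {image}",
                "verified" if ok else "HASH MISMATCH")
    return {"source_hash": src_hash, "image_hash": img_hash, "verified": ok,
            "log_entries": sum(1 for _ in open(log_path))}

def demo():
    """Constructed sample 'evidence drive': a small file of fixed and random bytes (assumption)."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "evidence.bin")
    with open(src, "wb") as f:
        f.write(b"MBR" + b"\x00" * 509 + os.urandom(BLOCK * 3 + 17))
    return acquire_raw(src, os.path.join(d, "evidence.dd"),
                       os.path.join(d, "custody.jsonl"), "Examiner A")
```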
Prepare a Chain of Custody Document
A chain of custody is a written record consisting of all the processes involved in the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. It also includes the details of people, time, and purpose involved in the investigation and evidence maintenance processes.
Chain of custody documents track collected information and preserve the integrity of the collected evidence. They should contain details of every action performed during the process and its result. The forensic investigators are always responsible for the protection of the chain of custody document.
Enable Write Protection on the Evidence Media
Write protection is the ability of a hardware device or a software program to restrict itself from writing any new data to a computer or modifying the data on it. Enabling write protection allows reading the data but not writing or modifying.
Forensic investigators should be confident about the integrity of the evidence they obtain during the acquisition, analysis, and management. The evidence should be legitimate to convince the authorities of the court.
The investigator needs to implement a set of procedures to prevent the execution of any program that can alter the disk contents. The procedures that would offer a defense mechanism against any alterations include:
- Set a hardware jumper to make the disk read only
- Use operating system and software which cannot write to the disk unless instructed
- Employ a hard disk write block tool to protect against disk writes
Hardware and software write blocker tools provide read-only access to hard disks and other storage devices without compromising their security. The main differences between them arise during the installation and usage process.
Sanitize the Target Media: NIST SP 800-88 Guidelines
Media sanitization is the process of permanently deleting or destroying data from storage media. The proposed NIST SP 800-88 guidance explains three sanitization methods:
- Clear: Logical techniques applied to sanitize data in all storage areas using the standard read and write commands.
- Purge: Involves physical or logical techniques that make target data recovery infeasible using state-of-the-art laboratory techniques
- Destroy: Enables target data recovery to be infeasible with the use of state-of-the-art laboratory techniques, which result in an inability to use the media for data storage.
The National Institute of Standards and Technology has issued a set of guidelines to help organizations sanitize data to preserve the confidentiality of the information.
They are:
- The application of complex access controls and encryption can reduce the chances for an attacker to gain direct access to sensitive information
- An organization can dispose of the not so useful media data by internal or external transfer or by recycling to fulfill data sanitization
- Effective sanitization techniques and tracking of storage media are crucial to ensure protection of sensitive data by organizations against attackers
- All organizations and intermediaries are responsible for effective information management and data sanitization
Physical destruction of media involves techniques, such as cross-cut shredding. Departments can destroy media on-site or through a third party that meets confidentiality standards.
Investigators must consider the type of target media they are using for copying or duplicating the data and select an appropriate sanitization method, to ensure that no part of the previous data remains on the target media that will store the evidence files. Residual data from previous use may alter the properties of the evidence data or change the data and its structure.
Determine the Data Acquisition Format
The data collected by forensic tools is stored in image files. There are three formats available for these data storage image files.
They are:
1. Raw Format
Previously, a bit-by-bit copy of data from one disk to another was the only option to copy data to preserve and examine the evidence. Therefore, to achieve evidence preservation, vendors and some OS utilities allowed writing bit-stream data to files. This copy technique allowed the creation of simple, sequential, flat files of a data set or suspect drive. Raw format is the output of these flat files.
Advantages:
- Data transferring is fast
- Can ignore minor data read errors on the source drive
- A universal acquisition format that most forensic tools can read
Disadvantages:
- Takes same storage space as that of original disk or data set
- Some tools like freeware versions may not collect bad sectors on the source drive
Freeware tools have a lower threshold of retry reads on weak media spots on a drive than commercial acquisition tools, which have a higher threshold to ensure the collection of the entire data.
2. Proprietary Format
Raw format and Advanced Forensics Format are open source formats; all other formats are proprietary. These formats vary from one vendor to another according to the features they offer, which means that there are a number of proprietary formats available.
Features:
- Saves space on the target drive and allows image files of a suspect drive to be stored compressed or uncompressed
- Allows splitting an image into smaller segmented files and storing them on CDs or DVDs
- Ensures data integrity by applying data integrity checks on each segment while splitting
- It can integrate metadata into image file by adding metadata such as date and time of the acquisition, examiner or investigator name, the hash value of the original medium or disk and case details or comments
Disadvantages:
- Sharing of an image between different computer forensics tools is not possible (for example, ILook Investigator and IXimager produce three proprietary formats—IDIF, IRBF, and IEIF—that can be read only by ILook)
- Each segmented volume has file size limitation
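The two features above that distinguish segmented formats from a flat raw image, per-segment integrity checks and embedded acquisition metadata, as an added example that is not part of the original article and not any vendor's format; the segment size, file names, examiner and case values are constructed assumptions.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

SEGMENT = 4096  # constructed small segment size; real tools use hundreds of MB per segment

def split_image(image_path, out_dir, examiner, case):
    """Write image_path as numbered segments plus a metadata file with a SHA-256 per segment."""
    meta = {"acquired": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
            "case": case, "segment_size": SEGMENT, "segments": []}
    whole = hashlib.sha256()
    with open(image_path, "rb") as f:
        for i, chunk in enumerate(iter(lambda: f.read(SEGMENT), b"")):
            name = f"image.{i + 1:03d}"
            with open(os.path.join(out_dir, name), "wb") as seg:
                seg.write(chunk)
            whole.update(chunk)
            meta["segments"].append({"file": name, "size": len(chunk),
                                     "sha256": hashlib.sha256(chunk).hexdigest()})
    meta["sha256_whole"] = whole.hexdigest()  # hash of the original medium as a whole
    with open(os.path.join(out_dir, "image.meta.json"), "w") as m:
        json.dump(meta, m, indent=1)
    return meta

def verify_segments(out_dir):
    """Re-hash every segment against the metadata; return (all_ok, names that failed)."""
    with open(os.path.join(out_dir, "image.meta.json")) as m:
        meta = json.load(m)
    bad, whole = [], hashlib.sha256()
    for s in meta["segments"]:
        with open(os.path.join(out_dir, s["file"]), "rb") as seg:
            data = seg.read()
        whole.update(data)
        if len(data) != s["size"] or hashlib.sha256(data).hexdigest() != s["sha256"]:
            bad.append(s["file"])  # pinpoints which segment to re-acquire
    if whole.hexdigest() != meta["sha256_whole"]:
        bad.append("whole-image")
    return (not bad), bad

def demo():
    """Constructed image spanning 2.5 segments; verify, flip one byte in segment 2, re-verify."""
    d = tempfile.mkdtemp()
    img = os.path.join(d, "evidence.dd")
    with open(img, "wb") as f:
        f.write(os.urandom(SEGMENT * 2 + 100))
    meta = split_image(img, d, "Examiner A", "CASE-0001 (constructed)")
    clean = verify_segments(d)
    with open(os.path.join(d, "image.002"), "r+b") as seg:  # simulate a damaged segment
        seg.seek(10); b = seg.read(1); seg.seek(10); seg.write(bytes([b[0] ^ 0xFF]))
    return len(meta["segments"]), clean, verify_segments(d)
```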
3. Advanced Forensics Format (AFF)
AFF is an open source data acquisition format that stores disk images and related metadata. The aim was to make a disk imaging format that would not lock users into a proprietary format. The AFF file extensions are .afm for AFF metadata and .afd for segmented image files. There are no AFF implementation restrictions on forensic investigators, as it is an open source format, but this can limit its analysis.
AFF supports two compression algorithms: 1) zlib, faster but less efficient, and 2) LZMA, slower but more efficient. The actual AFF image is a single file that has segments holding drive data and metadata. AFF file contents can be stored compressed or uncompressed. AFFv3 supports the AFF, AFD, and AFM file extensions.
4. Advanced Forensic Framework 4 (AFF4)
Michael Cohen, Simson Garfinkel, and Bradley Schatz created the Advanced Forensic Framework 4 (AFF4) as a redesigned and revamped version of the AFF format. The creators described it as object oriented, as it contains generic objects with externally accessible behavior. Designed to support storage media with huge capacities, the AFF4 universe allows objects to be addressed by their name.
The format can support a vast number of images and offers a selection of binary container formats, such as Zip, Zip64, and simple directories. It also supports network storage and the use of WebDAV for imaging directly to a central HTTP server. This format supports maps, which are zero-copy transformations of data: for example, instead of storing a new copy of a carved file, only a map of the blocks allocated to that file is stored. AFF4 supports image signing and cryptography. This format also offers image transparency to clients.
The AFF4 design adopts a scheme of globally unique identifiers for identifying and referring to all evidence.
Basic AFF4 object types include:
- Volumes: They store segments which are indivisible blocks of data
- Streams: Data objects that can be read from or written to, e.g., segments, images, and maps
- Graphs: Collections of RDF statements
5. Generic Forensic Zip (gfzip)
Gfzip provides an open file format for compressed, forensically complete, and signed disk image data files. It is a set of tools and libraries that help in creating and accessing randomly accessible zip files. It uses multi-level SHA256 digests to safeguard the files. It also embeds the user's metadata within the file metadata. This file format focuses on signing the data and metadata sections using X.509 certificates.
The gfzip file format is suitable for compressed, non-sequentially accessible storage of disk image data for computer forensic purposes.
Features:
- Uncompressed disk images are similar to the dd images.
- Non-sequential seek/read methods are used for read access to compressed disk image data.
- Flags can be set for disk image data sections, for example, to mark bad sections.
Questions related to this topic
- What are the different types of file formats?
- Where is file metadata stored?
- What is file system metadata?
- What metadata can we get from various files?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com