Understand Acquiring RAID Disks
Acquiring RAID disks can be challenging for forensics examiners because of the RAID system's design, configuration, and size. The greatest concern is size, as many RAID systems now hold many terabytes of data.
Copying a small RAID system to one large disk is possible now that larger disks are available. Investigators should use a proprietary-format acquisition with compression to fit more data into less storage capacity.
Computer forensics vendors have added many RAID recovery features, and each vendor tends to specialize in one or two kinds of RAID formats.
Some of the vendors that offer RAID acquisition functions are:
- Technologies Pathways ProDiscover
- Guidance Software EnCase
- X-Ways Forensics
- Runtime Software
- R-Tools Technologies
Investigators need up-to-date knowledge of the latest improvements in these products and of which vendor supports which RAID format. Splitting the acquired image of each physical disk into smaller segment files removes the need for one drive large enough to hold the whole image; otherwise the investigator needs a target drive of similar size for each disk in the RAID array. Sometimes a RAID system is simply too large for a static acquisition, and collecting a complete image of every evidence drive is not practical. In that case it is preferable to recover only the data relevant to the investigation with a logical or sparse acquisition. For very large RAID servers, consult the computer forensics vendor on how best to capture the RAID data.
Remote Data Acquisition
Various forensics tools give investigators the ability to collect disk data from a suspect computer remotely over a network connection. Remote acquisition tools vary in capabilities and configuration. Some need manual supervision on the remote suspect computer to start copying data, while others extract data directly through an encrypted link after loading a remote access program onto the suspect's computer.
Investigators can perform such acquisitions without the user's knowledge. Remote acquisitions save time, but because the suspect system must be running and reachable they are always live acquisitions.
Drawbacks of remote acquisitions include:
- Problems can arise with the LAN's data transfer speeds and routing-table conflicts
- On a WAN, problems arise in obtaining the permissions required to reach more secure subnets
- Heavy network traffic can cause errors and delays in data acquisition regardless of the tool used
- Antivirus, anti-spyware, and firewall tools are capable of detecting and blocking the remote access program
Remote acquisition tools include ProDiscover, WetStone LiveWire, F-Response and Runtime Software (DiskExplorer for FAT, DiskExplorer for NTFS, and HDHost).
Data Acquisition Mistakes
Investigators sometimes make mistakes during data collection that result in the loss of significant evidence, so they must be cautious during data acquisition. Some of the mistakes investigators commit are as follows:
- Choosing the wrong resolution for data acquisition: bit resolution matters when selecting a data-acquisition board.
- Using the wrong cables and cabling techniques: an incorrect type of cable or cabling technique can affect information integrity and damage the data.
- Taking insufficient time for system development: a data acquisition setup needs careful preparation. Investigators who do not give the acquisition process enough time can overlook critical considerations, leading to data damage.
- Making the wrong connections: electronic evidence is fragile. Even a minor mistake such as connecting media devices incorrectly can cause irreversible damage to data.
- Having poor knowledge of the instrument: investigators should be thoroughly familiar with the technology they are using in a given situation. Poor knowledge of tools and technology can jeopardize the integrity of the information.
Plan for Contingency
In a digital forensics investigation, a contingency plan is the backup program an investigator keeps in case hardware or software does not work or fails during an acquisition. Contingency planning is necessary for all cyber investigations because it prepares investigators for unexpected events.
It is a process that helps complete the investigation by providing an alternative to the failed software or hardware tool.
A contingency plan includes maintaining backups for:
- Hard Disk Data Acquisition
- Imaging Tools
- Hardware Acquisition Tool
- Drive Decryption
Validate Data Acquisitions
Validating digital evidence is one of the most important aspects of computer forensics. Validation is essential to verify the integrity of the evidence data. Validating digital evidence requires a hashing utility that produces a binary or hexadecimal number, called a digital fingerprint, which represents the uniqueness of a file or disk drive. When two files have the same hash value they are treated as identical, even if they have different filenames, because for a cryptographic hash it is computationally infeasible to find two different inputs with the same digest. Even a slight modification of the input changes the hash value completely.
CRC-32: The 32-bit Cyclic Redundancy Check (CRC-32) is a checksum based on polynomial division. The number 32 indicates the size of the resulting checksum, which is 32 bits.
The checksum identifies accidental errors after data transmission or storage. It is not a cryptographic hash, so it cannot be relied on to detect deliberate tampering; it is used alongside, not instead of, the algorithms below.
- MD5: An algorithm used to check data integrity by creating a 128-bit message digest from input of any length. MD5 is fast and widely supported, but practical collision attacks against it are known, so forensic tools normally record an MD5 digest together with a SHA digest.
- SHA-1: SHA-1 (Secure Hash Algorithm-1) is a cryptographic hash function developed by the United States National Security Agency and issued by NIST as a US Federal Information Processing Standard. It creates a 160-bit (20-byte) hash value called a message digest, written as a 40-digit hexadecimal number. Collisions for SHA-1 have also been demonstrated, so it should be paired with SHA-256 for new acquisitions.
- SHA-256: A cryptographic hash algorithm that creates a fixed-size 256-bit (32-byte) digest. A hash is a one-way function, which means the input cannot be recovered from the digest. This makes it suitable for anti-tamper checks, password validation, digital signatures, and challenge-response authentication.
Linux Validation Methods
Linux offers a number of commands that, in combination, let investigators validate acquired data. The dd command can validate collected data when combined with hashing commands, whereas the dcfldd command has built-in options (hash= and hashlog=) that hash the data as it is acquired.
Linux provides the hashing utilities md5sum and sha1sum (and, on current coreutils, sha256sum). Each can calculate the hash of a single file or multiple files, of one or more disk partitions, or of a whole disk drive.
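The following script is an added example, not part of the original article, showing how the hashing and Linux validation points above fit together: dd reads the evidence source once, tee writes the raw image while the same byte stream is hashed (the hand-rolled equivalent of dcfldd's hash=/hashlog= options), the digest is recorded in a validation file, and the image is re-hashed later and compared. A constructed 16 KiB file stands in for the evidence device (/dev/sdX in practice); the names WORK, acquire_raw, verify_raw, flip_byte and digest are this example's own.

```shell
#!/bin/sh
# Added example: dd acquisition with on-the-fly hashing and later validation.
# A constructed file replaces the real evidence device; see the lead-in.
set -eu

# digest ALGO FILE: print only the hex digest of FILE (md5 | sha1 | sha256)
digest() {
  case "$1" in
    md5)    sum=$(md5sum "$2") ;;
    sha1)   sum=$(sha1sum "$2") ;;
    sha256) sum=$(sha256sum "$2") ;;
    *)      echo "digest: unknown algorithm '$1'" >&2; return 1 ;;
  esac
  printf '%s\n' "${sum%% *}"
}

# acquire_raw SOURCE IMAGE HASHLOG: read SOURCE once with dd, write the raw
# image through tee, and hash the identical byte stream, so the recorded
# digest describes exactly what dd read. conv=noerror,sync continues past
# unreadable sectors and zero-fills them so later offsets stay correct; dd's
# record counts are kept in IMAGE.ddlog so records in/out can be compared.
acquire_raw() {
  dd if="$1" bs=4096 conv=noerror,sync 2>"$2.ddlog" \
    | tee "$2" \
    | sha256sum | cut -d' ' -f1 > "$3"
}

# verify_raw IMAGE HASHLOG: re-hash IMAGE and compare with the recorded digest.
# Exit status 0 means the image is intact, 1 means it no longer matches.
verify_raw() {
  recorded=$(cat "$2")
  actual=$(digest sha256 "$1")
  [ "$recorded" = "$actual" ]
}

# flip_byte FILE OFFSET: overwrite one byte in place without truncating the
# file, simulating a damaged or tampered image.
flip_byte() {
  printf '\377' | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

WORK=$(mktemp -d)
SRC="$WORK/evidence.bin"          # constructed stand-in for /dev/sdX
IMG="$WORK/evidence.dd"
LOG="$WORK/evidence.dd.sha256"    # the validation file kept with the image

# 512 lines of 32 bytes = 16384 bytes = exactly four 4096-byte dd blocks
printf 'constructed evidence, block %03d\n' $(seq 1 512) > "$SRC"
acquire_raw "$SRC" "$IMG" "$LOG"

# The image must hash identically to the source under every algorithm used.
for algo in md5 sha1 sha256; do
  [ "$(digest "$algo" "$SRC")" = "$(digest "$algo" "$IMG")" ] \
    || { echo "$algo mismatch between source and image"; exit 1; }
done
verify_raw "$IMG" "$LOG" || { echo "image failed verification"; exit 1; }
echo "image verified: sha256 $(cat "$LOG")"

# A single changed byte changes the whole digest, so the validation file
# catches it even though the file size is unchanged.
cp "$IMG" "$WORK/evidence-tampered.dd"
flip_byte "$WORK/evidence-tampered.dd" 4096
if verify_raw "$WORK/evidence-tampered.dd" "$LOG"; then
  echo "tampered image passed verification (unexpected)"; exit 1
else
  echo "tampered image rejected: sha256 $(digest sha256 "$WORK/evidence-tampered.dd")"
fi
```

On a real acquisition the hash in the validation file should be recorded in the chain-of-custody notes at the time of imaging; the same verify_raw check is then repeated whenever the raw image is loaded for analysis, which is the manual validation step that raw images need because, unlike .eve or .e01 files, they carry no embedded hash.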
Windows Validation Methods
Windows has no dedicated forensic hashing tool for validating acquired data (although certutil -hashfile and PowerShell's Get-FileHash can compute file digests). Instead, Windows-based investigators use several third-party programs to validate data. These range from hexadecimal editors, such as X-Ways WinHex and Breakpoint Software Hex Workshop, to computer forensics programs such as ProDiscover, EnCase, and AccessData FTK.
Commercial forensics programs have built-in data validation options, and each program applies its own validation technique to acquisitions in its proprietary format. For example, ProDiscover's .eve files store metadata in the segmented acquisition files, including the hash value of the suspect drive or partition. ProDiscover hashes the image as it is loaded and compares the result with the hash stored in the metadata. If the hashes do not match, ProDiscover alerts that the acquisition is corrupt and not reliable as evidence. This function is called Auto Verify Image Checksum. In most forensic tools, raw-format image files contain no such metadata, so the investigator must validate every raw acquisition manually during analysis. A validation file generated for the raw acquisition before analysis is essential for the integrity of the digital evidence: it later lets the investigator verify whether the acquisition file is still in proper condition.
In FTK Imager, when the investigator selects the Expert Witness (.e01) or SMART (.s01) format, the tool shows extra validation options. Its validation report contains both the MD5 and SHA-1 hash values. The tool stores the MD5 hash in the segmented files of the proprietary-format image; when the image is later loaded into a forensics tool, the tool reads the stored MD5 hash and compares it with a fresh hash of the image to check the integrity of the acquired data.
Questions related to this topic
- What are the needs for computer forensics tools?
- What two data copying methods are used in software data acquisitions?
- What is acquisition computer forensics?
- What happens if computer forensics is ignored or practiced badly?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com