(13) Acquiring data and imaging systems Flashcards
What type of data or events may result from doing live imaging?
Live imaging may leave remnants from the imaging utility being mounted from a removable drive or installed
The contents of a drive or memory may change during the imaging process
Malware might detect that imaging is going on and try to stop it
Live images don’t normally include unallocated space
What cautions do you need to observe when reimaging?
Remember that reimaging will remove everything from the target drive, so make sure that any data that will be needed later has first been moved to a separate drive
What other data types may be needed when conducting forensics?
The other types of data that may be useful include log data, USB device histories, application data, browser cache and history, user files and e-mails
What are good practices when working with log data from a forensic perspective?
Figure out where the logs are on the system
Figure out what time period you need to preserve
Speak with system or device admins to get a copy of the logs and document how you got them
Identify items of interest (actions, user IDs, event IDs, timeframes, other elements)
Log analysis tools like Splunk can help too
What should we remember about viewing USB history on a Windows machine?
Windows keeps a history of devices that connect to it via USB. This can help during forensic investigations
How are core dumps and crash dump files useful?
Core dump and crash dump files can provide good forensic information for criminal and malware investigations.
Memory-resident encryption keys, malware that only runs in memory, and additional items can be found here
Where can the Windows crash dump file be located?
Control Panel>System and security>System>Advanced System settings>Startup and recovery>Settings
The default location is %SystemRoot%\memory.dmp
What needs to be remembered when it comes to mobile device forensics?
With mobile device forensics, we need to remember that the device's network connectivity needs to be cut off and the screen lock passcode needs to be dealt with
What are the four primary modes of data acquisition for mobile devices?
Physical, including getting the SIM card, memory cards, or backups
Logical, which may involve a forensics tool
Manual, which is about reviewing the contents of the live, unlocked phone and taking photos and notes about what you discover
Filesystem, which provides details of deleted files and existing files/directories