Book Three-Chapter 2-Data Acquisition and Duplication Flashcards
What are the methods investigators use to acquire digital evidence?
Forensic investigators can acquire digital evidence using the following methods:
Creating a bitstream disk-to-image file
Making a bitstream disk-to-disk copy
Creating a sparse data copy of a folder or file
Disk-to-Image File
Creating a bitstream disk-to-image file is the most common method forensic investigators use. The original disk is imaged to a file on another disk, and the investigator can then make as many working copies of that image file as are needed without touching the original again. Tools such as EnCase, AccessData FTK (Forensic Toolkit), SMART, TASK (the predecessor of The Sleuth Kit), and ILook can read and analyze the image file. Whatever tool is used, the investigator records a hash of the original drive and of the image and confirms that the two values match before any analysis begins.
Disk-to-Disk Copy
If an investigator cannot create a bitstream disk-to-image file, the alternative is a bitstream disk-to-disk copy of the suspect’s drive onto a second drive. Disk-to-disk imaging tools include SafeBack, SnapCopy, and Norton Ghost; many of them run under MS-DOS, and Ghost makes a true sector-by-sector copy only in its raw image mode (by default it copies allocated files only). The destination drive must be at least as large as the source, and because the copy is a sector-for-sector duplicate it should be hashed and compared with the source exactly as an image file would be.
Sparse Data Copy
There are times during an investigation when the evidence of interest is confined to a particular file or folder, so a bitstream disk-to-image file or disk-to-disk copy is not necessary; the investigator makes a sparse data copy instead. A sparse data copy (also called a logical acquisition) contains only the portion of a large data set that is pertinent to the investigation, which keeps the evidence file small. It does not capture deleted files, slack space, or unallocated space, so it is used where a full image is impractical (very large or live storage) or outside the scope of the authorization, and each copied file should still be hashed at the time of copying.
What do the SavePart and WritePart commands in DriveSpy do?
DriveSpy Data Preservation Commands
The DriveSpy application lets forensic examiners create and restore compressed images of drive partitions. When a DOS partition is imaged, the free space is not included, because DOS cannot see the free space in a cluster; when a non-DOS partition is imaged, every byte is preserved, including the free space.
There are three data preservation commands available in DriveSpy:
SavePart: The main function of the SavePart command is to generate an image of a partition. The syntax of the SavePart command is as follows:
SAVEPART [Destination File]
Investigators mainly use SavePart to create a compressed forensic image of the current partition; the image can span several pieces of media when it does not fit on one. After the image is written, DriveSpy reports the MD5 hash it stores with the image. That hash is checked again when the image is restored, so the examiner should record it in the case notes at the time of acquisition.
WritePart: The main function of the WritePart command is to restore a SavePart image onto the partition currently selected in DriveSpy. The syntax of the WritePart command is as follows:
WRITEPART [Source File]
If the image spans several pieces of media, WritePart prompts for each piece as it is needed.
CopySect: The main function of the CopySect command is to copy sectors from one disk to a location on the same disk or on a different disk. The syntax of the CopySect command is as follows:
COPYSECT [Source Sector Range] [Destination Sector Range]
Forensic investigators most often use CopySect to create direct disk-to-disk copies of suspect media; the destination range must be at least as large as the source range, and the copy should be hashed against the source afterward.
Why is there a need for data duplication?
The Need for Data Duplication
Investigators need to be aware of destructive devices or programs that the owner of a computer system may have planted in it. Evidence can be destroyed if an investigator is not careful: such a device can overwrite data fragments and alter or destroy data stored in the Windows swap file, and a self-destructing program can wipe evidence as soon as it detects a trigger. This hampers an investigation and makes evidence collection far more difficult. Data duplication is therefore essential to preserving digital evidence: all analysis is performed on a verified copy, so the original is never exposed to such a program and a damaged working copy can be recreated from the original image.
How is netcat used with dd to acquire data?
Linux Standard Tools
Forensic investigators use the standard Linux (GNU coreutils) command dd to copy data from a disk drive. It can make a bitstream disk-to-disk copy or a disk-to-image file, and it can read any block device the Linux kernel exposes; the device does not need to be mounted, and an evidence device should not be mounted read/write while it is being imaged. The resulting raw image can be read by essentially every forensic tool, including AccessData FTK and ILook.
One advantage of dd is that it is free software and needs no resources beyond the running kernel. Because it copies raw sectors, it is independent of the file system: it can image ext2, ext3, UNIX (UFS), FAT12, FAT16, FAT32, NTFS, HFS, and HPFS disks, among others, and it can write the evidence to any media the Linux system can access.
dd does have limitations. The investigator needs to be comfortable with the UNIX shell, and to split an image across several volumes (a volume save set) the exact number of blocks per segment must be supplied with count= and skip=. dd has no built-in hashing, so the hash of the source and of the image must be computed in a separate pass (for example with md5sum or sha256sum). The forensic variants dcfldd and dc3dd add inline hashing and split output, but they are not installed by default on most distributions.
Using the dd Command
The general form of the dd command is as follows:
dd if=<source> of=<target> bs=<block size> count=<blocks> skip=<blocks> seek=<blocks> conv=<options>
if: the source, where the data is to be read from (a device such as /dev/sda, or a file)
of: the target, where the data is to be written to
bs: block size in bytes, usually a power of 2 not less than 512 (e.g., 512, 1024, 2048, 4096, 8192)
count: number of blocks to copy (the whole input if omitted)
skip: number of blocks to skip at the start of the input
seek: number of blocks to skip at the start of the output
conv: conversion options. For acquisition, noerror keeps going past read errors and sync zero-fills the unreadable block so that every later byte stays at its original offset (noerror alone silently shifts the data); notrunc leaves the length of an existing output file alone.
For example, an investigator would use the following commands for these tasks (the legacy /dev/hda naming refers to the first IDE drive; current kernels name every disk /dev/sda, /dev/sdb, and so on):
To make a complete physical image of a hard disk into a file on the evidence drive:
dd if=/dev/hda of=/mnt/evidence/case5img1.dd conv=noerror,sync
To copy one hard disk partition to another hard disk:
dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror,sync
To make an image of a CD (2048 bytes is the CD sector size):
dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc
To copy a floppy disk:
dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc
To restore a disk partition from an image file:
dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror,sync
To copy RAM memory to a file:
dd if=/dev/mem of=/home/sam/mem.bin bs=1024
After each acquisition, hash the source and the image (for example md5sum /dev/hda and md5sum /mnt/evidence/case5img1.dd) and record both values. Note that on current kernels /dev/mem exposes only a small, restricted part of physical memory, so a full memory capture is taken with a kernel module such as LiME rather than with dd.
Using dd to Extract the MBR
The master boot record (MBR) is the consistent starting point of a disk partitioned in the traditional MBR scheme. It is always the first sector of the disk (cylinder 0, head 0, sector 1 in CHS terms, LBA 0) and stores the information needed to locate and boot the partitions. A disk partitioned with GPT keeps only a protective MBR in that sector and places its own partition table from LBA 1 onward, so on such a disk the MBR alone does not describe the partitions.
The 512-byte MBR consists of the following:
Master partition table: four 16-byte entries at offset 446 that describe the primary partitions on the disk (bootable flag, partition type, starting sector, and length in sectors).
Master boot code: the 446 bytes of code that the BIOS loads and runs to start the bootstrapping process.
Boot signature: the two bytes 0x55 0xAA at offset 510, which the BIOS checks before executing the boot code.
To see the contents of the MBR, an investigator uses the following commands:
dd if=/dev/hda of=mbr.bin bs=512 count=1
od -xa mbr.bin
This dd command must be run as root (or with sudo). It reads the first 512 bytes from /dev/hda, the first IDE drive under the legacy naming scheme (on a current kernel the first disk is /dev/sda), and writes them to the file mbr.bin.
The od command prints the binary file in hex (-x) and as named ASCII characters (-a); xxd mbr.bin gives a more readable hex dump where it is available.
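The following script is an added worked example, not part of the original card: it builds a constructed 512-byte MBR (a bootable Linux partition followed by an NTFS partition), checks the 0x55 0xAA boot signature at offset 510, and decodes the four 16-byte partition entries that start at offset 446 (boot flag, type byte, and the little-endian 32-bit starting LBA and sector count), which od -xa only lets you read by eye. extract_mbr wraps the dd command above; any device path passed to it is an assumption.

```shell
#!/bin/sh
# mbr_parse.sh - extract and decode a master boot record (added example).
# Classic MBR layout: 446 bytes of boot code, four 16-byte partition entries
# at offset 446, and the 0x55 0xAA signature at offset 510.

# Copy the first sector of a device to a file (the dd command from the text).
# Example: extract_mbr /dev/sda mbr.bin   (the device path is an assumption)
extract_mbr() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# Print the little-endian unsigned integer stored in $3 bytes at offset $2 of file $1.
le_uint() {
    od -An -tu1 -j "$2" -N "$3" "$1" |
        awk '{ v = 0; for (i = NF; i >= 1; i--) v = v * 256 + $i; printf "%.0f\n", v }'
}

# Return 0 if the boot signature at offset 510 is 0x55 0xAA (0xAA55 little-endian = 43605).
mbr_signature_ok() {
    [ "$(le_uint "$1" 510 2)" -eq 43605 ]
}

# One line per used partition entry: index, boot flag, type byte, start LBA, size.
mbr_partitions() {
    i=0
    while [ "$i" -lt 4 ]; do
        off=$((446 + i * 16))
        ptype=$(le_uint "$1" $((off + 4)) 1)
        if [ "$ptype" -ne 0 ]; then
            boot=$(le_uint "$1" "$off" 1)
            start=$(le_uint "$1" $((off + 8)) 4)
            count=$(le_uint "$1" $((off + 12)) 4)
            printf 'part=%d boot=0x%02x type=0x%02x start=%d sectors=%d\n' \
                "$((i + 1))" "$boot" "$ptype" "$start" "$count"
        fi
        i=$((i + 1))
    done
}

# Constructed sample MBR: a bootable Linux (0x83) partition of 204800 sectors
# at LBA 2048, then an NTFS (0x07) partition of 409600 sectors starting at
# LBA 206848; entries 3 and 4 empty. CHS fields are filler (0xFE 0xFF 0xFF).
make_sample_mbr() {
    {
        head -c 446 /dev/zero
        printf '\200\001\001\000\203\376\377\377\000\010\000\000\000\040\003\000'
        printf '\000\376\377\377\007\376\377\377\000\050\003\000\000\100\006\000'
        head -c 32 /dev/zero
        printf '\125\252'
    } > "$1"
}

if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_mbr "$f"
    mbr_signature_ok "$f" && echo "boot signature OK"
    mbr_partitions "$f"
    rm -f "$f"
fi
```

Run it as sh mbr_parse.sh --demo to decode the constructed sample, or call extract_mbr on a write-blocked device and then mbr_partitions on the resulting file. A start LBA or sector count that runs past the end of the disk, overlapping entries, or a missing signature are all worth noting in the acquisition log.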
Using Netcat with dd
netcat (nc) reads and writes raw data across a network over TCP or UDP, and piping dd into it lets an investigator stream an acquisition to another host instead of to a local drive. TCP is a reliable, connection-oriented protocol that delivers bytes in order and retransmits anything lost; UDP is a best-effort protocol that may drop or reorder packets, which is acceptable for streaming video but not for a disk image, so imaging is done over TCP (netcat’s default). netcat adds no authentication or encryption: run the transfer on an isolated or trusted network (or tunnel it through ssh), and hash the data on both ends and compare the values.
To copy a disk onto a drive attached to another machine (start the listener on the target first, so the stream has somewhere to go):
On the target machine:
netcat -l -p 1234 | dd of=/dev/hdc bs=16065b
On the source machine:
dd if=/dev/hda bs=16065b conv=noerror,sync | netcat targethost-IP 1234
The b suffix means 512-byte blocks, so bs=16065b is one 255-head, 63-sector cylinder (about 8 MB). To write an image file instead of cloning a disk, give the target dd of=/evidence/hda.dd. The -l -p form is the traditional netcat syntax; the OpenBSD nc shipped with most current distributions is invoked as nc -l 1234.
Write down the hardware tools used for data acquisition.
Data Duplication Hardware Tools
The data duplication hardware tools that forensic investigators use are high-speed, high-volume devices. Most of these tools also provide investigators with the capability to completely erase data from a disk.
Image MASSter Solo-3
The Image MASSter Solo-3 is a lightweight handheld tool for acquiring data. It can pull data from PATA, SATA, and SCSI notebook and desktop hard drives and from flash memory cards, and when connected to a computer’s USB or FireWire port it can acquire data from any storage device in that system. It can copy to up to two evidence disks at a time at speeds exceeding 3 GB/min.
The following are the specifications of the Image MASSter Solo-3:
Supply voltage: 90–230 V/50–60 Hz
Power consumption: 10 W without drives
Operating temperature:
Relative humidity: 20 percent to 60 percent noncondensing
Net weight: 2.2 lbs
Overall dimensions: 8.3″ × 5.8″ × 2.2″
Power supply: UL and PSU certified, with universal autoswitching input voltage
The following are some of the features of the Image MASSter Solo-3:
MD5 and CRC-32 hashing: MD5 and CRC-32 hashing ensure data integrity.
Touch-screen user interface: The unit’s advanced touch-screen user interface and programmable keyboard provide for ease of use.
Built-in write protection: The suspect drive’s data is protected with built-in write protection.
Audit trail and logs: An investigator can print detailed operational event log information or save it to a CompactFlash card.
Upgradeability: An investigator can perform software and firmware upgrades using a CompactFlash card.
The following are some of the software features of the Image MASSter Solo-3:
Device configuration overlay (DCO) option: DCO can be used to hide and protect part of a drive from the operating system and file system. If the Image MASSter Solo-3 detects a DCO on a suspect’s drive, it can capture this hidden data.
Host protected area (HPA) option: An HPA may exist on a drive, hiding a certain portion of the drive’s contents from the operating system and file system. If an HPA exists on a suspect’s drive, the Image MASSter Solo-3 can acquire the data stored in it.
WipeOut DoD option: WipeOut was designed to meet the U.S. Department of Defense specification DoD 5220.22-M regarding the sanitization of hard disk drive data. WipeOut performs three overwrite passes to erase the contents of a hard drive.
WipeOut fast option: The WipeOut fast option provides a quick non-DoD method of sanitizing a drive of all previously stored data.
Linux dd capture option: The Linux dd capture option captures data as individual Linux dd segmented files. This option allows an investigator to perform multiple data acquisition operations using the same evidence drive.
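A hardware imager that handles HPA and DCO is convenient, but an examiner imaging with dd has to check for a hidden area first, because a dd of the device sees only the sectors the drive currently reports. On Linux that check is hdparm -N, which prints the drive’s visible maximum sector count against its native maximum (hdparm 9.x prints a line of the form " max sectors = VISIBLE/NATIVE, HPA is enabled"). The script below is an added example, not part of the page or of the Image MASSter product: it parses that line, using two constructed sample lines since no drive is attached, and in check_device compares hdparm’s figures with the size the kernel reports through blockdev --getsz. Device paths are assumptions; DCO detection (hdparm --dco-identify) is not covered.

```shell
#!/bin/sh
# hpa_check.sh - detect a host protected area from hdparm -N output (added example)

# Constructed samples of the hdparm -N line for a 1 TB drive: one where an HPA
# hides the upper half of the drive, one where no HPA is set.
SAMPLE_HPA=' max sectors   = 976773168/1953525168, HPA is enabled'
SAMPLE_NONE=' max sectors   = 1953525168/1953525168, HPA is disabled'

# parse_hdparm_n LINE: prints "VISIBLE NATIVE" sector counts, nothing on no match.
parse_hdparm_n() {
    printf '%s\n' "$1" |
        sed -n 's/.*max sectors *= *\([0-9][0-9]*\)\/\([0-9][0-9]*\).*/\1 \2/p'
}

# hidden_sectors LINE: sectors hidden by the HPA (0 when none); fails on garbage.
hidden_sectors() {
    set -- $(parse_hdparm_n "$1")
    [ $# -eq 2 ] || return 1
    echo $(( $2 - $1 ))
}

# hpa_present LINE: 0 if the native maximum exceeds the visible maximum.
hpa_present() {
    n=$(hidden_sectors "$1") || return 2
    [ "$n" -gt 0 ]
}

# check_device DEV: live check against a real drive (device path is an
# assumption). Reports the hidden sector count and whether the kernel's idea
# of the size matches what hdparm says is visible.
check_device() {
    dev=$1
    line=$(hdparm -N "$dev" | grep 'max sectors')
    kernel=$(blockdev --getsz "$dev")
    set -- $(parse_hdparm_n "$line")
    echo "device=$dev visible=$1 native=$2 kernel=$kernel hidden=$(( $2 - $1 ))"
    if hpa_present "$line"; then
        echo "HPA present: a dd image of $dev stops at sector $1; record the native size"
    fi
    [ "$kernel" -eq "$1" ] || echo "warning: kernel size differs from hdparm visible size"
}

if [ -n "${1:-}" ]; then
    check_device "$1"
fi
```

Run sh hpa_check.sh /dev/sdX against a write-blocked drive before imaging. If an HPA is reported, note the visible and native sector counts in the log; whether the protected area is then exposed for imaging (a change to the drive’s configuration, not to its data) is a decision to document, and a hardware imager with HPA support avoids having to make it.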
LinkMASSter-2
The LinkMASSter-2 acquires data from a laptop or desktop by imaging the suspect’s hard drive through the computer’s USB or FireWire ports, at speeds exceeding 3 GB/min. It uses write protection and supports MD5, CRC-32, and SHA-1 hashing to verify data integrity.
The following are the specifications of the LinkMASSter-2:
Supply voltage: 100–240 V/50–60 Hz
Power consumption: 3.5 W without drives
Operating temperature:
Relative humidity: 20 percent to 60 percent noncondensing
Net weight: 0.55 lb
Overall dimensions: 5.5″ × 3″ × 1″
Power supply: universal autoswitching input voltage
The following are some of the features of the LinkMASSter-2:
Forensic toolkit graphical user interface: The LinkMASSter-2 forensic toolkit application provides all the tools necessary to perform high-speed data acquisition operations. The interface runs on the Windows XP Professional platform.
Multiple media support: The device supports data transfers between PATA, SATA, and SCSI hard drives. With its built-in 2.5″ interface, it supports capturing data to notebook drives.
Audit trail and logs: An investigator can print detailed operational event log information or save it.
The following are some of the software features of the LinkMASSter-2:
LinkMASSter application: The LinkMASSter application is run from the supplied LinkMASSter bootable CD, which provides write protection for the suspect’s drive during initialization and during data acquisition.
Single capture option: The single capture option allows an investigator to acquire data using a forensic sector-by-sector format method.
Linux dd capture option: The Linux dd capture option supports seizing the entire contents of a suspect’s drive by capturing data as individual Linux dd segmented files, which are then stored in individual subdirectories on the evidence drive. This option allows any number of seizures to be performed using the same evidence drive, provided there is adequate space to save the seized data.
Intelligent capture option: The intelligent capture option (IQCopy) provides a fast method of acquiring data from FAT16, FAT32, and NTFS. This method analyzes the file system and captures only the allocated drive space.
WipeOut DoD option: This option is designed to erase all data on disk drives. WipeOut was designed to meet the U.S. Department of Defense specification DoD 5220.22-M regarding the sanitization of hard disk drives.
WipeOut fast option: The WipeOut fast option provides a quick non-DoD method of sanitizing a drive of all previously stored data.
RoadMASSter-2
The RoadMASSter-2 is a forensic data acquisition and analysis tool designed for use in the field. It provides an investigator with all the tools necessary to acquire and analyze data from FireWire and USB ports, flash memory cards, and PATA, SATA, and SCSI disks.
The following are the specifications of the RoadMASSter-2:
Supply voltage: 100–240 V/50–60 Hz
Power consumption: 150 W without drives
Operating temperature:
Relative humidity: 20 percent to 60 percent noncondensing
Net weight: 32 lbs
Overall dimensions: 13″ × 21″ × 7.5″
Power supply: universal autoswitching input voltage
Processor: AMD64 3500+
Memory: 2 GB RAM
Hard drive: 60 GB 7200 rpm internal IDE drive
Other storage: CD-RW, DVD+RW, DVD-RW, floppy disk
Display: 15″ TFT color LCD display
Card reader/writer: 1–7 multicard read/write slots and 1–7 multicard read-only slots
Sound system: Stereo speakers and line in/line out connector
Operating system: Windows XP Professional
The following are some of the features of the RoadMASSter-2:
MD5, CRC-32, and SHA-1 hashing: These hashing techniques ensure data integrity.
Forensic toolkit graphical user interface: The RoadMASSter-2 forensic toolkit application provides an investigator with all the tools necessary to perform high-speed forensic data acquisition operations.
High-speed operation: Data transfer rates can exceed 3.3 GB/min.
Multiple capture methods: Investigators can acquire data using a forensic sector-by-sector format method or using a Linux dd segmented file format method. The Linux dd capture method allows an investigator to put multiple images on one evidence drive.
Built-in write protection: The data on the suspect’s drive is protected with built-in write protection.
Multiple media support: The RoadMASSter-2 supports data transfers between PATA, SATA, and SCSI hard disk drives. Interface ports and readers are available to support flash memory cards, external FireWire and USB drives, and DVD and CD media. The built-in 2.5″ interface supports notebook drives.
Preview and analysis: The toolkit provides an investigator with the capability to preview and analyze a suspect’s write-protected data.
Audit trail and logs: An investigator can print detailed operational event log information or save it.
The following are some of the software features of the RoadMASSter-2:
WipeOut DoD option: This option is designed to completely erase data on disk drives. WipeOut was designed to meet the U.S. Department of Defense specification DoD 5220.22-M regarding the sanitization of hard disk drives.
WipeOut fast option: The WipeOut fast option provides an investigator with a quick non-DoD method of sanitizing a drive.
LinkMASSter application: The LinkMASSter application is run from the supplied LinkMASSter bootable CD, which provides write protection for the suspect’s drive during initialization and during data acquisition.
Intelligent capture mode: The intelligent capture option (IQCopy) provides a fast method of acquiring data from FAT16, FAT32, and NTFS. This method analyzes the file system and captures only the allocated drive space.
Write down the hardware tools used for data duplication
Data Duplication Hardware Tools
The Image MASSter 4000PRO X2 SAS
The Image MASSter 4000PRO X2 SAS has double the performance of the original version and natively supports SAS, SATA, and USB 3.0 drives, with other common drive interfaces available through optional adapters. Units can connect an optional eight-drive add-on module, giving the capability to copy or wipe up to 16 drives at the same time. The tool supports hardware-accelerated SHA-1 and SHA-2 drive hashing as well as the standard MD5 method. Using NIST-approved AES-256 encryption, the built-in drive encryption support can secure a target drive’s data. Units have a 1 Gb Ethernet connection for uploading or downloading drive images to network storage, and an internal PCIe expansion slot that can add support for further drive interfaces such as SCSI and FireWire, or 10 Gb Ethernet if needed.
Disk Jockey IT Pro
Disk Jockey IT Pro is a high-speed data duplication tool. It can copy data from PATA and SATA desktop and laptop drives. It is a lightweight handheld device that can copy data to one or two target drives at speeds exceeding 2 GB/min.
The following are some of the features of the Disk Jockey IT Pro:
Stand-alone HD mode: An investigator can mount one or two PATA or SATA hard drives on a Windows or Macintosh computer, through FireWire or USB 2.0, without installing any extra drivers. The Disk Jockey IT Pro includes 2.5″ laptop adapter cables and 3.5″ desktop cables.
Mirroring: The Disk Jockey IT Pro allows an investigator to mirror two hard drives for real-time backup (RAID 1). If one drive fails, there will be no downtime, as the data is stored simultaneously on the second drive.
Spanning: An investigator can easily make one large logical volume from two disks attached to the Disk Jockey IT Pro. The investigator can then connect the Disk Jockey IT Pro to a FireWire or USB port on a Windows or Macintosh computer to access the two drives as standard external storage.
Disk copy compare/verification: This feature allows an investigator to verify that a copy is an exact duplicate, ensuring that there is no data loss.
Hard disk read test: The Disk Jockey IT Pro can perform a sector-by-sector hard disk read test to test the overall health of a hard drive.
Two levels of erasure: The Disk Jockey IT Pro offers two levels of disk erasure. The first is a fast, one-pass erase. The second is a more thorough three-pass erase that an investigator can use when he or she needs to feel more confident that the data is irretrievably erased.
QuickCopy
QuickCopy is a tape duplication system. The following are some of the features of QuickCopy:
Duplicates a master tape to one or more target tapes
Duplicates from master images stored on local or network hard drives
Capable of multitasking for mixed jobs. For instance, it can duplicate a 4-mm tape and a DLT simultaneously.
Provides 100 percent verification of all copies made
Uses the Microsoft Windows NT operating system and graphical user interface (GUI)
Can also copy CD media with the QuickCopy-CD option
What file systems does dd work with?
dd works with any file system, because it copies raw sectors rather than files: ext2, ext3, UNIX (UFS), FAT12, FAT16, FAT32, NTFS, HFS, HPFS, and any other file system, whether or not Linux has a driver for it. It is free software that needs no resources beyond the running kernel, and it can write the evidence to any media the Linux system is able to access.
What are the system requirements for Drive SnapShot?
Drive SnapShot
Drive SnapShot is a Windows data acquisition tool that creates an exact sector-by-sector image of a disk while the investigator continues working in Windows; booting into DOS is not necessary. It is compatible with all Windows file systems and most Linux file systems. Only a user with administrative privileges can run it. Because the image is taken from a running system rather than through a write blocker, the examiner should record the time of the snapshot and hash the image immediately, since the live disk keeps changing afterward.
System Requirements for Drive SnapShot
Operating system: Windows NT/2000/XP/2003/Vista/7/8/10
RAM: 8 MB
Hard disk: At least 2 MB of free disk space