Data Acquisition Flashcards
Data Acquisition
- making a forensic copy of evidence, which could be any type of media
- hard disk drive, USB, CD/DVD, etc
Why do we Acquire?
- NEVER work directly on a suspected machine
- 1st: you might end up damaging or altering the evidence
- 2nd: the client usually cannot afford to have the machine out of service for the length of the investigation
- 3rd: with only one copy, multiple teams or investigators cannot work on the same case in parallel
What is important to remember about the first image taken?
- You’re not supposed to work on the first image you take
- The original image needs to be saved, and copies are made to do the actual work on
Order of Volatility?
- registers
- cpu cache
- RAM
- HDD
- External and Secondary storage devices
What are the two types of data acquisition?
- static
- dynamic/live
Static Acquisition
- gathering non-volatile data
- gathering the data that remains intact after the system reboots or goes down
- hard disks, flash drives (USB sticks, memory cards)
Dynamic Acquisition
- gathering volatile data while the system is still running
Which type of acquisition is typically done first?
- dynamic; volatile data disappears as soon as the system reboots or loses power, while disk contents can still be imaged afterwards
Raw Format
- simplest format to save an image
- data is read from the source device sector by sector and written to a file as-is, with no compression and no embedded metadata
- the image file can be mounted later and analyzed for evidence
What are the benefits of Raw Format?
- offers a faster transfer rate
- supported by virtually every forensic tool, so an image can be moved between different frameworks
What are some things to be aware of with Raw Format?
- takes up the same space as the source drive (no compression, and unallocated space is captured as well)
- read errors on the source are not recorded in the image: typical raw imaging tools skip or zero-fill unreadable sectors, so the tool's error log must be preserved alongside the image
What tool allows a disk to be imaged and split into multiple smaller files?
- dd (combined with split), or its forensic derivatives dcfldd and dc3dd, which write split output directly and hash the data as it is imaged
Proprietary Format
- commercial tools implement their own file format
- compress the data for space efficiency, which makes the imaging and analysis processes slower
What are the advantages of using proprietary formats?
- space efficiency
- case-related metadata (case number, examiner, notes, acquisition hashes) travels with the image
- image data and metadata are held in a single container (or a numbered set of segment files)
- allows investigator to do all work on a single framework (imaging, analysis, and reporting modules are all on the same tool)
What are the disadvantages of using proprietary formats?
- slower due to the compression/decompression and encoding/decoding processes
- ties the investigator to that vendor's framework, since other tools may not be able to read the format
What are the most notable proprietary formats?
- EWF (Expert Witness Format) from EnCase
- IDIF, IRBF, IEIF from ILook Investigator
- sgzip from PyFlag
Open Source Format
- AFF (Advanced Forensic Format); an open specification with optional compression and embedded metadata, without tying the image to one vendor's tool
Data Acquisition vs. Copying
- Imaging IS NOT copying
- Imaging captures the device's entire storage, including unallocated and slack space, into a file
- Copying takes only the "useful" data the file system exposes (the logical files), so deleted data and slack space are lost
What needs to be considered when copying an image?
- Make sure the copy is an exact replica of the original image; verify it by comparing cryptographic hashes of both
- make sure the original image is safe from tampering
- make sure the copying process will not alter the original image
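The raw acquisition workflow from the cards above (dd imaging, splitting the image into chunks, hashing, and checking a working copy against the preserved original), as an added shell example that is not part of the original page. The "evidence drive" here is a constructed 4 MiB file of random bytes; the directory layout and file names are assumptions. On a real system the if= argument would be the block device behind a write blocker (for example /dev/sdb) and bs= a multiple of its sector size.

```shell
#!/bin/sh
# Added example (not from the original page): raw imaging with dd,
# splitting the image, and hash verification of image and working copy.
set -eu

hash_file() {
    # sha256 digest of a file, using whichever tool the host provides
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

make_evidence() {
    # constructed stand-in for a suspect drive: 8192 "sectors" of 512 bytes
    head -c 4194304 /dev/urandom > "$1"
}

acquire_raw() {
    # $1 = source device or file, $2 = destination image path
    # conv=noerror keeps going past unreadable blocks instead of aborting;
    # conv=sync zero-fills the short read so offsets in the image stay
    # aligned with the source. This is the "small errors are neglected"
    # behaviour of raw imaging: bad sectors silently become zeros, and the
    # only record of them is dd's own log, so keep it with the image.
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2> "$2.dd.log"
    # in the field dcfldd/dc3dd hash while imaging; here we hash afterwards
    hash_file "$1" > "$2.sha256.source"
    hash_file "$2" > "$2.sha256.image"
}

split_image() {
    # $1 = image path, $2 = chunk size in bytes; chunks get a two-letter suffix
    split -b "$2" "$1" "$1.part."
}

verify_chunks() {
    # reassemble the chunks and compare against the recorded image hash
    cat "$1".part.?? > "$1.reassembled"
    [ "$(hash_file "$1.reassembled")" = "$(cat "$1.sha256.image")" ]
}

make_working_copy() {
    # working copies are made from the preserved original image, never from
    # the evidence drive, and are verified before any analysis starts
    cp "$1" "$2"
    [ "$(hash_file "$2")" = "$(cat "$1.sha256.image")" ]
}

run_demo() {
    dir="$1"
    make_evidence "$dir/evidence.dev"
    acquire_raw "$dir/evidence.dev" "$dir/evidence.raw"
    # source and image hashes must agree, otherwise the acquisition is unusable
    [ "$(cat "$dir/evidence.raw.sha256.source")" = "$(cat "$dir/evidence.raw.sha256.image")" ]
    split_image "$dir/evidence.raw" 1048576
    verify_chunks "$dir/evidence.raw"
    make_working_copy "$dir/evidence.raw" "$dir/working.raw"
    echo "OK: image sha256 $(cat "$dir/evidence.raw.sha256.image")"
}

# stand-alone use: everything lands in a scratch directory
run_demo "$(mktemp -d)"
```

The three hash files are the chain-of-custody record: the source hash proves what was read, the image hash proves what was written, and every later working copy is checked against the image hash before it is touched.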
What are the two acquisition methods?
- from disk drive to image file (imaging)
- from disk drive to disk drive (cloning)
Imaging
- mirrors the suspect’s hard drive content into an image file
- imaging a drive creates what is called a “forensic image”
- the advantage of this method is scalability and efficiency
- a forensic image does not have to be for a full disk drive; you may only copy a particular partition
Cloning
- disk drive to disk drive
- mirrors the suspect’s hard disk content into another hard disk
- the result is a second disk identical to the source disk (a clone)
Live Acquisition
- used to collect data while the machine is running
- usually looking for volatile data
- volatile data lives in memory that does not retain its contents after a reboot or power loss
- it usually resides in RAM and the CPU caches
Why is volatile data so fragile?
- the data is not JUST lost on reboot
- processes running on the machine use the RAM and cache continually
- any action taken on the machine, including running the acquisition tool itself, changes the contents of RAM; keep the footprint small and record what was run
Why is volatile data so important?
- it is very likely to hold passwords, messages, domain names, and IP addresses belonging to those processes
- very important in cases such as malware analysis and hunting
What artifact recovered from memory may allow an investigator to extract and decrypt traffic between malware and its operator?
- the encryption key, which the running malware must hold in RAM to use
SYS info
- generic term that describes basic system information about the machine, the running OS, its configuration, and the installed applications
- EX: OS version, build, product key, computer name, accounts, CPU model, RAM size, etc.
OS Configuration
- installed languages
- time zones
- uptime
- installed updates and hotfixes
RAM Dump and Running Processes
- knowing what processes were running at the time of the acquisition might be crucial for the investigation
- it should help the investigator know what to look for when analyzing the RAM dump acquired
Time Stamps
- play a major role in crime reconstruction
Network Configurations
- important when there is a network attack
- details such as: number of NICs, MAC and IP addresses
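The live-acquisition cards above (volatile data first, then system information, OS configuration, running processes, time stamps and network configuration) put together as an added shell script for a running Linux host. This is an added example, not a tool from the original page; the artefact names and output layout are assumptions. It is meant to be run from removable media so nothing is written to the suspect disk, and it hashes each artefact as soon as it is captured so the collection can be verified later.

```shell
#!/bin/sh
# Added example (not from the original page): collect volatile data from a
# running Linux host in order of volatility, before any disk is imaged.
# Each command's output goes to its own file under $1 and is hashed as soon
# as it is written. Commands that do not exist on the host are recorded as
# missing instead of aborting the collection. Running this changes RAM too,
# so note the run (time, tool, user) in the case log.
set -u

collect() {
    # $1 = output dir, $2 = artefact name, remaining args = command to run
    dir="$1"; name="$2"; shift 2
    out="$dir/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        # the UTC capture time is part of the record: crime reconstruction
        # depends on knowing when each value was observed
        { echo "# captured $(date -u +%Y-%m-%dT%H:%M:%SZ) with: $*"; "$@"; } > "$out" 2>&1 || true
    else
        echo "# $1 is not available on this host" > "$out"
    fi
    # hash relative to the directory so the manifest can be checked in place
    (cd "$dir" && sha256sum "$name.txt" >> manifest.sha256)
}

live_acquisition() {
    # $1 = output directory (in the field: removable media, never the suspect disk)
    dir="$1"
    mkdir -p "$dir"
    : > "$dir/manifest.sha256"
    # most volatile first: clock and uptime, processes and network state,
    # then system facts that would survive a reboot anyway
    collect "$dir" 01_date        date -u
    collect "$dir" 02_uptime      uptime
    collect "$dir" 03_processes   ps aux
    collect "$dir" 04_sockets     ss -tulpan
    collect "$dir" 05_arp_cache   ip neigh
    collect "$dir" 06_interfaces  ip addr
    collect "$dir" 07_routes      ip route
    collect "$dir" 08_logged_in   who
    collect "$dir" 09_kernel      uname -a
    collect "$dir" 10_os_release  cat /etc/os-release
    collect "$dir" 11_timezone    cat /etc/timezone
    collect "$dir" 12_mounts      cat /proc/mounts
    collect "$dir" 13_meminfo     cat /proc/meminfo
    # hash the manifest itself so later tampering with it is detectable
    sha256sum "$dir/manifest.sha256" > "$dir/manifest.sha256.sha256"
}

verify_collection() {
    # returns 0 only if every artefact still matches the hash recorded at capture
    (cd "$1" && sha256sum -c manifest.sha256 >/dev/null 2>&1)
}

# stand-alone use: sh live_acquire.sh /media/evidence/case42
out_dir="${1:-$(mktemp -d)}"
live_acquisition "$out_dir"
echo "volatile data collected in $out_dir"
```

A full RAM dump (for example with LiME or avml, neither of which is on the page) would be taken in the same session and hashed the same way; the text files above tell the examiner what to look for in that dump.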
Write Blockers
- device (hardware, or occasionally software) that allows data acquisition to take place while eliminating the chance of damaging or altering the disk's contents
- blocks the hard disk from writing by filtering out write commands and preventing them from being executed
Bootable Disks
- usually hold a self-contained fully functioning, bootable OS
- this allows the investigator to launch an OS on the suspect's machine without touching or modifying the device's main disk, provided the live OS does not auto-mount the internal disks read-write
How is write protect on Windows 7 and later enabled?
- Regedit (run as administrator)
- Navigate to HKLM\SYSTEM\CurrentControlSet\Control
- New > Key named "StorageDevicePolicies" (if it does not already exist)
- Inside that key, create a new DWORD (32-bit) Value named "WriteProtect"
- Double-click the newly created Value and set its data to 1
- this policy only blocks writes to USB mass-storage devices, and a device already attached may need to be reconnected for it to take effect; it is a software write block for the examiner's workstation, not a replacement for a hardware write blocker, so test it on a scratch drive before attaching evidence
Volatility Framework
- open-source collection of tools, implemented in Python under the GNU General Public License (Volatility 2 targets Python 2; Volatility 3 is the current Python 3 rewrite)
- allows the extraction of digital artifacts from volatile memory (RAM) samples
- supports memory dumps in raw format, Microsoft crash dumps, hibernation files and virtual machine snapshots
- pre-installed with Kali Linux
- also available as a standalone executable to run on Windows