CSCD496 Computer Forensics Lecture 5 Applying Process to Computer Forensics Winter 2010

Posted on 21-Dec-2015

TRANSCRIPT

Page 1:

CSCD496 Computer Forensics
Lecture 5: Applying Process to Computer Forensics
Winter 2010

Page 2:

Introduction

• Look at digital data acquisition
• Just what is called static acquisition for now
  – Disk and other storage media
• Live acquisition is another technique
  – Includes capturing RAM and any other volatile data from a live machine

Page 3:

Static Acquisition

• Process of copying data
• Goal of static acquisition
  – Preserve the data and establish its integrity
  – No question of the validity of the data, so it can be used as evidence in court

Page 4:

Formats for Acquisition

• Forensic copying software produces image files in different formats
  – Proprietary format
    • Most commercial tools produce their own format
    • One popular standard is supported by many tools
  – Open source
    • Free with most Linux distributions
    • Raw format from the Linux dd tool
      – Bit-by-bit copy of the media
      – Creates a sequential flat file of the suspect drive
    • Also supported by commercial tools

Page 5:

Advantages or Disadvantages

• Advantages of raw
  – Fast transfer, important for large disk copies
  – Can ignore minor data read errors on the source drive
  – Universal format; most tools can read it
• Disadvantages of raw
  – Requires as much storage space as the original disk
  – May fail to collect bad (marginal) sectors on the disk; a sector that is skipped or zero-filled also means the image no longer hashes the same as the source
  – Commercial tools make more effort to collect all data

Page 6:

Advantages or Disadvantages

• Advantages of proprietary format
  – Offer features not available with raw
    • Compress the image, saving space
    • Can flexibly split images into smaller files to fit onto other media
    • Can integrate metadata into the image: hash value of the original disk, date and time of the copy
• Disadvantages of proprietary format
  – Can't share the image between vendors' analysis tools

Page 7:

Advantages or Disadvantages

• Example proprietary format
  – ILook IXimager produces three proprietary formats
    • IDIF, IRBF and IEIT
  – Can copy to raw format for use by other tools
  – ILook is only available to law enforcement agencies

http://www.perlustro.com/

Page 8:

Standard Formats

• EnCase's format, Expert Witness (.E01 files)
  – Closest to a standard
  – Recognized by other commercial tools
    • X-Ways Forensics, AccessData Forensic Toolkit (FTK), and SMART can generate generic versions of the Expert Witness format
  – Can be compressed or uncompressed

http://www.guidancesoftware.com/computer-forensics-ediscovery-software-digital-evidence.htm

Page 9:

Standard Formats

• Another proposed open-source acquisition format
  – Advanced Forensic Format (AFF)
  – AFF is a new format proposed by Dr. Simson Garfinkel, a forensics researcher
  – Expectation is that AFF will become the standard of the future for acquisition of data
  – Both The Sleuth Kit and Autopsy support the AFF image format

http://www.afflib.org/

Page 10:

AFF Format

• An open standard enables investigators to use their preferred tools to solve crimes and gather intelligence
• Proprietary file formats mean you will convert from one format to another to use multiple tools
• Converting between formats risks data corruption if the formats are not well understood
• Metadata may be lost if all formats do not support the same forms of metadata
• Read more about the AFF format

http://www.forensicswiki.org/wiki/AFF

Page 11:

Techniques of Acquisition

• Several ways to do static acquisition
  – Typically done on a computer or digital media seized as evidence
  – Most common
    • Disk-to-image file
      – Provides the greatest flexibility
      – Bit-by-bit copy of the original drive
      – Can use a variety of tools to read and analyze the data

Page 12:

Techniques of Acquisition

• Another method
  – Disk-to-disk copy
  – Copying data from one drive to another
  – Circumstances when you might have to do that
    • Older drive, with hardware or software errors
    • Some tools can adjust the geometry of the target disk to match the original suspect drive
    • Do that so the exact circumstances of the disk are preserved
    • SafeBack and SnapCopy are two tools that run in an MS-DOS window and do a disk-to-disk copy
    • EnCase also does this type of data acquisition

Page 13:

Linux vs. Windows

• Do you think it matters which OS you use to analyze the disk or data?
  – Yes.
  – Windows can contaminate your evidence drive! It auto-mounts every volume it recognizes and may write to it as soon as it is attached
  – Must protect the drive with a write-blocking device
    • Hardware devices can be inserted between the disk and the OS used to analyze and copy the data
    • More about these in a later chapter

Page 14:

Linux vs. Windows

• Windows XP blocking feature
  – Since Service Pack 2, a feature was added to XP to turn off writing to USB devices
  – Must edit the registry to do this (the WriteProtect value under HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies); the book has step-by-step instructions in Chapter 4
  – Connect the suspect drive to the USB external drive after you turn off write permission to that USB device
  – Windows will not allow you to write to the device
  – Make a copy of the data
  – Caveat: this is a software write-block for USB mass-storage devices only; test it on a scratch drive before trusting it with evidence

Page 15:

Linux Live Boot CD

• Linux can leave a drive unmounted and still access it through its block device, which means nothing can read or write its files in the usual way
• However, newer Linux distributions automatically mount and allow access to connected drives
  – Can allow alteration of data (even a read-only mount of a journaled file system such as ext3 replays the journal unless it is mounted with noload)
• Answer: Linux Live Boot CD

Page 16:

Linux Live Boot CD

• CAINE Live CD
  – http://www.caine-live.net/
• Knoppix
  – http://www.knoppix-std.org/download.html
• F.I.R.E.
  – http://fire.dmzs.com/
• Penguin Sleuth
  – http://www.linux-forensics.com/
• DeftLinux
  – http://www.deftlinux.net/

Page 17:

Live CD's for Data Acquisition

• Live CD's – advantages
  – Have a number of tools in one distribution
  – Configured by default not to auto-mount connected storage media, and to mount it read-only when asked
  – Can then access and examine media connected to the suspect machine
• We will be exploring Live CD's in more detail later

Page 18:

Validating Data Acquisitions

• Anything you can do to validate the evidence, to prove it wasn't compromised
• Typically accepted technique – data hash
• Linux
  – Two hash functions, md5sum and sha1sum
  – Take the hash of the original drive – save it
  – Take the hash of the copied image file – save it
  – Compare them – do they match?

Page 19:

Validating Data Acquisitions

• Windows
  – Sigh ... no built-in hash utilities
  – Third-party hex editors
    • X-Ways WinHex http://www.x-ways.net/winhex/index-m.html
    • Breakpoint Software Hex Workshop http://www.bpsoft.com/
    • Produce hashes of files
  – Commercial tools
    • Use built-in hash capabilities
    • ProDiscover .eve file – stores metadata with the file
      – Date, time and hash value of the original media
      – Each time you load the image, ProDiscover checks the hash value
      – Ensures it matches the saved hash of the original media

Page 20:

Protocol of Images

• Strongly recommended
  – Make 2 copies of your media
  – Why?
  – Stuff happens to images
  – Don't want to be caught without another image
  – Destroy your case – lose evidence, no more case

Page 21:

Linux dd Command

• dd – oldest imaging tool still used
  – Although it is functional and requires only minimal resources to run, it lacks some useful features found in more modern imagers
    • Metadata gathering
    • Error correction
    • Piecewise hashing
    • User-friendly interface
  – Ported to Linux, Mac and Windows

Page 22:

Newer Version of dd

• dcfldd is an enhanced version of dd developed by the U.S. Department of Defense Computer Forensics Lab
• Useful features for forensic investigators, such as:
  – On-the-fly hashing of the transmitted data
  – Progress bar of how much data has already been sent
  – Verification that the image is identical to the original drive, bit for bit
  – Output can be split into multiple files
  – Logs and data can be piped into external applications

Page 23:

Example Using dd

• Example: preserve an image of a floppy

md5sum /dev/fd0 > /tmp/original-md5

Why?

Use the dd command:

dd if=/dev/fd0 of=/tmp/disk.img bs=1k

What should I do next?

md5sum /tmp/disk.img > /tmp/img-md5

cat /tmp/*md5

Am I finished here?
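The floppy procedure above, the validation steps of slide 18 and the "make 2 copies" rule of slide 20, written out as one script. This is an added example and not code from the lecture or the textbook; it assumes GNU coreutils (dd, md5sum, sha1sum, cmp, mktemp, seq) and util-linux (blockdev), the device names are illustrative, and the media it images in the demo is a constructed file standing in for /dev/fd0. It goes beyond the slide in two ways: it refuses to image a block device that is not flagged read-only (a software write-block check), and it shows how dd's conv=noerror,sync handling of read errors interacts with hash verification.

```shell
#!/bin/sh
# Added example, not from the lecture or the textbook: the slide-23
# procedure (hash the source, dd it, hash the image, compare) as a
# script, plus the "make 2 copies" rule. Assumes GNU coreutils (dd,
# md5sum, sha1sum, cmp, mktemp, seq) and util-linux (blockdev); device
# names are illustrative and the demo media below is constructed.
set -u

# Software write-block check: refuse to touch a block device the kernel
# has not flagged read-only. Set the flag first, e.g.
#   blockdev --setro /dev/fd0
# Regular files (the demo) are not block devices and skip the check.
check_write_blocked() {
    dev=$1
    if [ -b "$dev" ]; then
        [ "$(blockdev --getro "$dev")" = 1 ] || {
            echo "refusing: $dev is writable; run: blockdev --setro $dev" >&2
            return 1
        }
    fi
}

# "md5 sha1" of a file or device. Reads the source twice; for slow or
# failing media prefer a single pass (see acquire_dcfldd below).
hash_both() {
    printf '%s %s\n' "$(md5sum < "$1" | cut -d' ' -f1)" \
                     "$(sha1sum < "$1" | cut -d' ' -f1)"
}

# Image SRC into OUT and verify. conv=noerror,sync makes dd continue
# past a read error and zero-fill that block instead of aborting (the
# raw-format trade-off from slide 5): the image then no longer hashes
# like the source, so a mismatch here means "investigate", not "retry".
# bs=512 is the demo sector size; on real hardware use the drive's
# physical sector size (blockdev --getpbsz DEV). A source whose length
# is not a multiple of bs is padded by sync and also fails verification.
acquire() {
    src=$1; out=$2
    check_write_blocked "$src" || return 1
    hash_both "$src" > "$out.src.hash" || return 1
    dd if="$src" of="$out" bs=512 conv=noerror,sync 2> "$out.dd.log" || return 1
    hash_both "$out" > "$out.hash" || return 1
    cmp -s "$out.src.hash" "$out.hash"
}

# Second working copy (slide 20), taken from the verified image rather
# than from the suspect media, and checked against the same hashes.
duplicate() {
    img=$1; copy=$2
    dd if="$img" of="$copy" bs=512 2> "$copy.dd.log" || return 1
    hash_both "$copy" > "$copy.hash" || return 1
    cmp -s "$img.hash" "$copy.hash"
}

# The same acquisition with dcfldd (slide 22), if installed: hashes the
# stream once while writing, logs per-10 MiB piecewise hashes and the
# totals, and splits the output into 2 GiB pieces (OUT.aa, OUT.ab, ...).
acquire_dcfldd() {
    src=$1; out=$2
    check_write_blocked "$src" || return 1
    dcfldd if="$src" of="$out" bs=512 conv=noerror,sync \
        hash=md5,sha1 hashwindow=10M hashlog="$out.hashlog" \
        split=2G splitformat=aa
}

# Demo on constructed media: 128 lines of 32 bytes = 4096 bytes, i.e.
# eight whole 512-byte "sectors", standing in for /dev/fd0.
demo() {
    t=$(mktemp -d)
    printf 'constructed sample media %06d\n' $(seq 1 128) > "$t/suspect.bin"
    if acquire "$t/suspect.bin" "$t/suspect.img" \
       && duplicate "$t/suspect.img" "$t/suspect-copy.img"; then
        echo "verified (md5 sha1): $(cat "$t/suspect.img.hash")"
        rc=0
    else
        echo "acquisition or verification FAILED" >&2
        rc=1
    fi
    rm -rf "$t"
    return $rc
}

demo
```

Saved as a file and run with sh, the script images the constructed sample and prints the matching hashes; to use it on real media, set the device read-only with blockdev --setro first, then call acquire /dev/fd0 /tmp/disk.img, which otherwise refuses to run. The hash files it leaves next to the image (disk.img.src.hash, disk.img.hash) are the record you keep with the evidence.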

Page 24:

Summary

• Data acquisition is a critical part of the forensics process
• Mess this up, and your evidence is useless
• Need to be very careful not to impact the data you are trying hard to preserve
• Live CD's and write-blockers – hardware and software – help preserve integrity

Page 25:

Finish

– Friday – Guest Speaker – Brian Kamp
  • Think about good questions you can ask!!!