
Dr. Phil Nyoni: Digital Forensics Lecture 2: Acquiring Digital Evidence July 2021


SCI 4201

Digital Forensics
Lecture 2: Acquiring Digital
Evidence

July 2021

Dr. Phil Nyoni


Cell: 0779457249
philnyoni@gmail.com
Objectives

• Explain how to prepare a computer investigation
• Apply a systematic approach to an investigation
• Describe procedures for corporate high-tech
investigations
• Explain requirements for data recovery
workstations and software
• Describe how to conduct an investigation
• Explain how to complete and critique a case
Overview of a Computer Crime

• Computers can contain information that helps
law enforcement determine:
– Chain of events leading to a crime
– Evidence that can lead to a conviction
• Law enforcement officers should follow proper
procedure when acquiring the evidence
– Digital evidence can be easily altered by an
overeager investigator
• A potential challenge: information on hard disks
might be password protected, so forensics tools
may need to be used in your investigation
Types of Computer Crime

• Identity Theft
• Phishing
• Spyware
• Discarded information
• Hacking
• SQL injection
• Password cracking (E.g., Ophcrack)
• Cyberstalking and Harassment
Preparing a Computer Investigation
• Role of computer forensics professional is to gather
evidence to prove that a suspect committed a crime
or violated a company policy
• Collect evidence that can be offered in court or at a
corporate inquiry
– Investigate the suspect’s computer
– Preserve the evidence on a different computer
• Follow an accepted procedure to prepare a case
• Chain of custody
– Route the evidence takes from the time you find it
until the case is closed or goes to court
Taking a Systematic Approach

• Steps for problem solving
– Make an initial assessment about the type of case
you are investigating
you are investigating
– Determine a preliminary design or approach to the
case
– Create a detailed checklist
– Determine the resources you need
– Obtain and copy an evidence disk drive
Taking a Systematic Approach
(continued)
• Steps for problem solving (continued)
– Analyze and recover the digital evidence
– Investigate the data you recover
– Complete the case report
– Critique the case
Assessing the Case

• Systematically outline the case details
– Situation
– Nature of the case
– Specifics of the case
– Type of evidence
– Operating system
– Known disk format
– Location of evidence
Assessing the Case (continued)

• Based on case details, you can determine the case
requirements
– Type of evidence
– Computer forensics tools
– Special operating systems
Planning Your Investigation

• A basic investigation plan should include the
following activities:
– Acquire the evidence
– Complete an evidence form and establish a chain of
custody
– Transport the evidence to a computer forensics lab
– Secure evidence in an approved secure container
Planning Your Investigation
(continued)
• A basic investigation plan (continued):
– Prepare a forensics workstation
– Obtain the evidence from the secure container
– Make a forensic copy of the evidence
– Return the evidence to the secure container
– Process the copied evidence with computer
forensics tools
Planning Your Investigation
(continued)
• An evidence custody form helps you document
what has been done with the original evidence and
its forensics copies
• Two types
– Single-evidence form
• Lists each piece of evidence on a separate page
– Multi-evidence form
• Lists several items of evidence on one form
[Two figure-only slides, “Planning Your Investigation (continued)”, not reproduced in text]
Public-Sector Investigations

• In a criminal case, a suspect is tried for a criminal
offense
– Such as burglary, murder, or molestation
• Computers and networks are only tools that can be
used to commit crimes
• Following the legal process
– Legal processes depend on local custom, legislative
standards, and rules of evidence
Public-Sector Investigations
• When conducting public-sector investigations, you
must understand laws on computer-related crimes
including:
– Standard legal processes
– Guidelines on search and seizure
– How to build a criminal case
• The Cyber Security & Data Protection Bill was
passed in 2020
– Provides for the investigation and collection of
evidence of cybercrimes
Private-Sector Investigations
• Private-sector investigations involve private
companies and lawyers who address company
policy violations and litigation disputes
– Example: wrongful termination
• Businesses strive to minimize or eliminate litigation
• Private-sector crimes can involve:
– E-mail harassment, falsification of data, gender and
age discrimination, embezzlement, sabotage, and
industrial espionage
• Line of authority - states who has the legal right to
initiate an investigation, who can take possession
of evidence, and who can have access to evidence
Private-Sector Investigations (Cont.)

• During private investigations, you search for
evidence to support allegations of violations of a
company’s rules or an attack on its assets
• Three types of situation are most common:
– Abuse or misuse of computing assets
– E-mail abuse
– Internet abuse
• Other frequent private-sector cases:
– Embezzlement
– Sabotage
• A private-sector investigator’s job is to minimize risk
to the company
Procedures for Private-Sector
High-Tech Investigations
• As an investigator, you need to develop formal
procedures and informal checklists
• Cases of investigation
– Employee termination
– Internet abuse
– Email abuse
– Attorney-client privilege
– Industrial espionage
– Interviews and interrogations in high-tech cases
Conducting an Investigation

• Gather resources identified in investigation plan
• Items needed
– Original storage media
– Evidence custody form
– Evidence container for the storage media
– Bit-stream imaging tool
– Forensic workstation to copy and examine your
evidence
– Securable evidence locker, cabinet, or safe
Gathering the Evidence
• Avoid damaging the evidence
• Steps
– Meet and interview the IT manager
– Fill out the evidence form and have the IT manager sign it
– Place the evidence in a secure container
– Carry the evidence to the computer forensics lab
– Complete the evidence custody form
– Secure evidence by locking the container
Acquiring an Image of Evidence Media
• First rule of computer forensics
– Preserve the original evidence
• Conduct your analysis only on a copy of the data
• Several vendors provide MS-DOS, Linux, and
Windows acquisition tools
– Windows tools require a hardware write-blocking
device because Windows mounts, and may write to,
any FAT or NTFS volume it recognizes
Using ProDiscover Basic to Acquire a
USB Drive
• Create a work folder for data storage
• Steps to perform an acquisition on a USB drive:
– If the USB drive has a write-protect switch, place
the drive in write-protect mode (most thumb drives
have none; use a hardware USB write-blocker instead)
– Start ProDiscover Basic
– In the main window, click Action, Capture
Image from the menu
– Click the Source Drive drop-down list, and
select the thumb drive
[Figure-only slide, “Using ProDiscover Basic to Acquire a USB Drive”, not reproduced in text]
Analyzing Your Digital Evidence
• Your job is to recover data from:
– Deleted files
– File fragments
– Complete files
• Deleted files linger on the disk until new data is
saved on the same physical location
– On SSDs and other flash media, TRIM may zero the
freed blocks much sooner, so recovery is less certain
• Tools can be used to retrieve deleted files
– ProDiscover Basic
Completing the Case
• You need to produce a final report
– State what you did and what you found
• Include ProDiscover report to document your
work
• Repeatable findings
– Repeat the steps and produce the same result
• If required, use a report template
• Report should show conclusive evidence
– Suspect did or did not commit a crime or violate a
company policy
• Answer the six Ws:
– Who, what, when, where, why, and how
Understanding Storage Formats for
Digital Evidence
• Data in a forensics acquisition tool is stored as
an image file in three formats
• Raw format: Makes it possible to write
bit-stream data to files
– Fast data transfers, but requires as much storage as
original disk or data
• Proprietary formats: Most forensics tools have
their own formats
– Can split or compress an image, but other vendors’
tools may not be able to read it (EnCase’s .E01 is
widely supported and is the usual exception)
Understanding Storage Formats for
Digital Evidence (Cont.)
• Advanced Forensics Format (AFF): Developed
by Dr. Simson L. Garfinkel as an open-source
acquisition format.
• File extensions include .afd for segmented
image files and .afm for AFF metadata
• Design goals
– Provide compressed or uncompressed image files
– No size restriction for disk-to-image files
– Provide space in the image file or segmented files
for metadata
– Internal consistency checks for self-authentication
Determining the Best Acquisition
Method
• Types of acquisitions
– Static acquisitions and live acquisitions
• Four methods of data collection
– Creating a disk-to-image file, a disk-to-disk, a
logical disk-to-disk or disk-to-data file, or a
sparse data copy of a file or folder
• Determining the best method depends on
the circumstances of the investigation
• When making a copy, consider:
– Size of the source disk
– Whether you can retain the disk
Determining the Best Acquisition
Method
• Creating a disk-to-image file
– Most common method and offers most flexibility
– Can make more than one copy
– Copies are bit-for-bit replications of the original
drive
– ProDiscover, EnCase, FTK, SMART, Sleuth Kit
(TSK), X-Ways Forensics & WinHex, iLookIX, and
DriveSpy
• Creating a disk-to-disk
– When disk-to-image copy is not possible
– Tools can adjust disk’s geometry configuration
– EnCase, SafeBack, SnapCopy
Determining the Best Acquisition
Method
• Logical acquisition or sparse acquisition
– A full disk-to-image copy of a large disk can take
several hours; use these methods when your time is limited
– Logical acquisition captures only specific files of
interest to the case (for example, PST or OST mail
files on a large RAID server)
– Sparse acquisition also collects fragments of
unallocated (deleted) data
– Intended for large disks that cannot be imaged whole
Contingency Planning for Image
Acquisitions
• Create a duplicate copy of your evidence image
file
• Make at least two images of digital evidence
– Use different tools or techniques
• Copy host protected area of a disk drive as
well
– Consider using a hardware acquisition tool that can
access the drive at the BIOS level
• Be prepared to deal with encrypted drives
– Whole disk encryption such as Windows BitLocker
makes static acquisitions more difficult: the raw
image is ciphertext until the volume is unlocked
– May require the user, or the organization’s key
escrow, to provide the recovery key or password; a
live acquisition while the volume is unlocked is the
alternative
Using Acquisition Tools
• Acquisition tools for Windows
– Advantages: Make acquiring evidence from a
suspect drive more convenient, especially when
used with hot-swappable devices
– Disadvantages
• Must protect acquired data with a well-tested
write-blocking hardware device
• Tools can’t acquire data from a disk’s host protected
area
• Some countries haven’t accepted the use of
write-blocking devices for data acquisitions
Mini-WinFE Boot CDs and USB Drives

• Mini-WinFE
– Enables you to build a Windows forensic boot
CD/DVD or USB drive so that connected drives
are mounted as read-only
• Before booting a suspect’s computer:
– Connect your target drive, such as a USB drive
• After Mini-WinFE is booted:
– You can list all connected drives and alter your
target USB drive to read-write mode so you can
run an acquisition program
Acquiring Data with a Linux Boot CD
• Linux can access a drive that isn’t mounted
• Windows OSs and newer desktop Linux automatically
mount and access a drive
• Forensic Linux Live CDs don’t mount media
automatically
– Which reduces the need for a hardware write-blocker,
provided you verify the read-only setting before acquiring
• Using Linux Live CD Distributions
– Forensic Linux Live CDs
• Contain additional utilities configured not to mount, or to
mount as read-only, any connected storage media
• Well-designed Linux Live CDs for computer forensics
– Penguin Sleuth, F.I.R.E, CAINE, DEFT, Kali Linux, Knoppix,
SANS Investigative Forensic Toolkit (SIFT)
Preparing a Target Drive for
Acquisition in Linux
• Current Linux distributions can create
Microsoft FAT and NTFS partition tables
• fdisk command lists, creates, deletes, and
verifies partitions in Linux
• mkfs.msdos command formats a FAT file
system from Linux
Acquiring Data with dd in Linux
• dd (“data dump”) command
– Can read from and write to a media device or a data file
– Creates a raw format file that most computer forensics
analysis tools can read
• Shortcomings of dd command
– Requires more advanced skills than the average user has
– Does not compress data, and records no hash or
metadata in the image
• dd command combined with the split command
– Segments the output into separate fixed-size volumes
Capturing an Image with
ProDiscover Basic
• Connecting the suspect’s drive to your workstation
– Document the chain of custody for the drive
– Remove the drive from the suspect’s computer
– Configure the suspect drive’s jumpers as needed
– Connect the suspect drive to write-blocker device
– Create a storage folder on the target drive
Capturing an Image with
ProDiscover Basic (Cont.)
• Using ProDiscover’s Proprietary Acquisition
Format
– Follow the steps starting on page 108 to start
ProDiscover Basic and configure settings for
acquisition
– ProDiscover creates image files with an .eve
extension, a log file (.log extension), and a
special inventory file (.pds extension)
– If the compression option was selected,
ProDiscover uses a .cmp rather than an .eve
extension on all segmented volumes
[Figure-only slide, “Capturing an Image with ProDiscover Basic (Cont.)”, not reproduced in text]
Capturing an Image with AccessData
FTK Imager Lite
• Included with AccessData Forensic Toolkit
• Designed for viewing evidence disks and
disk-to-image files (freely available)
• Makes disk-to-image copies of evidence drives
– At logical partition and physical drive level
– Can segment the image file
• Evidence drive must have a hardware
write-blocking device
– Or run from a Live CD, such as Mini-WinFE
[Two figure-only slides, “Capturing an Image with AccessData FTK Imager Lite”, not reproduced in text]
• FTK Imager can’t acquire a drive’s host
protected area
• Use a write-blocking device and follow these
steps
– Boot to Windows
– Connect evidence disk to a write-blocker
– Connect target disk to write-blocker
– Start FTK Imager Lite
– Create Disk Image - use Physical Drive option
– See Figures on the following slides for more
steps
Validating Data Acquisitions

• Probably the most critical aspect of computer
forensics
• Requires using a hashing algorithm utility
– Designed to create a binary or hexadecimal number,
called a digital fingerprint, that represents the
uniqueness of a data set
– MD5 and SHA-1 are no longer collision-resistant:
distinct inputs with the same hash can be constructed,
so prefer SHA-256 or stronger, or record two hashes
• Validation techniques
– CRC-32, MD5, and SHA-1 to SHA-512
– Byte-by-byte comparison tools when only MD5 is
available: X-Ways Forensics, X-Ways WinHex, etc.
Linux Validation Methods
• Validating dd acquired data
– You can use the md5sum, sha1sum or sha256sum utilities
– Run them on the original suspect disk or volume and
on every segmented volume of the image, and record
the values so the image can be re-validated later
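The following script is an added example for the dd/split acquisition slides and for the Linux validation step above; it is not code from the lecture or from any forensic tool vendor. It runs against a constructed 4 KiB “evidence” file so it needs no root and no real device; on a case the source would be a block device such as /dev/sdb reached through a write-blocker. The file names, segment size and sample data are assumptions.

```sh
#!/bin/sh
# Added example (not from the lecture): dd + split acquisition of a
# constructed evidence file, then hash and byte-for-byte validation of the
# segmented raw image. Names and sizes below are assumptions.
set -eu

# acquire_image SRC PREFIX SEGSIZE
# Copies SRC sector by sector into PREFIX.aa, PREFIX.ab, ... (SEGSIZE bytes
# each), records the hash of the ORIGINAL in PREFIX.sha256 and a per-segment
# hash list in PREFIX.segments.sha256. Prints the source hash.
acquire_image() {
    src=$1; prefix=$2; segsize=$3
    # conv=noerror keeps reading past unreadable sectors instead of
    # aborting; conv=sync zero-pads such a short read so later offsets
    # stay correct (a raw image has no metadata to record the gap).
    dd if="$src" bs=512 conv=noerror,sync 2>/dev/null \
        | split -b "$segsize" - "$prefix."
    # Hash the original independently of the copy: this is the reference
    # value that goes on the evidence custody form.
    sha256sum "$src" | awk '{print $1}' > "$prefix.sha256"
    # Hash every segment too, so a single damaged volume can be identified.
    sha256sum "$prefix".?? > "$prefix.segments.sha256"
    cat "$prefix.sha256"
}

# verify_image SRC PREFIX
# 1) re-checks each segment against its recorded hash,
# 2) rebuilds the stream from the segments (split names sort in order) and
#    compares it with the recorded source hash,
# 3) does a byte-for-byte cmp against the original while it is still
#    available, which does not depend on any hash being collision-free.
# Returns 0 only if every check passes.
verify_image() {
    src=$1; prefix=$2
    sha256sum -c --quiet "$prefix.segments.sha256" >/dev/null 2>&1 || return 1
    expected=$(cat "$prefix.sha256")
    actual=$(cat "$prefix".?? | sha256sum | awk '{print $1}')
    [ "$expected" = "$actual" ] || return 1
    cat "$prefix".?? | cmp -s - "$src" || return 1
    return 0
}

# Stand-alone demonstration on a constructed 4 KiB evidence file
# (multiple of the 512-byte sector size, as a real disk would be).
work=$(mktemp -d)
yes 'constructed sample evidence, not real data' | head -c 4096 > "$work/evidence.bin"
acquire_image "$work/evidence.bin" "$work/case01" 1024
verify_image "$work/evidence.bin" "$work/case01" && echo "image validated"
```

Forensic builds of dd such as dcfldd and dc3dd can compute the hash in the same pass as the copy; with plain dd the hash must be taken separately, as here, and the recorded values are what make a later re-validation of the image possible.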
Windows Validation Methods

• Older Windows versions had no built-in hashing tool
for computer forensics
– Third-party utilities can be used
– Current Windows ships certutil -hashfile and
PowerShell Get-FileHash, which suffice for validation
– Third-party utilities can be used
• Commercial computer forensics programs also
have built-in validation features
– Each program has its own validation technique
• Raw format image files don’t contain metadata
– Separate manual validation is recommended for all
raw acquisitions
Performing RAID Data Acquisitions
• Acquisition of RAID drives can be challenging and
frustrating because of how RAID systems are
– Designed
– Configured
– Sized (the main concern)
• Redundant array of independent (formerly
“inexpensive”) disks (RAID)
– Computer configuration involving two or more disks
– Originally developed as a data-redundancy measure
Acquiring RAID Disks
• Address the following concerns
– How much data storage is needed?
– What type of RAID is used?
– Do you have the right acquisition tool?
• Vendors offering RAID acquisition functions
– Technology Pathways ProDiscover
– Guidance Software EnCase
– X-Ways Forensics
– AccessData FTK
– Runtime Software
– R-Tools Technologies
• Occasionally, a RAID system is too large for a static
acquisition
– Retrieve only the data relevant to the investigation with the
sparse or logical acquisition method
Using Remote Network Acquisition
Tools
• You can remotely connect to a suspect
computer via a network connection and copy
data from it
• Remote acquisition tools vary in configurations
and capabilities
• Drawbacks
– Antivirus, antispyware, and firewall tools must be
configured to allow the remote agent, or they will
block or quarantine it
– Suspects could easily install their own security tools
that trigger an alarm to notify them of remote access
intrusions
Remote Acquisition with
ProDiscover
• ProDiscover Incident Response additional
functions
– Capture volatile system state information
– Analyze current running processes
– Locate unseen files and processes
– Remotely view and listen to IP ports
– Run hash comparisons
– Create a hash inventory of all files remotely
• PDServer remote agent
– ProDiscover utility for remote access
– Needs to be loaded on the suspect’s computer
Remote Acquisition with
ProDiscover (Cont.)
• PDServer installation modes
– Trusted CD
– Preinstallation
– Pushing out and running remotely
• PDServer can run in a stealth mode
– Can change process name to appear as OS function
• Remote connection security features
– Password Protection
– Encryption
– Secure Communication Protocol
– Digital Signatures
Remote Acquisition with EnCase
Enterprise
• Remote acquisition features
– Remote data acquisition of a computer’s media and
RAM data
– Integration with intrusion detection system (IDS)
tools
– Options to create an image of data from one or more
systems
– Preview of systems
– A wide range of file system formats
– RAID support for both hardware and software
Remote Acquisition with Other Tools
(Cont.)
• Other commercial acquisition tools
– PassMark Software ImageUSB
– ASRData SMART: A Linux forensics analysis
tool that can make image files of a suspect drive
– Runtime Software: DiskExplorer for FAT and
NTFS
– ILookIX Investigator IXImager: Runs from a
bootable floppy or CD
– SourceForge: Provides several applications for
security, analysis, and investigations
Mac OS Forensic Tools

• FTK: Provides a Windows-based tool for Macintosh
computers
• Mac Marshal
• BlackLight
Summary
• Always use a systematic approach to your
investigations
• Always plan a case taking into account the nature
of the case, case requirements, and gathering
evidence techniques
• Both criminal cases and corporate-policy violations
can go to court
• Plan for contingencies for any problems you might
encounter
• Keep track of the chain of custody of your evidence
Summary (continued)
• Public and private computer investigations are
different
• Internet and media leak investigations require
examining server log data
• For attorney-client privilege cases, all written
communication should remain confidential
• A bit-stream copy is a bit-by-bit duplicate of the
original disk
• Always maintain a journal to keep notes on exactly
what you did
• You should always critique your own work
