Chapter 03 Homework Guide to Computer Forensics and Investigations

Guide to Computer Forensics and Investigations, Fifth Edition 3-1

Chapter 3

Data Acquisition

At a Glance

Instructor’s Manual Table of Contents

• Overview

• Objectives

Guide to Computer Forensics and Investigations, Fifth Edition 3-2

Lecture Notes

Overview

Chapter 3 explains data acquisition. Students learn about digital evidence storage

formats and how to determine the best acquisition method. Next, students will learn

about contingency planning for data acquisitions and how to use acquisition tools. This

Chapter Objectives

• List digital evidence storage formats

• Explain ways to determine the best acquisition method

• Describe contingency planning for data acquisitions

• Explain how to use acquisition tools

• Explain how to validate data acquisitions

Teaching Tips

Understanding Storage Formats for Digital Evidence

1. This section describes the following three storage formats for digital evidence:

a. Raw format

Raw Format

1. Explain that raw format makes it possible to write bit-stream data to files.

2. Describe the advantages of using raw format, including:

3. Describe the disadvantages of using raw format, including:

a. Requires as much storage space as the original disk or data

Guide to Computer Forensics and Investigations, Fifth Edition 3-3

Proprietary Formats

1. Describe the features offered by proprietary formats, including:

a. Option to compress or not compress image files

2. Describe the disadvantages of using proprietary formats, including:

3. Mention that of all the proprietary formats for image acquisitions, Expert Witness

Advanced Forensics Format

1. Mention that the Advanced Forensics Format (AFF) was developed by Dr. Simson L.

Garfinkel.

2. Describe the design goals of AFF, including:

a. Produce compressed or uncompressed image files

b. No size restriction for disk-to-image files

3. Explain that file extensions include .afd for segmented image files and .afm for AFF

metadata.

4. Mention that AFF is open source.

Determining the Best Acquisition Method

1. Describe the following two types of data acquisition:

2. Describe the four different methods for acquiring data:

a. Creating a disk-to-image file

3. Introduce students to the logical acquisition data copy method, which captures only

specific files of interest to the case or specific types of files.

4. Explain some of the main considerations when acquiring evidence data, including:

a. Size of the source disk (explain compression methods)

Contingency Planning for Image Acquisitions

1. Present a list of considerations to take to prevent copies of the evidence from damaging

or losing.

a. Duplicate your evidence copies

Using Acquisition Tools

1. Describe the advantages and disadvantages of using acquisition tools for Windows,

including:

a. Make acquiring evidence from a suspect drive more convenient, especially when

Mini-WinFE Boot CDs and USB Devices

1. Discuss the Windows boot utility called Mini-WinFE. Explain that it enables you to

2. Explain how students can create a Mini-WinFE boot CD or USB drive. Point out that

Acquiring Data with a Linux Boot CD

1. Explain that Linux can access a drive that isn’t mounted. Windows OSs and newer

2. Explain that forensic Linux Live CDs contain additionally utilities and are configured

3. Mention some of the well-designed Linux Live CDs for computer forensics, such as:

5. Describe how to partition and format a Microsoft FAT drive from Linux using the fdisk

and mkfs.msdos commands. If able, walk students through the activity in the text.

6. Explain that the dd (“dump data”) command can be used to read and write data from a

7. Describe the shortcomings of using the dd command, including:

8. Mention that the dd command combined with the split command segments output into

separate volumes.

9. Describe how to acquire data using the dd command in Linux, as described in this

section.

10. Mention that the dd command is intended as a data management tool; it’s not designed

for forensics acquisitions. The dcfldd command offers additional capabilities, including:

a. Specify hexadecimal patterns or text for clearing disk space

b. Log errors to an output file for analysis and review

Capturing an Image with ProDiscover Basic

1. Describe the steps for connecting the suspect’s drive to your workstation, including:

a. Document the chain of evidence for the drive

3. Explain how to acquire data using ProDiscover’s raw acquisition format. Mention that

Capturing an Image with AccessData FTK Imager

1. Mention that FTK Imager is included on the AccessData Forensic Toolkit.

2. Explain that FTK Imager allows you to view evidence disks and disk-to-image files. It

3. Mention that the evidence drive must have a hardware write-blocking device or the

4. Use Figures 3-5 through 3-9 to explain the steps to capture an image with AccessData

Quick Quiz 1

1. Most forensics tools can read the _____ format, making it a universal acquisition format

for most tools.

2. The preferred way to collect digital evidence is through a(n) _____ acquisition.

3. Popular archiving tools, such as PKZip and WinZip, use an algorithm referred to as ____.

4. The dd command combined with the _____ command segments output into separate volumes.

5. ____ is a Windows data acquisition program that’s included with a licensed copy of AccessData

Forensic Toolkit

Guide to Computer Forensics and Investigations, Fifth Edition 3-7

Validating Data Acquisitions

2. Explain that validating digital evidence requires using a hashing algorithm utility.

Hashing algorithms range from CRC-32, MD5, and SHA-1 to SHA-512.

Linux Validation Methods

1. Discuss how to use the md5sum and sha1sum commands to validate data acquired using

the dd command.

3. Explain how to validate data acquired with dcfldd using the hash, hashlog, and vf

Windows Validation Methods

1. Explain that Windows has no built-in hashing algorithm tools for digital forensics, but

third-party utilities can be used.

Performing RAID Data Acquisitions

1. Mention that size is the biggest concern because many RAID systems are now pushing

Understanding RAID

1. Define redundant array of independent (formerly “inexpensive”) disks (RAID) as a

2. Use Figures 3-10 through 3-13 to explain all different RAID levels, similarities and

differences, and advantages and disadvantages:

a. RAID 0

b. RAID 1

Tip

Acquiring RAID Disks

1. Describe the main concerns when acquiring RAID disks, including:

a. How much data storage is needed?

b. What type of RAID is used?

c. Do you have the right acquisition tool?

2. Mention that copying small RAID systems to one large disk is possible. All forensics

3. Mention some of the vendors offering RAID acquisition functions, including:

a. Technologies Pathways ProDiscover

4. Mention that occasionally, a RAID system is too large for a static acquisition.

Using Remote Network Acquisition Tools

2. Describe some of the drawbacks of acquiring data through a network, including:

a. Antivirus, antispyware, and firewall tools

Guide to Computer Forensics and Investigations, Fifth Edition 3-9

b. If suspects have administrator rights on their computers, they could install their

Remote Acquisition with ProDiscover

1. Describe the additional functions available through ProDiscover Incident Response,

including:

a. Capture volatile system state information

2. Explain that the PDServer remote agent is the ProDiscover utility for remote access and

3. Describe the PDServer installation modes, including:

4. Mention that PDServer has the option of running in a stealth mode. In addition, you can

change the process name so that it appears to be an OS function.

5. Describe the remote connection security features offered by ProDiscover, including:

a. Password protection

b. Encryption

Remote Acquisition with EnCase Enterprise

1. Describe the remote acquisition features available through EnCase Enterprise,

including:

a. Remote data acquisition of a computer’s media and RAM data

Guide to Computer Forensics and Investigations, Fifth Edition 3-10

Remote Acquisition with R-Tools R-Studio

2. Mention that R-Studio creates raw format acquisitions and supports various file

systems.

Remote Acquisition with WetStone US-LATT PRO

1. Introduce students to US-LATT PRO, which can connect to a networked computer

Remote Acquisition with F-Response

1. Explain that F-Response is a vendor-neutral specialty remote access utility designed to

work with any digital forensics program.

2. Mention that F-Response is sold in four different versions: Enterprise, Consultant +

Using Other Forensics-Acquisition Tools

1. This section describes the following acquisition tools:

a. PassMark Software ImageUSB

b. ASRData SMART

PassMark Software ImageUSB

1. Explain that PassMark Software has an acquisition tool called ImageUSB for its

OSForensics analysis product. It allows you to create a bootable flash drive.

ASRData SMART

1. Describe the main capabilities of ASRData SMART, including:

a. Robust data reading of bad sectors on drives

Guide to Computer Forensics and Investigations, Fifth Edition 3-11

Remote Acquisition with Runtime Software

1. Introduce students to the utilities offered by Runtime Software, including:

2. Mention the acquisition features offered by Runtime Software, including:

a. Create a raw format image file

ILook Investigator IXimager

1. Describe the main characteristics of ILook Investigator IXimager, as explained in this

section.

SourceForge

1. Direct students to the website listing all of the current tools offered by SourceForge

Quick Quiz 2

1. A _____ utility is designed to create a binary or hexadecimal number that represents the

uniqueness of a data set.

2. The dcfldd option that outputs hash results to a text file is the _____ option.

3. ____ uses data striping and dedicated parity and requires at least three disks.

4. With _____, you have the option of running it in stealth mode to hide it from the

suspect.

5. ____ was the first digital forensics vendor to develop a remote acquisition and analysis tool based

on its desktop tool EnCase.

Class Discussion Topics

1. Ask the students to discuss the disadvantages of creating a bit-stream copy from a disk

to a network drive. Is it worthwhile?

2. Ask the students to discuss the advantages and disadvantages of using a USB or parallel

Additional Projects

1. Ask the students to read more about compression algorithms. Ask your students to

compare them. Can they find what algorithm is implemented by most of the forensic

tools described in this chapter?

2. Ask the students to investigate about SHA-256 characteristics and requirements. How

does SHA-256 compare to SHA-1 and MC5?

Additional Resources

1. AFF:

2. How and when to use the dd command?:

3. SHA hash functions:

4. Cyclic redundancy check:

Guide to Computer Forensics and Investigations, Fifth Edition 3-13

Key Terms

interest to the case or specific types of files, such as Outlook PST files. See also sparse

acquisition.

➢ raw format — A data acquisition format that creates simple sequential flat files of a

suspect drive or data set.

➢ redundant array of independent disks (RAID) — Two or more disks combined into

unreadable when copied with a static acquisition method.