Chapter 03 Homework Guide to Computer Forensics and Investigations

Authors: Amelia Phillips, Bill Nelson, Christopher Steuart

Guide to Computer Forensics and Investigations, Fifth Edition 3-1
Chapter 3
Data Acquisition
At a Glance
Instructor’s Manual Table of Contents
Overview
Objectives
Lecture Notes
Overview
Chapter 3 explains data acquisition. Students learn about digital evidence storage
formats and how to determine the best acquisition method. Next, students will learn
about contingency planning for data acquisitions and how to use acquisition tools. This
Chapter Objectives
List digital evidence storage formats
Explain ways to determine the best acquisition method
Describe contingency planning for data acquisitions
Explain how to use acquisition tools
Explain how to validate data acquisitions
Teaching Tips
Understanding Storage Formats for Digital Evidence
1. This section describes the following three storage formats for digital evidence:
a. Raw format
Raw Format
1. Explain that raw format makes it possible to write bit-stream data to files.
2. Describe the advantages of using raw format, including:
3. Describe the disadvantages of using raw format, including:
a. Requires as much storage space as the original disk or data
Proprietary Formats
1. Describe the features offered by proprietary formats, including:
a. Option to compress or not compress image files
2. Describe the disadvantages of using proprietary formats, including:
3. Mention that of all the proprietary formats for image acquisitions, Expert Witness
Advanced Forensics Format
1. Mention that the Advanced Forensics Format (AFF) was developed by Dr. Simson L.
Garfinkel.
2. Describe the design goals of AFF, including:
a. Produce compressed or uncompressed image files
b. No size restriction for disk-to-image files
3. Explain that file extensions include .afd for segmented image files and .afm for AFF
metadata.
4. Mention that AFF is open source.
Determining the Best Acquisition Method
1. Describe the following two types of data acquisition:
2. Describe the four different methods for acquiring data:
a. Creating a disk-to-image file
3. Introduce students to the logical acquisition data copy method, which captures only
specific files of interest to the case or specific types of files.
4. Explain some of the main considerations when acquiring evidence data, including:
a. Size of the source disk (explain compression methods)
Contingency Planning for Image Acquisitions
1. Present a list of precautions that prevent evidence copies from being damaged or
lost.
a. Duplicate your evidence copies
Using Acquisition Tools
1. Describe the advantages and disadvantages of using acquisition tools for Windows,
including:
a. Make acquiring evidence from a suspect drive more convenient, especially when
Mini-WinFE Boot CDs and USB Devices
1. Discuss the Windows boot utility called Mini-WinFE. Explain that it enables you to
2. Explain how students can create a Mini-WinFE boot CD or USB drive. Point out that
Acquiring Data with a Linux Boot CD
1. Explain that Linux can access a drive that isn’t mounted. Windows OSs and newer
2. Explain that forensic Linux Live CDs contain additional utilities and are configured
3. Mention some of the well-designed Linux Live CDs for computer forensics, such as:
5. Describe how to partition and format a Microsoft FAT drive from Linux using the fdisk
and mkfs.msdos commands. If able, walk students through the activity in the text.
6. Explain that the dd (“dump data”) command can be used to read and write data from a
7. Describe the shortcomings of using the dd command, including:
8. Mention that the dd command combined with the split command segments output into
separate volumes.
9. Describe how to acquire data using the dd command in Linux, as described in this
section.
10. Mention that the dd command is intended as a data management tool; it’s not designed
for forensics acquisitions. The dcfldd command offers additional capabilities, including:
a. Specify hexadecimal patterns or text for clearing disk space
b. Log errors to an output file for analysis and review
Capturing an Image with ProDiscover Basic
1. Describe the steps for connecting the suspect’s drive to your workstation, including:
a. Document the chain of evidence for the drive
3. Explain how to acquire data using ProDiscover’s raw acquisition format. Mention that
Capturing an Image with AccessData FTK Imager
1. Mention that FTK Imager is included on the AccessData Forensic Toolkit.
2. Explain that FTK Imager allows you to view evidence disks and disk-to-image files. It
3. Mention that the evidence drive must have a hardware write-blocking device or the
4. Use Figures 3-5 through 3-9 to explain the steps to capture an image with AccessData
Quick Quiz 1
1. Most forensics tools can read the _____ format, making it a universal acquisition format
for most tools.
2. The preferred way to collect digital evidence is through a(n) _____ acquisition.
3. Popular archiving tools, such as PKZip and WinZip, use an algorithm referred to as ____.
4. The dd command combined with the _____ command segments output into separate volumes.
5. ____ is a Windows data acquisition program that’s included with a licensed copy of AccessData
Forensic Toolkit
Validating Data Acquisitions
2. Explain that validating digital evidence requires using a hashing algorithm utility.
Hashing algorithms range from CRC-32, MD5, and SHA-1 to SHA-512.
Linux Validation Methods
1. Discuss how to use the md5sum and sha1sum commands to validate data acquired using
the dd command.
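The following script is an added example and is not part of the instructor's manual or the textbook authors' material. It ties together two points from this chapter: segmenting a dd image with split (Acquiring Data with a Linux Boot CD, item 8) and validating a dd acquisition with md5sum and sha1sum (Linux Validation Methods, item 1). Rather than reading a real block device, it constructs a 1 MiB sample file that stands in for the suspect drive; the device path mentioned in the comments, the 256 KiB segment size, the file names and the acquisition log format are all assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example, not from the textbook: acquire a constructed sample "drive"
# with dd, segment the image with split, and validate the result with
# md5sum/sha1sum (sha512sum is logged as well, since the chapter lists it).
set -eu

WORK="$(mktemp -d)"

# Constructed stand-in for a suspect drive: 1 MiB of a repeating marker.
# In a real acquisition the source would be a block device (e.g. /dev/sdb,
# an assumed path) connected through a hardware write blocker.
make_sample_source() {
    yes 'constructed-sample-sector' | head -c 1048576 > "$WORK/source.bin"
    printf '%s\n' "$WORK/source.bin"
}

# Bit-stream copy. conv=noerror,sync keeps reading past unreadable blocks
# and pads them with zeros so byte offsets in the image stay aligned.
acquire_image() {      # $1 = source, $2 = destination image
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Segment the image into fixed-size volumes (e.g. to fit removable media),
# the "dd combined with split" technique the chapter mentions.
segment_image() {      # $1 = image, $2 = output prefix
    split -b 256k "$1" "$2"
}

# Record MD5, SHA-1 and SHA-512 of a file in the acquisition log (assumed
# format) and print the SHA-1 so callers can compare values.
hash_file() {          # $1 = file, $2 = log file
    md5="$(md5sum "$1" | cut -d' ' -f1)"
    sha1="$(sha1sum "$1" | cut -d' ' -f1)"
    sha512="$(sha512sum "$1" | cut -d' ' -f1)"
    printf 'md5 %s sha1 %s sha512 %s %s\n' "$md5" "$sha1" "$sha512" "$1" >> "$2"
    printf '%s\n' "$sha1"
}

# Validation: the SHA-1 of the image must equal the SHA-1 of the source.
validate_image() {     # $1 = source, $2 = image; prints MATCH or MISMATCH
    if [ "$(sha1sum < "$1")" = "$(sha1sum < "$2")" ]; then
        echo MATCH
    else
        echo MISMATCH
    fi
}

# Segments are validated by hashing their concatenation in order; the
# suffixes split assigns (aa, ab, ...) sort correctly for this.
validate_segments() {  # $1 = source, $2 = segment prefix
    if [ "$(sha1sum < "$1")" = "$(cat "$2"* | sha1sum)" ]; then
        echo MATCH
    else
        echo MISMATCH
    fi
}

# Walk-through: acquire, segment, log hashes, validate image and segments.
SRC="$(make_sample_source)"
acquire_image "$SRC" "$WORK/image.dd"
segment_image "$WORK/image.dd" "$WORK/image.dd."
hash_file "$SRC" "$WORK/acquisition.log" > /dev/null
hash_file "$WORK/image.dd" "$WORK/acquisition.log" > /dev/null
echo "image:    $(validate_image "$SRC" "$WORK/image.dd")"
echo "segments: $(validate_segments "$SRC" "$WORK/image.dd.")"

# A single altered byte in a copy is enough to fail the same check, which is
# why the hash is recorded at acquisition time and re-checked later.
cp "$WORK/image.dd" "$WORK/altered.dd"
printf 'X' | dd of="$WORK/altered.dd" bs=1 seek=512 conv=notrunc 2>/dev/null
echo "altered:  $(validate_image "$SRC" "$WORK/altered.dd")"
```

The log written by hash_file plays the role of the hash log dcfldd can produce on its own; with plain dd the investigator has to run the hashing utilities separately, as this script does, and keep the recorded values with the case documentation so the image can be re-validated at any later point.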
3. Explain how to validate data acquired with dcfldd using the hash, hashlog, and vf
Windows Validation Methods
1. Explain that Windows has no built-in hashing algorithm tools for digital forensics, but
third-party utilities can be used.
Performing RAID Data Acquisitions
1. Mention that size is the biggest concern because many RAID systems are now pushing
Understanding RAID
1. Define redundant array of independent (formerly “inexpensive”) disks (RAID) as a
2. Use Figures 3-10 through 3-13 to explain all different RAID levels, similarities and
differences, and advantages and disadvantages:
a. RAID 0
b. RAID 1
Tip
Acquiring RAID Disks
1. Describe the main concerns when acquiring RAID disks, including:
a. How much data storage is needed?
b. What type of RAID is used?
c. Do you have the right acquisition tool?
2. Mention that copying small RAID systems to one large disk is possible. All forensics
3. Mention some of the vendors offering RAID acquisition functions, including:
a. Technology Pathways ProDiscover
4. Mention that occasionally, a RAID system is too large for a static acquisition.
Using Remote Network Acquisition Tools
2. Describe some of the drawbacks of acquiring data through a network, including:
a. Antivirus, antispyware, and firewall tools
b. If suspects have administrator rights on their computers, they could install their
Remote Acquisition with ProDiscover
1. Describe the additional functions available through ProDiscover Incident Response,
including:
a. Capture volatile system state information
2. Explain that the PDServer remote agent is the ProDiscover utility for remote access and
3. Describe the PDServer installation modes, including:
4. Mention that PDServer has the option of running in a stealth mode. In addition, you can
change the process name so that it appears to be an OS function.
5. Describe the remote connection security features offered by ProDiscover, including:
a. Password protection
b. Encryption
Remote Acquisition with EnCase Enterprise
1. Describe the remote acquisition features available through EnCase Enterprise,
including:
a. Remote data acquisition of a computer’s media and RAM data
Remote Acquisition with R-Tools R-Studio
2. Mention that R-Studio creates raw format acquisitions and supports various file
systems.
Remote Acquisition with WetStone US-LATT PRO
1. Introduce students to US-LATT PRO, which can connect to a networked computer
Remote Acquisition with F-Response
1. Explain that F-Response is a vendor-neutral specialty remote access utility designed to
work with any digital forensics program.
2. Mention that F-Response is sold in four different versions: Enterprise, Consultant +
Using Other Forensics-Acquisition Tools
1. This section describes the following acquisition tools:
a. PassMark Software ImageUSB
b. ASRData SMART
PassMark Software ImageUSB
1. Explain that PassMark Software has an acquisition tool called ImageUSB for its
OSForensics analysis product. It allows you to create a bootable flash drive.
ASRData SMART
1. Describe the main capabilities of ASRData SMART, including:
a. Robust data reading of bad sectors on drives
Remote Acquisition with Runtime Software
1. Introduce students to the utilities offered by Runtime Software, including:
2. Mention the acquisition features offered by Runtime Software, including:
a. Create a raw format image file
ILook Investigator IXimager
1. Describe the main characteristics of ILook Investigator IXimager, as explained in this
section.
SourceForge
1. Direct students to the website listing all of the current tools offered by SourceForge
Quick Quiz 2
1. A _____ utility is designed to create a binary or hexadecimal number that represents the
uniqueness of a data set.
2. The dcfldd option that outputs hash results to a text file is the _____ option.
3. ____ uses data striping and dedicated parity and requires at least three disks.
4. With _____, you have the option of running it in stealth mode to hide it from the
suspect.
5. ____ was the first digital forensics vendor to develop a remote acquisition and analysis tool based
on its desktop tool EnCase.
Class Discussion Topics
1. Ask the students to discuss the disadvantages of creating a bit-stream copy from a disk
to a network drive. Is it worthwhile?
2. Ask the students to discuss the advantages and disadvantages of using a USB or parallel
Additional Projects
1. Ask the students to read more about compression algorithms. Ask your students to
compare them. Can they find what algorithm is implemented by most of the forensic
tools described in this chapter?
2. Ask the students to investigate the characteristics and requirements of SHA-256. How
does SHA-256 compare to SHA-1 and MD5?
Additional Resources
1. AFF:
2. How and when to use the dd command?:
3. SHA hash functions:
4. Cyclic redundancy check:
Key Terms
interest to the case or specific types of files, such as Outlook PST files. See also sparse
acquisition.
raw format A data acquisition format that creates simple sequential flat files of a
suspect drive or data set.
redundant array of independent disks (RAID) Two or more disks combined into
unreadable when copied with a static acquisition method.
