Module 4: Data Acquisition and Duplication


Advanced Forensics Format (AFF)

AFF is an open-source data acquisition format that stores disk images and related metadata. The objective behind the development of the format was to create an open disk imaging format that gives users an alternative to being locked into a proprietary format. The AFF file extensions are .afm for the AFF metadata and .afd for segmented image files. There are no implementation restrictions imposed by AFF on forensic investigators, as it is an open-source format. AFF has a simple design and is accessible through multiple computing platforms and OSes. It provides an option to compress the image files and allocates space to record metadata of the image files or segmented files. It provides internal consistency checks for self-authentication.

AFF supports the following two compression algorithms:
- Zlib, which is faster but less efficient
- LZMA, which is slower but more efficient

The actual disk image in AFF is a single file, which is composed of segments with drive data and metadata. AFF file contents can be stored compressed or uncompressed. AFFv3 supports the AFF, AFD, and AFM file extensions.

Step 3: Sanitize the Target Media

Before data acquisition and duplication, an appropriate data sanitization method must be used to permanently erase any previous information stored on the target media. Destruction of data using industry-standard data destruction methods is essential for sensitive data that one does not want falling into the wrong hands. These standards depend on the level of sensitivity. Deleting or disposing of data on electronic devices only removes it logically; physically, the data remains on the media, posing a security threat. Methods like hard drive formatting or deleting partitions cannot delete the file data completely. However, it is important to destroy the data and protect it from retrieval after the collection of evidence from the computer. Therefore, the only way to erase the data completely and protect it from recovery is to overwrite the data with a sequence of zeroes or ones. Investigators can follow different standards as given below while sanitizing the target media:
- Russian Standard, GOST P50739-95 (6 passes): It is a wiping method that writes zeros in the first pass and then random bytes in the next pass.
- (German) VSITR (7 passes): This method overwrites in 6 passes with alternate sequences of 0x00 and 0xFF, and with 0xAA in the last (7th) pass.
- (American) NAVSO P-5239-26 (MFM) (3 passes): This is a three-pass overwriting algorithm that verifies in the last pass.
- (American) DoD 5220.22-M (7 passes): This standard destroys the data on the drive's required area by overwriting with 010101 in the first pass and 101010 in the second pass, and repeating this process thrice. This method then overwrites that area with random characters, which is the 7th pass.
- (American) NAVSO P-5239-26 (RLL) (3 passes): This is a three-pass overwriting algorithm that verifies in the last pass.
- NIST SP 800-88: The proposed NIST SP 800-88 guidance explains three sanitization methods:
  - Clear: Logical techniques applied to sanitize data in all storage areas using the standard read and write commands
  - Purge: Physical or logical techniques that make recovery of the target data infeasible using state-of-the-art laboratory techniques
  - Destroy: Renders recovery of the target data infeasible using state-of-the-art laboratory techniques and results in the media being unusable for data storage

The National Institute of Standards and Technology has issued a set of guidelines, as given below, to help organizations sanitize data to preserve the confidentiality of the information:
- The application of complex access controls and encryption can reduce the chances of an attacker gaining direct access to sensitive information
- An organization can dispose of media whose data is no longer useful by internal or external transfer or by recycling, to fulfill data sanitization
- Effective sanitization techniques and tracking of storage media are crucial for organizations to protect sensitive data against attackers
- All organizations and intermediaries are responsible for effective information management and data sanitization

Proprietary Format

Commercial forensics tools acquire data from the suspect drive and save the image files in their own formats. They offer certain features, which include the following:
- Option to compress the image files of the evidence disk/drive in order to save space on the target media
- Ability to split an image into multiple segments, in order to save them to smaller target media such as CD/DVD, while maintaining their integrity
- Ability to incorporate metadata into the image file, which includes date and time of acquisition, hash values of the files, case details, etc.

Disadvantages:
- An image file format created by one tool may not be supported by other tool(s)

Bit-Stream Disk-to-Disk

Investigators cannot create a bit-stream disk-to-image file in the following situations:
- The suspect drive is very old and incompatible with the imaging software
- There is a need to recover credentials used for websites and user accounts

In such cases, a bit-stream disk-to-disk copy of the original disk or drive can be performed. While creating a disk-to-disk copy, the geometry of the target disk, including its head, cylinder, and track configuration, can be modified to align with the suspect drive. This results in a smooth data acquisition process. Tools like EnCase, SafeBack, and Tableau Forensic Imager can help create a disk-to-disk bit-stream copy of the suspect drive.

Sparse Acquisition

Sparse acquisition is similar to logical acquisition. Through this method, investigators can collect fragments of unallocated (deleted) data. This method is useful when it is not necessary to inspect the entire drive.

Dead Acquisition (Static Acquisition)

Static data refers to nonvolatile data, which does not change its state even after the system is shut down. Dead acquisition refers to the process of extracting and gathering this data in an unaltered manner from storage media. Sources of nonvolatile data include hard drives, DVD-ROMs, USB drives, flash memory cards, smartphones, and external hard drives. This type of data exists in the form of emails, word processing documents, web activity, spreadsheets, slack space, swap files, unallocated drive space, and various deleted files. Investigators can repeat the dead acquisition process on well-preserved disk evidence.

Step 1: Determine the Best Data Acquisition Method

The data acquisition method that must be adopted depends on the situation that the investigator is presented with.

Step 8: Validate Data Acquisition - Windows Validation Methods

Windows computers come with the PowerShell utility, which can run cmdlets. The Get-FileHash cmdlet computes the hash value for an evidence file using the specified hash algorithm. This hash value is used throughout the investigation for validating the integrity of the evidence.

Step 5: Enable Write Protection on the Evidence Media

Write protection refers to one or more measures that prevent storage media from being written to or modified. It may be implemented either by a hardware device or by a software program on the computer accessing the storage media. Enabling write protection allows the data to be read but prohibits writing or modification. Write protection is important because forensic investigators should be confident about the integrity of the evidence they obtain during acquisition, analysis, and management. The evidence should be legitimate in order for it to be accepted by the authorities of the court. Therefore, the investigator needs to implement a set of procedures to prevent the execution of any program that can alter the disk contents.

Data Acquisition Methodology

1. Determining the data acquisition method
2. Determining the data acquisition tool
3. Sanitizing the target media
4. Acquiring volatile data
5. Enabling write protection on the evidence media
6. Acquiring non-volatile data
7. Planning for contingency
8. Validating data acquisition

Order of Volatility

1. Registers, processor cache: The information in the registers or the processor cache on the computer exists for nanoseconds. It is constantly changing and can be classified as the most volatile data.
2. Routing table, process table, kernel statistics, and memory: The routing table, ARP cache, and kernel statistics reside in the ordinary memory of the computer. These are slightly less volatile than the information in the registers, with a life span of about ten nanoseconds.
3. Temporary system files: Temporary system files tend to persist for a longer time on the computer compared to routing tables and ARP caches. These files are eventually overwritten or changed, sometimes seconds or minutes later.
4. Disk or other storage media: Anything stored on a disk stays for a while. However, sometimes due to unforeseen events, this data can be erased or overwritten. Therefore, disk data may also be considered somewhat volatile, with a lifespan of some minutes.
5. Remote logging and monitoring data related to the target system: Data that pass through a firewall cause a router or switch to generate logs. The system might store these logs elsewhere. These logs may overwrite themselves within an hour, a day, or a week. However, these are generally less volatile data.
6. Physical configuration and network topology: Physical configuration and network topology are less volatile and have a longer life span than some other logs.
7. Archival media: A DVD-ROM, a CD-ROM, or a tape contains the least volatile data because the digital information in such data sources does not change automatically unless damaged by physical force.

Bit-Stream Imaging

A bit-stream image is a bit-by-bit copy of any storage media that contains a cloned copy of the entire media, including all its sectors and clusters. This cloned copy of the storage media contains all the latent data that enables investigators to retrieve deleted files and folders. Investigators often use bit-stream images of the suspect media to prevent contamination of the original media. Moreover, most computer forensic tools, such as FTK Imager and EnCase, can read bit-stream images, which further facilitates the investigation process. There are two kinds of bit-stream imaging procedures — bit-stream disk-to-image-file and bit-stream disk-to-disk.

Advanced Forensic Framework 4 (AFF4)

A redesigned and revamped version of the AFF format, which is designed to support storage media with large capacities. The creators referred to its design as object-oriented, as the format consists of generic objects (volumes, streams, and graphs) with externally accessible behavior. These objects can be addressed by their name within the AFF4 universe. They are universally referenced through a unique URL. It is an abstract information model that allows storage of disk-image data in one or more places while the information about the data is stored elsewhere. It stores more kinds of organized information in the evidence file. It offers a unified data model and naming scheme. The format can support a vast number of images and offers a selection of container formats such as Zip and Zip64 for the binary files, and simple directories. It also supports storage from the network and the use of WebDAV (an extension of the HTTP protocol), which enables imaging directly to a central HTTP server. This format also supports maps, which are zero-copy transformations of data. Zero-copy transformations spare the CPU from having to copy data from one memory area to another, thus increasing its efficiency. The AFF4 design adopts a scheme of globally unique identifiers for identifying and referring to all evidence.

Basic AFF4 object types include the following:
- Volumes: They store segments, which are indivisible blocks of data.
- Streams: These are data objects that can be read from or written to, for example, segments, images, and maps.
- Graphs: Collections of RDF statements.

Rule of thumb for Data Acquisition

A rule of thumb is a best practice that helps to ensure a favorable outcome when applied. In the case of a digital forensics investigation, the better the quality of the evidence, the better the outcome of the analysis and the likelihood of solving the crime generally are. Investigators must never perform a forensic investigation or any other process on the original evidence or source of evidence, as it may alter the data and render the evidence inadmissible in a court of law. Instead, investigators can create a duplicate bit-stream image of a suspicious drive or file to view the static data and analyze it. This practice not only preserves the original evidence, but also provides the option to recreate a duplicate if something goes wrong.

Step 4: Acquire Volatile Data

As the contents of RAM and other volatile data are dynamic, investigators need to be careful while acquiring such data. Working on a live system may alter the contents of the RAM or the processes running on the system. Any involuntary action may change file access dates and times, use shared libraries or DLLs, trigger the execution of malware, or — in the worst case — force a reboot, thus making the system inaccessible. Therefore, the examination of a live system and volatile data acquisition must be conducted carefully. While most volatile data are recovered by examining the live system, approximately the same amount of data can be obtained by examining the image acquired from the memory of the system. The following sections describe how to acquire volatile data from Windows, Linux, and Mac systems.

Data Acquisition

Data acquisition is a process of imaging or collecting information using established methods from various media according to certain standards for their forensic value. It is the use of established methods to extract Electronically Stored Information (ESI) from suspect computer or storage media to gain insight into a crime or an incident.

Live acquisition can help investigators obtain the following:

- Data from unencrypted containers or disks that are open on the system, which are automatically encrypted when the system shuts down.
- Private browsing history and data from remote storage services such as Dropbox (cloud service), by examining the random-access memory (RAM).

Bit-Stream Disk-to-Image File

Forensic investigators commonly use this data acquisition method. It is a flexible method that enables the creation of one or more copies of the suspect drive. Tools such as ProDiscover, EnCase, FTK, The Sleuth Kit, X-Ways Forensics, etc., can be used to create image files.

Step 2: Select the Data Acquisition Tool

Imaging tools must be validated and tested to ensure that they produce accurate and repeatable results. These tools must satisfy certain requirements, some of which are mandatory (features and tasks that the tool must possess or perform), while some are optional (features that are desirable for the tool to possess).

Mandatory requirements: The following are the mandatory requirements for every tool used for the disk imaging process:
- The tool must not alter or make any changes to the original content.
- The tool must log I/O errors in an accessible and readable form, including the type and location of the error.
- The tool must be able to compare the source and destination, and alert the user if the destination is smaller than the source.
- The tool must have the ability to pass scientific and peer reviews. Results must be repeatable and verifiable by a third party, if necessary.
- The tool must completely acquire all visible and hidden data sectors from the digital source.
- The tool must create a bit-stream copy of the original content when there are no errors in accessing the source media.
- The tool must create a qualified bit-stream copy (a qualified bit-stream copy is defined as a duplicate except in identified areas of the bit-stream) when I/O errors occur while accessing the source media.
- The tool must copy a file only when the destination is larger than or equal to the size of the source, and document the contents on the destination that are not a part of the copy.
- Tool documentation must be correct, i.e., the user should get the expected results by executing it as per the tool's documented procedures.

Logical Acquisition

In a situation with time constraints and where the investigator is aware of what files need to be acquired, logical acquisition may be considered ideal. Logical acquisition gathers only the files required for the case investigation. For example:
- Collection of Outlook .pst or .ost files in email investigations
- Specific record collection from a large RAID server

Step 7: Plan for Contingency

In a digital forensics investigation, planning for contingency refers to a backup program that an investigator must have in case certain hardware or software does not work, or a failure occurs during an acquisition. Contingency planning is necessary for all cyber investigations as it assists investigators in preparing for unexpected events. Specifically, it is a process that helps in completing the investigation by providing alternative solutions to the failed software or hardware tools. Plans for contingency should include:
- Hard Disk Data Acquisition: Investigators must create at least two images of the digital evidence collected, in order to preserve it. If one copy of the digital evidence recovered becomes corrupt, investigators can then use the other copy.
- Imaging Tools: If you possess more than one imaging tool, such as ProDiscover Forensics or AccessData FTK Imager, it is recommended to create the first image with one tool and the second image with the other tool. If you possess only one tool, make two or more images of the drive using the same tool.
- Hardware Acquisition Tools: Consider using a hardware acquisition tool (such as UFED Ultimate or IM SOLO-4 G3 IT RUGGEDIZED) that can access the drive at the BIOS level to copy data in the Host Protected Area (HPA).
- Drive Decryption: Be prepared to deal with encrypted drives that need the user to provide the decryption key. Microsoft includes a full disk encryption feature (BitLocker) with select editions of Windows Vista and later.

How many copies of the original media should you have before you start the investigation?

It is essential to produce two copies of the original media before starting the investigation process:
- One copy is used as a working copy for analysis.
- The second copy is the library/control copy, stored for disclosure purposes or to be used if the working copy becomes corrupted.

If the investigators need to perform drive-to-drive imaging, they can use blank media to copy into shrink-wrapped new drives. After duplicating the original media, investigators must verify the integrity of the copies by comparing them to the original using hash values such as MD5.

Network Data

Network information is the network-related information stored in the suspect system and connected network devices. Volatile network information includes open connections and ports, routing information and configuration, ARP cache, shared files, and services accessed.

Step 6: Acquire Non-volatile Data

Non-volatile data can be acquired from a hard disk during both live and dead acquisition processes. Investigators can use remote acquisition tools such as Netcat, or bootable CDs or USBs via tools such as CAINE, to perform live acquisition of a hard disk. The dead acquisition process can be performed via the following steps:
1. Remove the hard drive from the suspect computer.
2. Connect it to a forensic workstation to perform the acquisition.
3. Write-block the hard disk to ensure that it provides only read-only access to the hard drive and prevents any modification or tampering of its contents.
4. Run any forensic acquisition tool suitable for the purpose of acquiring/collecting data.

Physical Destruction of Media

Physical destruction of media involves techniques such as cross-cut shredding. Departments can destroy media on-site or through a third party that meets confidentiality standards. Investigators must consider the type of target media they are using for copying or duplicating the data and select an appropriate sanitization method to ensure that no part of the previous data remains on the target media that will store the evidence files. Residual data on the previous media may alter the properties of the evidence or change the data and its structure.

Raw Format

Raw format creates a bit-by-bit copy of the suspect drive. Images in this format are usually obtained by using the dd command.

Advantages:
- Fast data transfers
- Minor data read errors on the source drive are ignored
- Read by most forensic tools

Disadvantages:
- Requires the same amount of storage as the original media
- Tools (mostly open source) might fail to recognize/collect marginal (bad) sectors from the suspect drive
- Freeware tools have a low threshold of retry reads on weak media spots on a drive, whereas commercial acquisition tools use more retries to ensure all data is collected.

System Data

System information is the information related to a system, which can serve as evidence in a security incident. This information includes the current configuration and running state of the suspect computer. Volatile system information includes system profile (details about configuration), login activity, current system date and time, command history, current system uptime, running processes, open files, startup files, clipboard data, users logged in, DLLs, and shared libraries. The system information also includes critical data stored in the slack spaces of the hard disk drive.

Static data recovered from a hard drive include the following:

- Temporary (temp) files
- System registries
- Event/system logs
- Boot sectors
- Web browser cache
- Cookies and hidden files

Live Acquisition

The live data acquisition process involves the collection of volatile data from devices when they are live or powered on. Volatile information, as present in the contents of RAM, cache, DLLs, etc. is dynamic, and is likely to be lost if the device to be investigated is turned off. It must therefore be acquired in real time.

Step 8: Validate Data Acquisition

The unique number (hash value) is referred to as a digital fingerprint, which represents the uniqueness of a file or disk drive. When two files have the same hash values, they are considered identical, even if they have different filenames, as the hash values are generated based on their actual content. Even a slight modification in the content of a file changes its hash value completely. Further, a hash is a one-way function, which implies that decryption is impossible without a key. The following are some hashing algorithms that can be used to validate the data acquired:
- CRC-32: Cyclic redundancy code algorithm-32 is a hash function based on the idea of polynomial division. The number 32 indicates that the size of the resulting hash value or checksum is 32 bits. The checksum identifies errors after data transmission or storage.
- MD5: This is an algorithm used to check data integrity by creating a 128-bit message digest from data input of any length. Every MD5 hash value is unique to that particular data input.
- SHA-1: Secure Hash Algorithm-1 is a cryptographic hash function developed by the United States National Security Agency, and it is a US Federal Information Processing Standard issued by NIST. It creates a 160-bit (20-byte) hash value called a message digest. This hash value is a 40-digit hexadecimal number.
- SHA-256: This is a cryptographic hash algorithm that creates a unique and fixed-size 256-bit (32-byte) hash. Therefore, it is ideal for anti-tamper technologies, password validation, digital signatures, and challenge hash authentication.
