Computer Hacking Forensic Investigator. Module X Data Acquisition and Duplication

Transcription

1 Computer Hacking Forensic Investigator Module X Data Acquisition and Duplication

2 Scenario Allen a forensic investigator was hired by a bank to investigate employee fraud. The bank has four 30 GB machines on the Local Area Network. One of the machines was used to transfer client account information. Allen makes two copies of the data from each of the computers and discovers that the computer used by the employee was booby trapped. He recovers the data by using the SafeBack tool.

3 Module Objective Determining the best data acquisition methods Understanding data recovery contingencies Data preservation commands The need for data duplication Data duplication tools

4 Module Flow Data acquisition methods Data recovery contingencies Need for data duplication Data preservation commands Data duplication tools

5 Determining the Best Acquisition Methods Forensic investigators acquire digital evidence using the following methods Creating a bit-stream disk-to-image file Making a bit-stream disk-to-disk copy Creating a sparse data copy of a folder or file

6 Data Recovery Contingencies Investigators must make contingency plans when data acquisition failure occurs To preserve digital evidence investigators need to create a duplicate copy of the evidence files In case the original data recovered is corrupted investigators can make use of the second copy Use of at least two data acquisition tools are preferred to create copy of evidence incase the investigator s preferred tool does not properly recover data

7 MS-DOS Data Acquisition Tools In the past software tools developed for forensics investigation were created for MS-DOS Investigators still make use of these tools as they are commercially available and easy to use Advantages of MS-DOS acquisition tools Fit in a forensic boot disk Require fewer resources to make bit-stream files User friendly

8 MS-DOS Data Acquisition Tool: DriveSpy DriveSpy enables the investigator to direct data from one particular sector range to another sector DriveSpy provides two methods in accessing disk sector ranges: Defining the absolute starting sector after a comma and the total number of sectors to be read on the drive Listing the absolute starting and ending sectors

9 DriveSpy Data Manipulation Commands There are two commands in DriveSpy that is used for Data Manipulation: The SaveSect command- Used to copy particular sectors on a disk to a file It copies the sectors as a bitstream image so that the file is a duplicate of the original sectors The WriteSect command- Used to regenerate the information acquired through the SaveSect command

10 DriveSpy Data Preservation Commands The data preservation commands in the DriveSpy application are: The SavePart command- Used to create an image file of the specified disk partition of the suspect's drive The WritePart command- Counterpart of the SavePart command Used to recreate the saved partition image file that is created with the SavePart command

11 Using Windows Data Acquisition Tools Windows data acquisition tools allow the investigator to easily acquire evidence from a disk with the help of removable media such as USB storage devices These tools also can use Firewire to connect hard disks to the forensic lab systems Data acquisition tools in Windows cannot acquire data from the host protected area of the disk

12 Data Acquisition Tool: AccessData FTK Explorer FTK Explorer acquires data that can help the investigator understand how other forensic tools in Windows work This tool was first designed to examine disks and bit-stream diskto-image files created by using other forensic software FTK Explorer can make bit-stream disk-to-image copies of evidence disks This tool allows the investigator to acquire the evidence disk from a logical partition level or a physical drive level

13 FTK

14 Acquiring Data on Linux Forensic Investigators use the built- in Linux command dd to copy data from a disk drive This command can make a bit-stream disk-todisk file, disk-to-image file, block-to-block copy/ block-to-file copy The dd command can copy data from any disk that Linux can mount and access Other forensic tools such as AccessData FTK and Ilook can read dd image files

15 Dd.Exe (Windows XP Version) Works on Windows platform Detects unauthorized dialers User friendly program Command Syntax dd.exe if=\\.\physicaldrive0 of=d:\images\physicaldrive0. img --md5sum --verifymd5 -- md5out=d:\images\physicaldri ve0.img.md5

16 Data Acquisition Tool: Snapback Exact o Server based backup program for Windows server o Copies byte by byte images of the server hard drives to the tape o Keep tracks of records o Important features are: Full open file management Remote administration Backup scheduling

17 Snapshot Data acquisition tool

18 DatArrest Supports the tools for Forensic Data Seizure Works on all IBM compatible systems Recovers the deleted data User interface tool Any removable drives can back up through DatArrest

19 Data Acquisition Tool: SafeBack SafeBack is also a MS-DOS data acquisition tool and can perform a CRC-32 calculation for each sector copied to ensure data integrity SafeBack creates a log file of all transactions it performs Functions: Creates disk-to-image files Copies data from a source disk to an image on a tape drive Copies data from a partition to an image file Compresses acquired files to reduce the volume save-set sizes

20 Data Acquisition Tool: Encase The Encase tool delivers advanced features for computer forensics and investigations It is the primary data acquisition tool that is used by forensic investigators Provides tools to conduct investigations with accuracy and efficiency Data can be acquired by: Disk to disk Disk to network server drive Parallel port with a laplink cable to the forensics workstation s disk drive

21 Encase

22 Need for Data Duplication Investigators need to worry about destructive devices that can be planted in the system by the owner. Evidence can be destroyed if the investigator is not careful Data fragments can be overwritten and data stored in the Windows swap file can be altered or destroyed Data duplication is essential for the proper preservation of digital evidence

23 Data Duplication Tool: R-drive Image R-Drive Image is an important tool that provides disk image files creation for backup or duplication purposes Disk image file contains exact, byte-by-byte copy of a hard drive, partition or logical disk R-Drive can create partitions with various compression levels freely without stopping Windows OS These drive image files can then be stored in a variety of places, including various removable media such as CD- R(W) or DVD-R(W), Iomega Zip or Jazz disks

24 R-drive Image

25 Data Duplication Tool: DriveLook The DriveLook Tool has the following features: Indexes the hard drive for the text that was written to it Searches through a list of all words stored on the drive View the location of words in the disk editor Switches between different views Uses image file as input Access remote drives through serial cable or TCP/IP

26 Drivelook

27 Data Duplication Tool: DiskExplorer DiskExplorer aides examiners to investigate any drive and recover data Two versions of DiskExplorer exist: DiskExplorer for FAT Disk Explorer for NTFS The tool also has provisions to navigate through the drive by jumping to: Partition table Boot record Master file table Root directory

28 Diskexplorer

29 Summary Investigators can acquire data in three ways: creating a bitstream, disk-to-image file, making a bit-stream disk-todisk copy, or creating a sparse data copy of a specific folder path or file The SavePart command retrieves information about the partition space in the hard disk The dd command in Linux can make bit-stream disk-todisk copy and disk-to-image file copy Lossless compression is an acceptable method for computer forensics because it does not change the data Lossy compression alters the data, leading to loss of data