Disk Acquisition Concept
Data Acquisition
A process of imaging or otherwise obtaining information from a digital device and its peripheral equipment and media
Image format
raw format: ex: output of dd
advanced forensics format: open-source format, like aff and afd
proprietary format: like E01 of EnCase
…
Acquisition Method
Bit-stream disk copy
Sparse data copy
ps:
Bit-stream copy should always be performed first
Bit-stream disk copy
disk-to-image file: most common method
ex: EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook, dd
disk-to-disk
ex: SafeBack, SnapCopy, Norton Ghost 2002
Sparse/logical data copy
Creates exact copies of folders and files
Pros: it is good for very large disks (e.g. 10 TB of network data) or for specific files such as email files
Cons: the copy will not include deleted files, file slack and other information
refer
http://www.bk.psu.edu/faculty/bowers/ist454/PowerPoint/Nelson/ch09.pdf
….
Data acquisition mistakes
wrong solution
wrong cable
insufficient time
wrong connections
poor knowledge of the instrument
Preventing accidents during data acquisition
1. Have a plan for preventing accidents
2. To preserve the digital evidence, make a backup of the evidence data
3. If the first copy might be damaged, keep a second copy as well
4. Use at least two acquisition tools and compare whether the results are identical
refer
http://wenku.baidu.com/view/da7fbcd0360cba1aa811da11.html?re=view
…
Type of data acquisition
static: hard disk
live: memory
………………………………………………………………………………………………………….
Disk Acquisition Tool Requirements
Tool requirements
The tool should not change the original content (prevent contamination).
The tool should log I/O errors in an accessible and readable form, including the type and location of the error.
The tool must have the ability to be held up to scientific and peer review.
The tool should compute a hash value for the complete bit stream copy generated from an image file of the source.
ex:
using a well-tested hardware write-blocking device to prevent the evidence drive from being changed
ps:
hardware write blocker device
a device that allows acquisition of information from a drive without the possibility of accidentally damaging the drive contents.
the device prevents the system from writing data to an evidence disk.
ex: write blockers, forensic bridges
refer
http://forensicswiki.org/wiki/Write_Blockers
…
Common Windows tools
AccessData FTK
DD for windows
Snapback exact
Snapshot
DatArrest
Safeback
Encase
R-Drive Image: can make a backup without shutting Windows down
Disk Explorer
drive spy
AccessData FTK
supported sources: memory, registry, physical disk
ps: when the acquisition finishes, a hash is computed
supported output image formats: dd, aff, e01
Drive Spy
1. SaveSect: copies a disk into a file
2. WriteSect: writes the file back to a disk
3. SavePart: makes an image of a specific partition
4. WritePart: writes the image data back
refer
http://wenku.baidu.com/view/da7fbcd0360cba1aa811da11.html?re=view
…………………………………………
dd
convert and copy a file; a Linux built-in tool
supports bit-stream disk-to-image file copies
Common parameters:
if: input file, the source to read from
of: output file, the destination to write to
bs: block size, the amount read and written per operation; the default unit is bytes. A larger bs is faster.
count: the number of blocks to process
conv: conversion options; common ones are
notrunc: do not truncate the output file
noerror: continue after a read error
sync: pad every input block to the ibs size (with NULs)
Common uses
Copy a partition to an image file
ex:
block size 10m and show progress (dd for Windows syntax: \\.\d: is the D: volume)
dd if=\\.\d: of=demo.dd bs=10m --progress
ex:
split the output into pieces of 650m (split reads stdin when given "-"; image_sdb is the piece-name prefix)
dd if=/dev/sdb | split -b 650m - image_sdb
Copy the running memory to a file
ex:
copy memory to mem.bin
dd if=/dev/mem of=/root/mem.bin bs=1024
Restore a disk from an image file
ex:
dd if=/usr/home/partition.image of=/dev/sda2 bs=4096
ps:
fciv (Microsoft File Checksum Integrity Verifier) can compute a hash of the image file made by dd
refer
http://nathan-inlinux.blogspot.tw/2013/05/linux-dd.html
http://fanqiang.chinaunix.net/a1/b5/20010917/1200021305_b.html
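As an added example (not from the original notes or the linked references), the disk-to-image, split, reassemble and restore steps above carried out with dd against a constructed 1 MiB file standing in for /dev/sdb, so it runs without a real device or root. All paths live in a temporary directory, and the 256k piece size, the use of sha256sum for the comparison and the function names are assumptions of this example:

```shell
#!/bin/sh
# Added example, not part of the original notes: bit-stream disk-to-image with
# dd, split into pieces, reassembly and restore, using a constructed 1 MiB file
# in a temp directory in place of /dev/sdb (assumption: no real device needed).
set -eu

WORK=$(mktemp -d)

# Constructed source "disk": 1 MiB of pseudo-random bytes standing in for /dev/sdb.
make_source_disk() {
    head -c 1048576 /dev/urandom > "$WORK/sdb.disk"
    printf '%s\n' "$WORK/sdb.disk"
}

# Bit-stream disk-to-image copy. conv=noerror,sync keeps reading past a bad
# block and pads the short read with NULs, so every later offset in the image
# still lines up with the source (without sync the image would shrink).
acquire_image() {   # $1 = source device or file, $2 = image path
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Same copy, but piped into split (the notes use 650m; 256k here so the
# 1 MiB sample yields several pieces). "-" makes split read its stdin,
# and the last argument is the piece-name prefix.
acquire_split() {   # $1 = source, $2 = piece prefix
    dd if="$1" bs=4096 conv=noerror,sync 2>/dev/null | split -b 256k - "$2"
}

# Reassemble: split names pieces aa, ab, ac ... so a sorted glob restores order.
reassemble() {      # $1 = piece prefix, $2 = output image
    cat "$1"* > "$2"
}

# Restore is the same copy in reverse (notes: if=partition.image of=/dev/sda2).
restore_image() {   # $1 = image, $2 = target device or file
    dd if="$1" of="$2" bs=4096 2>/dev/null
}

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

count_pieces() { ls "$1"* | wc -l | tr -d ' '; }

# Full run: image, split, reassemble, restore, then check every copy against
# the source hash. Prints "match" only if all three copies are bit-identical.
run_demo() {
    src=$(make_source_disk)
    acquire_image "$src" "$WORK/sdb.dd"
    acquire_split "$src" "$WORK/image_sdb."
    reassemble "$WORK/image_sdb." "$WORK/sdb.joined.dd"
    restore_image "$WORK/sdb.dd" "$WORK/restored.disk"
    want=$(hash_of "$src")
    if [ "$want" = "$(hash_of "$WORK/sdb.dd")" ] &&
       [ "$want" = "$(hash_of "$WORK/sdb.joined.dd")" ] &&
       [ "$want" = "$(hash_of "$WORK/restored.disk")" ]; then
        echo match
    else
        echo mismatch
    fi
}

cleanup() { rm -rf "$WORK"; }

run_demo
```

Running the file prints "match" and leaves the image, the four pieces and the restored copy under the temp directory for inspection; `cleanup` removes them. On a real drive the source is read through a write blocker and hashed before and after the copy, and conv=noerror,sync stays on so a bad sector becomes a NUL-padded block instead of shifting every later offset in the image.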
…
dcfldd
forensic-grade dd tool
parameters are similar to dd
common parameters:
vf: verify file (compare the output against this file)
hash: choose the hash algorithm
hashlog: where the hash log is written
ex:
Bit-stream disk-to-image file with hash verification
dcfldd if=/dev/sda split=2m of=usbimg hash=md5 hashlog=usbhash.log
ex:
fill the disk with zeros
dcfldd if=/dev/zero of=/dev/sda bs=4096 conv=noerror,sync
refer
http://blogger.gtwang.org/2015/01/dd-command-examples.html
…………………………………………………………………………………………………………………..
Validation Methods
Validating data acquisitions
Hashing is the general method;
well-known hash algorithms include md5 and sha1
it is used before and after evidence examination
How hashes are used:
1. Make hashes of the evidence and compare them with the original hash that was taken when the evidence first entered the lab
2. If someone suspects that the evidence was changed while at the lab, the investigator can prove the evidence is the same as it was when it first entered the lab
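Added example, not from the original notes, covering both the dcfldd hash=/hashlog= idea above and the validation steps just listed: dcfldd hashes the data while it is being imaged, plain dd cannot, so the pipeline below gets the same effect with dd | tee | sha256sum, records the hash in an intake log in the layout sha256sum -c reads, and later re-checks the image against that log, which is the "compare with the hash taken when the evidence first entered the lab" step. The evidence file, the tee/sha256sum substitution for dcfldd, the one-byte tamper used to show a failing check and all names are constructed assumptions; sha256 is used here instead of the md5/sha1 named above.

```shell
#!/bin/sh
# Added example, not part of the original notes: hash-while-imaging in the
# style of dcfldd hash=/hashlog=, done with dd | tee | sha256sum because plain
# dd cannot hash, plus a later re-check of the image against the intake log.
# The evidence file and the tamper step are constructed for the demo.
set -eu

WORK=$(mktemp -d)

# Constructed evidence "drive": 512 KiB of a repeated text line (sample data,
# deterministic so the demo is reproducible).
make_evidence() {
    yes 'constructed evidence block' | head -c 524288 > "$WORK/evidence.disk"
    printf '%s\n' "$WORK/evidence.disk"
}

# Acquire and hash in one pass: tee writes the image while sha256sum hashes the
# same byte stream, so the log records exactly what was read from the source.
# The log line uses the "<hash>  <file>" layout that sha256sum -c understands.
acquire_with_hashlog() {   # $1 = source, $2 = image path, $3 = hash log
    stream_hash=$(dd if="$1" bs=4096 conv=noerror,sync 2>/dev/null \
                  | tee "$2" | sha256sum | cut -d' ' -f1)
    printf '%s  %s\n' "$stream_hash" "$2" > "$3"
    printf '%s\n' "$stream_hash"
}

# Re-verify the image on disk against the intake log. Run this before and
# after examination; a changed image (or a bad write) makes it print FAILED.
verify_against_log() {     # $1 = hash log; prints ok or FAILED
    if sha256sum -c "$1" >/dev/null 2>&1; then echo ok; else echo FAILED; fi
}

# Cross-check: the source hashed independently must equal the logged hash.
# The sample is a multiple of 4096 bytes, so conv=sync adds no padding.
source_matches_log() {     # $1 = source, $2 = hash log; prints yes or no
    if [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cut -d' ' -f1 "$2")" ]; then
        echo yes
    else
        echo no
    fi
}

# Simulates a one-byte change to the image "while at the lab" (constructed;
# offset 100 of the sample holds an 'e', so writing 'X' always changes it).
tamper_image() {           # $1 = image
    printf 'X' | dd of="$1" bs=1 seek=100 conv=notrunc 2>/dev/null
}

# Acquire, verify (ok), tamper, verify again (FAILED); prints both results.
run_demo() {
    src=$(make_evidence)
    img="$WORK/evidence.dd"; log="$WORK/evidence.hashlog"
    acquire_with_hashlog "$src" "$img" "$log" >/dev/null
    before=$(verify_against_log "$log")
    tamper_image "$img"
    after=$(verify_against_log "$log")
    printf '%s %s\n' "$before" "$after"
}

cleanup() { rm -rf "$WORK"; }

run_demo
```

Running the file prints "ok FAILED": the first check passes against the intake log, the second fails after the single changed byte. Keeping the hash log alongside the image (and in the case notes) is what lets an investigator answer the "was it changed in the lab" question with a reproducible check rather than an assertion; with dcfldd the same log comes from hash= and hashlog= directly.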