What is Data Acquisition in Digital Forensics
Data Acquisition means is the process of taking an image from a suspect’s machine.
Type of Data Acquisition:
- Static Acquisition = gathering non-volatile data, for example, gathering data from disk, USB, cd/DVD.
- Dynamic Acquisition = gathering volatile data, for example, gathering data from memory.
important to note: imaging isn’t copying
- imaging means take a mirroring the device’s entire storage on a file.
- copying means take a mirroring only the useful data from the source device.
Dead Acquisition refers to the attempt to acquire data from the suspect’s machine without the operating system. Reason: the suspect’s OS cannot be trusted.
there are many disk image formats:
- RAW: is the simplest format to save an image.
popular tools DD for Linux and RAWWrite studio for windows
dd if=[src] of=[dst]
- EnCase Forensic Evidence File (EWF/EVF)
- ILook Investigator IDIF, IRBF and IEIF
- PyFlag Seekable GZIP (sgzip)
- Advanced Forensics Format (AFF)
Besides a RAW format, there is a proprietary format such as AFF for forensics images. AFF is open and extensible and unencumbered by patents and trade secrets. Its open-source implementation is distributed under a license that allows its code to be freely integrated into other open-source and propriety programs. with AFF we can store more than one terabyte of data from imaged hard drives using less than 200 GB of storage.
- Ability to store disk images with or without compression.
- Ability to store disk images of any size.
- Ability to store metadata within disk images or separately.
- Ability to store images in a single file of any size or split among multiple files
- Extensibility and simple design.
- save disk space.
- Provisions for certifying the authenticity of evidence files with traditional hash functions (e.g., MD5 and SHA-1) and advanced digital signatures based on X.509(v)3 certificates.
- Disk-to-Image File(imaging): Forensic investigators commonly use this data acquisition method. It is a flexible method, which allows the creation of one or more copies, or bit-for-bit replications of the suspect drive. ProDiscover, EnCase, FTK, The Sleuth Kit, X-Ways Forensics, ILook Investigator, etc. are the popular tools used to read the disk-to-image files.
- Disk-to-Disk(cloning): Sometimes it is not possible to create a bit-stream disk-to-image file due to software or hardware errors or incompatibilities. Investigators face such issues while trying to acquire data from older drives and create a bit-stream disk-to-disk copy of the original disk or drive. Tools like EnCase, SafeBack and Norton Ghost can help create disk-to-disk bit-stream copies of the suspect drive. These tools can modify the target disk’s geometry (its head, cylinder, and track configuration) to match the data copied from the original suspect drive.
- Logical Data Acquisition: this is the preferred method with large data storage such as RAID servers. This method captures only specific files or file types of interest to the case. It is used when time is limited.
- Sparse Data Acquisition: this method is similar to creating a logical acquisition but it also collects deleted data (unallocated). Also, this method is used when an investigator doesn’t need to examine the whole drive.
an investigator must consider the following when determining data Acquisition Methods:
- The size of the source disk.
- Can you retain the source disk as evidence or must you return it to the owner?
- Time to do perform the acquisition.
- Location of the evidence.
anyway, there is no one right method that works every time. different cases have different circumstances, and with different circumstances, different methods are needed.
Live Data Acquisition
live data Acquisition means collect data while the machine is running. when investigator needs volatile data and volatile data reside in RAM or Cache. there are the following two types of volatile data:
- System Information: is a generic term that describes basic system information about the machine, system profile (details about configuration), login activity, current system date and time, command history, current system uptime, running processes, open files, startup files, clipboard data, logged on users, DLLs, or shared libraries.
- Network Configuration: Network information is the network-related information stored in the suspicious system and connected network devices. Volatile network information includes open connections and ports, routing information and configuration, ARP cache, shared files, services accessed, etc.
list of forensics tools followed by:
- Access Data FTK Imager: FTK Imager is one of the most famous tools in the forensics world. the tool allows the investigator to acquire various type of storage device and store then in different format for analysis. it is extremely important to remember to use write blocking when acquiring images for a hard disk, so that it won’t destroy or alter important data an the disk
- Live response Collection: is a very handy framework from BriMor Labs, which can collect various and useful information from a machine. the tool offers many acquistion type, each one is used depending on the data we’re interested in.
- Volatility Framework: the Volatility framework is a completely open collection of tools, implemented in python under GNU license for extraction of digital artifact from volatile memory sample.
- Bulk Extractor: bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results can be easily inspected, parsed, or processed with automated tools.
- Autopsy: Autopsy is a GUI-based open source digital forensic program to analyze hard drives and smart phones effectively. An autopsy is used by thousands of users worldwide to investigate what actually happened on the computer.
A curated list of awesome free (mostly open-source) forensic analysis tools and resources please visit -> https://github.com/cugu/awesome-forensics.