Forensic Acquisition Methods - Investigator's Manual 2018

Introduction

Digital forensics applies mainly to the criminal side of cybercrime and to incident investigation. It is the process of collecting, preserving and analyzing evidence during the course of an investigation, and it focuses primarily on uncovering electronic data. The goal is to preserve any evidence in its most original form while performing a structured investigation: collecting, identifying and validating the digital evidence in order to reconstruct past events. The context is most often the use of data in a court of law, though digital forensics can be used in other settings.
The forensic investigation process focuses primarily on root cause analysis of malicious events. The root cause is the factor that caused the disturbance and should be permanently eliminated. Root cause analysis is a collective term for a wide range of approaches, tools and techniques used to uncover the causes of problems; it is the practice of identifying what, how and why an event occurred so that steps can be taken to prevent it from recurring.

While some forensic investigators visit the crime scene or incident site to gather data and collect evidence, others analyze, in a secure environment, objects brought to them by other individuals called custodians. The chain of custody is essential for verifying that the evidence has not been tampered with or altered by any custodian. A forensic investigation depends entirely on the collection, or acquisition, of digital evidence. The purpose of proper acquisition and of searching for specific data is that the result shall serve as acceptable evidence in a court of law.

Chain of Custody

Chain of custody is the chronological documentation, or paper trail, that records the sequence of custody, control, transfer, analysis and disposition of physical or electronic evidence. It also documents each person who handled the evidence, the date and time it was collected or transferred, and the purpose of the transfer. Maintaining the chain of custody preserves the integrity of the evidence and prevents it from being altered; it is absolutely necessary for evidence to be admissible in court.

Importance to the Examiner

Suppose the examiner obtains some data, say the metadata for a piece of evidence, but is unable to extract meaningful information from it. Even if there is no meaningful information within the metadata, that does not mean the evidence is insufficient. The chain of custody, in this case, helps show where the possible evidence might lie, where it came from, who created it, and the type of equipment that was used.

Importance to the Court

It is possible for evidence presented in court to be dismissed if there is a missing link in the chain of custody. It is therefore vital to ensure that a proper and meaningful chain of custody is presented alongside the evidence in court.

Documentation

First of all, never work on the original evidence: develop procedures on copies, and use clean collection media. During the course of an examination, information about the evidence should be documented and brought to the investigator's attention, because it may be needed to obtain additional search authority. A chronological report must contain the following sections:
  • Case Number
  • Case Investigator
  • Submitted Information
  • Date of Receipt
  • Date of Report
  • Serial number, manufacturer, model, time, location, label, etc.
  • System administrator and users
  • Type and volume of media
  • Determining storage areas and operating system
  • Data recovered, Searches, Date created, Modification time, Point of Origin, Action performed, Point of Impact.

Notes on Linux live CDs (used for live acquisition):
  • Linux can access a drive that is not mounted.
  • Live CDs do not mount media automatically, which removes the need for a write blocker; they are configured not to mount at all, or to mount read-only. Live CDs available for this purpose:
    • SleuthKit
    • Deft
    • Kali Linux
    • Knoppix
    • SANS Investigative Toolkit

Step 1. Using the dd command to create a forensic image.
Step 2. Hash value generation: creating a hash value for the image file using MD5.

Diagram 2. Procedure for dead acquisition:
  • Power down the system and remove the hard drive.
  • Connect it to the forensic workstation through a hardware or software write blocker to create the image.
  • The write blocker preserves the integrity of the file metadata: it allows acquisition of data from the storage device without changing the drive’s contents, because write commands are blocked.

The report also records:
  • List and types of items
  • Description of the steps taken during the investigation
  • List of custodians
  • Identity and signature of the examiner
  • Results/conclusion


Data Acquisition

In computer forensics, the first and most important step is to make an exact copy of the data residing on the evidence hard disk (or other electronic digital storage device). Data acquisition is the creation of a bit-by-bit perfect copy of the digital media evidence, either on-site, where the device is located, or at a secure location if the device can be transported there.

The two types of methodology are:
1. Live acquisition
2. Dead/offline acquisition

Data can be saved directly to a disk or to a file.
To disk:
1. The destination disk must be wiped with zeros before the acquisition starts.
2. The destination disk must not be mounted in the acquisition system.

Live Acquisition Using Bootable CD

1. A live bootable disk is used.
2. By default, Linux is used.
3. Risk: during data acquisition, an attacker can modify data, or software can produce tampered data.

Linux Live CD Tools for Computer Forensics


Developers have created many computer forensics tools to support research and investigation. With the increasing use of digital data and mobile phones, digital forensics has become more important, and cybercrime is also increasing day by day, so developers keep releasing more powerful versions of these tools. The following is a list of a few important and popular data forensics tools used in Linux.

Use of DD command in Linux

The dd command is used in live acquisition when booting from a live CD. Its purpose is to make a bit-by-bit copy of any file, drive or partition. The resulting file can be saved on a hard disk or other storage media. An image has the advantage of not being mounted automatically in the acquisition system, and a dd file can be split into many smaller pieces to fit onto the storage media. The basic dd syntax looks like this:

dd if=<source> of=<destination>/filename.dd

For example: dd if=/dev/sda of=/destination/folder/filename.dd
Note: before running dd, run this command to find all the partitions in the suspect device.
root@kali:~# cat /proc/partitions
Partition types:
Physical - sda, sdb, sdc, ...
Logical - sda1, sda2, sdb1, sdb2, ...
Note: when booting from a live CD, the suspect drive is by default assigned the name sda.


MD5 and SHA hash functions are used in digital forensic tools to calculate and verify that a data set has not been altered by the application of the various evidence collection and analysis tools and procedures. The command used to create a hash value is as follows:

md5sum <image.dd> > hash-filename.txt
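The zero-wiped destination, the dd image, the hash value and the chain-of-custody record described above, together with the partition listing from /proc/partitions, carried through as one added shell script. This is not code from the manual: the suspect drive is a constructed 2 MiB file so the script runs without root or a real device, and the work directory, the examiner id, the tab-separated custody log, the function names and the NVMe naming rule in classify_partitions are my assumptions. The require_read_only gate uses blockdev --getro, the kernel read-only flag that the Linux write blocker note in the dead acquisition section builds on; it only has an effect on a real block device.

```shell
#!/bin/sh
# Added example, not from the manual: a file-backed walk-through of the
# acquisition steps (clean destination, dd image, hash, custody log).
# The "suspect drive" is a constructed file so the script runs without root
# or a real device; paths, the examiner id and the log format are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SIZE=$((2 * 1024 * 1024))   # 2 MiB stand-in for a disk

# Build the constructed evidence source: deterministic, so hashes are stable.
make_suspect_drive() {
  yes 'evidence block ' | head -c "$SIZE" > "$WORK/suspect.dev"
  printf '%s\n' "$WORK/suspect.dev"
}

# List partitions from /proc/partitions-style text (path passed in so it can
# be run on a saved copy). The manual's rule: sda is physical, sda1 logical.
# NVMe names end in a digit too, so they get their own pattern (my addition).
classify_partitions() {
  awk 'NR > 2 && $4 != "" {
         if ($4 ~ /^nvme[0-9]+n[0-9]+$/) print "physical " $4
         else if ($4 ~ /[0-9]$/)          print "logical " $4
         else                             print "physical " $4 }' "$1"
}

# Software write-block check before reading a real block device: the kernel
# read-only flag (blockdev --setro) is the facility the manual's Linux write
# blocker note builds on. A regular file, as used here, is passed through.
require_read_only() {
  if [ -b "$1" ]; then
    [ "$(blockdev --getro "$1")" = "1" ] ||
      { echo "$1 is not read-only; run: blockdev --setro $1" >&2; return 1; }
  fi
}

# Zero the destination, then prove it holds no non-zero byte before imaging.
prepare_destination() {
  dd if=/dev/zero of="$1" bs=4096 count=$((SIZE / 4096)) 2>/dev/null
  [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ] ||
    { echo "destination $1 is not clean" >&2; return 1; }
}

# Image with dd. conv=noerror,sync keeps going past read errors and pads the
# bad block with zeros so offsets in the image still line up with the source.
acquire_image() {
  require_read_only "$1"
  dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Store MD5 and SHA-256 beside the image, re-check them with -c, and confirm
# the image hashes the same as the source. SHA-256 is kept alongside MD5
# because MD5 collisions are practical and a stronger hash may be required.
hash_and_verify() {
  md5sum "$2" > "$2.md5"
  sha256sum "$2" > "$2.sha256"
  md5sum -c --status "$2.md5" && sha256sum -c --status "$2.sha256" || return 1
  [ "$(sha256sum < "$1" | cut -d' ' -f1)" = "$(cut -d' ' -f1 "$2.sha256")" ]
}

# Append a chain-of-custody record: UTC time, examiner, action, image digest.
log_custody() {
  printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" \
    "$(cut -d' ' -f1 "$4.sha256")" >> "$1"
}

# Whole procedure; prints the image path so callers can inspect the result.
run_acquisition() {
  src=$(make_suspect_drive)
  img="$WORK/evidence.dd"
  prepare_destination "$img"
  acquire_image "$src" "$img"
  hash_and_verify "$src" "$img"
  log_custody "$WORK/custody.log" "examiner-01" "dd image acquired, hashes verified" "$img"
  printf '%s\n' "$img"
}

# Stand-alone run: sh acquire.sh --run
if [ "${1:-}" = "--run" ]; then run_acquisition; fi
```

On a real acquisition the constructed suspect.dev is replaced by the device found in /proc/partitions, set read-only with blockdev --setro before acquire_image reads it; the .md5 and .sha256 files stay beside the image so that md5sum -c can be rerun by anyone who later receives the image, and the custody log gains one line per transfer.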



Dead/Offline Acquisition


A dead system acquisition can produce some information, but it cannot recover everything. To create a forensic image of an entire disk, the imaging process must not alter any data on the disk, and all data, metadata and unallocated space must be included.

Generally, the computer forensic investigator uses a forensic duplicator to create the clone copy or forensic image for further processing, investigation and preparation of the report. This method does not capture volatile data, however: cases such as malware forensics, or where the most recently used files must be identified, and devices such as SSDs need to be acquired by the live acquisition method. Dead acquisition takes less time to process. The forensic duplicator used has an inbuilt hardware write blocker.

Write Blockers

  • Allow acquisition of data from a storage device without changing the drive’s content
  • Write commands are blocked.

Types of Write Blockers

  1. Hardware write blockers
  2. Software based write blockers

Hardware write blockers:

  • A device connected between the investigator’s PC and the storage device.
  • Supported storage interfaces are ATA, SCSI, FireWire (IEEE 1394), USB and SATA.
  • The controller cannot write values to the command register that would write to or erase data on the storage device.

Software write blockers:

  • A software layer that sits between the OS and the device driver for the storage device.
  • Prevents all disk requests that use system calls to write data to the storage device.
  • Choose a well-known SWB that is in common use. The SWB should not modify a read-only disk.
  • The SWB is designed to prevent any operation on data storage media that are not write protected.
  • Evaluate these on a test system before using an SWB on the target system.
  • SWBs:
    • Read Only Mounter (Mac)
    • ForensicSoft SAFE Block (Windows)
    • Linux Write Blocker: a small kernel patch that enables Linux software write blocking. The patch uses the existing facility for marking a block device as read-only and adds read-only checks at a common low-level spot in the block device driver.

Image File Formats/Extensions

Raw Image

  • Bit-by-bit copy of the drive to a file
  • Advantages
    • Fast data transfers
    • Can ignore minor data read errors on source drive
    • Most computer forensics tools can read raw format
  • Disadvantages
    • Requires as much storage as original disk or data
    • Tools might not collect marginal (bad) sectors
    • Low threshold of retry reads on weak media spots
    • Commercial tools use more retries than free tools
  • Validation check must be stored in a separate file
    • Message Digest 5 ( MD5)
    • Secure Hash Algorithm ( SHA-1 or newer)

Embedded Image

  • Includes data from the suspect storage media and additional data about the acquisition (e.g. hash values, dates, times)


Other Formats

  • E01
    • International format. The hash value, case description and other details are stored in the same file, whereas in raw format these details are stored in a separate file.
  • Advanced Forensic Format (AFF)
    • Provides compressed or uncompressed image files
    • No size restriction for disk-to-image files
    • Provides space in the image file or segmented files for metadata
    • Open source for multiple platforms and OSs
    • File extensions include .afd for segmented image files and .afm for AFF metadata
  • LX01
    • EnCase logical evidence file. This file format is used by the EnCase forensic tool for logical data.

Conclusion


  • Secure digital evidence in accordance with departmental guidelines
  • Document hardware and software configuration of the examiner's system.
  • Identify storage devices that need to be acquired. These devices can be internal, external, or both.
  • Document internal storage devices and hardware configuration. 
    • Drive condition (e.g., make, model, geometry, size, jumper settings, location, drive interface). 
    • Internal components (e.g., sound card; video card; network card, including media access control (MAC) address; personal computer memory card international association (PCMCIA) cards).
  • Disconnect storage devices (using the power connector or data cable from the back of the drive or from the motherboard) to prevent the destruction, damage, or alteration of data.
  • Whenever possible, remove the subject storage device and perform the acquisition using the examiner's system. When attaching the subject device to the examiner's system, configure the storage device so that it will be recognized.
  • When using the subject computer to acquire digital evidence, reattach the subject storage device and attach the examiner's evidence storage device (e.g., hard drive, tape drive, CD-RW, MO).
  • Ensure that the examiner's storage device is forensically clean when acquiring the evidence.
  • Investigate the geometry of any storage devices to ensure that all space is accounted for, including host-protected data areas (e.g., non-host specific data such as the partition table matches the physical geometry of the drive).
  • Acquire the subject evidence to the examiner's storage device using the appropriate software and hardware tools, such as: 
    • Stand-alone duplication software. 
    • Forensic analysis software suite. 
    • Dedicated hardware devices
  • Verify successful acquisition by comparing known values of the original and the copy or by doing a sector-by-sector comparison of the original to the copy.
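The last item in the checklist, verification by sector-by-sector comparison, as an added shell example that is not part of the manual. It goes one step beyond the checklist: instead of reporting only that the copy differs from the original, it names the 512-byte sectors that differ, which is what an examiner needs in order to tell a read error on weak media from a change to the source. The function names (differing_sectors, verify_copy, demo_mismatch), the file names and the corrupted-sector demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the manual: sector-by-sector comparison of an
# original and its copy, reporting which 512-byte sectors differ rather than
# the yes/no answer a hash comparison gives. File names are constructed.
set -eu

SECTOR=512

# Print "sector N" once for every sector that differs. cmp -l emits one line
# per differing byte (1-based byte offset, then the two octal values); awk
# folds byte offsets into sector numbers and suppresses repeats.
differing_sectors() {
  cmp -l "$1" "$2" 2>/dev/null | awk -v s="$SECTOR" '
    { sec = int(($1 - 1) / s)
      if (NR == 1 || sec != last) { print "sector " sec; last = sec } }'
}

# Verdict for the report: 0 when the copy matches sector for sector,
# 1 (with the count of differing sectors on stderr) otherwise.
verify_copy() {
  n=$(differing_sectors "$1" "$2" | wc -l | tr -d ' ')
  if [ "$n" -eq 0 ]; then
    echo "verified: $1 and $2 match sector for sector"
    return 0
  fi
  echo "MISMATCH: $n sector(s) differ between $1 and $2" >&2
  return 1
}

# Constructed demonstration: an 8-sector original, a copy with one byte
# changed inside sector 5 (byte offset 5*512+7). Prints the differing sector.
demo_mismatch() {
  w=$(mktemp -d)
  dd if=/dev/zero of="$w/orig.dd" bs="$SECTOR" count=8 2>/dev/null
  cp "$w/orig.dd" "$w/copy.dd"
  printf 'X' | dd of="$w/copy.dd" bs=1 seek=$((5 * SECTOR + 7)) conv=notrunc 2>/dev/null
  differing_sectors "$w/orig.dd" "$w/copy.dd"
}

# Stand-alone run: sh verify.sh --run
if [ "${1:-}" = "--run" ]; then demo_mismatch; fi
```

Run verify_copy on the evidence device (still behind the write blocker) and the image; a hash mismatch tells you only that something differs, while the sector list tells you where, and a sector that dd padded with zeros after a read error will show up here even though the image is otherwise sound.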
