Beruflich Dokumente
Kultur Dokumente
Definition
• Data acquisition is the process of copying
data. For computer forensics, it’s the task of
collecting digital evidence from electronic
media.
• There are two types of data acquisition:
• static acquisitions and live acquisitions
Understanding Storage Formats for Digital Evidence
• In the past, there was only one practical way of copying data
for the purpose of evidence preservation and examination.
Examiners performed a bit-by-bit copy from one disk to
another disk the same size or larger.
• As a practical way to preserve digital evidence, vendors (and
some OS utilities, such as the Linux/UNIX dd command) made
it possible to write bit-stream data to files.
• This copy technique creates simple sequential flat files of a
suspect drive or data set.
• The output of these flat files is referred to as a raw format.
• This format has unique advantages and disadvantages to
consider when selecting an acquisition format.
Advantages
• Fast data transfers
• Capability to ignore minor data
• Read errors on the source drive
Disadvantage
• It requires as much storage space as the original
disk or data set
• They have a low threshold of retry reads on weak
media spots on a drive
Proprietary Formats
• Most commercial computer forensics tools have their own formats for
collecting digital evidence.
Proprietary formats typically offer several features that complement the
vendor’s analysis tool, such as the following:
• The option to compress or not compress image files of a suspect drive,
thus saving space on the target drive
• The capability to split an image into smaller segmented files for archiving
purposes, such as to CDs or DVDs, with data integrity checks integrated
into each segment
• The capability to integrate metadata into the image file, such as date and
time of the acquisition, hash value (for self authentication) of the original
disk or medium, investigator or examiner name, and comments or case
details
Disadvantage
• Inability to share an Image between different vendors’
computer forensics analysis tools
• Another problem with proprietary and raw formats is a file
size limitation for each segmented Volume
Advanced Forensic Format
• Dr. Simson L. Garfinkel of Basis Technology Corporation recently developed
a new open source acquisition format called Advanced Forensic Format
(AFF).
This format has the following design goals:
1. Creating compressed or uncompressed image files
2. No size restriction for disk-to-image files
3. Providing space in the image file or segmented files for metadata
4. Simple design with extensibility
5. Open source for multiple computing platforms and OSs
6. Offer internal consistency checks for self-authentication
Determining the Best Acquisition Method
• There are two types of acquisitions: static acquisitions and live
acquisitions.
• Typically, a static acquisition is done on a computer seized during a police
raid, for example.
• If the computer has an encrypted drive, a live acquisition is done if the
password or passphrase is available—meaning the computer is powered
on and has been logged on to by the suspect.
• Static acquisitions are always the preferred way to collect digital
evidence.
• However, they do have limitations in some situations, such as an
encrypted drive that’s readable only when the computer is powered on or
a computer that’s accessible only over a network.
• For both types of acquisitions, data can be collected with four
methods:
• creating a disk to- image file, creating a disk-to-disk copy,
creating a logical disk-to-disk or disk-to-data file, or creating a
sparse copy of a folder or file.
• Determining the best acquisition method depends on the
circumstances of the investigation.
disk-to-image file
• With this method, you can make one or many copies of a suspect
drive.
• These copies are bit-for-bit replications of the original drive. In
addition, you can use other forensics tools, such as ProDiscover,
EnCase, FTK, SMART, Sleuth Kit, X-Ways Forensics, and ILook, to
read the most common types of disk-to-image files you create
• Sometimes you can’t make a disk-to-image file because of
hardware or software errors or incompatibilities.
• This problem is more common when you have to acquire older
drives
• For these drives, you might have to create a disk-to-disk copy of the
suspect drive. Several imaging tools can copy data exactly from an older
disk to a newer disk
• These imaging tools include EnCase and SafeBack
• To determine which acquisition method to use for an investigation,
consider the size of the source (suspect) disk, whether you can retain the
source disk as evidence or must return it to the owner, how much time
you have to perform the acquisition, and where the evidence is located.
Using Acquisition Tools