Unofficial Standard in Forensic Formats

Uploaded by Ruban Ruban

TSS3323 DIGITAL FORENSICS

Chapter 4: Data Acquisition
Watch this video: [Link]
Objectives
 List digital evidence storage formats
 Explain ways to determine the best acquisition method
 Describe contingency planning for data acquisitions
 Explain how to use acquisition tools

Understanding Storage Formats for Digital Evidence
 Data in a forensics acquisition tool is stored as an image file
 Three formats
 Raw format
 Proprietary formats
 Advanced Forensics Format (AFF)

Raw Format
 A bit-by-bit, sector-by-sector copy of the data on a storage device, saved without compression, embedded metadata, or any container structure. It captures everything on the media, including deleted files and unallocated space.
 Advantages
 Fast data transfers
 Can ignore minor data read errors on the source drive (the unreadable sector is skipped or zero-filled and the copy continues)
 Most computer forensics tools can read raw format
 Disadvantages
 Requires as much storage as the original disk or data
 Tools might not collect marginal (bad) sectors, so their contents are missing from the image
 Carries no metadata of its own: hashes, case notes and bad-sector lists must be kept in separate files

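The sector-by-sector copy and the two read-error behaviours described above, as an added example (Python; not code from the slides or from any acquisition tool). A constructed in-memory "drive" with one bad sector is imaged the way dd does with conv=noerror,sync: the unreadable sector is zero-filled so the image keeps the source's length and offsets, and the lost LBAs are returned for the acquisition notes. FlakyDevice, acquire_raw, the 512-byte sector size and the sample data are assumptions made for this example.

```python
"""Raw (dd-style) acquisition of a block device, added example (not from the slides).

The "drive" is a constructed in-memory object that fails on chosen sectors to stand
in for media with marginal (bad) sectors; no real device is touched. acquire_raw()
mirrors dd's behaviour: by default (like conv=noerror,sync) an unreadable sector is
zero-filled and the copy continues, otherwise the first read error aborts.
"""
import hashlib

SECTOR = 512  # bytes per sector (assumed; 512 and 4096 are both common)


class FlakyDevice:
    """Constructed stand-in for a block device that raises OSError on listed LBAs."""

    def __init__(self, data: bytes, bad_sectors: set):
        self.data = data
        self.bad_sectors = set(bad_sectors)

    def size(self) -> int:
        return len(self.data)

    def read_sector(self, lba: int) -> bytes:
        if lba in self.bad_sectors:
            raise OSError(f"I/O error reading LBA {lba}")
        start = lba * SECTOR
        return self.data[start:start + SECTOR]


def acquire_raw(dev, noerror: bool = True) -> tuple:
    """Copy every sector of dev into a raw image.

    Returns (image_bytes, unreadable_lbas). With noerror=True a failed read is
    replaced by a zero-filled sector so the image keeps the source's length and
    sector offsets (the 'sync' part); the lost LBAs are returned so they can be
    written into the acquisition notes. With noerror=False the OSError propagates.
    """
    image = bytearray()
    unreadable = []
    sector_count = (dev.size() + SECTOR - 1) // SECTOR
    for lba in range(sector_count):
        try:
            chunk = dev.read_sector(lba)
        except OSError:
            if not noerror:
                raise
            unreadable.append(lba)
            chunk = b""
        image += chunk.ljust(SECTOR, b"\x00")  # pad short/failed reads to a full sector
    return bytes(image), unreadable


def sha256_hex(data: bytes) -> str:
    """Hex digest used to validate the image later."""
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    # Constructed 8-sector source; sector 5 is marginal and cannot be read.
    source = b"".join(bytes([i]) * SECTOR for i in range(8))
    dev = FlakyDevice(source, bad_sectors={5})

    image, lost = acquire_raw(dev)
    # Raw output is exactly as large as the source: no compression, no container.
    assert len(image) == len(source)
    # Readable sectors are identical to the source; the bad sector is now zeros.
    assert image[:5 * SECTOR] == source[:5 * SECTOR]
    assert image[5 * SECTOR:6 * SECTOR] == b"\x00" * SECTOR
    # The image hash therefore cannot match a hash of the intact media; record
    # the unreadable LBAs alongside the hash and the tool options used.
    return {"image_size": len(image), "unreadable_lbas": lost, "sha256": sha256_hex(image)}


if __name__ == "__main__":
    print(demo())
```

The point of the zero-fill is that every later offset in the image still lines up with the source, so file system structures after the bad sector remain parseable; the price is that whatever the bad sector held is gone, which is why the LBA list belongs in the acquisition notes next to the hash.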
Proprietary Formats
 Most forensics tools have their own formats
 Features offered
 Option to compress or not compress image files
 Can split an image into smaller segmented files
 Can integrate metadata (case details, hashes, acquisition notes) into the image file
 Disadvantages
 Inability to share an image between different tools
 File size limitation for each segmented volume
 The Expert Witness (.E01) format used by EnCase is the unofficial standard and is supported by most other tools

Advanced Forensics Format
 A modern, flexible, open format for storing forensic images of digital evidence
 Developed by Dr. Simson L. Garfinkel as an open-source acquisition format
 Design goals
 Provide compressed or uncompressed image files
 No size restriction for disk-to-image files
 Provide space in the image file or segmented files for metadata
 Simple design with extensibility
 Open source for multiple platforms and OSs
 Internal consistency checks for self-authentication
 Especially useful when capturing large images because the image can be segmented: .afd files hold segmented image data and .afm files hold the AFF metadata

Guide to Computer Forensics and Investigations, Fifth Edition

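The segmentation, stored metadata and self-checking described for proprietary formats and for AFF above, as an added example (Python; not code from the slides, from AFF or from any EWF/E01 implementation). It uses a deliberately simple layout, raw data segments plus a JSON metadata record, so the design can be seen end to end: a per-segment digest identifies exactly which volume is corrupted or missing, and a whole-image digest guards the reassembly. The segment naming (.001, .002, ...), the field names and the sample image are assumptions made for this example; this is not the AFF or E01 byte format.

```python
"""Segmented image files with a metadata record and per-segment integrity checks.

Added example, not code from the slides or from the AFF/EWF projects. Raw data
segments plus a JSON metadata record stand in for what a format like AFF keeps in
its .afd/.afm files: segment sizes, per-segment digests and a whole-image digest
that let the image check itself later. Naming and field names are assumptions.
"""
import hashlib
import json


def split_image(image: bytes, segment_size: int, base_name: str = "evidence") -> tuple:
    """Split a raw image into fixed-size segments and build the metadata record.

    Returns (segments, metadata): 'segments' maps file names to their bytes and
    'metadata' is the record stored beside them (sizes and SHA-256 per segment,
    plus the SHA-256 of the whole image).
    """
    if segment_size <= 0:
        raise ValueError("segment_size must be positive")
    segments = {}
    for n, off in enumerate(range(0, len(image), segment_size), start=1):
        segments[f"{base_name}.{n:03d}"] = image[off:off + segment_size]
    metadata = {
        "image_size": len(image),
        "segment_size": segment_size,
        "segments": [
            {"name": name, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
            for name, data in segments.items()
        ],
        "image_sha256": hashlib.sha256(image).hexdigest(),
    }
    return segments, metadata


def reassemble(segments: dict, metadata: dict) -> tuple:
    """Rebuild the image in metadata order; return (image, names of bad segments).

    Every segment is checked against its recorded size and digest, so a damaged,
    truncated or missing volume is named individually instead of only learning
    that the whole image hash no longer matches.
    """
    bad = []
    parts = []
    for entry in metadata["segments"]:
        data = segments.get(entry["name"], b"")
        if len(data) != entry["size"] or hashlib.sha256(data).hexdigest() != entry["sha256"]:
            bad.append(entry["name"])
        parts.append(data)
    image = b"".join(parts)
    if not bad and hashlib.sha256(image).hexdigest() != metadata["image_sha256"]:
        bad.append("<whole image>")  # segments fine individually but order/record wrong
    return image, bad


def demo() -> tuple:
    # Constructed 10 KiB "image"; 4 KiB segments give three files, the last one short.
    image = bytes(range(256)) * 40
    segments, metadata = split_image(image, 4096)
    rebuilt, bad = reassemble(segments, metadata)
    assert rebuilt == image and bad == []

    # Flip one byte inside the second segment: only that volume is reported.
    damaged = dict(segments)
    seg = bytearray(damaged["evidence.002"])
    seg[100] ^= 0xFF
    damaged["evidence.002"] = bytes(seg)
    _, bad = reassemble(damaged, metadata)
    return json.dumps(metadata, indent=1), bad


if __name__ == "__main__":
    record, bad_segments = demo()
    print(record)
    print("bad segments:", bad_segments)
```

Compare this with the raw format: a raw image split with a generic file splitter has no record of how many pieces exist or what each should hash to, so a missing last segment is only noticed when the reassembled hash fails, with no indication of where the damage is.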
Determining the Best Acquisition Method
 The best method depends on the circumstances of the investigation
 Types of acquisitions
 Static acquisitions and live acquisitions
 A static acquisition images powered-off media; done through a write blocker it does not alter the original data and can be repeated and re-verified
 A live acquisition is needed when the system must stay running, or when the volume is encrypted and only the running system holds the decryption key
 Live acquisition also captures RAM, which is critical in modern investigations
 Four methods of data collection
 Creating a disk-to-image file
 Creating a disk-to-disk copy
 Creating a logical disk-to-disk or disk-to-data file
 Creating a sparse data copy of a file or folder

Determining the Best Acquisition Method (cont'd)
 Comparison of the four methods (Method; Definition; Output format; Use case; Pros; Cons)
 1. Disk-to-Image File
 Definition: creates a bit-by-bit copy of the entire disk into a single image file (e.g., .dd, .E01)
 Output format: image file
 Use case: forensic preservation and analysis
 Pros: preserves deleted files and metadata; supports hash verification
 Cons: cannot be booted directly; large file size
 2. Disk-to-Disk
 Definition: clones the entire content of one disk directly to another physical disk
 Output format: physical disk
 Use case: quick duplication for backup or investigation
 Pros: bootable clone; fast in the field
 Cons: needs an equal or larger target disk; not compressed
 3. Logical Disk-to-Disk or Disk-to-Data File
 Definition: copies only active files and folders, not deleted data or slack space
 Output format: folder or archive
 Use case: targeted acquisition (e.g., documents only)
 Pros: faster; less storage needed
 Cons: may miss hidden or deleted data
 4. Sparse Data Copy
 Definition: copies only selected files or folders with known evidentiary value
 Output format: individual files
 Use case: specific file collection (e.g., PDFs, logs)
 Pros: quick; minimal storage
 Cons: least forensic depth; may miss evidence

Determining the Best Acquisition Method (cont'd)
 When making a copy, consider:
 Size of the source disk
 Lossless compression might be useful
 Use digital signatures for verification
 When working with large drives, an alternative is using tape backup systems
 Whether you can retain the disk

Contingency Planning for Image Acquisitions
 Create a duplicate copy of your evidence image file
 Make at least two images of digital evidence
 Use different tools or techniques
 Copy the host protected area (HPA) of the disk drive as well: a hidden section of the drive that is not visible to the operating system or normal users
 Consider using a hardware acquisition tool that can access the drive at the BIOS level
 Be prepared to deal with encrypted drives
 Whole disk encryption, such as the Windows BitLocker feature, makes static acquisitions more difficult
 May require the user to provide the decryption key or recovery key

Using Acquisition Tools
 Acquisition tools for Windows
 Advantages
 Make acquiring evidence from a suspect drive more convenient
 Especially when used with hot-swappable devices
 Disadvantages
 Must protect acquired data with a well-tested write-blocking hardware device
 Tools can't acquire data from a disk's host protected area

Forensic Acquisition & Analysis Tools
•Write Blockers (prevent data alteration during access)
•Forensic Workstations (e.g., FRED)
•Forensic Duplicators (clone drives, e.g., Logicube Talon Ultimate)
•Forensic Imagers (e.g., Tableau hardware imagers; FTK Imager software)
•Chip-off Tools (remove memory chips from devices)
•JTAG Devices (access data via debugging interfaces)
•RAM Acquisition Tools (for capturing volatile memory)
•Forensic Card Readers (for flash media)
Forensic Acquisition & Analysis Tools (cont'd)
• Write Blockers:
• A hardware device that enables forensic investigators to
view the data on a storage device without modifying it.
• This device prevents any writing, modification or deletion
of the data on the storage device.
• Forensic Imaging Devices:
• This device creates an exact copy of the data on the
storage device, including deleted and hidden files.
• It captures a forensic image of the data and stores it in a
secure location.
• Memory Dumpers:
• These devices extract volatile data such as RAM,
caches, and buffers from computers and other devices.
• They allow forensic examiners to analyze the data stored
in volatile memory.
The types of devices used to forensically extract data from different storage devices
• JTAG Devices:
• JTAG (Joint Test Action Group) is a standard used to
test and debug circuit boards.
• JTAG devices can be used to extract data from
mobile devices that are not accessible through
standard forensic techniques.
• Chip-Off Tools:
• These devices are used to extract data from storage
devices that have been damaged or are not
accessible through traditional methods.
• Chip-Off tools extract the storage chips from the
device and read the data directly from the chip.
Capturing an Image with AccessData FTK Imager Lite
 Included with AccessData Forensic Toolkit
 Designed for viewing evidence disks and disk-to-image files
 Makes disk-to-image copies of evidence drives
 At logical partition and physical drive level
 Can segment the image file
 Evidence drive must be attached through a hardware write-blocking device
 Or run from a Live CD, such as Mini-WinFE

Capturing an Image with AccessData FTK Imager Lite (cont'd)
 FTK Imager can't acquire a drive's host protected area
 Use a write-blocking device and follow these steps
 Boot to Windows
 Connect the evidence disk to the write-blocker
 Connect the target disk (the destination for the image)
 Start FTK Imager Lite
 Choose Create Disk Image and select the Physical Drive option
 Leave image verification enabled so the tool hashes the image when it finishes and reports whether it matches the source
 See Figures on the following slides for more steps

[Figures: FTK Imager Lite acquisition steps (screenshot slides, not reproduced here)]

Validating Data Acquisitions
 Validating evidence may be the most critical aspect of computer forensics
 Requires using a hashing algorithm utility
 Validation techniques
 CRC-32, MD5, and SHA-1 to SHA-512
 CRC-32 is a checksum that catches accidental corruption but can be deliberately matched by someone who alters the data; MD5 and SHA-1 have known collision attacks. Prefer SHA-256 or stronger and record more than one digest.

Data Integrity and Hashing
 Hashing algorithms such as MD5, SHA-1, and CRC-32 are used to verify data
 Static acquisitions can be re-verified
 Static acquisition means imaging a powered-off device (e.g., a hard drive)
 The data is unchanging during the process
 You can repeat the hash of the source media or of the image later to confirm nothing has been altered
 ✅ Example: Imaging a seized laptop's hard drive while it is shut down
 Live acquisitions capture evolving data
 Involves imaging a powered-on system (e.g., RAM, active processes)
 The data is changing constantly (e.g., new processes, network activity)
 You cannot re-verify it against the source later because the system state keeps changing; hash the captured file immediately and document when it was taken
 ✅ Example: Capturing RAM or browsing history from a running PC
 Always hash the source media before acquisition and the image file after it, and confirm that the two values match
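The validation record and re-verification described in the two sections above, as an added example (Python; not code from the slides or from any forensic tool). It stores CRC-32, MD5 and SHA-256 for a constructed image, re-checks a copy, and then demonstrates the caveat about CRC-32: because the CRC is linear, anyone who alters the image can append four bytes computed directly (no brute force) so the CRC-32 matches the recorded value again, while MD5 and SHA-256 still fail. The sample image bytes and the record field names are assumptions made for this example.

```python
"""Validation record for an image, and why a CRC is not a substitute for a hash.

Added example (Python), not from the slides. validation_record() stores CRC-32,
MD5 and SHA-256 for a constructed image and verify() re-checks a copy. forge_crc32()
then shows the caveat: anyone who can alter the image and append four bytes can
restore its CRC-32, while the cryptographic hashes still change. The image bytes
and the field names are assumptions made for the example.
"""
import hashlib
import zlib

MASK = 0xFFFFFFFF
POLY = 0xEDB88320  # reflected CRC-32 polynomial, the same one zlib uses


def validation_record(image: bytes) -> dict:
    """Digests a tool would store beside the image right after acquisition."""
    return {
        "crc32": zlib.crc32(image) & MASK,
        "md5": hashlib.md5(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def verify(image: bytes, record: dict) -> dict:
    """Re-verification: for each recorded digest, does this copy still match?"""
    now = validation_record(image)
    return {name: now[name] == record[name] for name in record}


def _crc_table() -> list:
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc_table()
# The high byte of each table entry is unique, so it identifies the index that produced it.
_HIGH_TO_INDEX = {entry >> 24: idx for idx, entry in enumerate(_TABLE)}


def forge_crc32(data: bytes, target: int) -> bytes:
    """Return data + 4 bytes chosen so that zlib.crc32(result) == target.

    CRC-32 is linear, so the four appended bytes can be solved for directly.
    (In zlib's convention the internal register is crc ^ MASK.)
    """
    # Walk backwards from the target register to find which table index each of
    # the four final update steps must use.
    reg = (target & MASK) ^ MASK
    indexes = []
    for _ in range(4):
        idx = _HIGH_TO_INDEX[reg >> 24]
        indexes.append(idx)
        reg = ((reg ^ _TABLE[idx]) << 8) & MASK
    indexes.reverse()
    # Walk forwards from the real register after `data`, picking each byte so the
    # update uses the required index: idx == (reg ^ byte) & 0xFF.
    reg = zlib.crc32(data) ^ MASK
    patch = bytearray()
    for idx in indexes:
        patch.append(idx ^ (reg & 0xFF))
        reg = _TABLE[idx] ^ (reg >> 8)
    return data + bytes(patch)


def demo() -> tuple:
    image = b"evidence-sector-" * 256  # constructed 4 KiB image
    record = validation_record(image)

    # Accidental corruption (one flipped bit): every digest changes.
    corrupted = bytearray(image)
    corrupted[1000] ^= 0x01
    accidental = verify(bytes(corrupted), record)

    # Deliberate tampering: change content, then forge the CRC-32 back to the
    # recorded value. CRC-32 passes; MD5 and SHA-256 do not.
    tampered = image.replace(b"evidence", b"innocent", 1)
    forged = forge_crc32(tampered, record["crc32"])
    deliberate = verify(forged, record)
    return accidental, deliberate


if __name__ == "__main__":
    print(demo())
```

The same forgery is not possible against SHA-256, which is why a CRC in an image's metadata is fine for spotting transfer errors but a cryptographic digest, ideally more than one, is what should be recorded in the acquisition notes and the chain-of-custody record.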
Dealing with Encrypted Drives
 Whole disk encryption (BitLocker and others) complicates acquisition
 Tools such as Elcomsoft Forensic Disk Decryptor can recover keys from a memory dump or hibernation file
 Live acquisition may be required to capture decrypted content while the volume is mounted
Contingency Planning
 Create multiple image copies using different tools for redundancy
 Test tools for handling Host Protected Areas (HPA)
 Plan for tool failure, encrypted systems, limited time or access
Best Practices and Recommendations
 Use updated forensic tools with documentation support
 Ensure hash values match across original and copied data
 Maintain a chain of custody and proper documentation
 Be prepared with multiple tools and recovery methods
