1
Q
Data Acquisition
A
- making a forensic copy of evidence, which could be any type of media
- hard disk drive, USB, CD/DVD, etc
2
Q
Why do we Acquire?
A
- NEVER work directly on a suspected machine
- 1st: you might end up damaging evidence
- 2nd: the client likely cannot afford to not have the machine to keep working on
- 3rd: with only one copy, there is no way for multiple teams or investigators to work on the same case in parallel
3
Q
What is important to remember about the first image taken?
A
- You’re not supposed to work on the first image you take
- The original image needs to be saved, and copies are made to do the actual work on
4
Q
Order of Volatility?
A
- registers
- cpu cache
- RAM
- HDD
- External and Secondary storage devices
5
Q
What are the two types of data acquisition?
A
- static
- dynamic/live
6
Q
Static Acquisition
A
- gathering non-volatile data
- gathering the data that remains intact after the system reboots or goes down
- hard disks, flash discs
7
Q
Dynamic Acquisition
A
- gathering volatile data while the system is still running
8
Q
Which type of acquisition is typically done first?
A
- dynamic; higher risk of losing live data
9
Q
Raw Format
A
- simplest format to save an image
- data is read from the source device’s disk and written on a file
- the image file can be mounted later and analyzed for evidence
10
Q
What are the benefits of Raw Format?
A
- offers a faster transfer rate
- popular on most forensic tools; gives flexibility to move between different frameworks
11
Q
What are some things to be aware of with Raw Format?
A
- takes up the same space as the original target device drive’s size
- neglects small errors on the source disk
12
Q
What tool allows a disk to be imaged and split into multiple smaller files?
A
- DD tool
13
Q
Proprietary Format
A
- commercial tools implement their own file format
- compress the data for space efficiency, but makes the imaging and analysis process slower
14
Q
What are the advantages of using proprietary formats?
A
- space efficiency
- all the case related metadata
- data are on a single file
- allows investigator to do all work on a single framework (imaging, analysis, and reporting modules are all on the same tool)
15
Q
What are the disadvantages of using proprietary formats?
A
- slower due to the compression/decompression and encoding/decoding processes
- binds the investigator to the framework since the proprietary format cannot cross platforms
16
Q
What are the most notable proprietary formats?
A
- EWF (Expert Witness Format) from Encase
- IDIF, IRBF, IEIF from ILook Iinvestigator
- sgzip from PyFlag
17
Q
Open Source Format
A
- AFF (Advanced Forensics Format)
18
Q
Data Acquisition vs. Copying
A
- Imaging IS NOT copying
- Imaging mirrors the device’s entire storage on a file
- Copying mirrors only the “useful” data from the source device
19
Q
What needs to be considered when copying an image?
A
- Make sure that the copy is an exact replica of the original image
- make sure the original image is safe from tampering
- make sure the copying process will not alter the original image
20
Q
What are the two acquisition methods?
A
- from disk drive to image file (imaging)
- from disk drive to disk drive (cloning)
21
Q
Imaging
A
- mirrors the suspect’s hard drive content into an image file
- imaging a drive creates what is called a “forensic image”
- the advantage of this method is scalability and efficiency
- a forensic image does not have to be for a full disk drive; you may only copy a particular partition
22
Q
Cloning
A
- disk drive to disk drive
- mirrors the suspect’s hard disk content into another hard disk
- this result is a second disk that is exactly similar to the source disk (clone)
23
Q
Live Acquisition
A
- used to collect data while the machine is running
- usually looking for volatile data
- volatile data resides in a memory that can’t hold the data after a reboot
- usually resides in RAM and cache
24
Q
Why is volatile data so fragile?
A
- the data is not JUST lost on reboot
- processes running on the machine use the RAM and cache continually
- any move made on the machine will have an impact on the device’s RAM
25
Why is volatile data so important?
- it is very likely to hold passwords, messages, domain names, and IP addresses belonging to those processes
- very important in cases such as malware analysis and hunting
26
What tool may allow an investigator to extract and decrypt traffic going between malware and it's operator?
- encryption key
27
SYS info
- generic term that describes basic system information about the machine, the running OS, its configuration, and the installed applications
- EX: OS version, build, product key, computer name, accounts, CPU model, RAM size, etc.
28
OS Configuration
- installed languages
- time zones
- uptime
- installed updates and hotfixes
29
RAM Dump and Running Processes
- knowing what processes were running at the time of the acquisition might be crucial for the investigation
- it should help the investigator know what to look for when analyzing the RAM dump acquired
30
Time Stamps
- play a major role in crime reconstruction
31
Network Configurations
- important when there is a network attack
| - details such as: number of NICs, MAC and IP addresses
32
Write Blockers
- device that allow data acquisition to take place, while eliminating the chance of damaging or altering the disk's contents
- blocks the hard disk from writing by filtering out write commands and preventing them from being executed
33
Bootable Disks
- usually hold a self-contained fully functioning, bootable OS
- this allows the investigator to launch an OS on the suspect's machine without touching and modifying the device's main disk
34
How is write protect on Windows 7 and later enabled?
- Regedit
- Access HKLM /SYSTEM/CurrentControlSet/Control
- New > Key named "StorageDevicePolicies"
- Create a new Value (DWORD 32-bit) inside the Key called "WriteProtect"
- Double click the newly created Key and change value to '1'
35
Volatility Framework
- completely open collection of tools, implemented in Python under GNU General Public License
- allows for the extraction of digital artifacts from volatile memory (RAM) samples
- support memory dumps in raw format, Microsoft crash dump, hibernation file, and virtual machine snapshot
- pre-installed with Kali Linux
- also comes as an exe to run on Windows
