Forensic Acquisition

Acquisition is the process of obtaining a forensically clean copy of data from a device seized as evidence.

  • if computer is not owned by the org,
    • then there is a question of whether the search or seizure is legally valid
    • impacts bring-your-own-device (BYOD) policies
      • e.g., accusing an employee of fraud may require the employee’s equipment and data to be lawfully seized and searched
  • mistakes made while collecting and analyzing evidence will render it inadmissible in court

Data Acquisition

Data acquisition, in digital forensics, is the method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk.

  • more difficult to capture evidence from a digital crime scene than it is from a physical one
    • Some evidence will be lost if the computer system is powered off
    • some evidence may be unobtainable until the system is powered off
    • evidence may be lost depending on whether the system is shut down or “frozen” by suddenly disconnecting the power
  • usually proceeds by using a tool to make an image from the data held on the target device
    • image can be acquired from either volatile or nonvolatile storage
    • general principle is to capture evidence in the order of volatility
      • from more volatile to less volatile
  • ISOC best practice guide to evidence collection and archiving sets out the general order as follows:
    1. CPU registers and cache memory
      • including cache on disk controllers, graphics cards, and so on
    2. Contents of nonpersistent system memory (RAM)
      • including routing table, ARP cache, process table, kernel statistics
    3. Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices):
      • Partition and file system blocks, slack space, and free space
      • System memory caches, such as swap space/virtual memory and hibernation files
      • Temporary file caches, such as the browser cache
      • User, application, and OS files and directories
    4. Remote logging and monitoring data
    5. Physical configuration and network topology
    6. Archival media and printed documents
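As an added example (not part of the original notes), a small POSIX shell collector that walks the order of volatility above: it gathers the nonpersistent items (process table, routing table, ARP cache, kernel statistics) before it inventories persistent storage, writes each artifact to a case directory, hashes it and appends a timestamped line to a collection log. The artifact list, file names and log format are the example's own choices; it assumes sha256sum from coreutils and a Linux /proc, and logs any missing tool as unavailable instead of aborting the collection.

```shell
#!/bin/sh
# Added example: collect volatile artifacts in order of volatility into a case
# directory, hashing and logging each item. Assumes POSIX sh, coreutils
# (sha256sum, date, mkdir) and a Linux /proc; missing tools are logged as
# UNAVAILABLE rather than stopping the collection.

# SHA-256 of a file (assumes coreutils sha256sum)
hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# UTC timestamp for the log
now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# collect_item <casedir> <label> <command> [args...]
# Runs the command, saves its output as <label>.txt, records hash and time.
collect_item() {
    casedir=$1; label=$2; shift 2
    out="$casedir/$label.txt"
    if command -v "$1" >/dev/null 2>&1; then
        # a failing command (e.g. an absent /proc file) still leaves its
        # error text as the collected output, so the gap is documented
        "$@" >"$out" 2>&1 || true
        printf '%s\t%s\t%s\tsha256=%s\n' "$(now)" "$label" "$*" "$(hash_file "$out")" >>"$casedir/collection.log"
    else
        printf '%s\t%s\t%s\tUNAVAILABLE\n' "$(now)" "$label" "$*" >>"$casedir/collection.log"
    fi
}

# collect_volatile <casedir>: run the items most-volatile first
collect_volatile() {
    casedir=$1
    mkdir -p "$casedir"
    : >"$casedir/collection.log"
    # order-of-volatility step 2: nonpersistent system memory
    collect_item "$casedir" 01_processes ps -ef
    collect_item "$casedir" 02_routing_table cat /proc/net/route
    collect_item "$casedir" 03_arp_cache cat /proc/net/arp
    collect_item "$casedir" 04_kernel_stats cat /proc/loadavg
    collect_item "$casedir" 05_kernel_version uname -a
    # step 3: inventory of persistent storage (the devices themselves are
    # imaged separately, once the volatile data is safe)
    collect_item "$casedir" 06_mounts cat /proc/mounts
    collect_item "$casedir" 07_disk_usage df -k
    # step 5: physical/network configuration
    collect_item "$casedir" 08_hostname hostname
    # hash the log itself so later edits to it can be detected
    hash_file "$casedir/collection.log" >"$casedir/collection.log.sha256"
}

# count_collected <casedir>: number of items that were actually captured
count_collected() { grep -c 'sha256=' "$1/collection.log"; }
```

In practice the commands would be run from a trusted toolkit on read-only media rather than from the suspect system's own binaries, and the case directory would sit on external storage so nothing is written to the evidence disk.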

System Memory Acquisition

System memory is volatile data held in Random Access Memory (RAM) modules.

  • Volatile means that the data is lost when power is removed
  • system memory dump creates an image file that can be analyzed to identify:
    • the processes that are running
    • the contents of temporary file systems
    • registry data
    • network connections
    • cryptographic keys
      • can be a means of accessing data that is encrypted when stored on a mass storage device
    • and more
  • specialist hardware or software tool can capture the contents of memory while the host is running
    • this type of tool needs to be preinstalled
      • requires a kernel mode driver

Disk Image Acquisition

Disk image acquisition refers to acquiring data from nonvolatile storage.

  • Nonvolatile storage includes:
    • hard disk drives (HDDs)
    • solid state drives (SSDs)
    • firmware
    • other types of flash memory
      • USB thumb drives and memory cards
    • optical media (CD, DVD, and Blu-ray)
  • can be referred to as device acquisition
    • meaning the SSD storage in a smartphone or media player
  • will also capture the OS installation if the boot volume is included
  • three device states for persistent storage acquisition:
    • Live acquisition
      • means copying the data while the host is still running
      • may capture more evidence or more data for analysis and reduce the impact on overall services
        • but the data on the actual disks will have changed
        • so may not produce legally acceptable evidence
    • Static acquisition by shutting down the host
      • runs the risk that malware will detect the shutdown process and perform anti-forensics to try to remove traces of itself
    • Static acquisition by pulling the plug
      • means disconnecting the power at the wall socket
        • not the hardware power-off button
      • most likely to preserve the storage devices in a forensically clean state
        • but carries a risk of corrupting data
  • imperative to
    • document the steps taken
    • supply a timeline and video-recorded evidence of actions taken to acquire the evidence
  • Tools
    • on Linux
      • dd command
        • makes a bit-by-bit copy of an input file, typically used for disk imaging
      • dcfldd
        • recent fork of dd
        • provides additional features like multiple output files and exact match verification
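As an added example, not code from the original notes or from the dd/dcfldd projects, the POSIX shell functions below show the imaging workflow the tools above are used for: dd copies the source bit for bit, the source is hashed before and after imaging and compared with the image hash, the hashes and dd's own record counts go into an acquisition log, and a separate verify step re-checks the copy later. It assumes coreutils (dd, sha256sum) and uses a constructed 1 MiB file of random bytes as a stand-in for a seized drive; against a real device the functions run as root with the source attached read-only (ideally behind a write blocker) so the acquisition cannot alter it.

```shell
#!/bin/sh
# Added example: bit-for-bit imaging with dd plus hash verification and an
# acquisition log. Assumes POSIX sh and coreutils (dd, sha256sum, wc, date).
# The sample "device" is a constructed file; on a real device run as root
# with the source attached read-only so the acquisition cannot alter it.

hash_file() { sha256sum "$1" | cut -d' ' -f1; }   # SHA-256, coreutils
now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# make_sample_device <path>: constructed stand-in for a seized drive,
# 2048 sectors of 512 bytes (1 MiB) of pseudo-random data
make_sample_device() { dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null; }

# acquire_image <source> <image> <logfile>
# Copies source to image with dd, logs both hashes and dd's record counts.
# Returns 0 only when the image hash equals the source hash and the source
# hash did not change during imaging.
acquire_image() {
    src=$1; img=$2; log=$3
    printf '%s\tacquisition start\tsource=%s\n' "$(now)" "$src" >>"$log"
    src_hash=$(hash_file "$src")             # hash the source before imaging
    # bs=512 matches the sector size so conv=sync (pad an unreadable block
    # with zeros instead of dropping it, keeping offsets aligned) never pads
    # the end of the image; conv=noerror continues past read errors.
    # dd's "records in/out" summary on stderr is appended to the log.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    img_hash=$(hash_file "$img")
    post_hash=$(hash_file "$src")            # re-hash: was the source left unchanged?
    printf '%s\tsource sha256=%s\tsource-after sha256=%s\n' "$(now)" "$src_hash" "$post_hash" >>"$log"
    printf '%s\timage=%s\tsha256=%s\n' "$(now)" "$img" "$img_hash" >>"$log"
    [ "$src_hash" = "$img_hash" ] && [ "$src_hash" = "$post_hash" ]
}

# verify_image <image> <expected_sha256>: later integrity check of the copy
verify_image() { [ "$(hash_file "$1")" = "$2" ]; }

# logged_image_hash <logfile>: the image hash recorded at acquisition time
logged_image_hash() { sed -n 's/.*image=.*sha256=\([0-9a-f]*\)$/\1/p' "$1" | tail -n 1; }
```

If the device size is not a multiple of the block size, conv=sync pads the last block and the image hash will legitimately differ from the source hash; 512 is used here because sector-addressed devices are always a whole number of 512-byte sectors. Analysis is then done on a working copy of the image, and verify_image against the logged hash shows whether the copy is still the one that was acquired.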