Notes - MCS
Computer Systems Forensic Analysis

Forensic Acquisition

Data Acquisition

  • Typically occurs in the "system preservation" phase.

  • Although it might also occur on a running system.

  • This is an important phase:

    • if not done properly, data can be lost forever.

    • it must be done in a way that does not undermine its legal validity.

What to do if

The computer is off → remove the power cord.

The computer is on:

  • Take a picture of the screen

  • Are destructive processes running? → remove the power cord

  • Do a memory dump and get network connections status → this may destroy or contaminate pieces of evidence.

    • when you cannot turn off a server.

    • to get passwords or encryption keys stored in RAM.

    • to monitor malicious software network activities.

Information analysis layers on storage media:

  • physical – from the first to the last bit of the storage media.

  • volume – a copy taken at this level does not capture unallocated sectors outside the partitions, the partition tables, or hidden areas.

  • file – file copies (e.g. backup tools) are less likely to retrieve deleted files.

  • application – each application has its own encoding or file format.

Other media:

  • network and volatile memory.

  • each medium has its own recommended procedures.

Copying storage media:

  • the bigger the block size, the faster the acquisition.

  • But if a block contains a sector with a read error, the whole block comes back invalid, not just the bad sector.

  • The acquisition block size should match the sector size.

    • for HDD the sector size is 512 bytes.

    • For SSD sector size depends on the brand, model, and capacity.

  • Data acquisition should include the complete storage medium (physical level).

    • Including unallocated sectors,

    • Hidden areas: HPA or DCO – in this case, 2 acquisitions are recommended.

      • one with the hidden area in place, and another with the hidden areas disabled.
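The block-size trade-off above can be shown with a small acquisition routine. The following is an added example, not code from the course notes: it reads a simulated raw device (constructed in memory, with two sectors that fail on read) using large blocks for speed, and when a block fails it falls back to sector-sized reads so only the genuinely unreadable sectors are zero-filled and logged. A naive copier that gives up on the whole block is included for comparison. The 4 KiB block size, the zero-filling convention and the `SimulatedDevice` class are assumptions of the example, not part of the notes.

```python
import hashlib
import io

SECTOR_SIZE = 512               # HDD sector size, as stated in the notes
BLOCK_SIZE = 8 * SECTOR_SIZE    # assumed larger read block (4 KiB) for speed

# Constructed sample medium: 32 sectors of recognisable data, sectors 5 and 20 unreadable.
DATA = bytes(range(256)) * (32 * SECTOR_SIZE // 256)
BAD_SECTORS = {5, 20}


class SimulatedDevice:
    """Stand-in for a raw block device: a bytes buffer plus a set of sector
    numbers that raise OSError when any read request touches them."""

    def __init__(self, data, bad_sectors):
        self.data = data
        self.bad_sectors = bad_sectors
        self.pos = 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        first = self.pos // SECTOR_SIZE
        last = (self.pos + n - 1) // SECTOR_SIZE
        if any(s in self.bad_sectors for s in range(first, last + 1)):
            raise OSError("I/O error")      # the whole request fails, like a real driver
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def size(self):
        return len(self.data)


def make_device():
    return SimulatedDevice(DATA, BAD_SECTORS)


def acquire_naive(dev, block_size=BLOCK_SIZE):
    """Block-sized reads only: a read error invalidates (zero-fills) the whole block.
    Returns (image_bytes, list_of_failed_block_offsets)."""
    image, failed, total, offset = io.BytesIO(), [], dev.size(), 0
    while offset < total:
        want = min(block_size, total - offset)
        dev.seek(offset)
        try:
            chunk = dev.read(want)
        except OSError:
            failed.append(offset)
            chunk = b"\x00" * want
        image.write(chunk)
        offset += want
    return image.getvalue(), failed


def acquire(dev, block_size=BLOCK_SIZE, sector_size=SECTOR_SIZE):
    """Physical-level copy of the whole device. Reads block_size bytes at a time;
    on error, re-reads that block sector by sector so only the unreadable sectors
    are zero-filled (keeping offsets aligned) and recorded.
    Returns (image_bytes, sha256_hex, list_of_bad_sector_numbers)."""
    image, digest, bad = io.BytesIO(), hashlib.sha256(), []
    total, offset = dev.size(), 0
    while offset < total:
        want = min(block_size, total - offset)
        dev.seek(offset)
        try:
            chunk = dev.read(want)
        except OSError:
            chunk = bytearray()
            for sec_off in range(offset, offset + want, sector_size):
                n = min(sector_size, offset + want - sec_off)
                dev.seek(sec_off)
                try:
                    chunk += dev.read(n)
                except OSError:
                    bad.append(sec_off // sector_size)
                    chunk += b"\x00" * n
            chunk = bytes(chunk)
        image.write(chunk)
        digest.update(chunk)
        offset += want
    return image.getvalue(), digest.hexdigest(), bad


def bytes_lost():
    """(bytes lost by the naive block copier, bytes lost with sector fallback)."""
    _, failed_blocks = acquire_naive(make_device())
    _, _, bad_sectors = acquire(make_device())
    return len(failed_blocks) * BLOCK_SIZE, len(bad_sectors) * SECTOR_SIZE


if __name__ == "__main__":
    image, sha, bad = acquire(make_device())
    print("image size:", len(image), "sha256:", sha, "bad sectors:", bad)
    print("bytes lost (naive, sector fallback):", bytes_lost())
```

Two things are worth noticing when running it: the hash of the image is reproducible across repeated acquisitions because the unreadable sectors are always zero-filled at the same offsets, and the list of bad sectors is the piece of information that belongs in the acquisition log so that the gaps in the image can be explained later.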

Data acquisitions from storage media:

  • Making a storage medium forensic copy

    • requires another storage medium of equal or bigger size, although many tools can create compressed image files.

  • Reading the data

    • through the BIOS – old BIOS doesn’t support large storage drives → may report the wrong drive size.

    • direct access – is the best choice, but not supported by all tools.

Post Mortem vs. Alive Data

Acquisition post mortem.

  • The OS is shut down.

  • The suspect's hardware can be used, booting it with a trusted OS.

    • Caution: new PCs boot too fast and we might not be able to change the boot order.

  • The NSA scandal showed that we cannot always trust the hardware.

    • Spyware inside HDDs’ firmware.

  • Although it is less likely to happen than software tampering.

Acquisition alive (live).

  • the OS is running and used to perform the acquisition.

    • There is the risk of the OS having been tampered with and returning wrong data.

    • e.g. rootkits that hide processes and files to avoid detection.

  • The online acquisition should be performed only in special situations.
