Forensic Acquisition

Data Acquisition

Typically occurs in the "system preservation" phase.
Although it might also occur on a running system.
This is an import phase.
- if not done properly data can be lost forever.
- it must be done in a way that does not undermine its legal validity.

What to do if

The computer is off → remove the power cord.

The computer is on:

Take a picture of the screen
Are destructive processes running? → remove the power cord
Do a memory dump and get network connections status → this may destroy or contaminate pieces of evidence.
- when you cannot turn off a server.
- to get passwords or encryption keys stored in RAM.
- to monitor malicious software network activities.

Information analysis layers on storage media:

physical – from the first to the last bit of the storage media.
volume – it is not possible to get unallocated sectors, partition tables, or hidden areas.
file – file copies (e. g. backup tools) are less likely to retrieve deleted files.
application – each application has its own encoding or file format.

Other media:

network and volatile memory.
each medium as its own recommended procedures.

Copying storage media.

the bigger the block size, the faster the acquisition.
But if there are sectors with errors, all blocks will be invalid.
The acquisition block size should match the sector size.
- for HDD the sector size is 512 bytes.
- For SSD sector size depends on the brand, model, and capacity.
Data acquisition should include the complete storage medium (physical level).
- Including unallocated sectors,
- Hidden areas: HPA or DCO – in this case, 2 acquisitions are recommended.
  - one with the hidden area in place, and another with the hidden areas disabled.

Data acquisitions from storage media:

Making a storage medium forensic copy
- requires another storage medium of equal or bigger size, although many tools can create compressed image files.
Reading the data
- through the BIOS – old BIOS doesn’t support large storage drives → may report the wrong drive size.
- direct access – is the best choice, but not supported by all tools.

Post Mortem vs. Alive Data

Acquisition post mortem.

The OS is shut down.
Suspect hardware can be used using a trusted OS to boot it.
- Caution: new PCs boot too fast and we might not be able to change the boot order.
The NSA scandal showed that we cannot always trust the hardware.
- Spyware inside HDDs’ firmware.
Although it is less likely to happen than software tampering.

Alive.

the OS is running and used to perform the acquisition.
- There is the risk of the OS having been tampered with and returning wrong data.
- e.g. rootkits that hide processes and files to avoid detection.
The online acquisition should be performed only in special situations.

Last updated 1 year ago

What to do if

The computer is off → remove the power cord.

The computer is on:

Take a picture of the screen

Are destructive processes running? → remove the power cord

Do a memory dump and get network connections status → this may destroy or contaminate pieces of evidence.

when you cannot turn off a server.
to get passwords or encryption keys stored in RAM.
to monitor malicious software network activities.

Information analysis layers on storage media:

physical – from the first to the last bit of the storage media.

volume – it is not possible to get unallocated sectors, partition tables, or hidden areas.

file – file copies (e. g. backup tools) are less likely to retrieve deleted files.

application – each application has its own encoding or file format.

Other media:

network and volatile memory.

each medium as its own recommended procedures.

Copying storage media.

the bigger the block size, the faster the acquisition.

But if there are sectors with errors, all blocks will be invalid.

The acquisition block size should match the sector size.

for HDD the sector size is 512 bytes.
For SSD sector size depends on the brand, model, and capacity.

Data acquisition should include the complete storage medium (physical level).

Including unallocated sectors,
Hidden areas: HPA or DCO – in this case, 2 acquisitions are recommended.
- one with the hidden area in place, and another with the hidden areas disabled.

Data acquisitions from storage media:

Making a storage medium forensic copy

requires another storage medium of equal or bigger size, although many tools can create compressed image files.

Reading the data

through the BIOS – old BIOS doesn’t support large storage drives → may report the wrong drive size.
direct access – is the best choice, but not supported by all tools.

Post Mortem vs. Alive Data

Acquisition post mortem.

The OS is shut down.

Suspect hardware can be used using a trusted OS to boot it.

Caution: new PCs boot too fast and we might not be able to change the boot order.

The NSA scandal showed that we cannot always trust the hardware.

Spyware inside HDDs’ firmware.

Although it is less likely to happen than software tampering.

Alive.

the OS is running and used to perform the acquisition.

There is the risk of the OS having been tampered with and returning wrong data.
e.g. rootkits that hide processes and files to avoid detection.

The online acquisition should be performed only in special situations.