What is the term used to refer to files that have been manipulated in order to conceal the contents of the original file quizlet?


Terms in this set [21]

Acquisition is the process of obtaining a forensically clean copy of data from a device held as evidence. If the computer system or device is not owned by the organization, there is the question of whether search or seizure is legally valid. This impacts bring-your-own-device (BYOD) policies. For example, if an employee is accused of fraud you must verify that the employee's equipment and data can be legally seized and searched. Any mistake may make evidence gained from the search inadmissible.
Data acquisition is also complicated by the fact that it is more difficult to capture evidence from a digital crime scene than it is from a physical one. Some evidence will be lost if the computer system is powered off; on the other hand, some evidence may be unobtainable until the system is powered off. Additionally, evidence may be lost depending on whether the system is shut down or "frozen" by suddenly disconnecting the power.
Data acquisition usually proceeds by using a tool to make an image from the data held on the target device. An image can be acquired from either volatile or nonvolatile storage. The general principle is to capture evidence in the order of volatility, from more volatile to less volatile. The ISOC best practice guide to evidence collection and archiving, published as tools.ietf.org/html/rfc3227, sets out the general order as follows:
1. CPU registers and cache memory (including cache on disk controllers, GPUs, and so on).
2. Contents of nonpersistent system memory (RAM), including routing table, ARP cache, process table, kernel statistics.
3. Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices):
   a. Partition and file system blocks, slack space, and free space.
   b. System memory caches, such as swap space/virtual memory and hibernation files.
   c. Temporary file caches, such as the browser cache.
   d. User, application, and OS files and directories.
4. Remote logging and monitoring data.
5. Physical configuration and network topology.
6. Archival media and printed documents.

System memory is volatile data held in Random Access Memory (RAM) modules. Volatile means that the data is lost when power is removed. A system memory dump creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more. It can also be a means of accessing data that is encrypted when stored on a mass storage device. There are various methods of collecting the contents of system memory.
[Figure: Viewing the process list in a memory dump using the Volatility Framework. Screenshot: Volatility Framework, volatilityfoundation.org.]
Live Acquisition
A specialist hardware or software tool can capture the contents of memory while the host is running. Unfortunately, this type of tool needs to be preinstalled as it requires a kernel mode driver to dump any data of interest. Some examples for Windows include WinHex (x-ways.net/winhex), Memoryze from FireEye (fireeye.com/services/freeware/memoryze.html), and F-Response TACTICAL (f-response.com/software/tac).
On Linux, a user mode tool, such as memdump (porcupine.org/forensics/tct.html) or dd, can be run against the /dev/mem device file. However, on most modern distributions, access to this file is blocked. The Volatility Framework (github.com/volatilityfoundation/volatility) includes a tool to install a kernel driver (pmem). The fmem and LiME kernel utilities provide similar functionality.
Crash Dump
When Windows encounters an unrecoverable kernel error, it can write contents of memory to a dump file at C:\Windows\MEMORY.DMP. On modern systems, there is unlikely to be a complete dump of all the contents of memory, as these could take up a lot of disk space. However, even mini dump files, stored in C:\Windows\Minidumps, may be a valuable source of information.
Hibernation File and Pagefile
A hibernation file is created on disk in the root folder of the boot volume when a Windows host is put into a sleep state. If it can be recovered, the data can be decompressed and loaded into a software tool for analysis. The drawback is that network connections will have been closed, and malware may have detected the use of a sleep state and performed anti-forensics.
The pagefile/swap file/swap partition stores pages of memory in use that exceed the capacity of the host's RAM modules. The pagefile is not structured in a way that analysis tools can interpret, but it is possible to search for strings.

Disk image acquisition refers to acquiring data from nonvolatile storage. Nonvolatile storage includes hard disk drives (HDDs), solid state drives (SSDs), firmware, other types of flash memory (USB thumb drives and memory cards), and optical media (CD, DVD, and Blu-ray). This can also be referred to as device acquisition, meaning the SSD storage in a smartphone or media player. Disk acquisition will also capture the OS installation, if the boot volume is included.
There are three device states for persistent storage acquisition:
Live acquisition—this means copying the data while the host is still running. This may capture more evidence or more data for analysis and reduce the impact on overall services, but the data on the actual disks will have changed, so this method may not produce legally acceptable evidence. It may also alert the adversary and allow time for them to perform anti-forensics.
Static acquisition by shutting down the host—this runs the risk that the malware will detect the shutdown process and perform anti-forensics to try to remove traces of itself.
Static acquisition by pulling the plug—this means disconnecting the power at the wall socket (not the hardware power-off button). This is most likely to preserve the storage devices in a forensically clean state, but there is the risk of corrupting data.
Given sufficient time at the scene, you may decide to perform both a live and static acquisition. Whichever method is used, it is imperative to document the steps taken and supply a timeline for your actions.
There are many GUI imaging utilities, including those packaged with suites such as the Forensic Toolkit and its FTK Imager. You should note that the EnCase forensics suite uses a vendor file format (.e01) compared to the raw file format used by Linux tools like dd. The file format is important when it comes to selecting a tool for analyzing the image. The .e01 format allows image metadata (such as the checksum, drive geometry, and acquisition time) to be stored within the same file. The open-source Advanced Forensic Format (AFF) provides similar features.
If no specialist tool is available, on a Linux host you can use the dd command to make a copy of an input file (if=) to an output file (of=) and apply optional conversions to the file data. In the following, sda is the fixed drive:
    dd if=/dev/sda of=/mnt/usbstick/backup.img
A more recent fork of dd is dcfldd, which provides additional features like multiple output files and exact match verification.

It is vital that the evidence collected at the crime scene conform to a valid timeline. Digital information is susceptible to tampering, so access to the evidence must be tightly controlled. Recording the whole process establishes the provenance of the evidence as deriving directly from the crime scene.
To obtain a forensically sound image from nonvolatile storage, you need to ensure that nothing you do alters data or metadata (properties) on the source disk or file system. A write blocker assures this process by preventing any data on the disk or volume from being changed by filtering write commands at the driver and OS level. Data acquisition would normally proceed by attaching the target device to a forensics workstation or field capture device equipped with a write blocker.
Data Acquisition with Integrity and Non-Repudiation
Once the target disk has been safely attached to the forensics workstation, data acquisition proceeds as follows:
1. A cryptographic hash of the disk media is made, using either the MD5 or SHA hashing function. The output of the function can be described as a checksum.
2. A bit-by-bit copy of the media is made using the imaging utility.
3. A second hash is then made of the image, which should match the original hash of the media.
4. A copy is made of the reference image, validated again by the checksum. Analysis is performed on the copy.
This proof of integrity ensures non-repudiation. If the provenance of the evidence is certain, the threat actor identified by analysis of the evidence cannot deny their actions. The checksums prove that no modification has been made to the image.
In practical terms, the image acquisition software will perform the verification steps as part of the acquisition process, but in theory you could use separate tools to perform each stage individually.
Preservation of Evidence
The host devices and media taken from the crime scene should be labeled, bagged, and sealed, using tamper-evident bags. It is also appropriate to ensure that the bags have antistatic shielding to reduce the possibility that data will be damaged or corrupted on the electronic media by electrostatic discharge (ESD). Each piece of evidence should be documented by a chain of custody form which records where, when, and who collected the evidence, who subsequently handled it, and where it was stored.
The evidence should be stored in a secure facility; this not only means access control, but also environmental control, so that the electronic systems are not damaged by condensation, ESD, fire, and other hazards. Similarly, if the evidence is transported, the transport must also be secure.


What tool does an investigator use to ensure that the integrity of a file has not been compromised during evidence gathering?

Hash Values. When an investigator images a machine for analysis, the process generates cryptographic hash values (MD5, SHA-1). The purpose of a hash value is to verify the authenticity and integrity of the image as an exact duplicate of the original media.

What is the term used to refer to the organization of a hard drive into separate storage spaces?

Partitioning.

Which Windows disk partition utility can be used to hide partitions?

Hide Partition Using Disk Management App The first step in the process of hiding a partition through the disk management app is to launch the disk management utility. You can launch this tool by either searching through the start menu or the command prompt. Search for "computer management" from your start menu.
