Bruce Nikkel 2_1_acquisition_tools.pdf

Can be a seperate step, or is built into forensic tools

Dataintegrity is guarantied through cryptographic hashes.

• These can be validated at a later time
• changing one single bit is detected
• piece-wise hashing can also be done where the hash of individual files, data blobs, etc... is taken.

• lshw -class disk
• lspci
• lsusb
• lsscsi
• lsblk
• dmesg

• photograph of drive
• S.M.A.R.T data
• hdparm -l /dev/sda
• smartctl -x /dev/sda

Smart data is digital information that is formatted so it can be acted upon at the collection point before being sent to a downstream analytics platform for further data consolidation and analytics.

Always double-check source and destination devices!!!

The dd command:

• copies data blocks from input to output
• can be used to copy disk sectors to file
• don't forget: no file copying, but sector copying

Basic syntax

• dd if=myinputfile of=myoutputfile

Copying disk sectors:

• dd if=/dev/sda of=myoutputfile

DD = "Dangerous and Deadly"

Forensic acquisition tools based on dd:

• dcfldd
• dc3dd

Additional features they include:

• cryptographic hashing
• improved error handling
• logging of errors and activity
• performance optimization
• hash verification checking
• live progress monitoring

Forensic images are HUGE

• plan carefully, they can take hours or days
• forensic file formatsn have compression
• dd has no compression, but can be piped into gzip, there is no seeking

Seeking = searching

Squashfs: compressed file system

• built into kernel, multithreaded - fast
• forensic friendly - can add files, but not delete or modify
• easy and safe to mount as filesystem
• block level compression
• huge file sizes

Forensics need more that just raw images:

• compression
• split files (pieces)
• security (encrypted images)
• builtin hashes, logs
• possible to add meta data
• some are not just drive images

• EnCase EWF - commercial format (oldest, "Expert Witness")
• FTK SMART - commercial format
• Afflib - open source, "Advanced Forensic Format"

• store hashes separatly
• confirm hashes
• hash windows (possibly built inot file format)
• split files

• heat
• old failing disks, bad blocks
• read sectors backward
• kernel errors (dmesg, journalctl)
• bad cables

Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.

Write blockers do:

• intercept dangerous commands sent to drive (ATA/SCSI/NVME)
• hardware protection against writing
• software write blockesr also exist (hard to maintain and guarantee)
• Linux kernel flags to set a block device read-only

Write blockers are used because:

• automated OS processes can write to the disc which is not wanted. (indexing, auto-mounting, AV scans, filesystem journals written out, RAID reasembly)
• Human error (wrong commands, drag and drop, mistakes) could cause the modification of the evidence
• Write blockers are part of the standard forensic process.