Bruce Nikkel 2_1_acquisition_tools.pdf

• completeness - every (accessible) sector of a drive
• sector zero to sector n (last sector of drive)
• no modification of evidence drive
• report/log all I/O errors
• tool user documentation must be correct

Can be a seperate step, or is built into forensic tools

Dataintegrity is guarantied through cryptographic hashes.

• These can be validated at a later time
• changing one single bit is detected
• piece-wise hashing can also be done where the hash of individual files, data blobs, etc... is taken.

• lshw -class disk
• lspci
• lsusb
• lsscsi
• lsblk
• dmesg

• photograph of drive
• S.M.A.R.T data
• hdparm -l /dev/sda
• smartctl -x /dev/sda

Smart data is digital information that is formatted so it can be acted upon at the collection point before being sent to a downstream analytics platform for further data consolidation and analytics.

Always double-check source and destination devices!!!

The dd command:

• copies data blocks from input to output
• can be used to copy disk sectors to file
• don't forget: no file copying, but sector copying

Basic syntax

• dd if=myinputfile of=myoutputfile

Copying disk sectors:

• dd if=/dev/sda of=myoutputfile

DD = "Dangerous and Deadly"

Forensic acquisition tools based on dd:

• dcfldd
• dc3dd

Additional features they include:

• cryptographic hashing
• improved error handling
• logging of errors and activity
• performance optimization
• hash verification checking
• live progress monitoring

Forensic images are HUGE

• plan carefully, they can take hours or days
• forensic file formatsn have compression
• dd has no compression, but can be piped into gzip, there is no seeking

Seeking = searching