Week 2 - Evidence Acquisition 1 - Hard Drives
- Acquire image/copy of original evidence
- Authenticate the image
- Analyse the data on the copy only
- Forensic acquisition should be performed correctly, or it may invalidate the results of later analysis
Storage types to acquire:
- Spinning disk
- Solid state / flash
- RAM
- Cloud
Connection to forensic system:
- FireWire
- IDE
- SATA
- SCSI
- USB
Acquisition tools:
- Hardware
- dd
- EnCase
- FTK Imager
Physical acquisition:
- Preferred method
- Includes slack space and unallocated space
- Error handling (unreadable sectors are dealt with rather than aborting the copy)
Logical acquisition:
- Gets the logical drive (volume/partition) rather than the whole physical device
- Many logical partitions per physical drive
- Can be useful in RAID configurations, as logical partitions can span multiple drives
Image formats:
- Raw (dd) image
  - Bit-by-bit copy of the drive
  - Same size image as the original
- Expert Witness Format (E01, EnCase format)
  - A container of evidence and metadata (includes hash values)
  - Can be compressed
- Advanced Forensic Format (AFF)
  - A container of evidence and metadata
- EnCase v7 format (Ex01)
  - More extensible than E01
  - A container of evidence and metadata (including hash values)
Write blockers:
- Devices that allow acquisition of information from a drive without creating the possibility of accidentally modifying (writing to) the drive
- May also provide drive protection by limiting the speed of the drive attached to the blocker
- Can be either hardware or software based
  - Hardware: sits in between the PC and the storage device; monitors the commands being issued and prevents the computer from writing data to the storage device
  - Software: modifies the interrupt table on the PC; if another element has control over the controller, data can still be written to the device
Authenticating the image (hashing):
- Use a one-way hash function to create a fingerprint of the data
- The fingerprint can later be recomputed and compared to make sure the data remains unmodified
- One-way: the hash cannot be reversed back to the data given to the function
- Strong collision resistance
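As an added example (not part of the original notes), the raw dd acquisition and the hash-based authentication above, carried out against a constructed file that stands in for a drive; the file names, block size and choice of SHA-256 are this example's assumptions.

```shell
#!/bin/sh
# Added example: raw (dd) acquisition of a constructed "drive", then
# authentication of the image with a one-way hash. The source path, image
# path, block size and SHA-256 are assumptions of this example.
set -e

# Constructed evidence source: a 1 MiB random file standing in for /dev/sdX.
make_source() {
    dd if=/dev/urandom of="$1" bs=1024 count=1024 2>/dev/null
}

# Acquire: bit-by-bit copy. conv=noerror,sync keeps going past unreadable
# blocks and pads them with zeros, so the image stays the same size as the
# drive. The hash of the original is recorded at acquisition time, and the
# hash of the image is recorded beside it.
acquire() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    sha256sum "$src" | cut -d' ' -f1 > "$img.src.sha256"
    sha256sum "$img" | cut -d' ' -f1 > "$img.sha256"
}

# Authenticate: the image hash must still match what was recorded, and the
# recorded image hash must match the hash taken of the original. Returns 0
# if both hold; any later modification of the copy makes this fail.
verify() {
    img="$1"
    now=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$now" = "$(cat "$img.sha256")" ] || return 1
    [ "$(cat "$img.src.sha256")" = "$(cat "$img.sha256")" ] || return 1
    return 0
}

# Usage: image a constructed drive, authenticate it, then clean up.
work=$(mktemp -d)
make_source "$work/drive.bin"
acquire "$work/drive.bin" "$work/drive.dd"
if verify "$work/drive.dd"; then
    echo "image authenticated: $(cat "$work/drive.dd.sha256")"
fi
rm -rf "$work"
```

Analysis is then done on a copy of drive.dd, and verify is re-run on that copy whenever the chain of custody needs to show it is still unmodified.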