Data Acquisitions
Acquisition
What is Acquisition? Acquisition is making a forensic copy of evidence, which could be any type of media (Hard disk drive, USB, CD/DVD, etc.).
In order to avoid many problems (which we’ll talk about in a few slides) an investigator should NEVER conduct his/her analysis on the actual physical machine.
Instead, they should always take an image of the machines they encounter during an investigation, so that they can analyze it later.
Data Acquisition is the process of taking an image from a machine.
Why do we Acquire?
There are many reasons which justify why you, as an investigator, should NEVER work directly on the suspected machine.
First, you might end up damaging evidence while searching and working.
Second, in many cases, you’ll find that the client you’re working for cannot afford to let you keep the machine until the end of your investigation.
Volatility: Data volatility is defined as the rate or likelihood of change in a data set. In other words, how easily a set of data stored on some medium can change. A change can be either alteration or destruction.
For example, the data stored in the computer’s RAM is more volatile than the data stored on the hard disk; a restart would erase the data stored in RAM but not the data stored on the hard disk.
Types of Data Acquisition:
Static Acquisition is gathering non-volatile data. In other words, gathering the data that remains intact after the system reboots or goes down.
Such acquisition is usually performed on hard disks and Flash disks.
Dynamic Acquisition is gathering volatile data usually while the device is still running.
In this technique we are interested in the data that will be lost if the system goes down.
There is also another type of acquisition, usually referred to as Dead Acquisition.
Dead acquisition refers to the attempt to acquire data from the suspect’s machine without the operating system’s assistance. This is usually done with the help of the machine’s hardware.
The reason why there is a need for Dead Acquisition over normal acquisition is that in many cases, the suspect’s OS cannot be trusted.
Some attackers may install tools (such as Rootkits) that manipulate the OS’s behavior.
Storage formats
Raw Format is the simplest format to save an image. As the name suggests, the data is read from the source device’s disk and written to a file.
That image file can be mounted later and analyzed for evidence.
Using the raw format offers a fast transfer rate, and since it is supported by most forensic tools, it gives the investigator the flexibility to move between different frameworks and compare their outputs.
One popular tool to image a disk in raw format is dd, which is available by default on Linux and on Windows (with RawWrite Studio).
dd allows the investigator to image a disk in raw format and split the file into multiple files for ease of use.
The general syntax for dd is simple.
The if parameter specifies the source drive and of specifies the destination. It is possible to split the image into multiple parts by piping dd’s output into split with its -b option.
Executing such a command with a 1 GB part size would split the image file into many 1 GB parts.
Many commercial tools for imaging implement their own file format.
Proprietary tools also use compression for more space efficiency, but this makes the imaging and analysis processes slower.
Some of the famous proprietary formats are:
Expert Witness Format (EWF) which is used by EnCase.
IDIF, IRBF, IEIF used by ILook Investigator.
sgzip used by PyFlag.
Advanced Forensics Format (AFF) is an open image format developed by Basis Technology.
AFF-based tools copy the data from the suspect’s device in 16 MB blocks (usually called pages).
However, there are some issues the investigator needs to take into consideration while copying an image:
• First, when copying, make sure that the copy is an exact replica of the original image.
• Make sure that the original source is safe from tampering. Otherwise, all the work done on the images will be rejected, since there will be no way to prove that the presented evidence is authentic.
• Make sure that the copying process will not alter the original image or corrupt parts of it.
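As an added example that is not part of the original slides, the Python script below does in code what the dd-and-split pipeline described above does, and applies the checks in the list: it reads the source in fixed-size pages, writes numbered parts, hashes every byte as it is read, and confirms that the parts reassemble to an exact replica (and that a single flipped bit is caught). The sample data is constructed; a real acquisition would read the block device, opened read-only, behind a write blocker.

```python
"""Added example (not from the slides): split raw-image acquisition that hashes
while copying and verifies the copy, mirroring dd | split -b and the "exact
replica" checks above. A constructed byte string stands in for the device."""
import hashlib
import io
import tempfile

def acquire_split(src, dest_prefix, part_size, page_size):
    """Read src in page_size pages, hashing every byte, and write them into
    numbered parts of part_size bytes (like split -b). Returns (sha256, parts).
    part_size must be a multiple of page_size."""
    digest, parts, out, written = hashlib.sha256(), [], None, 0
    for page in iter(lambda: src.read(page_size), b""):
        digest.update(page)
        if out is None:                          # open the next part
            parts.append(f"{dest_prefix}{len(parts):03d}")
            out, written = open(parts[-1], "wb"), 0
        out.write(page)
        written += len(page)
        if written >= part_size:                 # part full: roll over
            out.close()
            out = None
    if out is not None:
        out.close()
    return digest.hexdigest(), parts

def verify_parts(parts, acquisition_hash):
    """Re-hash the parts in order (the reassembled image) and compare with the
    acquisition-time hash; a missing or altered part fails the check."""
    digest = hashlib.sha256()
    for path in parts:
        with open(path, "rb") as fh:
            digest.update(fh.read())
    return digest.hexdigest() == acquisition_hash

def demo():
    """Acquire constructed data, verify, flip one bit in a part, re-verify."""
    sample = bytes(range(256)) * 64 + b"EVIDENCE-MARKER"      # constructed
    with tempfile.TemporaryDirectory() as tmp:
        prefix = f"{tmp}/image."
        acq_hash, parts = acquire_split(io.BytesIO(sample), prefix, 4096, 1024)
        intact = verify_parts(parts, acq_hash)
        with open(parts[-1], "r+b") as fh:       # tamper: flip 1 bit of byte 0
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 1]))
        tampered_detected = not verify_parts(parts, acq_hash)
    return {"matches_source": acq_hash == hashlib.sha256(sample).hexdigest(),
            "parts": len(parts), "intact": intact,
            "tampered_detected": tampered_detected}
```

With a 16399-byte sample, 1024-byte pages and 4096-byte parts, demo() produces five parts, verifies them, and then reports the tampered part as a mismatch.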
Acquisition methods:
The first way is from disk drive to image file (imaging)
Imaging a drive creates what is called a “forensic image”. The advantage of this method is scalability and efficiency.
The investigator can create as many images as needed; the only requirement is enough space to store them.
An example is the system partition “C:”. In this situation, you could create a copy of only this particular partition, which is also referred to as a forensic image.
The second one is from disk drive to disk drive (cloning)
Sometimes the source disk isn’t the whole physical disk but a partition of it. For example, if the machine has one HDD with two partitions (C:\ and D:\) and the investigator wants to image only the D:\ partition, it is considered a Logical Disk Drive to Disk Drive acquisition.
Disk Drive to Disk Drive (clone) on the other hand, mirrors the suspect’s hard disk content into another hard disk.
The third way is sparse acquisition, which does not copy the whole disk. Instead, the investigator selectively makes a forensic copy of a defined list of folders and files. The investigator could also copy all the bytes residing in the unused (unallocated) parts of the HDD.
HDD volume capacity is very large, and it might take hours to forensically image or clone the drive.
The investigator must either know what to select for acquisition and have a checklist, or he will leave some evidence behind.
Choosing an Acquisition method:
There is no one right method that works every time. Different cases have different circumstances, and with different circumstances, different methods are needed.
Disk vs. Image:
Using images is more efficient, as one storage device with enough space can hold multiple images. However, sometimes, due to bugs or errors, it is not possible to produce a digital image of a hard disk.
In such cases, the Disk to Disk method is a much better solution, even though it requires a new physical hard disk for every acquired disk.
Sparse vs. Logical Disk:
Both Sparse Acquisition and Logical Disk to Disk imaging are good options when the time is limited.
Sparse acquisition is usually faster than Logical Disk to Disk. However, if evidence resides in a file that isn’t preconfigured in the tool’s list, it won’t be collected unless you specify it manually. While Logical Disk to Disk takes more time (depending on the volume’s size), it mirrors everything within that partition.
Live data Acquisition
Live Data acquisition is used to collect data while the machine is running.
• Usually an investigator looks for volatile data during live acquisition. Volatile data resides in memory that can’t hold the data after a reboot.
Volatile data usually resides in RAM and cache.
Sometimes, volatile data is as important as it is fragile. As running processes use RAM, it is very likely to find stored passwords, messages, domain names and IP addresses belonging to those processes.
It is worth mentioning that there might be volatile data stored on a non-volatile medium; examples of such files are temporary files and log files.
Log files are frequently trimmed and rotated, and temporary files are often automatically deleted.
Some examples of the data we collect during acquisition, and some of the tools used:
SYS Info is a generic term that describes basic system information about the machine, the running OS, its configuration and the installed applications.
OS configuration is also an important thing to collect, including:
• installed languages
• time zones
• uptime
• installed updates and hotfixes
These could help an investigator uniquely identify a machine or prove that two files came from the same origin.
RAM dump and running processes: knowing what processes were running at the time of the acquisition might be crucial for the investigation.
There is a separate investigative process called “Timeline analysis”, in which the investigator analyzes time stamps and tries to find a correlation between the events in the logs and the time stamps.
Networking configuration is also important, especially when there is a network attack. Details such as the number of NICs and their modes, and their MAC and IP addresses, could also help the investigator during the investigation.
Why Memory Forensics?
There are many cases where most forensic investigation methods (file, OS, network) fail to extract the evidence required for the case.
Full Disk Encryption, for example, is one case where memory forensics is the way to go.
There are many security solutions which allow a user to encrypt his/her hard disk’s content, making normal disk imaging useless.
In these cases, one of our best options is to extract the encryption key from memory images, just like the one we took.
Another example of a situation where we may need memory forensics is when tracing malware, especially rootkits and advanced persistent threats.
We could also find network packets’ contents, Internet browsing data, injected code (in the case of malware and BOF attacks) and unpacked executables (packing is usually used to hide malware), in addition to process data and clipboard data.
Analyzing Memory Images
Different tools can be used to look for all sort of data (Emails, Chat, etc.).
Some tools are designed to identify and protect the evidence provider’s personal data, such as credit card numbers and social security numbers.
Tools
Write Blockers:
are devices that allow the investigator to perform data acquisition while eliminating the chance of damaging or altering the disk’s content.
Write blockers work by blocking writes to the hard disk, allowing for a safe data acquisition procedure.
This is done by filtering out the write commands and preventing them from being executed. Write blockers can be either hardware or software.
Bootable Disks:
usually holds a self-contained, fully functioning, bootable OS.
This allows the investigator to launch an OS on the suspect’s machine without touching or modifying the device’s main disk.
Non-writable USB:
In many cases, the investigator will have an acquisition tool acquiring data and dumping it onto external storage, typically a disk with a USB connection.
The problem is that this disk, which contains the evidence, might be altered by Windows when connected to it; this would damage the evidence’s integrity.
A write-protection setting can be activated from the registry; it prevents write access to USB devices, preserving the evidence’s integrity.
First, we need to access the registry editor. From the Start menu, we type Regedit.
Next, navigate to HKLM\SYSTEM\CurrentControlSet\Control. Then create a new key called “StorageDevicePolicies”.
Inside the key we created, create a value called “WriteProtect”.
Finally, double click on the newly created value and change its data from 0 to 1.
FTK Imager is one of the most famous tools in the forensics world. The tool allows the investigator to acquire various types of storage devices and store them in different formats for analysis.
It is extremely important to remember to use write blockers when acquiring images of a hard disk, so that the process won’t destroy or alter important data on the disk.
In the first example, we’ll create an image for a disk on our lab machine and see how to mount it.
From File, select Create Disk Image
Here we can select what type of media we are trying to image. For this example, let’s take an image of the whole physical disk.
This window allows us to select which physical disk we want to image, in case we have multiple storage devices.
Next, we need to select which format we want to save our image file as.
Each image usually has metadata with it that describes details about the image. The next window allows us to enter our metadata into the image we are making.
And finally, we can enter the name and select the destination of our soon-to-be-created image.
This should take a while, depending on the media’s size. Again: it is important to remember to use write blockers before starting.
After the imaging is done, the verification results appear. It is important to save those results and document them as part of the chain of custody.
We can now find the image we created, alongside another file which contains the image’s metadata.
The text file will contain the metadata we entered, as well as other auto generated fields and the verification data.
From the File menu, we can load the image by selecting Add Evidence Item.
We can also use FTK Imager to mount an image that we’ve previously acquired.
For our testing purposes, we’ll select Image Mounting instead of adding evidence.
Now we need to select the image we want to mount and its mounting name, then press Mount.
We can unmount the image from the same window.
Live Response Tools
Live Response Collection is a very handy framework from Bambiraptor, which can collect a variety of useful information from a machine. The tool offers many acquisition types; each one is used depending on the data we’re interested in.
Memory Forensic Tools
Volatility Framework:
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License for the extraction of digital artifacts from volatile memory (RAM) samples.
When using Volatility, we should first determine the OS that the image was taken from with the imageinfo command. Volatility will analyze the image and suggest profiles.
Once we have the profile name, we should supply it with every command with the --profile flag.
Validating evidence
Validating evidence is usually performed through Hash Functions.
The resulting string is considered a fingerprint of the input. Any change to the source file, no matter how small, will result in a totally different hash output.
Hash strings can be used to prove that the file has not been tampered with because any changes to the file will result in changing the hash value when re-computed.
Exploring Evidence
When you mount the forensic image or device, you will be able to explore the contents of the acquired system as if you were browsing your own files on your computer, but with read-only protection.
Within the file, time stamps are usually stored in hexadecimal notation, and it is the analysis tool’s responsibility to interpret those hexadecimal values into a human-readable form.
One great tool out there that handles time issues properly is Dcode. Dcode is a tool which can convert timestamps from various time formats to a more human-readable form.
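As an added example that is not part of the original notes, the Python below performs the kind of conversion the text assigns to the analysis tool or to Dcode: it decodes little-endian Windows FILETIME and 32-bit Unix timestamps from their raw on-disk bytes into UTC. The sample byte strings are constructed (both encode 2020-01-01 00:00:00 UTC).

```python
"""Added example (not from the original notes): decode raw on-disk timestamps
into human-readable UTC, the job the text assigns to the analysis tool (or to
Dcode). The sample byte strings are constructed, not from a real case."""
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100 ns ticks since 1601-01-01 UTC (NTFS, registry).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Classic Unix time_t counts seconds since 1970-01-01 UTC.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def decode_filetime(raw):
    """raw: the 8 bytes exactly as they appear in a hex editor (little-endian)."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    ticks, = struct.unpack("<Q", raw)
    # timedelta resolves to microseconds, so the 100 ns ticks are divided by 10.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def decode_unix32(raw):
    """raw: the 4 bytes of an unsigned 32-bit time_t (little-endian)."""
    if len(raw) != 4:
        raise ValueError("32-bit time_t is exactly 4 bytes")
    secs, = struct.unpack("<I", raw)
    return UNIX_EPOCH + timedelta(seconds=secs)

def describe(raw):
    """Offer every interpretation that fits the field width, so the analyst can
    judge which one yields a plausible date for the artifact at hand."""
    readings = {}
    if len(raw) == 8:
        readings["filetime"] = decode_filetime(raw).isoformat()
    if len(raw) == 4:
        readings["unix32"] = decode_unix32(raw).isoformat()
    return readings

if __name__ == "__main__":
    # Constructed samples; both encode 2020-01-01 00:00:00 UTC.
    print(describe(bytes.fromhex("0000056936c0d501")))   # FILETIME as stored on disk
    print(describe(bytes.fromhex("00e10b5e")))           # 32-bit Unix time as stored
```

Reading the same bytes big-endian, or treating a FILETIME as a Unix value, yields an implausible date, which is why the field width and byte order must be known before the hex is interpreted.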