COS/PSA 413 Day 11. Agenda Lab 4 Write-ups Corrected –2 A’s, 2 B’s and 1 C –Some need more attention to detail Lab 5 write-ups due Oct 19 Wednesday Lab

COS/PSA 413

Day 11

Agenda

• Lab 4 Write-ups Corrected– 2 A’s, 2 B’s and 1 C– Some need more attention to detail

• Lab 5 write-ups due Oct 19 Wednesday• Lab 6 tomorrow in OMS

– Projects 7-1, 7-2, 7-3, and 7-4 (same projects in Chap 6 of 2e) – For Project 7-2 create the excel file before you get to the lab

• Next week we have two labs (7&8 on data acquisition)• Assignment 3 posted (due Oct 21)• Capstone Proposals Over due

– See guidelines in WebCT– 9 require some modifications (emails sent)– First Progress report Due on October 21 – Timing of proposal and progress reports is 10% of Grade

• Exam 2 on Oct 21 (Friday)– Chaps 5-8, 10 M/C (30 Points) , 10 Short Answer (30 points), 5 Essays (40 points) Open Book,

Open Notes, 70 min. time limit.• Today we will discuss Data Acquisition

– Chap 9 in both books (has significant changes!)

Data Acquisition

Chapter 9

Learning Objectives

• Determine the Best Acquisition Method• Plan Data Recovery Contingences• Use MS-DOS Acquisition Tools• Use GUI Acquisition Tools• Acquire data on Linux Computers• Use Other Data Acquisition Tools

Determining the Best Acquisition Method

• Three ways– Bit-stream disk-to-image file

– Bit-stream disk-to-disk

– Sparse data copy of a file or folder

• Bit-stream disk-to-image file– Most common method

– Can make more than one copy

– EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook

Determining the Best Acquisition Method (continued)

• Bit-stream disk-to-disk– When disk-to-image copy is not possible– Consider disk’s geometry CHS configuration– SafeBack, SnapCopy, Norton Ghost 2002

• Sparse data copy– Creates exact copies of folders and files– For large disks– PST or OST mail files, RAID servers

Determining the Best Acquisition Method (continued)

• When making a copy, consider:– Size of the source disk

• Lossless compression might be useful

• Use digital signatures for verification

– Whether you can retain the disk– How much time you have– Location of the evidence

Determining the Best Acquisition Method

DoubleSpace (DriveSpace) – An MS-DOS disk compression utility distributed with MS-DOS 6.0 and 6.20.

Algorithm – A formula or set of steps for solving a particular problem. To be an algorithm, a set of rules must be unambiguous and have a clear stopping point.

Lossless Compression (Lossy Compression) – A compression technique that can lose data but not perceptible quality when a file is restored. Files that use lossy compression include JPEG and MPEG.

Planning Data Recovery Contingencies

• Create a duplicate copy of your evidence image file

• Make at least two copies of digital evidence– Use different tools or techniques

• Copy host-protected area of a disk drive as well– Image MaSSter Solo

• HAZMAT and environment conditions

Planning Data Recovery Contingencies

HAZMAT concerns: - Does the evidence location have adequate

electrical power? - Is there enough light at the evidence

location or do you have to bring floodlights, flashlights, or other kinds of lighting?

- Is the temperature of the evidence location too warm, too cold, or too humid?

Using MS-DOS Acquisition Tools

• Original tools

• Fit on a forensic boot floppy disk– Require fewer resources

• DriveSpy– Data-preservation commands– Data-manipulation commands


Viewing Absolute and Logical Sectors1. Navigate to the Tools folder of the work

folder.2. Type DriveSpy at the command prompt.3. At the SYS prompt, type D0.4. Note the numbers for the start and end

sectors, and select a number between those, such as 2344.

5. At the D0 prompt, type Sector 2344. A sector map will appear.



Viewing Absolute and Logical Sectors Continued...

6. Press Esc to return to the D0 prompt.7. Type P1 to use the Partition mode.8. At the D0P1 prompt, type Sector 2344.9. Pres Esc to return to the D0P1 and then

type exit.


Understanding How DriveSpy Accesses Sector Ranges

• First method– Absolute starting sector, total number of sectors– Example 0:1000,100 (primary master drive)

• Second method– Absolute starting sector-ending sector– Example 0:1000-1100 (101 sectors)

• Moving data– CopySect 0:1000,100 1:2000,100


Saving a Partition with SavePart1. Navigate to the Tools folder and run

Toolpath.bat. If necessary create a folder called Chapter in your work folder and a subfolder called Chapter inside Chap09.

2. Change to the Chap09\Chapter folder.3. Type DriveSpy at the command prompt.4. At the SYS prompt, type DriveSpy to start

DriveSpy.5. At the SYS prompt, type Drives.



Saving a Partition with SavePart Continued…6. At the SYS prompt, type D0.



Saving a Partition with SavePart Continued...7. At the D0 prompt, type Part 1.



Saving a Partition with SavePart Continued...8. Insert a floppy disk that contains a few

files into the floppy drive. At the D0P1 prompt, type Drive A.

9. At the DA prompt, type Part 1 to access the partition level.

10. At the DAP1 prompt, type SavePart C:\work folder\Cha09\Chapter\Case_9sp.ima to copy the partition to the floppy disk to an image file Case_9sp.ima on your hard disk.



Saving a Partition with SavePart Continued...11. At the DAP1 prompt, type exit to Close

DriveSpy.



Restoring the Case_9sp.ima Image File1. At an MS-DOS prompt, navigate to the

Tools folder on your work folder, type Toolpath.bat. Then type cd C:\work folder\Chap09\Chapter and navigate to Chap09\Chapter folder in your work folder.

2. AT the command prompt, type DriveSpy.3. At the SYS prompt, type Output

Chap2rp2.txt to create the output file.


Restoring the Case_9sp.ima Image File Continued...

4. At the SYS prompt, type Drive A to access the floppy drive. At the DA prompt, type Part 1 to access the partition level of the floppy disk.

5. At the DAP1 prompt, type WritePart Case_9sp.ima to restore the image file you created in Chap09\Chapter. When a warning appears, type Y to continue. It will take a few minutes to restore the image file.




Restoring the Case_9sp.ima Image File Continued...

6. At the DAP1 prompt, type exit to close DriveSpy. Reboot to Windows.


Copying Sectors from One Drive to Another:

1. Access a command prompt, and navigate to the Tools folder.

2. AT the command prompt, type DriveSpy to start DriveSpy.

3. At the SYS prompt, type Output C:\work folder\Chap09\Chapter\Chap09rp3.txt to record the commands you see and the results.

4. At the SYS prompt, type Drives to connect to your workstation.



Copying Sectors from One Drive to Another Continued...

5. At the SYS prompt, type Copy Sect 1:0,1665216 3:0 to copy Drive 1 from absolute sectors 0 to 1665216 to Drive 3 starting at absolute sector 0.

6. When a warning appears showing the source and destination drives, verify that they are correct by typing Y to continue. Copying the sectors may take a few minutes. When it has finished, DriveSpy displays Done! And returns to the SYS prompt.



Copying Sectors from One Drive to Another Continued...

7. At the SYS prompt, type exit to close DriveSpy. Then reboot your computer.


Saving Sectors in DriveSpy1. Access a command prompt and navigate

to the Tools folder of your work folder. At the command prompt, type DriveSpy.

2. At the SYS prompt, type Output C:\work folder\Chap09\Chapter\Chap9rp4.txt to create an output file to record your actions and results.

3. At the SYS prompt, type Drives to determine which drive to copy.

4. At the SYS prompt, type D3 to access the drive you want to copy. Substitute the number for your drive as necessary.


Saving Sectors in DriveSpy: Cont.5. At the D3 prompt, type P1 to select the

partition that contains the sectors you want to copy.

6. At the D3P1 prompt, type SaveSect 3:0-415232 C:\work folder\Chap09\Chapter\Case_9s.dat to copy sectors 0 to 415232 to a data file named Case_9s.dat.

7. At the D3P1 prompt, type exit to close DriveSpy.



Using the WriteSect Command:1. Access a command prompt and navigate

to the Tools folder of your work folder. At the command prompt, type DriveSpy.

2. At the SYS prompt, type Output C:\work folder\Chap09\Chapter\Chap9rp5.txt to record the commands you use and their results in an output file.

3. At the SYS prompt, type Drives to list the system recognized drives. Select the drive to which you want to copy data from.

4. At the SYS prompt, type D3 to access the drive.


Using the WriteSect Command: Cont.5. At the SYS prompt, type D3 to access the

drive you want. Substitute the number for your drive as necessary.

6. At the D3 prompt, type WriteSect C:\work folder\Chap09\Chapter\Case_9s.dat 3:0 to start transferring data to absolute sector 0 on Dive 3. Substitute drive and folder names for those on your system as necessary.

7. Type Y when a warning appears.8. At the D3 prompt, type exit to close DriveSpy.

Using Windows Acquisition Tools

Preparing for a Data Acquisition with FTK Explorer

1. Boot a forensic workstation with Windows using an installed write-blocker such as Digital Intelligence FireChief.

2. Connect the evidence disk to a write-blocking device or the FireChief write-block bay.

3. Connect the target disk o the FireChief writeable bay.


Acquiring Evidence With FTK Explorer (Imager)

1. Click the Start button, point to the Programs, point to AccessData, point to Forensic Toolkit, and then click FTK Explorer. (Imager)=

2. Click File on the menu bar, and then click Image Drive. The Select Local Drive dialog box opens.



Continued…3. Click the Select a drive list arrow, and

then click the drive for which you want to create an image, such as D: (MS-DOS_6_FAT). If your workstation is running Windows 98 and the drive you are acquiring is an NTFS or Ext2fs drive, click the Physical option button to access the drive for acquisition. Then click OK. The Export Disk Image dialog box opens.


Acquiring Data on Linux Computers

Disadvantages of using the dd command;

- You need to know advanced UNIX shell scripting and commands.

- You must specify the number of blocks per save-set volume to create a volume.

- You might not be able to use the dd command on your PC, depending on the distribution and version of Linux you are using.

- You cannot use the dd command to automatically adjust drive geometry to the match the target drive, as with the DriveSpy CopySect command.

Using Other Forensics Acquisition Tools

SafeBack does the following: - Creates disk-to-image files. - Copies from source disk to an image on a

tape drive. - Copies from a source disk to a target disk,

adjusting the target drive’s geometry to match the source drive.

- Copies from a source disk to a target disk using a parallel port laplink cable.

- Copies a partition to an image file.

Using Other Forensics Acquisition ToolsSafeBack does the following: - Compresses acquired files to reduce the

volume save-set sizes.SafeBack provides the following four

programs: - Master.exe – The main SafeBack utility

program. - Remote.exe – For connecting two

computers and transferring data with a parallel port laplink.

- Restpart.exe – For restoring a partition that is saved separate from the entire suspect’s disk.

- Tapsi.exe – For connecting SCSI devices for your data acquisition.

Chapter Summary

- You can acquire digital evidence from disk drives in three ways: creating a bit-stream disk-to-image file, making a bit-stream disk-to-disk copy, or creating a sparse data copy of a specific folder path or file.

- Several tools on the market allow you to restore disks that are larger or smaller than the suspect’s source drive.

Chapter Summary

- Lossless compression is an acceptable method for computer forensics because it does not alter the data in any way. Lossy compression alters the data and is not acceptable.

Chapter Summary

- Because you are dealing with electronic data, you need to protect your bit-stream digital evidence and make contingency plans in case software or hardware doesn't work, or you encounter a failure during an acquisition. The most common time-consuming technique to preserve evidence is creating a duplicate copy of your evidence image file. Also make sure that you make at least two data acquisitions using two different methods.

Chapter Summary

- The partition gap is an area where information can be stored. DriveSpy’s SavePart command can retrieve this information.

- Some command-line tools can be dangerous, such as the CopySect command. It will not notify you that it is about to write over critical information. You must keep a careful log of what sectors you are writing to and from.

Chapter Summary

- Windows data acquisition tools add convenience and ease of use to the forensics investigation. They also enable you to use hot-swappable devices such as Zip and Jaz drives. However, you must write-protect your evidence and access the host-protected area of a disk.

Chapter Summary

- You can use a built-in Linux command called dd to make a bit-stream disk-to-disk copy, disk-to-image file, block-to-block copy, or block-to-file copy. You can also use the dd command to write directly to a tape drive. You can use the gzip command to compress the image files and minimize your storage needs.

Chapter Summary

- In addition to DriveSpy, FTK Explorer, and the Linux dd command, you can use other data acquisition tools that are commercially available, including SnapBack DatArrest from Columbia Data Products and SafeBack from NTI.

Documents

COS/PSA 413 Day 11. Agenda Lab 4 Write-ups Corrected –2 A’s, 2 B’s and 1 C –Some need more attention to detail Lab 5 write-ups due Oct 19 Wednesday Lab