
SAK 4801 INTRODUCTION TO COMPUTER FORENSICS

Chapter 6 Acquiring Data, Duplicating Data and Recovering Deleted Files

Mohd Taufik Abdullah


Department of Computer Science
Faculty of Computer Science and Information Technology
Universiti Putra Malaysia

Room No: 2.28

Portions of the material courtesy Nelson et al., and EC-Council


Learning Objectives
At the end of this chapter, you will be able to:
• Determine the best data acquisition methods
• Understand data recovery contingencies
• Use data preservation commands
• Recover deleted files and deleted partitions
• Explain the need for data duplication
• Use data duplication tools

Chapter 6 Acquiring Data, Duplicating Data and Recovering Deleted Files SAK4801 Introduction to Computer Forensics
2
Chapter 6 Outline

6. Acquiring Data, Duplicating Data, and Recovering Deleted Files
  6.1. Introduction
  6.2. Recovering Deleted Files and Deleted Partitions
  6.3. Data Acquisition and Duplication

6.1 Introduction
• Before data can be analyzed, it needs to be acquired.
• This means that the data needs to be duplicated so that the person performing the analysis can work from the copy without modifying the original data.
• Any number of tools can be used to duplicate the data so that an exact sector-by-sector mirror image of the disk is generated.
• This enables the forensic analyst to view any data that is hidden, fragmented, or deleted.
• Whether data is being duplicated as part of a computer forensic investigation or to acquire a backup of the data for other purposes, it is important that the original data is not modified or corrupted during the duplication process.
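As an added illustration of the acquisition step described above (this code is not from the slides or their sources), the following Python copies a source one sector at a time with the source opened read-only, hashes the data as it is read, and then re-hashes both files to confirm that the original is unchanged and the image is exact. The 512-byte sector size, SHA-256 as the verification hash, the file names and the deterministic "device" content are assumptions made for this example; a real acquisition reads a block device behind a write blocker.

```python
"""Sector-by-sector acquisition with hash verification (added example).

Assumed for the example: a 512-byte sector size and SHA-256 as the
verification hash. The source is only ever opened read-only, so the
acquisition itself cannot modify it; a hardware write blocker enforces the
same property for a physical drive.
"""
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumed sector size


def acquire_image(source_path, image_path, sector_size=SECTOR_SIZE):
    """Copy source_path into image_path one sector at a time.

    Returns the number of full sectors copied, the size of a short trailing
    read (if the source is not a whole number of sectors) and the SHA-256 of
    the source exactly as it was read.
    """
    digest = hashlib.sha256()
    sectors = 0
    tail = 0
    # 'rb' only: the original is never opened for writing.
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(sector_size)
            if not chunk:
                break
            if len(chunk) == sector_size:
                sectors += 1
            else:
                tail = len(chunk)  # partial last sector of an odd-sized source
            digest.update(chunk)
            dst.write(chunk)
    return {"sectors": sectors, "tail_bytes": tail, "sha256": digest.hexdigest()}


def sha256_file(path, chunk_size=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_acquisition(source_path, image_path, acquisition_hash):
    """Re-hash both files after the copy and compare all three values.

    source_unchanged: the original still hashes as it did during acquisition.
    image_exact:      the image hashes to the same value, i.e. it is a true copy.
    """
    source_after = sha256_file(source_path)
    image_hash = sha256_file(image_path)
    return {
        "source_unchanged": source_after == acquisition_hash,
        "image_exact": image_hash == acquisition_hash,
        "ok": source_after == acquisition_hash == image_hash,
    }


def demo(size=10 * SECTOR_SIZE + 100):
    """Image a constructed 'device' file, verify, then show a tampered image failing."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.raw")   # constructed source
    image = os.path.join(workdir, "evidence.dd")
    with open(source, "wb") as f:
        f.write(bytes(i % 256 for i in range(size)))  # deterministic content
    acq = acquire_image(source, image)
    good = verify_acquisition(source, image, acq["sha256"])
    # Flip one byte in the image: only the image check must now fail.
    with open(image, "r+b") as f:
        f.seek(SECTOR_SIZE)
        b = f.read(1)
        f.seek(SECTOR_SIZE)
        f.write(bytes([b[0] ^ 0xFF]))
    bad = verify_acquisition(source, image, acq["sha256"])
    return acq, good, bad


if __name__ == "__main__":
    print(demo())
```

Recording the hash taken during the read, and comparing it against a fresh hash of the original afterwards, is what lets an examiner state that the source was not altered by the acquisition itself, rather than only that the copy matches.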
6.1 Introduction (Cont.)
• Deleted data can be an issue in any situation dealing with computers.
• A file may be deleted
  ■ on purpose or by accident,
  ■ as a normal process of an application, or
  ■ as the result of a virus, intrusion, or malicious software.
• In some cases, an entire partition may be lost, causing everything on a volume to appear unrecoverable.
6.2 Recovering Deleted Files and Deleted Partitions
• Recovery of deleted files is the process by which the investigator evaluates and extracts deleted files from media and returns them in an intact format.
• What happens when a file is deleted?
  ■ The first letter of the file name is replaced by the hex byte code E5h
  ■ The corresponding clusters in the FAT are marked unused
  ■ In NTFS, the index field in the MFT is marked with a special code
  ■ The data in the file system is not erased
• When files are deleted from Windows Explorer, the deleted file is sent to the Recycle Bin
• After the Recycle Bin is emptied, the data still remains in its original location on the hard drive for a period of time
• The data will disappear only when the operating system overwrites the original location where the file was stored
• The “index” application in Windows locates the data that has been destroyed

6.2.1 Deleting Files
• Every OS provides a way of removing data from a hard disk to prevent it from filling up quickly with all the temporary files, backup files, and other data written to the disk by the OS or other software installed on the computer.
• A deleted file is any file that has been logically erased from the file system but may still remain physically on the storage media.
• Command line delete
  ■ The FAT file system uses a file allocation table to keep track of files, whereas NTFS uses an MFT.
  ■ When this command is used, the pointer to the deleted file is removed from the table, but the data remains on the hard disk.
  ■ This gives you the opportunity to acquire the data using file recovery or forensic tools.
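The slides for 6.2 and 6.2.1 describe what a delete leaves behind on FAT: an E5h first byte in the directory entry and clusters marked unused, with the file's data untouched. The Python below is an added example, not part of the course material or its sources: it parses a raw FAT directory region, flags deleted entries, and checks the FAT16 table to see whether the clusters the file occupied are still free (a recovery candidate) or have since been reallocated (overwritten). The 32-byte entry layout and the FAT16 values are the standard on-disk format; the directory contents, file names and FAT table are constructed for the example, and the contiguity assumption in assess_deleted is the same heuristic undelete tools fall back on once the cluster chain is gone.

```python
"""Spotting deleted FAT directory entries and judging recoverability (added example).

Standard on-disk format: a directory entry is 32 bytes, byte 0 becomes 0xE5 on
deletion, byte 11 holds attributes, bytes 20-21 and 26-27 the first cluster,
bytes 28-31 the size. In FAT16 a cluster value of 0 means free and
0xFFF8-0xFFFF ends a chain. The directory and FAT contents are constructed.
"""
import struct

ENTRY_SIZE = 32
DELETED_MARKER = 0xE5
END_OF_DIRECTORY = 0x00
FAT16_FREE = 0x0000


def parse_directory(region):
    """Parse raw directory bytes into a list of entry dicts, deleted ones included."""
    entries = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = region[off:off + ENTRY_SIZE]
        first = raw[0]
        if first == END_OF_DIRECTORY:
            break                                   # no entries follow this one
        if raw[11] == 0x0F:
            continue                                # long-file-name entry, skipped here
        deleted = first == DELETED_MARKER
        base = raw[0:8].decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        if deleted:
            base = "?" + base[1:]                   # first character is lost on delete
        hi, = struct.unpack_from("<H", raw, 20)
        lo, size = struct.unpack_from("<HI", raw, 26)
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "first_cluster": (hi << 16) | lo,
            "size": size,
        })
    return entries


def load_fat16(fat_bytes):
    """Decode a raw FAT16 table into a list of 16-bit cluster values."""
    return list(struct.unpack("<%dH" % (len(fat_bytes) // 2), fat_bytes))


def assess_deleted(entries, fat, bytes_per_cluster):
    """For each deleted entry, decide whether its clusters still look untouched.

    The FAT chain is gone after deletion, so assume the file was contiguous and
    check that every cluster from first_cluster for the file's length is still
    marked free. If one was reused, at least part of the data is overwritten.
    """
    report = {}
    for e in entries:
        if not e["deleted"]:
            continue
        n = max(1, -(-e["size"] // bytes_per_cluster))   # ceil division
        start = e["first_cluster"]
        needed = range(start, start + n)
        if start < 2 or needed[-1] >= len(fat):
            report[e["name"]] = "invalid cluster range"
        elif all(fat[c] == FAT16_FREE for c in needed):
            report[e["name"]] = "recoverable (clusters %d-%d still free)" % (start, start + n - 1)
        else:
            report[e["name"]] = "overwritten (cluster reallocated)"
    return report


def make_entry(name, ext, first_cluster, size, deleted=False):
    """Build a constructed 32-byte 8.3 directory entry."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = 0x20                                          # archive attribute
    struct.pack_into("<H", raw, 20, first_cluster >> 16)
    struct.pack_into("<HI", raw, 26, first_cluster & 0xFFFF, size)
    if deleted:
        raw[0] = DELETED_MARKER
    return bytes(raw)


def build_sample():
    """Constructed directory region and FAT16 table (512-byte clusters)."""
    directory = (
        make_entry("NOTES", "TXT", 2, 1000)                  # live file, clusters 2-3
        + make_entry("SECRET", "DOC", 4, 600, deleted=True)  # deleted, clusters 4-5 free
        + make_entry("OLD", "LOG", 3, 100, deleted=True)     # deleted, cluster 3 reused
        + bytes(ENTRY_SIZE)                                  # end-of-directory marker
    )
    fat = [0xFFF8, 0xFFFF, 3, 0xFFFF, 0, 0, 0, 0]          # clusters 0-1 are reserved
    return directory, struct.pack("<8H", *fat)


def demo():
    directory, fat_bytes = build_sample()
    entries = parse_directory(directory)
    return entries, assess_deleted(entries, load_fat16(fat_bytes), 512)
```

The "?" standing in for the lost first character is why undelete tools ask you to supply it, and why a name-only match is weak evidence: the cluster check is what tells you whether anything is actually left to recover.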
6.2.1.1 Command Line Delete
• Deletes a file from the command prompt
• Two commands:
  ■ Del/Delete
  ■ Erase

6.2.1.1 Command Line Delete (Cont.)
• DEL/ERASE switches:
  ■ /p - Prompts you for confirmation as to whether you want to delete the file
  ■ /f - Forces the deletion of read-only files
  ■ /s - Deletes the specified files from the current directory and any subdirectories
  ■ /q - Specifies not to prompt for confirmation before deleting files. This is called quiet mode.
  ■ /a: - Deletes files based on the following attributes:
      r read-only
      a archive
      s system
      h hidden
      - prefix used with any of the above attributes, indicating “not”
  ■ /? - Displays help
6.2.1.2 Moving Files
• Another method of deleting a file
• If the file is moved from one directory to another on the same partition,
  ■ the table used to keep track of where files are stored is updated.
  ■ the file still resides on the same partition; only the pointer to the file’s location is updated.
• The record showing the file’s location is modified to reflect that it is now in another directory, but nothing else about the file changes. Any attributes on the file (such as whether the file is compressed) remain the same.

6.2.1.2 Moving Files (Cont.)
• When a file is moved from one hard disk or partition to another, it is actually a multistep process of copying and deleting the file.
  ■ First, a new copy of the file is created on the target partition.
  ■ After the file has been copied, the original file is then deleted.
• This process also requires some housekeeping in the FAT or MFT tables.
  ■ A new entry is created in the table on the partition to which the file has been copied, whereas the record for the deleted file is removed from the table on its original partition.

6.2.1.2 Moving Files (Cont.)
• When a file is moved from one partition to another, it can offer greater possibilities for recovering a file that has been deleted.
• If a file is moved to another partition and then deleted later, the file has essentially been deleted twice.
• As such, you may be able to recover it from the partition on which it was deleted, and you may also be able to recover it from the partition from which it was moved.

6.2.1.3 Disk Cleanup
• Another way in which files are deleted
• This is done by software cleaning up after itself, deleting
  ■ old setup,
  ■ temporary, and
  ■ backup files when they are no longer needed
• However, sometimes files are not properly removed, and a considerable number of files may continue to reside on the hard disk
• Command:
  ■ Click the Windows Start menu
  ■ All Programs
  ■ Accessories
  ■ System Tools
  ■ Disk Cleanup

6.2.1.4 Permanently Destroying Data
• Disk erasing software wipes the disk clean by erasing all the files and overwriting the disk space with a series of ones and zeros
• In doing so, every sector of the disk is overwritten, making the data unrecoverable.
• If anyone attempted to recover data on the disk, they would not be able to retrieve anything because the data is completely destroyed.
• A degausser or bulk demagnetizer is hardware that can be used to destroy data stored on magnetic media such as floppy disks and backup tapes.
  ■ A powerful magnet that erases all data from magnetic media so that no one can retrieve information from it.
• Hard disks can also have data erased with a degausser, performing a low-level format that erases all data from the disk.

6.2.2 Recycle Bin/Trash
• A repository where files are temporarily stored after they are deleted
• Gives users a second chance to restore a file before permanently deleting it
• Allows items to be dragged and dropped onto the Recycle Bin icon on the desktop
• When a file is deleted, it is sent to the Recycle Bin, where it remains until the Recycle Bin is emptied
• The Restore All button of the Recycle Bin restores the data to its original location.
• Once data is deleted from removable media such as floppy disks, these files are not stored in the Recycle Bin

6.2.2 Recycle Bin/Trash (Cont.)
• Storage location of the Recycle Bin
• The name of this folder depends on the file system and operating system being used:
  ■ On FAT file systems, the folder is named Recycled. For example, on your C: drive the storage location of the Recycle Bin would be C:\RECYCLED.
  ■ On NTFS file systems used by Windows NT, 2000, and XP, this folder is named Recycler. For example, on your C: drive the storage location of the Recycle Bin would be C:\RECYCLER.
  ■ On NTFS file systems used by Windows Vista, this folder is named $Recycle.Bin. For example, on your C: drive the storage location of the Recycle Bin would be C:\$Recycle.Bin.

6.2.2 Recycle Bin/Trash (Cont.)
• To view these directories, you would need to configure the View settings in Windows Explorer
  ■ In Windows Explorer, click on the Tools menu, and then click on the Folder Options menu item. When the Folder Options dialog box appears, click on the View tab, and uncheck the Hide protected operating system files (Recommended) checkbox.
• If the Recycle Bin directory still does not appear, type
  ■ attrib -s -h recycled (for FAT)
  ■ attrib -s -h recycler (for NTFS)
• Deleting or emptying files from the Recycle Bin permanently deletes them from the system
  ■ They can be recovered only with data recovery or forensic software.

6.2.3 Data Recovery in Linux
• Linux or UNIX files can also be deleted from a hard disk in the same way as in Windows and Macintosh OS
• To delete a file in Linux or UNIX, you would use the rm command.
  ■ This command won’t prompt you for any confirmation by default
  ■ Once the file is deleted, you will have to rely on data recovery software to restore it.
• rm switches

6.2.3 Data Recovery in Linux (Cont.)
• The second extended file system (ext2) is commonly used in most Linux systems
• The design of the ext2 file system is such that data can be hidden; there are several places where data can be hidden
• Run a process that keeps the file open and then remove the file
  ■ The file contents are still on disk, and the space will not be reclaimed by other programs
• It is worthwhile to note that if an executable erases itself, its contents can be retrieved from the /proc memory image: the command "cp /proc/$PID/exe /tmp/file" creates a copy of the file in /tmp
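As an added example, not from the slides, of the two points above (a process holding a deleted file open, and copying an erased executable back out of /proc), the Python below creates a file, holds it open, unlinks it, and then copies the content back through /proc/self/fd/<n>, the same kind of /proc link as the slide's /proc/$PID/exe. Where /proc is not available it reads from the still-open descriptor instead, which demonstrates the same kernel behaviour without the /proc path. The file name, contents and temporary directory are constructed for the example.

```python
"""Recovering a file that was deleted while still open (added example).

"cp /proc/$PID/exe /tmp/file" works because the kernel keeps an inode alive
for as long as something holds it open; the same applies to any open
descriptor, which is reachable as /proc/<pid>/fd/<n>. This example does it
from inside the holding process (pid 'self'). Content and paths are constructed.
"""
import hashlib
import os
import tempfile


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def recover_open_then_deleted(content=b"constructed secret log line\n"):
    """Create, open, unlink, then recover a file. Returns a result dict."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "deleted.bin")
    with open(path, "wb") as f:
        f.write(content)
    original_hash = sha256(content)

    fd = os.open(path, os.O_RDONLY)           # the 'process that keeps the file open'
    try:
        os.unlink(path)                       # directory entry gone, inode still held
        gone_from_namespace = not os.path.exists(path)

        proc_path = f"/proc/self/fd/{fd}"     # Linux: the open file is still reachable here
        link_target = None
        if os.path.exists(proc_path):
            source = "proc"
            link_target = os.readlink(proc_path)   # Linux shows '<path> (deleted)'
            with open(proc_path, "rb") as still_open:
                recovered = still_open.read()
        else:
            source = "fd"                     # no /proc: read the descriptor itself
            os.lseek(fd, 0, os.SEEK_SET)
            chunks = []
            while True:
                block = os.read(fd, 65536)
                if not block:
                    break
                chunks.append(block)
            recovered = b"".join(chunks)

        recovered_path = os.path.join(workdir, "recovered.bin")
        with open(recovered_path, "wb") as out:
            out.write(recovered)              # the investigator's copy
    finally:
        os.close(fd)                          # after this the inode really is released

    return {
        "gone_from_namespace": gone_from_namespace,
        "source": source,
        "link_target": link_target,
        "recovered": recovered,
        "hash_matches": sha256(recovered) == original_hash,
        "recovered_path": recovered_path,
    }


if __name__ == "__main__":
    result = recover_open_then_deleted()
    print(result["source"], result["link_target"], result["hash_matches"])
```

The window closes when the last descriptor is closed or the process exits, so on a live system the copy has to be taken before the process is stopped; hashing the copy against a known value, as here, is what turns "a file was recovered" into evidence that it is the right file.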

6.2.3 Data Recovery in Linux (Cont.)
• shred command
  ■ Provides a more secure way of deleting files in Linux and UNIX
  ■ The file is deleted and overwritten to ensure that it can’t be recovered
• shred switches

6.2.3 Data Recovery in Linux (Cont.)
Tools
• e2undel
  ■ e2undel is an interactive console tool that recovers the data of deleted files in Linux.
  ■ This tool does not manipulate internal ext2 structures and requires only read access to the file system.
  ■ e2undel contains a library that allows the investigator to recover deleted files by their names.
6.2.3 Data Recovery in Linux (Cont.)
Tools
• R-Linux
  ■ R-Linux recovers files from existing logical disks even when file records are lost
  ■ R-Linux is a file recovery utility for the Ext2FS file system used in Linux OS and several Unix versions
  ■ R-Linux uses unique IntelligentScan technology and flexible parameter settings that make recovery faster
6.2.4 Recovering Deleted Files
• Data written on a hard disk generally stays there unless or until
  ■ it is either overwritten by more data or
  ■ physically erased by a magnet
• Simply deleting the data using operating system file management utilities does not get rid of the data.
  ■ It only removes the pointer used by the file system to locate that data physically on the disk.
  ■ The data itself (in the form of the physical changes to the disk’s magnetic surface) is still there and can be recovered using special recovery software.
• Formatting defines the structure of the disk. Low-level formatting (LLF), which physically defines where the tracks and sectors are on the disk, does erase data.
  ■ However, modern disks are formatted at the low level at the factory; users do not perform LLF on today’s IDE and SCSI disks.
6.2.4 Recovering Deleted Files (Cont.)
• We do only high-level formatting: a disk is formatted in FAT or formatted in NTFS.
• If a file has not been overwritten or damaged in some way, there is always the chance that tools can be used to restore the data.
• We need to decide whether to perform data recovery or computer forensics.
  ■ Data recovery is a process of salvaging data that was lost or deleted.
      Seeks to restore data
  ■ Computer forensics is a process of gathering and examining evidence to establish facts so that accurate testimony and evidence can later be presented in court or other hearings.
      Seeks to obtain data to be used as evidence in court
• Standard data recovery software
  ■ may not guarantee that the file won’t be modified when it is recovered, or
  ■ may generate temporary files that could damage other data on the disk

6.2.4 Recovering Deleted Files (Cont.)
• To preserve data, computer forensics software is necessary
• When using tools, remember that the integrity of the data you are seeking to recover is paramount, and take whatever actions are necessary to keep it from being damaged or destroyed.

6.2.5 Deleted File Recovery Tools
• Data recovery tools are designed to restore data that has been deleted or corrupted from any number of sources, including hard disks, CDs, DVDs, Blu-ray, HD-DVD, floppy disks, memory cards used in digital cameras, and other storage media.
• Such a tool will scan the media, search for any damaged, corrupted, or deleted files, and display which ones are available for recovery, allowing you to choose which ones will be restored.
• In some cases, the tools will even repair damaged files so that the data can be accessed again.

6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• Undelete
  ■ Used in MS-DOS 5.00 to 6.22
  ■ Example: Undelete c:\mytextfile.txt
  ■ Undelete switches:
      /all Automatically restores all of the specified files
      /list Lists all files that are available to be restored
      /DOS Limits recovery to files that meet the file specifications in the disk directory table
      /DR Limits recovery to files in the Delete Tracking File
      /DS Limits recovery to files in the SENTRY directory
      /load Loads UNDELETE.EXE into memory using information in the UNDELETE.INI
      /unload Unloads UNDELETE from memory
      /purge Deletes the contents of the SENTRY directory
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• Undelete switches:
      /status Displays the type of delete protection on the computer
      /S Loads the memory resident portion of UNDELETE and enables the Delete Sentry level of protection
      /T Loads the memory resident portion of UNDELETE and enables the Delete Sentry level of protection. Optional entries may be used to specify the maximum number of entries found in the PCTRACKR.DEL file.
• Active@ UNDELETE and Active@ UNERASER
  ■ Designed by Active@ Data Recovery Software
  ■ Data recovery software
• Active@ UNDELETE
  ■ Using this tool, you can recover data from basic and dynamic volumes, including RAID volumes, and large hard disks that are more than 500 GB in size.
  ■ It also supports recovery from removable storage media such as USB flash drives, ZIP drives, and memory sticks and cards.
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• Active@ UNERASER
  ■ Active@ UNERASER is another data recovery product available from www.uneraser.com, and it will run on Windows or DOS. Using this tool, you can access deleted files before Windows even starts; it supports local files, compressed files, and MBR backups, and can access sectors of the disk drive with a disk viewer feature.
  ■ Can run from either a bootable floppy disk or a CD.
• R-Undelete
  ■ Designed by r-Tools Technology (www.r-undelete.com)
  ■ A tool that restores deleted files, and also provides an easy-to-use wizard that takes you through the steps of recovering a file.
  ■ In addition, it provides features that allow you to reconstruct damaged graphics, audio, and video files. Before recovering a file, you can preview the file to determine if you actually want to restore it or leave it deleted.

6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• Easy-Undelete
  ■ Easy-Undelete (www.easy-undelete.com) is a tool that will not only restore files from hard disks using FAT12, FAT16, FAT32, and NTFS file systems but also restore files from non-Microsoft partitions such as Linux and Macintosh OS X.
• WinUndelete
  ■ Available from www.winundelete.com.
  ■ It allows you to recover files from Microsoft file systems with the original created and modified dates.
  ■ It provides a search feature to scan for specific files, and it allows you to filter results by extensions and file types. It also allows you to preview certain types of data before restoring them, such as Microsoft Office documents, images, and plain text.
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• Restoration
  ■ A free tool that was written by Brian Kato and is available for download from software distribution sites such as www.snapfiles.com
  ■ Fast and easy to use.


6.2.5 Deleted File Recovery Tools (Cont.)
[Screenshot: Restoration]
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• Mycroft V3
  ■ Developed by Dibs USA
  ■ Available at www.dibsusa.com
  ■ Runs from a bootable floppy disk
  ■ Provides a search engine that is used to scan a computer for data on disk
  ■ Can be used to determine whether there is evidence on the computer
  ■ Can determine if additional investigation and acquisition of evidence is necessary.

6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• Recover My Files
  ■ Created by GetData Software Development (www.getdata.com)
  ■ Available at www.recoverymyfiles.com
  ■ Easy-to-use interface
  ■ Allows you to recover data from hard disks and removable storage media such as floppy disks, Zip drives, USB, and camera cards.

6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• eData Unerase
  ■ A free tool developed by Octanesoft
  ■ Available at www.octanesoft.com
  ■ Easy-to-use interface with a wizard that takes you through the steps of recovering your data
  ■ It allows you to specify whether you want to search for all deleted files or just specific types of files (for example, pictures, multimedia, documents, and Web pages)
  ■ It also allows you to restore any files that have been deleted from the Recycle Bin or using


6.2.5 Deleted File Recovery Tools (Cont.)
[Screenshot: eData Unerase]
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• Recover4all Professional
  ■ A tool for recovering data from FAT12, FAT16, FAT32, NTFS, and RAID volumes
  ■ Available at www.recover4all.com.
  ■ Allows recovery from encrypted drives that have not been encrypted with EFS, compressed drives, and Windows ME/XP protected files
  ■ Its interface is easy to use, appearing similar to Windows Explorer

6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• File Scavenger
  ■ A tool developed by QueTek Consulting Corporation
  ■ Available at www.quetek.com.
  ■ It allows data to be recovered from hard disks formatted as FAT12, FAT16, FAT32, or NTFS, floppy disks, ZIP disks, memory sticks, flash cards, RAID volumes, compressed drives, and other media.
  ■ It provides an interface similar to Windows Explorer
  ■ It allows you to search for specific files using search strings and wildcards.

6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• VirtualLab
  ■ Designed for use on Windows 9x or later, as well as Apple Macintosh computers running OS 9 or later.
  ■ Available at www.binarybiz.com
  ■ It allows you to recover files from drives using FAT12, FAT16, FAT32, NTFS, HFS, or HFS Plus partitions.
  ■ It can also be used to recover data from other media, such as Apple iPods, digital camera cards, and removable storage.
  ■ Can also unformat a partition to restore data from a formatted, damaged, or lost partition
  ■ The retrieved files can be saved to another location such as a network drive or another local disk.
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• File Recover
  ■ Developed by PC Tools Software and available at www.pctools.com/file-recover/.
  ■ It supports FAT16, FAT32, and NTFS file systems and also IDE/ATA/SCSI hard drives, including drives larger than 8 GB.
  ■ It provides an easy-to-use interface that allows you to quickly scan for files, and also advanced features that allow you to search by all or part of the filename, specific extensions, or file size, and scan either the logical drive or the physical hard disk.


6.2.5 Deleted File Recovery Tools (Cont.)
[Screenshot: File Recover]
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• Search and Recover
  ■ Developed by iolo Technologies (www.iolo.com)
  ■ It allows the investigator to quickly recover deleted or destroyed files, folders, songs, pictures, videos, programs, critical system components, web pages, and email messages in Microsoft Outlook and Outlook Express, Netscape, and Eudora
  ■ It works with any hard drive or floppy drive, any drive format, and can even recover deleted items from digital cameras, MP3 players, USB flash drives, and other portable devices


6.2.5 Deleted File Recovery Tools (Cont.)
[Screenshot: Search and Recover]
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• Zero Assumption Digital Image Recovery
  ■ Zero Assumption Recovery at www.z-a-recovery.com
  ■ It is a free data recovery tool that works with digital images
  ■ Digital photographs that are deleted from a digital camera can be retrieved using this tool
  ■ It supports media such as CompactFlash, MemoryStick, SmartMedia, etc. that can be accessed through an operating system
  ■ Version 1.2 supports the following formats:
      GIF
      JPEG
      TIFF
      CRW - Canon RAW data
      MOV - QuickTime movie
      WAV - Waveform audio
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• Other data recovery tools:
  ■ Badcopy Pro at www.jufsoft.com/badcopy/
  ■ SUPERFileRecover at www.superfilerecover.com
  ■ DiskInternals Uneraser and NTFS Recovery at www.diskinternals.com
  ■ PC Inspector File Recovery is a free tool developed by CONVAR at www.pcinspector.de/file_recovery/uk/welcome.htm
  ■ O&O Unerase at www.oosoftware.com/en/products/oounerase/
  ■ Filesaver at www.file-saver.com
  ■ Stellar Phoenix at www.stellarinfo.com
  ■ Restorer 2000 at www.restorer2000.com

6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• Other data recovery tools:
  ■ R-Linux is a free data recovery tool developed by r-Tools Technology and is available at www.data-recovery-software.net/Linux_Recovery.shtml
  ■ PC ParaChute is a backup tool developed by UniTrends and is available at www.unitrends.com
• Recycle Bin replacements
  ■ Diskeeper Undelete from Diskeeper Corporation (www.undelete.com)
  ■ Fundelete at http://fundelete.en.softonic.com

6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• CD/DVD data recovery
  ■ CDRoller at www.cdroller.com
  ■ IsoBuster at www.isobuster.com
  ■ CD Data Rescue developed by Naltech Software (www.naltech.com)
  ■ InDisk Recovery at www.octanesoft.com
• Microsoft Office repair and recovery
  ■ OfficeFIX is a suite of products from Cimaware Software (www.cimaware.com)
  ■ Repair My Excel at www.getdata.com
  ■ Repair My Word at www.getdata.com
• Compressed files
  ■ Zip Repair at www.getdata.com

6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
• Deleted images
  ■ eIMAGE Recovery is another tool developed by Octanesoft and is available at www.octanesoft.com
  ■ Canon RAW File Recovery Software (CRW Repair) at www.getdata.com
  ■ ImageRecall Software (www.imagerecall.com)
  ■ RecoverPlus Pro available at www.arcksoft.com
  ■ Zero Assumption Digital Image Recovery was a free stand-alone digital image recovery tool developed by Zero Assumption Recovery (www.z-a-recovery.com)
  ■ DiskInternals Flash Recovery at www.diskinternals.com
  ■ PC Inspector Smart Recovery is a free tool developed by CONVAR available at www.pcinspector.de/smart_media_recovery/uk/welcome.htm

6.2.6 Recovering Deleted Partitions
• Partitioning a hard disk involves dividing the disk into volumes, which generally
  ■ appear to the operating system as logical drives
  ■ identified by different drive letters.
• The disk is divided into logical drives for the purposes of performance and organization of the data.
• Each logical drive can be formatted separately so that each one uses a different file system
• Partitioning utilities do not erase the data on a disk; they only delete and manipulate the partition tables
• Generally, partition utilities will delete the entry for that partition in the partition table so that any space associated with the partition becomes unallocated. Even if the tool overwrites the first sector (sector 0) of the partition before removing it, a backup
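As an added example (not from the slides or their sources) of why a deleted partition is recoverable, the Python below builds a small constructed MBR disk with a FAT16 and an NTFS partition, deletes the second by zeroing its 16-byte table entry as a partitioning utility would, and then finds it again by scanning for a boot sector that no live table entry covers, reading the volume's sector count from that boot sector to rebuild the entry. The MBR layout and the FAT/NTFS boot-sector field offsets are the standard on-disk format; the 64-sector geometry, partition positions, sizes and the disk content are constructed for the example.

```python
"""Finding a deleted partition from its orphaned boot sector (added example).

Standard on-disk format: the MBR's partition table sits at offset 446 with
four 16-byte entries (type at +4, start LBA at +8, sector count at +12) and
0x55AA at 510. FAT boot sectors record bytes/sector at 11 and total sectors
at 19 (or 32); NTFS records "NTFS    " at 3 and a total-sectors field at 40.
The disk image built by build_disk() is constructed.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446
BOOT_SIG = b"\x55\xAA"


def parse_mbr(sector0):
    """Return the non-empty MBR partition entries as dicts."""
    assert sector0[510:512] == BOOT_SIG, "not an MBR"
    parts = []
    for i in range(4):
        raw = sector0[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        if raw == bytes(16):
            continue                       # empty slot: what a 'delete' leaves behind
        lba, count = struct.unpack_from("<II", raw, 8)
        parts.append({"index": i, "type": raw[4], "lba": lba, "sectors": count})
    return parts


def identify_boot_sector(sector):
    """Return (fs, total_sectors) if the sector looks like a FAT or NTFS boot sector."""
    if sector[510:512] != BOOT_SIG or sector[0] != 0xEB:   # signature + jump opcode
        return None
    if sector[3:11] == b"NTFS    ":
        total, = struct.unpack_from("<Q", sector, 40)
        return "NTFS", total
    bytes_per_sector, = struct.unpack_from("<H", sector, 11)
    if bytes_per_sector == SECTOR and sector[13] != 0:      # plausible BPB
        total16, = struct.unpack_from("<H", sector, 19)
        total32, = struct.unpack_from("<I", sector, 32)
        return "FAT", total16 or total32
    return None


def find_lost_partitions(disk):
    """Scan every sector for boot sectors not covered by a live partition entry."""
    live = parse_mbr(disk[:SECTOR])
    covered = set()
    for p in live:
        covered.update(range(p["lba"], p["lba"] + p["sectors"]))
    lost = []
    for lba in range(1, len(disk) // SECTOR):
        hit = identify_boot_sector(disk[lba * SECTOR:(lba + 1) * SECTOR])
        if hit and lba not in covered:
            fs, total = hit
            lost.append({"lba": lba, "fs": fs, "sectors": total})   # rebuilt entry
    return live, lost


def make_fat_boot(total_sectors):
    """Constructed minimal FAT16 boot sector."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"
    bs[3:11] = b"MSDOS5.0"
    struct.pack_into("<HBHB", bs, 11, SECTOR, 1, 1, 2)  # bytes/sector, sec/cluster, reserved, FATs
    struct.pack_into("<H", bs, 19, total_sectors)
    bs[510:512] = BOOT_SIG
    return bytes(bs)


def make_ntfs_boot(total_sectors):
    """Constructed minimal NTFS boot sector."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = b"NTFS    "
    struct.pack_into("<H", bs, 11, SECTOR)
    struct.pack_into("<Q", bs, 40, total_sectors)
    bs[510:512] = BOOT_SIG
    return bytes(bs)


def make_entry(ptype, lba, count):
    raw = bytearray(16)
    raw[4] = ptype
    struct.pack_into("<II", raw, 8, lba, count)
    return bytes(raw)


def build_disk(delete_second=False):
    """64-sector disk: FAT16 partition at LBA 8 (16 sectors), NTFS at LBA 32 (16)."""
    disk = bytearray(64 * SECTOR)
    mbr = bytearray(SECTOR)
    mbr[TABLE_OFFSET:TABLE_OFFSET + 16] = make_entry(0x06, 8, 16)
    if not delete_second:                 # 'deleting' only zeroes the table entry
        mbr[TABLE_OFFSET + 16:TABLE_OFFSET + 32] = make_entry(0x07, 32, 16)
    mbr[510:512] = BOOT_SIG
    disk[0:SECTOR] = mbr
    disk[8 * SECTOR:9 * SECTOR] = make_fat_boot(16)
    disk[32 * SECTOR:33 * SECTOR] = make_ntfs_boot(16)    # data stays on disk
    return bytes(disk)


def demo():
    before = find_lost_partitions(build_disk())
    after = find_lost_partitions(build_disk(delete_second=True))
    return before, after
```

On a real drive the scan is restricted to likely alignment boundaries rather than every sector, and a found boot sector should be cross-checked against its own backup copy before the table entry is rewritten; rewriting the entry never touches the partition's data, which is why this is a recovery rather than a reconstruction.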

6.2.6 Recovering Deleted Partitions (Cont.)
• Delete Partition Using Windows
  ■ Partitions can be created and deleted in Windows using the Computer Management (Local) console.
  ■ To open the console:
1. Right-click My Computer
  ■ Click Manage
  ■ Expand Storage
  ■ Click Disk Management

6.2.6 Recovering Deleted Partitions (Cont.)
Or
2. Click Start
  ■ Click Control Panel
  ■ Click Administrative Tools
  ■ Double-click Computer Management
  ■ Expand Storage
  ■ Click Disk Management
3. Right-click on the partition, logical drive, or volume
  ■ Click Delete Partition


6.2.6 Recovering Deleted Partitions (Cont.)
[Screenshot: Disk Management in the Computer Management Console]
6.2.6 Recovering Deleted Partitions (Cont.)
• Delete Partition from the Command Line
  ■ Commands need to be typed at a prompt
  ■ Two commands:
      FDISK
      DISKPART

6.2.6 Recovering Deleted Partitions (Cont.)
• FDISK
  ■ Used to create and delete partitions on computers running MS-DOS, Windows 9x, Windows NT, or Windows ME
  ■ Switches:
      /MBR Rewrites the MBR
      /CMBR <disk> Re-creates the MBR on a specific disk
      /PRI: <size> Creates a primary partition
      /EXT: <size> Creates an extended partition
      /LOG: <size> Creates a logical drive
      /Q Prevents rebooting the computer automatically after exiting FDISK
      /STATUS Shows the current status of hard drives
      /ACTOK Forces FDISK not to check disk integrity
      /FPRMT Disables the prompt for FAT32 support

6.2.6 Recovery Deleted Partitions (Cont.)
 FDISK
 To create partition, a screen will appear with a number of options

6.2.6 Recovering Deleted Partitions (Cont.)
 FDISK
 To delete a partition, a screen appears with a number of options

6.2.6 Recovering Deleted Partitions (Cont.)
 DISKPART
 Used to create and delete partitions on computers running Windows 2000,
Windows XP, or Windows Vista
 Unlike FDISK, it doesn't provide a series of menus that can be navigated to delete
partitions
 Commands:
ADD Adds a mirror to a simple volume
ACTIVE Marks the current partition as the active boot partition
ASSIGN Assigns a drive letter or mount point to the selected volume
BREAK Breaks a mirror set
CLEAN Clears the configuration information, or all information, off the disk
CONVERT Converts the disk from one format to another: dynamic to basic, basic to
dynamic, MBR to GPT, or GPT to MBR
6.2.6 Recovering Deleted Partitions (Cont.)
 Commands:
CREATE Creates a volume or partition
DELETE Deletes a missing disk, the selected volume, or the selected partition
DETAIL Provides details about a disk, partition, or volume
EXIT Exits the program
EXTEND Extends a volume
HELP Prints a list of Help commands
IMPORT Imports a disk group
LIST Prints a list of disks, partitions, or volumes
INACTIVE Marks the current partition as inactive
ONLINE Brings online a disk that is currently marked as offline

6.2.6 Recovering Deleted Partitions (Cont.)
 Commands:
REM Used to comment scripts
REMOVE Removes a drive letter or mount point
REPAIR Repairs a RAID-5 volume
RESCAN Forces DISKPART to rescan the computer for disks and volumes
RETAIN Places a retainer partition under a simple volume
SELECT Moves the focus to an object

6.2.7 Deleted Partition Recovery Tools
 When a partition is deleted, its entry in the partition table is removed.
 Deleting the partition is similar to removing the table of contents from a book: none of
the information outside the table is missing; it just requires other methods to find it.
 Tools:
 Active@ Partition Recovery, available at www.partition-recovery.com, for DOS and
Windows
 Commercial software:
 Active@ Disk Image at www.disk-image.net
 DiskInternals Partition Recovery at www.diskinternals.com
 GetDataBack at www.runtime.org
 For NTFS and FAT
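The table-of-contents analogy above, worked through as an added Python model (not the course's code and not any of the tools listed): on a constructed 64-sector disk it parses the MBR partition table, zeros one entry the way a partition delete does, shows that the volume's own sectors are untouched, and then recovers the partition the way a recovery tool does in principle, by scanning for a volume boot record and writing the table entry back. The disk layout and the "file" bytes are constructed; the field offsets follow the MBR partition entry and FAT32 boot-sector formats.

```python
"""Why a deleted MBR partition is recoverable: a constructed-disk model, not the course's code."""
import struct

SECTOR = 512
PT_OFFSET = 446           # the four 16-byte partition entries start here in the MBR
ENTRY = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xAA"    # bytes 510-511 of an MBR or volume boot sector


def make_test_disk() -> bytearray:
    """Constructed 64-sector disk: MBR plus one FAT32 volume at LBA 8, 32 sectors long."""
    disk = bytearray(64 * SECTOR)
    disk[PT_OFFSET:PT_OFFSET + 16] = struct.pack(ENTRY, 0x80, bytes(3), 0x0B, bytes(3), 8, 32)
    disk[510:512] = BOOT_SIG
    vbr = bytearray(SECTOR)                     # FAT32 volume boot record fields we rely on
    vbr[0:3] = b"\xEB\x58\x90"                  # x86 jump over the BIOS parameter block
    vbr[3:11] = b"MSWIN4.1"                     # OEM name
    struct.pack_into("<H", vbr, 11, SECTOR)     # bytes per sector
    struct.pack_into("<I", vbr, 32, 32)         # total sectors (32-bit field; 16-bit one at 19 stays 0)
    vbr[510:512] = BOOT_SIG
    disk[8 * SECTOR:9 * SECTOR] = vbr
    disk[12 * SECTOR:12 * SECTOR + 24] = b"CONFIDENTIAL LEDGER 2009"   # constructed "file" data
    return disk


def parse_mbr(disk) -> list:
    """Populated partition-table entries as (slot, type, lba_start, sector_count)."""
    out = []
    for slot in range(4):
        off = PT_OFFSET + 16 * slot
        _, _, ptype, _, lba, count = struct.unpack(ENTRY, disk[off:off + 16])
        if ptype:
            out.append((slot, ptype, lba, count))
    return out


def delete_partition(disk, slot: int) -> None:
    """What a partition delete does: zero one table entry. The volume's sectors are not touched."""
    off = PT_OFFSET + 16 * slot
    disk[off:off + 16] = bytes(16)


def scan_for_volumes(disk) -> list:
    """Find sectors that look like a FAT volume boot record: (lba, total_sectors)."""
    found = []
    for lba in range(1, len(disk) // SECTOR):   # LBA 0 is the MBR itself, not a volume
        s = disk[lba * SECTOR:(lba + 1) * SECTOR]
        if s[510:512] != BOOT_SIG or s[0] not in (0xEB, 0xE9):
            continue
        if struct.unpack_from("<H", s, 11)[0] != SECTOR:
            continue
        total = struct.unpack_from("<H", s, 19)[0] or struct.unpack_from("<I", s, 32)[0]
        found.append((lba, total))
    return found


def recover_partitions(disk, ptype: int = 0x0B) -> list:
    """Write a table entry for every scanned volume not already in the table; return the table."""
    known = {lba for _, _, lba, _ in parse_mbr(disk)}
    free = [slot for slot in range(4) if slot not in {e[0] for e in parse_mbr(disk)}]
    for lba, total in scan_for_volumes(disk):
        if lba not in known and free:
            off = PT_OFFSET + 16 * free.pop(0)
            disk[off:off + 16] = struct.pack(ENTRY, 0x00, bytes(3), ptype, bytes(3), lba, total)
    return parse_mbr(disk)
```

On a real drive the scan would also have to recognise NTFS and other boot records and cope with false positives, which is the work the listed tools do; the model shows only why the data is still there to be found.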
6.2.7 Deleted Partition Recovery Tools (Cont.)
 Tools:
 NTFS Deleted Partition Recovery, available at www.techddi.com
 Handy Recovery, available at www.handyrecovery.com
 Acronis Recovery Expert, available at www.acronis.com
 TestDisk, which supports Windows and Linux, available at www.cgsecurity.org
 Scaven, available at http://pjwalczak.com/scaven/index.php
 Recover It All!, available at www.dtidata.com/recover_it_all.htm
 Partition Table Doctor, available at www.ptdd.com

6.3 Data Acquisition and Duplicating Data
 Electronic evidence is fragile by nature and can easily be modified, damaged, or
destroyed.
 Even booting a computer can erase temporary files, modify timestamps, or alter other
data, in addition to writing data and creating new files on the drive during the boot
process.
 In addition, a computer could be booby-trapped so that if a set of keys weren't pressed
at bootup or an incorrect password was entered, a program or script could run to
reformat the hard disk or overwrite certain data, making retrieval of evidence more
difficult or impossible.
 It is because of this that data must be acquired or duplicated from a hard disk before
any analysis takes place.

Data Recovery Contingencies
 Investigators must make contingency plans in case data acquisition fails
 To preserve digital evidence, investigators need to create a duplicate copy of the
evidence files
 If the original data recovered is corrupted, investigators can make use of the
second copy
 Using at least two data acquisition tools to create copies of the evidence is preferred,
in case the investigator's preferred tool does not properly recover the data

6.3.1 Data Acquisition Tools
 Data acquisition is the act or process of gathering information and evidence.
 In computer forensics, this means using established methods to acquire data from a
suspect computer or storage media to gain insight into a crime or other incident and
potentially use it as evidence to convict a suspect.
 The goal of data acquisition is to preserve evidence, so any tools that are used should not
alter the data in any way and should provide an exact duplicate.
 To prevent contamination, any data that is duplicated should be stored on forensically
sterile media, meaning that the disk has no other data on it and has no viruses or defects.
 Forensic investigators acquire digital evidence using the following methods:
 Creating a bit-stream disk-to-image file
 Making a bit-stream disk-to-disk copy
 Creating a sparse data copy of a folder or file
6.3.1 Data Acquisition Tools (Cont.)
 To ensure that all data is acquired, a bit-stream image needs to be made of the suspect
hard drive or other media. This will acquire any
 Deleted files,
 file fragments,
 slack space, and
 other data on the disk.
 If a standard image is created that does not acquire this data, then potential evidence
may be unavailable to you.
 Standard images or clones of a machine can, however, be useful for backing up data or
creating a duplicate of the operating system, applications, and data on the machine in
case a disaster occurs.

6.3.1 MS-DOS Data Acquisition Tools
 In the past, software tools developed for forensic investigation were created for MS-DOS
 Investigators still make use of these tools as they are commercially available and easy
to use
 Advantages of MS-DOS acquisition tools:
 Fit on a forensic boot disk
 Require fewer resources to make bit-stream files
 User friendly
 Windows data acquisition tools allow the investigator to easily acquire evidence from a
disk with the help of removable media such as USB storage devices
 These tools can also use Firewire to connect hard disks to the forensic lab systems
 Data acquisition tools in Windows cannot acquire data from the host protected area of
the disk
6.3.1.1 DriveSpy
 DriveSpy enables the investigator to direct data from one particular sector range to
another sector
 DriveSpy provides two methods of specifying disk sector ranges:
 Giving the absolute starting sector followed, after a comma, by the total number of
sectors to be read on the drive
 Listing the absolute starting and ending sectors
 There are two commands in DriveSpy that are used for data manipulation:
 The "SaveSect" command
 Used to copy particular sectors on a disk to a file
 It copies the sectors as a bit-stream image so that the file is a duplicate of the
original sectors
 The "WriteSect" command
 Used to regenerate the information acquired through the SaveSect command

6.3.1.1 DriveSpy (Cont.)
 The data preservation commands in the DriveSpy application are:
 The "SavePart" command
 Used to create an image file of the specified disk partition of the suspect's drive
 The "WritePart" command
 Counterpart of the "SavePart" command
 Used to recreate the saved partition image file that is created with the "SavePart"
command
6.3.1.2 AccessData FTK Explorer
 FTK Explorer acquires data in a way that can help the investigator understand how
other forensic tools in Windows work
 This tool was first designed to examine disks and bit-stream disk-to-image files
created by using other forensic software
 FTK Explorer can make bit-stream disk-to-image copies of evidence disks
 This tool allows the investigator to acquire the evidence disk at the logical partition
level or the physical drive level

6.3.1.3 EnCase
 The EnCase tool delivers advanced features for computer forensics and
investigations
 It is the primary data acquisition tool used by forensic investigators
 Provides tools to conduct investigations with accuracy and efficiency
 Data can be acquired by:
 Disk to disk
 Disk to network server drive
 Parallel port with a LapLink cable to the forensics workstation's disk drive
6.3.2 Acquiring Data on Linux
 Forensic investigators use the built-in Linux command "dd" to copy data from a disk
drive
 This command can make a bit-stream disk-to-disk file, a disk-to-image file, a
block-to-block copy, or a block-to-file copy
 The "dd" command can copy data from any disk that Linux can mount and access
 Other forensic tools such as AccessData FTK and ILook can read dd image files

6.3.2.1 Dd.exe (Windows XP Version)
 Works on the Windows platform
 Detects unauthorized dialers
 User-friendly program
 Command syntax:
dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img --md5sum --verifymd5 --md5out=d:\images\PhysicalDrive0.img.md5
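The sector-by-sector copy that dd performs on Linux and the hash-then-verify options in the dd.exe command above, as an added Python model (not dd's, dd.exe's, or the course's code): it images a constructed drive one sector at a time, hashes the bytes as they are written, zero-fills and logs any sector that returns a read error so the image stays sector-aligned (the behaviour of dd's conv=noerror,sync), and then re-hashes the finished image to verify it. FlakyDevice and SAMPLE_DRIVE are constructed stand-ins for a suspect disk.

```python
"""Model of a dd-style bit-stream acquisition with hash verification and a read-error contingency.
Added example on constructed data; it is not dd's, dd.exe's or the course's code."""
import hashlib
import io

SECTOR = 512
# Constructed 8-sector "suspect drive": a repeating byte pattern so damage is easy to spot.
SAMPLE_DRIVE = bytes(range(256)) * 16


class FlakyDevice:
    """Constructed stand-in for a suspect drive; sectors listed in `bad` fail to read."""

    def __init__(self, data: bytes, bad: set):
        self.data, self.bad = data, bad

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, lba: int) -> bytes:
        if lba in self.bad:
            raise IOError(f"I/O error at LBA {lba}")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]


def acquire(dev: FlakyDevice, out, log: list) -> dict:
    """Copy every sector of `dev` into `out`, hashing the bytes as they are written.
    A sector that fails to read is replaced by zeros and logged, the way dd's
    conv=noerror,sync keeps the image sector-aligned instead of aborting."""
    digests = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    for lba in range(dev.sectors):
        try:
            block = dev.read_sector(lba)
        except IOError as err:
            log.append(f"LBA {lba}: {err}; sector zero-filled in image")
            block = bytes(SECTOR)
        out.write(block)
        for h in digests.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in digests.items()}


def verify(image: bytes, expected: dict) -> bool:
    """Independently re-hash the finished image (the --verifymd5 step) and compare."""
    actual = {"md5": hashlib.md5(image).hexdigest(),
              "sha256": hashlib.sha256(image).hexdigest()}
    return actual == expected


def image_drive(data: bytes, bad: set):
    """Acquire and verify; return (hashes, verified, error_log, image_bytes)."""
    dev = FlakyDevice(data, bad)
    out, log = io.BytesIO(), []
    hashes = acquire(dev, out, log)
    image = out.getvalue()
    return hashes, verify(image, hashes), log, image


if __name__ == "__main__":
    clean, ok, log, _ = image_drive(SAMPLE_DRIVE, set())
    damaged, ok2, log2, _ = image_drive(SAMPLE_DRIVE, {3})
    print("clean image verified:", ok, clean["md5"])
    print("damaged image verified:", ok2, damaged["md5"], log2)
    # Both images verify against their own hashes, yet the hashes differ: verification
    # proves the copy matches what was read, not that every sector was readable.
    # That is why the error log travels with the image as part of the acquisition record.
```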

6.3.2.2 Snapback Exact
 Server-based backup program for Windows servers
 Copies byte-by-byte images of the server hard drives to tape
 Keeps track of records
 Important features are:
 Full open file management
 Remote administration
 Backup scheduling

6.3.2.3 DatArrest
 Supports the tools for forensic data seizure
 Works on all IBM-compatible systems
 Recovers deleted data
 User interface tool
 Any removable drive can be backed up through DatArrest

6.3.2.4 SafeBack
 SafeBack is also an MS-DOS data acquisition tool and can perform a CRC-32
calculation for each sector copied to ensure data integrity
 SafeBack creates a log file of all transactions it performs
 Functions:
 Creates disk-to-image files
 Copies data from a source disk to an image on a tape drive
 Copies data from a partition to an image file
 Compresses acquired files to reduce the save-set sizes
6.3.2 Hardware Tools
 Not all methods of acquiring data involve software-based solutions.
 Hardware used in data acquisition may only provide write blocking (to prevent data
being written to a suspect drive), or it may be a full system used to acquire and analyze
data in the field or in a forensic lab.

6.3.2.1 ImageMASSter Solo-3 Forensic
 A hardware tool developed by Intelligent Computer Solutions (www.icsforensic.com)
designed for computer forensic purposes.
 It is a portable, hand-held device that can acquire data from suspect machines at
speeds exceeding 4 GB per minute.
 It can acquire data from IDE, SATA, and SCSI hard drives.
 Connects the hard disks directly to the machine using
 a drive-to-drive interface or
 an external Firewire/USB interface
 Can create an exact replica of data from one or two drives simultaneously without any
reduction in speed.

6.3.2.2 ImageMASSter Solo-2 Forensic
 Also a hardware tool developed by Intelligent Computer Solutions
(www.icsforensic.com) designed for computer forensic purposes.
 Can create an image of any data on the machine by attaching it to a suspect computer
through a Firewire or USB port.
 Uses software to boot the machine
 Data on the original machine is protected during acquisition by the write-blocking
features of the device.

6.3.2.3 ImageMASSter 60007SAS
 A powerful hardware tool developed by Intelligent Computer Solutions (www.icsforensic.com)
designed for computer forensic purposes.
 Used for creating images of data from suspect machines
 It is a useful part of any forensic lab.
 Can be used to
 duplicate IDE, SAS, and SATA hard drives,
 migrate server data from SCSI to SAS/SATA,
 acquire data from multiple hard disks, and
 store multiple images on one hard drive.
 The only duplication system on the market that supports SAS (Serial Attached SCSI) hard drives
 Can copy multiple drives simultaneously at high speeds. It also includes a 1GB network
connection that can be used to transfer files to and from a network drive.
 To acquire and analyze data, the system provides a Windows XP-based interface that allows you
to copy data from Windows, Macintosh, and UNIX file systems.

6.3.2.4 RoadMASSter-3
 A data acquisition and analysis tool designed for use inside of a forensic lab.
 Also designed by Intelligent Computer Solutions (www.icsforensic.com)
 Designed to create an image of, and analyze, data acquired from suspect hard drives.
 It can connect
 to an unopened computer using Firewire and USB ports, and
 directly to IDE, SATA, SAS, and SCSI hard drives.
 It can also acquire data from multiple drives to a single target drive, making
acquisition faster.
 Allows you to analyze data immediately.
 It has a 15-inch color display in its case that allows you to view the data stored in the
image file so that you can determine whether any evidence exists on the machine
while you're still in the field.

6.3.2.5 Disk Jockey IT
 A portable, hand-held hardware tool developed by Diskology, available at
www.diskology.com.
 It is the smallest write-blocking and disk copy device available for computer
forensics.
 It can be used as a write-blocking device for data acquired using Firewire and USB
connections to a suspect computer.
 The device can then be connected to a Macintosh or Windows computer in
write-protect mode to analyze the data without fear of altering it.

6.3.3 Backing Up and Duplicating Data
 Investigators need to worry about destructive devices that can be planted in the system
by the owner. Evidence can be destroyed if the investigator is not careful
 Data fragments can be overwritten, and data stored in the Windows swap file can be
altered or destroyed
 Data duplication is essential for the proper preservation of digital evidence

6.3.3.1 R-Drive Image
 R-Drive Image is an important tool that creates disk image files for backup or
duplication purposes
 A disk image file contains an exact, byte-by-byte copy of a hard drive, partition, or
logical disk
 R-Drive Image can create image files with various compression levels without
stopping the Windows OS
 These drive image files can then be stored in a variety of places, including
removable media such as CD-R(W) or DVD-R(W) discs and Iomega Zip or Jaz disks

6.3.3.2 DriveLook
 The DriveLook tool has the following features:
 Indexes the hard drive for the text that was written to it
 Searches through a list of all words stored on the drive
 Views the location of words in the disk editor
 Switches between different views
 Uses an image file as input
 Accesses remote drives through a serial cable or TCP/IP

6.3.3.3 DiskExplorer
 DiskExplorer aids examiners in investigating any drive and recovering data
 Two versions of DiskExplorer exist:
 DiskExplorer for FAT
 DiskExplorer for NTFS
 The tool also has provisions to navigate through the drive by jumping to the:
 Partition table
 Boot record
 Master file table
 Root directory

Summary
 Investigators can acquire data in three ways: creating a bit-stream disk-to-image
file, making a bit-stream disk-to-disk copy, or creating a sparse data copy of a
specific folder path or file
 The "SavePart" command retrieves information about the partition space in the
hard disk
 The "dd" command in Linux can make a bit-stream disk-to-disk copy and a
disk-to-image file copy

Summary
 From the forensic investigator's perspective:
 Copy is a process of making a replica that includes only file information, not slack
space or unallocated space
 Backup is a set of file copies kept for future restoration
 Image is a file copy of a complete disk used for duplication or restoration
 Bit-stream image is an exact replica of all sectors, including every 1 and 0. This
includes slack space, unallocated space, and the swap file.
 Lossless compression is an acceptable method for computer forensics because it
does not change the data
 Lossy compression alters the data, leading to loss of data

End of Chapter 6
