Data Acquisition in Computer Forensics

Uploaded by Nguyễn Bình


Guide to Computer Forensics and Investigations
Fourth Edition

Chapter 4
Data Acquisition

CuuDuongThanCong.com https://fb.com/tailieudientucntt

Objectives

• List digital evidence storage formats
• Explain ways to determine the best acquisition method
• Describe contingency planning for data acquisitions
• Explain how to use acquisition tools

Objectives (continued)

• Explain how to validate data acquisitions
• Describe RAID acquisition methods
• Explain how to use remote network acquisition tools
• List other forensic tools available for data acquisitions

Understanding Storage Formats for Digital Evidence

Understanding Storage Formats for Digital Evidence

• Two types of data acquisition
  – Static acquisition
    • Copying a hard drive from a powered-off system
    • Used to be the standard
    • Does not alter the data, so it's repeatable
  – Live acquisition
    • Copying data from a running computer
    • Now the preferred type, because of hard disk encryption
    • Cannot be repeated exactly—alters the data
• Also, collecting RAM data is becoming more important
  – But RAM data has no timestamp, which makes it much harder to use

Understanding Storage Formats for Digital Evidence

• Terms used for a file containing evidence data
  – Bit-stream copy
  – Bit-stream image
  – Image
  – Mirror
  – Sector copy
• They all mean the same thing

Understanding Storage Formats for Digital Evidence

• Three formats
  – Raw format
  – Proprietary formats
  – Advanced Forensics Format (AFF)

Raw Format

• This is what the Linux dd command makes
• Bit-by-bit copy of the drive to a file
• Advantages
  – Fast data transfers
  – Can ignore minor data read errors on source drive
  – Most computer forensics tools can read raw format

Raw Format

• Disadvantages
  – Requires as much storage as original disk or data
  – Tools might not collect marginal (bad) sectors
    • Low threshold of retry reads on weak media spots
    • Commercial tools use more retries than free tools
  – Validation check must be stored in a separate file
    • Message Digest 5 (MD5)
    • Secure Hash Algorithm (SHA-1 or newer)
    • Cyclic Redundancy Check (CRC-32)

Proprietary Formats

• Features offered
  – Option to compress or not compress image files
  – Can split an image into smaller segmented files
    • Such as to CDs or DVDs
    • With data integrity checks in each segment
  – Can integrate metadata into the image file
    • Hash data
    • Date & time of acquisition
    • Investigator name, case name, comments, etc.

Proprietary Formats

• Disadvantages
  – Inability to share an image between different tools
  – File size limitation for each segmented volume
    • Typical segmented file size is 650 MB or 2 GB
• Expert Witness format is the unofficial standard
  – Used by EnCase, FTK, X-Ways Forensics, and SMART
  – Can produce compressed or uncompressed files
  – File extensions .E01, .E02, .E03, …

Advanced Forensics Format

• Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation
• Design goals
  – Provide compressed or uncompressed image files
  – No size restriction for disk-to-image files
  – Provide space in the image file or segmented files for metadata
  – Simple design with extensibility
  – Open source for multiple platforms and OSs

Advanced Forensics Format (continued)

• Design goals (continued)
  – Internal consistency checks for self-authentication
• File extensions include .afd for segmented image files and .afm for AFF metadata
• AFF is open source

Determining the Best Acquisition Method

Determining the Best Acquisition Method

• Types of acquisitions
  – Static acquisitions and live acquisitions
• Four methods
  – Bit-stream disk-to-image file
  – Bit-stream disk-to-disk
  – Logical
  – Sparse

Bit-stream disk-to-image file

• Most common method
• Can make more than one copy
• Copies are bit-for-bit replications of the original drive
• Tools: ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook

Bit-stream disk-to-disk

• Used when disk-to-image copy is not possible
  – Because of hardware or software errors or incompatibilities
  – This problem is more common when acquiring older drives
• Adjusts target disk's geometry (cylinder, head, and track configuration) to match the suspect's drive
• Tools: EnCase, SafeBack (MS-DOS), Snap Copy

Logical Acquisition and Sparse Acquisition

• When your time is limited, and evidence disk is large
• Logical acquisition captures only specific files of interest to the case
  – Such as Outlook .pst or .ost files
• Sparse acquisition collects only some of the data
  – I am finding contradictory claims about this—wait until we have a real example for clarity

Compressing Disk Images

• Lossless compression might compress a disk image by 50% or more
• But files that are already compressed, like ZIP files, won't compress much more
  – Error in textbook: JPEGs use lossy compression and degrade image quality (p. 104)
• Use MD5 or SHA-1 hash to verify the image

Tape Backup

• When working with large drives, an alternative is using tape backup systems
• No limit to size of data acquisition
  – Just use many tapes
• But it's slow

Returning Evidence Drives

• In civil litigation, a discovery order may require you to return the original disk after imaging it
• If you cannot retain the disk, make sure you make the correct type of copy (logical or bitstream)
  – Ask your client attorney or your supervisor what is required—you usually only have one chance

Contingency Planning for Image Acquisitions

Contingency Planning for Image Acquisitions

• Create a duplicate copy of your evidence image file
• Make at least two images of digital evidence
  – Use different tools or techniques
• Copy host protected area of a disk drive as well
  – Consider using a hardware acquisition tool that can access the drive at the BIOS level (link Ch 4c)
• Be prepared to deal with encrypted drives
  – Whole disk encryption feature in Windows Vista Ultimate and Enterprise editions

Encrypted Hard Drives

• Windows BitLocker
• TrueCrypt
• If the machine is on, a live acquisition will capture the decrypted hard drive
• Otherwise, you will need the key or passphrase
  – The suspect may provide it
  – There are some exotic attacks
    • Cold Boot (link Ch 4e)
    • Passware (Ch 4f)
    • Electron microscope (Ch 4g)

Using Acquisition Tools

• Acquisition tools for Windows
  – Advantages
    • Make acquiring evidence from a suspect drive more convenient
      – Especially when used with hot-swappable devices
  – Disadvantages
    • Must protect acquired data with a well-tested write-blocking hardware device
    • Tools can't acquire data from a disk's host protected area

Windows Write-Protection with USB Devices

• USB write-protection feature
  – Blocks any writing to USB devices
• Target drive needs to be connected to an internal PATA (IDE), SATA, or SCSI controller
• Works in Windows XP SP2, Vista, and Win 7

Acquiring Data with a Linux Boot CD

• Linux can read hard drives that are mounted as read-only
• Windows OSs and newer Linux automatically mount and access a drive
• Windows will write to the Recycle Bin, and sometimes to the NTFS Journal, just from booting up with a hard drive connected
• Linux kernel 2.6 and later write metadata to the drive, such as mount point configurations for an ext2 or ext3 drive
• All these changes corrupt the evidence

Acquiring Data with a Linux Boot CD

• Forensic Linux Live CDs mount all drives read-only
  – Which eliminates the need for a write-blocker
• Using Linux Live CD Distributions
  – Forensic Linux Live CDs
    • Contain additional utilities

Forensic Linux Live CDs

• Configured not to mount, or to mount as read-only, any connected storage media
• Well-designed Linux Live CDs for computer forensics
  – Helix
  – Penguin Sleuth
  – FCCU (French interface)
• Preparing a target drive for acquisition in Linux
  – Modern Linux distributions can use Microsoft FAT and NTFS partitions

Acquiring Data with a Linux Boot CD (continued)

• Preparing a target drive for acquisition in Linux (continued)
  – fdisk command lists, creates, deletes, and verifies partitions in Linux
  – mkfs.msdos command formats a FAT file system from Linux
• Acquiring data with dd in Linux
  – dd ("data dump") command
    • Can read and write from media device and data file
    • Creates raw format file that most computer forensics analysis tools can read

Acquiring data with dd in Linux

• Shortcomings of dd command
  – Requires more advanced skills than average user
  – Does not compress data
• dd command combined with the split command
  – Segments output into separate volumes
• dd command is intended as a data management tool
  – Not designed for forensics acquisitions

Acquiring data with dcfldd in Linux

• dcfldd additional functions
  – Specify hex patterns or text for clearing disk space
  – Log errors to an output file for analysis and review
  – Use several hashing options
  – Refer to a status display indicating the progress of the acquisition in bytes
  – Split data acquisitions into segmented volumes with numeric extensions
  – Verify acquired data with original disk or media data

Capturing an Image with ProDiscover Basic

• Connecting the suspect's drive to your workstation
  – Document the chain of evidence for the drive
  – Remove the drive from the suspect's computer
  – Configure the suspect drive's jumpers as needed
  – Connect the suspect drive to a write-blocker device
  – Create a storage folder on the target drive
• Using ProDiscover's Proprietary Acquisition Format
  – Image file will be split into segments of 650MB
  – Creates image files with an .eve extension, a log file (.log extension), and a special inventory file (.pds extension)

Capturing an Image with ProDiscover Basic (continued): screenshot slides

Capturing an Image with ProDiscover Basic (continued)

• Using ProDiscover's Raw Acquisition Format
  – Select the UNIX style dd format in the Image Format list box
  – Raw acquisition saves only the image data and hash value

Capturing an Image with AccessData FTK Imager

• Included on AccessData Forensic Toolkit
• View evidence disks and disk-to-image files
• Makes disk-to-image copies of evidence drives
  – At logical partition and physical drive level
  – Can segment the image file
• Evidence drive must have a hardware write-blocking device
  – Or the USB write-protection Registry feature enabled
• FTK Imager can't acquire drive's host protected area (but ProDiscover can)

Capturing an Image with AccessData FTK Imager (continued): screenshot slide

Capturing an Image with AccessData FTK Imager (continued)

• Steps
  – Boot to Windows
  – Connect evidence disk to a write-blocker
  – Connect target disk
  – Start FTK Imager
  – Create Disk Image
    • Use Physical Drive option

Capturing an Image with AccessData FTK Imager (continued): screenshot slides

Validating Data Acquisitions

Validating Data Acquisitions

• Most critical aspect of computer forensics
• Requires using a hashing algorithm utility
• Validation techniques
  – CRC-32, MD5, and SHA-1 to SHA-512
• MD5 has collisions, so it is not perfect, but it's still widely used
• SHA-1 has some collisions but it's better than MD5
• A new hashing function will soon be chosen by NIST

Linux Validation Methods

• Validating dd acquired data
  – You can use md5sum or sha1sum utilities
  – md5sum or sha1sum utilities should be run on all suspect disks and volumes or segmented volumes
• Validating dcfldd acquired data
  – Use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512
  – hashlog option outputs hash results to a text file that can be stored with the image files
  – vf (verify file) option compares the image file to the original medium
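
The dd-plus-split acquisition from the dd slides and the separate-hash-file validation described above (the idea behind dcfldd's hash, hashlog and vf options), worked through as an added example that is not from the textbook or these slides. It assumes GNU coreutils (dd, split, sha1sum) and stands in a constructed 20,000-byte file for the evidence device; the paths, the 4 KiB block size and the 8 KiB segment size are choices made for the demonstration.

```shell
#!/bin/sh
# Added example: raw, segmented acquisition with dd + split, with the hashes
# kept in separate files so the raw image can be validated later.
# Runs only against a constructed file in a temp directory, never a real disk.

# acquire_raw_segmented SOURCE OUT_PREFIX SEGMENT_SIZE
#   Produces OUT_PREFIX.raw.000, .001, ... plus OUT_PREFIX.sha1 (whole image),
#   OUT_PREFIX.size (source length) and OUT_PREFIX.hashlog (one SHA-1 per segment).
acquire_raw_segmented() {
    src="$1"; out="$2"; seg="$3"

    # dd makes the bit-for-bit raw copy. conv=noerror,sync keeps going past
    # read errors and zero-pads the unreadable block, so a weak sector costs
    # one padded block instead of an aborted acquisition. Caveat: sync also
    # pads a final partial block, so the exact source length is recorded too.
    dd if="$src" of="$out.raw" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    wc -c < "$src" | tr -d ' ' > "$out.size"

    # Raw format carries no metadata: the validation hash lives in its own file.
    sha1sum "$out.raw" > "$out.sha1"

    # Segment into numbered volumes (.000, .001, ...) the way dcfldd's split
    # option does, then drop the monolithic copy so only the segments remain.
    split -b "$seg" -d -a 3 "$out.raw" "$out.raw." || return 1
    rm -f "$out.raw"

    # Per-segment hashes identify a damaged volume without rehashing everything.
    sha1sum "$out".raw.??? > "$out.hashlog"
}

# verify_raw_segmented SOURCE OUT_PREFIX
#   Returns 0 only if every segment matches its logged hash, the reassembled
#   image matches the recorded whole-image hash, and the image (minus any
#   sync padding) matches the original medium, as dcfldd's vf option checks.
verify_raw_segmented() {
    src="$1"; out="$2"
    sha1sum -c "$out.hashlog" >/dev/null 2>&1 || return 1
    rec=$(cut -d' ' -f1 "$out.sha1")
    full=$(cat "$out".raw.??? | sha1sum | cut -d' ' -f1)
    [ "$full" = "$rec" ] || return 1
    size=$(cat "$out.size")
    img=$(cat "$out".raw.??? | head -c "$size" | sha1sum | cut -d' ' -f1)
    orig=$(sha1sum "$src" | cut -d' ' -f1)
    [ "$img" = "$orig" ]
}

# demo_acquisition: image a constructed 20,000-byte "evidence drive" (not a
# multiple of the block size, so sync padding is exercised) into 8 KiB
# segments and validate it. Returns 0 on success.
demo_acquisition() {
    work=$(mktemp -d) || return 1
    seq 1 6000 | head -c 20000 > "$work/evidence.dev"
    acquire_raw_segmented "$work/evidence.dev" "$work/case01" 8k || { rm -rf "$work"; return 1; }
    if verify_raw_segmented "$work/evidence.dev" "$work/case01"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# demo_tamper_detected: overwrite one byte in a segment after acquisition and
# confirm validation fails. Returns 0 if the change was caught.
demo_tamper_detected() {
    work=$(mktemp -d) || return 1
    seq 1 6000 | head -c 20000 > "$work/evidence.dev"
    acquire_raw_segmented "$work/evidence.dev" "$work/case01" 8k || { rm -rf "$work"; return 1; }
    printf 'X' | dd of="$work/case01.raw.001" bs=1 seek=17 conv=notrunc 2>/dev/null
    if verify_raw_segmented "$work/evidence.dev" "$work/case01"; then rc=1; else rc=0; fi
    rm -rf "$work"
    return $rc
}

if demo_acquisition && demo_tamper_detected; then
    echo "segmented raw image validated; tampered segment detected"
else
    echo "validation workflow failed" >&2
fi
```

On a real case the SOURCE argument would be the write-blocked device node and the hash files should be preserved alongside the segments in the case folder.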
Windows Validation Methods

• Windows has no built-in hashing algorithm tools for computer forensics
  – Third-party utilities can be used
• Commercial computer forensics programs also have built-in validation features
  – Each program has its own validation technique
• Raw format image files don't contain metadata
  – Separate manual validation is recommended for all raw acquisitions

Performing RAID Data Acquisitions

Performing RAID Data Acquisitions

• Size is the biggest concern
  – Many RAID systems now have terabytes of data

Understanding RAID

• Redundant array of independent (formerly "inexpensive") disks (RAID)
  – Computer configuration involving two or more disks
  – Originally developed as a data-redundancy measure
• RAID 0 (Striped)
  – Provides rapid access and increased storage
  – Lack of redundancy
• RAID 1 (Mirrored)
  – Designed for data recovery
  – More expensive than RAID 0

Understanding RAID (continued)

• RAID 2
  – Similar to RAID 1
  – Data is written to a disk on a bit level
  – Has better data integrity checking than RAID 0
  – Slower than RAID 0
• RAID 3
  – Uses data striping and dedicated parity
• RAID 4
  – Data is written in blocks

Understanding RAID (continued): RAID layout diagram slides

Understanding RAID (continued)

• RAID 5
  – Similar to RAIDs 0 and 3
  – Places parity recovery data on each disk
• RAID 6
  – Redundant parity on each disk
• RAID 10, or mirrored striping
  – Also known as RAID 1+0
  – Combination of RAID 1 and RAID 0

Understanding RAID (continued): RAID layout diagram slide

Acquiring RAID Disks

• Concerns
  – How much data storage is needed?
  – What type of RAID is used?
  – Do you have the right acquisition tool?
  – Can the tool read a forensically copied RAID image?
  – Can the tool read split data saves of each RAID disk?
• Older hardware-firmware RAID systems can be a challenge when you're making an image

Acquiring RAID Disks (continued)

• Vendors offering RAID acquisition functions
  – Technology Pathways ProDiscover
  – Guidance Software EnCase
  – X-Ways Forensics
  – Runtime Software
  – R-Tools Technologies
• Occasionally, a RAID system is too large for a static acquisition
  – Retrieve only the data relevant to the investigation with the sparse or logical acquisition method

Using Remote Network Acquisition Tools

Using Remote Network Acquisition Tools

• You can remotely connect to a suspect computer via a network connection and copy data from it
• Remote acquisition tools vary in configurations and capabilities
• Drawbacks
  – LAN's data transfer speeds and routing table conflicts could cause problems
  – Gaining the permissions needed to access more secure subnets
  – Heavy traffic could cause delays and errors
  – Remote access tool could be blocked by antivirus

Remote Acquisition with ProDiscover Investigator

• Preview a suspect's drive remotely while it's in use
• Perform a live acquisition
  – Also called a "smear" because data is being altered
• Encrypt the connection
• Copy the suspect computer's RAM
• Use the optional stealth mode to hide the connection

Remote Acquisition with ProDiscover Incident Response

• All the functions of ProDiscover Investigator plus
• Capture volatile system state information
  – Analyze current running processes
  – Locate unseen files and processes
  – Remotely view and listen to IP ports
  – Run hash comparisons to find Trojans and rootkits
  – Create a hash inventory of all files remotely

PDServer Remote Agent

• ProDiscover utility for remote access
• Needs to be loaded on the suspect computer
• PDServer installation modes
  – Trusted CD
  – Preinstallation
  – Pushing out and running remotely
• PDServer can run in a stealth mode
  – Can change process name to appear as OS function

Remote Connection Security Features

• Password Protection
• Encrypted communications
• Secure Communication Protocol
• Write Protected Trusted Binaries
• Digital Signatures

Remote Acquisition with EnCase Enterprise

• Remotely acquires media and RAM data
• Integration with intrusion detection system (IDS) tools
• Options to create an image of data from one or more systems
• Preview of systems
• A wide range of file system formats
• RAID support for both hardware and software

Other Remote Acquisition Tools

• R-Tools R-Studio
• WetStone LiveWire
• F-Response

Remote Acquisition with Runtime Software

• Compact Shareware Utilities
  – DiskExplorer for FAT
  – DiskExplorer for NTFS
  – HDHOST (Remote access program)
• Features for acquisition
  – Create a raw format image file
  – Segment the raw format or compressed image
  – Access network computers' drives

Using Other Forensics-Acquisition Tools

Using Other Forensics-Acquisition Tools

• Tools
  – SnapBack DatArrest
  – SafeBack
  – DIBS USA RAID
  – ILook Investigator IXimager
  – Vogon International SDi32
  – ASRData SMART
  – Australian Department of Defence PyFlag

SnapBack DatArrest

• Columbia Data Products
• Old MS-DOS tool
• Can make an image in three ways
  – Disk to SCSI drive
  – Disk to network drive
  – Disk to disk
• Fits on a forensic boot floppy
• SnapCopy adjusts disk geometry

NTI SafeBack

• Reliable MS-DOS tool
• Small enough to fit on a forensic boot floppy
• Performs an SHA-256 calculation per sector copied
• Creates a log file

NTI SafeBack (continued)

• Functions
  – Disk-to-image copy (image can be on tape)
  – Disk-to-disk copy (adjusts target geometry)
    • Parallel port laplink can be used
  – Copies a partition to an image file
  – Compresses image files

DIBS USA RAID

• Rapid Action Imaging Device (RAID)
  – Makes forensically sound disk copies
  – Portable computer system designed to make disk-to-disk images
  – Copied disk can then be attached to a write-blocker device

ILook Investigator IXimager

• IXimager
  – Runs from a bootable floppy or CD
  – Designed to work only with ILook Investigator
  – Can acquire single drives and RAID drives

ASRData SMART

• Linux forensics analysis tool that can make image files of a suspect drive
• Capabilities
  – Robust data reading of bad sectors on drives
  – Mounting suspect drives in write-protected mode
  – Mounting target drives in read/write mode
  – Optional compression schemes

Australian Department of Defence PyFlag

• PyFlag tool
  – Intended as a network forensics analysis tool
  – Can create proprietary format Expert Witness image files
  – Uses sgzip and gzip in Linux