Acquistion

From Wikibooks, open books for an open world
Jump to: navigation, search


The first pro-active step in any digital forensic investigation is that of acquisition. The inherent problem with digital media is that it is readily modified; even just by accessing files. For this reason analysts obtain a "bit copy" of the media using specialist tools which stop modification occurring.

Working from a copy is one of the fundamental steps to making a forensic investigation audit-able and acceptable to a court. Another fundamental part of the process is the ability to verify the accuracy of the evidence produced; acquisition and verification are key concepts in preparing digital media for investigation.

Acquisition[edit]

A hard drive attached to a portable write blocker

Prior to the availability of very large storage capacity the acquisition process usually consisted of creating a bit-perfect copy of the digital media evidence. This is usually conducted with the media connected to a write blocking device which stops it from being modified during the process. After being acquired the physical media is placed in secure storage the forensic analyst conducts the forensic investigation on the copy.

The aim of working on a copy of the evidence is to leave the original media intact - which allows for any evidence to be verified (proven accurate) at a later date.

Write blockers can take two forms; hardware or software (you can see a picture of a hardware write blocker to the right). The hardware devices are more reliable, stopping all write commands from reaching the digital media. Software writer blockers are less reliable and tend to be proprietary.

Acquired media is usually refereed to as an "image", they are stored in a number of open and proprietary formats. The popular EnCase software employs a proprietary, compressible, "EnCase Evidence File Format" (EEFF). Other open formats such as RAW (i.e. a simple bit copy) are used by programs such as "FTK Imager".

During acquisition forensic tools create a verification hash of the media, this allows an analyst to later confirm that the image and its contents are accurate (see "Verification" below).

Example For example; the EnCase Evidence File Format stores a hash for every 64K of data along with an appended MD5 hash of the entire media

Live acquisition[edit]

A "live" acquisition is where data is retrieved from a digital device directly via its normal interface; for example switching a computer on and running programs from within the operating system. This has some level of risk, as data is likely to be modified. This process is rapidly becoming the more common approach as disk drive capacities increase to the point where they are impractical to 'image' and technology such as 'cloud computing' means that you cannot even access the hardware in many cases [1]

However there are also advantages to live acquisition - for example it allows you to capture the contents of RAM. Where a computer is found turned on, prior to seizure, it is sometimes beneficial to make a live acquisition of the RAM in case it contains information deleted from the hard drive (for example temporary documents).

Such an acquisition is often done by non-technical personnel, or at least personnel not trained in computer forensics, which creates the added risk of a mistake deleting important data. A variety of tools exist to help with this process and to make it accessible to non-technical personnel. For example Microsoft recently released a free suite of tools (available only to law enforcement) to capture information from a live Windows system. The software, called COFEE, fits on a USB pen drive and contains various automated tools to recover RAM and system log files.

Verification[edit]

References[edit]

Introduction to Digital Forensics
Documenting evidence Acquisition