📈 Data Acquisition and Duplication
The first proactive stage in the forensic investigation process is data collecting. Copying files from one device to another isn’t all that forensic data capture entails. Investigators use forensic data acquisition to extract every bit of information from the victim’s system’s memory and storage to produce a forensic replica. Furthermore, this forensic duplicate must be generated so that the data’s integrity can be verified and used as evidence in court.
3.1 Understand Data Acquisition Fundamentals
- Understanding Data Acquisition
- Data acquisition→is the use of established methods to extract Electronically Stored Information (ESI) from suspect computer or storage media to gain insight into a crime or an incident
- It is a critical step in digital forensics, as an improper acquisition may alter data in the evidence media, and render it inadmissible in a court of law
- Investigators must be able to verify the accuracy of acquired data, and the complete process should be auditable and acceptable in the court
- Types of Data Acquisition
- Live Acquisition
- Involves collecting data from a system that is powered ON
- Dead Acquisition (Static Acquisition)
- Involves collecting data from a system that is powered OFF
- Live Acquisition
- Live data acquisition involves collecting volatile data from a live system
- Volatile information assists in determining the logical timeline of the security incident, and the possible users responsible
- Live acquisition can then be followed by static/dead acquisition, where an investigator shuts down the suspect machine, removes the hard disk, and then acquires its forensic image
- Types of data captured during live acquisition
- System Data
- Current configuration
- Running state
- Date and time
- Command history
- Current system uptime
- Running processes
- Registers
- CPU
- Open files
- Start up files
- Clipboard data
- Logged on users
- DLLs or shared libraries
- Swap files and temp files
- Network Data
- Routing tables
- ARP cache
- Network configuration
- Network connections
- Apart from obtaining the above data, live acquisition can help investigators obtain
- Data from encrypted containers or disks that are currently unlocked (open) on the system and are automatically re-encrypted when the system shuts down
- Private browsing history and data from remote storage services such as Dropbox (cloud service) by examining the Random-Access Memory (RAM)
- Order of Volatility
- According to RFC 3227, the order of volatility for a typical system is as follows (most volatile first)
- Registers and cache
- The routing table, process table, kernel statistics, and memory
- Temporary system files
- Disk or other storage media
- Remote logging and monitoring data that is relevant to the system in question
- Physical configuration, and network topology
- Archival media
- Dead Acquisition
- Dead acquisition is defined as the acquisition of data from a suspect machine that is powered off
- Dead acquisition usually involves acquiring data from storage devices such as hard drives, DVD-ROMs, USB drives, flashcards, and smartphones
- Examples of static data: emails, word documents, web activity, spreadsheets, slack space, unallocated drive space, and various deleted files
- Rules of Thumb for Data Acquisition
- Do not work on original digital evidence. Create a bit-stream/logical image of a suspicious drive/file to work on.
- Produce two or more copies of the original media
- The first is the working copy to be used for analysis
- The other copies act as the library/control copies that are stored for disclosure purposes or in the event that the working copy gets corrupt
- Use clean media to store the copies
- Upon creating copies of original media, verify the integrity of copies with the original
- Types of Data Acquisition
- Logical Acquisition and Sparse Acquisition
- Acquiring a bit-by-bit copy of a large disk takes a long time. Under time constraints, and when the investigator already knows which files need to be acquired, logical acquisition is the ideal method.
- Logical acquisition allows an investigator to capture only selected files or file types of interest to the case
- Examples of logical acquisition include:
- Email investigation that requires collection of Outlook .pst or .ost files
- Collecting specific records from a large RAID server
- Sparse acquisition is similar to logical acquisition, which in addition collects fragments of unallocated data, allowing investigators to acquire deleted files. Use this method when inspection of the entire drive is not required.
- Bit-Stream Image
- Bit-stream imaging creates a bit-by-bit copy of a suspect drive, which is a cloned copy of the entire drive including all its sectors and clusters
- This image contains not just a copy of all the files and folders, but also the ambient data, which allows forensic investigators to retrieve deleted files or folders
- Bit-stream disk-to-image file
- It is the most common method used by forensic investigators
- With this method, one or many copies of the suspect drive can be generated
- The created image file is a bit-by-bit replica of the suspect drive
- Tools used: ProDiscover, EnCase, FTK, The Sleuth Kit, X-Ways Forensics, etc.
- Bit-stream disk-to-disk
- Disk-to-image copying is not possible in situations where
- The suspect drive is very old and incompatible with the imaging software
- Investigator needs to recover credentials used for websites and user accounts
- To overcome this situation, investigators can create a disk-to-disk bit-stream copy of the target media
- Tools used for this imaging process, such as EnCase and Tableau Forensic Imager, allow investigators to adjust the target disk's internal layout so that the data written aligns with the suspect drive, resulting in a smooth acquisition process
- Determine the Data Acquisition Format
- RAW Format
- Raw format refers to a bit-by-bit copy of the suspect drive. Images in this format are usually obtained by using the dd command
- Advantages
- Evidence search performance is generally higher
- Supported by most of the forensic tools including the freeware tools such as dd, dc3dd, and dcfldd
- Disadvantages
- Does not include any metadata
- Does not support compression of the image, resulting in the same size as of the suspect media
- Proprietary Format
- Proprietary format refers to various image file formats supported by different commercial tools
- Advantages
- Support for the compression of the image files
- Supports segmented image files
- Image files can include metadata
- Disadvantages
- Image file format created by one tool may not be supported by other tool(s)
- Consumes more time for evidence search than raw format
- Advanced Forensics Format (AFF)
- Advanced Forensics Format is an open-source acquisition format with the following design goals
- No size limitation for disk-to-image files
- Option to compress the image files using zlib and LZMA algorithms
- Supports segmented image files
- Allocates space to record metadata of the image files or segmented files
- Simple design and customizable
- Compatible in multiple computing environments
- Well supported by forensic tools such as Xmount, SleuthKit, FTK Imager, etc.
- AFF and AFFv3 support file extensions such as .afm for metadata and .afd for image files
- Advanced Forensic Framework 4 (AFF4)
- Redesign and revision of AFF to manage and use large amounts of disk images, reducing both acquisition time and storage requirements
- Referred to as an object-oriented framework by its creators (Michael Cohen, Simson Garfinkel, and Bradly Schatz)
- Basic types of AFF4 objects: volumes, streams, and graphs. They are universally referenced through a unique URL.
- Abstract information model that allows storage of disk-image data in one or more places while the information about the data is stored elsewhere
- Stores more kinds of organized information in the evidence file
- Offers unified data model and naming scheme
3.2 Understand Data Acquisition Methodology
- Data Acquisition Methodology
- Step 1: Determine the Best Data Acquisition Method
- An investigator needs to identify the best data acquisition method suitable for the investigation, depending on the investigator’s situation. These situations include
- Size of the suspect’s drive
- Time required to acquire the image
- Whether the investigator can retain the suspect’s drive
- Example
- If the original evidence drive needs to be returned to the owner in case-specific scenarios, the investigator needs to communicate with the requester and see whether the logical acquisition of the disk is acceptable. If not, they may have to go back to the requester.
- Investigators need to acquire only the data that is intended to be acquired
- Step 2: Select the Data Acquisition Tool
- Investigators need to choose the right tool for data acquisition based on the type of acquisition technique they choose. When it comes to imaging tools, they need to choose the tools that satisfy certain requirements.
- Mandatory Requirements
- The tool should not change the original content
- The tool should log I/O errors in an accessible and readable form, including the type of the error and location of the error
- The tool must have the ability to pass scientific and peer review. Results must be repeatable and verifiable by a third party if necessary.
- The tool should alert the user if the source is larger than the destination
- The tool should create a bit-stream copy of the original content when there are no errors in accessing the source media
- The tool should create a qualified bit-stream copy (a qualified bit-stream copy is defined as a duplicate except in identified areas of the bit-stream) when I/O errors occur while accessing the source media
- The tool should copy a file only when the destination is larger or equal to the size of the source, and should document the contents on the destination that are not a part of the copy
- Tool documentation should be correct, i.e., the user should get expected results by implementing it in accordance with the tool’s documented procedures
- Other Requirements
- The tool should be able to compute a hash value for the created image and compare it with the hash value of the original source
- The tool should divide the bit-stream copy into blocks, compute hash values for each block, and compare them with those of the source data
- The tool should log one or more items on a disk file (items include tool version, subject disk identification, any errors encountered, tool actions, start and finish run times, tool settings, and user comments)
- The tool should create a qualified bit-stream duplicate, and adjust the alignment of cylinders to cylinder boundaries of disk partitions when the destination is of a different physical geometry
- The tool should create a bit-stream copy of individual partitions as per user direction
- The tool should make the source disk partition table visible to users, and record its contents
- The tool should create an image file on a fixed or removable magnetic or electronic media that is used to create a bit-stream copy of the original
- The tool should create a bit-stream copy on a platform that is connected through a communications link to a different platform containing the source disk
- Step 3: Sanitize the Target Media
- Investigators must properly sanitize the target media to remove any prior data residing on it before it is used for collecting forensic data
- Post investigation, they must dispose of this media by following the same standards, so as to mitigate the risk of unauthorized disclosure of information and ensure its confidentiality
- The following are some standards for sanitizing media
- Russian Standard: GOST P50739-95
- German: VSITR
- American: NAVSO P-5239-26 (MFM)
- American: DoD 5220.22-M
- American: NAVSO P-5239-26 (RLL)
- NIST SP 800-88
- Step 4: Acquire Volatile Data
Volatile data acquisition involves collecting data that is lost when the computer is shut down or restarted
This data usually corresponds to running processes, logged-on users, registries, DLLs, clipboard data, open files, etc.
While most of this data is recovered by examining the live system, approximately the same amount can be obtained by examining an image acquired from the system's memory
- Acquire Volatile Data from a Windows Machine
- Belkasoft Live RAM Capturer is a forensic tool that allows extracting the entire contents of a computer’s volatile memory
- It saves the image files in .mem format
- Acquire Volatile Data from a Linux Machine Using dd (Local Acquisition)
- In latest versions of Linux systems, the access to kernel memory is restricted to avoid malicious attacks on RAM
- fmem→is a Linux Kernel Module that creates a device /dev/fmem and provides direct access to the system RAM
- The investigator should compile a module (of similar kernel version) and load it into the suspect machine to acquire contents of the RAM
- Command
- dd if=/dev/fmem of= bs=1MB
- Acquire Volatile Data from a Linux Machine Using dd and Netcat (Remote Acquisition)
- To acquire RAM remotely over a network, the investigator has to start a listening session on the forensic workstation using netcat
- Command
- nc -l > filename.dd
- On the suspect machine, the investigator should use dd command and pipe the output using netcat
- Command
- dd if=/dev/fmem bs=1024 | nc
- The acquired memory file is piped to the forensic workstation and saved in the specified path
- Acquire Volatile Data from a Linux Machine Using LiME (Local Acquisition)
- Before performing memory acquisition, the investigator has to compile LiME on the suspect machine with respect to system’s kernel version to create a kernel module
- LiME tool utilizes insmod command to load this kernel module and capture the machine’s RAM in LiME format
- Command
- insmod lime-.ko "path= format=lime"
- Acquire Volatile Data from a Linux Machine Using LiME and Netcat (Remote Acquisition)
- To acquire RAM remotely over a network, the investigator must start a listening session on a suspect machine using tcp:port
- Command
- insmod lime-<kernel_module>.ko "path=tcp:<port> format=lime"
- On the forensics workstation, the investigator should establish connection with the suspect machine using netcat and dump RAM data over the network
- Command
- nc <IP Address of the Suspect Machine> <port> > filename.mem
- The acquired memory file is piped to the host machine and saved in the specified path
- Acquire Volatile Data from a Mac Machine
- Physical memory acquisition can be performed on Mac using command line tools such as osxpmem or GUI tools such as Cellebrite Digital Collector
- Physical memory acquisition using Digital Collector
- Digital Collector→is a data triage and collection tool that helps perform live data acquisition, targeted data collection, triage, and forensic imaging of Mac operating systems
- Physical memory acquisition using osxpmem
- OSXpmem→is a memory acquisition tool for macOS. It is a part of the pmem suite created by the developers of Rekall.
- Syntax
- sudo osxpmem.app/osxpmem -o
- Note
- OSXpmem creates images in AFF4 format
- The investigator may need to change the file ownership or permissions in order to generate AFF4 format images
- Step 5: Enable Write Protection on the Evidence Media
- It is necessary to write protect the suspect drive using write blockers to preserve and protect the evidence contained in it
- A write blocker is a hardware device or software application that allows data acquisition from the storage media without altering its contents
- It blocks write commands, thus allowing read-only access to the storage media
- If a hardware write blocker is used
- Install a write blocker device
- Boot the system with the examiner-controlled operating system
- Examples of hardware devices: CRU® WiebeTech® USB WriteBlockerTM, Tableau Forensic Bridges, etc.
- If a software write blocker is used
- Boot the system with the examiner-controlled operating system
- Activate write protection
- Examples of software applications: SAFE Block, MacForensicsLab Write Controller, etc.
- Step 6: Acquire Non-volatile Data
Non-volatile data can be acquired in both live acquisition and dead acquisition. It mainly involves acquiring data from a hard disk.
There is no significant difference in the amount of data acquired from a hard disk between the live and dead acquisition methods
Live acquisition of a hard disk is performed using remote acquisition tools (e.g. netcat) and bootable CDs or USBs (e.g. CAINE), while dead acquisition involves removing the hard disk from the suspect machine, connecting it to a forensic workstation, write-blocking the hard disk, and running a forensic acquisition tool on the disk
- Using a Windows Forensic Workstation
- To acquire forensic image of a hard disk during dead acquisition, remove the hard disk, connect it to a forensic workstation, enable write-blocker, and run a forensic imaging tool (e.g. AccessData FTK Imager) on the workstation
- AccessData FTK Imager→is a disk imaging program that can preview recoverable data from a disk of any kind and also create copies, called forensics images, of that data
- Using a Linux Forensic Workstation
- Forensic investigators can use the built-in Linux commands dd and dcfldd to copy data from a disk drive
- These utilities can create a bit-stream disk-to-disk copy, disk-to-image file, block-to-block copy, and block-to-file copy
- The dd and dcfldd commands can copy data from any disk that Linux can mount and access
- Other forensics tools such as AccessData FTK and EnCase can read dd image files
- dd Command Syntax
- dd if=<source> of=<target> bs=<block size> skip=<n> seek=<n> conv=<options>
- bs is usually a power of 2 not less than 512 bytes (512, 1024, 2048, 4096, 8192, 16384), but can be any reasonable number
- if (source): where the data is read from; of (target): where the data is written; skip: number of blocks to skip at the start of input; seek: number of blocks to skip at the start of output; conv: conversion options
- Suppose a 2GB hard disk is seized as evidence. Use dd to create a complete physical backup of the hard disk
- dd if=/dev/hda of=/dev/case5img1
- Copy one hard disk partition to another hard disk
- dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror
- Create an ISO image of a CD
- dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc
- Restore a disk partition from an image file
- dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror
- Copy RAM memory to a file
- dd if=/dev/fmem of=/home/sam/mem.bin bs=1024
- dcfldd works similarly to the dd command but provides additional features designed for forensic acquisitions. The following are some of the additional features offered by dcfldd over dd
- Hashing on-the-fly
- dcfldd can hash the input data as it is being transferred, helping to ensure data integrity
- Status output
- dcfldd can provide updates on its progress in terms of the amount of data transferred, and how much longer the operation will take
- Flexible disk wipes
- dcfldd can be used to wipe disks quickly, and with a known pattern if desired
- Verify
- dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern
- Multiple outputs
- dcfldd can output to multiple files or disks at the same time
- Split output
- dcfldd can split output to multiple files with more configurability than the split command
- Piped output and logs
- dcfldd can send all its log data and output to commands as well as files natively
- To acquire data from a USB drive
- Run the commands from a privileged root shell session
- To acquire a media into a single image, issue the following command: dcfldd if=/dev/sda of=/media/image.dd
- To split the output image into multiple segments, issue the following command
- dcfldd if=/dev/sda split=10M of=/media/image.dd
- This command splits the output image into multiple segments of 10 MB each
- Using macOS – Single User Mode
- Single-user mode in Mac Operating System is a basic console that supports command line
- To boot Mac in Single User mode, press and hold ‘Command + S’, before loading the operating system
- This mode allows user to operate in a secured environment as there is no interference of network services
- In Single User mode, the internal hard disk of the system is not mounted for write access and only a few commands are available for execution
- Because the startup disk is in read-only mode, the integrity of the disk can be preserved
- In Single User mode, dd command can be used to create an image of the Macintosh hard disk
- Procedure
- Boot the system into Single User mode
- Mount the External USB storage
- Determine the target disk to create Image
- Execute the ‘ls’ command to view all the available disks on the ‘/dev’ directory
- Syntax
- ls /dev/rdisk*
- Use ‘dd’ command to create Image of Macintosh HD
- Syntax
- dd if= bs=4k conv=noerror,sync of=
- Creating an image of rdisk0 and storing it in rdisk4
- The external USB device contains the forensic image of the target disk acquired using ‘dd’ command
- When the USB device is connected to the forensic workstation, it displays all the partitions that were on the target disk, creating the exact environment before image acquisition
- Using macOS – Target Disk Mode
- Target Disk Mode is a type of boot mode in Macintosh computers that allows transfer of files/folders from the internal drive of one Mac to another without booting the MacOS
- Acquiring Macintosh Image in Target Disk Mode requires
- Two Mac computers, each with a FireWire or Thunderbolt interface
- Disable ‘Disk Arbitration’ function to prevent automatic mounting of hard drives
- Steps involved
- During power-up of a Macintosh, Press and Hold the “T” key to boot the computer (e.g., the suspect computer) in Target Disk Mode
- When the firewire icon appears, connect the suspect computer to the Forensic Workstation (a Mac computer) through firewire/thunderbolt cable and the suspect computer appears as an external connected drive
- Use software such as FTK Imager/dd command to acquire physical image of the suspect computer’s hard drive
- After conducting forensic data acquisition, ‘Eject’ the externally connected disk and press ‘Power’ button to shut down the suspect computer
- Finally, disconnect the FireWire/Thunderbolt cable
- Using a Linux Bootable CD/USB
- Forensic investigators may face certain challenges while imaging Macs, which include finding compatible firewire ports, removing hard drive from the machine, finding a suitable adaptor for connecting a write-blocker, etc.
- In such situations, it is preferable to boot a live forensic CD or a USB and acquire an image
- Step 1: Create a Bootable USB
- Run the Rufus utility and select the CAINE ISO as the Boot Selection
- Click START and choose ISO image mode
- Step 2: Boot Mac from the Linux Bootable USB
- To boot a Mac from a USB device/external drive, Mac’s built-in ‘Startup Manager’ is used
- Turn ON the Mac, press and hold the ‘option’ key to boot in ‘Startup’ mode
- In ‘Startup’ mode, the CAINE USB is displayed as ‘EFI Boot’
- After CAINE boots, select ‘Boot Live Debug mode’
- The ‘Mounter’ utility in CAINE lists the drives that are currently mounted (here, the currently mounted device is the USB containing the CAINE distro)
- Run the ‘df’ command to list the mounted drives
- The write-blocking method in CAINE prevents accidental write operations on any disk, as all disks are locked into read-only mode
- Step 3: Allow ‘Make WRITEABLE’ option
- Now, mount an external drive to dump the image of the system’s hard disk
- By default, CAINE mounts the external drive in read-only mode. To dump the image of the hard disk to the external drive, you need to change it to WRITABLE mode
- This can be done by using the ‘Mounter’ utility
- Right-click on the ‘Mounter’ icon and choose ‘Make WRITEABLE’. This allows the ‘write’ option to the newly mounted devices, here the external drive
- Step 4: Use Guymager for Image acquisition
- Guymager is a forensic imager designed for media acquisition and runs in Linux
- Right-click on the drive that has to be imaged and select ‘Acquire Image’ option
- Provide the ‘Image directory’, which is the destination folder in the externally connected drive where the Image is stored
- Click ‘START’ to capture image
- On Mac Using Digital Collector
- Digital Collector→runs on macOS operating system and is used for volatile/non-volatile data acquisition, targeted data collection, and forensic imaging of Mac computers
- Acquiring RAID Disks
- There is no simple method to acquire a RAID server’s disks. Therefore, investigators must consider the following factors before acquiring the data
- The amount of data storage required to acquire all the data
- The RAID format used (RAID 0, RAID 1, RAID 2, etc.)
- The forensic tools that are suitable for imaging the RAID disks and reading these images
- Whether the tool is capable of reading the split data saved in each RAID disk and combining images of all the disks into a single RAID virtual drive for future examinations
- Several computer forensics tools are built with capabilities to recover RAID disks. These tools support data acquisition and examination of one or more types of RAID formats.
- The following is a list of tools that provide RAID acquisition functionality
- EnCase
- X-Ways Forensics
- ProDiscover
- Investigators should have knowledge of tools that support a particular RAID format, and stay up-to-date on the latest updates rolled out by their vendors
- RAID systems are often too large for acquisition via physical acquisition methods. Therefore, either sparse or logical acquisition techniques, which recover only data that might be of evidentiary value, are recommended.
- When you are required to acquire RAID servers with very high storage capacity, consult with the computer forensics vendor to determine the best method to acquire the RAID data
- Step 7: Plan for Contingency
Investigators must prepare for contingencies such as when the hardware or software does not work, or a failure occurs during acquisition
- Hard Disk Data Acquisition
- Investigators must create at least two images of the digital evidence collected, in order to preserve it. If one copy of the digital evidence recovered becomes corrupt, investigators can then use the other copy.
- Imaging Tools
- If you have access to two or more imaging tools, such as ProDiscover Forensics or AccessData FTK Imager, create two images of the evidence using at least two of them. If you have access to only one tool, make two or more images of the drive using the same tool.
- Hardware Acquisition Tool
- Consider using a hardware acquisition tool (such as UFED Ultimate or IM SOLO-4 G3 IT RUGGEDIZED) that can access the drive at the BIOS level to copy data in the Host Protected Area (HPA)
- Drive Decryption
- Be prepared to deal with encrypted drives that need the user to provide the decryption key for decrypting. Microsoft includes a full disk encryption feature (BitLocker) with select editions of Windows Vista and later.
- Step 8: Validate Data Acquisition
Validating data acquisition involves calculating the hash value of the target media and comparing it with its forensic counterpart to ensure that the data is completely acquired
Hash value calculation generates a unique numeric value for files which is used for preserving data integrity and preventing data alteration
If two files have the same hash value, they are taken to be completely identical even if they have different names
Utility algorithms that produce hash values include
- CRC-32
- This is a 32-bit CRC code used as an error detection method during data transmission. If the computed CRC bits are identical to the original CRC bits, it means that no error occurred
- MD5
- This is a cryptographic hash function with a 128-bit hash value. The hash value can be used to demonstrate integrity of data, and can be performed on various data types such as files, physical drives, partitions, etc.
- SHA-1 and SHA-256
- These are cryptographic hash functions that produce 160-bit and 256-bit message digests respectively
- Windows Validation Methods
- Windows computers come with the PowerShell utility, which can run cmdlets
- The Get-FileHash cmdlet computes the hash value for an evidence file by using the specified hash algorithm
- This hash value is used throughout the investigation for validating the integrity of the evidence
- Investigators can also use commercial computer forensics programs, which have built-in validation features that can be used to validate the evidence files
- For instance
- ProDiscover’s .eve files contain metadata in segmented files or acquisition files, including the hash value for the original media
- When you load the image to ProDiscover, it compares the hash value of this image to the hash value of the original media
- If the hashes do not match, the tool notifies that the image is corrupt, implying that the evidence cannot be considered reliable
- Linux/Mac Validation Methods
- Most Linux distributions provide an option to install and execute dcfldd, which can be used to validate data
- Mac provides only the dd command, so an additional hash-calculating utility is required for data validation
- md5sum and sha1sum are two hashing utilities that can be used in Linux to compute hashes of single or multiple files, single or multiple disk partitions, or an entire disk drive
- Validating Data Acquired with dd
- dd command allows you to acquire image in single or multiple segments depending on your requirement:
- Command to acquire an image in a single file
- dd if=/dev/sda of=/image_sda.dd
- You can use md5sum utility to validate the image
- Boot the Linux machine, launch a command line terminal, and change to the directory containing the image files. Issue the command md5sum /dev/sda > md5_hashes.txt to calculate the hash of the original drive.
- Now, run the command cat image_sda.dd | md5sum >> md5_hashes.txt to calculate the MD5 hash of the image file and append the output to the md5_hashes.txt file
- Execute the command cat md5_hashes.txt and compare the two hash values in the text file. If the two hash values are identical, the data acquisition is successful. The output would be similar to:
- 74596214a4ef4119c124896b45ac7ad6 /dev/sda
- 74596214a4ef4119c124896b45ac7ad6
- Close the terminal
- Note: To use other utilities such as sha1sum, sha256sum, or sha512sum, replace the md5sum commands with their respective commands
- Validating dcfldd Acquired Data
- dcfldd is designed for forensic data acquisition as well as hash calculation (the hash and hashlog options)
- Hash options available in dcfldd are sha1, sha256, sha384, sha512, and md5; several can be given at once as a comma-separated list
- Enter the following command in the terminal to create an image and calculate its sha256 hash as the data is acquired
- dcfldd if=/dev/sda split=100M of=/media/image.dd hash=sha256
- Enter the following command in the terminal to create an image and store its sha256 hash value in a text file
- dcfldd if=/dev/sda split=100M of=/media/image.dd hash=sha256 hashlog=/media/sha256.txt
- Navigate to the directory that contains the segmented/split files and enter the ls command to view the files generated by the split option (image.dd.000, image.dd.001, and so on), along with the sha256.txt file that stores the hash
- The vf (verify file) option compares a forensic image with the suspect media: vf=FILE succeeds only if FILE matches the input. It applies only to a single, non-segmented image file; for a segmented image, concatenate the segments in order and hash the stream instead. Enter the following command at the shell prompt to use the vf option
- dcfldd if=/dev/sda vf=image.dd
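The dd validation walk-through above and the dcfldd split/hashlog procedure both come down to one check: the digest of the acquired data must equal the digest of the source. The script below is an added example, not code from the page or from the dd/dcfldd projects. It images a constructed random-byte file (standing in for /dev/sda) with dd, once as a single image and once as fixed-size segments like dcfldd's split= option, writes a hash log in the style of md5_hashes.txt, and verifies each image; for the segmented case it streams the segments in order through one hash, which is how a split image is validated when vf= is not applicable. All paths are hypothetical, SHA-256 is used instead of MD5, and shasum is used as a fallback where coreutils sha256sum is absent.

```shell
#!/bin/sh
# Added example (not from the page): acquire a constructed "evidence" file with
# dd, as a single image and as fixed-size segments, and validate both by hash.
# Every path here is hypothetical; the sample source is generated on the fly.
set -u

# hash_of [FILE] : SHA-256 hex digest of FILE, or of stdin when no argument is
# given. Prefers coreutils sha256sum; falls back to shasum (macOS).
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "${1:--}"
    else
        shasum -a 256 "${1:--}"
    fi | awk '{print $1}'
}

# record_hash FILE LOG : append "digest  FILE" to LOG, the page's md5_hashes.txt
# idea, so the acquisition notes carry both digests for later comparison.
record_hash() {
    printf '%s  %s\n' "$(hash_of "$1")" "$1" >> "$2"
}

# verify_image SRC IMG : succeed only if IMG hashes identically to SRC.
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# acquire_image SRC IMG LOG : dd SRC to IMG, log both digests, then verify.
acquire_image() {
    dd if="$1" of="$2" bs=64k 2>/dev/null || return 1
    record_hash "$1" "$3"
    record_hash "$2" "$3"
    verify_image "$1" "$2"
}

# verify_segments SRC PREFIX : a per-segment digest cannot be compared with the
# source, so stream PREFIX.000, PREFIX.001, ... in order through one hash (the
# same byte stream dcfldd hashes for its hashlog) and compare that with SRC.
verify_segments() {
    [ "$(cat "$2".??? | hash_of)" = "$(hash_of "$1")" ]
}

# acquire_segmented SRC PREFIX SEG : write SRC as PREFIX.000, PREFIX.001, ... of
# SEG bytes each (dd's skip=/count= in units of SEG), then verify the set.
acquire_segmented() {
    total=$(( $(wc -c < "$1") ))
    n=0
    while [ $((n * $3)) -lt "$total" ]; do
        dd if="$1" of="$(printf '%s.%03d' "$2" "$n")" bs="$3" skip="$n" count=1 \
            2>/dev/null || return 1
        n=$((n + 1))
    done
    verify_segments "$1" "$2"
}

# Demo on a constructed 250 KiB random source standing in for /dev/sda.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.bin" bs=1k count=250 2>/dev/null
    if acquire_image "$work/evidence.bin" "$work/image.dd" "$work/hashes.txt"; then
        echo "single image verified"
    fi
    if acquire_segmented "$work/evidence.bin" "$work/image.dd" 102400; then
        echo "segmented image verified ($(ls "$work"/image.dd.??? | wc -l) segments)"
    fi
    cat "$work/hashes.txt"
    rm -rf "$work"
}
demo
```

On a real acquisition the source argument is the block device (for example /dev/sda behind a write blocker) and the functions need root to read it; the verification logic is unchanged. A tampered or truncated segment makes verify_segments fail, which is the signal that the set of segments is not a faithful copy.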
3.3 Prepare an Image File for Examination
- Preparing an Image for Examination
- Scenario 1: The Acquired Evidence is in E01 Format and the Forensic Workstation is Linux
- Method 1
- When an investigator is presented with an E01 (Expert Witness) file, the Linux mount command cannot mount it directly, because the E01 container compresses and segments the data
- The E01 image must first be exposed as a raw (dd-style) image; ‘xmount’ does this through FUSE, presenting a virtual raw file without writing a converted copy to disk
- To present an E01 as a raw image on Linux
- Use the xmount command with an input type of ewf and an output type of raw
- xmount --in ewf [file_name.E01] --out raw [mount_directory]
- Older xmount releases take the same options in the form xmount --in ewf --out dd [file_name.E01] [mount_directory]
- The virtual raw image then appears as a file inside the mount directory and can be mounted with mount -o ro,loop or opened with other tools
- Method 2
- Alternatively, the E01 file can be exposed as a raw image with ‘ewfmount’ (from libewf) and then mounted with ‘mount’ to access the volume’s files and directory structure
- Generate a raw image using ‘ewfmount’
- Use the ewfmount command to expose the E01 image as a raw image
- ewfmount [file_name.E01] [mount_directory]
- ewfmount places a single virtual file named ewf1 in the mount directory; that file is the raw image
- Mount the raw image using the ‘mount’ command
- Use the mount command to mount the raw image read-only through a loop device
- mount -o ro,loop,show_sys_files,streams_interface=windows [mount_directory]/ewf1 [volume_mount_directory]
- show_sys_files and streams_interface=windows are ntfs-3g options: the first lists NTFS metadata files such as $MFT in directory listings, the second exposes alternate data streams as file:stream names. If the image is a whole disk rather than a single volume, add offset=[value_in_bytes] to reach the partition.
- Scenario 2: The Acquired Evidence Needs to be Converted to a Bootable VM
- While performing a forensic examination on an image of a system drive, investigators might need to create a live environment of the machine to extract additional artifacts that may not be discovered in static analysis
- To do this, the investigator boots a copy of the forensically acquired image file as a virtual machine; the verified original image is never booted, because a running OS writes to its disk and would change the hash
- Step 1: Convert the acquired dd image file into a virtual machine disk format using the QEMU disk image utility
- qemu-img is a command-line tool used to create, convert, and modify disk image files offline
- Assuming that the virtualization platform used for forensics is Hyper-V, convert the dd image to a vhdx file (-f gives the input format, -O the output format)
- qemu-img convert -f raw -O vhdx [image_file_name.dd] [output_file_name.vhdx]
- Step 2: Create a new virtual machine, attach the vhdx file as its disk, and start it
- Step 3: Boot the virtual machine
- The virtual machine now boots from the converted image file
- During a forensic investigation, if the evidence virtual machine boots to a locked state, the investigator needs to gain authorized access to the system and log in to it
- Upon successful login, the system runs in a live environment, allowing the investigator to perform live analysis; hash the original dd image again afterwards to show it was not touched
- Scenario 3: The Acquired Physical Hard Disk Contains Windows File System and the Forensic Workstation is Linux
- When the acquired physical hard disk contains a Windows file system and the forensic workstation is Linux, an investigator follows these steps to mount the evidence and view its files; the disk is attached through a hardware write blocker, because a read-only mount protects the file system, not the raw device
- Step 1: Determine the file system type
- Issue the lshw command (narrowed with -class disk -class volume) in the command-line terminal to view the attached hard disk and the file system used on its volumes
- ‘lshw’ is a command-line utility that lists detailed information about the hardware devices available to the machine
- Step 2: List the partitions available on the evidence hard disk
- The lsblk command lists information about all block devices connected to the system (add -f to show the file system type of each partition)
- Issue this command to view the partitions on the evidence hard disk
- Step 3: Mount the Windows file system on Linux using the ‘mount’ command
- Create a mount directory (here, /media/windows) and issue the following command to mount the desired partition read-only
- mount -t ntfs-3g -o ro /dev/sdX[n] /media/windows
- After the partition is mounted, lsblk shows /media/windows in the MOUNTPOINT column for that partition
- Scenario 4: The Acquired Evidence Contains APFS File System and the Forensic Workstation is Linux
- When the acquired evidence contains an APFS file system and the forensic workstation is Linux, an investigator attaches the image to a loop device with losetup and then mounts that device with either mount (only if an APFS kernel driver is installed; mainline Linux has none) or apfs-fuse
- In this scenario, the evidence is mounted using losetup and apfs-fuse together
- Step 1: Identify an unused loopback device
- To mount an image, first identify an unused loopback device by issuing the following command
- losetup -f
- Step 2: Attach the image file to the unused loopback device
- Attach the APFS image file read-only (-r) to the unused loopback device
- losetup -r /dev/loop[number] [evidence.dd]
- This creates a block device, not yet a mount point; the loop device can now be mounted with mount or apfs-fuse. If the image is a whole disk rather than a single container, add -P to losetup so the APFS container partition appears as /dev/loop[number]p1
- Step 3: Mount the APFS file system
- Create a mount directory (named apfs) to which the APFS file system will be mounted, by issuing the command
- mkdir /mnt/apfs
- Mount the APFS file system from the loopback device by issuing either command
- mount /dev/loop[number] /mnt/apfs
- apfs-fuse /dev/loop[number] /mnt/apfs
- If no error is generated, the image file has been mounted successfully
- Upon successfully mounting the file system, you can view the contents of the image file
- Viewing an Image on a Windows Forensic Workstation
- Investigators can use tools such as Autopsy to examine the image files and gain insights on the files located in them
- Autopsy→is a digital forensics platform and graphical interface for The Sleuth Kit and other digital forensics tools that can be used to investigate activities that occurred on a computer
- Viewing an Image on a Linux Forensic Workstation
- A Linux workstation supports many file systems and contains advanced tools helpful for conducting forensic investigations
- Consider a scenario, where the investigator needs to examine a dd image file on a Linux Forensic Workstation
- Step 1
- Use the fdisk command to list information such as the sector size, start sector, and partition type of the evidence file
- fdisk -l [dd_image_file_name]
- -l lists the partition table on the specified device or image file
- The start sector is required for calculating the offset value before mounting the image file
- Step 2
- Create a new directory to mount the image file
- mkdir [options] directory_name(s)
- The Linux ‘mount’ command is used for mounting a storage device or a file system on the Linux operating system
- If the image contains multiple volumes, the user mounts one volume at a time by specifying an ‘offset’ to the volume
- mount -t ntfs -o ro,offset=[value_in_bytes] [dd_image_file_name] [mount_directory]
- -t, type of file system
- -o, options
- ro, read-only
- The offset is specified in bytes. Take the start sector (obtained from ‘fdisk’) and multiply it by the sector size in bytes; for example, a partition starting at sector 2048 on a disk with 512-byte sectors begins at offset 1048576.
- The volume is mounted read-only, and no modifications to files/folders are allowed
- Navigate to the mount point directory to view the files/folders in the mounted volume
- ls -l
- After conducting the forensic examination, unmount the volume
- umount [mount_directory]
- Now calculate the MD5 hash of the image file and compare it with the MD5 hash computed before the image was mounted
- Ensure that both hash values match; a mismatch means the image was altered while mounted and must be documented before the examination continues
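The offset arithmetic and the before/after hash check above are easy to get wrong by hand when an image holds several partitions, or when a bootable partition shifts the fdisk columns. The script below is an added example, not code from the page: it parses a constructed sample of fdisk -l output (the image name, partition names and disk identifier are hypothetical), derives the byte offset of each partition from its start sector and the logical sector size, prints the read-only mount command the procedure builds by hand, and provides the image-digest comparison used after umount. On a real workstation, FDISK_SAMPLE is replaced by the output of fdisk -l on the actual image.

```shell
#!/bin/sh
# Added example (not from the page): partition byte offsets from fdisk -l
# output, the matching read-only mount command, and a post-umount hash check.
# FDISK_SAMPLE is a constructed sample; image and partition names are hypothetical.
set -u

FDISK_SAMPLE='Disk image.dd: 8 GiB, 8589934592 bytes, 16777216 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1a2b3c4d

Device     Boot   Start      End  Sectors  Size Id Type
image.dd1  *       2048   206847   204800  100M  7 HPFS/NTFS/exFAT
image.dd2        206848 16777215 16570368  7.9G  7 HPFS/NTFS/exFAT'

# sector_size FDISK_TEXT : logical sector size in bytes from the "Sector size" line.
sector_size() {
    printf '%s\n' "$1" | awk '/^Sector size/ { print $4; exit }'
}

# start_sector FDISK_TEXT PARTITION : Start column of PARTITION's row. A bootable
# partition carries "*" in the Boot column, which shifts the remaining fields.
start_sector() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { s = ($2 == "*") ? $3 : $2; print s; exit }'
}

# partition_offset FDISK_TEXT PARTITION : start sector x sector size, the value
# for mount -o offset=. Fails if PARTITION is not in the table.
partition_offset() {
    s=$(start_sector "$1" "$2")
    [ -n "$s" ] || return 1
    echo $(( s * $(sector_size "$1") ))
}

# mount_command FDISK_TEXT PARTITION IMAGE DIR : the read-only offset mount line.
mount_command() {
    printf 'mount -t ntfs -o ro,offset=%s %s %s\n' \
        "$(partition_offset "$1" "$2")" "$3" "$4"
}

# image_digest FILE : SHA-256 of the image, taken before mounting and after umount.
image_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# unchanged FILE DIGEST : succeed only if FILE still hashes to DIGEST.
unchanged() {
    [ "$(image_digest "$1")" = "$2" ]
}

# Demo with the constructed sample; on a real workstation use "$(fdisk -l image.dd)".
demo() {
    for part in image.dd1 image.dd2; do
        echo "$part: start sector $(start_sector "$FDISK_SAMPLE" "$part"), offset $(partition_offset "$FDISK_SAMPLE" "$part") bytes"
    done
    mount_command "$FDISK_SAMPLE" image.dd2 image.dd /mnt/evidence
}
demo
```

The same offset value can be handed to losetup -o when a loop device is preferred over a direct offset mount; either way, record image_digest before mounting and confirm unchanged after umount.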
- Viewing an Image on a Mac Forensic Workstation
- Investigators can use tools such as R-Studio to examine the image files and gain insights into the files located in them
- R-STUDIO→is data recovery software used for examining and recovering files from various file systems such as NTFS, HFS/HFS+, and APFS (Macintosh)