Guide to Computer Forensics and Investigations, Fourth Edition
Chapter 4: Data Acquisition

Contents (slide numbers as in the deck)
  2  Understanding Storage Formats for Digital Evidence
  3  Raw Format
  4  Proprietary Formats
  5-6  Advanced Forensics Format
  7-10  Determining the Best Acquisition Method
  11  Contingency Planning for Image Acquisitions
  12  Using Acquisition Tools
  13-14  Windows XP Write-Protection with USB Devices
  15-18  Capturing an Image with ProDiscover Basic
  19-21  Capturing an Image with AccessData FTK Imager
  22  Validating Data Acquisitions
  23  Windows Validation Methods
  24  Performing RAID Data Acquisitions
  25-26  Understanding RAID
  27-29  untitled slides
  30  Acquiring RAID Disks
  31  Using Remote Network Acquisition Tools
  32-33  Remote Acquisition with ProDiscover
  34-35  Summary
(This preview stops partway through slide 18.)

Understanding Storage Formats for Digital Evidence
• Three formats
  – Raw format
  – Proprietary formats
  – Advanced Forensics Format (AFF)

Raw Format
• Makes it possible to write bit-stream data to files
• Advantages
  – Fast data transfers
  – Can ignore minor data read errors on the source drive
  – Most computer forensics tools can read raw format
• Disadvantages
  – Requires as much storage as the original disk or data
  – Tools might not collect marginal (bad) sectors

Proprietary Formats
• Features offered
  – Option to compress or not compress image files
  – Can split an image into smaller segmented files
  – Can integrate metadata into the image file
• Disadvantages
  – Inability to share an image between different tools
  – File size limitation for each segmented volume

Advanced Forensics Format
• Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation
• Design goals
  – Provide compressed or uncompressed image files
  – No size restriction for disk-to-image files
  – Provide space in the image file or segmented files for metadata
  – Simple design with extensibility
  – Open source for multiple platforms and OSs

Advanced Forensics Format (continued)
• Design goals (continued)
  – Internal consistency checks for self-authentication
• File extensions include .afd for segmented image files and .afm for AFF metadata
• AFF is open source

Determining the Best Acquisition Method
• Types of acquisitions
  – Static acquisitions and live acquisitions
• Four methods
  – Bit-stream disk-to-image file
  – Bit-stream disk-to-disk
  – Logical disk-to-disk or disk-to-data file
  – Sparse data copy of a file or folder

Determining the Best Acquisition Method (continued)
• Bit-stream disk-to-image file
  – Most common method
  – Can make more than one copy
  – Copies are bit-for-bit replications of the original drive
  – ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
• Bit-stream disk-to-disk
  – When a disk-to-image copy is not possible
  – Consider the disk's geometry configuration
  – EnCase, SafeBack, SnapCopy

Determining the Best Acquisition Method (continued)
• Logical acquisition or sparse acquisition
  – When your time is limited
  – Logical acquisition captures only specific files of interest to the case
  – Sparse acquisition also collects fragments of unallocated (deleted) data
  – For large disks
  – PST or OST mail files, RAID servers

Determining the Best Acquisition Method (continued)
• When making a copy, consider:
  – Size of the source disk
    • Lossless compression might be useful
    • Use digital signatures for verification
    • When working with large drives, an alternative is using tape backup systems
  – Whether you can retain the disk

Contingency Planning for Image Acquisitions
• Create a duplicate copy of your evidence image file
• Make at least two images of digital evidence
  – Use different tools or techniques
• Copy the host protected area of a disk drive as well
  – Consider using a hardware acquisition tool that can access the drive at the BIOS level
• Be prepared to deal with encrypted drives
  – Whole disk encryption feature (BitLocker) in Windows Vista Ultimate and Enterprise editions

Using Acquisition Tools
• Acquisition tools for Windows
  – Advantages
    • Make acquiring evidence from a suspect drive more convenient
      – Especially when used with hot-swappable devices
  – Disadvantages
    • Must protect acquired data with a well-tested write-blocking hardware device
    • Tools can't acquire data from a disk's host protected area

Windows XP Write-Protection with USB Devices
• USB write-protection feature
  – Blocks any writing to USB devices
  – Because USB writes are blocked, the target (destination) drive needs to be connected to an internal PATA (IDE), SATA, or SCSI controller
• Steps to update the Registry for Windows XP SP2
  – Back up the Registry
  – Modify the Registry with the write-protection feature (the WriteProtect DWORD under HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies: 1 blocks writes, 0 allows them)
  – Create two desktop icons to automate switching between enabling and disabling writes to USB devices

Windows XP Write-Protection with USB Devices (continued)
(screenshot only)

Capturing an Image with ProDiscover Basic
• Connecting the suspect's drive to your workstation
  – Document the chain of evidence for the drive
  – Remove the drive from the suspect's computer
  – Configure the suspect drive's jumpers as needed
  – Connect the suspect drive
  – Create a storage folder on the target drive
• Using ProDiscover's Proprietary Acquisition Format
  – Image file will be split into segments of 650 MB
  – Creates image files with an .eve extension, a log file (.log extension), and a special inventory file (.pds extension)

Capturing an Image with ProDiscover Basic (continued)
(screenshot only)

Slide 17
(screenshot only)

Capturing an Image with ProDiscover Basic (continued)
• Using ProDiscover's Raw
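The following block is an added example for this study guide, not code from the book, ProDiscover, FTK Imager or the AFF library. It shows, in one small imager, what the Raw Format and Proprietary Formats slides describe and what the acquisition-method slides ask for: a bit-stream disk-to-image copy that tolerates read errors by zero-filling only the unreadable sectors (and records which ones, so the "marginal sectors not collected" caveat is visible), output split into fixed-size segments, a metadata sidecar, and hash validation of the result. The names FlakySource, acquire, verify and demo, the .000/.001 segment naming and the .json sidecar are this example's own conventions (not ProDiscover's .eve/.log/.pds or AFF's .afd/.afm), and the source with injected bad sectors is constructed in memory so the code runs offline.

```python
"""Segmented bit-stream (disk-to-image) acquisition with read-error handling,
a metadata sidecar and hash validation.  Added example for this study guide,
not code from the book, ProDiscover, FTK Imager or the AFF library.  In real use
`src` is a raw device opened read-only behind a hardware write blocker."""
import hashlib
import io
import json
import os
import tempfile

SECTOR = 512

class FlakySource(io.BytesIO):
    """Constructed drive stand-in: a read touching a listed sector raises OSError."""

    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.bad = set(bad_sectors)

    def read(self, n=-1):
        first, last = self.tell() // SECTOR, (self.tell() + n - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError("I/O error")  # whole request fails, as a drive would
        return super().read(n)

def _read_block(src, offset, size):
    """Read `size` bytes at `offset`; if that fails, retry sector by sector and
    zero-fill only the unreadable sectors (the raw-format trade-off: read errors
    are tolerated, but the contents of marginal sectors are not collected)."""
    src.seek(offset)
    try:
        return src.read(size), []
    except OSError:
        out, bad = bytearray(), []
    for off in range(offset, offset + size, SECTOR):
        src.seek(off)
        try:
            out += src.read(SECTOR)
        except OSError:
            out += b"\x00" * SECTOR
            bad.append(off // SECTOR)
    return bytes(out), bad

def acquire(src, dest_prefix, total_bytes, segment_bytes, block_bytes=64 * SECTOR):
    """Copy `total_bytes` bit-for-bit into dest_prefix.000, .001, ... of at most
    `segment_bytes` each; write dest_prefix.json with hashes and bad sectors."""
    assert total_bytes % SECTOR == 0 and segment_bytes % block_bytes == 0
    meta = {"total_bytes": total_bytes, "segments": [], "bad_sectors": []}
    whole, offset = hashlib.sha256(), 0
    while offset < total_bytes:
        seg_end = min(offset + segment_bytes, total_bytes)
        name, seg_hash = f"{dest_prefix}.{len(meta['segments']):03d}", hashlib.sha256()
        with open(name, "wb") as fh:
            while offset < seg_end:
                size = min(block_bytes, seg_end - offset)
                data, bad = _read_block(src, offset, size)
                assert len(data) == size, f"short read at offset {offset}"
                fh.write(data)
                seg_hash.update(data)
                whole.update(data)
                meta["bad_sectors"] += bad
                offset += size
        meta["segments"].append({"file": os.path.basename(name),
                                 "sha256": seg_hash.hexdigest()})
    meta["sha256"] = whole.hexdigest()
    with open(dest_prefix + ".json", "w") as fh:
        json.dump(meta, fh, indent=2)
    return meta

def verify(dest_prefix):
    """Re-hash the segments in sidecar order; return (whole_ok, [per-segment ok])."""
    with open(dest_prefix + ".json") as fh:
        meta = json.load(fh)
    whole, seg_ok = hashlib.sha256(), []
    for seg in meta["segments"]:
        h = hashlib.sha256()
        with open(os.path.join(os.path.dirname(dest_prefix), seg["file"]), "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
                whole.update(chunk)
        seg_ok.append(h.hexdigest() == seg["sha256"])
    return whole.hexdigest() == meta["sha256"], seg_ok

def demo():
    """Image a constructed 32-sector source with bad sectors 3 and 29 into four
    4 KiB segments, validate, corrupt one segment, validate again."""
    data = bytes(range(256)) * 64                        # 16 KiB = 32 sectors
    prefix = os.path.join(tempfile.mkdtemp(), "evidence")
    meta = acquire(FlakySource(data, [3, 29]), prefix, len(data), 4096, 2048)
    expected = bytearray(data)                           # what the raw image must hold
    for s in meta["bad_sectors"]:
        expected[s * SECTOR:(s + 1) * SECTOR] = b"\x00" * SECTOR
    clean = verify(prefix)
    with open(prefix + ".001", "r+b") as fh:             # flip one byte of segment 1
        fh.write(b"\xff")
    return {"segments": len(meta["segments"]), "bad_sectors": meta["bad_sectors"],
            "hash_ok": meta["sha256"] == hashlib.sha256(expected).hexdigest(),
            "verify_clean": clean, "verify_tampered": verify(prefix)}
```

Against a real drive you would open the device read-only behind a write blocker, take its size from seek(0, 2) and tell(), and pass a segment size such as the 650 MB the ProDiscover slide mentions. demo() exercises the two points the slides make: the image hash matches the source with the two bad sectors zeroed (those sectors are recorded in the sidecar but their contents are gone), and once a single byte of one segment is altered, verification pinpoints that segment and the whole-image hash no longer matches, which is why the deck insists on hashing every copy.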

