HD Data Acquisition Chapter 3


Structure of Case File

Case #
  Case Files
    Image
      dd image
      Hash code
    Case Index
    FTK
      Report
    Doc
      Recovered files
      E-mails
      Photos
      Etc.

Forensic Work Station

Clean install of the OS
Clean install of all apps
Clean install of all forensic packages
Keep all evidence and case related info on an external clean hard drive
After case is “completed” physically archive the external hard drive
Wipe the operational hard drive

HD Data Acquisition
Imaging the Hard Drive

1. Acquisition Layers
2. Write Blockers
3. Media Preparation
4. Imaging
5. Integrity Hashes

Imaging Digital Media

Hash the media
Make an exact copy of the media
  Everything
  Errors, deleted stuff
Hash the image
Prove it is an exact copy
  Compare with hash of the original
  MD5, SHA1, SHA256

Acquisition Layers

Device    – Physical Layer
Partition – Logical Layer
File      – Logical Layer

Always acquire data at the lowest possible layer. Acquire every sector on the disk. Your tools can abstract the raw data at any level.

Acquisition Tools

Know what your tools do
  Test them
  Validate them
  Test plan
  Test report
NIST - http://www.cftt.nist.gov/disk_imaging.htm
http://nij.ncjrs.gov/publications/Pub_search.asp?category=99&searchtype=basic&location=top&PSID=55&sort=date#nijpubs

Imaging Hardware Setup

(diagram) Suspect Media -> Write Blocker -> Forensics Workstation -> Forensic Storage (External)

Write Blockers

Cannot touch the suspect media
Evidence cannot be altered
Important to verify
  Test, test, test
Hardware and Software
  Always use hardware
  Be careful of read only and read/write blockers

Write Blockers

1. HW
   1. Paraben
   2. Tableau
   $249.95 - $2000
2. SW
   Modifies interrupt table
3. NIST Reports
   http://www.cftt.nist.gov/software_write_block.htm

Write Blocker: Tableau T8
  Inputs: USB
  Outputs: USB, Firewire
  (photo labels: Write Blocker, On/Off Switch, USB Device)

Write Blocker: Tableau T35e
  Inputs: IDE, SATA
  Outputs: USB, Firewire
  (photo labels: Write Blocker, On/Off Switch, IDE Device, SATA Cable)

Write Blocker: Paraben
  Inputs: IDE
  Outputs: USB, Firewire
  (photo labels: Write Blocker, On/Off Switch, IDE Device)

Case Storage Media Preparation

External hard drive storage
  Zero all sectors
    32 bit checksum = 0
    32 bit sum with carry bit added
    Use WinHex
  Partition
  Format NTFS

Particulars
  Start up Helix live CD
  Zero drive         dd if=/dev/zero of=/dev/sdb
  Partition drive    fdisk /dev/sdb
  Etc.               mkntfs /dev/sdb

Imaging

Exact copy of drive
Cannot be changed
Must be verifiable
HW/SW

Reading the Source
1. Read device directly
2. Use the BIOS
   INT13h
   Extended INT13h
   May lie about the size
3. Dead vs Live acquisition
4. Error handling
   logging, bad blocks

Imaging Apps

FTK Imager
EnCase
WinHex
Open Source
  Bootable memory stick
  dd – Windows (Garner), linux
  Helix
Defense Computer Forensic Labs
  dcfldd
  dc3dd

Output Format of Image

1. Separate drive
   1. A single file – ease of use
   2. Multiple files – facilitate archiving on DVDs
      160 Gbytes ~~ 27 DVDs
2. Raw or Custom
   1. dd can be interpreted by everything
   2. EnCase has embedded info
3. Hash codes & errors
   1. Interlaced – EnCase saves in a proprietary format
   2. Separate file – dcfldd saves hashes in a separate file
   3. Nothing – dd; save the hash in a separate file, can calculate an MD5 hash

Image Formats

dd – Raw bit for bit copy
  .001
E01 – EnCase format
  .e01
  Includes file description, hashes, etc.
  Uses zLib compression
AD1 – AccessData Custom Content Logical Image
S01 – SMART linux format
  SMART format

Integrity Hashes

1. CRC, MD5, SHA, SHA1, SHA256
2. By device
3. By partition
4. By sector

dd
  Standard on all linux distros
  Windows
    http://gmgsystemsinc.com/fau/
    Create a directory at root level: C:\bin
    Add that path to your path environment variable
      Control Panel\System Properties\environment variables\system variables\path – edit
      Append C:\bin
    Add sysinternals

Using dd

Unix command structure
Included with all Unix/Linux/BSD distros
Windows version is available
  http://unxutils.sourceforge.net/
  http://www.gmgsystemsinc.com/fau/

  #dd input output options
  #dd if=suspect.drive of=E:\Case\image\captured

Input Sources

Linux
  /dev/hda – ATAPI device
  /dev/sda – SCSI device
  /dev/fd0 – Floppy
  /dev/mem – RAM
Windows
  \\.\PhysicalDevice0 – IDE bus 0 master device
  \\.\PhysicalMemory – RAM

Output Sources

Windows
  F:\Images\Case-08001
Linux on another drive internal
  /dev/hdb1 – Saved onto the slave drive on IDE bus 1
Usually an external USB hard drive is mounted
  /media/FlashDisk/hda-evidence.data

Options

bs=n, ibs, obs   Block size is n bytes, in or out or both
skip=n           Skip n blocks
count=n          Copy n blocks
Must declare block size prior to skip/count

  #dd if=/dev/sda1 of=/root/lynn.dd bs=4096 count=1

Example

  #dd if=/dev/sda1 of=/home/lynn/example.dd bs=512 count=1
0000000: eb3c 904d 5344 4f53 352e 3000 0204 0100  .<.MSDOS5.0.....
0000010: 0200 0200 00f8 ff00 3f00 ff00 3f00 0000  ........?...?...
0000020: dfe7 0300 8001 2905 8f93 804e 4f20 4e41  ......)....NO NA
0000030: 4d45 2020 2020 4641 5431 3620 2020 33c9  ME    FAT16   3.
0000040: 8ed1 bcf0 7b8e d9b8 0020 8ec0 fcbd 007c  ....{.... .....|
0000050: 384e 247d 248b c199 e83c 0172 1c83 eb3a  8N$}$....<.r...:
0000060: 66a1 1c7c 2666 3b07 268a 57fc 7506 80ca  f..|&f;.&.W.u...
0000070: 0288 5602 80c3 1073 eb33 c98a 4610 98f7  ..V....s.3..F...
0000080: 6616 0346 1c13 561e 0346 0e13 d18b 7611  f..F..V..F....v.
0000090: 6089 46fc 8956 feb8 2000 f7e6 8b5e 0b03  `.F..V.. ....^..
00000a0: c348 f7f3 0146 fc11 4efe 61bf 0000 e8e6  .H...F..N.a.....
00000b0: 0072 3926 382d 7417 60b1 0bbe a17d f3a6  .r9&8-t.`....}..
00000c0: 6174 324e 7409 83c7 203b fb72 e6eb dca0  at2Nt... ;.r....
00000d0: fb7d b47d 8bf0 ac98 4074 0c48 7413 b40e  .}.}....@t.Ht...
00000e0: bb07 00cd 10eb efa0 fd7d ebe6 a0fc 7deb  .........}....}.
00000f0: e1cd 16cd 1926 8b55 1a52 b001 bb00 00e8  .....&.U.R......
0000100: 3b00 72e8 5b8a 5624 be0b 7c8b fcc7 46f0  ;.r.[.V$..|...F.
0000110: 3d7d c746 f429 7d8c d989 4ef2 894e f6c6  =}.F.)}...N..N..
0000120: 0696 7dcb ea03 0000 200f b6c8 668b 46f8  ..}..... ...f.F.
0000130: 6603 461c 668b d066 c1ea 10eb 5e0f b6c8  f.F.f..f....^...
0000140: 4a4a 8a46 0d32 e4f7 e203 46fc 1356 feeb  JJ.F.2....F..V..
0000150: 4a52 5006 536a 016a 1091 8b46 1896 9233  JRP.Sj.j...F...3
0000160: d2f7 f691 f7f6 4287 caf7 761a 8af2 8ae8  ......B...v.....
0000170: c0cc 020a ccb8 0102 807e 020e 7504 b442  .........~..u..B
0000180: 8bf4 8a56 24cd 1361 6172 0b40 7501 4203  ...V$..aar.@u.B.
0000190: 5e0b 4975 06f8 c341 bb00 0060 666a 00eb  ^.Iu...A...`fj..
00001a0: b04e 544c 4452 2020 2020 2020 0d0a 6720  .NTLDR      ..g 
00001b0: 5379 7374 656d 206d 6973 7369 6e67 ff0d  System missing..
00001c0: 0a44 6973 6b20 6572 726f 72ff 0d0a 5072  .Disk error...Pr
00001d0: 6573 7320 616e 7920 6b65 7920 746f 2072  ess any key to r
00001e0: 6573 7461 7274 0d0a 0000 0000 0000 0000  estart..........
00001f0: 0000 0000 0000 0000 0000 00ac bfcc 55aa  ..............U.

Md5 Hash
#dd if=/dev/sda1 bs=512 count=1 | md5sum > hash.txt
#cat hash.txt
D41d8cd98f00b204e9800998ecf8427e
#dd if=/dev/sda1 bs=512 count=1 | sha1sum > hash.txt
#cat hash.txt
d41d8cd98f00b204e9800998ecf8427e
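The sector dumped above is a FAT16 boot sector, and it shows what "your tools can abstract the raw data at any level" means in practice: the same 512 bytes that hash as a blob can be read field by field. The script below is an added example, not part of the lecture or of any tool it names: it rebuilds the first 64 bytes (the jump, the OEM name and the BIOS Parameter Block) from the hexdump as a constructed sector, zero-fills the boot-code region, keeps the 0x55AA signature, and reads the BPB fields back with od and dd using only the documented FAT12/16 offsets. All function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the lecture: pull the FAT16 BIOS Parameter Block (BPB)
# out of the first sector captured with "dd if=/dev/sda1 ... bs=512 count=1".
# The 64 bytes in BPB_HEX are transcribed from the hexdump shown above; the boot
# code and message strings that follow are zero-filled here (only the BPB is parsed)
# and the 0x55AA signature at offset 510 is kept. Needs only dd, od and a POSIX sh.

BPB_HEX='
eb 3c 90 4d 53 44 4f 53 35 2e 30 00 02 04 01 00
02 00 02 00 00 f8 ff 00 3f 00 ff 00 3f 00 00 00
df e7 03 00 80 01 29 05 8f 93 80 4e 4f 20 4e 41
4d 45 20 20 20 20 46 41 54 31 36 20 20 20 33 c9
'

write_sector() {                # $1 = output path; builds the 512-byte constructed sector
    : > "$1"
    for h in $BPB_HEX; do       # each hex pair becomes one raw byte via an octal escape
        printf "\\$(printf '%03o' "$((0x$h))")" >> "$1"
    done
    dd if=/dev/zero bs=1 count=446 >> "$1" 2>/dev/null   # bytes 64..509: boot code, zeroed here
    printf '\125\252' >> "$1"                            # bytes 510..511: 0x55 0xAA signature
}

le_uint() {                     # $1 = file, $2 = byte offset, $3 = width; little-endian unsigned integer
    set -- $(od -An -tu1 -j "$2" -N "$3" "$1")   # positional params are now the bytes, LSB first
    v=0; mul=1
    for b in "$@"; do v=$((v + b * mul)); mul=$((mul * 256)); done
    echo "$v"
}

ascii_field() {                 # $1 = file, $2 = offset, $3 = length; raw text field, padding kept
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# BPB fields at their documented FAT12/16 offsets
bpb_bytes_per_sector()    { le_uint "$1" 11 2; }
bpb_sectors_per_cluster() { le_uint "$1" 13 1; }
bpb_reserved_sectors()    { le_uint "$1" 14 2; }
bpb_fat_count()           { le_uint "$1" 16 1; }
bpb_root_entries()        { le_uint "$1" 17 2; }
bpb_sectors_per_fat()     { le_uint "$1" 22 2; }
bpb_hidden_sectors()      { le_uint "$1" 28 4; }
bpb_total_sectors() {           # 16-bit count at offset 19, else the 32-bit count at offset 32
    n=$(le_uint "$1" 19 2)
    if [ "$n" -ne 0 ]; then echo "$n"; else le_uint "$1" 32 4; fi
}
bpb_volume_id()           { printf '%08x' "$(le_uint "$1" 39 4)"; }
bpb_volume_label()        { ascii_field "$1" 43 11; }
bpb_fs_type()             { ascii_field "$1" 54 8; }
boot_signature_ok()       { [ "$(le_uint "$1" 510 2)" -eq 43605 ]; }   # 0xAA55 read little-endian

bpb_first_data_sector() {       # where cluster 2 starts: reserved + FAT copies + root directory sectors
    bps=$(bpb_bytes_per_sector "$1")
    root_sectors=$(( ($(bpb_root_entries "$1") * 32 + bps - 1) / bps ))
    echo $(( $(bpb_reserved_sectors "$1") + $(bpb_fat_count "$1") * $(bpb_sectors_per_fat "$1") + root_sectors ))
}

SECTOR_FILE=$(mktemp)
trap 'rm -f "$SECTOR_FILE"' EXIT
write_sector "$SECTOR_FILE"
echo "bytes/sector:      $(bpb_bytes_per_sector "$SECTOR_FILE")"
echo "sectors/cluster:   $(bpb_sectors_per_cluster "$SECTOR_FILE")"
echo "reserved / FATs:   $(bpb_reserved_sectors "$SECTOR_FILE") / $(bpb_fat_count "$SECTOR_FILE") x $(bpb_sectors_per_fat "$SECTOR_FILE") sectors"
echo "total sectors:     $(bpb_total_sectors "$SECTOR_FILE")"
echo "volume id / label: $(bpb_volume_id "$SECTOR_FILE") '$(bpb_volume_label "$SECTOR_FILE")'"
echo "fs type:           '$(bpb_fs_type "$SECTOR_FILE")'"
echo "first data sector: $(bpb_first_data_sector "$SECTOR_FILE")"
boot_signature_ok "$SECTOR_FILE" && echo "boot signature:    0xAA55 present"
```

Reading the integer fields byte by byte and multiplying out avoids depending on the host byte order that od's -tu2 and -tu4 would impose. The first-data-sector value is the one you need when you later want to walk clusters in the raw image rather than through a mounted view.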
dcfldd

Very much like dd
  dcfldd if=/dev/mem of=/home/image conv=noerror bs=4096 \
      errlog=error_log1 \
      hash=md5 hashwindow=4096 hashlog=hash_dmp1 \
      hashformat="#hash#" >> report
However lets you make multiple copies of the image
  dcfldd if=/dev/mem of=/home/image of=/media/storage/image2

Bad Sectors

Bad sectors are treated differently
  Hashes may be different
  Some imagers zero fill
  One hash is calculated by ignoring the sector
  The other using the zero fill after imaging
  Hard to explain in court

Remedies
  dcfldd
    conv=noerror,sync   Converts bad sectors to zeroes; continues if an error is encountered
    hashconv=after      Calculates the device hash after the conversion
  Can be questioned in court
  Hard to explain in court

Better solution
  Use small hash window
  Compare all the hashes of the small chunks
    hashwindow=1M hashlog=hash-dump
  Show that only on the bad sector the hashes don't agree
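The script below is an added example, not part of the lecture or of dcfldd: it works through both the "hash the media, hash the image, compare" routine from the Imaging Digital Media slide and the hash-window remedy above, on a constructed 128-sector file that stands in for /dev/sda1. The read error is simulated by zero-filling one sector in the copy, which is exactly what conv=noerror,sync leaves behind, and a plain dd loop with bs/skip/count plays the role of hashwindow so the mechanism is visible. Sector numbers, file names and the window sizes are the example's own. One caveat worth keeping next to the Md5 Hash slide: d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero bytes of input, so a pipeline that prints it produced no data at all and the read must be investigated before any hash is recorded.

```shell
#!/bin/sh
# Added example, not part of the lecture: acquire a (constructed) drive with dd,
# hash source and image whole, then hash both in small windows to localize where
# a zero-filled bad sector makes the two disagree. A 128-sector file stands in
# for /dev/sda1; the "bad" sector is simulated by zero-filling it in the image,
# which is what conv=noerror,sync does on a real read error. Needs dd, md5sum,
# paste, awk and a POSIX sh.

SECTOR=512
BAD=70                          # constructed: the sector that "fails" on read

make_drive() {                  # $1 = path, $2 = sector count; sector i holds "sector i" padded to 512 bytes
    : > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '%-512s' "sector $i" >> "$1"
        i=$((i + 1))
    done
}

acquire() {                     # $1 = source, $2 = image; the dd copy plus the simulated read error
    dd if="$1" of="$2" bs="$SECTOR" 2>/dev/null
    dd if=/dev/zero of="$2" bs="$SECTOR" seek="$BAD" count=1 conv=notrunc 2>/dev/null
}

hash_whole() {                  # $1 = path; MD5 of the whole device or image
    md5sum "$1" | cut -d' ' -f1
}

hash_windows() {                # $1 = path, $2 = window bytes; one "index md5" line per window
    size=$(( $(wc -c < "$1") ))
    n=0
    while [ $((n * $2)) -lt "$size" ]; do
        echo "$n $(dd if="$1" bs="$2" skip="$n" count=1 2>/dev/null | md5sum | cut -d' ' -f1)"
        n=$((n + 1))
    done
}

mismatched_windows() {          # $1 = original, $2 = image, $3 = window bytes; indices whose hashes differ
    a=$(mktemp); b=$(mktemp)
    hash_windows "$1" "$3" > "$a"
    hash_windows "$2" "$3" > "$b"
    paste -d' ' "$a" "$b" | awk '$2 != $4 { print $1 }'
    rm -f "$a" "$b"
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/suspect.raw"; IMG="$WORK/suspect.dd"
make_drive "$SRC" 128
acquire "$SRC" "$IMG"
echo "device MD5: $(hash_whole "$SRC")"
echo "image  MD5: $(hash_whole "$IMG")   (differ, and a single hash cannot say why)"
echo "8192-byte windows that disagree: $(mismatched_windows "$SRC" "$IMG" 8192 | tr '\n' ' ')"
echo "512-byte windows that disagree:  $(mismatched_windows "$SRC" "$IMG" 512 | tr '\n' ' ')"
```

With 8192-byte windows only window 4 (sectors 64 to 79) disagrees, and with 512-byte windows only sector 70 does; every other window hashes identically on both sides, which is the statement you can actually put in front of a court. The same loop is what hashwindow=1M hashlog=hash-dump produces for you in dcfldd, with a log file in place of the echo.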
dc3dd

Makes dd similar to dcfldd
Written by Jesse Kornblum
Maintained by DoD Cyber Crime Center
  dcfldd if=/dev/mem of=/home/image conv=noerror bs=4096 \
      errlog=error_log1 \
      hash=md5 hashwindow=4096 hashlog=hash_dmp1 \
      hashformat="#hash#" >> report

• Pattern writes.
• Piecewise and overall hashing with multiple algorithms and variable size windows. Supports MD5, SHA-1, SHA-256, and SHA-512.
• Progress meter with automatic input/output file size probing
• Combined log for hashes and errors
• Error grouping. Produces one error message for identical sequential errors
• Verify mode.
• Ability to split the output into chunks with numerical or alphabetic extensions

dd_rescue

Sort of like dd
However some of the options are not called the same
Ddrescue copies data from one device to another
Attempts to correct block errors
Usually does a really good job
Can take a long time if the drive is hosed
Not forensically sound

ddrescue (GNU)

Sort of like dd_rescue
However some of the options are not called the same
ddrescue copies data from one device to another
Attempts to correct block errors
Usually does a really good job
Can take a long time if the drive is hosed
Not forensically sound

X-Ways Software Technology AG

Builds WinHex
  Very good hexadecimal editor
  $300
And X-Ways Forensics
  Excellent Forensics package
  $1000

Access Data Corp.

FTK – Forensics Tool Kit
  1.70, 1.72, 1.80, 2.0, 2.2, 3.2
  $3000 - 4000
PRTK – Password Recovery Toolkit
Registry Viewer
FTK Imager
  Free

Spinrite

Fast
Accurate
Does over write the drive
Not forensically sound
Great if you are desperate
Recovers a lot of data off of an injured drive
$89.00

Lab Today

Dry Run
Use dd on the hard drive in the workstation
  Only capture the first 100 sectors or so
  Look at the image in WinHex
  Save it, you will need it next week