Introduction to the basic concepts of digital forensic image acquisition, hardware/software write-blocking techniques and forensic image formats
2. FORENSIC ACQUISITION
• Forensic acquisition is the process of acquiring a forensically sound copy or image of the device or media to analyze.
• “Forensically sound” means that we shall be able to verify that the image is an exact copy of the original, and that the procedure used to acquire it shall be documented.
3. FORENSIC IMAGE
• A forensic image is a bit-by-bit copy of the media to acquire and the basis on which the examiner works to extract the evidence.
• It’s not simply cloning the file system; it’s a copy of all the raw disk (or partition) sectors.
• The original media must not be altered in any way!
• The integrity of the image file shall be verified and I/O errors logged.
4. ACQUISITION SCENARIOS
• There are two scenarios when acquiring a forensic image: the hard drive either can or cannot be removed from the suspect computer.
• In the first case, the drive should be attached to a forensic workstation using a write-blocking mechanism.
• In the second case, we can use a forensic live CD, booted in forensic mode.
5. WRITE BLOCKING METHODS
• Write-blocking mechanisms can be implemented in hardware or software.
• Hardware write blockers are devices that protect the drive from writes and come with different types of connectors (SATA, IDE, USB, FireWire...).
• They are quite expensive, but their use is preferable.
6. SOFTWARE WRITE BLOCKING
• Software write blocking is quite a controversial topic.
• Simply mounting a drive as read-only doesn’t fully guarantee that it is not written to!
• Various techniques have been developed.
7. SOFTWARE WRITE BLOCKING
• An example is the Linux write blocker kernel patch written by M. Suhanov (https://github.com/msuhanov/Linux-write-blocker).
• It blocks the write commands at the device driver level.
• But it requires the kernel to be recompiled.
8. FORENSIC IMAGE FORMATS
• A raw image is a duplicate of all the sectors of a disk or partition.
• It contains no additional metadata.
• It can be obtained with tools like dd (Data Dump); variants of dd have been developed for forensics.
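The two requirements of slide 3 (verify the image's integrity, log I/O errors) applied to the raw-image acquisition of slide 8, as an added example that is not part of the original slides: a sector-by-sector imager that zero-fills and logs unreadable sectors (the behaviour of dd's conv=noerror,sync), hashes the image as it is written, re-hashes it from disk, and returns a record documenting the run. The FaultySource class and the demo data are constructed stand-ins for a real block device.

```python
import hashlib
import os
import tempfile
import time

SECTOR = 512  # logical sector size assumed for the constructed "device"


class FaultySource:
    """Constructed stand-in for a block device: bytes plus sector numbers that raise OSError on read."""
    def __init__(self, data, bad_sectors):
        self.data, self.bad = data, set(bad_sectors)
        self.sectors = (len(data) + SECTOR - 1) // SECTOR

    def read_sector(self, n):
        if n in self.bad:
            raise OSError(5, "Input/output error")  # imitates unreadable media
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire(src, dst_path):
    """Image src sector by sector into dst_path; unreadable sectors are zero-filled and logged
    (what dd conv=noerror,sync does), the image is hashed while written and re-hashed from disk."""
    stream_hash, bad = hashlib.sha256(), []
    with open(dst_path, "wb") as out:
        for n in range(src.sectors):
            try:
                chunk = src.read_sector(n).ljust(SECTOR, b"\x00")  # pad a short final sector
            except OSError:
                bad.append(n)                 # the I/O error log required for a sound image
                chunk = b"\x00" * SECTOR      # keep offsets aligned with the original media
            out.write(chunk)
            stream_hash.update(chunk)
    disk_hash = hashlib.sha256()
    with open(dst_path, "rb") as img:      # second pass: verify what actually landed on disk
        for block in iter(lambda: img.read(1 << 20), b""):
            disk_hash.update(block)
    return {  # the record that documents the acquisition procedure
        "image": dst_path, "image_size": os.path.getsize(dst_path), "sector_size": SECTOR,
        "sectors": src.sectors, "bad_sectors": bad,
        "sha256_stream": stream_hash.hexdigest(), "sha256_image": disk_hash.hexdigest(),
        "verified": stream_hash.hexdigest() == disk_hash.hexdigest(),
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }


def demo(bad_sectors=(5, 17)):
    """Constructed run: a 64-sector device with two unreadable sectors."""
    data = bytes(range(256)) * (64 * SECTOR // 256)
    image_path = os.path.join(tempfile.mkdtemp(), "evidence.dd")
    return acquire(FaultySource(data, bad_sectors), image_path)
```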
9. FORENSIC IMAGE FORMATS
• Another open forensic format is the Advanced Forensic Format (AFF).
• It supports compression and encryption of images.
• The AFFlib package converts and manages AFF images.
10. FORENSIC IMAGE FORMATS
• Proprietary formats: Expert Witness Format (EWF) and SMART.
• Both support compression and encryption of images.
• The libewf package converts and manages EWF images.