Summary

This document provides an overview of data acquisition methodology, including steps, tools, and considerations for forensic investigations. The document focuses on the methodology's importance in preserving the integrity and accuracy of evidence during forensic analysis.

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Computer Forensics

Data Acquisition Methodology

Figure 20.11: Block diagram of data acquisition methodology (panel text: "If Computer is On?")

While performing forensic data acquisition, potential approaches must be carefully considered, and methodologies aimed at protecting the integrity and accuracy of the original evidence must be followed. Data acquisition must be performed as per departmental or organizational policies and in compliance with applicable standards, rules, and laws. In addition, investigators should perform the data acquisition process in a forensically sound manner and authenticate the acquired image's integrity by using hash algorithms.

Module 20 Page 2277 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

The following are the steps involved in the forensic data acquisition methodology. They are discussed in detail in the rest of this section.

1. Determining the data acquisition method
2. Determining the data acquisition tool
3. Sanitizing the target media
4. Acquiring volatile data
5. Enabling write protection on the evidence media
6. Acquiring non-volatile data
7. Planning for contingency
8. Validating data acquisition

Step 1: Determine the Best Data Acquisition Method

- An investigator needs to identify the best data acquisition method suitable for the investigation, depending on the situation the investigator is presented with.
- These situations include:
  o Size of the suspect drive
  o Time required to acquire the image
  o Whether the investigator can retain the suspect drive
- Example: In case the original evidence drive needs to be returned to the owner, as in the case of a discovery demand for a civil litigation case, check with the requester (lawyer or supervisor) whether logical acquisition of the disk is acceptable. If not, you may have to go back to the requester.
- Investigators need to acquire only the data that is intended to be acquired.

The data acquisition method that must be adopted depends on the situation that the investigator is presented with.

Figure 20.12: Determine data acquisition method (options shown: Logical/Sparse, Full Image)

The following are some key factors that must be considered in determining the data acquisition method.

1. Size of the suspect drive: If the suspect drive is large in size, the investigator must opt for disk-to-image copying. Further, if the size of the target disk is significantly smaller than that of the suspect drive, investigators need to adopt methods to reduce the data size, such as the following:
   o Using Microsoft disk compression tools such as DriveSpace and DoubleSpace, which exclude slack disk space between the files
   o Using compression methods that use an algorithm to reduce the file size. Archiving tools like PKZip, WinZip, and WinRAR can help to compress files.
   o Testing lossless compression by applying an MD5, SHA-2, or SHA-3 hash on a file before and after compression. The compression is successful only if the hash values match.
   In some cases, when the suspect drive is too large, forensic investigators can utilize the following techniques:
   o Use tape backup systems like Super Digital Linear Tape (SDLT) or Digital Audio Tape/Digital Data Storage (DAT/DDS)
   o Use SnapBack and SafeBack, which have software drivers to write data to a tape backup system from a suspect drive through the standard PCI/SCSI
2. Time required to acquire the image: The time required for data acquisition increases with increasing sizes of the suspect drives. For example, a suspect drive of 1 TB might require over 11 hours for the completion of the data acquisition process. In such cases, investigators need to prioritize and acquire only those data that are of evidentiary value. By acquiring only those data that are required for the investigation, investigators can reduce both time and effort.
3. Whether the suspect drive can be retained:
   o If the investigator cannot retain the original drive, as in a discovery demand for a civil litigation case, they should check whether logical acquisition is acceptable in court.
   o If the investigators can retain the drive, they must create a copy of it using a reliable data acquisition tool, as most discovery demands provide only one opportunity to capture data.

Step 2: Select the Data Acquisition Tool

Investigators need to choose the data acquisition tool based on the type of acquisition technique they choose. When it comes to imaging tools, they need to choose the tools that satisfy certain requirements.

Mandatory Requirements
- The tool should not change the original content
- The tool should log I/O errors in an accessible and readable form, including the type of the error and location of the error
- The tool must have the ability to pass scientific and peer review. Results must be repeatable and verifiable by a third party if necessary
- The tool should alert the user if the source is larger than the destination
- The tool should create a bit-stream copy of the original content when there are no errors in accessing the source media
- The tool should create a qualified bit-stream copy (a qualified bit-stream copy is defined as a duplicate except in identified areas of the bit-stream) when I/O errors occur while accessing the source media

It is of paramount importance to choose the right tool in the forensic data acquisition process, and this depends on the type of acquisition technique used by the forensic investigator. Imaging tools must be validated and tested to ensure that they produce accurate and repeatable results. These tools must satisfy certain requirements, some of which are mandatory (features and tasks that the tool must possess or perform), while some are optional (features that are desirable for the tool to possess).

Mandatory requirements

The following are the mandatory requirements for every tool used for the disk imaging process:
- The tool must not alter or make any changes to the original content
- The tool must log I/O errors in an accessible and readable form, including the type and location of the error
- The tool must be able to compare the source and destination, and alert the user if the destination is smaller than the source
- The tool must have the ability to pass scientific and peer review. Results must be repeatable and verifiable by a third party, if necessary
- The tool must completely acquire all visible and hidden data sectors from the digital source
- The tool must create a bit-stream copy of the original content when there are no errors in accessing the source media
- The tool must create a qualified bit-stream copy (a qualified bit-stream copy is defined as a duplicate except in identified areas of the bit-stream) when I/O errors occur while accessing the source media
- The tool must copy a file only when the destination is larger than or equal to the size of the source, and document the contents on the destination that are not a part of the copy
- Tool documentation must be correct, i.e., the user should get the expected results by executing it as per the tool's documented procedures

Optional requirements

The following are optional requirements that are desirable for tools used in the disk imaging process:
- The tool should compute a hash value for the complete bit-stream copy generated from a source image file, compare it with the source hash value computed at the time of image creation, and display the result on a disk file
- The tool should divide the bit-stream copy into blocks, compute hash values for each block, compare them with the hash value of the original block data computed at the time of image creation, and display the result on a disk file
- The tool should log one or more items on a disk file (items include tool version, subject disk identification, any errors encountered, tool actions, start and finish run times, tool settings, and user comments)
- The tool should create a qualified bit-stream duplicate and adjust the alignment of cylinders to cylinder boundaries of disk partitions when the destination is of a different physical geometry
- The tool should create a bit-stream copy of individual partitions as per user direction
- The tool should make the source disk partition table visible to users, and record its contents
- The tool should create an image file on a fixed or removable magnetic or electronic media that is used to create a bit-stream copy of the original
- The tool should create a bit-stream copy on a platform that is connected through a communications link to a different platform containing the source disk
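As an added illustration, not EC-Council's code or any real imaging product, the following Python sketch implements the behaviour the mandatory and optional tool requirements above describe, together with the hash checks from Step 1 (lossless compression) and Step 8 (validating the acquisition): it refuses a destination smaller than the source, logs each I/O error with its type and byte offset, zero-fills the unreadable sector so the result is a qualified bit-stream copy, records per-block and whole-image SHA-256 hashes with tool version and run times, and re-verifies an image against that log. `FaultySource`, `acquire`, `verify`, the tool name and the 2048-byte sample drive are all constructed for this example.

```python
import hashlib, io, time, zlib
TOOL_VERSION = "demo-imager 0.1"  # constructed name for this example, not a real product
BLOCK = 512                        # one sector: the "identified areas" of a qualified copy

class FaultySource(io.BytesIO):    # constructed stand-in for a drive with unreadable sectors
    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.bad = set(bad_sectors)
    def read(self, n=-1):
        sector = self.tell() // BLOCK
        if sector in self.bad:
            self.seek((sector + 1) * BLOCK)  # the drive moves on past the bad sector
            raise OSError("unrecovered read error")
        return super().read(n)

def acquire(src, src_size, dst, dst_capacity):
    """Bit-stream copy src -> dst; unreadable sectors are zero-filled and logged by error type
    and offset (a qualified copy). Per-block and whole-image SHA-256 go into the returned log."""
    if dst_capacity < src_size:  # mandatory: alert when the destination is too small
        raise ValueError(f"destination {dst_capacity} B smaller than source {src_size} B")
    log = {"tool": TOOL_VERSION, "start": time.time(), "block_size": BLOCK,
           "errors": [], "block_hashes": []}
    whole = hashlib.sha256()
    for sector in range(-(-src_size // BLOCK)):  # ceiling division over sectors
        want = min(BLOCK, src_size - sector * BLOCK)
        try:
            chunk = src.read(want)
        except OSError as exc:
            chunk = b"\x00" * want  # identified area is filled, never silently dropped
            log["errors"].append({"type": type(exc).__name__, "offset": sector * BLOCK})
        dst.write(chunk)
        whole.update(chunk)
        log["block_hashes"].append(hashlib.sha256(chunk).hexdigest())
    log.update(image_sha256=whole.hexdigest(), finish=time.time())
    return log

def verify(image, log):
    """Recompute hashes against the log -> (whole image matches?, mismatched block indexes)."""
    bs, expected = log["block_size"], log["block_hashes"]
    blocks = [image[i:i + bs] for i in range(0, len(image), bs)]
    bad = [i for i in range(max(len(blocks), len(expected))) if i >= min(len(blocks), len(expected))
           or hashlib.sha256(blocks[i]).hexdigest() != expected[i]]
    return hashlib.sha256(image).hexdigest() == log["image_sha256"], bad

def demo():
    data = bytes(range(256)) * 8  # constructed 2048-byte "drive" of 4 sectors; sector 2 is bad
    dst = io.BytesIO()
    log = acquire(FaultySource(data, bad_sectors=[2]), len(data), dst, dst_capacity=4096)
    restored = zlib.decompress(zlib.compress(dst.getvalue()))  # step 1: hash before vs after
    return dst.getvalue(), log, verify(restored, log)
```

The per-block hashes localise any later mismatch to the sector that changed, which is what the optional block-hash requirement buys over a single whole-image hash.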
