Summary

This document provides an overview of data acquisition methods, particularly for computer forensics investigations. It covers both "live" and "dead" acquisition procedures.

Full Transcript


Certified Cybersecurity Technician Exam 212-82 Computer Forensics

Step 6: Acquire Non-volatile Data

Non-volatile data can be acquired in both live acquisition and dead acquisition. It mainly involves acquiring data from a hard disk. There is no significant difference in the amount of data acquired from a hard disk between the live and dead acquisition methods. Live acquisition of a hard disk is performed by using remote acquisition tools (e.g., netcat) and bootable CDs or USBs (e.g., CAINE), while dead acquisition involves removing the hard disk from the suspect system, connecting it to a forensic workstation, write-blocking the hard disk, and running a forensic acquisition tool on the disk.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Step 6: Acquire Non-volatile Data (notes)

Non-volatile data can be acquired from a hard disk during both the live and the dead acquisition process. Investigators can use remote acquisition tools such as netcat, or bootable CDs or USBs running tools such as CAINE, to perform live acquisition of a hard disk. The dead acquisition process can be performed via the following steps:

- Remove the hard drive from the suspect system
- Connect it to a forensic workstation to perform the acquisition
- Write-block the hard disk to ensure that it provides only read-only access to the drive and prevents any modification or tampering of its contents
- Run any forensic acquisition tool suitable for the purpose of acquiring/collecting data

Module 20 Page 2289

Step 6: Acquire Non-volatile Data (Using a Windows Forensic Workstation)

- To acquire a forensic image of a hard disk during dead acquisition, remove the hard disk, connect it to a forensic workstation, enable a write-blocker, and run a forensic imaging tool (e.g., AccessData FTK Imager) on the workstation.
- AccessData FTK Imager is a disk imaging program that can preview recoverable data from a disk of any kind and also create copies, called forensic images, of that data.

[Figure: screenshot of the AccessData FTK Imager main window; source http://accessdata.com]

Step 6: Acquire Non-volatile Data (Using a Windows Forensic Workstation) (notes)

To acquire a forensic image of a hard disk during dead acquisition, investigators need to remove the hard disk, connect it to a forensic workstation, enable a write-blocker, and run a forensic imaging tool such as AccessData FTK Imager on the workstation.

AccessData FTK Imager
Source: https://accessdata.com

FTK Imager is a data preview and imaging tool. It can also create perfect copies (forensic images) of computer data without making changes to the original evidence.

Features:

- Creates forensic images of local hard drives, CDs and DVDs, thumb drives or other USB devices, entire folders, or individual files from various places within the media
- Enables previewing files and folders on local hard drives, network drives, CDs and DVDs, thumb drives, or other USB devices
- Enables previewing the contents of forensic images stored on a local machine or a network drive
- Enables mounting an image for a read-only view that leverages Windows Internet Explorer to display the content of the image exactly as the user saw it on the original drive
- Exports files and folders from forensic images
- Recovers files that have been deleted from the Recycle Bin but have not yet been overwritten on the drive
- Creates hashes of files to check the integrity of the data by using either of the two hash functions available in FTK Imager: Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1)

[Figure: screenshot of the FTK Imager "Select Image Destination" dialog, showing the Image Destination Folder (C:\Users\Admin\Pictures), the Image Filename (Excluding Extension) field, and the Image Fragment Size (MB) setting for Raw, E01, and AFF formats]
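The dead-acquisition workflow above (read-only access to the source, a bit-for-bit image, and MD5/SHA-1 hashes used to check integrity) can be shown end to end in a small script. The following is an added example written for this page, not code from the EC-Council course or from AccessData FTK Imager. It images a source to a raw file while hashing the bytes as they stream past, then re-reads the finished image and compares both digests, which is the same verification idea FTK Imager applies. The "suspect disk" is a constructed temporary file of random bytes; on a real workstation the source would be a write-blocked device path, and the script opens it read-only only as a software-side precaution, not as a substitute for a hardware write-blocker.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # stream 1 MiB at a time so large disks never sit in memory


def acquire_raw_image(source, dest, chunk_size=CHUNK_SIZE):
    """Copy every byte of `source` to `dest` (a raw/dd-style image).

    The MD5 and SHA-1 digests of the source bytes are computed during the
    copy, so the returned record describes exactly what was read.  `source`
    is opened read-only; a hardware write-blocker still belongs between the
    suspect disk and the workstation.
    """
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    total = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        while True:
            chunk = src.read(chunk_size)
            if not chunk:
                break
            md5.update(chunk)
            sha1.update(chunk)
            dst.write(chunk)
            total += len(chunk)
    return {"bytes": total, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_file(path, chunk_size=CHUNK_SIZE):
    """Independently hash an existing file with MD5 and SHA-1."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(image_path, acquisition_record):
    """Re-read the written image and confirm both digests match the record."""
    actual = hash_file(image_path)
    return (actual["md5"] == acquisition_record["md5"]
            and actual["sha1"] == acquisition_record["sha1"])


def demo():
    # Constructed stand-in for a suspect disk: ~3 MiB of random bytes in a
    # temporary directory.  A real acquisition would point `suspect` at a
    # write-blocked device (hypothetical examples: \\.\PhysicalDrive1, /dev/sdb).
    workdir = Path(tempfile.mkdtemp(prefix="acq_demo_"))
    suspect = workdir / "suspect_disk.bin"
    image = workdir / "image.001"
    size = 3 * 1024 * 1024 + 17          # odd size: last chunk is partial
    suspect.write_bytes(os.urandom(size))

    record = acquire_raw_image(suspect, image)
    source_hashes = hash_file(suspect)   # independent check of the source
    ok_before = verify_image(image, record)

    # Simulate a single flipped byte in the image after acquisition: the
    # verification must now fail, which is why the hashes are recorded.
    with open(image, "r+b") as f:
        f.seek(100)
        original = f.read(1)
        f.seek(100)
        f.write(bytes([original[0] ^ 0xFF]))
    ok_after = verify_image(image, record)

    return {
        "size": size,
        "record": record,
        "source_hashes": source_hashes,
        "ok_before": ok_before,
        "ok_after": ok_after,
    }


if __name__ == "__main__":
    result = demo()
    print(f"imaged {result['record']['bytes']} bytes")
    print(f"MD5  {result['record']['md5']}")
    print(f"SHA1 {result['record']['sha1']}")
    print(f"verified before tampering: {result['ok_before']}")
    print(f"verified after tampering:  {result['ok_after']}")
```

Two design points carry over from the FTK Imager workflow: the digests are computed from the bytes actually read during imaging, so the record is tied to the acquisition rather than to a later re-hash of the source, and verification always re-reads the image from disk rather than trusting the in-memory copy. The script writes a raw image only; container formats such as E01 or AFF, and the fragment-size option shown in the dialog, are features of the imaging tool and are not reproduced here.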
