Data Acquisition is the use of an established method to extract Electronically Stored Information (ESI) from a computer or a storage medium to gain insight into a crime or an incident. Data acquisition is mostly performed by cyber forensics investigators, who must be able to verify the accuracy of the acquired data. There are two categories of data acquisition: Live Acquisition and Dead Acquisition.
Live acquisition involves collecting data from a system that is powered on; that is, it collects volatile data from a live system. This volatile information helps to determine the logical timeline of the security incident and the users possibly responsible. Live acquisition can also be performed with remote acquisition tools. Because every command run on a live host changes its state (a new process, new memory pages, new log entries), volatile data is collected in order of volatility and written to external media, never to the suspect disk. The data captured in live acquisition are:
System Data: Current Configurations, Running State, Date & Time, Running Processes, Swap & Temporary files, Logged-On users, etc.
Network Data: Routing Tables, ARP Cache, Network Configurations, Network Connections, etc.
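As an added example (not code from the original page), the following POSIX shell script collects the system and network data listed above from a Unix-like host. It runs each command only if it exists, writes one file per artefact into an output directory in approximate order of volatility, and hashes every output so the collection can be verified later. It assumes the output directory is on external forensic media and that the binaries come from a trusted toolkit, since a compromised host's own tools may lie; the path in the usage comment is hypothetical. Physical memory itself is captured with a dedicated tool (see the methodology below), not by this script.

```shell
#!/bin/sh
# Added example, not from the original page: minimal live-acquisition collector.
# Assumptions (not on the page): OUTDIR is on external forensic media and the
# commands run come from a trusted toolkit, not from the suspect host's PATH.
set -u

# run_step OUTDIR NAME CMD [ARGS...]: capture CMD's stdout and stderr to
# OUTDIR/NAME.txt. A missing command is recorded instead of aborting, so one
# absent tool does not cost the rest of the (perishable) volatile data.
run_step() {
    rs_out="$1"; rs_name="$2"; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$rs_out/$rs_name.txt" 2>&1 || true
    else
        echo "command not available on this host: $1" > "$rs_out/$rs_name.txt"
    fi
}

# sha256_of FILE: digest only; shasum fallback for hosts without sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# collect_volatile OUTDIR: network data first (it changes fastest), then
# system data, then a manifest of hashes over everything collected.
collect_volatile() {
    out="$1"
    mkdir -p "$out"
    run_step "$out" date_start   date -u          # timestamp before anything else
    run_step "$out" system       uname -a
    run_step "$out" uptime       uptime
    # Network data: connections, routing table, ARP cache, configuration
    run_step "$out" connections  ss -tanp
    run_step "$out" routes       ip route
    run_step "$out" arp_cache    ip neigh
    run_step "$out" interfaces   ip addr
    # System data: running processes, logged-on users, current environment
    run_step "$out" processes    ps -ef
    run_step "$out" users        who
    run_step "$out" environment  env
    run_step "$out" date_end     date -u          # bounds the collection window
    # Manifest in "sha256sum -c" format: hash, two spaces, file name
    : > "$out/manifest.sha256"
    for f in "$out"/*.txt; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$out/manifest.sha256"
    done
}

# Demo run into a temporary directory. On a real case pass a directory on the
# evidence media instead, e.g. collect_volatile /mnt/forensic/case001/live
# (hypothetical path), then later: cd <dir> && sha256sum -c manifest.sha256
demo_dir=$(mktemp -d)
collect_volatile "$demo_dir"
echo "collected $(wc -l < "$demo_dir/manifest.sha256") artefacts into $demo_dir"
```

The date_start and date_end files bracket the collection window, which is what a later timeline needs; the manifest lets anyone re-verify the collected files with `sha256sum -c manifest.sha256` without trusting the collector's word.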
Dead acquisition is also called static acquisition. It involves collecting data from a system that is powered off, e.g. from hard disks, DVD-ROMs, USB drives, smartphones, etc. It is performed by removing the storage medium, connecting it to a forensic workstation through a write blocker, and running a forensic acquisition tool against the medium. The data captured in dead acquisition are:
Emails, Word Documents, Web Activity, Deleted Files, Slack Space, etc.
Rules in Data Acquisition
- Do not work on original digital evidence. Create one or more copies and work only on that copied media.
- Use clean media to store copies.
- Create two or more copies of the original media: the first copy is used for analysis and the second is a backup in case the first gets corrupted.
- After creating the copies, verify their integrity against the original by comparing hashes.
Types of Data Acquisition
- Logical Acquisition: allows an investigator to capture only the selected files or file types related to the incident, for example email files (.pst or .ost).
- Sparse Acquisition: allows an investigator to capture selected files or file types together with fragments of unallocated data and deleted files. This method is used when inspection of the entire drive is not required.
Bit-Stream Imaging is the process of creating a bit-by-bit copy of a suspect drive: a cloned copy of the entire drive, including all its sectors and clusters, which allows forensic investigators to retrieve deleted files and folders. There are two types of Bit-Stream Imaging.
- Bit-Stream Disk-to-Image File: the most common method. The media is copied bit by bit into an image file, i.e. a bit-for-bit replica of the original media. Tools: ProDiscover, EnCase, FTK, The Sleuth Kit, X-Ways Forensics, etc.
- Bit-Stream Disk-to-Disk: carried out when disk-to-image imaging is not possible, for example because the suspect drive is very old or incompatible with the imaging software. The bit-stream copy is written directly to a target disk, and the imaging tool can adjust the target disk's geometry (heads, cylinders, tracks) to match the source. Tools: EnCase, Tableau Forensic Imager, etc.
Data Acquisition Formats
Data acquisition can produce output in three formats:
- Raw Format: the output of the Linux 'dd' command; the bit-by-bit copy of the evidence media is stored as-is. This format allows fast data transfer, lets the tool skip over (or zero-fill) minor read errors on the source drive, and can be read by most forensic tools. The trade-offs: the image needs as much space as the source, and nothing is stored alongside it, so the hash and acquisition notes must be recorded separately.
- Proprietary Format: produced by commercial forensic tools, which save the data in their own format. The main advantages are the option to compress the image, a wizard to split the image into multiple segments, and the ability to embed metadata (date and time, hash, etc.) in the image. The drawback is that the format might not be supported by other tools.
- Advanced Forensic Format (AFF): an open source format. Its file extensions are .aff (image), .afd (segmented image) and .afm (AFF metadata). There is no size limit on disk-to-image files. It also provides compression, space to record metadata, a simple and customizable design, support for multiple computing platforms and OSes, and an internal consistency check for self-authentication.
Data Acquisition Methodology
- Determine the best data acquisition method. This depends on the situation: the size of the suspect drive, the time required to acquire the image, and whether the investigator can retain the suspect drive.
- Select the data acquisition tool. The tool must not change the original content, should log I/O errors, should be able to pass scientific and peer review, should alert the user if the source is larger than the destination, should create a bit-stream copy of the original content, and, where read errors occur, should create a qualified bit-stream copy.
- Sanitize the target media. Before the image is written, wipe the destination media so that residual data from a previous case cannot be mistaken for evidence; the same standards apply when media is disposed of after the investigation to mitigate the risk of unauthorized disclosure. Standards: NIST SP 800-88, DoD 5220.22-M, etc.
- Acquire volatile data. For example, Belkasoft Live RAM Capturer is a Windows tool that dumps physical memory to a .mem file; it is run from removable media to keep its footprint on the suspect system small.
- Enable write protection on the evidence. Use a write blocker, which allows read-only access to the suspect media. Hardware write blockers include USB WriteBlocker, CRU WiebeTech and Tableau Forensic Bridges; software write blockers include SAFE Block and MacForensicsLab Write Controller. Hardware blockers are preferred because they enforce read-only access independently of the workstation's operating system.
- Acquire the non-volatile data. AccessData FTK Imager can be used to image the non-volatile storage.
- Plan for contingencies. The team must prepare for hardware or software failing during the acquisition:
- Hard Disk Drive Contingency: create at least two images of the suspect HDD.
- Imaging Tool Contingency: use different tools to create the images, so one tool's defect does not affect both copies.
- Hardware Acquisition Tools: UFED Ultimate and IM SOLO-4 G3 IT RUGGEDIZED can access the HDD at BIOS level to copy data in the Host Protected Area (HPA), which software-only imaging may miss.
- Hard Disk Drive Decryption: if the suspect drive is encrypted (e.g. with BitLocker), the decryption key or recovery key must be obtained; otherwise the image contains only ciphertext.
- Validate the data acquisition.
- Compute a hash of the original (source) media and of the forensic image and compare them; they must match.
- Techniques like hashing and digital fingerprinting are used.
- Commonly used algorithms are CRC-32, MD5, SHA-1 and SHA-256. CRC-32 is an error-detecting checksum, not a cryptographic hash, and MD5 and SHA-1 have practical collision attacks, so SHA-256 should be the primary hash; MD5 and SHA-1 are often recorded alongside it only for compatibility with older tools and reports.
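As an added example (not code from the original page), the following POSIX shell script walks through the raw-format (dd) acquisition described under Data Acquisition Formats, the two-copies rule from Rules in Data Acquisition, and the hash validation step above, on a constructed "suspect drive" file. The paths are hypothetical; in a real case the source would be a write-blocked block device such as /dev/sdb and the image would sit on sanitized target media.

```shell
#!/bin/sh
# Added example, not from the original page: raw (dd) acquisition of a
# constructed evidence file, two copies, and SHA-256 validation.
# Assumptions (not on the page): all paths are hypothetical; /dev/urandom is
# used only to build sample evidence.
set -u

# acquire_raw SRC IMG: bit-stream copy. conv=noerror keeps reading past bad
# sectors and sync zero-fills the unreadable block, so the image keeps the
# source's offsets; this is the "minor read errors are ignored" behaviour of
# the raw format. dd's record counts and any error messages go to IMG.log,
# which serves as the I/O-error log the acquisition tool is expected to keep.
acquire_raw() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2> "$2.log"
}

# sha256_of FILE: digest only; shasum fallback for hosts without sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image SRC IMG: hash the source and the image, record both in
# IMG.sha256 for the case notes (a raw image carries no embedded hash), and
# succeed only when they match.
verify_image() {
    src_hash=$(sha256_of "$1")
    img_hash=$(sha256_of "$2")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$1" "$img_hash" "$2" > "$2.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Demo on a constructed 8-sector (4096-byte) evidence file. A real disk is
# always a whole number of sectors, so sync padding never changes its length;
# for an arbitrary file it would, and the hashes would then differ.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/suspect.bin" bs=512 count=8 2>/dev/null
acquire_raw "$work/suspect.bin" "$work/suspect.raw"           # working copy
acquire_raw "$work/suspect.bin" "$work/suspect_backup.raw"    # backup copy
if verify_image "$work/suspect.bin" "$work/suspect.raw" &&
   verify_image "$work/suspect.bin" "$work/suspect_backup.raw"; then
    echo "both images verified, SHA-256 $(sha256_of "$work/suspect.bin")"
else
    echo "HASH MISMATCH: re-acquire before analysis" >&2
fi
```

The hash of the source is taken through the same (write-blocked) path as the image, so a matching digest proves the image is a faithful bit-stream copy; if dd logged read errors in the .log file, the digests will differ because the zero-filled blocks are not what the failing sectors hold, and that is exactly the "qualified" copy the tool-selection criteria above allow, provided the discrepancy is documented.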