You can image the drive using a FastBloc write-blocker by following these steps:
1. Attach the suspect drive to the FastBloc hardware write-blocker.
2. Attach the FastBloc hardware to your imaging system.
3. Load EnCase.
4. Click Acquire.
5. You are prompted to choose the source of the data, as shown next. In this case, leave the defaults as they are; we are going to image a local drive attached to the FastBloc device. (In Chapter 5, we cover acquiring drives over networks.) Leave the Include checkboxes set to their defaults. Click Next.
6. In the Choose A Drive screen, select the drive you will be imaging. The FastBloc device has been identified as “GSI FastBloc,” as shown next. Select that drive. Note that you select the icon for the physical disk and not the volume E. The physical disk gives you a complete image of the drive, while the volume E would give you an image of only one logical partition. You should always choose to image the physical disk to reduce the risk of missing data.
7. At the Identification screen, you’ll notice that you’re required to supply the same information you supplied for the EnCase DOS version, but here the fields are all on one screen. Fill out all fields as shown here and click OK.
8. In the Output File screen, choose the options shown in the following illustration. Make sure you set the Evidence File Path to your image drive, and then click Finish.
9. The image will now be acquired. You can view the status of the acquisition by double-clicking the blinking status bar on the bottom-left of the screen. You can also cancel imaging from this dialog box:
10. After a message box tells you that imaging is completed, click OK and then remove the suspect drive from the system and place it in an anti-static bag for storage.
Image the Drive Using Linux and dd
Unlike Windows, Linux will not write to any device attached to it, nor does it attempt to determine the file system and mount any device attached to it. Instead, you can image a suspect drive in Linux without the use of a hardware write-blocker using the following steps (although there is nothing wrong with using a write-blocker):
1. Power down the Linux system.
2. Attach the suspect drive to the Linux system.
3. Power up the Linux system.
4. Determine the device name of the suspect drive. You can normally do this by inspecting the messages log or viewing /proc/partitions.
5. Run the following command to image the device:
dd if=/dev/suspect_drive of=/some_dir/imagename
6. This creates a single file that is an image of the entire physical disk of the suspect drive. Here suspect_drive represents the device name of the suspect drive, such as /dev/sda or /dev/hdb, and /some_dir/imagename is the full path and name of the file to which you want the image to be written.
7. Create an MD5 hash of the image file using the following command:
md5sum /some_dir/imagename
8. Then use the following command to hash the original device:
md5sum /dev/suspect_drive
9. Compare the results to verify that the image is complete.
10. Power down the Linux system and place the suspect drive in an anti-static bag for storage.
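The dd acquisition and hashing steps above (steps 5 through 9) as an added example that is not from the book: a POSIX shell function that images a source with dd, hashes both the source and the image, appends the hashes to a record file, and succeeds only when the two MD5 values agree. As an addition to the book's MD5-only practice it also records a SHA-256 digest of the image, since MD5 collisions are known; all paths and the record format are assumptions, and a constructed random file stands in for the suspect device.

```shell
#!/bin/sh
# Added example, not the book's code: raw acquisition with dd plus a hash record.
# src = suspect device (e.g. /dev/sdb), img = image file on the image drive,
# log = text record of the hashes. All paths are assumptions.

acquire_image() {
    src="$1"; img="$2"; log="$3"
    # Bit-for-bit copy of the whole source; bs only sets the I/O block size.
    dd if="$src" of="$img" bs=4096 2>/dev/null || return 1
    # Hash the original and the image (md5sum prints "HASH  FILE"; keep HASH).
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    img_md5=$(md5sum "$img" | cut -d' ' -f1)
    # SHA-256 is recorded as well (MD5 collisions are known); this goes beyond
    # the book's MD5-only practice.
    img_sha=$(sha256sum "$img" | cut -d' ' -f1)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    {
        echo "$stamp md5 $src_md5 $src"
        echo "$stamp md5 $img_md5 $img"
        echo "$stamp sha256 $img_sha $img"
    } >> "$log"
    # The acquisition is only complete when source and image hash the same.
    [ "$src_md5" = "$img_md5" ]
}

# Constructed stand-in for a suspect device: 64 KiB of random bytes in a file.
make_sample_device() {
    dd if=/dev/urandom of="$1" bs=1024 count=64 2>/dev/null
}
```

On a real acquisition the source argument is the whole-disk device node, not a partition, matching the book's advice to image the physical disk.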
A modified version of dd, dcfldd, is also available. This version of dd has been modified for a forensic examiner. For more information, go to http://dcfldd.sourceforge.net/.
Image the Drive Using SMART
SMART is the only commercial Linux forensic suite available today. SMART, written by ASRdata and found at www.asrdata.com, is a forensic suite that is capable of performing all the common forensic tasks performed by other products such as EnCase. In addition, SMART gives you the power of the Linux operating system. When an image is accessed through SMART, it can be mounted as a local file system and browsed and searched with all of the open-source tools available to the investigator.
Here’s how you image a drive in SMART:
1. Power down the Linux system.
2. Attach the suspect drive to the Linux system.
3. Power up the Linux system.
4. Load SMART.
5. Choose the device you want to acquire; then right-click it and choose Acquire.
6. In the Acquire window, select the number of copies of the device you want to make and the hashing algorithm you would like to use. As shown next, one copy will be made using the MD5 hashing algorithm.
7. Click the Image 1 tab and type in the name of the image and its description.
8. Click the area next to Save Data To and choose the directory where this data should be stored, as shown next. Click Okay and the imaging begins.
Image the Drive Using Helix
Helix is an open-source Linux LiveCD distribution maintained by e-fense, Inc., that comes modified not to mount drives on boot, thus creating a read-only environment. This distribution was available free but is now available for a fee from www.e-fense.com/helix. Here’s one way to image a drive in Helix:
1. Power down the system.
2. Attach the suspect drive to the Linux system.
3. Place the CD-ROM in the system.
4. Power up the Linux system.
5. Click the link Boot Into The Helix Live CD.
6. Choose Applications | Forensics & IR | Adepto.
7. Type in your name and a unique evidence name for this image; then click Go.
8. Choose the drive you are going to acquire, and note the information provided in your chain of custody; then click the Acquire tab.
9. Fill in the Image Name field to match the evidence name you used in step 7.
10. Fill in the Image Notes field to include whose computer this is and any additional information about it.
11. In the Mount Point field, type the name of the directory to which you are going to write the data on your disk, or type in an external device you have already mounted.
12. Select the Use Advanced Options checkbox and make any adjustments as you see fit.
13. Click Start.
14. When the image is successfully created, “IMAGE VERIFIED” is displayed.
Image the Drive Using FTK Imager
AccessData provides a free Windows-based forensic imaging tool named FTK Imager, available at www.accessdata.com/downloads.html. FTK Imager not only allows you to create an image in multiple evidence formats (EnCase, SMART, Raw, Sparse), but it also allows you to access images, export and recover deleted files from images, and convert images from one type to another. With FTK Imager, you can take advantage of the USB write-protect feature introduced in Windows XP SP2 to create images of USB-connected drives in Windows. Here’s how to do it:
1. Download the registry modification files located at www.howtogeek.com/howto/windows-vista/registry-hack-to-disable-writing-to-usb-drives/.
2. Access the Disable USB Write hack to prevent writing to the original evidence drive.
3. Attach your original evidence drive to your computer via a USB enclosure or a device of your choice.
4. Load the FTK Imager.
5. Choose File | Create Disk Image to open the Select Source dialog box.
6. Select Physical Drive, and then click Next.
7. In the Select Drive dialog box, choose the physical drive to acquire and then click Finish.
8. In the Create Image dialog box, click Add.
9. In the Select Image Type dialog, select the image type; choose Raw (dd), as all forensic tools support it. Then click Next.
10. In the Evidence Item Information dialog, fill in the information about the original evidence drive; then click Next.
11. In the Select Image Destination dialog, type the directory where you want to store the image and type in a name for the image. Then click Finish.
12. Click Start to start creating the image. You’ll see a dialog box similar to the one shown next.
13. After the drive is imaged, FTK Imager will let you know whether the hashes matched.
14. Unplug the USB device.
15. Run the Enable USB Write registry modification. You downloaded it in step 1.
If you want to make a copy of a running system, you can also do this using FTK Imager. Place the executable on a thumb drive, attach it to the suspect system together with your storage drive or an attached network share, and then follow the same steps in this section except for the USB write-blocking.
Step 6: Record Cryptographic Hashes
You have successfully created images of your suspect media. You now need to record the cryptographic hashes created by your imaging programs. A cryptographic hash is any mathematical function that can take in a varying length of data to create a fixed-length output that mathematically represents the entire data set in such a way that it is statistically infeasible that two different data sets could ever have the same result. Typically, we use MD5, or Message Digest 5, as our cryptographic hash function, since it is an industry standard within the forensic world.
This is a very important step. The MD5 hash that is created will allow you to demonstrate that not only does the image you have created have an exact one-for-one correspondence with the original suspect drive, but that any analysis that you perform has not modified the image in any way and thus represents the same data that would have been extracted from the original suspect drive. If one bit of the contents of the drive is changed, the MD5 hash will be different.
Step 7: Bag and Tag
Now that you have completed the collection and imaging process, you need to label the drive that your forensic image has been written to and store it in a safe place. Although you can use any type of labeling, we recommend that you use some kind of peel-and-stick preprinted drive label so you can easily work with your image drives without worrying about the labels falling off. For a safe storage place, we recommend at a minimum that you place the drive in an anti-static bag. The bagged and tagged image drive should then be stored in a location with no access to unauthorized personnel. Specifically, you must be able to testify to the fact that the image drive was placed in some kind of locked room, filing cabinet, or drawer to which only you and other authorized individuals have access.
The suspect drive at this point may or may not be bagged and tagged for remote storage, depending on your scenario. A properly validated image drive will stand as original evidence in a court of law, so the suspect drive becomes a supplemental source of verification and recovery if the image drive(s) were to fail. While we recommend that you store the suspect drive with the image drive, on many occasions this may not be possible, and the actual drive will be returned back into operation in the suspect system. We would like to reiterate at this point that you should avoid using the original drive in the future and access only the forensic image.
Move Forward
Now that you have created your image(s) and documented your evidence, you can move forward with the next part of your investigation, the analysis—that is, of course, if you are lucky enough to have a case that involved only one system. Otherwise, you will have a lot more evidence to collect and systems to work with. Forensics is a science, and with such a strong word comes a lot of paperwork. If you are the type of person who cannot stay organized enough to keep up with this paperwork, you may want to hand the case over to someone who can. Repeatable processes are what will stand up in court and are the things that you should consider implementing as quickly as possible.
Unverifiable Images
Now that you have an image and a hash of an image, do you have any way of putting these two together? Hopefully, your answer is yes. If no, you just created an image of a system that will be difficult to use as evidence. According to the federal rules of evidence, an image must have some kind of automated mechanism that allows for a duplicate to be shown to be an exact copy of the original. In the computer forensics world, this usually comes down to some kind of hash, typically MD5, and a mechanism that allows for continuous self-validation of the evidence you create. By self-validation, we mean that within the contents of the image it can be seen and proven that the image has not been modified without referring back to the original suspect media.
Countermeasure: Image Verification
You can verify an image in a number of ways, but depending on the tool you used to create the image, you may be limited to one.
Verifying an Image with EnCase
If you have added an Image to an EnCase case, it will automatically begin verifying your image. However, you can manually verify the image after acquiring it from within the acquisition or unlicensed version using the following steps:
1. Load EnCase.
2. Choose Tools | Verify Single Evidence File.
3. Choose the icon of the evidence file you want to verify and click Open.
4. The verification status will appear on the bottom-left of the EnCase window. The verification should show 0 errors. The verification is now completed.
Verifying a Raw Image
If you have a raw image created with a tool such as dd, you can still verify the image. Retrieve the previously documented hash that you created when you first created the dd image, and then run the following command in Linux:
md5sum "image file"
The md5sum should be the same as the hash you created earlier.
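Verifying a raw image against its recorded hash, as an added example that is not from the book, with the one-bit claim from Step 6 made concrete: a second helper flips a single bit in a copy of the image so the resulting mismatch is visible. The record format (the 32-hex-digit digest md5sum printed at acquisition) and the file paths are assumptions, and the sample image is constructed.

```shell
#!/bin/sh
# Added example, not the book's code: check a raw dd image against the MD5
# recorded at acquisition time. The recorded value is the 32-hex-digit digest
# that md5sum printed when the image was made (an assumed record format).

# Returns 0 when the image still hashes to the recorded digest, 1 otherwise.
verify_raw_image() {
    img="$1"; recorded="$2"
    current=$(md5sum "$img" | cut -d' ' -f1)
    if [ "$current" = "$recorded" ]; then
        echo "VERIFIED $img"
        return 0
    fi
    echo "MISMATCH $img: recorded $recorded, current $current"
    return 1
}

# Demonstration helper: copy an image and flip the lowest bit of the byte at
# OFFSET in the copy, leaving the original untouched. It exists only to show
# that a single-bit change is enough to make verification fail.
flip_one_bit() {
    src="$1"; dst="$2"; offset="$3"
    cp "$src" "$dst"
    byte=$(dd if="$src" bs=1 skip="$offset" count=1 2>/dev/null | od -An -tu1 | tr -d ' ')
    flipped=$(( byte ^ 1 ))
    # Write the modified byte back in place (conv=notrunc keeps the file size).
    printf "\\$(printf '%03o' "$flipped")" |
        dd of="$dst" bs=1 seek="$offset" count=1 conv=notrunc 2>/dev/null
}
```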
COMMON MISTAKES IN EVIDENCE COLLECTION
Examiners make several common mistakes in evidence collection. Some are technical and others are procedural. Reading this section will alert you to what investigators have learned are easily avoidable pitfalls. We hope that you can avoid the mistakes of others by following the advice in this section.
System Downtime
Most people are not familiar with computer forensic processes, and they will not understand that a system will have to be down for some time while it is imaged. On average, a DOS acquire images at about 10GB an hour, without compression. In an EnCase acquire in Windows, you can expect 20GB an hour, without compression. Compressing during acquisition is actually slower in DOS than acquiring without compression. Acquiring with compression in Windows can be fast if your processor is at least a Pentium 4 or equivalent. Linux acquires are faster than either, as they do not have the overhead of the evidence file creation that EnCase brings, but Linux imaging is still a lengthy process. Hardware imaging devices, if they are available, advertise even faster transfer rates but the downtime risk still exists.
Countermeasure: Communicate with Clients
Make sure that you communicate with your client(s), and make sure that the client, internally or externally, tells you how large the drive is and to what type of system it is attached. This way, you can respond to the client with an estimate of the downtime depending on the acquisition methodology used for the system. It could be that you decide to create the image at night or that the user can use another system while you image his or her system.
Some mission-critical systems, however, cannot be taken offline. In these cases, you have to go to the judge and opposing counsel to attempt to work out an arrangement to produce backups of the live system. The best way to prevent unnecessary conflicts is to communicate as much information about the process as you can without divulging any sensitive information.
CHAPTER 5
REMOTE INVESTIGATIONS AND COLLECTIONS
In today’s business climate, corporations face an array of security issues on a daily basis, including wrongful termination lawsuits, e-discovery requests, employee performance issues, whistle-blower investigations, intellectual property theft, and employee harassment issues. In addition, new government regulations hold organizations to updated standards for securing and responding to incidents in their environments. These types of challenges are forcing current forensic approaches to evolve because traditional forensic investigative techniques cannot meet the increasing demand. Not only has the forensic practitioner’s workload increased, but global logistics, extremely large data sets, increased network complexity, workplace privacy, legal issues, and unrealistic time frames are impacting his or her ability to perform investigations.
This chapter discusses a number of approaches and tools designed for the changing investigative landscape. Moreover, this chapter touches on many of the technical, legal, and organizational challenges that come with utilizing some of these newer investigative methods.
PRIVACY ISSUES
Before you carry out any type of remote investigation or collection, ensure that the appropriate end user policies are in place. In performing an investigation, you must consider the issue of “reasonable expectation of privacy” and how the corporate culture may affect your remote investigation. Many organizations don’t want their employees to think they are being watched continually because it lowers morale. Therefore, you must employ effective controls and methods to protect the corporation and its employees.
Hacking Exposed Page 11