chapter4dataacquisition: content summary (Chapter 4, Data Acquisition)
Capturing an Image with ProDiscover Basic
• Connecting the suspect's drive to your workstation
  – Document the chain of evidence for the drive
  – Remove the drive from the suspect's computer
  – Configure the suspect drive's jumpers as needed
  – Connect the suspect drive
  – Create a storage folder on the target drive
• Using ProDiscover's Proprietary Acquisition Format
  – The image file is split into segments of 650 MB
  – Creates image files with an .eve extension, a log file (.log extension), and a special inventory file (.pds extension)

Capturing an Image with ProDiscover Basic (continued)
• Using ProDiscover's Raw Acquisition Format
  – Select the UNIX style dd format in the Image Format list box
  – Raw acquisition saves only the image data and the hash value

Capturing an Image with AccessData FTK Imager
• Included with AccessData Forensic Toolkit
• Views evidence disks and disk-to-image files
• Makes disk-to-image copies of evidence drives
  – At the logical partition and physical drive level
  – Can segment the image file
• The evidence drive must be behind a hardware write-blocking device
  – Or have the USB write-protection Registry feature enabled
• FTK Imager can't acquire a drive's host protected area

Capturing an Image with AccessData FTK Imager (continued)
• Steps
  – Boot to Windows
  – Connect the evidence disk to a write-blocker
  – Connect the target disk to the write-blocker
  – Start FTK Imager
  – Create Disk Image
    • Use the Physical Drive option

Validating Data Acquisitions
• The most critical aspect of computer forensics
• Requires a hashing algorithm utility
• Validation techniques
  – CRC-32, MD5, and SHA-1 to SHA-512

Linux Validation Methods
• Validating dd-acquired data
  – You can use the md5sum or sha1sum utilities
  – md5sum or sha1sum should be run on all suspect disks and volumes, or on the segmented volumes
• Validating dcfldd-acquired data
  – Use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512
  – The hashlog option outputs the hash results to a text file that can be stored with the image files
  – The vf (verify file) option compares the image file to the original medium

Windows Validation Methods
• Windows has no built-in hashing tools intended for computer forensics (the slide predates certutil -hashfile and PowerShell's Get-FileHash, which current Windows versions do include)
  – Third-party utilities can be used
• Commercial computer forensics programs also have built-in validation features
  – Each program has its own validation technique
• Raw format image files don't contain metadata
  – Separate manual validation is recommended for all raw acquisitions

Performing RAID Data Acquisitions
• Size is the biggest concern
  – Many RAID systems now hold terabytes of data

Understanding RAID
• Redundant array of independent (formerly "inexpensive") disks (RAID)
  – A computer configuration involving two or more disks
  – Originally developed as a data-redundancy measure
• RAID 0
  – Provides rapid access and increased storage
  – Lacks redundancy
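The Linux validation procedure above, worked through as an added example that is not part of the chapter or its slides. It uses only coreutils (dd, split, md5sum/sha1sum/sha256sum); dcfldd is not assumed to be installed, so its hash=, hashlog= and vf= behaviour is approximated in plain shell. The "suspect medium" is a constructed 8 KiB file standing in for a block device, the 2 KiB segment size stands in for the 650 MB segments the slides mention, and the single-byte tampering step is there to show that the hash comparison actually catches a modified image.

```shell
#!/bin/sh
# Added example, not from the chapter: validate a raw (dd-style) acquisition
# with coreutils hashing, for both a whole image and a segmented image.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the suspect medium (e.g. /dev/sdX): 8 KiB of a
# repeating line, so the sample is small and deterministic.
make_sample_source() {
    yes "evidence-block" | head -c 8192 > "$WORK/suspect.dev"
    printf '%s\n' "$WORK/suspect.dev"
}

# Raw acquisition with dd. conv=noerror,sync keeps reading past read errors
# and zero-fills the bad block instead of aborting, as a forensic dd run should.
acquire_raw() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
}

# Hex digest of a file; the algorithm is any coreutils *sum tool
# (md5sum, sha1sum, sha256sum, sha512sum).
hash_of() {
    "$2" "$1" | cut -d' ' -f1
}

# Whole-image validation: the source medium and the image must hash
# identically. Exit status 0 = match, 1 = mismatch.
validate_image() {
    src="$1"; img="$2"; alg="${3:-sha256sum}"
    [ "$(hash_of "$src" "$alg")" = "$(hash_of "$img" "$alg")" ]
}

# Segmented image: split into fixed-size pieces named <prefix>aa, <prefix>ab, ...
# (2 KiB here; the tools on the slides use 650 MB segments).
segment_image() {
    split -b 2048 "$1" "$2"
}

# Validation of a segmented image. Per-segment hashes go to a hash log kept
# beside the image (like dcfldd's hashlog=), but the check that matters is the
# hash of all segments concatenated in order against the source medium:
# no single segment hash equals the source hash.
validate_segments() {
    src="$1"; prefix="$2"; alg="${3:-sha256sum}"
    for seg in "$prefix"??; do
        "$alg" "$seg"
    done > "$WORK/segments.hashlog"
    [ "$(cat "$prefix"?? | "$alg" | cut -d' ' -f1)" = "$(hash_of "$src" "$alg")" ]
}

# Copy an image and flip one byte, to show that validation detects it.
tamper_copy() {
    cp "$1" "$2"
    printf 'X' | dd of="$2" bs=1 seek=100 conv=notrunc 2>/dev/null
}

run_demo() {
    src="$(make_sample_source)"
    acquire_raw "$src" "$WORK/suspect.dd"
    validate_image "$src" "$WORK/suspect.dd" sha256sum || return 1
    segment_image "$WORK/suspect.dd" "$WORK/suspect.dd."
    validate_segments "$src" "$WORK/suspect.dd." sha256sum || return 1
    tamper_copy "$WORK/suspect.dd" "$WORK/tampered.dd"
    if validate_image "$src" "$WORK/tampered.dd" sha256sum; then
        return 1    # a flipped byte must never validate
    fi
    echo "raw image validated, segmented image validated, tampering detected"
}

run_demo
```

Two caveats a practitioner hits with this procedure: conv=sync pads the final block with zeros when the medium's size is not a multiple of bs, so the image then hashes differently from the medium even though nothing went wrong (pick a bs that divides the device size, or drop sync and rely on noerror alone); and CRC-32, which the slides list alongside the hashes, detects accidental corruption only and should not be the recorded integrity value. MD5 and SHA-1 are still adequate for confirming that an image you made yourself matches its source, but record SHA-256 as well where the tooling allows, and store the hash log with the image files as the slides recommend.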