CHAPTER 8
Capturing Evidence
We’ll Cover
 
•   Creating a forensic image of a hard drive
•   Creating a forensic image of an external storage drive
•   Creating a forensic image of a network share
 
This chapter discusses how to capture evidence, in the form of a forensic image, from various sources. We will also discuss what you can and cannot recover from each source. Because you should always try to create a forensic image with a forensically sound method, we’ll discuss the best methods for capturing images. We’ll also describe the methodology and tools available for capturing images of mobile devices and other devices where we don’t have the ability to make a forensic image without modifying the original evidence. (Note that this chapter does not cover the steps required to capture such evidence, because those processes tend to change quickly as technology advances.)
LINGO
When used to create a forensic image, a forensically sound method does not alter the original evidence. This means that some kind of write protection exists to prevent or intercept possible changes to the disk.
In Actual Practice
There are times when forensically sound methods won’t exist for capturing images from a device. In those situations, you must document in your notes the fact that no other reasonable alternatives were available and, if possible, document what changes your process will make to the evidence so you can exclude those changes from any possible analysis in a separate document.
Creating Forensic Images of Internal Hard Drives
Hard drives are the most common storage devices that you will forensically image. You can create forensically sound images of the entire contents of hard drives. The following sections cover two options for creating a forensic image in a forensically sound manner with free tools: FTK Imager using a hardware write blocker and FTK Imager using a software write blocker.
LINGO
In this chapter, the drive we are imaging is called the evidence drive, or original evidence, to indicate the hard drive we are imaging versus the storage drive to which we are writing the evidence.
FTK Imager with a Hardware Write Blocker
If you have chosen to purchase a hardware write blocker, you can use the following steps to create a forensic image with FTK Imager. Before you start, be sure that you have removed the evidence drive from the suspect’s computer.
Note
When you order a write blocker, as with all of your other forensic equipment, you should read its manual before you begin using it. Some write blockers can be configured to become read/write, so always know your equipment. If your write blocker supports read/write, make sure it’s set to read-only before continuing! Otherwise, you could modify the evidence!
 
1.  With the write blocker turned off but the power connected, attach the evidence drive to the write blocker.
2.  Connect the write blocker to your forensics computer using the fastest port you have available—in this example, I use external SATA (eSATA).
3.  Turn on the write blocker. Here you can see a powered-on write blocker with its status LEDs lit.
4.  Run FTK Imager as Administrator.
5.  From the top of the main screen, click the Create Disk Image icon, as shown here:
6.  In the Select Source dialog, select Physical Drive and then click Next.
7.  In the Select Drive dialog, select the hard drive you have attached from the drop-down list. Then click Finish.
8.  In the Create Image dialog, click the Add button to tell the program where to store the image.
9.  In the Select Image Type dialog, select the type of forensic image you want to make. I have selected Raw (dd). Then click Next.
IMHO
Choosing which forensic image type to create depends on what you plan to do with the forensic image once you have created it. I like to create raw dd images because every tool supports them. Some people choose e01 (EnCase’s format), AFF (Advanced Forensics Format), or s01 (SMART Format) because they know the only tool(s) they plan to use with the forensic image supports their format and they want the capabilities that the forensic image type supports. For instance, e01 images can be compressed and password protected. AFF files can be compressed and encrypted, and SMART images are just compressed raw images. When in doubt, choose Raw (dd) if you have the space to store it.
10.  In the Evidence Item Information dialog, fill in the information to match your Chain of Custody form, as detailed in Chapter 5. Refer to Table 8-1 and Figure 8-1 to see how to fill in the fields.
Table 8-1   Evidence Item Fields
Figure 8-1   Filling out the Evidence Item Information dialog
Note
Just because you choose one type of forensic image does not mean you are stuck with it forever. FTK Imager can also convert between forensic image types, so if in the future you need the image in another format, you can change it without reimaging the original evidence. Migrating between forensic image formats will not change the forensic hash of the evidence contained within it.
LINGO
Message Digest 5, or MD5, is a 128-bit value computed from a data set of any size that uniquely represents that data set. Every time the MD5 algorithm is run over the same data, it produces the same value; the value changes only if the data has changed. Many people refer to these values as electronic fingerprints because they uniquely represent the content of a piece of data. If even a single byte of data is changed, the resulting hash will change.
LINGO
Secure Hash Algorithm 1, or SHA1, is a 160-bit value, and unlike MD5, it has no known current weaknesses. The SHA1 hash and the MD5 hash together provide additional validation that the data has not been altered. If even a single byte of data is changed, the resulting hash will change.
11.  In the Select Image Destination dialog, choose the storage drive where you want to store the forensic image and type the name of the image, excluding the extension; this will be added for you depending on the type of image you have chosen. Then click Finish.
12.  In the Create Image dialog, choose options at the bottom of the dialog. I usually select Verify Images After They Are Created and Precalculate Progress Statistics. Then click Start. Figure 8-2 shows the forensic imaging in process.
Figure 8-2   The forensic image being created
13.  Once the image is created, verification will begin based on the options you chose.
14.  After the image verification finishes, the Drive/Image Verify Results screen will show you whether the hashes matched; if so, the forensic image was successfully created and stored on your storage device. See Figure 8-3.
Figure 8-3   Verification shows that hashes match
Note
What are we verifying? As the forensic image is being created and data is being read from the evidence drive, FTK Imager is computing two hash values, MD5 and SHA1, over the bytes it reads. Once the imaging process completes successfully, we then compute the MD5 and SHA1 hashes of the forensic image we created. If the hashes match, then our forensic image was successfully stored on our storage disk. If the image fails verification, the storage disk may have bad sectors and you will need to redo the forensic image.
In Actual Practice
If you are reading data from a bad evidence drive to begin with, you may not get hash verifications. The only way to know whether the evidence drive is corrupted is to attempt to reimage the evidence drive to a known good storage drive to see if you get the same error. If you get the same error, document the issue in your chain of custody form and do not return the evidence drive to service because it will likely die soon. If an issue is raised with the forensic image in the future, you have the option of having the evidence drive sent for repair with a data recovery company.
15.  With the verification complete, click Close and you will see a dialog showing that the image was created successfully.
16.  Update your chain of custody forms to indicate that the forensic image was successfully completed and verified, and then power off your write blocker.
Note
All of the details about the drive’s make, model, serial number, verification hashes, and options selected will be stored in a text file named after your image on the storage drive where the evidence was created.
FTK Imager with a Software Write Blocker
The only difference in methodology between software write blocking and hardware write blocking with FTK Imager is the first steps you take. This example assumes you are running Windows 7.
Note
All of your USB ports will be write blocked using this method. That means you must either have enough internal storage to store the forensic image within your system or another type of interface with which to attach an external storage drive to your system.
 
1.  Download the disableusbwrite.reg registry modification from our web site at www.learndfir.com. Then double-click the file to start it.
2.  Click Yes to indicate that you want to apply the change.
Note
If you are running Windows XP, you will have to reboot at this point. Windows 7 users can switch between USB write enabled and disabled between device plug-ins.
 
3.  Your system is now software write blocked on its USB ports. Attach the drive to a USB port, as shown in Figure 8-4.
Figure 8-4   Attaching the drive via USB
4.  Follow steps 1 through 6 from the hardware write blocking section to have FTK Imager create your forensic image. Instead of attaching a write blocker though, just attach the drive using a USB drive bay or USB-to-SATA kit.
5.  In the Select Drive dialog, select a USB device to image.
6.  Fill out the Evidence Item Information dialog.
7.  Save this image with a new name so you have both images created with two methods now on the D: drive.
In Figure 8-5, you can see that the software write protection worked and our hashes are the same as the hashes produced from the hardware write blocking method.
Figure 8-5   Software write blocking produces same hashes
Note
Don’t forget that once your imaging is finished and successful, you need to apply the other registry key so that you can write to USB devices again (after you’ve removed the evidence from your system)—unless you want to leave your system’s USB ports in a permanent read-only state for external storage.
In Actual Practice
When working with methods such as software write blocking, which rely on the operating system to succeed, it is always wise to test your system before relying on it. Any service pack or system change can break a feature, especially one that is not well known or publicly supported by Microsoft. When in doubt, test it out. Confirm that your system does not change the disk by first creating a test image of a drive with a known hash and checking that the hash is unchanged, which verifies that nothing was written.
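As an added example (not FTK Imager’s code or the book’s own), the following Python script models what the verification note in the hardware write-blocker section describes and the write-blocker self-test above: it computes MD5 and SHA1 over the evidence bytes while copying them to a raw dd image, re-hashes the stored image and compares, shows that a compressed copy of the same raw bytes still verifies (gzip stands in for a compressed raw container), and shows that a single changed byte fails verification. The evidence drive is a constructed 1 MiB file, not real evidence.

```python
import gzip
import hashlib
import io
import os
import tempfile

CHUNK = 64 * 1024  # read size; a real imager streams sector-aligned blocks


def hash_stream(fh, sink=None):
    """MD5 and SHA1 of everything read from fh. If sink is given, the bytes are
    also written to it: hash while copying, exactly as an imager does."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        md5.update(chunk)
        sha1.update(chunk)
        if sink is not None:
            sink.write(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def acquire_raw(source_path, image_path):
    """Copy the write-blocked source to a raw dd image; returns the acquisition hashes."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        return hash_stream(src, dst)


def verify_image(image_path, expected, opener=open):
    """Re-hash the stored image and compare with the acquisition hashes, or with a
    known-good hash when testing a write blocker. Both digests must match."""
    with opener(image_path, "rb") as fh:
        return hash_stream(fh) == tuple(expected)


def demo():
    work = tempfile.mkdtemp()
    evidence = os.path.join(work, "evidence.bin")  # constructed stand-in for the evidence drive
    with open(evidence, "wb") as fh:
        for sector in range(2048):                 # 2048 x 512-byte sectors = 1 MiB
            fh.write(sector.to_bytes(4, "little") * 128)
    raw = os.path.join(work, "evidence.dd")
    acq = acquire_raw(evidence, raw)
    results = {"acquisition": acq, "verified": verify_image(raw, acq)}
    # A compressed container (gzip stands in for a compressed raw format such as SMART)
    # holds the same bytes, so the content hashes are unchanged after decompression.
    packed = raw + ".gz"
    with open(raw, "rb") as src, gzip.open(packed, "wb") as dst:
        dst.write(src.read())
    results["compressed_same_hash"] = verify_image(packed, acq, opener=gzip.open)
    # Flip one bit of the stored image (what a bad sector on the storage drive might
    # do): a single changed byte makes both digests differ and verification fails.
    with open(raw, "r+b") as fh:
        fh.seek(4096)
        original = fh.read(1)
        fh.seek(4096)
        fh.write(bytes([original[0] ^ 0x01]))
    results["after_one_byte_change"] = verify_image(raw, acq)
    results["abc_hashes"] = hash_stream(io.BytesIO(b"abc"))  # known test vector
    return results
```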
Creating Forensic Images of External Drives
If you have an external storage device and you do not want to remove the drive from its external enclosure for imaging, you can attach it to your system for imaging within the enclosure.
Note
Although there are multiple types of external drives, this discussion focuses on the most popular kind, USB, in this example. If you are dealing with an external drive for which you do not have either software or hardware write blocking support, consider Raptor (covered later in this chapter) or Win PE (not covered in this book) boot disks. Either solution allows you to have all connected and recognized devices be treated as read-only so that you can forensically image them.
 
We can create forensically sound images of the entire contents of external drives that appear as physical disks to the operating system. Here again you have a choice of hardware or software write blocking. When creating a forensic image in a forensically sound manner with free tools, you can use FTK Imager with a USB write blocker, FTK Imager with software write blocking, or write blocking with Raptor for Linux. The following examples will demonstrate how to acquire a USB thumb drive.
FTK Imager with a USB Write Blocker
Here you can see a USB write blocker with a thumb drive plugged in:
Figure 8-6 shows the Select Drive dialog, where a USB device has been selected to image. Other than the hardware device used to write block, the procedure for creating an image from the thumb drive is the same as that for a hard drive. In Figure 8-7, you can see the hash verification for the USB write-blocked image.
Figure 8-6   Selecting a USB storage device to forensically image
Figure 8-7   Hash verification results for USB write-blocked image
FTK Imager with a Software Write Blocker
Using the same registry modification we used for software write blocking a hard drive, you can attach an external USB storage drive to your system and have it be write blocked. You would then follow the same steps as you followed in the preceding examples. In Figure 8-8, you can see that the hashes match between the methods.
Figure 8-8   Matching hashes between the two write-blocking methods
Software Write Blocking on Linux Systems
If you are dealing with external storage that is not USB-based, or if you want to image a suspect’s computer using her computer to do so, you can use one of the many customized Linux boot CDs that are configured to treat all drives as read-only until told otherwise. This example uses Raptor (http://forwarddiscovery.com/Raptor).
Follow these steps:
 
1.  Download the Raptor ISO from the web site http://forwarddiscovery.com/Raptor.
2.  Burn the ISO to CD-ROM.
3.  Boot either your system or the suspect’s system off of the Raptor CD (depending on which system you are using to make the forensic image), making sure that the system is set to boot from CD-ROM in the BIOS.
Tip
If I am imaging with the suspect’s computer, I will attempt to remove any drive cables from the evidence drive if it is accessible before attempting to boot from CD-ROM. Doing this prevents any accidental boots to the evidence drive.
 
4.  Choose the default from the Raptor boot menu.
5.  Click the Raptor Toolbox icon, which is the second icon from the top left and has a red border, as shown next:
6.  Choose the drive you want to image and where you want to store the forensic image, as shown next:
Notice that we are imaging the physical disk /dev/sda and writing it out to a dd (Raw) image located on a drive that was already formatted, with the volume name “evidence.”
 
7.  Select the Verify After Creation option to do the same hash verification we would do in FTK Imager or any other tool. Once this is set, click Start.
Note
As you can see, I am working within VMware in this example, so I can make good screenshots. The only difference in your system will be the names of the devices you are selecting.
 
8.  The Imaging progress bar will appear:
9.  The verification progress bar will start once imaging finishes:
10.  Once the verification is done, a text file that has been written to your storage disk will be opened, showing the hash values generated in the verification process:
Creating Forensic Images of Network Shares
If you are being asked to capture the contents of a network share, I would recommend using a tool like FTK Imager to create an AD1 image. The AD1 image type allows you to store standard files and directories within a forensic image to prevent their modification and allow you to verify their contents at a later date by hash.
In Actual Practice
Other reasons to create logical images (such as AD1s or EnCase’s L01s) include dealing with encrypted data. If you find data within your forensic image that your tool can’t decrypt within itself, you’ll have to export that data and then decrypt it. Since you want to bring that data back into your tool for analysis, putting it within a logical image prevents accidental changes to the data.
We can preserve all contents of a file or directory and its associated metadata, but we cannot recover deleted files from a network share unless we forensically image the server that is hosting it.
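As an added example (not part of the book or of FTK Imager), this Python script models the logical-image idea just described: it walks a constructed stand-in for a network share, records each file’s relative path, size, modification time, MD5 and SHA1 in a manifest, and later re-verifies the files against that manifest, so an edit made after collection is detected. Like an AD1, it covers only files that existed at collection time; deleted files on the share are not recoverable this way.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """MD5 and SHA1 of one file's content."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def collect(root):
    """Walk the share and record, per file, the metadata and hashes a logical image
    preserves: relative path, size, modification time, MD5 and SHA1."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            md5, sha1 = hash_file(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": st.st_size, "mtime": st.st_mtime,
                             "md5": md5, "sha1": sha1}
    return manifest


def verify(root, manifest):
    """Relative paths whose bytes no longer match the manifest, or that are missing.
    Only collected files are checked: deleted files never make it into a logical image."""
    bad = []
    for rel, rec in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full) or hash_file(full) != (rec["md5"], rec["sha1"]):
            bad.append(rel)
    return sorted(bad)


def demo():
    share = tempfile.mkdtemp()   # constructed stand-in for the mounted network share
    os.makedirs(os.path.join(share, "reports"))
    with open(os.path.join(share, "reports", "q1.txt"), "w") as fh:
        fh.write("quarterly figures\n")
    with open(os.path.join(share, "notes.txt"), "w") as fh:
        fh.write("meeting notes\n")
    manifest = collect(share)
    stored = json.dumps(manifest, indent=2)   # the record kept beside the image
    clean = verify(share, json.loads(stored))
    # A file on the share is edited after collection: the stored hashes expose it.
    with open(os.path.join(share, "notes.txt"), "a") as fh:
        fh.write("edited after collection\n")
    changed = verify(share, json.loads(stored))
    return {"files": sorted(manifest), "clean": clean, "changed": changed}
```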
Capturing a Network Share with FTK Imager
To capture a network share with FTK Imager, follow these steps:
 
1.  Load FTK Imager as you did in the preceding examples and click the Create Disk Image icon.
2.  In the Select Source dialog, choose the Contents Of A Folder option, as shown next. Then click Next.
3.  In the next dialog, click Yes to accept the limitations of the AD1 format.
4.  In the Select File dialog, click the Browse button in the Source Selection field to find the network share you want to collect:
5.  With the network path selected, click Finish.
6.  In the Create Image dialog, add a destination where the AD1 image will be stored, as in the preceding examples. In the same dialog, click the Add button.
7.  In the Evidence Item Information dialog, fill out the evidence information. Then click Next.
8.  In the Select Image Destination dialog, choose where you want to store the forensic image, and then click Finish.
9.  In the Create Image dialog, click Start.
10.  Verify that the hashes matched, as shown next:
You now have created a forensic image that contains the contents of a network share. You can export data and copy the image as many times as you need without worrying about changing any of the data contained within.
Mobile Devices
Mobile devices include iPhones, Androids, Blackberries, tablets, and other devices being invented as we write this. Mobile devices change rapidly, as do the forensically sound methods that work with them, often changing with each version of the device. This means that any method we document within this book may no longer work with the newest device in your possession by the time you read this. With that in mind, we recommend looking to our blog (www.learndfir.com) and YouTube channel (www.youtube.com/learnforensics) to learn the current methods available to acquire the mobile device you are working with.
Servers
If you are dealing with servers and want to capture data without having to power off the system and remove the drives, we recommend turning back to Chapter 7 to learn about live imaging, RAID, storage area network (SAN), and network attached storage (NAS). To learn more, turn to the Hacking Exposed Computer Forensics books or our blog (www.learndfir.com).
We’ve Covered
Creating a forensic image of internal hard drives
 
•   Understand forensically sound evidence.
•   Create a forensic image with a write blocker.
•   Use registry tweaks to make your USB ports read-only.
•   Understand the difference between an evidence drive and a storage drive.
Creating a forensic image of an external storage drive
 
•   Learn the different types of write blocking available for external drives.
•   Create a forensic image using the Raptor boot CD.
•   Convert between image formats.
Creating a forensic image of a network share
 
•   Know the benefits of logical images for data storage.
•   Learn how to forensically image mobile devices.
•   Learn how to image SANs and RAIDs.