Module 3
Computer Forensics
Part 2
19. Evidence Collection in Disk:-
Nowadays the hard disk is the permanent storage medium in a computer, and very
large hard disks are readily available.
A hard drive contains from one to a few platters, which are flat, round disks. The
platters are stacked one on top of another on a shaft that passes through an
opening in the center of every platter, much like records stacked on the spindle
of an old-fashioned record player.
A motor connected to the spindle rotates the platters, which are made of a rigid
material and coated with a magnetic substance. Electromagnetic heads write data
onto the platters in the form of magnetic impulses and read the recorded data
back from them.
Data can be written on both sides of each platter. The information is written on
tracks, and the tracks are divided into sectors. A particular bit of data therefore
resides in a specific sector of a specific track on a specific platter.
20. Forensic Duplication
A forensic duplication is an accurate copy of data that is created with the goal
of being admissible as evidence in legal proceedings.
Forensic Duplicate:
A file that contains every bit of information from the source in a raw
bitstream format. In forensic duplication, a 5 GB drive results in 5 GB of
forensic data. No extra data is stored within the file, except where errors
occurred in a read operation from the original.
Tools that create forensic duplicates: dd, FTK Imager from AccessData, dcfldd (the US
DoD Computer Forensics Lab version of the dd command).
21. Rules of Forensic Duplication
Rules of thumb:
1. Make two copies of the original media (digital evidence).
(a) One copy becomes the working copy on which the investigation
will be done.
(b) One copy is a library/control copy for future reference.
(c) Verify the integrity of the copies.
2. The working copy is used for the analysis.
3. The library copy is stored for disclosure purposes or in the event that the working
copy becomes corrupted.
4. If performing drive-to-drive imaging (not an image file), use clean media as the copy.
5. Verify the integrity of all images using hash values.
22. Importance of Forensic Duplication
1. Working from a duplicate image provides the following benefits:
a) Preserves the original digital evidence.
b) Prevents inadvertent alteration of the original digital evidence during
examination.
c) Allows recreation of the duplicate image, if necessary.
2. Digital evidence can be duplicated with no degradation from copy to copy:
a) This is not the case with most other forms of evidence.
23. Forensic Duplicate as Admissible Evidence:-
Digital evidence should satisfy the minimum criteria of legal standards, in
particular the best evidence rule. Even the process the investigator followed to
collect the digital evidence comes under inspection: the investigation and
duplication process, as well as the evidence itself, must satisfy the best
evidence rule.
The United States sets out such standards in the Federal Rules of Evidence (FRE).
1. FRE 1002 requires an original to prove the content of a writing, recording or
photograph. This means the item or information presented in court must be
original. It follows from the best evidence rule: copying can introduce errors.
2. FRE 1001(3) states that if data are stored in a computer or similar device, any
printout or other output readable by sight, shown to reflect the data accurately, is
an "original".
3. FRE 1003 states that a duplicate is admissible to the same extent as an original
unless:
(a) a genuine question is raised as to the authenticity of the original, or
(b) in the circumstances it would be unfair to admit the duplicate in lieu of
the original.
24. Tools Required for Forensic Duplication:-
Forensic duplication tools must satisfy the following criteria:
1. The tool shall make a bitstream duplicate or an image of an original disk or
partition.
2. The tool shall not alter the original disk.
3. The tool will be able to verify the integrity of a disk image file.
4. The tool shall log I/O errors.
5. The tool’s documentation shall be correct.
6. The tool should create a mirror image or forensic duplicate of the original
storage media.
7. The tool must be able to handle read errors.
8. The tool should not make any changes to the source medium.
9. The tool must be able to stand up to scientific review. Results
must be verifiable by a third party.
10. If there are no errors accessing the source, then the tool shall create a
bitstream duplicate or image of the source.
11. If there are I/O errors accessing the source, then the tool shall create a
qualified bitstream duplicate or image of the source.
12. The tool shall log I/O errors in an accessible and readable form, including
the type of error and location of the error.
13. The tool shall be able to access disk drives through one or more well-
defined interfaces.
14. Documentation shall be correct, insofar as the mandatory and any
implemented optional requirements are concerned; that is, if a user
following the tool’s documented procedures produces the expected result,
then the documentation is deemed correct.
15. If the tool copies a source to a destination that is larger than the source,
then it will document the contents of the areas on the destination that are
not part of the copy.
16. If the tool copies a source to a destination that is smaller than the source,
then the tool will notify the user, truncate the copy and log this action.
25. Qualified Forensic Duplicate (QFD):-
A file that stores every bit of information from the source, but in an altered
form, is referred to as a qualified forensic duplicate.
In-band hashes and empty-sector compression are two examples of such altered
forms.
Some tools read a number of sectors from the source, compute a hash over that
group of sectors, and then write the sector group followed by its hash value to
the output file.
Tools that create qualified forensic duplicate output files:
1. SafeBack 2. EnCase 3. FTK Imager
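The in-band hash layout just described, written as an added example rather than any of the tools named above: each group of sectors is followed by the MD5 of that group, and a verifier rehashes every record so that a corrupted or truncated record is reported. It assumes POSIX sh with GNU dd and md5sum, a source whose size is a multiple of 512 bytes, and a constructed sample file in place of a drive.

```shell
#!/bin/sh
# Added example, not a tool from the notes: a minimal qualified forensic
# duplicate with in-band hashes in the layout described above (a group of
# sectors, then the MD5 of that group, repeated), plus a verifier that
# detects a corrupted record. Assumptions: POSIX sh with GNU dd and md5sum;
# source size a multiple of 512 bytes; each hash stored as 32 hex characters.
SECTOR=512

# qfd_write SOURCE OUTPUT GROUP_SECTORS -> prints the number of records written
qfd_write() {
    src="$1"; out="$2"; grp="$3"
    total=$(wc -c < "$src"); n=0
    : > "$out"
    while [ $((n * grp * SECTOR)) -lt "$total" ]; do
        chunk=$(mktemp)
        # one group of sectors; conv=noerror,sync continues past a read error
        # and zero-pads the unreadable sector so alignment is preserved
        dd if="$src" of="$chunk" bs="$SECTOR" count="$grp" \
           skip=$((n * grp)) conv=noerror,sync 2>/dev/null
        cat "$chunk" >> "$out"
        md5sum < "$chunk" | cut -c1-32 | tr -d '\n' >> "$out"   # in-band hash
        rm -f "$chunk"; n=$((n + 1))
    done
    echo "$n"
}

# qfd_verify IMAGE GROUP_SECTORS -> "verified N records", or the first bad
# record and a non-zero exit; only the last record may be shorter than a group
qfd_verify() {
    img="$1"; g=$(($2 * SECTOR)); size=$(wc -c < "$img"); pos=0; n=0
    while [ "$pos" -lt "$size" ]; do
        left=$((size - pos))
        if [ "$left" -ge $((g + 32)) ]; then len=$g; else len=$((left - 32)); fi
        [ "$len" -gt 0 ] || { echo "truncated image at record $n"; return 1; }
        chunk=$(mktemp)
        dd if="$img" of="$chunk" bs=1 count="$len" skip="$pos" 2>/dev/null
        stored=$(dd if="$img" bs=1 count=32 skip=$((pos + len)) 2>/dev/null)
        actual=$(md5sum < "$chunk" | cut -c1-32)
        rm -f "$chunk"
        [ "$stored" = "$actual" ] || { echo "record $n corrupt"; return 1; }
        pos=$((pos + len + 32)); n=$((n + 1))
    done
    echo "verified $n records"
}
# Stand-alone demo on a constructed 8-sector sample file (not a real drive).
tmp=$(mktemp -d)
yes 'constructed sector payload' | head -c 4096 > "$tmp/sample.raw"
qfd_write "$tmp/sample.raw" "$tmp/sample.qfd" 3 >/dev/null
qfd_verify "$tmp/sample.qfd" 3
rm -r "$tmp"
```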
26. Restored Image:-
A restored image is what you get when you restore a forensic duplicate or a
qualified forensic duplicate to another storage medium. The restoration process
is more complicated than it sounds.
As the forensic duplicate is restored to the destination hard drive, the partition
tables are updated with the new values.
A restored image may therefore contain some modifications relative to the original image.
To create a qualified forensic duplicate, tools like SafeBack, EnCase or dd can be
used. There is no need to restore EnCase and dd images.
27. Mirror Image:-
A mirror image is created from hardware that does a bit-by-bit copy from one
hard drive to another. Hardware solutions are very fast, pushing the theoretical
maximum data rate of the IDE or SCSI interfaces.
Investigators do not make a mirror image very often, because it introduces an
extra step in the forensic process, requiring the examiner to create a working
copy in a forensically sound manner.
If your organization has the ability to keep the original drive seized from the
computer system being investigated, you can easily make working copies. If the
original drive must be returned, the analyst will still be required to create a
working copy of the mirror image for analysis.
28. Forensic Image Format:-
Most IR teams will create and process three primary types of forensic images:
Complete disk, partition and logical.
Each has its purpose, and your team should understand when to use one rather
than another.
a) Complete Disk Image:
The process for obtaining a "complete disk image" is intended to duplicate
every addressable allocation unit on the storage medium.
A physical image is a complete image of all the contents of a storage
device, a so-called bitstream copy.
A bitstream copy involves copying all areas of a storage device, because a
bitstream copy is a bit-by-bit copy of the original storage device.
It also includes the unallocated areas of a storage device, such as host
protected areas (HPAs) and device configuration overlays (DCOs). This means
you will be able to perform data recovery on this copy, something that is
not possible with a normal copy.
Being the most thorough of the three options, the process allows an
examiner to review data contained in drive management blocks,
OEM (original equipment manufacturer) recovery partitions, any user-generated
partition and unallocated sectors that may have held data at
one time.
b) Partition Image:
Most forensic imaging tools allow you to specify an individual partition, or
volume, as the source for an image.
A partition image is a subset of a complete disk image and contains all of
the allocation units from an individual partition on a drive. This includes
the unallocated space and file slack present within that partition. Even if
you image each partition on a drive, there are other parts of the disk that
contain data.
Reserved areas at the beginning or end of the drive, space between
partitions and any unpartitioned area will not be captured. Because a partition
image does not capture all the information on a drive, it is taken only under
special circumstances.
c) Logical Image:
A logical image is less of an "image" and more of a simple copy; it is the
type of duplication we referred to previously as a "simple duplication". It is
possible that, due to legal constraints, you are not allowed to capture anything
more than the files located in a certain folder.
Creating a logical image is the best way to capture only the data in a
folder, and nothing more.
One major drawback of a logical image is that you do not capture any
unallocated data. If the suspect has deleted important files prior to the
creation of the logical image, there is no way to recover them from a
logical image.
29. Performing Forensic Duplication of a Hard Drive:-
To create a forensic duplicate of a hard drive the following tools are used:
1. dd and dcfldd
2. ODD (Open Data Duplicator)
1. Creating a forensic duplicate using dd and dcfldd:
The dd tool is part of the GNU software suite; it was later improved by
programmers and re-released as dcfldd. The dd tool is very reliable for creating
a true forensic duplicate.
The dd tool performs a complete bit-by-bit copy of the original. When using
dd, transposing a single character (for example, swapping the input and output
arguments) may destroy evidence, so one must be familiar with the dd tool, and
with how the Unix environment addresses storage devices, before using it.
The steps required for duplicating a hard drive using dd are:
1. Create boot media.
2. Perform the duplication with dd. In certain situations the
duplicate will be stored in a series of files that are sized to fit
on a particular media type (such as CDs or DVDs) or file system
type (such as files under 2.1 GB). This is known as a segmented
image. To perform the duplication, the following things need
to be done:
Write the script to perform the hard drive duplication.
Write down the source device name.
Write down the output file name and set the output file size.
Use the dd command.
3. It is also possible to create the duplicate without splitting the
output file in Linux. To create such a duplicate, calculate the
MD5 sum of the entire drive in one pass over the source hard
drive.
The following is a bash shell script that will create a true forensic duplicate of a hard
drive and store the image on the local storage hard drive. In this script:
if: specifies the input file
of: specifies the output file
bs: specifies the block size, i.e. how much data is transferred in one operation
count: how many blocks to transfer
skip: number of blocks to skip at the beginning of the input file
conv: specifies data conversion
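The following is an added example, not the authors' script: it carries out steps 2 and 3 above with the dd options just listed, writing a segmented image and then checking it against one MD5 pass over the source. It assumes POSIX sh with GNU dd and md5sum, a source whose size is a multiple of 512 bytes, and a constructed sample file in place of a real drive; the names dd_segmented and verify_segmented are the example's own.

```shell
#!/bin/sh
# Added example, not the script from the notes: duplicate a source with dd
# into a segmented image (fixed-size pieces) and verify it with one MD5 pass
# over the source. Assumptions: POSIX sh with GNU dd and md5sum; the source
# size is a multiple of 512 bytes (true of real drives; a file stands in here).
SECTOR=512

# dd_segmented SOURCE OUTPUT_PREFIX SEGMENT_BYTES -> prints segments written
# Writes OUTPUT_PREFIX.000, .001, ... each SEGMENT_BYTES long (the last may
# be shorter) and appends dd's block counts and errors to OUTPUT_PREFIX.log.
dd_segmented() {
    src="$1"; prefix="$2"; seg="$3"
    total=$(wc -c < "$src")     # for a block device: blockdev --getsize64
    per_seg=$((seg / SECTOR))   # sectors per segment
    n=0; : > "$prefix.log"
    while [ $((n * seg)) -lt "$total" ]; do
        out=$(printf '%s.%03d' "$prefix" "$n")
        # bs: unit read and written; count: sectors in this segment; skip:
        # sectors already copied; conv=noerror,sync: continue past read errors
        # and zero-pad the unreadable block so the image stays sector-aligned
        dd if="$src" of="$out" bs="$SECTOR" count="$per_seg" \
           skip=$((n * per_seg)) conv=noerror,sync >> "$prefix.log" 2>&1
        n=$((n + 1))
    done
    echo "$n"
}

# verify_segmented SOURCE OUTPUT_PREFIX -> 0 only if the MD5 of the source
# (computed in one pass) equals the MD5 of the reassembled segments
verify_segmented() {
    src="$1"; prefix="$2"
    src_md5=$(md5sum < "$src" | cut -c1-32)
    img_md5=$(cat "$prefix".[0-9][0-9][0-9] | md5sum | cut -c1-32)
    echo "source $src_md5"
    echo "image  $img_md5"
    [ "$src_md5" = "$img_md5" ]
}

# Stand-alone demo on a constructed 8-sector sample file (not a real drive).
tmp=$(mktemp -d)
yes 'constructed sector payload' | head -c 4096 > "$tmp/sample.raw"
dd_segmented "$tmp/sample.raw" "$tmp/evidence" 1536 >/dev/null
verify_segmented "$tmp/sample.raw" "$tmp/evidence" && echo "image verified"
rm -r "$tmp"
```

dcfldd folds the split and the hash into a single pass with its split= and hash=/hashlog= options, which is why the notes treat it as the forensic successor to dd.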
2. Creating a forensic duplicate using Open Data Duplicator (ODD):
ODD is an open source tool which follows the client/server model. This client/server
model allows the investigator to perform forensic duplications on a
number of computer systems simultaneously over a LAN.
The software can also be used on a single forensic system, because both halves can be
run on the same computer. ODD can perform additional functions on the
data as it is being processed: it includes modules that calculate checksums
and hashes, perform string searches and extract files based on their file headers.
The ODD package has three parts:
i. Bootable CD-ROMs: these are similar to the Trinux Linux distribution.
ii. Server-side application: the server performs most of the
processing of the duplicate image, including the calculation of hashes,
string searches and the storage of the true forensic duplicate.
iii. Client-side application: this portion may be run locally if one is
duplicating drives on a forensic workstation.
When a hard drive is duplicated using ODD, the client first locates the ODD
server. It then detects the source device, along with the files one can use to
direct ODD to duplicate only some portions of it.
After the device has been detected, the next step is processing.
The processing stores the forensic image, performs simple string searches and
extracts certain types of files based on their file headers. One can also keep
notes using the Notes plug-in, which records information such as the case
number, the computer's date and time, the actual date and time and the system
description.
The Carv plug-in is used to extract a certain number of bytes from the incoming
data stream, based on file headers. For example, if one has selected gif and jpg
for extraction, once the duplication has completed, the carved files may be found
in a directory on the ODD server.
30. How to Create a QFD of a Hard Drive using SafeBack:-
SafeBack is a small application designed to run from a DOS boot floppy. It
requires a clean DOS environment ready on a boot floppy. It is offered by New
Technologies Inc. (NTI).
Imaging a system with SafeBack is fairly simple but time consuming.
Four operating modes:
1. Backup function -> Produces a forensically sound image file of the source
media.
2. Restore function -> Restores a forensically sound image file.
3. Verify function -> Verifies the checksum values within an image file.
4. Copy function -> Performs the backup and restore operations in one session.
The text's authors prefer to use the Backup function to create an image file when
creating a qualified forensic duplicate.
SafeBack includes a logging function that records the options used for each session.