
Mumbai University Solution: Ethical Hacking and Digital Forensics

May 2023

Q 4: a: Explain the importance of forensic duplication and its methods.

Working from a duplicate image provides the following benefits:

(a) Preserves the original digital evidence.
(b) Prevents inadvertent alteration of the original digital evidence during examination.
(c) Allows recreation of the duplicate image, if necessary.
(d) Digital evidence can be duplicated with no degradation from copy to copy.

Creating a Forensic Duplicate of a Hard Drive (Static Data Acquisition)

1. Duplicating with dd and dcfldd: For creating a true forensic duplicate image, the dd utility is the most
efficient tool. dd performs a bit-for-bit copy of the original, as long as the operating system kernel
recognizes the storage medium. However, it is expensive.
2. Creating Linux Boot Media: Preparing for duplication under Linux is different from the other methods
discussed in this section, but it is worthwhile, because Linux can be the most flexible boot environment
in the toolbox.
3. Performing a Duplication with dd: Sometimes, to fit on a specific media type such as CD/DVD, or on
a file system that limits individual files to less than 2.1 GB, the duplicate is stored as a series of files.
This is usually referred to as a segmented image.
4. Duplicating with the Open Data Duplicator: ODD is a newer open-source tool. It follows a
client-server model so that forensic duplication can be performed simultaneously on a number of
computers over a LAN. To use the software on a single forensic workstation, you run both halves on
the same computer.
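As an added example (not part of the paper solution), the following POSIX shell script walks through the dd workflow of points 1 and 3 on a constructed sample file: a bit-for-bit copy, a SHA-256 comparison of source and image to prove the copy is exact, and a segmented image that is reassembled and re-verified. The file names, the 512 KiB source size and the 200,000-byte segment size are constructed for the demonstration; on a real acquisition the input would be a block device behind a write blocker, and dcfldd or dc3dd can compute the hash during the copy instead of in a separate pass.

```shell
#!/bin/sh
# Added example: dd imaging of a constructed sample "disk" file, hash
# verification of the copy, and a segmented image reassembled and re-verified.
# Paths and sizes are constructed; a real source would be e.g. /dev/sdb.
set -eu

# Print the SHA-256 hex digest of a file (GNU sha256sum, or shasum as fallback).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
        | cut -d' ' -f1
}

# Build a constructed 512 KiB source of random bytes that stands in for the suspect drive.
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=1024 count=512 2>/dev/null
}

# Bit-for-bit copy of $1 into $2, then compare source and image hashes and
# record both in a sidecar file. conv=noerror,sync keeps going past unreadable
# sectors and zero-fills them, which is what you want on failing media; because
# sync pads a short final read up to bs, bs must divide the source size for the
# two hashes to match exactly (512 KiB is a multiple of 4096 here).
image_and_verify() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]      # exit status 0 only if the copy is exact
}

# Split an image into fixed-size segments of $2 bytes each, e.g. to fit removable
# media or a file system with a 2 GiB file-size limit. Segments are named
# image.aa, image.ab, ... so a shell glob reassembles them in order.
segment_image() {
    split -b "$2" "$1" "$1."
}

# Concatenate the segments back together and check the result against the
# hash recorded at acquisition time.
reassemble_and_verify() {
    img="$1"
    cat "$img".?? > "$img.reassembled"
    expected=$(head -n 1 "$img.sha256" | cut -d' ' -f1)
    [ "$(hash_file "$img.reassembled")" = "$expected" ]
}

# Stand-alone demonstration in a scratch directory.
demo() {
    work=$(mktemp -d)
    make_sample_source "$work/suspect.raw"
    image_and_verify "$work/suspect.raw" "$work/suspect.dd" && echo "image verified"
    segment_image "$work/suspect.dd" 200000
    reassemble_and_verify "$work/suspect.dd" && echo "segments reassembled and verified"
    rm -rf "$work"
}
demo
```

The sidecar `.sha256` file is the part to keep with the image: it is the value later re-hashing of the image, or of a restored copy, is compared against, and it belongs in the acquisition notes together with the exact dd command line and the date and time.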
Live System Duplication
• A live system duplication is defined as the creation of an image of media in a system that is
actively running.
• This situation is not preferred but is sometimes the only option. For example, the system may be
an extremely business-critical system that cannot be taken down except during very short
maintenance windows.
• In other situations, you may be faced with encrypted drives that would not be accessible after the
system was shut down.
• Performing a live image will make minor modifications to the system, but you will be able to get
an image.
• Be sure to document exactly what you did, including the tool you used, the procedure you
followed, what services may be running, and the exact dates and times.
• You will want that information in case someone “challenges” the fact that you modified the
system.
• Another potential downside to live imaging is that the source media is a moving target. As you
are creating the duplicate, changes to the contents of the media are occurring.
• Also, the operating system may have certain data cached in memory that has not yet been
committed to the media.
• Special care must be taken when creating a live image. Because there is no write protection in
place, you can mistakenly write the image back to the source drive, destroying evidence in the
process.
• You also must take care in what type of software you use and how you use it.
• You should not copy or install anything to the source drive; use tools that can run directly from
external media or network shares.
• You should try to use software that is “lightweight” to minimize the impact to the source system.
• We frequently use the FTK Imager Lite version to perform live images. The process is nearly
the same as for a static image, with two main differences:

Q 4: a (continued): Methods

1. Hardware Write Blockers:

• Write blockers are generally protocol bridges that contain custom code or an ASIC
designed to intercept a set of the protocol's commands.
• With these in your kit, you will faithfully duplicate SATA, PATA, SCSI, SAS, and USB
devices.
• Refer to the NIST CFTT site for current information on hardware write blockers.

2. Image Creation Tools:

• The three main tools we tend to use are DC3dd, AccessData's FTK Imager, and Guidance
Software's EnCase. Each has its pros and cons that make it more or less appropriate for a given
scenario.

Q 4: b: Define the following terms:

a. Bit stream image: A forensic duplicate that stores every bit of information from the source in a raw
bitstream format. In the process of forensic duplication, a 5 GB drive results in 5 GB of
forensic data.
b. Chain of custody: Chain of custody is the requirement that you be able to trace the location of
evidence from the moment it was collected to the moment it was presented in a judicial
proceeding.

Chain of custody records the collection, sequence of control, transfer and analysis. It also
documents details of each person who handled the evidence, the date and time it was collected or
transferred, and the purpose of the transfer. It demonstrates to the courts and to the client that
the evidence has not been tampered with.

c. Evidence custody form: Document involving all changes in physical and electronic
evidence seizure, custody, control, transfer, analysis, and disposition.
d. Evidence bags: An evidence bag is a specialized type of bag which is used to take and store
evidence. In general, an evidence bag will be designed to be particularly hardy, so that it will not
break or tear with the evidence inside, especially because an evidence bag might be used for any
of a number of different kinds of evidence.
e. Repeatable findings: Repeatable findings means there are always the same results when the same
process is used with the same test items, operator, and equipment inside the same laboratory.
f. Forensic workstations: A computer specifically designed for forensic investigations. The forensic
workstation includes tools to create pristine disk images, as well as a variety of analysis tools.
g. Qualified forensic duplicate: A file that stores every bit of information from the source, but in an
altered form rather than as a raw bit stream, is referred to as a qualified forensic duplicate.
h. Restored image: Restoration of a forensic duplicate or qualified forensic duplicate to
another storage media results in restored image. It is a complicated process. As the forensic
duplicate is restored to the destination hard drive, the partition tables are updated with the
new values.
i. Mirror image: A mirror image is created from hardware that does a bit-for-bit copy from
one hard drive to another. Hardware solutions are very fast, pushing the theoretical
maximum data rate.
j. Volatile data: Data on a live system that is lost after a computer is powered down.
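The chain of custody (b) and evidence custody form (c) defined above, together with the live-imaging advice to document exactly what you did and when, can be kept as an append-only log whose entries are hash-chained, so that a later edit or deletion of any entry is detectable on verification. The POSIX shell script below is an added example, not part of the paper solution or of any particular forensic tool; the handler names, actions, timestamps and the evidence file are constructed.

```shell
#!/bin/sh
# Added example: a tamper-evident chain-of-custody log. Each entry records
# who handled the evidence, when, what was done and the evidence hash, plus
# the SHA-256 of the previous entry, so the entries form a hash chain.
# Handler names, actions, timestamps and evidence content are constructed.
set -eu

# SHA-256 hex digest of standard input (GNU sha256sum, or shasum as fallback).
hash_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi \
        | cut -d' ' -f1
}

# Append an entry: coc_add LOG HANDLER ACTION EVIDENCE_FILE [UTC_TIMESTAMP]
# Fields are '|'-separated, so handler and action must not contain '|'.
# The first entry chains to a 64-zero "genesis" value.
coc_add() {
    log="$1"; handler="$2"; action="$3"; evidence="$4"
    ts="${5:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
    if [ -s "$log" ]; then
        prev=$(tail -n 1 "$log" | hash_stdin)
    else
        prev=$(printf '%064d' 0)
    fi
    printf '%s|%s|%s|%s|%s\n' "$ts" "$handler" "$action" \
        "$(hash_stdin < "$evidence")" "$prev" >> "$log"
}

# Walk the log and check that every entry's last field equals the hash of the
# line before it. Returns 1 and names the first bad entry on any break.
coc_verify() {
    log="$1"
    expected=$(printf '%064d' 0)
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        prev=${line##*|}
        if [ "$prev" != "$expected" ]; then
            echo "chain broken at entry $n" >&2
            return 1
        fi
        expected=$(printf '%s\n' "$line" | hash_stdin)
    done < "$log"
    echo "chain intact: $n entries"
}

# Confirm the evidence file still matches the hash recorded in the latest entry.
coc_check_evidence() {
    recorded=$(tail -n 1 "$1" | cut -d'|' -f4)
    [ "$(hash_stdin < "$2")" = "$recorded" ]
}

# Stand-alone demonstration, including a simulated after-the-fact edit.
demo() {
    work=$(mktemp -d)
    printf 'constructed evidence image\n' > "$work/evidence.dd"
    log="$work/custody.log"
    coc_add "$log" "A. Examiner" "acquired with dd behind write blocker" "$work/evidence.dd" "2023-05-10T09:12:00Z"
    coc_add "$log" "B. Custodian" "sealed in evidence bag, stored in locker 3" "$work/evidence.dd" "2023-05-10T10:05:00Z"
    coc_add "$log" "A. Examiner" "checked out for analysis" "$work/evidence.dd" "2023-05-11T08:30:00Z"
    coc_verify "$log"
    coc_check_evidence "$log" "$work/evidence.dd" && echo "evidence hash matches"
    # Someone quietly edits the second entry: verification of the third entry now fails.
    awk 'NR==2{sub(/locker 3/,"locker 5")}1' "$log" > "$log.tmp" && mv "$log.tmp" "$log"
    coc_verify "$log" || echo "tampering detected"
    rm -rf "$work"
}
demo
```

Hash chaining detects edits to or removal of earlier entries, not a forged entry appended by someone who can compute hashes; in practice the latest entry hash is also written to the physical custody form or signed, so the log and the form corroborate each other.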
