I was about to post this a week ago but my friends asked me to elaborate it and add some more stuff to it. So it was late and finally i covered the basic stuff.
A simple and common hint : The details what ever disclosed here is absolutely my own opinions, these are only for basic use 🙂
What is Acquisition?
Acquisition saves the state of a digital system so that it can be later analyzed and recovered.
Why is it important?
Acquisition is important when we talk about the digital crimes and backups. Evidences are only accepted by the court if they are untampered. By taking a image we can assure the data integrity followed by hashing / other technique.
We can use Acquisition tools for backup of data, these programmes can be basically used for data availability, even we have similar programmes in windows they do not support more features as other programmes do.
For ex: Hashing, File Listing, etc…
These images can be stored with a Hash value which can be used to verify the data integrity. We can store these images with a password for Data confidentiality using any third party tools. Even some imaging tools provide all the features together.
Types of images:
Some of the most popular image types which are used by some open source and
Commercial forensics tools for analysis and data recovery is
How to justify the integrity of the image?
As earlier said it can be done by hashing of a file, using some third party tools we can generate hash values for all the files with in the image but it’s not necessary for normal backups.
Analyzing the Images?
Analysis is itself a different long process involved in digital investigations, then why did i mentioned it in this post is, analysis is the ultimate reason why we take images ;). To produce the evidences in the court of law we need to analyze the evidences and make a detailed report of the steps of investigations.
Different Software’s used?
For acquisition we have a long list some of the popular and free tools are
Access data FTK imager,
Using Default windows system files for analysis by converting them to Raw dumps!
We can use some of the windows system files as raw dumps for the analysis of system usage and user activity.
The files are listed below
Hiberfil.sys from C:\
Pagefile.sys from c:\
How to convert the files to dumps?
To convert the above listed files we use hiber2dmp and hiber2bin applications and to analyze them we use volatility.
Converting Hiberfil.sys to rawdump
Using hiber2dmp / hiber2bin we can easily convert these files to dumps but as of free edition these only support 32 bit this software can be found here
To convert Pagefile.sys we can use strings command in linux. more details will be explained soon
Using VMware files as an evidence!
We can use VMDK,VHd and dmg files as evidences in some cases , In new version of FTK we can mount these files as images and analyse
VMSN – Vmware snapshot files we can use to check the state of HDD.
Types of imaging:
What is live imaging and Dead imaging?
Live imaging : It is nothing but taking a image when a system is in running state , in this We cannot rely on hashes because the value may be changed as after data is acquired.This can be done by using the software’s mentioned here or using bootable live Cd’s like Matriux , backtrack any other forensics distro
Dead imaging : Also called as Normal imaging , this is done when system is in off state like taking the HDD out and connecting to a write protector and taking the image
Remote imaging : This is done via intranet / internet by selecting the remote and local address with respective to port numbers
Zero Imaging : This is used to wipe out the drive / overwrite the HDD by zeros and one.To do this we can use tools like AIR, Encase and Winhex
Above all mostly used techniques is Live imaging and dead imaging to backup only sterilized hard disk is used.
Why to use these tools ?
Why to use these kind of tools when we have simple and customized command line tools like dd , the answer is ,these single tool can be used for Acquisition ,analysis and recovery , which can be managed by different types of images rather a single file type.Another reason is user friendly.
Various Live CD’s used for Acquisition?
This is a long list which includes the above listed tools and others
How these images are different from one another?
Yes they are different. Every file types has its identity some of file types is explained here. To explain it more simply
E01 provides compression, checks hashes and contains metadata
DD is a basic and old technique to acquire the image , most of the imaging tools are based out of dd itself
For more details on the differences check these links
These only cover basic file types not all.
How to use tools for imaging ?
This is a simple explanation of Acquisition tools, This explanation may vary from user to user.
FTK imager 3.1.0:- A note here this help is not copied from FTK imager help guide, So for proper terms and usage verify FTK user guide too.
Where to download FTK imager?
How to install it?
It’s as simple as Windows application installation.
Importance and how is it different from other?
It’s simple to use, support is available for any problems you face in using, this application supports features like Hashing, File listing, Multi type imaging, Memory capture, live image mounting and can Capture protected registry files.
How to Use FTK imager?
If you are a windows user then its not any more tough to use, it’s a simple user friendly application which will be guided with simple user controls.
The main functionality of FTK imager starts from File Menu, almost all the options related to imaging are covered in this option as you can see the screen shot available
This symbol denotes add a evidence item for analysis / imaging. Types of evidences that can be added are Physical drive, Logical drive,Image file and contents of a folder , for the type of images that are accepted by this in image file please check the available help file from the help menu.
This symbol denotes to add all attached devices for analysis / imaging (here attached devices may be SD cards, External disks, / default disks).
This symbol denotes image mounting , this can be use to mount the images acquired from the HDD by Live imaging or Normal imaging / dead imaging. It supports different types of images some of the mostly used are .E01, .S01, .AFF, .VHD, .vmdk, .ad1, .tar , .zip, .dmg, .gho and others.
This symbol used to remove evidence items used to remove attached evidences.
This symbol used to remove all evidence items which all are attached .
The difference between these two options is when we attach more than one partition / disk as evidences it shows as multiple attached devices to remove one on one we use remove evidence items to remove all in one click we use remove all evidences.
This symbol is used to create the image of the attached disks / imaging by selection of disks . this can be a live imaging / dead imaging.
This symbol is used to export the disk image by selecting this it asks for select the image type which you want to export you can select this from four types as dd, E01, Smart, and AFF. After selecting the image type by filling the details like examiner name and split image size it continues with export.
This Symbol is used to export logical image ( AD1) in ad1 format , of the partitions of a disk / contents of a disk as a image we can use this as a bookmark container for the projects /for a quick references of the entries.
This symbol is used to add the contents in custom image which will be in AD1 format and contents added can be seen in Custom content sources.
In the above figure you can see the other multiple options available in file menu from capture memory we can capture the contents of your memory that is ram and contents of page file .
From Obtain Protected files we can get the restricted registry content files from the machine when a machine is in running state, by which we can actually look into multiple options available for a user for example SAM file can be used to get the key for passwords , SYSTEM file for the user accounts and their counts and many more. check my next post for more details on this files.
Detect EFS Encryyption actually shows you the encrypted files in the imaged loaded / in the disk.
Export options you all know about them 🙂
I don’t think i need to explain this 🙂 from the figure you can get the details.
To preview the data in which mode you can select the option here and you can observe the data in the white space available below file list dialog.
All the options which are explained in File menu is just simply arranged here in this tool box.
This shows you the image / disk and its contents which are added
File List : Used to see the contents of a folder,partition and image
Properties : To check the properties of a file or folder in a image which mainly covered wit mac times and others
Hex Value interpreters: Converts the Hex values in to decimal values according to the Little endian / big endian
Custom content sources:As discussed earlier, here the contents shown that you want to add into AD1 images
View Files:The white space which can be seen below the File list where the preview is available for the image.
Using of FTK:
The above figure shows a dialog which is displayed to the user when we try to add evidences , what sort of source it can be as physical drive, logical drive ,image file of supported types and contents of a folder
If we select Physical drive , next dialog would be similar to the above fig, drop down contains all the connected devices .User have to select the devices according to his requirement.
The above figure shows the FTK imager after a evidence added to it for imaging
In the context menu of the evidence in evidence tree it shows multiple options for the user where he can verify the image , mount it , and list its directories
After selecting export image, it will pop up the above dialog we can acquire image from it ,
On clicking Next , User can select destination types from the above options
by selecting any of the image types from the above options it will direct you to examiner details from their it asks you for the image destination ,name, fragment size,compression and its encryption , encryption technique will change according to the image type.
The new option which is added in FTK 3 version is Image mounting these all are the supported image types which we can mount and use for analysis and recovery.
if we check the context menu of the contents with in the evidence we can observe the export option and adding the specific selection to content image.
when we check the context menu of files in the file list , here also it is same as evidence tree from where you can retrieve single files and its details like mac times , hash values and other .After selecting the file you can check properties tab for more details regarding the file. Hex Value interpreter by selecting the text from view files tab you can check the hex content in decimal . You can change the mode of view by selecting options in Mode.
Where to download AIR?
How to install AIR?
Prerequisites for AIR are:-
- md5deep package
- dc3dd 6.12.3
Some of these packages you can get with Sharutils. It can be downloaded it from (http://packages.debian.org/lenny/sharutils) according to your architecture.
Then go to terminal, go to the place where you saved the package and type:-
sudo apt-get install sharutils(This installs sharutils package)
Download your AIR package from ( http://sourceforge.net/apps/mediawiki/air-imager/)
sudo tar -zxvf air-version (this unzips your package)
chmod +x install-air-version (This gives a executable permission to the file)
./install-air-version (Installs your air package)
It first checks for Perl updated version and downloads it and then starts AIR installation. After completion you will be given a message “All Done”. If you face any problem in installing AIR please check whether you installed libx11-dev and xutils-dev packages. If not please install them then again run AIR installation.
To access AIR, sudo air in terminal.
Importance of AIR and How is it different from other?
AIR supports Compression, Hashing, verification, HD over writing, remote imaging, and zero wiping
How to Use AIR?
AIR stands for Automated Image & Restore, is a GUI front end for dd. It is easy to create and restore digital images, it has the following features
- Image verification via MD5 or SHA1
- Image compression/decompression using gzip/bzip2
- Image over a TCP/IP network uses netcat/cryptcat
- Wiping (zeroing) drives or partitions
We can set a source (a disk / a file) as a target and a destination (A disk / a location to store the image).The source can be a disk to copy the disk contents to another disk / image and vice versa with block size mentioned. We can use multiple options available within the tool like compression, hashing, verification and others.
Compression is a technique which is used to compress the data while imaging to store it with in a minimum space, but this is not recommended unless and until it’s necessary. This tool supports the major compression techniques as bzip2, gzip, tar and others.
Hashing is a technique to ensure the data integrity with in the image , by selecting the hashing technique it will calculate the hash value for you and generates it in the status windows which can be exported in csv / txt format.
To know whether the data is properly imaged / copied we can use verification , to verify the contents we need to select Yes under the verify option.
We can split the image in to pieces if we need to store it in different location one reason to do this can be lack of disk space.
In connected devices we can select the source and destination as CD / HD / Writing zeros to the disk this is mainly done to wipe the Disk for restricting the data recovery but in some cases recovery can be done.Net is to take the image over network internet / intranet we can do this by specifying specific target ip with port number (This has to be explored more as I didn’t used in deep yet).
To start any process you selected click on start, and same for stop. You can observe the status in status windows with Hash values, process of completion.
Encase is a Commercial tool so i don’t want go into it anyway, its little bit tricky and easy if your thorough with the windows apps.
Above these all when i showed this post to my friend for a suggestion for adding more questions he simply asked me what and why should i use this tool for analysis or recovery. well the answer is it depends on your requirement.These are my opnions
Some of the areas where i used this for my personal use to recover deleted files (Really it helped me a lot)
It requires a very unusual mind to undertake the analysis of the obvious. Alfred North Whitehead.
Any comments , suggestions , doubts please post below