Forensic acquisition is the process of extracting the digital contents from seized evidence so that they may be analyzed. This is commonly known as taking a forensic image of a hard drive, but it actually involves more than just that. The main reason you want to extract the contents is that you want to conduct your analysis on a copy of the evidence and not on the original. Throughout the process, preserving the integrity of the original evidence is paramount. To acquire the original digital evidence in a manner that protects and preserves the evidence, the following steps are generally considered best practices:
1. Prepare the destination media. You will need a place to store the digital contents of your seized evidence. This destination may be a removable hard drive or a storage area network (SAN). You must ensure that the destination is free of any content that may taint the evidence. The best way to do this is to securely wipe the media by overwriting it with a fixed pattern of ones and/or zeroes.
2. Prevent changes to the original. The simple act of attaching a device to a computer or duplicator will normally cause its contents to change in small but potentially significant ways. To prevent any changes at all, you must use write-protection mechanisms such as hardware write blockers (described later in this chapter). There are also forensic acquisition software products that enable software-based write protection, but it is almost always better to use physical ones.
3. Hash the original evidence. Before you copy anything, you should take a cryptographic hash of the original evidence. Most products support MD5 and SHA-1 hashes. Though these protocols have been shown to be susceptible to collisions and are no longer recommended for general use, we have seen no pushback from the courts on their admissibility in criminal trials.
4. Copy the evidence. A variety of applications will let you do a forensic copy of digital media, including the venerable dd utility in Linux systems. What these applications all have in common is that they perform complete binary copies of the entire source medium. Copying the files is not enough because you might not acquire relevant data in deleted or unallocated spaces.
5. Verify the acquisition. After the copy is complete, you take a cryptographic hash of the copy and compare it to the original. As long as they match, you will be able to perform analyses of the copy and be assured that it is perfectly identical to the original.
6. Safeguard the original evidence. Because you now have a perfect copy of the evidence, you store the original in a safe place and ensure nobody gains access to it.
Published on Sat 02 December 2017 by Ralph Holdsworth in Security with tag(s): forensics