Q. How should I get data off digital storage media?
- Find or obtain the right equipment to read data from the drive - including power, I/O hardware (e.g. USB), and possibly a fan (for hard drives)
- Be sure to attach drives in a read-only configuration - mount as read-only and use a hardware write-blocker if you can
- Generate disk images as well as copies of individual files
a patched version of dd with added features for computer forensics
dd is a free, standard Unix/Linux utility that can be used to generate raw disk images.
DiscFerret is a combination of hardware and software that allows a standard desktop computer to read, analyse and decode the data on almost any floppy disc, and most MFM and RLL hard disc drives. http://discferret.com/wiki/DiscFerret
A USB 5.25" floppy controller that plugs into any computer's USB port and enables you to attach a 5.25" floppy drive. http://www.deviceside.com/fc5025.html
FTK Imager - AccessData. http://www.accessdata.com/support/product-downloads
FTKImager is a commercial (but free to download) tool for creation - as raw (dd), SMART, E01 or AFF - and basic navigation of disk images. One can also use FTK Imager to extract files and metadata from disk images. NOTE: This is not the same product as FTK, which has many other features and requires paying for a license to run.
Guymager (Linux). http://guymager.sourceforge.net/
Free, open source disk imaging tool.
A USB-based floppy controller designed specifically for reliability, precision, and getting low-level reads suitable for software preservation. http://www.kryoflux.com/
OSFClone - PassMark Software. http://www.osforensics.com/tools/create-disk-images.html
A free tool to create and verify disk images in raw, AFF (Advanced Forensic Format) or dc3dd.
Brezinski, Dominique, and Tom Killalea. "Guidelines for Evidence Collection and Archiving." Request for Comments 3227. 2002. http://www.ietf.org/rfc/rfc3227.txt
This document was designed to "provide System Administrators with guidelines on the collection and archiving of evidence relevant to...a security incident," but it provides a good summary of the main steps and considerations related to forensic acquisitions that can be useful to information professionals.
Carrier, Brian. File System Forensic Analysis. Boston, MA: Addison-Wesley, 2005. [Note: The appendix about The Sleuth Kit and Autopsy is now quite out of date. For more current information, see instead: http://www.sleuthkit.org/]
"This is an advanced cookbook and reference guide for digital forensic practitioners. File System Forensic Analysis focuses on the file system and disk. The file system of a computer is where most files are stored and where most evidence is found; it also the most technically challenging part of forensic analysis. This book offers an overview and detailed knowledge of the file system and disc layout. The overview will allow an investigator to more easily find evidence, recover deleted data, and validate his tools. The cookbook section will show how to use the many open source tools for analysis, many of which Brian Carrier has developed himself."
Farmer, Dan, and Wietse Venema. Forensic Discovery. Upper Saddle River, NJ: Addison-Wesley, 2005. [Note: The appendix about the coroner's toolkit and related software is now quite out of date. For more current information, see instead the Forensics Wki - http://www.forensicswiki.org/.]
"The authors draw on their extensive firsthand experience to cover everything from file systems, to memory and kernel hacks, to malware. They expose a wide variety of computer forensics myths that often stand in the way of success. Readers will find extensive examples from Solaris, FreeBSD, Linux, and Microsoft Windows, as well as practical guidance for writing one's own forensic tools."
- Jarocki, John. "Forensics 101: Acquiring an Image with FTK Imager." June 18, 2009. http://computer-forensics.sans.org/blog/2009/06/18/forensics-101-acquiring-an-image-with-ftk-imager/
Jones, Keith J., Richard Bejtlich, and Curtis W. Rose. Real Digital Forensics: Computer Security and Incident Response. Upper Saddle River, NJ: Addison-Wesley, 2006. [See especially: "Acquiring a Forensic Duplication" (161-204), "Common Forensic Analysis Techniques" (207-246), "Forensic Duplication and Analysis of Personal Digital Assistants" (515-570), "Forensic Duplication of USB and Compact Flash Memory Devices" (571-576), "Forensic Analysis of USB and Compact Flash Memory Devices" (577-594).]
"In this book, a team of world-class computer forensics experts walks you through six detailed, highly realistic investigations and provides a DVD with all the data you need to follow along and practice. From binary memory dumps to log files, this DVD's intrusion data was generated by attacking live systems using the same tools and methods real-world attackers use. The evidence was then captured and analyzed using the same tools the authors employ in their own investigations. This book relies heavily on open source tools, so you can perform virtually every task without investing in any commercial software. You'll investigate environments ranging from financial institutions to software companies and crimes ranging from intellectual property theft to SEC violations. As you move step by step through each investigation, you'll discover practical techniques for overcoming the challenges forensics professionals face most often."
Thomas, Susan, Renhart Gittens, Janette Martin, and Fran Baker. "Capturing directory structures." In Workbook on Digital Private Papers. 2007. http://www.paradigm.ac.uk/workbook/record-creators/capturing-directory-structures.html
"Capturing the directory structure of an archive creates a record of the [original] order of digital materials accessioned by the repository. This can be achieved using screenshots, but generating a textual file allows the archivist to record all the information in one file that can be searched."
Last updated on 08/26/13, 9:16 pm by callee