Data Acquisition 101

  1. Introduction
  2. Storage formats
  3. Volatile vs Non-volatile data
  4. Live vs. Static acquisitions
  5. Acquisition Methods
  6. Tools
  7. References

Introduction

Data acquisition is usually one of the first steps in the digital forensic process. A data acquisition is the task of collecting digital evidence from electronic media. There are two ways to perform an acquisition: statically or live.

I will use the word image in this post quite a bit: it is the data a forensic acquisition tool collects.

Storage formats

There are three main formats in which an image file can be stored.

  • Raw format: Used to write bit-stream data to files. The output is a flat file of a suspect’s drive.
    • Fast data transfer.
    • Ignores minor data read errors on the source drive.
    • The most common format, supported by most tools.
    • The disadvantage is that it requires as much storage space as the original disk.
    • ‘dd’ in Linux is a common way to capture an image in raw format.
  • Proprietary format: These formats complement specific vendors’ tools.
    • Option to compress or not compress image files.
    • Integrate metadata into the image, such as the date and time of acquisition and the hash value.
    • CAUTION: Images can’t be shared between different tools.
    • File size limitations for each segmented volume.
  • Advanced Forensic Format (AFF):
    • Provides compressed or uncompressed images.
    • No size restriction for disk-to-image files.
    • Space in the image file for metadata.
    • .afd file extension for segmented image files and .afm for AFF metadata.

Volatile vs Non-volatile data

It’s important to understand the difference between volatile and non-volatile memory with regard to digital forensics.

  • Volatile memory is lost when a system is shut down.
  • Non-volatile memory is not lost when a system is shut down.

Examples of volatile data include RAM, cache memory, active or listening network connections, and running applications. Examples of non-volatile data include hard drives, optical drives, and USB drives.

Live vs. Static acquisitions

At a high level, a live acquisition can collect both volatile and non-volatile data. A static acquisition collects only non-volatile data, and memory is harder to recover (a memory dump, pagefile, or swapfile on disk can recover some of it).

A live acquisition is the preferred method to use because:

  • RAM can be captured. This allows an investigator to see how the system was being used before imaging.
  • It helps bypass encryption on hard drives (covered in more depth in a later post), because the user performing the acquisition is already logged into the system.

Static acquisitions used to be the preferred method because they made fewer changes to the data than a live acquisition. If investigators document the changes they make during a live acquisition, they will be fine when completing a report.

Acquisition Methods

This section will go over different ways to collect data for an investigation. These methods will work whether it is a live or static acquisition.

  • Disk-to-image: The most common method, and many commercial tools can read the resulting image files.
    • Make one or more copies (images) of a suspect’s drive. These copies are a bit-by-bit duplicate of the original drive.
  • Disk-to-disk: This is used when disk-to-image is not possible due to software or hardware errors. This is common when acquiring older drives.
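Putting the raw-format ‘dd’ bullet and the disk-to-image method together, here is an added example (not code from the original post) of a raw acquisition with the integrity check a practitioner adds: hash the source and the image independently and record both. It assumes dd and sha256sum are installed and that the source is read-only (on a real case a block device behind a write blocker; here any readable path works).

```shell
#!/bin/sh
# Raw disk-to-image acquisition with independent source/image hashing.
# Added example, not the post's own code. Assumptions: dd and sha256sum are
# available; SOURCE is opened read-only (use a write blocker on real media).

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }
size_of()   { wc -c < "$1" | tr -d ' '; }

# acquire_raw SOURCE IMAGE [BLOCKSIZE]
#   Copies SOURCE bit-for-bit into IMAGE, writes IMAGE.log beside it, and
#   returns 0 only if the image hashes identically to the source.
acquire_raw() {
    src="$1"; img="$2"; bs="${3:-512}"
    log="${img}.log"

    # conv=noerror,sync keeps reading past a bad sector and zero-fills it so
    # later offsets still line up (the "ignores minor read errors" property).
    # The catch: sync also pads the LAST partial block up to BLOCKSIZE, so a
    # source whose size is not a multiple of BLOCKSIZE gains trailing zeros and
    # the hashes will not match. bs=512 (one sector) avoids that on disks at the
    # cost of speed; larger values are faster but must be accounted for.
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>"${img}.dd.txt" || return 1

    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    src_size=$(size_of "$src")
    img_size=$(size_of "$img")

    # Minimal acquisition record: what was imaged, when, how big, and hashes.
    {
        echo "source=$src"
        echo "image=$img"
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "block_size=$bs"
        echo "bytes_source=$src_size"
        echo "bytes_image=$img_size"
        echo "sha256_source=$src_hash"
        echo "sha256_image=$img_hash"
        [ "$src_size" -eq "$img_size" ] || echo "note=image padded by conv=sync"
    } > "$log"

    [ "$src_hash" = "$img_hash" ]
}
```

A non-zero return with a "note=image padded" line in the log means the size, not the content, is the reason the hashes differ; re-run with bs=512 or verify only the first bytes_source bytes of the image.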

The above methods can take several hours. The methods below are preferred if you need to collect key evidence in as little time as possible. KAPE is a great tool for performing these types of acquisitions.

  • Logical acquisition: A common method where you capture only specific files of interest to the case.
  • Sparse acquisition: Similar to a logical acquisition but also captures unallocated (deleted) data.

NOTE: If the source disk is very large and a disk-to-image or disk-to-disk capture is needed, make sure you have a target disk or space to store a copy of the suspect’s drive.

Tools

There are plenty of tools that can perform an acquisition. Some popular ones include:

  • FTK Imager
  • EnCase
  • ProDiscover
  • ‘dd’ command in Linux

I plan on demonstrating how to acquire an image using FTK Imager and possibly EnCase in a future lab. Stay tuned!
