Archive for September, 2013

One cheap and easy way to acquire a disk without buying an expensive physical write-blocker is to attach the drive through a USB external enclosure or a USB-to-IDE/SATA adapter cable and set the Windows Registry value that enables write-protection for USB storage devices. Keep in mind that this is a software write-blocker: it applies only to USB mass-storage devices, it relies on the operating system honouring the policy, and it is not equivalent to a hardware blocker, so test it on a non-evidence drive before trusting it with evidence.

To update the Registry, there are 3 tasks:

  1. Back up the Registry in case something fails while modifying the keys.
  2. Modify the Registry key to enable the write-protection feature.
    1. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
    2. Right-click the Control key -> New -> Key
    3. Type in the key name: StorageDevicePolicies
    4. Press Enter
    5. Right-click the newly created StorageDevicePolicies key -> New -> DWORD Value
    6. Type the value name: WriteProtect
    7. Press Enter
    8. Right-click the newly created DWORD value and click Modify
    9. Change the value from 0 to 1
    10. Click OK
  3. Export the StorageDevicePolicies key and save the .reg file for future use. Importing it later simplifies the process and minimises the chance of a typo each time you need to write-block a USB device.

NOTE: the policy is applied when a USB storage device is enumerated, so a device that was already attached keeps its old state; disconnect and reconnect it (or reboot) after changing the value. Setting WriteProtect back to 0 re-enables writes.
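The same three tasks as a script, with a check that the block actually works. This is an added example, not code from the original post or from the cited book; it assumes an elevated (Administrator) PowerShell session on Windows, and the backup path, the function names and the E:\ test drive are arbitrary choices.

```powershell
# Added example, not part of the original post or the cited book. Automates the three tasks
# above: back up the key, set WriteProtect=1 (or 0 to re-enable writes), and check the
# result. Assumes an elevated (Administrator) PowerShell session on Windows; the backup
# path is an arbitrary choice.
$RegPath   = 'HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'   # reg.exe form
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'  # provider form
$BackupReg = Join-Path $env:USERPROFILE 'Desktop\StorageDevicePolicies-backup.reg'

function Backup-WriteProtectKey {
    # Task 1: export the key to a .reg file. On a fresh system the key does not exist yet,
    # so there is nothing to back up. Restore later with: reg.exe import <file>
    if (Test-Path $KeyPath) {
        reg.exe export $RegPath $BackupReg /y | Out-Null
        return $BackupReg
    }
    return $null
}

function Set-UsbWriteProtect {
    # Task 2: create the key if needed and set the DWORD. 1 = block writes, 0 = allow.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name 'WriteProtect' -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-UsbWriteProtect {
    # Returns 1, 0, or $null (key or value absent). This only reports the registry state;
    # it does not prove that a given device is actually blocked.
    $p = Get-ItemProperty -Path $KeyPath -Name 'WriteProtect' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.WriteProtect
}

function Test-WriteBlocked {
    # Sanity check on a sacrificial drive (never on evidence): try to create a file and
    # expect the write to be refused. $true = blocked, $false = the write went through.
    param([Parameter(Mandatory)][string]$DriveRoot)   # e.g. 'E:\'
    $probe = Join-Path $DriveRoot ('wb-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, 'write-blocker probe')
    } catch {
        return $true    # write refused (typically "The media is write protected")
    }
    Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
    return $false       # the write succeeded: the blocker is NOT in effect for this device
}

# Usage: back up, enable, then re-plug the USB device before testing it (the policy is
# applied when the device is enumerated, so a drive plugged in earlier keeps its old state).
Backup-WriteProtectKey
Set-UsbWriteProtect -Value 1
"WriteProtect is now: $(Get-UsbWriteProtect)"
# After re-plugging a sacrificial test drive mounted as E:\
# Test-WriteBlocked -DriveRoot 'E:\'     # expect True
```

Run Test-WriteBlocked only against a scratch drive: a successful probe write on an evidence drive would itself alter the evidence. If it returns False after re-plugging the device, the policy is not being honoured for that device class and a hardware blocker is the only safe option.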
For more information, search for “USB Registry write-blocker”
Source: GCFI, 4th ed, Ch4
Dealing with digital evidence falls under Murphy's Law: "If anything can go wrong, it will go wrong!" Therefore, investigators need to take precautions to protect the evidence. Investigators should make a duplicate of the disk-to-image file and keep the original image intact, so that the working copy can be examined and the original is still available if something goes wrong. This is the most common, and most time-consuming, technique for preserving evidence.

So, the standard practice is to make at least 2 images of the collected evidence. It is also advised to create each image with a different imaging tool if possible, such as ProDiscover, FTK, or X-Ways Forensics. If only one imaging tool is available, create one image with compression and another without compression, using a tool such as EnCase or ProDiscover. Whichever tool produced it, each image should be verified against the hash of the source drive before it is relied on.
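The check that tells you the copies are good is a hash comparison against the source, and for a compressed image the hash must be taken over the acquired bytes rather than the container file. The PowerShell below is an added example, not code from the post or the cited book: it constructs a sample image in a temp directory, makes an uncompressed copy, a gzip-compressed copy and a deliberately damaged copy, and verifies all three. File names are arbitrary, and gzip stands in for a tool's own compression (formats such as E01 compress internally); the principle is the same.

```powershell
# Added example, not part of the original post. Hash-verifies several copies of a disk image,
# decompressing gzip-compressed copies so that compressed and uncompressed images are compared
# on the acquired bytes. Sample files are constructed in a temp directory.

function Get-ImageHash {
    # SHA-256 of the image content. A '.gz' copy is decompressed on the fly; hashing the
    # container instead would never match the source.
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $stream = $fs
        if ($Path -like '*.gz') {
            $stream = New-Object System.IO.Compression.GZipStream($fs, [System.IO.Compression.CompressionMode]::Decompress)
        }
        $sha  = [System.Security.Cryptography.SHA256]::Create()
        $hash = $sha.ComputeHash($stream)
        return ([System.BitConverter]::ToString($hash) -replace '-', '').ToLower()
    } finally {
        $fs.Dispose()
    }
}

function Test-ImageCopies {
    # Compares every copy against the hash recorded at acquisition time.
    # Returns $true only if all copies match; prints one line per copy.
    param(
        [Parameter(Mandatory)][string]$SourceHash,
        [Parameter(Mandatory)][string[]]$Copies
    )
    $allOk = $true
    foreach ($copy in $Copies) {
        $h = Get-ImageHash -Path $copy
        if ($h -eq $SourceHash) { $status = 'MATCH' } else { $status = 'MISMATCH'; $allOk = $false }
        Write-Host ('{0,-8} {1}  {2}' -f $status, $h, (Split-Path $copy -Leaf))
    }
    return $allOk
}

# --- constructed sample data (stands in for a real acquisition) ---
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'image-verify-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$source = Join-Path $dir 'evidence.dd'
$bytes  = New-Object byte[] (1MB)
(New-Object System.Random 42).NextBytes($bytes)
[System.IO.File]::WriteAllBytes($source, $bytes)
$sourceHash = Get-ImageHash -Path $source      # this is what goes on the chain-of-custody form

# Copy 1: uncompressed duplicate
$copy1 = Join-Path $dir 'evidence-copy1.dd'
Copy-Item -Path $source -Destination $copy1

# Copy 2: gzip-compressed duplicate
$copy2 = Join-Path $dir 'evidence-copy2.dd.gz'
$in  = [System.IO.File]::OpenRead($source)
$out = [System.IO.File]::Create($copy2)
$gz  = New-Object System.IO.Compression.GZipStream($out, [System.IO.Compression.CompressionMode]::Compress)
$in.CopyTo($gz); $gz.Dispose(); $out.Dispose(); $in.Dispose()

# Copy 3: a duplicate with one byte flipped, to show what a failed verification looks like
$bad = Join-Path $dir 'evidence-bad.dd'
Copy-Item -Path $source -Destination $bad
$fs = [System.IO.File]::Open($bad, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite)
$fs.Position = 512; $b = $fs.ReadByte(); $fs.Position = 512; $fs.WriteByte($b -bxor 0xFF); $fs.Dispose()

"Source SHA-256: $sourceHash"
$result = Test-ImageCopies -SourceHash $sourceHash -Copies @($copy1, $copy2, $bad)
"All copies verified: $result"   # False here, because of the damaged third copy
```

The first two copies match and the third does not, which is exactly the situation the "keep the original image intact" advice exists for: the damaged copy is discarded and the remaining verified copy is duplicated again, without touching the source drive.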

Keep in mind that many acquisition tools do not copy the data in the Host Protected Area (HPA). Capturing it requires a hardware acquisition tool that can access the drive at the BIOS level, such as ProDiscover with the NoWrite FPU write-blocker, ImageMASSter Solo, or X-Ways Replica.
Source: GCFI, 4th ed, Ch4

In digital forensics, there are 2 types of acquisition:

  1. Static acquisition: the preferred way to collect digital evidence when a computer is seized, for example during a police raid; the computer is powered off and the drive is imaged.
  2. Live acquisition: the way to collect digital evidence when a computer is powered on and the suspect is logged on. It is preferred when the hard disk is encrypted, because the data is only accessible in decrypted form while the system is running.

For both types, there are 4 methods of collecting data:

  1. Creating a disk-to-image file: the most common method of collecting data. It allows the investigator to create one or many bit-for-bit replicas of the original drive. With this method, any of the forensic tools such as ProDiscover, EnCase, FTK, X-Ways, ILook, SMART, and Sleuth Kit can read the resulting disk-to-image files.
  2. Creating a disk-to-disk copy: used when a disk-to-image copy fails because of hardware or software incompatibilities. It copies the entire disk to a newer disk using a forensic tool such as EnCase or SafeBack. These tools can adjust the target disk's geometry to match the original drive.
  3. Creating a logical disk-to-disk or disk-to-data file: the preferred method with large data storage such as RAID servers. This method captures only the specific files or file types of interest to the case. It is used when time is limited.
  4. Creating a sparse copy of a folder or file: similar to a logical acquisition, but it also collects deleted (unallocated) data. This method is used when an investigator does not need to examine the whole drive.

To determine the appropriate acquisition method, the investigator must consider the following:

  1. The size of the source disk.
  2. Can you retain the source disk as evidence, or must you return it to the owner?
  3. The time available to perform the acquisition.
  4. The location of the evidence.
Source: GCFI, 4th ed, Ch4