After you identify the physical media you suspect contains evidence, you must make sure you preserve the media before you take any further steps. Preserving the media is absolutely necessary to provide assurance the evidence you acquire is valid.
Chapter 3, 'Computer Evidence,' and Chapter 4, 'Common Tasks,' both emphasize the importance of copying all media first and then analyzing the copy. Unless you must examine a primary, working copy of media, you should always create an exact image of the media and verify that it matches the original before you continue your investigation. It is rare to examine the primary media copy for any investigation that might end up in court. For other investigations, you might be asked to perform a targeted examination on the primary copy of media. For example, assume you are asked to examine a user's home folder for suspected inappropriate material. It might be impossible or extremely difficult to create a mirror image of the disk drive, but you could scan the disk for existing or deleted files while it is in use. Although examining media while it is in use might not always be the best practice, it is done frequently for informal investigations.
Your choice of which tools to use depends on several factors, including:
Operating system(s) supported
Operating system(s) in which the tool runs
Filesystems the tool supports
Let's look at some tools you can use to create and verify media copies.
Whenever possible, create a duplicate of the primary media, verify the copy, and then examine it. Always invest the time and effort to copy original media for any investigation that might end up in a court of law. For investigations that produce evidence that will not be presented in court, you might need to analyze the primary media copy directly. This is possible and desirable in cases where copying media would cause service interruptions.
The first tool in our list is ByteBack, developed by Tech Assist, Inc. ByteBack is a data recovery and investigative tool that provides more functionality than just disk copying. The ByteBack tool runs in DOS and provides a simple interface for operations. Here is a sample of the cloning/imaging interface.
Some of the features of ByteBack include:
Cloning/Imaging: Quickly clones (to the same media type) or images (to compressed files) the physical sectors of many media types.
Automated File Recovery: Automatically recovers most files on FAT and NTFS volumes, including deleted files, files located in slack space, and old formats.
Rebuild Partitions and Boot Records: Automatically repairs FAT12, FAT16, FAT32, and NTFS volumes, boot records, and partitions. It can also recover individual files on these volumes.
Media Wipe: Quickly overwrites every sector of a drive.
Media Editor: Contains a powerful sector editor for viewing and searching raw data.
ByteBack also provides software write blocking for the source drive and automatic CRC and MD5 hash calculation to verify the copy operations. If you need more functionality, ByteBack provides a binary search feature that allows you to search for any character string on the drive, including slack space.
For more information on ByteBack and additional features, visit the company's website at http://www.toolsthatwork.com/byteback.htm .
The dd utility copies and converts files. As briefly discussed in Chapter 5, 'Capturing the Data Image: Memory and Disks,' dd is commonly used in forensics to copy an entire environment. You can specify the input and output file, as well as conversion options. This utility takes two basic arguments: if and of. The if argument specifies the input file and the of argument specifies the output file. When using dd to copy individual files, the utility abides by the operating system file size limit, normally 2GB. Larger files will simply be truncated. For example, to copy a simple file from a source (such as /home/michael/sn.txt) to a destination (such as /tmp/newfile), you would issue the following command:
dd if=/home/michael/sn.txt of=/tmp/newfile
Using similar syntax, you can copy the hard disk drive located at /dev/hda to an image file named /dev/hdb/case_img using this command:
dd if=/dev/hda of=/dev/hdb/case_img
When using the dd utility with device files, the 2GB limit does not apply. The current Linux version is GNU dd. GNU dd is found in the fileutils collection, with the latest version at ftp://prep.ai.mit.edu/pub/gnu/fileutils-3.12.tar.gz . You can also find the dd utility on any computer running Unix or Linux. Type man dd in Unix or Linux for a man page entry that describes the command syntax. The Windows dd version is at http://users.erols.com/gmgarner/forensics .
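The following script is an added example, not from the book: it images a source with the same if=/of= syntax shown above, then does the verification step the text calls for by comparing the size (which catches a truncated copy) and a SHA-256 hash of source and image, and re-checks a stored image against the hash recorded at acquisition. The "device" is a constructed file (the output of seq) so it runs without real hardware; the paths under mktemp are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): image a source with dd exactly as the text
# shows (if=/of=), verify the copy by comparing size and hash, and later re-verify
# the stored image against the recorded hash. The "device" is a constructed file
# so the script runs without real hardware.

# hash_of FILE: SHA-256 hex digest (falls back to shasum where sha256sum is absent)
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_and_verify SRC IMG: dd SRC to IMG in 512-byte blocks, then check that
# size and hash agree. Prints the hash and returns 0 on success, 1 on mismatch.
image_and_verify() {
    dd if="$1" of="$2" bs=512 2>/dev/null || return 1
    [ "$(wc -c < "$1")" -eq "$(wc -c < "$2")" ] || { echo "size mismatch"; return 1; }
    src_hash=$(hash_of "$1"); img_hash=$(hash_of "$2")
    [ "$src_hash" = "$img_hash" ] || { echo "hash mismatch"; return 1; }
    echo "$img_hash"
}

# verify_image IMG EXPECTED_HASH: re-check an image against the hash recorded at
# acquisition time; any altered byte changes the digest and fails the check.
verify_image() {
    [ "$(hash_of "$1")" = "$2" ]
}

# demo: a constructed 3893-byte "disk" (output of seq) is imaged and verified,
# then one byte of the image is altered to show the verification catching it.
demo() {
    work=$(mktemp -d)
    seq 1 1000 > "$work/disk"                     # constructed source media
    recorded=$(image_and_verify "$work/disk" "$work/case_img") || return 1
    verify_image "$work/case_img" "$recorded" && echo "image verified: $recorded"
    printf 'X' | dd of="$work/case_img" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify_image "$work/case_img" "$recorded" || echo "tampered image rejected"
    rm -rf "$work"
}

demo
```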
DriveSpy is a DOS-based forensic tool, developed by Digital Intelligence, Inc. Unlike ByteBack, DriveSpy is an extended DOS forensic shell. DriveSpy provides an interface that is similar to the MS-DOS command line, along with new and extended commands. The entire program is only 110KB and easily fits on a DOS boot floppy disk.
DriveSpy provides many of the functions necessary to copy and examine drive contents. All activities are logged, optionally down to each keystroke. If desired, logging can be disabled at will. You can examine DOS and non-DOS partitions and retrieve extensive architectural information for hard drives or partitions. DriveSpy does not use operating system calls to access files, and it does not change file access dates.
Additional functionality includes:
Create disk-to-disk copy (supports large disk drives).
Create MD5 hash for a drive, partition, or selected files.
Copy a range of sectors from a source to a target, where the source and target can span drives or reside on the same drive.
Select files based on name, extension, or attributes.
Search a drive, partition, or selected files for text strings.
Collect slack and unallocated space.
Wipe a disk, partition, unallocated or slack space.
DriveSpy provides basic command-line functionality that is portable enough to carry on a single floppy disk and use at the scene. For pricing and more information, visit the Digital Intelligence, Inc. website at http://www.digitalintel.com/drivespy.htm .
The EnCase product line from Guidance Software is one of the most complete forensic suites available. We cover more of EnCase's functionality and its different products in the 'Forensics Tools' section later in this chapter. EnCase is included in this section due to its drive duplication function.
A set of tools and/or software programs used to analyze a computer for collection of evidence.
In addition to providing tools and a framework in which to manage a complete case, EnCase includes a drive duplicator. The drive imager creates an exact copy of a drive and validates the image automatically. It either creates complete images or splits drive images to economize storage. EnCase can copy virtually any type of media, creating an identical image for analysis. EnCase calls this static data support.
EnCase Enterprise Edition also provides volatile data support. This feature takes a snapshot of Random Access Memory (RAM), the Windows Registry, open ports, and running applications. It provides potentially valuable information that is lost when a machine is shut down.
It is also worth mentioning that Guidance Software sells hardware disk-write blockers. Their FastBloc products provide the extra measure of assurance that no writes occur on the device. You can use the write blocker with EnCase or just rely on EnCase to use its own software write blocking to protect the original media if you boot to DOS and not Windows. You can also use FastBloc with non-EnCase software.
The EnCase products currently run on Windows 9x, Windows 2000, Windows XP, and Windows Server 2003. For more information on the EnCase product line, visit the Guidance Software website at http://www.EnCase.com .
Forensic Replicator, from Paraben Forensic Tools, is another disk imaging tool that can acquire many different types of electronic media. It provides an easy-to-use interface, as shown in the following graphic, to select and copy entire drives or portions of drives. It also handles most removable media, including Universal Serial Bus (USB) micro drives. Replicated media images are stored in a format that can be read by most popular forensic programs.
Forensic Replicator also provides the ability to compress and split drive images for efficient storage. The ISO CD-ROM option allows you to create CDs from evidence drives that can be browsed for analysis. This option can make drive analysis much easier and more accessible for general computers. You don't need to mount a copy of the suspect drive on a forensic computer. You can use searching utilities on a standard CD-ROM drive. Forensic Replicator also offers the option of encrypting duplicated images for secure storage.
Paraben also sells a Firewire or USB-to-IDE write blocker, called Paraben's Lockdown, as a companion product. Forensic Replicator requires a Windows operating system to run. You need to boot into Windows to use the product. For additional information about the Paraben forensic tools product line, see the 'Forensics Tools' section later in this chapter. For more information on the Forensic Replicator product, visit the Paraben Forensic Tools website at http://www.paraben-forensics.com/replicator.html .
FTK (Forensic Toolkit) Imager from AccessData Corporation is a set of forensic tools that includes powerful media duplication features. The 'Forensics Tools' section later in this chapter covers more FTK features. FTK can create media images from many different source formats, including:
NTFS and NTFS compressed
FAT12, FAT16, and FAT32
Linux ext2 and ext3
FTK generates CRC or MD5 hash values, as do most products in this category, for disk-copy verification. FTK provides full searching capability for media and images created from other disk imaging programs. Image formats that FTK can read include:
SafeBack (not V3.0)
FTK Explorer is a Windows-based utility and, therefore, requires that the user boot into a Windows operating system. For more information about FTK Explorer, visit the AccessData Corporation website at http://www.accessdata.com .
Norton Ghost, from Symantec, is not a forensic tool, but it does provide the ability to create disk copies that are almost exact copies of the original. You can verify the copies you make and ensure each partition is an exact copy, but a complete drive image that is created by using Ghost commonly returns a different hash value than a hash of the original drive. Although Ghost is a handy tool, it may not provide evidence that is admissible in a court of law. The most common uses for Ghost include backup/restore and creating installation images for multiple computers. Even though Ghost's primary use is not forensics, its utility value merits a place in our list of useful tools.
Norton Ghost is a Windows application and requires a Windows operating system. For more information on Norton Ghost, visit the Symantec website at http://www.symantec.com/sabu/ghost/ghost_personal/ .
ProDiscover, from Technology Pathways, is another forensic suite of tools. As with other forensic suites, we will cover additional features in a later section. Also like other forensic suites of software, ProDiscover provides disk imaging and verification features.
ProDiscover provides the ability to create a bit stream copy of an entire suspect disk, including hidden hardware protected area (HPA) sections (patent pending), to keep original evidence safe. As discussed in Chapter 5, the HPA is an area of a hard disk drive that is not reported to the BIOS or the operating system. Some disk drive manufacturers use the HPA to store utilities that are hidden from the operating system. It also automatically creates and records MD5 or SHA1 hashes of evidence files to prove data integrity.
Technology Pathways provides several different versions of ProDiscover, depending on your particular forensic needs. One interesting feature of ProDiscover is that it allows you to capture a disk image over a network. You don't have to be physically connected to the suspect computer. All of Technology Pathways products provide disk imaging and verification and require a Windows operating system. For more information on ProDiscover, visit the Technology Pathways website at http://www.techpathways.com/DesktopDefault.aspx?tabindex=4&tabid=12 .
SafeBack, licensed through New Technologies Inc., creates bit stream images of hard disk drives and drive contents. Although SafeBack is a very good backup and installation image utility, it really shines as a forensic tool. One of the design goals of SafeBack was to produce evidence-grade backups of hard drives. It accomplishes this through its self-authenticating disk imaging process. Version 3.0 of SafeBack implements two hashing processes that are based on the SHA256 algorithm. SHA256 hash values are stored internally to protect them from alteration. All operations are logged and output to an audit file.
SafeBack is a DOS-based utility. For more information on SafeBack, visit the New Technologies Inc. website at http://www.forensics-intl.com/safeback.html .
SMART, from ASR Data Acquisition & Analysis, LLC, is another forensic software suite. The suite comprises several tools that are integrated into a full-featured forensic software package. Two tools in the package are SMART Acquisition, which provides disk imaging, and SMART Authentication, which provides verification functionality.
SMART runs in Linux and provides a graphical view of devices in a system. The first step in creating a disk image is to calculate a hash value for the source device.
After SMART generates and stores the hash value, it can create one or more device images. SMART can create multiple image files, use compression, split images to fit on smaller devices, and associate images with existing case files.
We will cover more SMART functionality in a later section. For more information on SMART, visit the ASR Data Acquisition & Analysis website at http://asrdata.com/SMART/ .
WinHex, from X-Ways Software Technology AG, is a universal hexadecimal editor and disk management utility. It supports recovery from lost or damaged files and general editing of disk contents. Its disk cloning feature is of the most interest for this section.
WinHex can clone any connected disk and verify the process using checksums or hash calculations. WinHex runs in Windows operating systems.
WinHex provides many more features beyond disk imaging and verification. For starters, WinHex provides the functionality to examine, and optionally edit, disk contents. You can also search disks for text strings using WinHex's search engine. Its support of various data types and its ability to view data in different formats make WinHex a valuable forensic tool.
For more information on WinHex and its additional capabilities, visit the X-Ways Software Technology website at http://www.x-ways.net/winhex/index-m.html .