
Hard Disk Data Acquisition

Disk acquisition is the process of making a copy of the hard drive of the system under investigation so that the copy can later be taken to a forensic laboratory for dead analysis. The image is an exact replica of the crime scene, which an investigator examines to trace the crime that occurred.

General Acquisition Procedure

The usual acquisition process copies the original device byte by byte into the storage intended for analysis, repeating until every byte has been copied. This is the same as copying an artefact by hand while reading the original, except that a computer copies in chunks rather than single bytes: 512 bytes is the smallest unit and larger transfers are multiples of it, because disk sectors limit data transfers to multiples of 512 bytes. When a bad sector is encountered, the tool simply writes zeros in its place in the resulting image. Each layer of abstraction between the examiner and the raw bytes can lose some data, so it is advisable to acquire from the lowest logical layer at which the evidence is expected to exist. In most cases the investigator obtains every sector of the target disk. If sectors are lost at the hardware level, the services of a data recovery specialist may be needed. To further illustrate the need to acquire data at the disk level, consider the following specific scenarios:

Acquisition at the volume level copies every sector in a partition. This allows recovery of deleted files within the partition but rules out analysis of sectors that lie outside it. For example, a disk with DOS partitions may not use sectors 1 to 62, and those sectors could contain hidden data; if we acquire at the volume level, that hidden data is lost.
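As an added example (not part of the original text), the following Python models the procedure above on a constructed in-memory disk: it copies sector by sector, zero-fills and logs unreadable sectors, and then compares a disk-level image with a volume-level image of the same device to show the hidden gap sectors being lost. SimulatedDisk, acquire, build_disk, the 128-sector layout and the chosen sector numbers are all illustrative assumptions.

```python
import hashlib

SECTOR = 512  # devices transfer whole sectors, never single bytes

class SimulatedDisk:
    """Constructed stand-in for a raw block device; `bad` lists unreadable sectors."""
    def __init__(self, data: bytes, bad=()):
        self.data, self.bad = data, set(bad)
        self.sectors = len(data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise IOError(f"sector {n} unreadable")
        return self.data[n * SECTOR:(n + 1) * SECTOR]

def acquire(disk, first=0, last=None):
    """Copy sectors [first, last) one at a time. An unreadable sector is written as
    zeros (as the text describes) and logged. Returns (image, sha256 hex, zeroed)."""
    last = disk.sectors if last is None else last
    image, zeroed = bytearray(), []
    for n in range(first, last):
        try:
            chunk = disk.read_sector(n)
        except IOError:
            chunk = b"\x00" * SECTOR  # filler, not evidence: record it
            zeroed.append(n)
        image += chunk
    return bytes(image), hashlib.sha256(image).hexdigest(), zeroed

# Constructed 128-sector disk, DOS-style layout: partition starts at sector 63,
# data planted in the gap (sector 10) and in the partition (sector 80); 70 is bad.
PARTITION_START = 63
HIDDEN = b"hidden-in-gap"
FILE = b"file-in-partition"

def build_disk():
    raw = bytearray(128 * SECTOR)
    raw[10 * SECTOR:10 * SECTOR + len(HIDDEN)] = HIDDEN
    raw[80 * SECTOR:80 * SECTOR + len(FILE)] = FILE
    return SimulatedDisk(bytes(raw), bad={70})

def compare_levels():
    """Acquire the same disk at disk level and at volume level; report what each keeps."""
    disk = build_disk()
    disk_img, _, disk_zeroed = acquire(disk)
    vol_img, _, vol_zeroed = acquire(disk, PARTITION_START)
    return {"disk_has_hidden": HIDDEN in disk_img, "volume_has_hidden": HIDDEN in vol_img,
            "volume_has_file": FILE in vol_img,
            "zeroed_in_disk_image": disk_zeroed, "zeroed_in_volume_image": vol_zeroed}
```

The zeroed-sector log matters as much as the image: without it, an examiner cannot tell a genuinely empty sector from one the tool could not read.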


Another scenario is one where a backup utility was used and only allocated files were copied. In this case, deleted files cannot be recovered, and the lack of access to temporal data further hides hidden files, partitions and folder structures. An example where a backup is the only available data, and the investigator's need for it is critical, is a corporate environment where a server is not responding because its disks were wiped with zeros and then rebooted. The last backup of the server might provide specific clues about access to the system and whether an attacker had compromised it. Such records are usually kept by an intrusion detection system, which automatically logs access and modification times on the system on a per-user basis. Retrieving this information only involves copying the logs and then carrying out the preservation steps. This acquisition is again done at the disk level so that all kinds of data can be analysed.

Dead Versus Live Acquisition

The disk acquisition process can be either a dead acquisition or a live acquisition. A dead acquisition images the disk of the suspect system without using the operating system or tools of the suspect's system, while still relying on its hardware, including the CD drive and floppy drive, which is usually trustworthy. The term "dead" refers only to the state of the operating system; because the hardware is locked down, the definition does not extend to the hardware. This allows the hardware resources to take part in the acquisition.

A live acquisition, on the other hand, uses the operating system of the suspect system, and it does not mitigate the risk that the attacker has modified the system to the point that any acquisition performed through it is severely compromised. This affects the validity and veracity of the forensic record obtained. Attackers achieve this by installing rootkits on the systems they compromise, which falsify the information provided to the investigator.

Rootkits hide running processes and malicious files on the system where the suspected activity may be taking place; usually an attacker installs one after compromising the system. It is also possible that an attacker, with the help of a rootkit, changes the data in the disk sectors that the investigator is acquiring. The resulting evidence would then differ from the original, and verification would fail. Common practice is therefore to avoid live acquisition entirely where possible. If a live acquisition must take place, the investigator should perform the acquisition under the DOS file system from a floppy or by installing a Linux OS, which renders all rootkits inoperable or useless. Hardware tampering is very unlikely or very difficult and can generally be disregarded, especially in the case of OEM-supplied hardware, which is very difficult to tamper with.
