Professional data acquisition entails creating a bit-for-bit copy of digital media evidence, either on-site where the device is kept or, if the device can be transported, in a forensic laboratory.
The storage device is first connected to a write blocker, a hardware (or software) device that passes read commands through but stops any write command from reaching the evidence media, so that nothing on it can be altered during the process. A bit-for-bit copy, or "image", of the drive is then written to a separate storage device for later examination. After the initial acquisition, the original device is placed in secure storage and the forensic examiner performs all analysis only on the copy.
Working on a copy leaves the original media intact, so that any finding can be verified against it at a later date, for example by re-imaging the original and confirming that its hash still matches the one recorded at acquisition.
Acquired media is referred to as an "image" and is generally stored in one of several open or proprietary formats; a common choice is the EnCase evidence file format (.E01, also called the Expert Witness Format), a proprietary, compressible container. During acquisition the imaging software computes a cryptographic hash (typically MD5 and/or SHA-1, increasingly SHA-256) of the source media; comparing that value with a hash of the image, or of the original, at any later time shows whether the data has changed since acquisition. An E01 file stores a CRC32 checksum for every chunk of data (64 sectors, i.e. 32 KiB, by default), which allows a damaged region to be pinpointed, together with an MD5 hash (and, in newer versions, a SHA-1 hash) of the entire acquired media.
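The two-level integrity scheme just described (a checksum per chunk to localise damage, a digest over the whole media to prove it is unaltered) can be reproduced in a few lines. The following is an added Python example, not EnCase code and not the E01 container format itself: it writes a plain flat image and keeps the chunk CRCs and digests in a separate manifest dictionary. The 64-sector chunk size mirrors the E01 default; the function names and the patterned sample media are this example's own.

```python
import hashlib
import io
import zlib

SECTOR_SIZE = 512
CHUNK_SECTORS = 64                        # E01 default chunk: 64 sectors
CHUNK_SIZE = SECTOR_SIZE * CHUNK_SECTORS  # 32 KiB with 512-byte sectors


def acquire(source, image):
    """Copy `source` (opened read-only, ideally behind a write blocker) to
    `image` byte for byte. Returns a manifest with one CRC32 per chunk, which
    lets a later check localise damage, plus MD5 and SHA-1 of the whole media."""
    md5, sha1, crcs, total = hashlib.md5(), hashlib.sha1(), [], 0
    while True:
        chunk = source.read(CHUNK_SIZE)
        if not chunk:
            break
        image.write(chunk)
        md5.update(chunk)
        sha1.update(chunk)
        crcs.append(zlib.crc32(chunk))
        total += len(chunk)
    image.flush()
    return {"bytes": total, "chunk_crc32": crcs,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(image, manifest):
    """Re-read the image and recompute every chunk CRC and both digests.
    Returns (ok, bad_chunks): ok only if nothing differs; bad_chunks lists
    the indices of chunks whose CRC no longer matches the manifest."""
    image.seek(0)
    md5, sha1, bad, index, total = hashlib.md5(), hashlib.sha1(), [], 0, 0
    expected = manifest["chunk_crc32"]
    while True:
        chunk = image.read(CHUNK_SIZE)
        if not chunk:
            break
        if index >= len(expected) or zlib.crc32(chunk) != expected[index]:
            bad.append(index)
        md5.update(chunk)
        sha1.update(chunk)
        index += 1
        total += len(chunk)
    ok = (not bad and index == len(expected) and total == manifest["bytes"]
          and md5.hexdigest() == manifest["md5"]
          and sha1.hexdigest() == manifest["sha1"])
    return ok, bad


def demo():
    # Constructed sample media (2.5 chunks of patterned bytes), not real evidence.
    media = bytes(range(256)) * (CHUNK_SIZE * 5 // 2 // 256)
    image = io.BytesIO()
    manifest = acquire(io.BytesIO(media), image)
    clean = verify_image(image, manifest)
    damaged = bytearray(image.getvalue())
    damaged[CHUNK_SIZE + 100] ^= 0x01             # one flipped bit in chunk 1
    return {"bytes": manifest["bytes"], "chunks": len(manifest["chunk_crc32"]),
            "clean": clean, "damaged": verify_image(io.BytesIO(damaged), manifest),
            "image_matches": image.getvalue() == media}
```

The whole-media digest alone would only say that the damaged image differs; the per-chunk CRCs are what identify chunk 1 as the damaged region, which is exactly why the container keeps both.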
DIFSECO’s professional engineers are trained and certified to acquire evidence on-site at a business, factory, plant, institution or home.
ON-SITE DATA ACQUISITION
Do you need digital forensic services conducted on a device that must remain in its current location? Our on-site forensic technicians can come to you or to any remote location. They create a forensically sound, bit-for-bit copy of the digital evidence and deliver that copy to one of our certified laboratories for processing. We also offer in-house acquisition through our regional forensic laboratories. Each image is hashed with MD5 and SHA-1 at acquisition, so that the copy can be shown to match the source media as it was when acquired and to have remained unaltered since.
Internal components (e.g., sound card; video card; network card, including media access control (MAC) address; personal computer memory card international association (PCMCIA) cards).
Disconnect storage devices (using the power connector or data cable from the back of the drive or from the motherboard) to prevent the destruction, damage, or alteration of data.
Retrieve configuration information from the suspect's system through controlled boots.
Perform a controlled boot to capture CMOS/BIOS information and test functionality.
Boot sequence (this may mean changing the BIOS to ensure the system boots from the floppy or CD-ROM drive).
Time and date.
Power-on passwords.
Perform a second controlled boot to test the computer's functionality and the forensic boot disk.
Ensure the power and data cables are properly connected to the floppy or CD-ROM drive, and that the power and data cables to the storage devices are still disconnected.
Place the forensic boot disk into the floppy or CD-ROM drive. Boot the computer and ensure the computer will boot from the forensic boot disk.
Reconnect the storage devices and perform a third controlled boot to capture the drive configuration information from the CMOS/BIOS.
Ensure there is a forensic boot disk in the floppy or CD-ROM drive to prevent the computer from accidentally booting from the storage devices.
Drive configuration information includes logical block addressing (LBA); large disk; cylinders, heads, and sectors (CHS); or auto-detect.
Power the system down.
Whenever possible, remove the subject storage device and perform the acquisition using the examiner's system. When attaching the subject device to the examiner's system, configure the storage device so that it will be recognized.
Exceptional circumstances, including the following, may result in a decision not to remove the storage devices from the subject system:
RAID (redundant array of inexpensive disks). Removing the disks and acquiring them individually may not yield usable results.
Laptop systems. The system drive may be difficult to access or may be unusable when detached from the original system.
Hardware dependency (legacy equipment). Older drives may not be readable in newer systems.
Equipment availability. The examiner does not have access to necessary equipment.
Network storage. It may be necessary to use the network equipment to acquire the data.
When using the subject computer to acquire digital evidence, reattach the subject storage device and attach the examiner's evidence storage device (e.g., hard drive, tape drive, CD-RW, magneto-optical (MO) disk).
Ensure that the examiner's storage device is forensically clean when acquiring the evidence: wiped with a known pattern and verified (e.g., by hashing) beforehand, so that residual data from an earlier case cannot be mistaken for evidence from this one.
Write protection should be initiated, if available, to preserve and protect original evidence.
Note: The examiner should consider creating a known value for the subject evidence prior to acquiring the evidence (e.g., performing an independent cyclic redundancy check (CRC), hashing). Depending on the selected acquisition method, this process may already be completed.
If hardware write protection is used:
Install a write protection device.
Boot system with the examiner's controlled operating system.
If software write protection is used:
Boot system with the examiner-controlled operating system.
Activate write protection (e.g., a software write blocker, or on Linux marking the block device read-only with blockdev --setro before anything can mount it).
Investigate the geometry of any storage device to ensure that all space is accounted for, including any host protected area (HPA) or device configuration overlay (DCO): confirm that the sector count the drive reports to the host matches its native maximum, and that the partition table fits within the physical geometry of the drive without referencing sectors beyond it or leaving unexplained space.
Capture the electronic serial number of the drive and other user-accessible, host-specific data.
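The geometry check in the step above, as an added Python example that is not part of the original guidance. It parses a classic MBR partition table and compares it with two numbers the examiner would read from the drive itself (on Linux, hdparm -N prints both): the user-addressable sector count from IDENTIFY DEVICE and the native maximum from READ NATIVE MAX ADDRESS. A native maximum larger than the user-addressable count means sectors are hidden in an HPA; a partition running past the user area, or a large unpartitioned tail, are the other discrepancies worth explaining before acquisition. The function names, the sector counts and the sample MBR are constructed for this example.

```python
import struct

SECTOR_SIZE = 512


def parse_mbr_partitions(mbr):
    """Return (type, start_lba, sector_count) for each used primary MBR entry."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        start, count = struct.unpack("<II", entry[8:16])
        if ptype and count:
            parts.append((ptype, start, count))
    return parts


def audit_geometry(mbr, user_sectors, native_max_sectors):
    """Compare the partition table with what the drive itself reports.
    user_sectors: addressable sectors per IDENTIFY DEVICE (what the OS sees).
    native_max_sectors: READ NATIVE MAX ADDRESS + 1; when it exceeds
    user_sectors, the difference is hidden in a host protected area (HPA)."""
    parts = parse_mbr_partitions(mbr)
    end = 0
    beyond = []
    for ptype, start, count in parts:
        last = start + count              # first sector after the partition
        if last > user_sectors:
            beyond.append((ptype, start, count))
        end = max(end, last)
    return {
        "partitions": parts,
        "hpa_sectors": max(native_max_sectors - user_sectors, 0),
        "partitions_beyond_user_area": beyond,
        "unpartitioned_tail_sectors": max(user_sectors - end, 0),
    }


def build_mbr(partitions):
    """Construct a minimal MBR (sample data for this example, not a real drive)."""
    mbr = bytearray(512)
    for i, (ptype, start, count) in enumerate(partitions):
        off = 446 + 16 * i
        mbr[off + 4] = ptype
        mbr[off + 8:off + 16] = struct.pack("<II", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def demo():
    # Assumed drive: 2,000,000 user sectors but a native maximum of 2,097,152,
    # so 97,152 sectors sit in an HPA. One NTFS (0x07) partition starts at LBA 2048.
    user, native = 2_000_000, 2_097_152
    normal = audit_geometry(build_mbr([(0x07, 2048, 1_900_000)]), user, native)
    # A second table that claims a partition running past the user-addressable area.
    overrun = audit_geometry(build_mbr([(0x07, 2048, 2_000_000)]), user, native)
    return normal, overrun
```

A DCO can hide sectors even from READ NATIVE MAX ADDRESS, so on drives that support it the DCO identify data (hdparm --dco-identify on Linux) should be recorded as well; GPT-partitioned drives need the same check against the GPT headers rather than the MBR entries parsed here.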
Acquire the subject evidence to the examiner's storage device using the appropriate software and hardware tools, such as:
Stand-alone duplication software.
Forensic analysis software suite.
Dedicated hardware devices.
Verify successful acquisition by comparing the known values (hashes) of the original and the copy, or by doing a sector-by-sector comparison of the original to the copy. Any mismatch means the acquisition must be repeated, or the discrepancy (e.g., sectors the original could not read) documented.
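Both verification methods from the last step, as an added Python example (not code from the original guidance): the hashes recorded from the original before acquisition (the "known value" of the earlier note) are compared with hashes of the copy, and the two media are then read one sector at a time so that any differing sector can be reported by LBA. The function names and the five-sector sample media are constructed for this example; on real media the streams would be the write-blocked original device and the image file.

```python
import hashlib
import io

SECTOR_SIZE = 512


def hash_stream(stream, algorithms=("md5", "sha1"), bufsize=1 << 20):
    """Hex digests of the whole stream, read from offset 0 in bufsize pieces."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    while True:
        buf = stream.read(bufsize)
        if not buf:
            break
        for h in hashers.values():
            h.update(buf)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_sectors(original, copy, sector_size=SECTOR_SIZE, max_listed=10):
    """Read both streams one sector at a time. Returns (sectors_compared,
    mismatch_count, first_mismatched_lbas, same_length)."""
    original.seek(0)
    copy.seek(0)
    lba, mismatches, listed = 0, 0, []
    while True:
        a = original.read(sector_size)
        b = copy.read(sector_size)
        if not a and not b:
            return lba, mismatches, listed, True
        if len(a) != len(b):                 # one side ended early
            return lba, mismatches, listed, False
        if a != b:
            mismatches += 1
            if len(listed) < max_listed:
                listed.append(lba)
        lba += 1


def verify_acquisition(original, copy, known_values):
    """known_values: digests recorded from the original before acquisition.
    Checks the copy against them and against the original sector by sector."""
    copy_hashes = hash_stream(copy, tuple(known_values))
    hashes_match = all(copy_hashes[name] == digest
                       for name, digest in known_values.items())
    compared, mismatches, listed, same_length = compare_sectors(original, copy)
    return {
        "hashes_match": hashes_match,
        "sectors_compared": compared,
        "mismatched_sectors": mismatches,
        "first_mismatched_lbas": listed,
        "same_length": same_length,
        "verified": hashes_match and same_length and mismatches == 0,
    }


def demo():
    # Constructed sample media of five 512-byte sectors (not real evidence).
    media = bytes(range(256)) * 10
    known = hash_stream(io.BytesIO(media))        # recorded before acquisition
    good = verify_acquisition(io.BytesIO(media), io.BytesIO(media), known)
    damaged = bytearray(media)
    damaged[2 * SECTOR_SIZE + 7] ^= 0x80          # one bit flipped in LBA 2
    bad = verify_acquisition(io.BytesIO(media), io.BytesIO(bytes(damaged)), known)
    short = verify_acquisition(io.BytesIO(media), io.BytesIO(media[:-100]), known)
    return good, bad, short
```

The hash comparison is the quick answer (match or no match); the sector comparison is what tells the examiner whether a failure is a single bad sector at a known LBA, which can be documented, or a truncated image, which means the acquisition must be redone.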