by Chetan Gupta, NII Consulting
Evidence Collection is the heart and soul of the Forensics process. It becomes even more important if the evidence needs to be produced in a court of law. After the investigator has assessed the situation and determined a response strategy, he moves on to acquiring an image of the suspect system. The investigator’s best bet is to have a defined methodology for creating an image in a forensically sound manner. The most difficult part of forensic duplication is having the appropriate cabling and hardware.
Depending upon the situation, there are three different approaches to forensic duplication:
Image the evidence disk by removing it from the suspect computer and attaching it to the forensics workstation
This method is the most traditional. It is called ‘drive to drive’ acquisition since both the Subject hard drive and the Storage hard drive are connected to the same motherboard. The investigator needs to seize the entire system and ship it to the forensics lab. Alternatively, the investigator can carry a forensic workstation (the ‘luggable’ class type) that has removable bays and a lot of storage space for on-site duplication. The investigator documents all the details of the system, noting all serial numbers, BIOS information and any visible damage. The evidence drive(s) are attached to the forensic workstation and imaged using SafeBack, imaging tools in the Helix bootable distribution such as Grab and Adeptol Image acquisition software, the UNIX dd command, or EnCase.
Image the evidence disk by attaching a hard drive to the suspect computer
The second imaging approach is just as common as the first one. The approach is the same but extra care should be taken to ensure that the hardware performs as you expect it to. If you still have access to the Subject computer, I recommend performing this type of acquisition in the Subject computer’s environment. This will avoid any drive geometry problems that might result if the Subject hard drive is removed from its native environment. So, always acquire in the Subject computer / native environment if possible.
Image the evidence disk by sending the disk image over a closed network to the forensics workstation
Another approach is to send the image over the network through a parallel cable (slower) or a crossover cable (faster). This involves using a boot disk or CD-ROM that supports different disk types such as IDE, SATA etc. and the network hardware.
A point-to-point connection is usually set up from the evidence system to the forensic system using a standard Ethernet crossover cable or a parallel port cable. The forensic workstation is configured to receive data on a TCP port and redirect it to a local file. If the forensic system has adequate memory and disk space, multiple systems can be imaged at once. This is safe because we can rely on several layers to ensure the integrity of the data: TCP provides reliable, in-order delivery, and the hash comparison performed afterwards confirms that the received image matches the original drive.
Key points to note:
- After the process has ended, always perform MD5/SHA1 computations on the final image file, as well as the original drive. If the computations match, we are assured that the image has been obtained in a forensically sound manner!
- Ideally the investigator would use a special device called a Hard Disk write blocker to be sure that he doesn’t accidentally write to the suspect disk. A write blocker is a device placed between the suspect disk and the workstation that blocks any write attempt to the suspect disk. An example of a write blocker is FireFly, available at www.digitalintelligence.com
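The following Python script is an added example, not code from the article or from NII Consulting, that demonstrates the two acquisition paths described above (drive-to-drive copying, and receiving a stream on a TCP port and redirecting it to a local file) together with the MD5/SHA1 verification from the key points. It makes these assumptions: a constructed random file stands in for the evidence drive, a localhost TCP connection stands in for the crossover cable, and the 4096-byte block size is a chosen value; in a real acquisition the source would be a write-blocked device such as /dev/sdb opened read-only, and the copy itself would more likely be performed with dd.

```python
"""Added example: forensic image acquisition with hash verification.

Two acquisition paths from the article, run offline on constructed data:
  1. drive-to-drive: copy a source "device" to an image file in fixed-size
     blocks (dd-style), then hash source and image independently and compare.
  2. network: the forensic workstation side listens on a TCP port and
     redirects the received bytes to a local file while the evidence side
     streams the source; the hashes of both ends are then compared.
A temporary random file stands in for the evidence drive (assumption).
"""
import hashlib
import os
import socket
import tempfile
import threading

BLOCK = 4096  # read/write block size, like dd's bs= (chosen value)


def hash_file(path):
    """Return (md5, sha1) hex digests of a file, computed in one pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def image_drive_to_drive(src, dst):
    """dd-style block copy of src to dst; True only if both hashes match.

    On a real system src would be the write-blocked evidence device opened
    read-only; the source is never opened for writing here.
    """
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK), b""):
            fout.write(chunk)
    return hash_file(src) == hash_file(dst)


def acquire_over_network(src, dst):
    """Stream src to a receiver on a TCP port, write it to dst, verify hashes.

    The receiver is the forensic-workstation role from the article; the
    sender is the evidence system. Localhost replaces the crossover cable.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port; a real setup uses a fixed one
    srv.listen(1)
    port = srv.getsockname()[1]

    def receiver():
        # Accept one connection and redirect everything received to dst.
        conn, _ = srv.accept()
        with conn, open(dst, "wb") as out:
            for data in iter(lambda: conn.recv(BLOCK), b""):
                out.write(data)

    t = threading.Thread(target=receiver)
    t.start()
    # Evidence side: read the source in blocks and push it down the socket.
    with socket.create_connection(("127.0.0.1", port)) as s, open(src, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            s.sendall(chunk)
    t.join()  # closing the sender socket ends the receiver's loop
    srv.close()
    return hash_file(src) == hash_file(dst)


def demo():
    """Build a constructed evidence drive, run both acquisitions, then show
    that a single flipped byte in an image is caught by the hash comparison.
    Returns (drive_to_drive_ok, network_ok, tampered_image_ok)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        with open(src, "wb") as f:
            # Not a block multiple, so the final short block is exercised too.
            f.write(os.urandom(3 * BLOCK + 123))
        d2d_ok = image_drive_to_drive(src, os.path.join(d, "image_d2d.dd"))
        net_img = os.path.join(d, "image_net.dd")
        net_ok = acquire_over_network(src, net_img)
        # Simulate a corrupted or altered image: flip one byte, recheck.
        with open(net_img, "r+b") as f:
            f.seek(10)
            orig = f.read(1)
            f.seek(10)
            f.write(bytes([orig[0] ^ 0xFF]))
        tampered_ok = hash_file(src) == hash_file(net_img)
        return d2d_ok, net_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Both paths hash the source and the image separately rather than trusting the copy loop, which is the check the article asks for after the process has ended; the tampered case in demo() shows why that comparison, and not the absence of transfer errors, is what establishes the image as sound.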
Here is a list of commonly used imaging tools