Disk Imaging Approaches

by Chetan Gupta, NII Consulting

Evidence collection is the heart and soul of the forensics process, and it matters even more when the evidence must be produced in a court of law. After the investigator has assessed the situation and determined a response strategy, the next step is to acquire an image of the suspect system. The investigator’s best bet is a defined methodology for creating that image in a forensically sound manner. The most difficult part of forensic duplication is having the appropriate cabling and hardware on hand.

Depending upon the situation, there are three different approaches to forensic duplication:

Image the evidence disk by removing it from the suspect computer and attaching it to the forensics workstation

This method is the most traditional. It is called ‘drive to drive’ acquisition because both the subject hard drive and the storage hard drive are connected to the same motherboard. The investigator either seizes the entire system and ships it to the forensics lab, or carries a forensic workstation (the ‘luggable’ class) with removable bays and plenty of storage for on-site duplication. The investigator documents all details of the system, noting serial numbers, BIOS information and any visible damage. The evidence drive(s) are then attached to the forensic workstation and imaged using SafeBack, the imaging tools in the Helix bootable distribution such as Grab and Adeptol Image acquisition software, the UNIX dd command, or EnCase.

Image the evidence disk by attaching a hard drive to the suspect computer

The second imaging approach is just as common as the first. The procedure is the same, but extra care should be taken to ensure that the hardware performs as you expect it to. If you still have access to the subject computer, I recommend performing this type of acquisition in the subject computer’s own environment. This avoids the drive geometry problems that can arise when the subject hard drive is removed from its native environment. So, always acquire in the subject computer / native environment if possible.

Image the evidence disk by sending the disk image over a closed network to the forensics workstation

Another approach is to send the image over the network through a parallel cable (slower) or a crossover cable (faster). This requires a boot disk or CD-ROM that supports the relevant disk types (IDE, SATA etc.) and the network hardware.
A point-to-point connection is set up from the evidence system to the forensic system using a standard Ethernet crossover cable or a parallel port cable. The forensic workstation is configured to receive data on a TCP port and redirect it to a local file. If the forensic system has adequate memory and disk space, multiple systems can be imaged at once. This is safe because several layers can be relied on to ensure the integrity of the data.
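As an added illustration (not part of the original article, and not taken from any tool the article names), here is a Python model of the point-to-point arrangement just described: the forensic workstation listens on a TCP port and redirects the incoming stream to a local file, the evidence side pushes the drive contents block by block, and both ends hash what they handle so the digests can be compared once the transfer ends. Both ends run in one process over loopback, the "drive" is a constructed byte string, and every function name is my own assumption.

```python
"""Point-to-point network imaging, modelled in one process (constructed example)."""
import hashlib
import os
import socket
import tempfile
import threading

BLOCK = 4096  # transfer block size, chosen for this example


def receiver(listen_sock: socket.socket, out_path: str) -> dict:
    """Forensic workstation side: accept one connection, spool the stream
    to out_path and hash it as it arrives. Returns byte count, MD5 and SHA-1."""
    conn, _ = listen_sock.accept()
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    with conn, open(out_path, "wb") as f:
        while True:
            chunk = conn.recv(65536)
            if not chunk:          # peer shut down its write side: image complete
                break
            f.write(chunk)
            md5.update(chunk)
            sha1.update(chunk)
            total += len(chunk)
    return {"bytes": total, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def sender(host: str, port: int, device: bytes) -> dict:
    """Evidence side: stream the drive contents block by block (the role
    a dd-to-network pipeline plays on a boot CD), hashing locally so the
    digest can be compared with the workstation's afterwards."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with socket.create_connection((host, port)) as s:
        for off in range(0, len(device), BLOCK):
            blk = device[off:off + BLOCK]
            s.sendall(blk)
            md5.update(blk)
            sha1.update(blk)
        s.shutdown(socket.SHUT_WR)  # signal end of image to the receiver
    return {"bytes": len(device), "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def image_over_network(device: bytes, out_path: str) -> bool:
    """Run both ends over loopback; True when sender and receiver agree on
    byte count, MD5 and SHA-1."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))   # ephemeral port here; a real setup pins one
    lsock.listen(1)
    port = lsock.getsockname()[1]
    result = {}
    t = threading.Thread(target=lambda: result.update(receiver(lsock, out_path)))
    t.start()
    sent = sender("127.0.0.1", port, device)
    t.join()
    lsock.close()
    return sent == result


def tmp_image_path() -> str:
    """Fresh image file path inside a private temporary directory."""
    return os.path.join(tempfile.mkdtemp(), "evidence.dd")


# Constructed 256 KiB "drive" with recognisable content.
SAMPLE_DEVICE = bytes(range(256)) * 1024

if __name__ == "__main__":
    path = tmp_image_path()
    print("digests match:", image_over_network(SAMPLE_DEVICE, path))
```

The receiver hashes the stream while writing it, so the digest it reports is over exactly the bytes that reached the file; the sender's digest is over what left the evidence system. Agreement of both digests and the byte count is what the article's later hash check relies on, and a disagreement points at the transfer rather than the drive.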

Key points to note:

  1. After the process has ended, always compute MD5/SHA1 hashes of the final image file as well as of the original drive. If the hashes match, we are assured that the image has been obtained in a forensically sound manner!
  2. Ideally the investigator uses a special device called a hard disk write blocker to be sure that he doesn’t accidentally write to the suspect disk. A hard disk write blocker is a device that blocks any write attempt to the suspect disk. An example of a write blocker is FireFly, available at www.digitalintelligence.com
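An added example, not from the article or from any of the tools it lists, showing in Python what a drive-to-drive acquisition followed by the hash check in key point 1 looks like. The Disk class is a constructed stand-in for a raw block device and the function names are my own. It also covers the case the key point leaves out: a drive with an unreadable sector, where the image pads that sector with zeros (the behaviour of dd with conv=noerror,sync) so the hashes can no longer match, and the bad-sector list becomes part of the acquisition record.

```python
"""Sector-by-sector drive-to-drive imaging with hash verification (constructed example)."""
import hashlib

SECTOR = 512


class Disk:
    """Stand-in for a raw block device (constructed for this example).
    Reads are sector-granular; sector numbers in `bad` raise OSError,
    the way a failing drive reports an unreadable sector."""

    def __init__(self, data: bytes, bad=()):
        assert len(data) % SECTOR == 0
        self.data = data
        self.bad = set(bad)

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def digests(data: bytes) -> dict:
    """MD5 and SHA-1 of a byte string, the two hashes key point 1 calls for."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def acquire(src: Disk):
    """Copy every sector. An unreadable sector is written as 512 zero bytes
    so later sectors keep their original offsets, and its number is
    recorded. Returns (image_bytes, bad_sector_list)."""
    chunks, bad = [], []
    for n in range(src.sectors):
        try:
            chunks.append(src.read_sector(n))
        except OSError:
            chunks.append(b"\x00" * SECTOR)
            bad.append(n)
    return b"".join(chunks), bad


def hash_device(src: Disk) -> dict:
    """Re-read the whole device to hash it. Raises OSError if any sector
    cannot be read, because a hash over part of the drive proves nothing."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for n in range(src.sectors):
        block = src.read_sector(n)
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify(src: Disk, image: bytes) -> bool:
    """True when MD5 and SHA-1 of the device equal those of the image."""
    return hash_device(src) == digests(image)


# Constructed 16-sector "drive": sector n is filled with byte value n.
SAMPLE = b"".join(bytes([n]) * SECTOR for n in range(16))

if __name__ == "__main__":
    clean = Disk(SAMPLE)
    img, bad = acquire(clean)
    print("clean drive: bad sectors", bad, "hashes match:", verify(clean, img))

    damaged = Disk(SAMPLE, bad=[3])
    img, bad = acquire(damaged)
    print("damaged drive: bad sectors", bad)
    try:
        verify(damaged, img)
    except OSError as e:
        print("cannot hash the source drive:", e)
```

For a healthy drive the two digests agree and the image is complete. For the damaged drive the source cannot even be hashed end to end, so the matching-hash test of key point 1 cannot succeed; what documents the acquisition in that case is the image's own hashes together with the list of sectors that were zero-filled.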

Here is a list of commonly used imaging tools



3 Comments

  1. Hi Chetan,

    This is a great article. This gave me a new way of looking at security and the computer forensic process. Even though I understood only 75%, I think the articles are worth reading. And the article by Mr. Mookhey is very interesting.

    And about the magazine: This is great idea, and people like me can learn many things of security and can develop some basic knowledge about the security. Thanks for the great articles.

    All the Best for your efforts.

    Regards,
    kapil.

  2. Hi,

    Good article listing the different techniques.

    Can you and the readers share the amount of time it took them for imaging a drive using the different solutions listed above?

    For example:

    60 Gig 10K rpm – Drive to Drive – with dd – 1.5 hours.
    80 Gig 10K rpm – over network – with Helix – 6 hours .

    Seems like it’s taking forever for me and I am wondering if it’s normal.

    Thanks,
    alert(‘Lets go image so drive…’)

  3. The imaging aspect is only a very small piece of the puzzle, but the simplified explanation provided here is a good introduction for the layperson.

    The bigger issues often involve the seizing, preservation, identification, interpretation and documentation of the evidence. There are rules of evidence that need to be followed to allow the data to be admissible. The imaging is a trivial practice accomplished by widely available tools. It’s the human aspect that muddies up the waters.
