Week 2: Data Acquisition and Duplication

Week 2 - Data Acquisition and Duplication

Ali Jaddoa
Ali.Jaddoa@roehampton.ac.uk

25/26

Quick Recap - Last Week

  • Digital evidence principles
    • Evidence must be authentic, reliable, and admissible.
    • Follow recognised frameworks (e.g., ACPO guidelines, NIST SP 800-86).
  • Chain of custody
    • Document every step: who, what, when, where, how.
    • Ensures integrity & accountability.
  • Key message:
    • If evidence is mishandled, it may be ruled inadmissible in court.


This Week: Data Acquisition and Duplication



What Is Data Acquisition?

  • The process of extracting Electronically Stored Information (ESI) from a suspect device or media.
  • Must be authentic, verifiable, and admissible in court.
  • Always repeatable, auditable, and legally defensible.
  • Types:
    • Live - system on; captures volatile data but may alter evidence.
    • Dead - system off; preserves integrity but loses volatile data.


Why Is Acquisition Important?

  • The first technical step after identification and preservation.
  • Mistakes here can compromise the entire investigation.
  • Accuracy at this stage ensures reliable, defensible evidence.
  • Today we move from principles to practical acquisition methods.


1. Live Acquisition

  • Collecting volatile data from a running system.

  • Assists in building a timeline of events and identifying possible users.

  • Usually followed by dead/static acquisition.

  • Captures system data: config, date/time, uptime, processes, command history, open files, clipboard, DLLs, registers, CPU.

  • Captures network data: routing tables, ARP cache, connections, configuration.

  • Useful for:

    • Accessing unencrypted containers/disks open during operation.
    • Recovering private browsing history and data from cloud services (e.g., Dropbox) via RAM.


Order of volatility

1 Registers, cache
2 Routing table, ARP cache, processes, memory
3 Temporary file systems
4 Disk
5 Remote logging/monitoring data
6 Physical configuration, network topology
7 Archived data


2. Dead (Static) Acquisition

  • Collecting data from a powered-off system.

  • Involves imaging storage devices such as hard drives, DVDs, USBs, flash cards, smartphones.

  • Common data recovered: emails, documents, web activity, spreadsheets, slack space, unallocated space, deleted files.
    • Temporary files
    • System registries
    • Event / system logs
    • Boot sectors
    • Web cache & cookies
    • Hidden files


Activity 1 - "Live or Dead?" (5 mins)

You are called to a scene where investigators found these systems:

  1. A running corporate laptop suspected of leaking data to Dropbox.
  2. A powered-off USB flash drive found near the suspect’s desk.
  3. A server still active and hosting a database of customer records.

Discuss in a group:

  • For each case, would you perform a live or dead acquisition?
  • What evidence do you risk losing or altering?
  • Which artefacts are most volatile in each scenario?


Acquisition Methods and Formats



Acquisition Methods and Formats

  1. Bit-stream acquisition: creates a bit-by-bit copy of the entire suspect drive (all sectors, clusters, ambient data).
    • Applies to both live and static acquisitions.
    • More time needed for large disks.

| Method | Description | Tools |
|---|---|---|
| 1. Disk-to-Image File | Most common method. Creates one or more image files that are exact replicas of the suspect drive. | ProDiscover, EnCase, FTK, Sleuth Kit, X-Ways |
| 2. Disk-to-Disk | Used when disk-to-image is not possible. Clones the suspect drive directly to another disk (aligning cylinders/tracks). | EnCase, Tableau Forensic Imager |


Acquisition Methods (Cont’d)

  1. Logical Acquisition

    • Used when time is limited
    • Collects only files relevant to the investigation
    • Examples:
      • Outlook .pst / .ost files in email cases
      • Specific records from large RAID servers
  2. Sparse Acquisition

    • Similar to logical acquisition but also collects fragments of unallocated data
    • Allows recovery of deleted files
    • Useful when full drive inspection is not required


Data Acquisition Formats

| Format | Key Features | Pros | Cons |
|---|---|---|---|
| 1. RAW | Bit-by-bit copy, no compression | Fast, widely supported | Large file size, no metadata |
| 2. Proprietary | Tool-specific (e.g., EnCase, FTK) | Compression, segmentation, metadata support | Not always compatible across tools, slower searches |
| 3. AFF (Advanced Forensics Format) | Open-source, customisable, supports metadata | Cross-platform, supported by many tools (Xmount, SleuthKit, FTK) | Less common than RAW/Proprietary |


Rules of Thumb for Data Acquisition


  • Never work on the original evidence
  • Create a bit-stream or logical image for analysis
  • Always produce two or more copies:
    • Working copy - used for analysis
    • Library/control copy - securely stored for disclosure or backup
  • Use clean media for storing copies
  • Always verify integrity of copies against the original (e.g., hashing)

According to ACPO



Data Acquisition Methodology and Process



Data Acquisition Methodology

Data Acquisition Methodology Diagram
  • Integrity & Accuracy: protect the original evidence at all times.
  • Compliance: follow departmental/organisational policies, standards, rules, and laws.
  • Forensic Soundness: ensure the process does not alter the data.
  • Authentication: verify acquired images with hash algorithms (MD5, SHA-1, SHA-256).


Step 1: Determine the Best Data Acquisition Method

  • Choose the most suitable method for the case.
  • Key factors: size of drive, time available, ability to retain drive.
  • Acquire only relevant data.

Step 2: Select the Acquisition Tool

  • Tool must not alter original data.
  • Must log errors clearly.
  • Results should be repeatable & verifiable.


Step 3: Sanitise the Target Media

  • Simple formatting or deleting partitions does not fully remove file data.
  • Sanitise target media before reuse to eliminate any prior data.
  • After the investigation, dispose or re-sanitise media per policy to prevent unauthorised disclosure and ensure confidentiality.
  • Follow recognised standards (e.g., NIST SP 800-88, ISO/IEC 27040) for media sanitisation.
Media Sanitisation Process


Step 4: Acquire Volatile Data (more in Memory Forensics Week)

  • DON’T: shut down the system before collecting live evidence

  • DON’T: trust tools on the suspect system - use your own

  • DO:

    • Use small, trusted tools (prefer CLI)
    • Collect:
      • RAM
      • Active processes & logged-on users
      • Open files / libraries
      • Network info (connections, ports, routing tables, ARP cache)

Volatile evidence disappears once power is lost.



Step 5: Acquire Non-Volatile Data

  • Involves acquiring data from hard disks
  • Two approaches:
    • Live acquisition - via remote tools (e.g., netcat) or bootable media (e.g., CAINE)
    • Dead acquisition - remove disk from suspect machine and image it separately
  • Both methods yield a similar amount of data from the hard disk


Essential: Enable Write Protection on the Evidence Media

  • Write protection prevents storage media from being written to or modified.
  • Implemented using hardware or software write blockers.

Hardware Write Blocker

  • CRU® WiebeTech® USB WriteBlocker™, Tableau Forensic Bridges
  • Reliable but costly

Software Write Blocker

  • SAFE Block, MacForensicsLab Write Controller, Paladin Toolbox
  • Can also configure via Windows Registry
Write Blocker Diagram


5.1. Using Command-Line Tools: dd & dcfldd

  • Linux tools for bit-stream copies (disk-to-disk or disk-to-image).
  • Steps: remove suspect disk - connect to workstation - enable write blocker - run dd/dcfldd.

dd Example:

dd if=/dev/hda of=/media/image.dd conv=noerror,notrunc

  • if = input device (e.g., /dev/hda)
  • of = output image file (e.g., /media/image.dd; never a path under /dev)
  • conv=noerror - continue past read errors
  • conv=notrunc - don't truncate the output file

dcfldd: improved dd with hashing + progress display.



5.2 FTK Imager

  • Free forensic imaging tool from AccessData (now Exterro)
  • Creates bit-by-bit images of drives, partitions, or files
  • Supports multiple formats (E01, AFF, raw)
  • Quick preview of files/folders before acquisition
  • Generates hashes (MD5, SHA-1, SHA-256) for verification
  • Can capture disk images and memory dumps

FTK Imager Interface


Step 6: Plan for Contingency

Plan in advance for what to do when the hardware or software does not work, or a failure occurs during the acquisition.



Step 7: Validate Data Acquisition

  • Critical step: ensure digital evidence integrity.
  • Use hashing utilities to generate unique values (CRC-32, MD5, SHA-1, SHA-256).
  • If two files share the same hash - they are identical, regardless of filename.

Take hash values before and after the investigation to confirm no alteration.

  • Linux Methods:
    • Using dcfldd with SHA-256
      • dcfldd if=/dev/sda of=/media/image.dd hash=sha256
    • Using md5sum
      • md5sum /dev/sda
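The dd acquisition from 5.1, the capacity alert from Step 6 and the hash check from Step 7 carried through as one script. This is an added example, not part of the original slides; it assumes the suspect drive is a file constructed here (a real device would need root and a write blocker) and that dd and sha256sum are the GNU coreutils versions.

```shell
#!/bin/sh
# Added example (not from the original slides): dd bit-stream copy, then the
# Step 7 hash comparison, with the Step 6 capacity alert run first.
# Assumption: the "evidence drive" is a file constructed below.
set -u

# Contingency check: alert before imaging if the copy cannot fit.
# Arguments: source size in bytes, free space on the destination in bytes.
check_capacity() {
    if [ "$1" -gt "$2" ]; then
        echo "ALERT: source ($1 bytes) larger than destination ($2 bytes)"
        return 1
    fi
    return 0
}

# Bit-stream copy. conv=noerror continues past read errors; sync pads each
# unreadable block with zeros so later sectors keep their offsets; notrunc
# leaves an existing output file untruncated (relevant when re-imaging).
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync,notrunc status=none
}

# Hash source and image and report the verdict. Both hashes belong in the
# chain of custody; a mismatch that survives re-imaging means stop and document.
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$src_hash" = "$img_hash" ]; then
        echo "match $src_hash"
        return 0
    fi
    echo "MISMATCH source=$src_hash image=$img_hash"
    return 1
}

# Constructed evidence: 64 zero-filled 512-byte sectors with one text marker.
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=512 count=64 status=none
    printf 'CONSTRUCTED-EVIDENCE' | dd of="$1" bs=1 seek=1024 conv=notrunc status=none
}

# Walk-through on the constructed disk, everything under a temporary directory.
WORK=$(mktemp -d)
make_sample_disk "$WORK/evidence.bin"
check_capacity "$(wc -c < "$WORK/evidence.bin" | tr -d ' ')" 1048576 \
    && acquire_image "$WORK/evidence.bin" "$WORK/image.dd" \
    && verify_image "$WORK/evidence.bin" "$WORK/image.dd"
```

Swap `verify_image` for `dcfldd ... hash=sha256` on a real workstation and the same before/after comparison applies.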


If Hashes Do Not Match

  • Possible cause: bad sectors on the evidence drive
  • Try to image it again
  • If mismatch persists - evidence drive may be failing
  • Stop using it, and document the issue in the chain of custody
  • If necessary, send drive to a data recovery company


Activity 2 - "Choose Your Imaging Method"

You must image evidence from three different cases. Research or recall which method and format you would use - and why.

| Case | Recommended Method | Format | Reason |
|---|---|---|---|
| 1. 500 GB laptop HDD (Windows) | ? | ? | ? |
| 2. 64 GB USB drive (Linux) | ? | ? | ? |
| 3. Cloud storage snapshot | ? | ? | ? |

Hints:

  • Consider speed, tool compatibility, and metadata needs.
  • Tools may include dd, dcfldd, FTK Imager, or X-Ways.


Preparing an Image for Examination

  • Once the image is collected, the next task is to prepare it for examination.

  • Investigators typically use the following combinations:
    • dd image - examined on Linux with tools like dd, dcfldd, Sleuth Kit
    • E01 (EnCase) image - examined on Windows with tools like FTK, EnCase, X-Ways
    • APFS image - examined on Mac with forensic tools supporting APFS



Lab

  • Review and complete this week’s activity from here.


  • Forensic process model
    • Identification - Preservation - Collection - Examination - Analysis - Reporting - Presentation.
  • Alert if source > destination.