Data acquisition is the first proactive step in the forensic investigation process. The aim of forensic data acquisition is to extract every bit of information present on the evidence hard disk and create a forensic copy that can be used as evidence in court [1].

The first principle when examining electronic evidence is to keep the data held on the storage medium unchanged. For embedded systems this principle is more challenging than it looks at first sight, because the storage is often soldered to the board and cannot simply be removed and placed behind a write blocker. Once exhibits have been seized, an exact sector-level duplicate (a “forensic duplicate”) of the media is created, usually through a write-blocking device, in a process referred to as imaging or acquisition. The duplicate is created with a hardware drive duplicator or with software imaging tools such as EnCase, FTK Imager, dcfldd, IXimager, Guymager, TrueBack or FDAS (Fast Disk Acquisition System). The original drive is then returned to secure storage to prevent tampering [2].

Why Create a Duplicate Image?

Digital data is highly susceptible to loss, damage, and corruption unless investigators preserve and handle it properly. Prior to examination, the investigator should forensically image the electronic device and keep two or more copies of the image. Forensic investigators should work only on an image, never on the original [1].

How does Data Acquisition Work?

Professional data acquisition entails creating a bit-perfect copy of the digital media evidence, either on site where the device is kept or, if the device can be transported, in a clean room or a forensics lab.

The storage device is first connected to a write blocker, a device that passes read commands through to the drive but blocks every write command, so that nothing on the evidence drive can be altered during the process. A bit-for-bit image or “clone” of the drive is then created on a separate storage device for later examination. After the initial acquisition, the original device is placed in secure storage, and the forensic examiner conducts all analysis on the copy only.

Working on a copy leaves the original media intact, so the original can be re-hashed and compared against the image at any later date to confirm that the evidence has not changed.

Acquired media is often referred to as an “image” and is generally stored in one of several open or proprietary formats. The most common is the EnCase evidence file format (also known as the Expert Witness Format, file extension .E01), which is proprietary and supports compression. During acquisition the imaging software computes a cryptographic hash of the media, which allows an analyst to later confirm that the image and its contents are accurate and unaltered. The EnCase format stores a CRC checksum for each data chunk (64 sectors, i.e. 32 KiB, by default) together with an MD5 hash of the entire media appended at the end, so a mismatch can be localised to a particular chunk rather than only detected across the whole image.

The acquired image is verified with the MD5 or SHA-1 hash functions. Because neither MD5 nor SHA-1 is collision resistant any longer, current practice is to record a second, stronger digest such as SHA-256 alongside them. At critical points throughout the analysis the image is hashed again to confirm that the evidence is still in its original state [3].

Data Acquisition and Duplication Steps:

  1. Prepare a chain of custody document.
  2. Enable write protection on the evidence media.
  3. Sanitize the target media.
  4. Determine the data acquisition format.
  5. Determine the best acquisition method.
  6. Select the data acquisition tool.
  7. Acquire the data.
  8. Plan for contingencies (for example, a second image or an alternative tool if the first acquisition fails).
  9. Validate data acquisitions.

Types of Data Acquisition:

  1. Live Data Acquisition: the process of acquiring data from a running computer (locked or unlocked) that is already powered on. Volatile data is fragile and is lost when the system loses power or the user switches it off. Such data resides in CPU registers, cache and RAM. Because RAM and other volatile data change constantly, they must be collected while the system is still running, starting with the most volatile sources.
  2. Static Data Acquisition: the process of acquiring non-volatile data, which remains on the system unaltered even after shutdown. Investigators can recover such data from hard drives, including slack space, swap files and unallocated space. Other sources of non-volatile data include CD-ROMs, USB thumb drives, smartphones and PDAs.

Static acquisition is the usual choice for computers the police have seized powered off during a raid. If the drive is encrypted, however, a static image captures only ciphertext; in that case a live acquisition of the mounted (decrypted) volume, and of RAM, which may still hold the encryption key, should be considered before the machine is powered down.

Rules of Thumb:

A rule of thumb is a best practice that helps ensure a favourable outcome when applied. For digital forensics investigations the guiding rule is: “the better the quality of the evidence, the better the analysis and the likelihood of solving the crime”.

  1. Do not work on the original digital evidence. Work on a bit-stream image of the suspect drive or file to examine the static data.
  2. Always produce two copies of the original media. The first is the working copy used for analysis. The second is the library/control copy, stored for disclosure purposes or in the event that the working copy becomes corrupted.
  3. If performing drive-to-drive imaging, copy onto clean media: forensically wiped drives or new, shrink-wrapped ones.
  4. Once the original media has been duplicated, verify the integrity of each copy against the original by comparing hash values.
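As an added example (not code from this page or from any of the tools it names), the following Python script ties together the acquisition and verification process described above, the numbered acquisition steps, and the rules of thumb: it wipes the target media, makes a bit-stream copy of a constructed sample “drive” into a working copy and a library copy, records a CRC32 per 64-sector chunk alongside MD5, SHA-1 and SHA-256 digests of the whole media (the same layered scheme the EnCase format uses), re-verifies the source and both copies, and then shows how the per-chunk checksums localise a single flipped byte. All file names are assumptions and the sample data is constructed; on a real case the source would be a write-blocked device such as /dev/sdb.

```python
# Added example: minimal forensic imager with EnCase-style layered verification.
# Not from the page or any named tool; file names are assumptions, data is constructed.
import hashlib
import os
import tempfile
import zlib
from typing import Dict, List, Optional, Tuple

SECTOR = 512
CHUNK = 64 * SECTOR          # EnCase default chunk: 64 sectors = 32 KiB


def sanitize_target(path: str, size: int) -> None:
    """Step 3: overwrite the destination with zeros so stale data from an
    earlier case cannot be mistaken for evidence.  (A real target drive
    would be wiped end to end with a dedicated wiping tool.)"""
    with open(path, "wb") as f:
        f.write(b"\x00" * size)


def acquire(source: str, targets: List[str]) -> Dict:
    """Step 7: bit-stream copy of `source` into every path in `targets`
    (working copy and library copy), hashing while the data streams past.
    Returns a manifest: one CRC32 per chunk plus whole-media digests."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    crcs: List[int] = []
    size = 0
    outs = [open(t, "wb") for t in targets]
    try:
        with open(source, "rb") as src:
            while True:
                chunk = src.read(CHUNK)
                if not chunk:
                    break
                for h in (md5, sha1, sha256):
                    h.update(chunk)
                crcs.append(zlib.crc32(chunk))        # unsigned in Python 3
                size += len(chunk)
                for out in outs:
                    out.write(chunk)
    finally:
        for out in outs:
            out.close()
    return {"size": size, "chunk_size": CHUNK, "chunk_crc32": crcs,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "sha256": sha256.hexdigest()}


def verify(image: str, manifest: Dict) -> Tuple[bool, Optional[int]]:
    """Step 9 / rule 4: re-hash `image` against its manifest.  The whole-media
    SHA-256 says *whether* anything changed; the per-chunk CRC32s say *where*
    (index of the first mismatching chunk, or None).  A truncated image fails
    because its missing chunks hash as empty; extra trailing data also fails."""
    sha256 = hashlib.sha256()
    bad: Optional[int] = None
    with open(image, "rb") as f:
        for index, expected in enumerate(manifest["chunk_crc32"]):
            chunk = f.read(manifest["chunk_size"])
            sha256.update(chunk)
            if bad is None and zlib.crc32(chunk) != expected:
                bad = index
        if f.read(1):                                  # image longer than recorded
            return False, bad if bad is not None else len(manifest["chunk_crc32"])
    ok = bad is None and sha256.hexdigest() == manifest["sha256"]
    return ok, bad


def demo() -> Dict:
    """Constructed sample run: a 200 KiB fake 'drive' (deliberately not a
    multiple of the chunk size), two copies, then one flipped byte."""
    work = tempfile.mkdtemp(prefix="acq-")
    evidence = os.path.join(work, "suspect_disk.raw")  # stands in for /dev/sdb
    working = os.path.join(work, "working_copy.dd")
    library = os.path.join(work, "library_copy.dd")
    pattern = bytes(range(256)) * 800                  # 204 800 bytes -> 7 chunks
    with open(evidence, "wb") as f:
        f.write(pattern)

    for target in (working, library):                  # step 3
        sanitize_target(target, len(pattern))
    manifest = acquire(evidence, [working, library])   # step 7, rule 2
    results = {                                        # step 9, rule 4
        "chunks": len(manifest["chunk_crc32"]),
        "source_ok": verify(evidence, manifest)[0],    # original left untouched
        "working_ok": verify(working, manifest)[0],
        "library_ok": verify(library, manifest)[0],
        "sha256": manifest["sha256"],
    }

    offset = 3 * CHUNK + 17                            # corrupt one byte in chunk 3
    with open(working, "r+b") as f:
        f.seek(offset)
        original = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([original ^ 0xFF]))
    results["tampered_ok"], results["bad_chunk"] = verify(working, manifest)
    return results


if __name__ == "__main__":
    print(demo())
```

Running it reports seven chunks, all three verifications passing, and then the tampered working copy failing with the mismatch pinned to chunk 3, which is exactly what the library copy exists for. The manifest is what would be recorded on the chain-of-custody form; keeping the SHA-256 next to the MD5 and SHA-1 values means the image can still be matched against reports from older tools while resting on a hash that is not collision-broken.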

Commonly used Data Acquisition and Duplication tools (Hardware):

  1. Ultrakit
  2. Forensic Falcon
  3. Atola Insight Forensic
  4. XRY Office
  5. T3iu Forensic SATA Imaging Bay
  6. Cellebrite UFED Touch & UFED Pro series, etc.

Data Acquisition and Duplication tools (Software):

  1. EnCase Forensic
  2. Forensic Toolkit (FTK)
  3. X-Ways Forensics
  4. ProDiscover Forensic
  5. MacQuisition
  6. Magnet RAM Capture
  7. RAID Recovery for Windows
  8. DriveSpy
  9. F-Response Imager
  10. Forensic Replicator
  11. R-Drive Image, etc.

Forensic investigators can also use the built-in Linux imaging tools, in particular the dd command, to copy a drive sector by sector; forensic derivatives such as dcfldd (listed above) extend dd with on-the-fly hashing and more robust handling of unreadable sectors [1].

References:

  1. CHFI Module 4, “Data Acquisition and Duplication”.
  2. “Data Acquisition from electronic evidence” [Online] (http://www.computerforensicsspecialists.co.uk/blog/data-acquisition-from-electronic-evidence). Accessed 23 July 2018.
  3. “How does data acquisition work” [Online] (https://www.digitalforensics.com/digital-forensics/data-evidence-acquisition). Accessed 23 July 2018.