Data Acquisition Part 1

Video Activity

Time
17 hours 41 minutes
Difficulty
Beginner
CEU/CPE
18
Video Transcription
>> Hey everyone, welcome back to the course. In the last module, we talked about hard disks and file systems. Again, we just took that 10,000-foot view of hard disks and file systems so you can understand the components of them. In this video, we're going to start off our discussion on data acquisition.

Just a quick pre-assessment question. The dd command is used in Microsoft Windows to acquire data. Is that going to be true or false? If you guessed false, you are correct. The dd command is actually used in Linux, but we'll talk about that a little later on.

Data acquisition. Basically, as the name implies, we're trying to extract the information or obtain the information. Then we always want to create a copy of it. We want to create a copy, and we'll talk about different types of copies a little later on as well. We get all that information, we analyze it, and then of course we want to be able to present it in a court of law. Now, the data acquisition process is very important in that aspect. If we acquire the data incorrectly, or if we don't make copies, if we don't maintain our chain of custody, then generally speaking, it's not going to be admissible in a court of law. That's the end game. We want to get there civilly or criminally. We want to be able to have that evidence to prove our case, or if we're working as an investigator, prove the case of our prosecution.

Then different types of data acquisitions. We have live and static acquisition; we'll talk about each one of those in just a little bit.

Live acquisition. This is going to be used to acquire the volatile data. We talked about that a little bit in Module 1, the difference between volatile and non-volatile. I also gave some examples as well. Things like your RAM, system time, processes, command history, driver information, etc. That type of stuff is going to be your volatile data. That's the information that we want to get, because if we turn off the device or if power is cut to the device, then that data goes away, so we can't acquire it. Speaking of powered on, aside from just being at the screen where you can just look at it, the device might also be locked or it might be in sleep mode. Just keep that in mind as well.

Now, we would also use live acquisition in a situation where someone's got an encrypted drive, if we know the passphrase or password, or the person's already logged into it where they've got the drive decrypted at that particular point in time. We obviously would not be doing a live acquisition to get an encrypted drive. We're not going to just get a bunch of encrypted information, because that doesn't help us at all. There's no point in that. But if we know the passphrase, if we know the password, or the suspect is already logged into stuff and we can acquire it, then we would do a live acquisition.

Along the lines of volatile data collection, of course, we want to plan ahead. We want to establish a trusted command shell so we can get that information. A transmission and storage method: we want to consider what we're going to be grabbing that information with, if we're doing it remotely, or the storage method. How are we storing the stuff? Are we securing it? How are we securing it? We also want to maintain integrity, so the hashing aspect, to maintain integrity and say, yes, this is the information we got. Also, recording the date, time, and command history is part of a chain of custody. Documentation, again, the chain of custody, and then reporting the information that we've acquired.

Static acquisition. Honestly, this is our data as we talked about in Module 1; this is our data that if we turn the power off, it's still around, so our USB, our slack space, swap file, etc. Now you'll generally see this in police seizures, but keep in mind that police can also do live acquisition. If the suspect has their device on and the police see it, then guess what? Live acquisition.

Media sanitation. The main thing to remember here is actually to take a look at NIST SP 800-88, which talks about media sanitation. But keep in mind clear, purge, destroy. Basically, we're trying to wipe all the information off a particular media, like your hardware component, whatever the case might be; we want to wipe all the data off there. Based on who you work for, for example, let's say you work with classified information, there's different protocols than if you're just using the generalized workstation. It's your private sector employer that doesn't have any real proprietary information on it. Your process is going to be different than if it's like the NSA or CIA. Just keep that in mind. NIST SP 800-88 is definitely something you want to take a look at for the exam.

Different types of data acquisition formats. We've got raw, proprietary, and then also AFF, which we'll talk about in just a moment.

Raw. Basically here, this is, again as the name implies, raw data. It creates simple sequential flat files. You'll definitely want to memorize that for your exam. Fast data transfers. It's also considered the universal acquisition format for most tools that are out there. It's also the most common one that people do. Now, a couple of things to keep in mind as a downside: it requires the same disk space or more disk space as the original disk or data set. Then also, different free tools might not actually collect marginal sectors. Keep that in mind as well. If you're not using a proprietary tool, you may be missing stuff with raw formatting.

Speaking of proprietary, proprietary, as the name implies, is somebody owns this stuff. They create it, they develop it, they sell it. They may not develop it, but anyway they buy it and they sell it. Here, we have the option to compress image files of a suspect drive. Also data integrity checks, so hashing is built in. We could split the image up, we can integrate metadata, so things like our date and time. A couple of downsides. Since it's proprietary, the inability to share images between tools. Now, some of them will work together, but some of them don't, so just keep that in mind. Also file size limitations based on the particular vendor.

AFF, Advanced Forensic Format. This one is actually open source. It does incorporate metadata, and there's also no size limit on disk-to-image formatting. Keep that in mind. These are just some examples of what we could use.

In this video, we talked about different types of data formats. We also talked about some generalized information on data acquisition, as well as live versus static acquisitions. In the next video, we are going to talk about data collection and different types of data collection we can do.