Data Acquisition Part 1

Video Transcription
Hey everyone, welcome back to the course. In the last module we talked about hard disks and file systems. So again, we just kind of took that 10,000-foot view of hard disks and file systems so you could understand the components of that.
In this video, we're gonna start off our discussion on data acquisition.
So just a quick pre-assessment question: the dd command is used in Microsoft Windows to acquire data. Is that gonna be true or false?
If you guessed false, you are correct. So the dd command is actually used in Linux. We'll talk about that a little later on.
So data acquisition. Basically, as the name implies, we're trying to extract the information, or obtain the information, and then we always want to create a copy of it, right? We want to create a copy. We'll talk about different types of copies a little later on as well.
We get all that information, we analyze it, and then, of course, we want to be able to present it in a court of law. So the data acquisition process is very important in that aspect, right? If we acquire the data incorrectly, or if we don't make copies, if we don't maintain our chain of custody, then generally speaking it's not gonna be admissible in a court of law, right? And that's the end game, right? Whether civilly or criminally, we want to be able to have that evidence to prove our case. Or, if we're working as an investigator, to prove the case for our prosecution.
The different types of data acquisition we have are live and static acquisition. We'll talk about each one of those in just a little bit.
Live acquisition. So this could be used to acquire volatile data, right? We talked about that a little bit in module one, the difference between volatile and non-volatile, and I also gave some examples as well. So things like your RAM, system time, processes, command history, you know, driver information, etcetera, etcetera.
That type of stuff is gonna be volatile data. So that's the information that we want to get, because if we turn off the device or if power's cut to the device, then that data goes away, right? So we can't acquire it.
So, speaking of a powered-on device, keep in mind that aside from just being at the screen where you could just look at it, it might also be locked, or it also might be in sleep mode, so just keep that in mind as well.
Now we would also use a live acquisition in a situation where someone's got an encrypted drive, if we know the passphrase or password, or the person's already logged into it, where they've got the drive decrypted at that particular point in time. So we obviously would not be doing an acquisition just to get an encrypted drive, right? We're not gonna just get a bunch of encrypted information, because it doesn't help us at all.
So there's no point in that. But if we know the passphrase, if we know the password, or, you know, the suspect is already logged into stuff and we can acquire it, then we would do the live acquisition.
So along the lines of volatile data collection: of course, we want to plan ahead. We want to establish a trusted command shell so we can get at the information. Then the transmission and storage method: we want to consider what we're gonna be grabbing that information with, right? Are we doing it remotely? And, you know, the storage method, right? How are we storing this stuff? How are we securing it?
We also want to maintain integrity, right? So the hashing aspect, to maintain integrity and say, yes, this is the information we got.
Also record the date, time and command history as part of the chain of custody documentation. Again, the chain of custody, and then reporting the information that we've acquired.
Static acquisition. So, obviously, this is our data, as we talked about in module one, this is our data that if we turn the power off, it's still around, right? So USB, our slack space, swap file, et cetera, et cetera.
You'll generally see this in police seizures. But keep in mind that police can also, you know, do live acquisition, right? If the suspect has the device on when the police seize it, then guess what? Live acquisition.
So media sanitization.
The main thing to remember here is actually taking a look at NIST SP 800-88, which talks about media sanitization. But keep in mind clear, purge, destroy. Basically, we're trying to wipe all the information off a particular medium, right? So, like your hardware component, whatever the case might be, we want to wipe all the data off there.
Based on, you know, who you work for, for example, let's say you work with classified information, there's different protocols. If, you know, you're just using a general workstation, if you're a private sector employer that doesn't have any real proprietary information on it, you know your process is going to be different than if it's, like, say, you're the CIA, right? So just keep that in mind. NIST SP 800-88 is definitely something you want to take a look at for the exam.
So different types of data acquisition formats. We've got raw, proprietary, and then also AFF. We'll talk about what that is in just a moment.
So raw. Basically here, this is, again, as the name implies, that raw data, right? So it creates simple sequential flat files. You definitely want to memorize that for your exam.
Fast data transfers. It's also the universal acquisition format for most tools that are out there, and it's also the most common one that people use. Now, a couple of things to keep in mind as kind of a downside: it requires the same disk space, or more disk space, as the original disk where the data sat.
And then also different free tools might not actually collect marginal sectors. So keep that in mind as well. If you're not using a proprietary tool, you may be missing stuff with the raw format.
Speaking of proprietary. So proprietary, as the name implies, is something a company owns, right? Somebody owns this stuff. They created it, they developed it, they sell it, or they didn't develop it but anyway they bought it and they sell it.
So here we have the option to compress the image files of a suspect drive. You know, also data integrity checks, so hashing is built in. We can split the image up. We can, you know, integrate metadata, so things like our date and time.
A couple of downsides, right? Since it's proprietary, the inability to share images between tools. Now, some of them will work together, but some of them don't. So just keep that in mind.
And also file size limitations, based on that particular vendor.
AFF, Advanced Forensic Format. So this one's actually open source, and it does incorporate metadata. There's also no size limit on the disk image format, so keep that in mind. These are just some examples of what we could use.
So in this video, we talked about different types of data formats. We also talked about generalized information on data acquisition, as well as live versus static acquisitions.
In the next video, we're gonna talk about data collection and the different types of data collection we can do.
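The pieces the video lists, a raw dd acquisition, hashing to maintain integrity, a trusted-shell volatile data grab, and a chain-of-custody log with date, time and command, written out as one added shell example. This is not course material or the instructor's code; it assumes a POSIX shell with dd and sha256sum (or shasum -a 256), the EXAMINER variable is a placeholder for whoever is doing the acquisition, and the device paths in the usage comment are illustrative. The conv=noerror,sync handling is the fix for the "marginal sectors" problem mentioned for raw images.

```shell
#!/bin/sh
# Added example, not from the course: raw (dd) acquisition with hash
# verification and a chain-of-custody log, plus a small volatile-data grab.
# Assumes a POSIX shell, dd, and sha256sum (or shasum -a 256).
# EXAMINER is a placeholder name for the person doing the acquisition.
set -u

# Hex SHA-256 of a file, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append one chain-of-custody line: UTC timestamp, examiner, action.
coc_log() {
    log="$1"; shift
    printf '%s | %s | %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${EXAMINER:-unknown}" "$*" >> "$log"
}

# Raw acquisition of SRC into image DST, everything logged to LOG.
# conv=noerror,sync makes dd keep going past unreadable (marginal)
# sectors and zero-fill them, so the image stays the same size as the
# source instead of silently stopping at the first read error.
# bs must divide the source size (use the sector size, 512 or 4096):
# with conv=sync a short final block is zero-padded and the image hash
# will no longer match the source hash.
acquire_raw_image() {
    src="$1"; dst="$2"; log="$3"
    coc_log "$log" "START raw acquisition $src -> $dst (dd bs=512 conv=noerror,sync)"
    src_hash=$(sha256_of "$src")
    coc_log "$log" "source sha256 $src_hash"
    if ! dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log"; then
        coc_log "$log" "FAIL dd exited non-zero"
        return 1
    fi
    dst_hash=$(sha256_of "$dst")
    coc_log "$log" "image sha256 $dst_hash"
    if [ "$src_hash" = "$dst_hash" ]; then
        coc_log "$log" "VERIFIED image hash matches source"
        return 0
    fi
    # A mismatch means bad sectors were zero-filled or the copy is corrupt;
    # either way it is recorded in the log, never hidden.
    coc_log "$log" "MISMATCH image hash differs from source"
    return 1
}

# Live collection: run each command, save its output, and hash it right
# away so the log shows what was captured and when. Most volatile first.
collect_volatile() {
    outdir="$1"; log="$2"
    mkdir -p "$outdir"
    coc_log "$log" "START volatile collection into $outdir"
    for cmd in "date -u" "uname -a" "id" "env"; do
        name=${cmd%% *}
        if command -v "$name" >/dev/null 2>&1; then
            $cmd > "$outdir/$name.txt" 2>&1
            coc_log "$log" "captured '$cmd' sha256 $(sha256_of "$outdir/$name.txt")"
        else
            coc_log "$log" "skipped '$cmd' (not found)"
        fi
    done
    coc_log "$log" "END volatile collection"
}

# Usage on a real device (run as root, image written to separate evidence media;
# paths are illustrative):
#   EXAMINER="J. Doe" acquire_raw_image /dev/sdb /mnt/evidence/sdb.dd /mnt/evidence/coc.log
#   collect_volatile /mnt/evidence/volatile /mnt/evidence/coc.log
```

Two points worth noticing when you run it: the source and image hashes are both written to the log before the comparison, so a mismatch leaves a record rather than a silent failure, and feeding it an unaligned input shows the zero-padding caveat directly, since the image comes out larger than the source and the hashes differ.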