Data Acquisition Part 2

Video Activity

Time
17 hours 41 minutes
Difficulty
Beginner
CEU/CPE
18
Video Transcription
00:01
Hey, everyone, welcome back to the course. So in the last video we talked about different types of data acquisition formats, as well as talking about live versus static acquisition.
00:10
So in this video, we're going to talk about some data collection.
00:15
So there are different forms of data collection we can do: disk-to-image, which is the most popular one, disk-to-disk, logical, and sparse. We'll talk about each one of those.
00:24
So disk-to-image. This is essentially our bit-to-bit replication, or bit-by-bit replication. So basically, we're getting all the information, right? Every single bit, we're replicating. That's very time consuming and also takes a lot of memory, so just keep that in mind. Based on what you're trying to acquire, this may not be the best format for you, right?
00:43
There are some different tools that can do it: EnCase, The Sleuth Kit, X-Ways Forensics, ProDiscover, etcetera, etcetera. Again, there are a ton of tools that may be mentioned on the CHFI exam if you decide to take it. So my best recommendation to you is to figure out the particular area, for example, like data acquisition, you know,
01:02
dynamic malware analysis,
01:03
static malware analysis, network forensics. Just learn the most common tools that are in use,
01:08
and that should help you significantly with the exam.
01:14
Disk-to-disk. So, for example, if we're using older software or hardware, this is probably the best way to do it, or at least one of the
01:22
most common ways, I would think, based on older hardware or software. So, for example, if we're trying to do something like DOS, we might not be able to get a copy because of compatibility issues. So just keep that in mind as well. Now, sometimes criminals do use older software in the hopes that nobody remembers it, right? Well, not remembers it, but
01:41
in the hopes that nobody has skill with it these days to be able to get the data from it. So
01:45
keep that in mind: if you decide to work as an investigator, you might actually see that, you know, different types of criminals may be using very, very old software.
01:56
A couple of tools we could use are EnCase from Guidance, and X-Ways Forensics. Most of the proprietary tools could be used for multiple aspects of an investigation, so not just data acquisition, but other things as well, so you'll see a lot of the names over and over again throughout the course. But keep in mind that they may not necessarily be the ones
02:15
that you may see tested on the exam.
02:16
So just, again, my recommendation on that aspect is: learn each type of thing you're going to do, and learn the most common tools for it. Right? So again, I use the example of, like, malware:
02:28
learn the common tools for dynamic analysis versus, you know, static analysis,
02:32
network forensics, database forensics, etcetera. So just keep all that in mind for the exam.
02:39
Logical acquisition. So you'll see this more commonly in, like, eDiscovery. So, for example, the attorney comes to you and says, okay, you know, I want all the Microsoft Outlook email files. Right? So you go in and you collect only the PST files, and, here you go, attorney, there you go. Even though you might know, as an investigator, like, we really should check these other spots, the attorney's like, I don't care,
03:00
I just want these ones.
03:01
And then also, another example, there's like RAID. So, for example, we just want, like, very specific records instead of copying the entire RAID drive. We just want certain records off it.
03:12
Sparse acquisition is very similar to a logical one, the only difference here being that this one collects fragments of unallocated data, whereas logical doesn't necessarily do that.
03:23
So dd. We have seen this in our pre-assessment question. dd is, again, a Linux command. It stands for data dump, if you want to impress your friends, and basically, this one is designed for data management, right? So it's not the greatest forensic tool, but it can be good to get some information, right? So it produces in a raw format.
03:42
It's not very user friendly,
03:44
which is when dcfldd came out. So this one adds some more features, like the ability to log errors,
03:51
hashing ability,
03:52
the ability to split the data acquisition into segmented volumes, and also the ability, with the hashing, to verify the acquired data against the original disk.
04:02
So, different tools that we could use. Again, this is not an all-inclusive list. These are some of the ones that are kind of the most common ones in the material, so I would definitely just make sure you know these: DriveSpy, ProDiscover Forensics, AccessData FTK Imager, F-Response, SafeBack, and some more.
04:20
Just a couple of post-assessment questions. So question number one: the dd command allows you to log errors. Is that going to be true or false?
04:30
All right. If you said false, you are correct. So the actual answer here is going to be that the dcfldd command is the one that allows you to log errors. If you remember, the dcfldd command had some more features, and one of those is the ability to log errors.
04:47
Question number two here: we would use a logical acquisition for a RAID server where the RAID server was too large to make a full copy. Is that going to be true or false?
04:59
All right, so we know that was going to be true, right? Because we had talked about that with logical acquisition, that one of the aspects we could do on a RAID server is we could just take the information that we actually need.
05:09
So in this video, we wrapped up our discussion on data acquisition,
05:13
and we talked about data collection
05:15
In the next video, we're going to go over a lab
05:16
where we're going to capture an image and also just analyze it.