Hi, Leo Dregier here. I want to talk to you guys about data acquisition and drive duplication. All right, let’s take a closer look. Acquisition in itself simply stated means to acquire, right? So, in this case we have to acquire evidence of some sort. Uh, what we’re going to be typically working with is hard drives although it’s not limited to that. It can come in any format. It could come in an SD card. It could come in physical media. It could come in, you know something we have to connect to like logically through a, you know a cable of some sort. Uh, but nonetheless, we are going to acquire that data. So, the basic types here that we’re typically going to connect to is either USB or through a serial cable like an RS232 or 45 cable where literally you just plug in the drive, um, and then run your software and then copy it over. Uh, most of us are going to be fluent with how to do this. It’s really no more difficult than is if we were to plug your cell phone into something and then try to copy or, uh, the data over or connect to that device and image it in some sort. So, you need to physically plug it in, and then we can run a program against it like a file transfer program or something to that, to that effect. So, it’s realistically in theory not that difficult at, at all, okay. Some of the major tools that we’re going to use and talk about; you have some of the more popular ones. Of course, EnCase is a proprietary tool, uh, and I always recommend that you have experience with that, but if you don’t have experience with EnCase, then what you need to focus on is just some of the more open source, uh, more popular tools, okay? So, the first one is DriveSpy. This is an easy program for you to use, um, and you can go through it, and it’s relatively self-explanatory, so we’ll look at that. Also, within FTK, there’s uh, an imager component where you can connect to it and import your evidence. So, through the FTK, forensics toolkit open source modules, uh, you should absolutely without a doubt. I always recommend experience with FTK because it’s about as close to EnCase’s that you’re going to get without realistically using EnCase. And people come up to me all the time, and they say, “You know, I can’t afford a copy of EnCase. I just want to play around at home. I want to get an idea of what the tool does.” Forensics toolkit is that answer. It, you, with what you could learn in forensics toolkit, you could almost translate that or superimpose that into an EnCase conversation. So, without further ado, uh, FTK is the way to learn. Uh, and then of course, the DD command. This is a Linux command, and if you haven’t figured it out yet, you’re going to need to know some Linux. Um, a lot of people try to avoid Linux as much as they can, but realistically Linux is your friend. There’s tons of different flavors. Uh, you can download the ISOs, install them on your, your physical machines, and your laptops, and things like that, or you can just run them a virtual machine. So there’s no better way to get used to different operating systems than in the open source world. So, please learn some Linux skills. Um, but specifically, the DD command is a very, very unforgiving tool. It does exactly what you tell it to do, and it does not prompt you: hey are you sure you want to do this? You tell it to do something, you hit Enter, it just does it. So, you actually have to know how to use this tool in a way that’s not going to, you know, saw off your own arm while you’re using it. Other ways in which you can, you know, get access to data or copy data, you could use uh, Netcat. There’s um, a variety of tools that, uh, have a different beginning but ultimately the theme of these tools they have, uh, capital M-A-S-S-T-E-R in the middle of the tool, so we’ll talk about those when we do the hands-on labs. There’s, uh, specific tools like G, GPStamp, or Write PROtect, or, um, Logicube adapter, and things like that. So, literally no shortage of tools in this section; very, very thin on theory because all we’re doing is copying files at the end of the day or duplicating files, uh, but there are a variety of tools in which you can use to accomplish that. So, let’s go ahead and take a closer look at some hands-on examples.
Welcome to Module 9 of the Computer Hacking and Forensics course. This module opens up with a basic definition of Data Acquisition, drive duplication and the various types of hardware where data physically lives.
Then we explore major tools such as the proprietary nCase and the open source tools such as Drive Spy, FTK, what they are and the benefits of using each.
We’ll also discuss why it’s important to learn Linux and mastering many operating systems.
The hands on demonstrations you’ll engage as part of this Data Acquisition module include the following labs:
- Autopsy Sleuthkit Lab
- Diskexplorer FAT Lab
- FTK Imager Lab
- handle Lab
- listdlls Lab
- PMDump Lab
- PromiscDetec Lab
- Runtime Disk Explorer NTFS Lab
- uptime Lab
22 Hours
Included in your plan
Donate Here to Get This Month's Donor Badge
