Data Acquisitions

00:00

hi and welcome to every day. Did your forensics. I'm your host, just sending, he said. And in today's module of digital Discovery, we're gonna go over data acquisitions.

00:10

So what is the date? Our position. This is the process of securing an image for later examination.

00:16

The process usually involves taken a right bocker on the media to ensure that there's no changes of evidence that result from the acquisition process.

00:25

So in the event that you're performing a data acquisition, you'll have a right blocker device. It could either be a hardware or software that prevents anything from being written or created on the suspects machine as you're performing investigation. This helps preserve the state at which the device is at the point of the digital crime scene.

00:43

The overall goal of forensics data acquisition is to create a forensic copy of a piece of media

00:48

that is suitable for use in the court of law.

00:53

So what are the types of data acquisition

00:59

We have Live versus debt acquisition.

01:03

So in today's video, we're going to review the acquisition process. Talk about some of the common accusation tools,

01:10

talk about some direct versus bios access that can be used during organization and then the differences between the Live versus Dead Accusation.

01:19

The general accusation process typically involves copying one bite from the original storage device to a destination storage. Then we'll go ahead and repeat for the next bite, and then we'll continue this process until we've copied the original

01:30

to the destination.

01:33

The acquisition process typically works in chunks of 152 bites, which is the size of a sector,

01:38

and these are the amount of data. This is the amount of data that's typically transferred each time

01:44

there is in the event that tools may encounter marriage when performing eggs. Accusation.

01:48

Therefore, zero is typically read it into the destination drives. This is a common occurrence if anything had occurred during the accusation. So if you're performing investigation and you see nothing but zeros,

02:00

it could be that the error had occurred.

02:04

Some of the accusation tools when performing are your right blockers. You have your hardware in yourself or tools.

02:09

Some examples of accusation tools is FCK imager, autopsy and ex way forensics.

02:15

These also support the analysis off the image after the fact,

02:21

but they can help you create an actual image off a device. There's other tools for accusation. These are just some that I mentioned,

02:29

and then the National Institute of Standards and Technology conducts tests on common accusation tools. So for them to be actually supported in the court of law,

02:39

they have to be properly tracked by and I S t There's also computer forensics tool testing CFT T, which is a project within the

02:50

and I ste

02:52

in which they helped to develop requirements and test cases for these imaging tools.

02:57

One of the methods to access data on a disk

03:02

we have direct and bio access.

03:06

A direct access is typically performed by an operating system or an accusation tool. So some of the tools that you mentioned earlier help our direct access.

03:15

This access the hardware directly, and this tool itself must know the hardware details.

03:22

So in order to perform access via the BIOS, which is basic input output system, this is typically performed by the operative system or an accusation tool that fits this type of access. You access the hard drive via the bios,

03:37

and the BIOS has to be aware of all the hard word details.

03:40

One of the risk of performing this access is you may receive incorrect information about the disc.

03:46

So if the BIOS is configured to believe that this size is eight gigs but actually 12 during your accusation, you're only store the 1st 8 gigs you'll never have access to the remaining for, thus losing some evidence. There's two methods for bios. Checking for decides, but we're not going to get into that.

04:06

It's another difference between live and an accusation.

04:10

Live accusation is what it says were performing accusation on assistance advice. With the assistance of the operative system,

04:16

the suspects system is on. There's processes running, network flowing, information constantly moving. There's a lot of volatile information in a live accusation. So one of the risk is that the attacker could modify the OS or other files to generate false data during the accusation.

04:34

Then there's a Dan accusation. This is performed on a suspect system without the assistance of the operative system. So what does that mean? The systems actually turned off and using hardware and software on a forensics workstation, you're pulling out the image off the device.

04:50

Very minimum ball town information can be retrieved through the debt accusation,

04:58

so in today's lecture, we

05:00

talked about the generic

05:01

accusation process went over. Some common accusation tools and right blockers reviewed the differences between direct versus bios, access and differentiated live versus debt accusation.