Image Acquisitions

00:00

hi and welcome to everyday digital forensics. I'm your also Sunday said, And in today's mantra, we're gonna go over image acquisition.

00:08

So in this video, we're gonna go into some concepts that you may have seen before. This is a recap before we jump into the demos. So we're gonna talk about the digital investigation process. Some general guidelines are data accusation,

00:23

tools and methods for acquisition and then our live and dead accusations.

00:28

So what is a digital investigation?

00:31

Did your investigation focuses on some type of digital device that has, um, involved in a crime or an incident?

00:39

So the device could typically and be involved in a physical crimes such as Surcin, or was

00:44

at a GPS location point or has executed some malicious digital attacks, such as pushing out a worm or remote, that stopping into a machine that you don't have authorizations into?

00:57

And then what are the five steps in a digital investigation?

01:02

Our first up is identification. This is where we identify the type of evidence, and if it's relevant to the crime, validate that the evidence is available and functional. So a cell phone that's broken you can turn on you can't access any of the memory spaces is not a viable functional

01:19

item to search for evidence and then any of the friends dictator you have, you must verify the integrity off that data.

01:27

Our preservation is preserving the state of the digital crime and reducing the amount of evidence that may be overridden. So duplicate copies of the original image is highly recommended. Before performing the analysis,

01:41

then our collection is using this imaging, such as their life and dead acquisition processing, will create a collection of the devices and the images. And then the data must be preserved to be able to be considered in the court of law.

01:55

Then we have the analysis phase in our rented digit investigation. This is where we define generic characteristics of the object for what you're searching for,

02:05

and then look for that object in a collection of data.

02:07

Using this, we are able to collect evidence to support and disprove our publicists. Lastly, we have reporting, So reporting is a documentation of all actions from those that you wanted to do. A timeline of the analysts efforts, your train of custody, anything that revert and help someone

02:27

to reproduce your efforts

02:29

is part of the reporting,

02:32

So your problem data acquisition is

02:36

opposition is the process of securing an image for later examination. This process involves using a right block media either hardware software to ensure that there's no change of the evidence during the accusation portion. So you may be create an image off a devised. But if it's live and they're still processes running,

02:55

you won't fully get the state of the digital crime.

02:59

The goal of forensic accusations to create a forensics copy of the piece of media that suitable for as evidence in the court of all that preserves the state of the crime scene.

03:08

Sorry data accusation process takes one bite from the original storage to the destination storage that repeats for the next fight.

03:16

These trunks are typically in 152 bites, which is the size of sector size

03:23

that are transferred each side on. When you're performing the accusation, it is possible that during errors you made

03:30

be writing zeros instead of the actual data.

03:34

Let's say this is our source storage,

03:38

and we want to create the same image here,

03:43

so we're in the copy one bite

03:46

at a time

03:46

over to our destination.

03:50

Now a quick review. One bite is eight bits, so we're not just taking one of these values were taking this whole set of values,

04:00

and then one bite is equal to eight bits, and as we go down the chain of conversion, we can always take

04:06

our bites are kilobytes or megabytes and our gigabytes of data and transfer that over.

04:14

So now let's do the first set. We'll take

04:15

our values in our first offset of eight bits and copy that bite over. Now we'll do it for the next and following down the path as we copy by part, fight over to the new section on. So we've copied

04:30

everything.

04:31

I did little sections just to display the conversion, but typically you do this sector size, which is 152 and trying to relate over at once.

04:45

So some accusation tools. You have a right blockers. Do you have both the hardware and a software? Our software is more of a right of the system, as a hardware is. Anything

04:55

that's connecting to the device prevents a system from writing, so there's different levels of bright blockers. You have both your hardware and software. Some examples of accusation tools is your F Take a imager.

05:08

You can actually create this images of different formats. Using that tool autopsy allows you to fate

05:14

images is as well as examining the image itself or other data sources,

05:19

and then X ways is another tool.

05:21

So to perform tests on these common accusation tools, we have the National Institute of Standards and Technology, and I asked he

05:30

that will perform these different tests on the new tools as they come out to ensure that their meeting the standards

05:36

and then there's a project within, and I see that is set to develop requirements and test cases for these digital images. So these tools are used within the professional Rome, and they're actually tested by N i S T.

05:51

So live versus dead accusation. Your life accusation is performed on the operative system. So this is with the assistance of the operating system. You have data flowing. You have your network traffic, your volatile memories such as your round, anything. That's if something is being written on the file. You have you have temporary files that are actually also be ridden.

06:12

So you're performing the investigation on these suspects machine the machine is on, and a wrist is that an attacker could have modified the operating system or other fouls to generate false stated during the acquisition. So

06:26

because you have that live network signal, there's always the off chance that as you perform the accusation, someone is

06:33

has access to the machine that is

06:35

de leaving or modifying the data,

06:39

and it's that accusation You have a system, as is issue with this is it's an additional process to get volatile memory of the last state of machine, as you'd have to go directly to the trips themselves.

06:50

So I hope you enjoyed today's video as we went over the digital investigation process.

06:55

Talked about some of the general guidelines in your in your friend six investigation process

07:00

when over data accusation and some of the tools and methods for your accusations and then talk about the difference between dead and alive acquisitions. So for this module, we're gonna be using a lot of the cyber dad I t labs in order to create images using some of the different tools that we talked about. So one of the tools is gonna be Rdd

07:19

command line tool.