Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
hi and welcome to everyday digital forensics. I'm your also Sunday said, And in today's mantra, we're gonna go over image acquisition.
So in this video, we're gonna go into some concepts that you may have seen before. This is a recap before we jump into the demos. So we're gonna talk about the digital investigation process. Some general guidelines are data accusation,
tools and methods for acquisition and then our live and dead accusations.
So what is a digital investigation?
Did your investigation focuses on some type of digital device that has, um, involved in a crime or an incident?
So the device could typically and be involved in a physical crimes such as Surcin, or was
at a GPS location point or has executed some malicious digital attacks, such as pushing out a worm or remote, that stopping into a machine that you don't have authorizations into?
And then what are the five steps in a digital investigation?
Our first up is identification. This is where we identify the type of evidence, and if it's relevant to the crime, validate that the evidence is available and functional. So a cell phone that's broken you can turn on you can't access any of the memory spaces is not a viable functional
item to search for evidence and then any of the friends dictator you have, you must verify the integrity off that data.
Our preservation is preserving the state of the digital crime and reducing the amount of evidence that may be overridden. So duplicate copies of the original image is highly recommended. Before performing the analysis,
then our collection is using this imaging, such as their life and dead acquisition processing, will create a collection of the devices and the images. And then the data must be preserved to be able to be considered in the court of law.
Then we have the analysis phase in our rented digit investigation. This is where we define generic characteristics of the object for what you're searching for,
and then look for that object in a collection of data.
Using this, we are able to collect evidence to support and disprove our publicists. Lastly, we have reporting, So reporting is a documentation of all actions from those that you wanted to do. A timeline of the analysts efforts, your train of custody, anything that revert and help someone
to reproduce your efforts
is part of the reporting,
So your problem data acquisition is
opposition is the process of securing an image for later examination. This process involves using a right block media either hardware software to ensure that there's no change of the evidence during the accusation portion. So you may be create an image off a devised. But if it's live and they're still processes running,
you won't fully get the state of the digital crime.
The goal of forensic accusations to create a forensics copy of the piece of media that suitable for as evidence in the court of all that preserves the state of the crime scene.
Sorry data accusation process takes one bite from the original storage to the destination storage that repeats for the next fight.
These trunks are typically in 152 bites, which is the size of sector size
that are transferred each side on. When you're performing the accusation, it is possible that during errors you made
be writing zeros instead of the actual data.
Let's say this is our source storage,
and we want to create the same image here,
so we're in the copy one bite
at a time
over to our destination.
Now a quick review. One bite is eight bits, so we're not just taking one of these values were taking this whole set of values,
and then one bite is equal to eight bits, and as we go down the chain of conversion, we can always take
our bites are kilobytes or megabytes and our gigabytes of data and transfer that over.
So now let's do the first set. We'll take
our values in our first offset of eight bits and copy that bite over. Now we'll do it for the next and following down the path as we copy by part, fight over to the new section on. So we've copied
I did little sections just to display the conversion, but typically you do this sector size, which is 152 and trying to relate over at once.
So some accusation tools. You have a right blockers. Do you have both the hardware and a software? Our software is more of a right of the system, as a hardware is. Anything
that's connecting to the device prevents a system from writing, so there's different levels of bright blockers. You have both your hardware and software. Some examples of accusation tools is your F Take a imager.
You can actually create this images of different formats. Using that tool autopsy allows you to fate
images is as well as examining the image itself or other data sources,
and then X ways is another tool.
So to perform tests on these common accusation tools, we have the National Institute of Standards and Technology, and I asked he
that will perform these different tests on the new tools as they come out to ensure that their meeting the standards
and then there's a project within, and I see that is set to develop requirements and test cases for these digital images. So these tools are used within the professional Rome, and they're actually tested by N i S T.
So live versus dead accusation. Your life accusation is performed on the operative system. So this is with the assistance of the operating system. You have data flowing. You have your network traffic, your volatile memories such as your round, anything. That's if something is being written on the file. You have you have temporary files that are actually also be ridden.
So you're performing the investigation on these suspects machine the machine is on, and a wrist is that an attacker could have modified the operating system or other fouls to generate false stated during the acquisition. So
because you have that live network signal, there's always the off chance that as you perform the accusation, someone is
has access to the machine that is
de leaving or modifying the data,
and it's that accusation You have a system, as is issue with this is it's an additional process to get volatile memory of the last state of machine, as you'd have to go directly to the trips themselves.
So I hope you enjoyed today's video as we went over the digital investigation process.
Talked about some of the general guidelines in your in your friend six investigation process
when over data accusation and some of the tools and methods for your accusations and then talk about the difference between dead and alive acquisitions. So for this module, we're gonna be using a lot of the cyber dad I t labs in order to create images using some of the different tools that we talked about. So one of the tools is gonna be Rdd
command line tool.
Another one would be after Kate Imager, and then our third demo would be according of all time memory, using that memory extraction. Love Hope you enjoyed today's video and I'll catch the next one.
Computer Investigations and Forensic Lab: Creating an Image with DD
Image Forensics Capstone Lab: Creating an Image with FTK Imager
Memory Extraction and Analysis Lab: Acquiring Volatile Memory
Android Operating System