
A small write up on Data acquisition



babloo
12-09-2011, 11:50 PM
Hi, please find the write up here (http://blog.pardhasaradhi.info/2011/12/a-look-at-digital-acquisition/). Your feedback is important :)

abhaythehero
12-10-2011, 06:30 PM
Very nice and useful writeup.

Know very little about this, but would like to suggest that an illustration of the dd command for acquisition would also have been nice. (Although I suspect that it is not used much now and has been replaced by tools.)
Also how the sterilization process is done for the storage medium of the forensic image .. I think one has to compulsorily make all the bits of the HDD zero, as manufacturers of a new storage medium won't guarantee that. That was done by some Linux utility also .. I don't seem to remember it.

Thanks for the post :) Hope you all make such a detailed one for analysis by Autopsy.

babloo
12-13-2011, 10:41 AM
Hi abhay

If you see the post clearly, I have explained a tool called AIR, where you can use the tool to wipe the drive / zero imaging, which means overwriting the disk. You are absolutely correct, dd is a famous tool till now, but most of these GUI tools are developed on dd and its advancements like dc3dd and more, so I didn't concentrate on explaining the dd tool.

For the analysis part, I have a couple of lists in my pocket; let me complete them one by one :)

Hope you people see these posts as informative and helpful.

Hackuin
12-20-2011, 01:50 PM
Zeroing a disk with software is a tiring job. Had a very bad experience with dd/EnCase.

However, the Tableau TD1 Forensic Duplicator (http://www.forensicpeople.com/products.asp?tProductGroupId=1&tProductId=11) got the job done a little quicker, almost 50% faster.

neo
12-22-2011, 05:15 PM
Nice writeup Babloo... FTK Imager is covered in great detail.

AnArKI
12-22-2011, 06:40 PM
Great writeup mate...... the last time I dealt with some system forensics was some 3 years back.... great fan of FTK, especially love their file carving features and Rainbow Crack integration.... now back to the topic.... about acquisition, is it recommended to go for imaging using software or hardware write blockers..... which mode would be acceptable in a court of law....

babloo
12-23-2011, 01:54 PM
Thanks all.

Hackuin: Zeroing the disk using hardware really reduces the timeline while imaging, but funds always matter ;)

AnArKI: The main thing courts look into is that data shouldn't be tampered with; whether you use hardware / software really doesn't matter for courts, but as a forensics expert you should assure them of data integrity and availability. While you use software, sometimes it's really a big challenge to make the image without any changes to the disk. For live images these software tools are really good.

My preference would be for hardware write blockers; though I didn't use them, the process seems to be pretty safe.
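The dd-based acquisition abhaythehero asked about, together with the target sterilization and the integrity hashing that the court question above turns on, as an added example that is not from the blog post or any participant in this thread. It works on constructed files standing in for block devices so it runs without real hardware; the tool names (dd, sha256sum, tr, wc, awk from GNU coreutils or busybox) and the sidecar file name `image.sha256` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the blog's or the thread's code): dd acquisition workflow on
# constructed files in place of block devices, so it runs without real hardware.
# Assumed tools: dd, sha256sum, tr, wc, awk, cut (GNU coreutils / busybox).

# Zero-fill a target of size_mb MiB, then prove every byte is zero by stripping NULs
# and counting what is left. Returns non-zero if any non-zero byte survives.
sterilize_target() {
    target="$1"; size_mb="$2"
    dd if=/dev/zero of="$target" bs=1048576 count="$size_mb" 2>/dev/null || return 1
    [ "$(tr -d '\000' < "$target" | wc -c)" -eq 0 ]
}

# Raw-copy source to image. conv=noerror,sync keeps reading past I/O errors and pads
# the unreadable block with zeros; it also pads a final partial block, so hashes only
# match when the source is a whole number of blocks (true for real disks).
# Both hashes are recorded beside the image (assumed .sha256 sidecar) for custody records.
acquire_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf 'source %s\nimage %s\n' "$src_hash" "$img_hash" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Re-hash the image later and compare with the hash recorded at acquisition time;
# any change to the image since then makes this fail.
verify_image() {
    img="$1"
    recorded=$(awk '$1=="image"{print $2}' "$img.sha256")
    [ -n "$recorded" ] && [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$recorded" ]
}

# Demo on a constructed 1 MiB "evidence drive" filled with random bytes.
demo() {
    dir=$(mktemp -d)
    dd if=/dev/urandom of="$dir/evidence.raw" bs=1048576 count=1 2>/dev/null
    sterilize_target "$dir/target.raw" 2 && echo "target sterile"
    acquire_image "$dir/evidence.raw" "$dir/evidence.dd" && echo "image hash matches source"
    verify_image "$dir/evidence.dd" && echo "image still matches recorded hash"
    rm -rf "$dir"
}

demo
```

On real media the same functions take device paths (for example the write-blocked source as `src` and a sterilized destination as `target`); the sterilization check reads the whole target back, which is what makes it slow on large drives.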