Forensic Duplication- Every storage medium holds data that may be evidence. For forensic purposes it must be copied in a manner that does not alter any information on the device, and the copy must be verifiable against the original. The common techniques are as follows-
- Logical Backup- It copies the directories and files of a logical volume. It does not capture other data that may be present on the media, such as deleted files or residual data in the slack space of allocated files.
- Bit Stream Imaging- Also known as imaging or cloning, it produces a bit-for-bit copy of the original media, including unallocated space and slack. It can be done disk-to-disk (from the target media to another media) or disk-to-file (from the media into a single logical image file); it requires more storage space and more time than a logical backup.
- Write Blocker- Hardware or software tools that prevent the examination computer from writing to a storage media. The suspect media is connected directly to a hardware write blocker, and the write blocker is then connected to the computer taking the image. A software write blocker is installed on the forensic (examination) computer before the suspect media is connected to it; it is not installed on the suspect computer, whose operating system should never be booted.
- The integrity of the original media must be maintained throughout. After duplication is complete, verify that the copy is an exact duplicate of the original.
- Calculate a cryptographic hash (e.g. SHA-256) of the original media and of the copy; the two values must match, and the value must be recorded so that every later copy can be checked against it.
- The forensic image files (Cyber Check Suite ".p01", EnCase ".e01", or SafeBack ".001/.SFB") must be written as logical files onto brand-new, freshly formatted media or forensically wiped (sterile) media. Such HDDs should be dedicated to evidence storage only.
- A logical file copy of the forensic image files shall be made onto a second brand-new sterile HDD before travelling back to the office, and labelled (e.g. "copy of hard drive ...") using a barcode. If a barcode cannot be used, a serial code carrying the relevant information (unit name, year, case number, etc.) can be used instead.
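The bit-stream imaging and hash-verification steps above, as an added example (not code from the original page or from EnCase, FTK or Cyber Check Suite): a disk-to-file imager that hashes the media as it is read, re-hashes the written image independently, and zero-fills unreadable sectors the way dd conv=noerror,sync does, so the image keeps the media's exact length and the acquisition hash stays meaningful. The names image_media, verify_image and FlakyMedia, and the 4096-byte sample "drive", are constructed for this example; on real media the source would be the block device opened read-only behind a write blocker.

```python
"""Added example: bit-stream (disk-to-file) imaging with on-the-fly hashing,
post-copy verification, and zero-fill of unreadable sectors. Not taken from
the original page or from EnCase/FTK/Cyber Check Suite; the names below are
this example's own."""
import hashlib
import io

SECTOR = 512          # assumed sector size used for salvage reads
CHUNK = 1024 * 1024   # normal read size


def hash_file(path, hash_name="sha256"):
    """Hash a file on disk in chunks (used to re-read and verify the image)."""
    h = hashlib.new(hash_name)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _salvage(src, offset, length, bad_sectors):
    """Re-read a failed chunk one sector at a time. Sectors that still fail
    are zero-filled and their offsets logged, so the image keeps the media's
    exact geometry (the behaviour of dd conv=noerror,sync)."""
    out = bytearray()
    for pos in range(offset, offset + length, SECTOR):
        want = min(SECTOR, offset + length - pos)
        try:
            src.seek(pos)
            data = src.read(want)
        except OSError:
            data = b""
        if len(data) != want:
            bad_sectors.append(pos)
            data = b"\x00" * want
        out += data
    return bytes(out)


def image_media(src, dst_path, hash_name="sha256"):
    """Copy the seekable binary object `src` bit-for-bit into dst_path.

    Returns (acquisition_hash, image_hash, bytes_copied, bad_sector_offsets).
    acquisition_hash is computed over the bytes as they are read from the
    media (zero-fill included) and is the value to record in the case file;
    image_hash is an independent re-read of the written file, so the two
    must match before the image is accepted.
    """
    acq = hashlib.new(hash_name)
    bad = []
    total = src.seek(0, io.SEEK_END)
    src.seek(0)
    copied = 0
    with open(dst_path, "wb") as dst:
        while copied < total:
            want = min(CHUNK, total - copied)
            try:
                src.seek(copied)
                data = src.read(want)
                if len(data) != want:
                    raise OSError("short read at %d" % copied)
            except OSError:
                data = _salvage(src, copied, want, bad)
            acq.update(data)
            dst.write(data)
            copied += len(data)
    return acq.hexdigest(), hash_file(dst_path, hash_name), copied, bad


def verify_image(path, expected_hash, hash_name="sha256"):
    """Check an image, or a later logical copy of it, against the hash
    recorded at acquisition time."""
    return hash_file(path, hash_name) == expected_hash


class FlakyMedia(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable sector, so the
    zero-fill path can be exercised without real hardware."""

    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, n=-1):
        start = self.tell()
        if n is None or n < 0:
            n = len(self.getvalue()) - start
        if start <= self.bad_offset < start + n:
            raise OSError("I/O error reading sector at %d" % self.bad_offset)
        return super().read(n)


if __name__ == "__main__":
    import os
    import tempfile

    media = bytes(range(256)) * 16            # constructed 4096-byte "drive"
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        acq_hash, img_hash, n, bad = image_media(FlakyMedia(media, 1031), image)
        print("copied %d bytes, unreadable sectors at %s" % (n, bad))
        print("acquisition hash:", acq_hash)
        print("image re-hash matches:", acq_hash == img_hash)
        print("verifies against record:", verify_image(image, acq_hash))
```

The acquisition hash is taken over the bytes actually written, zero-fill included, so a drive with bad sectors still yields a hash that the image (and every logical copy made of it later) can be verified against; the list of zero-filled offsets belongs in the case record alongside the hash. Hashing the original a second time on a failing drive is deliberately avoided, since a second pass may read different bytes from marginal sectors.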
Acquiring data from some common devices:
- Hard Drives of Desktops/Laptops- Use forensic software such as Cyber Check Suite, EnCase or FTK to image the drives. Connect the evidence drive through a write blocker so that nothing is written to the seized disk, whether intentionally or accidentally by the forensic computer's OS; the write-protection device sits as an interface between the seized media and the forensic computer.
When the drive cannot be removed (for example an SSD soldered to the board), the entire device is taken into evidence. Boot the suspect computer from a forensic live distribution (such as Helix or LinEn) so that its own operating system never runs, connect it to the forensic computer with a network crossover cable, and acquire the drive over that link with a forensic tool such as EnCase.
- Smartphones- Data such as contact lists, call records, SMS, MMS, GPS data and pictures/videos can be acquired from a phone using software such as Cellebrite or Paraben Device Seizure. When working with a live (switched-on) phone, isolate it from the network (Faraday bag or network jammer) so that incoming traffic or a remote wipe command cannot alter the evidence.
- USB Drives- They can easily be imaged by connecting them to a forensic machine; a hardware or software write blocker must be used to preserve data integrity.
- Digital Cameras- The internal memory as well as the memory card can be imaged using the same technique and precautions as for USB drives.