Presented by:
IBRAHIM YUSOF
SAUFI BUKHARI
WHAT IS DIGITAL FORENSIC?
• Branch of forensic science which involves forensic
investigation on digital materials
• Objectives:
– Explain current state of a digital artifact (registries,
storage, documents, packets)
– Analyze information inside digital artifacts to be used as
digital evidence
– Recover deleted or lost information
– Analyze how the system was compromised
BASIC STEPS IN DIGITAL FORENSIC
• Identification: identify the system that will be investigated
• Collection: obtain digital evidence using disk imaging technique
• Examination and analysis: examine digital evidence to discover specific evidence
WHAT IS DISK IMAGING?
• Process of duplicating a hard disk drive or other storage device
sector by sector rather than as separate files
• Operates below the file-system layer (NTFS, Ext2, Ext3)
• Preserves the content, structure, and accounting of
the files
• Allows compression and archiving of the image file
to save storage space
APPLICABLE DISK IMAGING TOOLS
• Commercial software:
– AccessData Forensic Tool Kit (FTK) Imager
– Guidance Software EnCase
• Open-source software:
– dd: originally developed for UNIX/Linux systems, now available for
other OSes such as Windows
– dcfldd: enhanced version of dd developed by the U.S. Department of
Defense Computer Forensics Lab, with integrity verification capability
– dd_rescue & GNU ddrescue: two other enhanced versions of dd with
intelligent error recovery
– aimage: advanced forensic format (AFF) imaging tool with intelligent
error recovery, compression and verification
WHY USE OPEN-SOURCE TOOLS?
• Advantages:
– Save cost
– Can be shared and customized freely
• Disadvantages:
– Require expertise to configure and use
– Most of them do not offer a graphical user interface (GUI) to
ease use
• Require execution of raw disk imaging command
• Example: dcfldd if=/dev/hda of=/media/disk bs=32K hash=md5 md5log=/media/disk/md5log.txt
FORENSIC DISK IMAGING
• Adopts normal disk imaging functionalities
• Advanced functionalities:
– Integrity verification (checksum and hashing)
– Metadata (details about data) preservation
– Imaging logs generation
• Must satisfy digital forensic requirements for disk imaging
– The tool shall not alter the original
– The tool shall perform imaging even if there are I/O errors
– The tool shall compute hash or checksum value and perform
verification
– The tool shall produce accurate and correct documentation
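The dcfldd command shown earlier and the four requirements above (do not alter the original, keep going on I/O errors, hash and verify, document the run) can be reproduced with plain dd, which is what the following added script does. It is an example written for this page, not code from the slides or from the dcfldd or aimage projects, and it runs against a constructed 1 MiB file standing in for a source device rather than a real /dev/hda; the working directory, file names and the choice of SHA-256 instead of MD5 are assumptions for the demo. As on the slides, the image must be written to a file on the separate destination disk, never back onto the source.

```shell
#!/bin/sh
# Added demo (not from the slides): dd-based stand-in for
#   dcfldd if=/dev/hda of=/media/disk bs=32K hash=md5 md5log=/media/disk/md5log.txt
# run against a constructed file instead of a real device.
# WORK, the file names and SHA-256 are assumptions for this demo.
set -eu

WORK="${TMPDIR:-/tmp}/imaging-demo.$$"
mkdir -p "$WORK"

# Hash helper: sha256sum on GNU coreutils, shasum on BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed "source disk": 2048 sectors of 512 bytes (1 MiB of random data).
make_source() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# Sector-by-sector copy with integrity verification and a log:
#  - the source is only ever opened for reading (if=), never written;
#  - conv=noerror,sync keeps dd going past read errors and zero-fills
#    any short block, the same behaviour dcfldd relies on;
#  - dd's record counts go to the log, then the hash of source and image
#    is recorded and compared; a mismatch returns 1.
image_disk() {
    src="$1"; img="$2"; log="$3"
    printf 'imaging %s -> %s\n' "$src" "$img" >>"$log"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    printf 'source_sha256=%s\nimage_sha256=%s\n' "$src_hash" "$img_hash" >>"$log"
    if [ "$src_hash" != "$img_hash" ]; then
        echo 'verification FAILED' >>"$log"
        return 1
    fi
    echo 'verification OK' >>"$log"
}

# Split the image into fixed-size pieces (dcfldd does this natively with
# its split option) so it fits on smaller media or archives.
split_image() {
    split -b "$2" "$1" "$1.part."
}

# Reassemble the pieces and confirm they still hash to the original image.
verify_split() {
    img="$1"
    cat "$img".part.* >"$img.reassembled"
    [ "$(hash_file "$img")" = "$(hash_file "$img.reassembled")" ]
}

run_demo() {
    make_source "$WORK/source.img"
    image_disk "$WORK/source.img" "$WORK/evidence.dd" "$WORK/imaging.log"
    split_image "$WORK/evidence.dd" 256k
    verify_split "$WORK/evidence.dd"
    cat "$WORK/imaging.log"
}

run_demo
```

The log produced by image_disk is the documentation the fourth requirement asks for: dd's own record counts, the source and image hashes, and the verification result. Remove the demo files afterwards with `rm -rf "$WORK"`.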
[Diagram: normal vs. forensic disk imaging]
WHY USE FORENSIC DISK IMAGING?
• Prepares the exact duplication of the digital
evidence for analysis
• Avoids performing analysis on the original digital
evidence to prevent damage or modification
• Allows the original digital evidence to be duplicated
without limit
BEST TOOLS FOR FORENSIC DISK IMAGING
• dcfldd
– On-the-fly hashing (hashing is performed during data transfer
from source to destination)
– Image verification and splitting
– Logs generation into external applications
• aimage
– Image verification, compression, and archiving
– Hashing (sha1, md5, sha256)
– Metadata preservation
– Logs generation
HOW TO PERFORM DISK IMAGING?
• Preparations:
– Source hard disk or other storage devices attached to the
target system
– Destination hard disk (USB-attachable external hard disk),
much larger than the source hard disk
– Live CD (Linux): contains disk imaging tool and digital
forensic analysis utilities
CONTINUED…
• Hardware setup: [diagram: normal mode]
Q&A