CADX 105
COMPUTER FORENSICS AND INVESTIGATION
Module II
Storage Formats for Digital Evidence
Raw Format
 In the past, there was only one practical way of copying data for evidence preservation and examination: examiners performed a bit-by-bit copy from one disk to another disk of the same size or larger. As a practical way to preserve digital evidence, vendors (and some OS utilities, such as the Linux/UNIX dd command) made it possible to write the bitstream to files instead. This technique creates simple sequential flat files of a suspect drive or data set; the output is referred to as a raw format. The format has unique advantages and disadvantages to consider when selecting an acquisition format.
 The advantages of the raw format are fast data transfers and the ability to continue past minor read errors on the source drive. In addition, nearly every forensic tool can read a raw image, making it a universal acquisition format.
 One disadvantage is that a raw image requires as much storage space as the original disk or data set. Another is that some raw-format tools, typically freeware versions, might not collect marginal (bad) sectors on the source drive: they have a low threshold of retry reads on weak spots of the media and then pad the unreadable sector (usually with zeros, as dd's conv=noerror,sync does). Many commercial tools retry far more times to ensure that all recoverable data is collected. Whichever tool is used, the acquisition log should record which sectors, if any, were padded, because a padded image can never hash to the same value as the original bytes.
 Several commercial acquisition tools can produce raw-format acquisitions and typically perform a validation check using Cyclic Redundancy Check (CRC32), Message Digest 5 (MD5), or Secure Hash Algorithm (SHA-1 or later) hash functions. Because a raw image has no header in which to store metadata, these checks produce a separate file containing the hash value. That file must be preserved with the image and recorded in the case notes; without it, a raw image cannot later be shown to be unchanged.
Proprietary Formats
Most commercial forensics tools have their own formats for collecting digital evidence, such as the Expert Witness Compression (.e01) format used by EnCase.
Proprietary formats typically offer several features that complement the vendor's analysis tool, such as the following:
 The option to compress or not compress image files of a suspect drive, thus saving space on the target drive
 The capability to split an image into smaller segmented files for archiving purposes, such as to CDs or DVDs, with data integrity checks integrated into each segment
 The capability to integrate metadata into the image file, such as date and time of the acquisition, hash value (for self-authentication) of the original disk or medium, investigator or examiner name, and comments or case details
Because the hash travels inside the image, a tool that understands the format can re-verify the image automatically. The trade-off is that not every tool reads every vendor's format, so check that your analysis tools can open the format before choosing it for acquisition.
Advanced Forensic Format
Dr. Simson L. Garfinkel developed an open-source acquisition format called Advanced Forensic Format (AFF). This format has the following design goals:
 Capable of producing compressed or uncompressed image files
 No size restriction for disk-to-image files
 Space in the image file or segmented files for metadata
 Simple design with extensibility
 Open source for multiple computing platforms and OSs
 Internal consistency checks for self-authentication
The original AFF implementation (AFFLIB) is no longer actively maintained; its successor, AFF4, keeps the same goals and is the open format that current tools are more likely to support.
In digital forensics, there are two types of acquisition:
Static acquisition: the preferred way to collect digital evidence from a powered-off computer, for example one seized during a search, because the source does not change while it is imaged and the image can be re-verified against it afterwards.
Live acquisition: collecting digital evidence while the computer is powered on and the suspect is logged on. This is the only practical option when the hard disk is fully encrypted, because the volume is unlocked only while the system is running. A running system keeps changing, so a live image cannot later be re-verified against the source; its hash documents the image as captured.
For both types, there are four methods of collecting data:
1. Creating a disk-to-image file: the most common method. It lets the investigator create one or many bit-for-bit replications of the original drive, and the resulting file can be read by most forensic tools, such as ProDiscover, EnCase, FTK, X-Ways, ILook, SMART, and The Sleuth Kit.
2. Creating a disk-to-disk copy: used when disk-to-image imaging fails because of hardware or software incompatibilities. It copies the entire disk to a target disk using a tool such as EnCase or SafeBack; these tools can adjust the target disk's geometry to match the original drive.
3. Creating a logical disk-to-disk or disk-to-data file: the preferred method for large data storage such as RAID servers. It captures only specific files or file types of interest to the case, and is used when time is limited.
4. Creating a sparse copy of a folder or file: similar to a logical acquisition, but it also collects fragments of deleted (unallocated) data. It is used when the investigator does not need to examine the whole drive.
Best Acquisition Method
To determine the appropriate acquisition method, the investigator must consider the following:
 The size of the source disk.
 Whether you can retain the source disk as evidence or must return it to the owner.
 The time available to perform the acquisition.
 The location of the evidence.
Contingency Planning for Image Acquisitions
 As a standard practice, make at least two images of the digital evidence you collect. If you have more than one imaging tool, such as FTK Imager Lite and X-Ways Forensics, make the first copy with one tool and the second with the other. Different acquisition tools use different methods to copy data, and one tool might, for example, make more attempts to copy corrupted areas of a drive, so using more than one tool helps confirm that the data has been copied correctly. If both images hash to the same value, each tool has independently confirmed the other.
 If you have only one tool, consider making two images of the drive with the same tool, especially for critical investigations. With many tools, you can make one copy without compression and compress the other. Remember that Murphy's Law applies to digital forensics, too: if anything can go wrong, it will.
 Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive. Check the vendor's documentation to see whether its tool can copy a drive's HPA. If not, consider a hardware acquisition tool that can access the drive at the BIOS level, such as Belkasoft or ILookIX IXImager with a write-blocker, Image MASSter Solo, or X-Ways Replica; these tools can read a disk's HPA. On a Linux acquisition workstation, hdparm -N /dev/sdX reports the drive's current and native maximum sector counts, and a difference between the two indicates an HPA; a Device Configuration Overlay (DCO) can hide still more sectors and is reported by hdparm --dco-identify.
Microsoft has included whole disk encryption with BitLocker in its operating systems since Windows Vista (7, 8, 10, and 11), which makes performing static acquisitions more difficult. As part of contingency planning, you must be prepared to deal with encrypted drives.
A static acquisition of most whole-disk-encrypted drives currently involves decrypting the drive, which requires the user's cooperation in providing the password or decryption key, or a recovery key obtained elsewhere (BitLocker recovery keys are frequently escrowed in Active Directory or in the user's Microsoft account).
Most whole disk encryption tools at least have a manual process for decrypting data, which converts the encrypted disk to an unencrypted disk. This process can take several hours, depending on the disk size. One good thing about this kind of decryption is that the data is not otherwise altered: free and slack space are not changed.
The biggest concern with whole disk encryption is getting the decryption key, that is, the password or code used to access the encrypted data. If you can recover the whole disk key with a tool such as Elcomsoft Forensic Disk Decryptor, which extracts it from a memory dump or hibernation file, you need to learn how to use that tool to decrypt the drive. If the machine is found running and unlocked, a live acquisition of the decrypted volume (and a capture of RAM) before shutdown avoids the problem entirely.
In criminal investigations, obtaining the key may be impossible, because a suspect whose disk contains evidence of the crime has a strong motivation not to supply it.
Validating Data Acquisitions
 Probably the most critical aspect of computer forensics is validating digital evidence. The weakest point of any digital investigation is the integrity of the data you collect, so validation is essential. In this section, you learn how to use several tools to validate data acquisitions.
 Validating digital evidence requires a hashing utility, which computes a fixed-length value (displayed as a hexadecimal number) that represents a data set, such as a file or disk drive. This value is often called a digital fingerprint. Any alteration to the data, even changing one letter from uppercase to lowercase, produces a completely different hash value.
 The exception is a collision: two different inputs that produce the same hash. Practical collision attacks exist for MD5, and a SHA-1 collision was demonstrated in 2017, so neither should be the only hash recorded for a new acquisition; record SHA-256 (or another SHA-2 or SHA-3 function) alongside MD5 where older tools or case procedures still require MD5. For verifying that an image has not changed since acquisition, collisions matter little: an accidental change will not produce a colliding value, and an adversary would have to craft the altered image deliberately. If two files with different content do have the same MD5 hash value, a byte-by-byte comparison shows the differences, and several tools can perform such a comparison.
Linux Validation Methods
 Linux is rich in commands and functions. The two Linux shell commands shown earlier in this chapter, dd and dcfldd, have options that can be combined with other commands to validate data. The dcfldd command can hash the data as it is acquired (its hash= option) and verify the result against the source; validating data acquired with plain dd requires using other shell commands.
 Current distributions of Linux include the GNU coreutils hashing utilities md5sum, sha1sum, and sha256sum (along with sha224sum, sha384sum, and sha512sum). Each can compute hashes of a single file, multiple files, individual or multiple disk partitions, or an entire disk drive, because a block device such as /dev/sdb can be read like a file.
 Validating dd-Acquired Data
 The dd command shown earlier in the chapter (not reproduced on this page) produces segmented volumes of the /dev/sdb drive, each named image_sdb with an incrementing extension of .aa, .ab, .ac, and so on. To validate all segmented volumes with md5sum, hash the original drive (md5sum /dev/sdb, with the drive still connected to the acquisition workstation through a write-blocker), then hash the segments concatenated in order (cat image_sdb.* | md5sum), and compare the two values; they must match exactly. Remember to change to the directory where the images were saved, or give the exact path to them. To use sha1sum or sha256sum instead of md5sum, replace the md5sum references with the other utility.
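The dd-and-md5sum procedure above, worked through as an added example that is not part of the lecture: the Python below images a constructed stand-in for /dev/sdb into split-named segments (.aa, .ab, ...), retries and then zero-fills an unreadable sector the way dd conv=noerror,sync does (the marginal-sector behaviour described under Raw Format), hashes the source and the concatenated segments the way md5sum /dev/sdb and cat image_sdb.* | md5sum would, and keeps the hash in the separate sidecar file a raw image requires. FlakyDrive, the segment size, the retry count and SHA-256 as the default algorithm are assumptions made for the demo.

```python
"""Raw (dd-style) acquisition with split(1)-named segments and hash validation.

Added example, not lecture code. The source "drive" is a constructed FlakyDrive
standing in for /dev/sdb: one chosen sector raises OSError on its first few
reads, like a weak spot on the media. Unreadable sectors are retried and then
zero-filled, which is what `dd conv=noerror,sync` does.
"""
import hashlib
import string

SECTOR = 512


class FlakyDrive:
    """Constructed source drive: sector `bad` fails its first `fails` reads."""

    def __init__(self, data, bad=None, fails=0):
        if len(data) % SECTOR:
            raise ValueError("demo data must be sector-aligned")
        self.data, self.bad, self.fails = data, bad, fails
        self.sectors = len(data) // SECTOR

    def read_sector(self, n):
        if n == self.bad and self.fails > 0:
            self.fails -= 1
            raise OSError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def read_with_retry(drive, n, retries):
    """Return (sector bytes, ok). After `retries` extra attempts the sector
    is zero-filled and ok is False, mirroring `dd conv=noerror,sync`."""
    for _ in range(retries + 1):
        try:
            return drive.read_sector(n), True
        except OSError:
            continue
    return b"\x00" * SECTOR, False


def acquire_raw(drive, prefix, segment_bytes, retries=3):
    """Image `drive` into prefix.aa, prefix.ab, ... of `segment_bytes` each
    (like `dd if=/dev/sdb | split -b SIZE - prefix.`).
    Returns (segment paths in order, sectors that had to be zero-filled)."""
    if segment_bytes % SECTOR:
        raise ValueError("segment size must be a multiple of the sector size")
    paths, padded, seg, out, written = [], [], 0, None, 0
    for n in range(drive.sectors):
        if out is None:  # open the next segment: .aa, .ab, ... .az, .ba, ...
            suffix = string.ascii_lowercase[seg // 26] + string.ascii_lowercase[seg % 26]
            paths.append(f"{prefix}.{suffix}")
            out, written = open(paths[-1], "wb"), 0
        sector, ok = read_with_retry(drive, n, retries)
        if not ok:
            padded.append(n)  # belongs in the acquisition log
        out.write(sector)
        written += SECTOR
        if written == segment_bytes:
            out.close()
            out, seg = None, seg + 1
    if out is not None:
        out.close()
    return paths, padded


def _digest(chunks, algo):
    h = hashlib.new(algo)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def hash_drive(drive, algo="sha256", retries=3):
    """Equivalent of `sha256sum /dev/sdb`, using the same retry policy as the
    acquisition so that a padded sector hashes the same way on both sides."""
    return _digest((read_with_retry(drive, n, retries)[0]
                    for n in range(drive.sectors)), algo)


def hash_segments(paths, algo="sha256"):
    """Equivalent of `cat image_sdb.* | sha256sum`: hash the segments as one
    stream, in name order."""
    def chunks():
        for path in sorted(paths):
            with open(path, "rb") as f:
                while block := f.read(1 << 20):
                    yield block
    return _digest(chunks(), algo)


def write_sidecar(paths, sidecar, algo="sha256"):
    """A raw image has no header for metadata, so the hash lives in a separate
    file that must be kept with the image and copied into the case notes."""
    digest = hash_segments(paths, algo)
    with open(sidecar, "w") as f:
        f.write(f"{algo} {digest}\n")
    return digest


def validate(paths, sidecar):
    """Re-hash the segments and compare with the recorded value."""
    with open(sidecar) as f:
        algo, recorded = f.read().split()
    return hash_segments(paths, algo) == recorded
```

Two points the code makes that the text only implies: a sector that never reads back is padded, so the image hash cannot match a hash of the original bytes and the list of padded sectors belongs in the acquisition log; and the sidecar is the only thing that ties a raw image to its acquisition-time hash, so a change to a single byte of any segment is caught only if that file survives alongside the image.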
Windows Validation Methods
Unlike Linux, Windows has no hashing utility intended for forensic work, although it does ship general-purpose ones (certutil -hashfile and the PowerShell cmdlet Get-FileHash can compute MD5, SHA-1, and SHA-256 of a file). Many Windows third-party programs have validation features built in. These range from hexadecimal editors, such as X-Ways WinHex or Breakpoint Software Hex Workshop, to forensic programs, such as OSForensics, Autopsy, EnCase, and FTK. Commercial forensic programs also have built-in validation features, each with its own validation technique for acquisition data in its proprietary format. For example, Autopsy uses MD5 to validate an image: it reads the metadata in Expert Witness Compression (.e01) or AFF image files to get the original hash, and if the hashes don't match, it notifies you that the acquisition is corrupt and can't be considered reliable evidence. Raw format image files, however, carry no metadata, so in Autopsy and many other forensic tools a separate manual validation is recommended for all raw acquisitions at the time of analysis.
The validation file generated at acquisition time for a raw image is therefore essential to the integrity of the evidence: it can be used later to check whether the acquisition file is still good. In FTK Imager Lite, when you select the Expert Witness Compression (.e01) or SMART (.s01) format, additional validation options are displayed, and the validation report lists the MD5 and SHA-1 hash values. The MD5 hash value is added to the proprietary-format image or segmented files. When this image is loaded into FTK, SMART, or X-Ways Forensics (which reads .e01 and raw images, among others), the stored MD5 hash is read and compared with the image to verify that the acquisition is correct.
Performing RAID Data Acquisitions
 Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized. Size is the biggest concern, because many RAID systems now hold tens of terabytes to petabytes of data. The following sections review common RAID configurations and discuss ways to acquire data on these large storage devices.
 Understanding RAID
 Redundant array of independent disks (RAID) is a computer configuration involving two or more physical disks. Originally, RAID was developed as a data-redundancy measure to minimize data loss caused by a disk failure. As technology improved, RAID also provided increased storage capacity and throughput.
 Several levels of RAID can be implemented through software (known as software RAID) or special hardware controllers (known as hardware RAID). Software RAID is typically implemented by the host computer's OS. Hardware RAID uses its own controller, with its own processor and memory, connected to the host computer.
The following concepts are often associated with RAID:
 Striping: data is split across many drives.
 Mirroring: data is replicated between multiple drives.
 Parity: a value computed from the data blocks of a stripe (for RAID 5, the XOR of the blocks) that is used to recreate a lost block mathematically.
 Different RAID Levels
 RAID-0 (Striping)
 RAID-1 (Mirroring)
 RAID-2 (Bit-Level Striping with Hamming-Code Error Correction)
 RAID-3 (Byte-Level Striping with Dedicated Parity)
 RAID-4 (Block-Level Striping with Dedicated Parity)
 RAID-5 (Block-Level Striping with Distributed Parity)
 RAID-6 (Block-Level Striping with Double Distributed Parity; survives two failed disks)
Acquiring RAID Disks
There's no simple method for getting an image of a RAID server's disks. You need to address the following concerns:
 How much data storage is needed to acquire all data for a forensics image?
 What type of RAID is used? Is it Windows RAID 0 or 1, or a hardware or firmware vendor's integrated RAID 5, 10, or 15? Is it another unknown configuration or OS? If it's a RAID 1, 10, or 15 server, do you need to have all drives connected so that the OS sees their contents? Some older RAID 1 systems required connecting both drives to make the data readable, which might also apply to RAID 10 and 15.
 Do you have an acquisition tool capable of copying the data correctly?
 Can the tool read a forensic copy of a RAID image?
 Can the tool read separate images of each RAID member disk, and then combine them into one RAID virtual drive for analysis? Combining them requires the controller's parameters: the member order, the stripe (chunk) size, and for RAID 5 the parity rotation. Record these from the controller configuration at the scene whenever possible, because a wrong guess produces an unreadable volume.
 With the larger disks now available, copying small RAID systems to one large disk is possible, similar to the way non-RAID suspect drives are copied. For example, a small server running eight 36 GB SCSI drives in a RAID 0 tower requires about a 300 GB SATA or IDE (PATA) drive.
 Less data storage is needed if a proprietary-format acquisition is used with compression applied.
 Forensic analysis tools can then analyze the image, because they see the acquired data as one large logical drive, not eight separate drives.
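The reassembly step described in the bullets above, as an added example that is not from the lecture or any vendor tool: per-member raw images of a RAID-0 and a RAID-5 set are recombined into the single logical volume an analysis tool expects, and a missing RAID-5 member is rebuilt from XOR parity. The sample data, the 64-byte chunk size and the parity rotation (parity on member n-1-(stripe mod n), one common left-asymmetric layout) are assumptions for the demo; a real controller's chunk size, member order and rotation must be taken from the controller or found by trial, and the last check shows that a wrong member order yields garbage rather than the volume.

```python
"""RAID reassembly from per-member images (added example, not lecture code).

Assumed layout for the demo: RAID-5 with parity on member ndisks-1-(stripe % ndisks)
and data chunks filling the other members in order. Real controllers differ in
chunk size, member order and rotation; all three must be known before the
per-disk images can be combined into one virtual drive.
"""


def xor_blocks(blocks):
    """RAID parity: bitwise XOR of equal-length byte strings."""
    acc = 0
    for b in blocks:
        acc ^= int.from_bytes(b, "big")
    return acc.to_bytes(len(blocks[0]), "big")


def raid0_reassemble(images, chunk):
    """Striping only: interleave chunk-sized pieces of each member in order."""
    out = bytearray()
    for s in range(len(images[0]) // chunk):
        for img in images:
            out += img[s * chunk:(s + 1) * chunk]
    return bytes(out)


def raid5_parity_disk(stripe, ndisks):
    """Which member holds parity for a stripe under the assumed rotation."""
    return ndisks - 1 - (stripe % ndisks)


def raid5_write(data, ndisks, chunk):
    """Constructed writer that lays `data` out as RAID-5 member images
    (zero-padded to a whole stripe), so the demo has something to reassemble."""
    per_stripe = chunk * (ndisks - 1)
    if len(data) % per_stripe:
        data += b"\x00" * (per_stripe - len(data) % per_stripe)
    members = [bytearray() for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        pieces = [stripe[i * chunk:(i + 1) * chunk] for i in range(ndisks - 1)]
        pdisk, it = raid5_parity_disk(s, ndisks), iter(pieces)
        for d in range(ndisks):
            members[d] += xor_blocks(pieces) if d == pdisk else next(it)
    return [bytes(m) for m in members]


def raid5_reassemble(images, chunk):
    """Rebuild the logical volume from member images given in controller order.
    A member whose image is unavailable is passed as None and is rebuilt
    stripe by stripe from the XOR of the others (parity or data alike)."""
    ndisks = len(images)
    present = [img for img in images if img is not None]
    if len(present) < ndisks - 1:
        raise ValueError("RAID-5 can rebuild at most one missing member")
    size = len(present[0])
    if any(len(img) != size for img in present):
        raise ValueError("member images must be the same size")
    missing = images.index(None) if None in images else -1
    out = bytearray()
    for s in range(size // chunk):
        blocks = [None if img is None else img[s * chunk:(s + 1) * chunk]
                  for img in images]
        if missing >= 0:
            blocks[missing] = xor_blocks([b for b in blocks if b is not None])
        pdisk = raid5_parity_disk(s, ndisks)
        for d in range(ndisks):
            if d != pdisk:
                out += blocks[d]
    return bytes(out)


def raid5_rebuild_member(images):
    """Image of the single missing member: the XOR of all the others. Parity is
    positionwise, so this holds no matter where the parity rotates, and the
    rebuilt image can be hashed and stored like the members that were acquired."""
    return xor_blocks([img for img in images if img is not None])
```

In practice the examiner images every member disk separately (hashing each), keeps the controller's parameters with the case notes, and only then builds the virtual volume; if the parameters are unknown, trying candidate orders and chunk sizes until a recognisable file system header appears at the start of the reassembled volume is the usual fallback.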
Several forensics vendors have added RAID recovery features. These vendors typically specialize in
one or two types of RAID formats. The following are some vendors offering RAID acquisition
functions:
 Guidance Software EnCase
 X-Ways Forensics
 AccessData FTK
 Runtime Software
 R-Tools Technologies

More Related Content

Similar to Computer Forensics and investigation module 3 (20)

Ch 04 Data Acquisition for Digital Forensics.ppt
Ch 04 Data Acquisition for Digital Forensics.pptCh 04 Data Acquisition for Digital Forensics.ppt
Ch 04 Data Acquisition for Digital Forensics.ppt
whbwi21Basri
Watching the Detectives: Using digital forensics techniques to investigate th...
Watching the Detectives: Using digital forensics techniques to investigate th...Watching the Detectives: Using digital forensics techniques to investigate th...
Watching the Detectives: Using digital forensics techniques to investigate th...
GarethKnight
Digital Forensics in the Archive
Digital Forensics in the ArchiveDigital Forensics in the Archive
Digital Forensics in the Archive
GarethKnight
Fs Ch 18
Fs Ch 18Fs Ch 18
Fs Ch 18
warren142
iam giving you entire process of油油forensc duplication;the response.pdf
iam giving you entire process of油油forensc duplication;the response.pdfiam giving you entire process of油油forensc duplication;the response.pdf
iam giving you entire process of油油forensc duplication;the response.pdf
mukhtaransarcloth
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation
Vipin George
kbrgwillis.pdf
kbrgwillis.pdfkbrgwillis.pdf
kbrgwillis.pdf
Kblblkb
Linux Recovery
Linux RecoveryLinux Recovery
Linux Recovery
V鱈ctor Capetillo
dataacquisition.pdf
dataacquisition.pdfdataacquisition.pdf
dataacquisition.pdf
Jayaprasanna4
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisition
primeteacher32
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docxComputer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
maxinesmith73660
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
Sam Bowne
Introduction to Forensics and Steganography by Pardhasaradhi C
Introduction to Forensics and Steganography by Pardhasaradhi CIntroduction to Forensics and Steganography by Pardhasaradhi C
Introduction to Forensics and Steganography by Pardhasaradhi C
n|u - The Open Security Community
File000127
File000127File000127
File000127
Desmond Devendran
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
DINESH KAMBLE
Cis 562 week 11 final exam strayer new
Cis 562 week 11 final exam  strayer newCis 562 week 11 final exam  strayer new
Cis 562 week 11 final exam strayer new
marysherman2018
Cis 562 week 11 final exam strayer new
Cis 562 week 11 final exam  strayer newCis 562 week 11 final exam  strayer new
Cis 562 week 11 final exam strayer new
lizabonilla
Cis 562 week 11 final exam strayer new
Cis 562 week 11 final exam  strayer newCis 562 week 11 final exam  strayer new
Cis 562 week 11 final exam strayer new
KatherineJack1
Cis 562 week 11 final exam strayer new
Cis 562 week 11 final exam  strayer newCis 562 week 11 final exam  strayer new
Cis 562 week 11 final exam strayer new
sweetsour2017
Cis 562 week 11 final exam strayer new
Cis 562 week 11 final exam  strayer newCis 562 week 11 final exam  strayer new
Cis 562 week 11 final exam strayer new
LillieDickey
Ch 04 Data Acquisition for Digital Forensics.ppt
Ch 04 Data Acquisition for Digital Forensics.pptCh 04 Data Acquisition for Digital Forensics.ppt
Ch 04 Data Acquisition for Digital Forensics.ppt
whbwi21Basri
Watching the Detectives: Using digital forensics techniques to investigate th...
Watching the Detectives: Using digital forensics techniques to investigate th...Watching the Detectives: Using digital forensics techniques to investigate th...
Watching the Detectives: Using digital forensics techniques to investigate th...
GarethKnight
Digital Forensics in the Archive
Digital Forensics in the ArchiveDigital Forensics in the Archive
Digital Forensics in the Archive
GarethKnight
iam giving you entire process of油油forensc duplication;the response.pdf
iam giving you entire process of油油forensc duplication;the response.pdfiam giving you entire process of油油forensc duplication;the response.pdf
iam giving you entire process of油油forensc duplication;the response.pdf
mukhtaransarcloth
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation
Vipin George
kbrgwillis.pdf
kbrgwillis.pdfkbrgwillis.pdf
kbrgwillis.pdf
Kblblkb
dataacquisition.pdf
dataacquisition.pdfdataacquisition.pdf
dataacquisition.pdf
Jayaprasanna4
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docxComputer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
maxinesmith73660
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
Sam Bowne
Introduction to Forensics and Steganography by Pardhasaradhi C
Introduction to Forensics and Steganography by Pardhasaradhi CIntroduction to Forensics and Steganography by Pardhasaradhi C
Introduction to Forensics and Steganography by Pardhasaradhi C
n|u - The Open Security Community
Cis 562 week 11 final exam strayer new
Cis 562 week 11 final exam  strayer newCis 562 week 11 final exam  strayer new
Cis 562 week 11 final exam strayer new
marysherman2018
Cis 562 week 11 final exam strayer new
Cis 562 week 11 final exam  strayer newCis 562 week 11 final exam  strayer new
Cis 562 week 11 final exam strayer new
lizabonilla
Cis 562 week 11 final exam strayer new
Cis 562 week 11 final exam  strayer newCis 562 week 11 final exam  strayer new
Cis 562 week 11 final exam strayer new
KatherineJack1
Cis 562 week 11 final exam strayer new
Cis 562 week 11 final exam  strayer newCis 562 week 11 final exam  strayer new
Cis 562 week 11 final exam strayer new
sweetsour2017
Cis 562 week 11 final exam strayer new
Cis 562 week 11 final exam  strayer newCis 562 week 11 final exam  strayer new
Cis 562 week 11 final exam strayer new
LillieDickey

More from ssuserec53e73 (6)

Health care Analytics-Module 3-CADX150..
Health care Analytics-Module 3-CADX150..Health care Analytics-Module 3-CADX150..
Health care Analytics-Module 3-CADX150..
ssuserec53e73
Health care Analytics-Module 1-CADX150..
Health care Analytics-Module 1-CADX150..Health care Analytics-Module 1-CADX150..
Health care Analytics-Module 1-CADX150..
ssuserec53e73
Module 3 continuation of computer forensic
Module 3 continuation of computer forensicModule 3 continuation of computer forensic
Module 3 continuation of computer forensic
ssuserec53e73
DLF-Microprocessor_02_2017-18 SAE2B microprocessor
DLF-Microprocessor_02_2017-18 SAE2B microprocessorDLF-Microprocessor_02_2017-18 SAE2B microprocessor
DLF-Microprocessor_02_2017-18 SAE2B microprocessor
ssuserec53e73
Computer Forensics -Introduction and the details
Computer Forensics -Introduction and the detailsComputer Forensics -Introduction and the details
Computer Forensics -Introduction and the details
ssuserec53e73
COMPUTER FORENSICS MODULE III of unit 3.ppt
COMPUTER FORENSICS MODULE III of unit 3.pptCOMPUTER FORENSICS MODULE III of unit 3.ppt
COMPUTER FORENSICS MODULE III of unit 3.ppt
ssuserec53e73
Health care Analytics-Module 3-CADX150..
Health care Analytics-Module 3-CADX150..Health care Analytics-Module 3-CADX150..
Health care Analytics-Module 3-CADX150..
ssuserec53e73
Health care Analytics-Module 1-CADX150..
Health care Analytics-Module 1-CADX150..Health care Analytics-Module 1-CADX150..
Health care Analytics-Module 1-CADX150..
ssuserec53e73
Module 3 continuation of computer forensic
Module 3 continuation of computer forensicModule 3 continuation of computer forensic
Module 3 continuation of computer forensic
ssuserec53e73
DLF-Microprocessor_02_2017-18 SAE2B microprocessor
DLF-Microprocessor_02_2017-18 SAE2B microprocessorDLF-Microprocessor_02_2017-18 SAE2B microprocessor
DLF-Microprocessor_02_2017-18 SAE2B microprocessor
ssuserec53e73
Computer Forensics -Introduction and the details
Computer Forensics -Introduction and the detailsComputer Forensics -Introduction and the details
Computer Forensics -Introduction and the details
ssuserec53e73
COMPUTER FORENSICS MODULE III of unit 3.ppt
COMPUTER FORENSICS MODULE III of unit 3.pptCOMPUTER FORENSICS MODULE III of unit 3.ppt
COMPUTER FORENSICS MODULE III of unit 3.ppt
ssuserec53e73

Recently uploaded (20)

Lesson Plan M1 2024 Lesson Plan M1 2024 Lesson Plan M1 2024 Lesson Plan M1...
Lesson Plan M1 2024  Lesson Plan M1 2024  Lesson Plan M1 2024  Lesson Plan M1...Lesson Plan M1 2024  Lesson Plan M1 2024  Lesson Plan M1 2024  Lesson Plan M1...
Lesson Plan M1 2024 Lesson Plan M1 2024 Lesson Plan M1 2024 Lesson Plan M1...
pinkdvil200
Fuel part 1.pptx........................
Fuel part 1.pptx........................Fuel part 1.pptx........................
Fuel part 1.pptx........................
ksbhattadcm
POWERPOINT-PRESENTATION_DM-NO.017-S.2025.pptx
POWERPOINT-PRESENTATION_DM-NO.017-S.2025.pptxPOWERPOINT-PRESENTATION_DM-NO.017-S.2025.pptx
POWERPOINT-PRESENTATION_DM-NO.017-S.2025.pptx
MarilenQuintoSimbula
Blind Spots in AI and Formulation Science Knowledge Pyramid (Updated Perspect...
Blind Spots in AI and Formulation Science Knowledge Pyramid (Updated Perspect...Blind Spots in AI and Formulation Science Knowledge Pyramid (Updated Perspect...
Blind Spots in AI and Formulation Science Knowledge Pyramid (Updated Perspect...
Ajaz Hussain
Useful environment methods in Odoo 18 - Odoo 際際滷s
Useful environment methods in Odoo 18 - Odoo 際際滷sUseful environment methods in Odoo 18 - Odoo 際際滷s
Useful environment methods in Odoo 18 - Odoo 際際滷s
Celine George
How to Configure Flexible Working Schedule in Odoo 18 Employee
How to Configure Flexible Working Schedule in Odoo 18 EmployeeHow to Configure Flexible Working Schedule in Odoo 18 Employee
How to Configure Flexible Working Schedule in Odoo 18 Employee
Celine George
Computer Application in Business (commerce)
Computer Application in Business (commerce)Computer Application in Business (commerce)
Computer Application in Business (commerce)
Sudar Sudar
APM People Interest Network Conference - Oliver Randall & David Bovis - Own Y...
APM People Interest Network Conference - Oliver Randall & David Bovis - Own Y...APM People Interest Network Conference - Oliver Randall & David Bovis - Own Y...
APM People Interest Network Conference - Oliver Randall & David Bovis - Own Y...
Association for Project Management
APM People Interest Network Conference - Tim Lyons - The neurological levels ...
APM People Interest Network Conference - Tim Lyons - The neurological levels ...APM People Interest Network Conference - Tim Lyons - The neurological levels ...
APM People Interest Network Conference - Tim Lyons - The neurological levels ...
Association for Project Management
Research & Research Methods: Basic Concepts and Types.pptx
Research & Research Methods: Basic Concepts and Types.pptxResearch & Research Methods: Basic Concepts and Types.pptx
Research & Research Methods: Basic Concepts and Types.pptx
Dr. Sarita Anand
EDL 290F Week 3 - Mountaintop Views (2025).pdf
EDL 290F Week 3  - Mountaintop Views (2025).pdfEDL 290F Week 3  - Mountaintop Views (2025).pdf
EDL 290F Week 3 - Mountaintop Views (2025).pdf
Liz Walsh-Trevino
Rass MELAI : an Internet MELA Quiz Prelims - El Dorado 2025
Rass MELAI : an Internet MELA Quiz Prelims - El Dorado 2025Rass MELAI : an Internet MELA Quiz Prelims - El Dorado 2025
Rass MELAI : an Internet MELA Quiz Prelims - El Dorado 2025
Conquiztadors- the Quiz Society of Sri Venkateswara College
How to Modify Existing Web Pages in Odoo 18
How to Modify Existing Web Pages in Odoo 18How to Modify Existing Web Pages in Odoo 18
How to Modify Existing Web Pages in Odoo 18
Celine George
The Dravidian Languages: Tamil, Telugu, Kannada, Malayalam, Brahui, Kuvi, Tulu
The Dravidian Languages: Tamil, Telugu, Kannada, Malayalam, Brahui, Kuvi, TuluThe Dravidian Languages: Tamil, Telugu, Kannada, Malayalam, Brahui, Kuvi, Tulu
The Dravidian Languages: Tamil, Telugu, Kannada, Malayalam, Brahui, Kuvi, Tulu
DrIArulAram
The basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptxThe basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptx
heathfieldcps1
Storytelling instructions...............
Storytelling instructions...............Storytelling instructions...............
Storytelling instructions...............
Alexander Benito
N.C. DPI's 2023 Language Diversity Briefing
N.C. DPI's 2023 Language Diversity BriefingN.C. DPI's 2023 Language Diversity Briefing
N.C. DPI's 2023 Language Diversity Briefing
Mebane Rash
Year 10 The Senior Phase Session 3 Term 1.pptx
Year 10 The Senior Phase Session 3 Term 1.pptxYear 10 The Senior Phase Session 3 Term 1.pptx
Year 10 The Senior Phase Session 3 Term 1.pptx
mansk2
How to use Init Hooks in Odoo 18 - Odoo 際際滷s
How to use Init Hooks in Odoo 18 - Odoo 際際滷sHow to use Init Hooks in Odoo 18 - Odoo 際際滷s
How to use Init Hooks in Odoo 18 - Odoo 際際滷s
Celine George
The Constitution, Government and Law making bodies .
The Constitution, Government and Law making bodies .The Constitution, Government and Law making bodies .
The Constitution, Government and Law making bodies .
saanidhyapatel09
Lesson Plan M1 2024 Lesson Plan M1 2024 Lesson Plan M1 2024 Lesson Plan M1...
Lesson Plan M1 2024  Lesson Plan M1 2024  Lesson Plan M1 2024  Lesson Plan M1...Lesson Plan M1 2024  Lesson Plan M1 2024  Lesson Plan M1 2024  Lesson Plan M1...
Lesson Plan M1 2024 Lesson Plan M1 2024 Lesson Plan M1 2024 Lesson Plan M1...
pinkdvil200
Fuel part 1.pptx........................
Fuel part 1.pptx........................Fuel part 1.pptx........................
Fuel part 1.pptx........................
ksbhattadcm
POWERPOINT-PRESENTATION_DM-NO.017-S.2025.pptx
POWERPOINT-PRESENTATION_DM-NO.017-S.2025.pptxPOWERPOINT-PRESENTATION_DM-NO.017-S.2025.pptx
POWERPOINT-PRESENTATION_DM-NO.017-S.2025.pptx
MarilenQuintoSimbula
Blind Spots in AI and Formulation Science Knowledge Pyramid (Updated Perspect...
Blind Spots in AI and Formulation Science Knowledge Pyramid (Updated Perspect...Blind Spots in AI and Formulation Science Knowledge Pyramid (Updated Perspect...
Blind Spots in AI and Formulation Science Knowledge Pyramid (Updated Perspect...
Ajaz Hussain
Useful environment methods in Odoo 18 - Odoo 際際滷s
Useful environment methods in Odoo 18 - Odoo 際際滷sUseful environment methods in Odoo 18 - Odoo 際際滷s
Useful environment methods in Odoo 18 - Odoo 際際滷s
Celine George
How to Configure Flexible Working Schedule in Odoo 18 Employee
How to Configure Flexible Working Schedule in Odoo 18 EmployeeHow to Configure Flexible Working Schedule in Odoo 18 Employee
How to Configure Flexible Working Schedule in Odoo 18 Employee
Celine George
Computer Application in Business (commerce)
Computer Application in Business (commerce)Computer Application in Business (commerce)
Computer Application in Business (commerce)

Computer Forensics and investigation module 3

  • 1. CADX 105 COMPUTER FORENSICS AND INVESTIGATION Module II
  • 2. Storage Formats for Digital Evidence
    Raw Format
    In the past, there was only one practical way of copying data for the purpose of evidence preservation and examination. Examiners performed a bit-by-bit copy from one disk to another disk of the same size or larger. As a practical way to preserve digital evidence, vendors (and some OS utilities, such as the Linux/UNIX dd command) made it possible to write bitstream data to files. This copy technique creates simple sequential flat files of a suspect drive or data set. The output of these flat files is referred to as a raw format. This format has unique advantages and disadvantages to consider when selecting an acquisition format.
    The advantages of the raw format are fast data transfers and the capability to ignore minor data read errors on the source drive. In addition, most forensics tools can read the raw format, making it a universal acquisition format for most tools.
    One disadvantage of the raw format is that it requires as much storage space as the original disk or data set. Another disadvantage is that some raw format tools, typically freeware versions, might not collect marginal (bad) sectors on the source drive, meaning they have a low threshold of retry reads on weak media spots on a drive. Many commercial tools have a much higher threshold of retry reads to ensure that all data is collected.
    Several commercial acquisition tools can produce raw format acquisitions and typically perform a validation check by using Cyclic Redundancy Check (CRC32), Message Digest 5 (MD5), and Secure Hash Algorithm (SHA-1 or later) hashing functions. These validation checks, however, usually create a separate file containing the hash value.
  • 3. Proprietary Formats
    Most commercial forensics tools have their own formats for collecting digital evidence. Proprietary formats typically offer several features that complement the vendor's analysis tool, such as the following:
    - The option to compress or not compress image files of a suspect drive, thus saving space on the target drive
    - The capability to split an image into smaller segmented files for archiving purposes, such as to CDs or DVDs, with data integrity checks integrated into each segment
    - The capability to integrate metadata into the image file, such as date and time of the acquisition, hash value (for self-authentication) of the original disk or medium, investigator or examiner name, and comments or case details
  • 4. Advanced Forensic Format
    Dr. Simson L. Garfinkel developed an open-source acquisition format called Advanced Forensic Format (AFF). This format has the following design goals:
    - Capable of producing compressed or uncompressed image files
    - No size restriction for disk-to-image files
    - Space in the image file or segmented files for metadata
    - Simple design with extensibility
    - Open source for multiple computing platforms and OSs
    - Internal consistency checks for self-authentication
  • 5. Best Acquisition Method
    In digital forensics, there are 2 types of acquisitions:
    - Static Acquisition: the preferred way to collect digital evidence when a computer is seized during a police raid.
    - Live Acquisition: the way to collect digital evidence when a computer is powered on and the suspect is logged on. This type is preferred when the hard disk is encrypted with a password.
    For both types, there are 4 methods of collecting data:
    1. Creating a disk-to-image file: the most common method to collect data. It allows the investigator to create one or many bit-for-bit replications of the original drive. By using this method, we can use any of the forensics tools such as ProDiscover, EnCase, FTK, X-Ways, ILook, SMART, and Sleuth Kit to read the different types of disk-to-image files.
    2. Creating a disk-to-disk copy: used when disk-to-image faces hardware or software errors due to incompatibilities. It copies the entire disk to a newer disk by using any of the forensics tools such as EnCase and SafeBack. These tools can adjust the target disk's geometry to match the original drive.
    3. Creating a logical disk-to-disk or disk-to-data file: the preferred method with large data storage such as RAID servers. This method captures only specific files or file types of interest to the case. It is used when time is limited.
  • 6. 4. Creating a sparse copy of a folder or file: this method is similar to creating a logical acquisition, but it also collects deleted (unallocated) data. This method is also used when an investigator doesn't need to examine the whole drive.
    To determine the appropriate acquisition method, the investigator must consider the following:
    - The size of the source disk.
    - Can you retain the source disk as evidence, or must you return it to the owner?
    - Time to perform the acquisition.
    - Location of the evidence.
  • 7. Contingency Planning for Image Acquisitions
    As a standard practice, make at least two images of the digital evidence you collect. If you have more than one imaging tool, such as FTK Imager Lite and X-Ways Forensics, make the first copy with one tool and the second copy with the other tool. Different acquisition tools use different methods to copy data, and one tool might, for example, make more attempts to copy corrupted areas of a drive. So using more than one tool can be helpful in making sure data has been copied correctly. If you have only one tool, however, consider making two images of the drive with the same tool, especially for critical investigations. With many tools, you can make one copy with no compression and compress the other copy. Remember that Murphy's Law applies to digital forensics, too: if anything can go wrong, it will.
    Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive. Check the vendor's documentation to see whether its tool can copy a drive's HPA. If not, consider using a hardware acquisition tool that can access the drive at the BIOS level, such as Belkasoft or ILookIX IXImager, with a write-blocker, Image MASSter Solo, or X-Ways Replica. These tools can read a disk's HPA.
  • 8. Microsoft has added whole disk encryption with BitLocker to its newer operating systems, such as Windows Vista, 7, 8, and 10, which makes performing static acquisitions more difficult. As part of contingency planning, you must be prepared to deal with encrypted drives. A static acquisition on most whole disk-encrypted drives currently involves decrypting the drives, which requires the user's cooperation in providing the decryption key. Most whole disk encryption tools at least have a manual process for decrypting data, which is converting the encrypted disk to an unencrypted disk. This process can take several hours, depending on the disk size. One good thing about encryption is that data isn't altered, in that free and slack space aren't changed.
    The biggest concern with whole disk encryption is getting the decryption key, that is, the password or code used to access encrypted data. If you can recover the whole disk key with tools such as Elcomsoft Forensic Disk Decryptor, mentioned previously, you need to learn how to use it to decrypt the drive. In criminal investigations, this might be impossible because if a disk contains evidence supporting the crime, a suspect has a strong motivation not to supply the decryption key.
  • 9. Validating Data Acquisitions
    Probably the most critical aspect of computer forensics is validating digital evidence. The weakest point of any digital investigation is the integrity of the data you collect, so validation is essential. In this section, you learn how to use several tools to validate data acquisitions.
    Validating digital evidence requires using a hashing algorithm utility, which is designed to create a binary or hexadecimal number that represents the uniqueness of a data set, such as a file or disk drive. This unique number is referred to as a digital fingerprint. With a few exceptions, making any alteration in one of the files, even changing one letter from uppercase to lowercase, produces a completely different hash value. These exceptions, known as collisions, have been found to occur in a small number of files with MD5, and SHA-1 might also be subject to collisions. For forensic examinations of data files on a disk drive, however, collisions are of little concern. If two files with different content have the same MD5 hash value, a comparison of each byte of a file can be done to see the differences. Currently, several tools can do a byte-by-byte comparison of files.
  • 10. Linux Validation Methods
    Linux is rich in commands and functions. The two Linux shell commands shown earlier in this chapter, dd and dcfldd, have several options that can be combined with other commands to validate data. The dcfldd command has other options that validate data collected from an acquisition. Validating acquired data with the dd command requires using other shell commands. Current distributions of Linux include two hashing algorithm utilities: md5sum and sha1sum. Both utilities can compute hashes of a single file, multiple files, individual or multiple disk partitions, or an entire disk drive.
    Validating dd-Acquired Data
    As shown earlier, the following command produces segmented volumes of the /dev/sdb drive, with each segmented volume named image_sdb and an incrementing extension of .aa, .ab, .ac, and so on:
    To validate all segmented volumes of a suspect drive with the md5sum utility, you use the Linux shell commands shown in the following steps. For the saved images, remember to change to the directory where the data was saved, or list the exact path for the saved images. To use sha1sum instead of md5sum, just replace all md5sum references in commands with sha1sum. The drive should still be connected to your acquisition workstation.
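The md5sum validation of a segmented dd acquisition as a runnable script, added here as an example and not part of the original slides. It constructs a stand-in for /dev/sdb and the image_sdb.aa, .ab, .ac segments in a temporary directory, records the source hash in a separate validation file, writes a per-segment manifest for later re-checks, and compares the concatenated segments against the source; set HASH=sha1sum to use SHA-1 instead.

```shell
#!/bin/sh
# Added example, not from the original slides. Validates a dd acquisition that was
# written as segmented volumes image_sdb.aa, .ab, .ac ... against the source drive.
# The "drive" and its segments are constructed here from /dev/urandom so the script
# runs without a real suspect disk; on a workstation SOURCE would be /dev/sdb.
set -eu

HASH=${HASH:-md5sum}                 # replace md5sum with sha1sum to use SHA-1
WORK=$(mktemp -d)
SOURCE="$WORK/suspect_drive.bin"     # constructed stand-in for /dev/sdb
IMAGE_PREFIX="$WORK/image_sdb"       # segments are image_sdb.aa, image_sdb.ab, ...

# Constructed 3 MiB "suspect drive", then a segmented acquisition in 1 MiB volumes.
dd if=/dev/urandom of="$SOURCE" bs=1048576 count=3 2>/dev/null
split -b 1048576 -a 2 "$SOURCE" "$IMAGE_PREFIX."

# Step 1: hash the source drive while it is still connected. Raw images carry no
# metadata, so the hash lives in a separate validation file.
record_source_hash() {
    $HASH "$SOURCE" | awk '{print $1}' > "$WORK/source.hash"
}

# Step 2: hash every segment into a manifest that can re-check the files later.
write_manifest() {
    $HASH "$IMAGE_PREFIX".?? > "$WORK/image_sdb.hashes"
}

# Step 3: the segments concatenated in order must hash to the source value.
# Returns 0 when the acquisition validates, 1 otherwise.
validate_segments() {
    recorded=$(cat "$WORK/source.hash")
    computed=$(cat "$IMAGE_PREFIX".?? | $HASH | awk '{print $1}')
    [ "$recorded" = "$computed" ]
}

# Later re-check of the saved image files against the manifest (0 = still good).
check_manifest() {
    $HASH --status -c "$WORK/image_sdb.hashes"
}

# Overwrite 16 bytes in the second segment to show that validation then fails.
corrupt_segment() {
    dd if=/dev/zero of="$IMAGE_PREFIX.ab" bs=1 seek=100 count=16 conv=notrunc 2>/dev/null
}

record_source_hash
write_manifest
if validate_segments; then echo "acquisition validates against $SOURCE"; else echo "MISMATCH"; fi
```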
  • 11. Windows Validation Methods
    Unlike Linux, Windows has no built-in hashing algorithm tools for digital forensics. However, many Windows third-party programs do have a variety of built-in tools. These third-party programs range from hexadecimal editors, such as X-Ways WinHex or Breakpoint Software Hex Workshop, to forensics programs, such as OSForensics, Autopsy, EnCase, and FTK.
    Commercial forensics programs also have built-in validation features. Each program has its own validation technique used with acquisition data in its proprietary format. For example, Autopsy uses MD5 to validate an image. It reads the metadata in Expert Witness Compression or AFF image files to get the original hash. If the hashes don't match, Autopsy notifies you that the acquisition is corrupt and can't be considered reliable evidence. In Autopsy and many other forensics tools, however, raw format image files don't contain metadata. As mentioned, a separate manual validation is recommended for all raw acquisitions at the time of analysis. The previously generated validation file for raw format acquisitions is essential to the integrity of digital evidence. The saved validation file can be used later to check whether the acquisition file is still good.
    In FTK Imager Lite, when you select the Expert Witness Compression (.e01) or the SMART (.s01) format, additional options for validation are displayed. This validation report also lists the MD5 and SHA-1 hash values. The MD5 hash value is added to the proprietary format image or segmented files. When this image is loaded into FTK, SMART, or X-Ways Forensics (which can read only .e01 and raw files), the MD5 hash is read and compared with the image to verify whether the acquisition is correct.
  • 12. Performing RAID Data Acquisitions
    Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized. Size is the biggest concern because many RAID systems are now pushing into exabytes or more of data. The following sections review common RAID configurations and discuss ways to acquire data on these large storage devices.
    Understanding RAID
    Redundant array of independent disks (RAID) is a computer configuration involving two or more physical disks. Originally, RAID was developed as a data-redundancy measure to minimize data loss caused by a disk failure. As technology improved, RAID also provided increased storage capabilities. Several levels of RAID can be implemented through software (known as software RAID) or special hardware controllers (known as hardware RAID). Software RAID is typically implemented from the host computer's OS. Hardware RAID uses its own controller as well as a processor and memory connected to the host computer.
  • 13. The following are concepts that are often associated with RAID:
    - Striping: Data is split across many drives.
    - Mirroring: Data is replicated between multiple drives.
    - Parity: This is a determined number used to recreate data mathematically.
  • 14. Different RAID Levels
    - RAID-0 (Striping)
    - RAID-1 (Mirroring)
    - RAID-2 (Bit-Level Striping with Dedicated Parity)
    - RAID-3 (Byte-Level Striping with Dedicated Parity)
    - RAID-4 (Block-Level Striping with Dedicated Parity)
    - RAID-5 (Block-Level Striping with Distributed Parity)
    - RAID-6 (Block-Level Striping with two Parity Bits)
  • 15. Acquiring RAID Disks
    There's no simple method for getting an image of a RAID server's disks. You need to address the following concerns:
    - How much data storage is needed to acquire all data for a forensics image?
    - What type of RAID is used? Is it Windows RAID 0 or 1 or an integrated hardware firmware vendor's RAID 5, 10, or 15? Is it another unknown configuration or OS?
    - If it's a RAID 1, 10, or 15 server, do you need to have all drives connected so that the OS sees their contents? Some older RAID 1 systems required connecting both drives to make the data readable, which might also apply to RAID 10 and 15.
    - Do you have an acquisition tool capable of copying the data correctly?
    - Can the tool read a forensic copy of a RAID image?
    - Can the tool read split data saves of each RAID disk, and then combine all images of each disk into one RAID virtual drive for analysis?
  • 16. With the larger disks now available, copying small RAID systems to one large disk is possible, similar to the way non-RAID suspect drives are copied. For example, a small server running eight 36 GB SCSI drives in a RAID 0 tower requires about a 300 GB SATA or IDE (PATA) drive. Less data storage is needed if a proprietary format acquisition is used with compression applied. All forensics analysis tools can analyze an image because they see the acquired data as one large drive, not eight separate drives.
    Several forensics vendors have added RAID recovery features. These vendors typically specialize in one or two types of RAID formats. The following are some vendors offering RAID acquisition functions:
    - Guidance Software EnCase
    - X-Ways Forensics
    - AccessData FTK
    - Runtime Software
    - R-Tools Technologies
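What "combining all images of each disk into one RAID virtual drive" means for the striping described in slides 13 to 15, as an added example that is not part of the original slides: a constructed 40 KiB volume is striped across three disk images the way a RAID 0 controller would write it, then rebuilt from the per-disk images and checked by hash. The 4 KiB stripe size and the disk order are assumptions; both must be established for the real array before reassembly.

```shell
#!/bin/sh
# Added example, not from the original slides. Reassembles a RAID 0 (striped) set
# from per-disk images into one virtual drive for analysis. Everything is
# constructed in a temp directory; no real array is touched.
set -eu

STRIPE=4096                          # assumed stripe size; must match the array
WORK=$(mktemp -d)

# Simulated controller: write stripe i of the volume to disk (i mod N).
# usage: stripe_to_disks volume stripe_bytes disk1 disk2 ...
stripe_to_disks() {
    vol=$1; stripe=$2; shift 2
    for d in "$@"; do : > "$d"; done
    i=0
    while :; do
        for d in "$@"; do
            before=$(wc -c < "$d")
            dd if="$vol" bs="$stripe" skip="$i" count=1 2>/dev/null >> "$d"
            [ "$(wc -c < "$d")" -gt "$before" ] || return 0   # past end of volume
            i=$((i + 1))
        done
    done
}

# Forensic reassembly: append block k of each disk image, in array order, to the
# virtual drive; stop when a disk image has no block k (handles uneven tails).
# usage: rebuild_raid0 output stripe_bytes disk1 disk2 ...
rebuild_raid0() {
    out=$1; stripe=$2; shift 2
    : > "$out"
    k=0
    while :; do
        for d in "$@"; do
            before=$(wc -c < "$out")
            dd if="$d" bs="$stripe" skip="$k" count=1 2>/dev/null >> "$out"
            [ "$(wc -c < "$out")" -gt "$before" ] || return 0
        done
        k=$((k + 1))
    done
}

# Constructed volume: 10 stripes over 3 disks, so the disks end up 4, 3, 3 blocks long.
dd if=/dev/urandom of="$WORK/volume.bin" bs=$STRIPE count=10 2>/dev/null
stripe_to_disks "$WORK/volume.bin" $STRIPE "$WORK/disk0.dd" "$WORK/disk1.dd" "$WORK/disk2.dd"
rebuild_raid0 "$WORK/rebuilt.bin" $STRIPE "$WORK/disk0.dd" "$WORK/disk1.dd" "$WORK/disk2.dd"

# The rebuilt virtual drive must hash to the same value as the original volume.
raid0_validates() {
    [ "$(md5sum < "$WORK/volume.bin")" = "$(md5sum < "$WORK/rebuilt.bin")" ]
}

# Disk order is part of the configuration: assembling disk1 before disk0 yields a
# different volume, so the order must be known, not guessed.
wrong_order_differs() {
    rebuild_raid0 "$WORK/wrong.bin" $STRIPE "$WORK/disk1.dd" "$WORK/disk0.dd" "$WORK/disk2.dd"
    ! cmp -s "$WORK/volume.bin" "$WORK/wrong.bin"
}

if raid0_validates; then echo "RAID 0 set rebuilt correctly"; else echo "MISMATCH"; fi
```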