Taha İslam YILMAZ
Computer Engineering
TOBB ETU
ADEO IWS - Digital Forensics
HARD DISK DATA ACQUISITION
Hard Disk Data Acquisition
• System Preservation Phase
• Evidence Searching Phase
• Event Reconstruction Phase
General Acquisition Procedure
• Copy one byte and repeat the process
• Like copying a letter by hand
• Sector by sector
Data Acquisition Layers
• Disk
• Volume
• File
• Application
Acquisition Tool Testing
• National Institute of Standards and Technology (NIST)
• The Computer Forensic Tool Testing (CFTT) program
• Results and specifications can be found on their website: https://www.cftt.nist.gov/disk_imaging.htm
Requirements For Mandatory Features-1
• The tool shall be able to acquire a digital source using each access interface visible to the tool.
• The tool shall be able to create either a clone of a digital source, or an image of a digital source, or provide the capability for the user to select and then create either a clone or an image of a digital source.
• The tool shall operate in at least one execution environment and shall be able to acquire digital sources in each execution environment.
• The tool shall completely acquire all visible data sectors from the digital source.
• The tool shall completely acquire all hidden data sectors from the digital source.
Requirements For Mandatory Features-2
• All data sectors acquired by the tool from the digital source shall be accurately acquired.
• If there are unresolved errors reading from a digital source then the tool shall notify the user of the error type and the error location.
• If there are unresolved errors reading from a digital source then the tool shall use a benign fill in the destination object in place of the inaccessible data.
Accessing the Hard Disk – Direct vs BIOS
• Accessing the hard disk directly is the fastest way to get data to and from the disk, but it requires the software to know quite a bit about the hardware.
• The BIOS knows about the hardware, and it provides services to the software so that programs can communicate with the hardware more easily.
Accessing the Hard Disk – Direct vs BIOS
• When the BIOS is used, there is a risk that it may return incorrect information about the disk.
• If the BIOS thinks that a disk is 8GB but the disk is really 12GB, the INT13h functions will give you access to only the first 8GB.
Dead vs Live Acquisition
• A dead acquisition occurs when the data from a suspect system is copied without the assistance of the suspect operating system.
• A live acquisition is one where the suspect operating system is still running and is being used to copy data.
• The risk of conducting a live acquisition is that the attacker may have modified the operating system or other software to provide false data during the acquisition.
• Attackers may install tools called rootkits on systems they compromise; rootkits return false information to the user.
Host Protected Area (HPA)
• A special area of the disk that can be used to save data, and a casual observer might not see it.
• The HPA is at the end of the disk and, when used, can only be accessed by reconfiguring the hard disk.
• It could contain hidden data.
Host Protected Area (HPA)
• The READ_NATIVE_MAX_ADDRESS command gives the total number of sectors on the disk.
• The IDENTIFY_DEVICE command returns the total number of sectors that a user can access.
• These two values will be different if an HPA exists.
Device Configuration Overlay (DCO)
• Similar to an HPA, a DCO may contain hidden data. The two can exist at the same time.
• A DCO could show a smaller disk size and report that supported features are not supported.
• The DCO allows system vendors to configure all HDDs to have the same number of sectors.
Device Configuration Overlay (DCO)
• The DEVICE_CONFIGURATION_IDENTIFY command returns the actual features and size of a disk.
• To remove a DCO, the DEVICE_CONFIGURATION_RESET command is used.
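The HPA/DCO size check from the two slides above, as an added example that is not part of the original presentation: given the three sector counts the slides name, it reports which hidden areas exist and the LBA range an acquisition must still cover. The counts are constructed; reading them from a real drive needs an ATA pass-through that this snippet does not include.

```python
"""Locate the hidden areas behind an HPA and a DCO from the three sizes the slides name.

Added example, not from the slides. Inputs are sector counts as reported by
IDENTIFY_DEVICE (user-accessible), READ_NATIVE_MAX_ADDRESS (native maximum,
i.e. without the HPA) and DEVICE_CONFIGURATION_IDENTIFY (true drive size).
The two max-address commands return the highest LBA, so the caller adds one to
turn them into counts. The values used in the tests are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECTOR = 512   # assumed logical sector size


@dataclass(frozen=True)
class HiddenArea:
    kind: str        # "HPA" or "DCO"
    first_lba: int   # inclusive
    last_lba: int    # inclusive

    @property
    def sectors(self) -> int:
        return self.last_lba - self.first_lba + 1

    @property
    def size_bytes(self) -> int:
        return self.sectors * SECTOR


def hidden_areas(identify_sectors: int, native_max_sectors: int,
                 dco_sectors: int) -> Tuple[Optional[HiddenArea], Optional[HiddenArea]]:
    """Return (hpa, dco); either is None when that area is absent.

    Layout as the slides describe it: the user area comes first, the HPA sits at
    its end, and the DCO hides whatever lies beyond the native maximum address.
    """
    if not 0 < identify_sectors <= native_max_sectors <= dco_sectors:
        raise ValueError("expected identify <= native max <= DCO size, all positive")
    hpa = dco = None
    if native_max_sectors > identify_sectors:
        hpa = HiddenArea("HPA", identify_sectors, native_max_sectors - 1)
    if dco_sectors > native_max_sectors:
        dco = HiddenArea("DCO", native_max_sectors, dco_sectors - 1)
    return hpa, dco


def describe(identify_sectors: int, native_max_sectors: int, dco_sectors: int) -> List[str]:
    """Examiner-facing summary: what is visible and what an acquisition must still reach."""
    lines = [f"user-accessible: {identify_sectors} sectors"]
    for area in hidden_areas(identify_sectors, native_max_sectors, dco_sectors):
        if area is None:
            continue
        lines.append(f"{area.kind}: LBA {area.first_lba}-{area.last_lba} "
                     f"({area.sectors} sectors, {area.size_bytes} bytes)")
    if len(lines) == 1:
        lines.append("no HPA or DCO: the three size values agree")
    return lines
```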
Hardware Write Blockers
• A hardware write blocker sits between a computer and a storage device and monitors the issued commands.
• It prevents the computer from writing data to the storage device.
• It blocks write commands and lets read commands pass.
Requirements For Hardware Write Blockers
• A hardware write block (HWB) device shall not transmit a command to a protected storage device that modifies the data on the storage device.
• An HWB device shall return the data requested by a read operation.
• An HWB device shall return without modification any access-significant information requested from the drive.
• Any error condition reported by the storage device to the HWB device shall be reported to the host.
• Source: http://www.cftt.nist.gov/hardware_write_block.htm
Software Write Blockers
• Software write blockers work by modifying the interrupt table, which is used to locate the code for a given BIOS service.
• INT13h points to the code that writes data to or reads data from the disk.
• When the operating system calls INT13h, the write blocker code is executed and examines which function is being requested.
• If the requested function is a write, the software write blocker blocks the command. If it is a non-write command, the blocker passes it on to the BIOS.
Requirements For Software Write Blockers
• The tool shall not allow a protected drive to be changed.
• The tool shall not prevent obtaining any information from or about any drive.
• The tool shall not prevent any operations to a drive that is not protected.
• Source: http://www.cftt.nist.gov/software_write_block.htm
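A Python model of the INT13h hooking the Software Write Blockers slide describes, checked against the three requirements above. It is an added example, not code from the presentation or from NIST: the interrupt table, BIOS handler and drives are simulated, and the choice to report a blocked write to the caller as successful is the model's own assumption.

```python
"""Model of an INT 13h software write blocker (added example, not the slides' code).
The interrupt table is a dict from interrupt number to handler, the BIOS disk
service is a plain function, and installing the blocker swaps the INT 13h entry
for a hook that inspects the requested function (register AH) and drive (DL).
Function numbers are the documented INT 13h values; the drives are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

INT13H = 0x13
SECTOR = 512
AH_READ = 0x02         # read sectors (CHS)
AH_WRITE = 0x03        # write sectors (CHS)
AH_FORMAT = 0x05       # format track
AH_GET_PARAMS = 0x08   # get drive parameters
AH_EXT_READ = 0x42     # extended read (LBA)
AH_EXT_WRITE = 0x43    # extended write (LBA)
WRITE_FUNCTIONS = {AH_WRITE, AH_FORMAT, AH_EXT_WRITE}   # functions that alter the medium


@dataclass
class Request:
    ah: int            # function number
    dl: int            # drive number (0x80 = first hard disk)
    lba: int = 0
    data: bytes = b""

@dataclass
class Result:
    ok: bool
    data: bytes = b""
    error: str = ""

@dataclass
class Disk:
    total_sectors: int
    sectors: Dict[int, bytes] = field(default_factory=dict)

DRIVES: Dict[int, Disk] = {}
interrupt_table: Dict[int, Callable[[Request], Result]] = {}
blocked: List[Tuple[int, int, int]] = []   # (drive, function, lba) refused by the blocker

def bios_int13h(req: Request) -> Result:
    """The original BIOS handler: services every request it receives."""
    disk = DRIVES.get(req.dl)
    if disk is None:
        return Result(False, error="drive not present")
    if req.ah in (AH_READ, AH_EXT_READ):
        return Result(True, data=disk.sectors.get(req.lba, b"\x00" * SECTOR))
    if req.ah in (AH_WRITE, AH_EXT_WRITE):
        disk.sectors[req.lba] = req.data
        return Result(True)
    if req.ah == AH_GET_PARAMS:
        return Result(True, data=disk.total_sectors.to_bytes(8, "little"))
    return Result(False, error="unsupported function")

def install_write_blocker(protected: Set[int]) -> None:
    """Patch the interrupt table so every INT 13h call reaches the blocker first."""
    original = interrupt_table[INT13H]

    def blocker(req: Request) -> Result:
        if req.ah in WRITE_FUNCTIONS and req.dl in protected:
            blocked.append((req.dl, req.ah, req.lba))
            # Model assumption: report success so the caller does not retry; medium untouched.
            return Result(True)
        return original(req)   # read, info request or unprotected drive: pass to the BIOS

    interrupt_table[INT13H] = blocker

def call_interrupt(number: int, req: Request) -> Result:
    """What the OS does: look the vector up in the table and jump to it."""
    return interrupt_table[number](req)

def exercise() -> Dict[str, bool]:
    """Check the three NIST software write blocker requirements against the model."""
    DRIVES.clear()
    blocked.clear()
    DRIVES[0x80] = Disk(1000, {0: b"E" * SECTOR})   # protected evidence drive
    DRIVES[0x81] = Disk(1000)                        # unprotected destination
    interrupt_table[INT13H] = bios_int13h
    install_write_blocker({0x80})
    new = b"X" * SECTOR
    call_interrupt(INT13H, Request(AH_WRITE, 0x80, 0, new))
    call_interrupt(INT13H, Request(AH_EXT_WRITE, 0x80, 7, new))
    read = call_interrupt(INT13H, Request(AH_READ, 0x80, 0))
    params = call_interrupt(INT13H, Request(AH_GET_PARAMS, 0x80))
    other = call_interrupt(INT13H, Request(AH_WRITE, 0x81, 0, new))
    return {
        "protected_unchanged": DRIVES[0x80].sectors == {0: b"E" * SECTOR},
        "info_still_available": read.ok and read.data == b"E" * SECTOR and params.ok,
        "unprotected_writes_pass": other.ok and DRIVES[0x81].sectors.get(0) == new,
    }
```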
Writing The Output Data
• We can write the output data either directly to a disk or to a file.
• The destination disk should be wiped with zeros before the acquisition.
• Original and destination disks should have the same geometries.
Image File Format
• A raw image contains only the data from the source device, and it is easy to compare the image with the source data.
• An embedded image contains data from the source device and additional descriptive data about the acquisition, such as hash values, dates, and times.
• Some tools will create a raw image and save the additional descriptive data to a separate file.
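The acquisition procedure as the slides describe it (sector by sector; unresolved read errors reported by type and location and replaced with a benign fill; hash and times kept in a separate descriptive file next to a raw image), as an added example that is not code from the presentation. The source device is a constructed in-memory object with one unreadable and one flaky sector.

```python
"""Sector-by-sector acquisition into a raw image plus a separate descriptive file.
Added example, not the slides' code: copy one sector at a time, retry a failed
read, substitute a benign zero fill where the error is unresolved, record the
error type and location, and keep hash and timestamps beside the image rather
than inside it. The source device is constructed and fails on chosen sectors;
a real acquisition would read the block device behind a write blocker."""
import hashlib
import io
import json
import time
from dataclasses import asdict, dataclass, field
from typing import Dict, List, Optional

SECTOR = 512

class FakeDevice:
    """Constructed source: `bad` LBAs never read, `flaky` LBAs fail once then succeed."""

    def __init__(self, total_sectors: int, bad=(), flaky=()):
        self.total_sectors = total_sectors
        self._bad = set(bad)
        self._flaky_left = {lba: 1 for lba in flaky}

    def read_sector(self, lba: int) -> bytes:
        if lba in self._bad:
            raise IOError(f"uncorrectable read error at LBA {lba}")
        if self._flaky_left.get(lba, 0):
            self._flaky_left[lba] -= 1
            raise IOError(f"transient read error at LBA {lba}")
        return lba.to_bytes(4, "little") * (SECTOR // 4)   # deterministic content

@dataclass
class AcquisitionRecord:
    """The descriptive data a tool keeps in a file beside the raw image."""
    started: str
    finished: str = ""
    total_sectors: int = 0
    filled_sectors: int = 0
    sha256: str = ""
    errors: List[Dict] = field(default_factory=list)   # one entry per unresolved sector

def _now() -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())

def acquire(device, image, retries: int = 2) -> AcquisitionRecord:
    """Copy every sector of `device` into `image` and return the sidecar record."""
    rec = AcquisitionRecord(started=_now(), total_sectors=device.total_sectors)
    digest = hashlib.sha256()
    benign_fill = b"\x00" * SECTOR
    for lba in range(device.total_sectors):
        data: Optional[bytes] = None
        last_error: Optional[Exception] = None
        for _attempt in range(1 + retries):
            try:
                data = device.read_sector(lba)
                break
            except IOError as exc:
                last_error = exc
        if data is None:
            # Unresolved error: record its type and location, write a benign fill.
            rec.errors.append({"lba": lba, "type": type(last_error).__name__,
                               "message": str(last_error)})
            rec.filled_sectors += 1
            data = benign_fill
        image.write(data)
        digest.update(data)
    rec.sha256 = digest.hexdigest()
    rec.finished = _now()
    return rec

def verify(image_bytes: bytes, record: AcquisitionRecord) -> bool:
    """Raw image check: hashing the image again must reproduce the recorded hash."""
    return hashlib.sha256(image_bytes).hexdigest() == record.sha256

def run_demo() -> Dict:
    """Image an 8-sector constructed device with one bad and one flaky sector."""
    device = FakeDevice(8, bad=[5], flaky=[2])
    image = io.BytesIO()
    record = acquire(device, image)
    sidecar = json.dumps(asdict(record), indent=2)   # would be written next to the image
    return {"image": image.getvalue(), "record": record, "sidecar": sidecar}
```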
Thank you for listening to me!
