file000129

Module XVI – Data Acquisition and Duplication

EC-CouncilCopyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: White House Email Forensics Case Won’t be Easy to Crack

Source: http://www.fcw.com/



Scenario

Adams Central Band’s Director Jeremy Johnson, 26, of 227 West South St., was formally charged on September 21, 2006 with seven counts of child seduction and 41 counts of possession of child pornography. Investigators found hundreds of images of child pornography on Johnson’s home computer.

Johnson was accused of seducing a senior female student at Adams Central when she was aged 18. Johnson had been taking part in a special sharing service over the Internet and appeared to have been trading child porn back and forth with other collectors.

Det. Sgt. Steve Cale and Det. Gary Burkhart initiated the investigation and collected Johnson’s Desktop computer and his laptop. During investigation, they found that there were over 500 images that appeared to be of children less than 18 years of age in a state of nudity engaged in various stages of sexual activity. They also found some e-mails that consisted of pornographic messages.

Source: http://www.news-banner.com/index/news-app/story.4999



Module Objective

• Determining the Best Data Acquisition Methods• Understanding the Data Recovery Contingencies• Data Acquisition Tools• The Need for Data Duplication• Data Duplication Tools

This module will familiarize you with:



Module Flow

Data Acquisition Methods

Need for Data Duplication Data Acquisition Tools

Data Recovery Contingencies

Data Duplication Tools



Data Acquisition



Data Acquisition

Forensic data acquisition is a process of collecting information from various media in accordance with certain standards for the purpose of analyzing its forensic value

Some common terminologies used in data acquisition:

• The small signal increment that can be detected by a data acquisition systemResolution:

• Commonly used terminology, but supports only one connection at a time and transmission distance up to 50 feetRS232:

• Rarely used terminology, but supports communication to more than one device on the bus at a time and supports transmission distances of approximately 5,000 feetRS485:

• Speed at which a data acquisition system collects data normally expressed in samples per secondSample Rate:

• Denotes how a signal is inputted to a data acquisition deviceSingle-ended

Input



Types of Data Acquisition Systems

Serial Communication Data Acquisition Systems

• It is used when the actual location of the data is at some distance from the computer

• Communication standards such as RS232 and RS485 are used in this system depending on the distance to be supported

USB Data Acquisition Systems

• Peripheral devices such as printers, monitors, modems, and data acquisition devices can be attached with the use of USB

• It is an easy option as it requires only one cable to connect the data acquisition device to the PC



Types of Data Acquisition Systems (cont’d)

Data Acquisition Plug-in Boards

• These boards are directly plugged into the computer bus• Each board has unique I/O map location

Parallel Port Data Acquisition Systems

• Parallel port used for the printer connection is used for the data acquisition device

• It supports high sample rate even if the distance between the computer and acquisition device is limited



Determining the Best Acquisition Methods

• Creating a bit-stream disk-to-image file• Making a bit-stream disk-to-disk copy• Creating a sparse data copy of a folder or file

Forensic investigators acquire digital evidence using the following methods:



Data Recovery Contingencies

Investigators must make contingency plans when data acquisition fails

To preserve digital evidence, investigators need to create a duplicate copy of the evidence files

In case the original data recovered is corrupted, investigators can make use of the second copy

Use at least two data acquisition tools to create copy of the evidence incase the investigator’s preferred tool does not properly recover data



Data Acquisition Mistakes

Choosing wrong resolution for data acquisition

Using wrong cables and cabling techniques

Not enough time for system development

Making the wrong connections

Having poor instrument knowledge



Data Duplication



Data Duplication

Data duplication is useful for the preservation of the original evidence

Preserve the data

• All the tests to be carried out on the data are generally carried out on the copy of the original data keeping the original data safe

Never work on the original data

• Use special tools and software for imaging the data devices• This data will be treated as forensically sound copy



Issues with Data Duplication

Data duplication may contaminate the original data

Contaminated data is not accepted as evidence

There are chances of tampering the duplicate data

Data fragments can be overwritten and data stored in the Windows swap file can be altered or destroyed

If the original data is contaminated, then important evidence is lost which causes problems in the investigation process



Data Duplication in a Mobile Multi-Database System

Duplication of the database results in fault tolerance

It can be used even if the software and hardware fails

Data duplication increases the reliability of the system

Requests for particular data items can be handled by different nodes concurrently

It increases the response time and gives an improved performance



Data Duplication System Used in USB Devices

Data duplication method is used to control the data transmission between USB devices

Data is transmitted between two USB devices without the help of the computer

The duplication system consists of at least serial interface engine circuit, a CPU, and a data buffer unit

CPU is connected between the source SUB and target USB with the help of serial interface engine circuit

Data buffer is used as a memory buffer space while the digital data is transmitted between the source and the destination USB devices



Data Backup

Backup is the activity of copying files or databases so that they will be preserved in case of equipment failure or other catastrophe

Backup approach can be categorized as local, remote, online, or offline

It is important to:

• Restore the original data after a data breach or disaster• Restore some files if they are accidentally deleted or corrupted

It may serve as an image file that can be used for forensic investigation and analysis of evidence in a cyber crime

It may be used as an evidence in trials of computer crimes



Data Acquisition Tools and Commands



MS-DOS Data Acquisition Tool: DriveSpy

DriveSpy enables the investigator to direct data from one particular sector range to another sector

It provides two methods in accessing disk sector ranges:

A built in Sector (and Cluster) Hex Viewer which can be used to examine DOS and non-DOS partitions

Configurable logging capabilities to document the investigation (keystroke-by-keystroke if desired)

The ability to create and restore the compressed forensic images of the drive partitions

Full scripting capabilities to automate processing activities



Using Windows Data Acquisition Tools

Windows data acquisition tools allow the investigator to acquire evidence from a disk with the help of removable media such as USB storage devices

These tools can use Firewire to connect hard disks to the forensic lab systems

Data acquisition tools in Windows cannot acquire data from the host protected area of the disk



FTK Imager

FTK Imager allows you to acquire physical device images and logically view data from FAT, NTFS, EXT 2 and 3, as well as HFS and HFS+ file systems



Acquiring Data on Linux

Forensic investigators use the built- in Linux command “dd” to copy data from a disk drive

This command can make a bit-stream disk-to-disk file, disk-to-image file, block-to-block copy/ block-to-file copy

The “dd” command can copy the data from any disk that Linux can mount and access

Other forensic tools such as AccessData FTK and Ilook can read dd image files

• dd if=/*source* of=/*destination*where:if = infile, or evidence you are copying (a hard disk, tape, etc.)source = source of evidence of = outfile, or copy of evidencedestination = where you want to put the copy

Syntax:



dd Command

dd if=<source> of=<target> bs=<byte size>("USUALLY" some power of 2, not less than 512 bytes(ie, 512, 1024, 2048, 4096, 8192, 16384, but can be ANY reasonable number.) skip= seek= conv=<conversion>

Suppose a 2GB hard disk is seized as evidence. use DD to make a complete physical backup of the hard disk:

•dd if=/dev/hda of=/dev/case5img1

Copy one hard disk partition to another hard disk:

•dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror

Make an ISO image of a CD:

•dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc

Copy a floppy disk:

•dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc

Restore a disk partition from an image file:

•dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror

Copy ram memory to a file:

•dd if=/dev/mem of=/home/sam/mem.bin bs=1024



Extracting the MBR

To see the contents of MBR, use this command:

•# dd if=/dev/hda of=mbr.bin bs=512 count=1# od -xa mbr.bin

The dd command, which needs to be run from root, reads the first 512 bytes from /dev/hda (the first Integrated Drive Electronics, or IDE drive) and writes them to the mbr.bin file

The od command prints the binary file in hex and ASCII formats



Netcat Command

•dd if=/dev/hda bs=16065b | netcat targethost-IP 1234

Source Machine

•netcat -l -p 1234 | dd of=/dev/hdc bs=16065b

Target Machine



dd Command (Windows XP Version)

Linux dd utility ported to Windows:

dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img --md5sum --verifymd5 --md5out=d:\images\PhysicalDrive0.img.md5



Mount Image Pro

Mount Image Pro is a computer forensics tool for Computer Forensics investigations. It enables the mounting of:

• EnCase • Unix/Linux DD images • SMART • ISO

It mounts image files as a drive letter under the Windows file system

It maintains the MD5 HASH integrity which can be tested by the reacquisition of the mounted drive and a comparison of MD5 checksums

It will also open EnCase password protected image files without the password



Mount Image Pro



Snapshot Tool

Snapshot is a Data acquisition tool



Snapback DatArrest

SnapBack Live, which allows it to perform a "True Image Backup" of a server while it is live and in use

If the "bad guys" see you coming and start deleting files, DatArrest recovers all the files, including the deleted files

The DatArrest Suite provides the ability to copy:

• Server hard drive to tape • PC hard drive to tape • Server or PC hard drive to removable media • Hard drive to hard drive • Tape to tape



Data Acquisition Toolbox

Data Acquisition Toolbox provides tools for analog input, analog output, and digital Input/Output

It supports variety of PC-compatible data acquisition hardware

• Customizing the acquisition process• Accessing built-in features of hardware devices• Incorporating the analysis and visualization features• Saving data for post-processing• Updating test setup for result analysis

Data Acquisition Toolbox enables:



Data Acquisition Toolbox: Screenshot



Data Acquisition Tool: SafeBack

SafeBack is an industry standard self-authenticating computer forensics tool that is used to create evidence grade backups of hard drives

It is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirror-image copy of an entire hard disk drive or partition

It creates a log file of all transactions it performs



Hardware Tool: Image MASSter Solo-3 Forensic

The ImageMASSter Solo-3 Forensic data imaging tool is a light weight, portable hand-held device that can acquire data to one or two evidence drives at speeds exceeding 3GB/Min

Designed exclusively for Forensic data acquisition

Figure: Image MASSter Solo-3 Forensic



Image MASSter Solo-3 Forensic (cont’d)

• MD5 and CRC32 Hashing• Touch Screen User Interface• High Speed Operation• Built in Write Protection• Built in FireWire 1394B and USB

2.0 Interface• Captures to Two Evidence Drives

Simultaneously• Multiple Capture Methods• WipeOut• Audit Trail and Logs• Multiple Media Support• Upgradeable

Features:

• Device Configuration Overlay (DCO) Option

• Host Protected Area (HPA) Option• WipeOut DoD Option• WipeOut Fast Option• LinkMASSter Application• Linux-DD Capture Option

Software features:

Figure: Image MASSter Solo-3 Forensic



Image MASSter: RoadMASSter -3

Road MASSter 3 is a portable computer forensic lab used to:

• Acquire data• Preview and image hard drives• Analyze data in the field

It is designed to perform both as a fast and reliable hard drive imaging and data analysis

It can acquire or analyze data from FireWire 1394A/B, USB, IDE, SATA, SAS, and SCSI

Figure: Road MASSter-3



Image MASSter: Wipe MASSter

Wipe MASSter is designed to erase and sanitize hard drives

It ensures that there are no traces of the previous data on the hard drive

Intuitive menu provides simple pattern-based scan to sanitize the hidden partition on any hard drive

Figure: Wipe MASSter



Image MASSter: DriveLock

Image MASSter DriveLock device is a hardware write protect solution which prevents data writes

It has four versions:

• Serial-ATA DriveLock Kit USB/1394B• DriveLock Firewire/USB• DriveLock IDE• DriveLock In Bay



Hardware Tool: LinkMASSter-2 Forensic

The LinkMASSter 2 is High Speed Forensic Data Acquisition device that provides the tools necessary to seize data from a Suspect’s unopened Notebook or PC using the FireWire 1394A/B or USB 1.0/2.0 interface

The device supports the MD5, CRC32 or SHA1 hashing methods during data capture, ensuring that the transferred data is an exact replica of the suspect’s data without modification

Seize the data from P-ATA, S-ATA, SCSI or Notebook drives

Data transfer rates can exceed 3GB/min

Figure: Link MASSter -2 Forensic



LinkMASSter-2 Forensic (cont’d)

Features:

• FireWire 1394B and USB 2.0 Interface• MD5 and CRC32 and SHA1 Hashing• Forensic Toolkit Graphical User

Interface• High Speed Operation• Multiple Capture Methods• Write Protection• Multiple Media Support• WipeOut• Audit Trail and Logs

Software Features:

• LinkMASSter Application• Hashing• Single Capture Option• Linux-DD Capture Option• Intelligent Capture Option• WipeOut DoD Option• WipeOut Fast Option

Figure: Link MASSter-2 Forensic



Hardware Tool: RoadMASSter-2

The RoadMASSter -2 Forensics data acquisition and analysis tool is designed to perform both as a fast and reliable hard drive imaging and data analysis

This computer forensic system is built for the road with all the tools necessary to acquire or analyze data from today’s common interface technologies including FireWire, USB, Flash, ATA, S-ATA, and SCSI

This computer forensic portable lab is used by law enforcement agencies as well as corporate security to acquire data and analyze data in the field




RoadMASSter-2 (cont’d)

• MD5 and CRC32 and SHA1 Hashing

• Forensic Toolkit Graphical User Interface

• High Speed Operation• Multiple Capture Methods• Built in Write Protection• Built in LinkMASSter FireWire

1394B and USB 2.0 Interface• Multiple Media Support• Preview and Analyze• WipeOut• Audit Trail and Logs

Features:

• WipeOut DoD Option• WipeOut Fast Option• LinkMASSter Application• Linux-DD Capture Mode• Single Capture Mode• Intelligent Capture Mode

Software Features:




Logicube: Echo PLUS & Sonix

• It is the portable hard drive cloning solution• Data Transfer Rate: Speeds up to 1.8 GB/min (UDMA 2 Mode)• Hard drive duplication: Single-target, drive-to-drive duplicator

for IDE, UDMA, and SATA drives

Echo PLUS

• Sonix transfers data to and from a hard drive at 3.3GB/min• It allows the user to configure up to 24 partitions for various

loads and applications

Sonix



Logicube : OmniClone Xi Series

• The OmniClone Xi supports UDMA-5 transfer speeds for cloning IDE, EIDE, UDMA, & SATA drives at up to 3.5 GB/min10 Xi

• All information with current system software release is stored on the Omniclone's 64 MB compact flash card2 Xi

Figure: OmniClone 2XiFigure: OmniClone 10Xi



Logicube : OmniClone Xi Series (cont’d)

• It offers an optional Database software program that enables the user to scan and log hard drive cloning sessions which include hard drive make, model, serial number, and firmware revision

5 Xi

Figure: OmniClone 5Xi



Logicube: OmniPORT

Forensic OmniPort device allows immediate access to the majority of the current USB Flash devices

It captures and deploys data to or from most USB Flash drives

It is compatible with Thumb Drives, Pen Drive type devices, Flash Memory Cards using USB Card readers, and 2.5” and 3.5” external USB drives

It can be connected directly to a PC’s motherboard and booted as an IDE device

It allows data cloning to or from the attached USB drive by the Logicube Echo Plus, Sonix, OmniClone 10Xi/5Xi/2Xi, Forensic Talon

Figure: OmniPORT



Logicube: OmniWipe & Clone Card Pro

• OmniWipe sanitizes multiple IDE, EIDE, UDMA, and SATA drives simultaneously at up to 2.3GB/min

• It performs quick one-pass wipe and high-speed Security Erase

OmniWipe

• It is a PCMCIA adapter that allows hard drive data recovery transfer rates up to 175 MB/Min

• It clones the data to and from a laptop computer

Clone Card ProFigure: OmniWipe



Logicube: Forensic MD5

Forensic MD5 is a forensic hard disk data recovery system for law enforcement, corporate security, and cybercrime investigation

It’s in-built MD-5 engine allows for imaging speed up to 3.3 GB/min

It ensures bit-for-bit accuracy, guaranteeing zero chance of alteration of the suspect and evidence drives

Forensic MD5 Features:

• Number of connectivity options• MD5 verification • Creates DD images• Field-Tested ruggedized case• On-site reporting• It is portable• Unidirectional data transfer

Figure: Forensic MD5



Logicube: Forensic Talon

Forensic Talon Features:

• Advanced keyword search• MD5 or SHA-256 Authentication• Unidirectional data transfer• Creates DD images on-the-fly• HPA and DCO capture• Portable and high-speed data capturing

Forensic Talon is a forensic data capture system specifically designed for the requirements of law enforcement, military, corporate security, and investigators

It simultaneously images and verifies data up to 4 GB/min

It captures IDE/UDMA/SATA drives, and can capture SCSI drives via USB cable

Figure: Forensic Talon



Logicube: RAID I/O Adapter

RAID I/O Adapter enables the Forensic Talon to capture a suspect RAID drive pair directly to 1 destination drive, and 1 suspect drive to 2 destination drives

Features of RAID I/O Adapter:

• Captures RAID-0, RAID-1, and JBOD configurations• Supports MD5/SHA-256 scan and keyword search mode

during any 1-to-2 capture• Supports both native and DD image operation modes during

1-to-2 and 2-to-1 capturing• Supports drive defect scan and WipeClean modes during 1-

to-2

Figure: RAID I/O Adapter



Logicube: GPStamp

• Computes the exact location of capture in 3D space; accurate to within 50 meters

• Adds accurate latitude, longitude, and time to the capture report and log

• It is capable of acquiring satellites and fixes within most buildings

GPStamp Features:

Logicube GPStamp is a device that produces a verified fix on the location, time, and date of the data captured

Investigators can bolster their credibility by specifying when and where data captures are performed

Figure: GPStamp



Logicube: Portable Forensic Lab

The Portable Forensic Lab (PFL) is a portable computer forensic field lab housed in a special ruggedized carrying case

This tool gives the investigator a head start, often cutting the time to acquire critical data

The PFL includes all that a computer forensic examiner needs to such as:

• Data capture evidence at high speed from multiple sources• Browse data from multiple types of digital media• Analyze the data capture material using computer forensic

analysis software such as FTK from AccessData

Figure: Portable Forensic Lab



Logicube: CellDEK

Logicube CellDEK is a cell phone data extraction device which identifies devices by brand, model number, dimensions, and photographs

It is portable and compatible with over 1100 of the most popular cell phones and PDAs

It captures the data within 5 minutes and displays on screen, and prompts for downloading to a portable USB device

Investigators can immediately gain access to vital information, saving days of waiting for a report from a crime lab

Figure: CellDEK



Logicube: Desktop WritePROtects

Logicube Desktop WritePROtects is a data recovery adapter used to protect the hard drives

It has two versions:

• IDE Destop WritePROtect• SATA Destop WritePROtect

It allows only a small subset of the ATA specification commands to flow to the protected drive and blocks all other commands

It connects via IDE or SATA cable to the HDD forensic tools for data capture

It guarantees read-only access when analyzing the captured or cloned drive under Windows

Figure: Desktop WritePROtects



Logicube: USB Adapter

• Store/restore images to a network server• Modify a drive's contents• Defragment the master drive• Reformat the master drive• Manage partitions using third party

software

It allows the investigator to:

USB Adapter allows for cloning and drive management directly through the USB (1.1 or 2.0) port on a PC or laptop

It is capable of cloning at speeds up to 750 MB/min

Figure: USB Adapter



Logicube: Adapters

• F-ADP-1.8• F-ADP-COMP-FL• F-ADP-DOM• F-ADP-HITACHI-DS• F-ADP-STND• F-ADP-STND-3A• F-ADP-STND-6A• F-ADP-ZIF• F-ADP-IDE

OmniClone IDE laptop Adapters

• F-ADP-SCSI-50• F-ADP-SCSI-80

OmniClone SCSI Adapters



Logicube: Cables

• F-CABLE-30A• F-CABLE-5• F-CABLE-9• F-CABLE-RP10• F-CABLE-RP15• F-CABLE-RP2• F-CABLE-RP5• F-CABLE-SOL

OmniClone IDE Cables

• F-CABLE-SAS5• F-CABLE-SATA• F-CABLE-SATA18• F-CABLE-SATAEP• F-CABLE-SATAXI

OmniClone SATA Cables



Logicube: Cables (Cont’d)

• F-CABLE-RP2U• F-CABLE-RP5U• F-CABLE-RP10U• F-CABLE-RP15U• F-CABLE-SOLU• F-CABLE-5U• F-CABLE-9U• F-CABLE-30U• F-CABLE-XI, F-CABLE-2XI• F-CABLE-5XI, F-CABLE-10XI

OmniClone UDMA IDE Cables

• F-CABLE-SCSI• F-CABLE-SCSI2• F-CABLE-SCSI4

OmniClone SCSI Cables



Data Duplication Tools



Data Duplication Tool: R-drive Image

R-Drive Image is an important tool that provides disk image files creation for backup or duplication purposes

Disk image file contains exact, byte-by-byte copy of a hard drive, partition or logical disk

R-Drive can create partitions with various compression levels freely without stopping Windows OS

These drive image files can then be stored in a variety of places, including various removable media such as CD-R(W) or DVD-R(W) , Iomega Zip or Jazz disks



R-drive Image: Screenshot



Data Duplication Tool: DriveLook

• Indexes the hard drive for the text that was written to it• Searches through a list of all words stored on the drive• View the location of words in the disk editor• Switches between different views • Uses image file as input • Access remote drives through serial cable or TCP/IP

The DriveLook Tool has the following features:



Drivelook: Screenshot



Data Duplication Tool: DiskExplorer

DiskExplorer aides examiners to investigate any drive and recover data

Two versions of DiskExplorer exist:

• DiskExplorer for FAT• DiskExplorer for NTFS

The tool also has provisions to navigate through the drive by jumping to:

• Partition table• Boot record• Master file table• Root directory



DiskExplorer: Screenshot



Save-N-Sync

The quickest, easiest, and economical way to synchronize small number of folders

It allows you to synchronize and backup files from a source folder on one computer to a target folder on a second networked computer or storage device



Save-N-Sync



Hardware Tool: ImageMASSter 6007SAS

The ImageMASSter 6007SAS is the only hard drive duplication unit in the market that supports SAS (Serial Attach SCSI) hard drives

It copies simultaneously at high speed from SATA/SAS/SCSI/IDE hard drives to any 7 SAS/SATA/IDE target hard drives

It is a Windows based machine with one Giga-Bit Network connection, which allows downloading or uploading files to or from drives using network drive

Figure: Image MASSter 6007SAS



ImageMASSter 6007SAS (cont’d)

• High Speed Copy Operation• SAS and SATA duplicator• SCSI Duplicator• Server Migration• All Operating Systems can be copied• Multiple Copy Modes• Supports Any File System• Network Connectivity• WipeOut• Mount and Modify Drives• Hot Swap Drives• Scale Partitions• Windows based

Features:

• MultiMASSter• IQCOPY• Auto Scale and Format Partitions• Image Copy• WipeOut DoD• WipeOut Fast Option• Store Log Information• Error Detection and Verification• Manage User Defined Settings

Software Features:

Figure: Image MASSter 6007SAS



Hardware Tool: Disk Jockey IT

Designed exclusively for IT data duplication

The Disk Jockey IT data imaging tool is a light weight, portable hand-held device that can copy data to one or two target drives at speeds exceeding 2GB/Min

Mirror two hard disk drives for real-time backup (RAID level 1) and data is stored simultaneously on both drives

Data can be copied from one disk to another without using a computer at speeds of up to 2 GB/min

Figure: Disk Jockey IT



Disk Jockey IT (cont’d)

• Standalone HD Mode• Mirroring • Spanning• Fast Disk to Disk Copies• Disk Copy Compare / Verification• Hard Disk Read Test• Two levels of erase

Features:

Figure: Disk Jockey IT



SCSIPAK

SCSIPAK is a set of system tools which extend the support of tape drives under Microsoft Windows NT and Windows 2000 operating systems

It is a software and tape based data conversion-duplication system

Data can be downloaded from a tape or optical disk and then written simultaneously upto seven drives at once

The image file from the tape or optical medium is stored under NT along with an index file which contains details of tape file and set marks, directory partitions, or unused optical sectors

This allows for the duplication of even complex format tapes and optical disks



IBM DFSMSdss

A reliable utility to quickly move, copy, and backup data

Functions:

• Moves and replicates data• Manages storage space efficiently• Backups and recovers data• Converts data sets and volumes

FlashCopy in DFSMSdss:

• FlashCopy provides a fast data duplication capability • This option helps to eliminate the need to stop applications for extended

periods of time in order to perform backups and restores



Tape Duplication System: QuickCopy

QuickCopy is the premier tape duplication system for data/software distribution applications

It is a complete production system for software and data distribution

• Duplicate Master tape to one or more Target tapes • Duplicate from Master Images stored on hard drives • Multi-tasking for mixed jobs • 100% Verification of all copies made at user option • Microsoft NT Operating System and User Interface

(GUI) • Available CD-R copying with QuickCopy-CD option

Features:

Figure: QuickCopy



DeepSpar: Disk Imager Forensic Edition

• Reading the status of each retrieved sector

• Data being imaged• Types of imaging files

Visualize the imaging process by:

DeepSpar Disk Imager Forensic Edition is a portable version of DeepSpar Disk Imager Data Recovery Edition with addition of forensic-specific functionality and used to handle disk-level problems

Figure: Disk Imager Forensic Edition



DeepSpar: 3D Data Recovery

• This phase deals with drives that are not responding, and drives that appear functional and can be imaged, but produces useless data

• Recommended tool: PC-3000 Drive Restoration System

Phase 1:

Drive Restoration

• This phase deals with creating a clean duplicate of the disk contents on a new disk that can be used as a stable platform for phase 3

• Recommended tool: DeepSpar Disk Imager

Phase 2:

Disk Imaging

• This phase involves rebuilding the file system, extracting user’s data, and verifying the integrity of files

• Recommended tool: PC-3000 Data Extractor

Phase 3:

Data Retrieval

DeepSpar data recovery systems pioneered the 3D Data Recovery process - a professional approach to data recovery centered on the following three phases:



Phase 1 Tool: PC-3000 Drive Restoration System

• Designed for the data recovery of businesses• Universal utilities give faster drive diagnostics• Repairs the drive and secures every data of the user• Software included with PC-3000 features a user-friendly

Microsoft Windows XP/2000 interface• PC-3000 has built-in features to treat particular drives

for their most common failures

Features of PC-3000 Drive Restoration System:

PC-3000 Drive Restoration System tool is used for drive restoration

It fixes firmware issues for all hard disk drive manufacturers and virtually all drive families

Figure:PC-3000 Drive Restoration System



Phase 2 Tool: DeepSpar Disk Imager

The disk imaging device built to recover bad sectors on a hard drive

DeepSpar Disk Imager Features:

• Retrieves up to 90 percent of bad sectors• Special vendor-specific ATA commands are used that

pre-configure the hard drive for imaging• Reduces the time it takes to image a disk with bad sectors• Failing hard drives are imaged with care and intelligence• Real-time reporting gives a window on the type and

quality of data imaging

Figure: Disk Imager



Phase 3 Tool: PC-3000 Data Extractor

• Retrieves the user’s data from drives with damaged logical structures

• Allows to analyze the logical structure of a damaged drive and depending on the severity of damage, selects specific files that the user wants to recover

• If the drive's translator module is damaged, it creates a virtual translator to create a map of offsets and copies the necessary data

PC-3000 Data Extractor Features:

PC-3000 Data Extractor is a software add-on to PC-3000 that diagnoses and fixes file system issues

It works in tandem with PC-3000 hardware to recover data from any media (IDE HDD, SCSI HDD, and flash memory readers)



MacQuisition

MacQuisition is a forensic acquisition tool used to safely image Mac source drives using the source system

• Identifies the source device• Configures the destination’s location• Images directly over the network• Uses the command line• Log case, exhibit, and evidence tracking numbers and notes• Automatically generates MD5, SHA1, and SHA 256 hashes

Features:



MacQuisition: Screenshot

Step1: Source Identification

Step3: Case Information



MacQuisition: Screenshot (cont’d)

Step5: Imaging/ Status Information



Athena Archiver

Athena Archiever is an email archiving and storage management system

Features:

• Tag and organize millions of emails instantly

Email review and classification

• Ensure email compliance with regulations and acceptable use policies

Enforceable email policy management

• It moves the bulk of email information stored to cheaper near line drives, which can be replicated offsite to ensure high level of reliability

Flexible storage management



Summary

Investigators can acquire data in three ways: creating a bit-stream, disk-to-image file, making a bit-stream disk-to-disk copy, or creating a sparse data copy of a specific folder path or file

Data duplication is essential for the proper preservation of the digital evidence

Windows data acquisition tools allow the investigator to acquire evidence from a disk with the help of removable media such as USB storage devices

Forensic investigators use the built- in Linux command “dd” to copy data from a disk drive

The SavePart command retrieves information about the partition space in the hard disk

file000129

Business

data acquisition devices

data acquisition mistakes

original data

eccouncil copyright

best data acquisition

data acquisition device

sparse data copy

best acquisition methods