Data Acquisition with AccessData FTK Imager
In computer forensics, data acquisition is a crucial step that must be carried out with great care [1]. Data acquisition is the process of obtaining data from computer drives (hard disks, USB drives, floppy disks, and other storage media) in order to collect evidence relating to the case under examination. Acquisition is normally done by creating a forensic image of the disk being investigated [2]. Several tools can be used for this; popular ones include EnCase, ProDiscover Basic, Sleuth Kit, and AccessData FTK Imager [3].
In this investigation, the investigator will use AccessData FTK Imager for data acquisition. AccessData FTK Imager is a data imaging and preview tool that enables a forensic investigator to examine computer evidence [4]. Three files were created on a 4GB USB drive and then deleted. The investigator has been assigned the task of recovering the files without damaging them. The first step in achieving this is to acquire an image of the USB drive. The following steps were followed while acquiring the image:
Select ‘Create Disk Image’ from the File dropdown menu in the FTK Imager window as shown in figure 1, select the ‘Physical Drive’ option and click ‘next’.
On clicking ‘next’, a new window labelled ‘Source Drive Selection’ will pop up as shown in figure 2. Select the USB drive that is to be investigated from the dropdown menu, then click ‘finish’.
On clicking ‘finish’, another window will be displayed asking the investigator to add the image destination, that is, where the image will be saved, as shown in figure 3. Click on ‘add’.
When you click on ‘add’, a window like the one shown in figure 4 will pop up, requiring the investigator to select the type of image to create. In this case the Raw type is selected because it is uncompressed and makes a bit-by-bit copy of the original. Click ‘next’.
After clicking ‘next’, a window prompting the investigator to enter the evidence item information will appear as shown in figure 5. Fill in the information correctly and click ‘next’.
Figure 5: Entering Evidence Item Information
On clicking ‘next’, another window will pop up asking you to choose the destination folder. Select your preferred folder, name the image, then click ‘finish’ as shown in figure 6.
After the destination folder has been chosen and the image named, a pop-up window will ask whether you want to verify the image after it is created, as shown in figure 7. Tick the check-box and click ‘start’.
When you click on start, the image creation process will start as shown in figure 8. Wait for the process to complete.
When the image creation process has completed, a pop-up will automatically show the image verification results as shown in figure 9. Click ‘close’.
To see the image summary, click ‘image summary’ and the details of the image will be displayed as shown in figure 10 below.
After checking the summary, click ‘ok’ to exit the AccessData FTK Imager program, then browse to the folder where you saved the image as shown in figure 11. This is the last step in the data acquisition process.
Data Recovery with ProDiscover Basic
Data recovery is the process of restoring lost data from a damaged disk, or data that has been deleted intentionally or accidentally [5]. This process is crucial and should be carried out carefully. Figure 12 below shows a screenshot of the files before they were deleted.
Now the data recovery process begins. ProDiscover Basic will be used to recover the files deleted from the USB drive. After installing ProDiscover Basic, start it; a window like the one shown in figure 14 will pop up. Create a new project by filling in the project number and project file name, then click ‘open’.
Figure 14: Creating new project using ProDiscover Basic
On clicking ‘open’, the main window of ProDiscover Basic will be displayed as shown in figure 15. Right-click on ‘Image’ just beneath ‘Content View’ in the left-hand menu and click ‘add’.
On clicking ‘add’, a window will pop up prompting the user to select the image file as shown in figure 16. Browse to the folder where the image was saved during acquisition and select the image file.
The image will be loaded into the program. In the left-hand menu again, click ‘Image’ below ‘Content View’ and select the image you just loaded. The contents of the image will be displayed as shown in figure 17.
To recover the files, right click on the files that were deleted and choose ‘copy file’ option as shown in figure 18 below.
Upon selecting the ‘copy file’ option, a window will pop up asking the user to select the location to copy the file to, as shown in figure 19. Browse to the USB drive and save it there.
Repeat the process for the remaining two files. When you are done, open the USB drive and all three files will have been restored as shown in figure 20 below. Open the files to check whether their content matches that of the original files.
The investigator was able to recover all the files. The content of the files had not been corrupted or modified.
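The verification step in figure 9 and the "content not corrupted or modified" finding above both rest on the same check: hashing the data and comparing digests. The following is an added example (not code from the page or from FTK Imager or ProDiscover) that hashes a raw image in chunks, compares the result with the digests the imaging tool reported, and applies the same comparison to a recovered file against its original; all file contents are constructed sample data.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash 1 MiB at a time so a multi-GB raw image never sits fully in RAM


def hash_file(path):
    """Return MD5 and SHA1 hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(image_path, reported):
    """Compare computed digests with the ones the imaging tool reported (keys 'md5'/'sha1')."""
    actual = hash_file(image_path)
    return {name: actual[name] == digest.lower() for name, digest in reported.items()}


def recovered_matches_original(original_path, recovered_path):
    """A recovered file is intact only if every digest equals the original's."""
    return hash_file(original_path) == hash_file(recovered_path)


def demo():
    """Constructed sample: a tiny stand-in for a raw (.001) image and an altered copy of it."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "usb.001")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"MIT162949.docx sample bytes" + b"\xff" * 4096)
        reported = hash_file(image)  # stands in for the digests shown in the verify results
        # Flip a single byte in a copy: any bit change must break verification
        altered = os.path.join(d, "usb_altered.001")
        with open(image, "rb") as f:
            data = bytearray(f.read())
        data[4100] ^= 0x01
        with open(altered, "wb") as f:
            f.write(data)
        return {
            "image_verifies": all(verify_image(image, reported).values()),
            "altered_verifies": all(verify_image(altered, reported).values()),
            "altered_matches_original": recovered_matches_original(image, altered),
        }
```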
Data Analysis with Hex Editor
After recovering the data, it is essential to analyze the files to check for any data corruption or modification [6]. Hex editor software was used to look for any hidden data in the files. Data analysis checks for data integrity and completeness [7]. The hex editor was used to analyze the content of the MIT162949.docx Word document after it was recovered. To check for hidden data, the investigator activated ‘show hidden data’, available at the bottom-right of the program window [8]: click on ‘file attributes’ and select ‘show hidden data’. The results are shown in figure 21. This process was repeated for the portrait image and the Excel file, as shown in figures 22 and 23 respectively. The investigator found that none of the three files contained hidden data.
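One thing a hex editor view of a recovered .docx reveals is whether anything follows the end of its ZIP container, since a .docx is a ZIP archive and should end exactly at its end-of-central-directory (EOCD) record. The following added example (not code from the page) automates that one check; it detects only bytes appended after the EOCD record, not data hidden inside the archive's own entries, and the sample archive is constructed in memory.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record signature
EOCD_MIN = 22             # fixed part of the EOCD record; an optional comment follows it


def find_eocd(data):
    """Locate the EOCD record whose central-directory fields agree with its position.
    Searching forward and checking consistency avoids being fooled by a second
    'PK\\x05\\x06' that merely appears inside appended data (non-ZIP64 archives only)."""
    pos = data.find(EOCD_SIG)
    while pos >= 0:
        if pos + EOCD_MIN <= len(data):
            cd_size, cd_offset = struct.unpack_from("<II", data, pos + 12)
            if cd_offset + cd_size == pos:  # central directory ends exactly here
                return pos
        pos = data.find(EOCD_SIG, pos + 1)
    return -1


def trailing_bytes(data):
    """Return how many bytes follow the ZIP EOCD record (and its comment); 0 for a clean file."""
    pos = find_eocd(data)
    if pos < 0:
        raise ValueError("not a ZIP-based document: no consistent EOCD record found")
    comment_len = struct.unpack_from("<H", data, pos + 20)[0]
    return len(data) - (pos + EOCD_MIN + comment_len)


def make_docx_like(extra=b""):
    """Constructed sample: a minimal OOXML-style ZIP, with optional bytes appended after it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue() + extra
```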
Data validation is the process of ascertaining whether the data entered is valid and meets the rules set for that field [9]. Note that data validation does not check for accuracy; it only checks for validity. The following are some of the data validation methods.
Required field validation - this technique is mostly used when filling in online forms. The user cannot proceed until the required field has been filled.
Range validation - this method checks whether the data entered falls within a specified range. No value is accepted if it falls outside the set range.
Type validation - this method ascertains the data types of the fields. For instance, in the Excel file the subject column was set to the General data type and the marks column to Number. Type validation was carried out to ensure that no other data type is allowed in the field.
Presence validation - this method ensures that data is present where it is required. Presence validation was carried out on all three files.
Copying a drive in a forensic investigation requires expertise; it is not like a normal copy-and-paste operation. In forensic analysis, when copying a drive or an image, all the properties of the original source should be maintained, that is, a bit-by-bit copy [10]. There are three data copying techniques: disk-to-disk, sparse data copy, and logical disk-to-disk copy. The choice of copy method depends on the circumstances of the investigation.
Disk-to-disk is a flexible and common method of copying data and can be used to make several copies of the original source [10]. Tools such as EnCase, ProDiscover, Sleuth Kit, SMART, and FTK Imager can be used.
Logical acquisition is a method of copying data when the time available is limited. This method is used when only specific files are needed for the case. Sleuth Kit can be used for logical acquisition.
Sparse data copying collects fragments of deleted data, especially from OST or PST mail files and RAID servers [5]. EnCase software can be used to carry out sparse data copying.
Conclusion
It is necessary for analysts to adhere to the order of volatility while collecting digital evidence, because it describes the order in which digital evidence should be collected: the most volatile evidence is collected first, and the sequence is maintained until the least volatile data is collected. Furthermore, it is important to choose the acquisition tool most appropriate to the case under investigation. It is essential always to validate acquisitions, using built-in tools such as a hex editor, to ascertain completeness and integrity.
References
[1] S. Moramarco, “Digital Forensics”, InfoSec Resources, 2016. [Online]. Available: https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/digital-forensics/#gref. [Accessed: 26- Aug- 2018].
[2] N. Cahyani, B. Martini, K. Choo and A. Al-Azhar, “Forensic data acquisition from cloud-of-things devices: windows Smartphones as a case study”, Concurrency and Computation: Practice and Experience, vol. 29, no. 14, p. e3855, 2016.
[3] R. Montasari, “A standardised data acquisition process model for digital forensic investigations”, International Journal of Information and Computer Security, vol. 9, no. 3, p. 229, 2017.
[4] C. De Alwis, “Evidence Acquisition Using Accessdata FTK Imager”, Forensic Focus – Articles, 2018. [Online]. Available: https://articles.forensicfocus.com/2018/03/02/evidence-acquisition-using-accessdata-ftk-imager/. [Accessed: 26- Aug- 2018].
[5] T. OTW, Hackers-arise.com, 2016. [Online]. Available: https://www.hackers-arise.com/single-post/2016/10/10/Digital-Forensics-Part-3-Recovering-Deleted-Files. [Accessed: 26- Aug- 2018].
[6] J. Marshall, “Examining the Raw Data on Your Hard Drive with a Hex Editor”, Tierradatarecovery.co.uk, 2014. [Online]. Available: https://tierradatarecovery.co.uk/examining-the-raw-data-on-your-hard-drive-with-a-hex-editor/. [Accessed: 26- Aug- 2018].
[7] M. Hörz, “HxD – Freeware Hex Editor and Disk Editor | mh-nexus”, Mh-nexus.de, 2018. [Online]. Available: https://mh-nexus.de/en/hxd/. [Accessed: 26- Aug- 2018].
[8] D. Hayes, A practical guide to computer forensics investigations. Indianapolis, Indiana: Pearson, 2015.
[9] N. Gilani, “Types of Validation Checks | Techwalla.com”, Techwalla, 2018. [Online]. Available: https://www.techwalla.com/articles/types-of-validation-checks. [Accessed: 26- Aug- 2018].
[10] C. Eoghan, “Focused digital evidence analysis and forensic distinguishers”, Digital Investigation, vol. 18, pp. A1-A3, 2016.