Imaging a system can be a very effective way of preserving evidence. In this video, you’ll learn about system imaging and some strategies for obtaining system data without directly imaging a storage drive.
If we’re collecting data from a hard drive or from digital storage media, we may want to grab an image of that drive. We would like an exact representation of that drive that we could copy off somewhere else. And if we ever needed to reference what was on that drive, we would have an exact duplicate frozen in time, so that we could see what was going on.
Now when you start looking at forensics of hard drives, there’s a lot of information on the drive. Some of the information on the drive has been deleted, but as you know, when you delete files from a hard drive, you aren’t actually deleting the file, you’re simply removing a pointer to the file. So the exact duplicate you’d like to create is what we usually refer to as a bit-for-bit copy. Sometimes it’s called a byte-for-byte copy, which means we’re going to every bit on the drive, and we’re copying exactly the contents of that drive from one drive to another.
We aren’t copying the files. We aren’t just saying copy file from point A to point B. We’re saying copy every single bit on that drive and duplicate that bit on an image that we’re creating. We want to get every single bit of data we possibly can get there. And often when you’re going back and trying to understand what happened, if somebody deleted some files but they didn’t actually do a secure delete, the information you need might still be on that drive. So you want to be in a position that you could recover that information if at all possible.
Usually you have some software: a boot DVD, a specific Linux image that you could use to boot up some imaging software that can do this. There are a number of forensic imaging live CDs or live DVDs that you could boot a system from and do some of these forensic system captures.
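As an added example (not from the video), this is the kind of bit-for-bit image you would take from such a live Linux boot, with the integrity check a practitioner records alongside it. It assumes dd, sha256sum and cut are available and that the source is a whole device (or, for a dry run, any file whose size is a multiple of the block size).

```shell
#!/bin/sh
# Bit-for-bit imaging with integrity verification (added example).
# Assumption: SRC is normally a whole block device, ideally attached through a
# hardware write blocker so nothing can modify it while it is read.
image_and_verify() {
  src=$1
  dst=$2
  # noerror: keep going past unreadable sectors instead of stopping.
  # sync: pad those sectors with zeros so every later sector lands at the same
  # offset in the image that it has on the original drive.
  dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null || return 1
  src_hash=$(sha256sum "$src" | cut -d ' ' -f 1)
  dst_hash=$(sha256sum "$dst" | cut -d ' ' -f 1)
  # A mismatch means the image is not an exact duplicate (unreadable sectors,
  # or a source that changed while it was being read); do not rely on it.
  [ "$src_hash" = "$dst_hash" ] || return 2
  # Print the hash so it can be written into the evidence log with the image.
  printf '%s  %s\n' "$dst_hash" "$dst"
}
```

Because the hash is taken over every bit of the source, it also covers deleted but not yet overwritten data that a file-level copy would miss.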
Now sometimes this bootable device isn’t available, or doing it by software perhaps isn’t the best way to go about it. You’d like to remove the disk from the system itself and plug it into a device that will allow you to make a copy of that disk, but ensure that nothing could ever write to the disk. And to do that, you would need one of these hardware-based write blockers. What you do is plug your drive in, and it’s a one-way device. It’s a one-way bridge that will allow you to read anything you would like from that media.
Some of these are pretty complex. It can be a standard hard drive, SATA, IDE, SCSI, USB. You plug some media into that, and you can only read. It is impossible to write to that media. These are specifically built, as the name says, for forensics. This is so you can be assured that you would not be modifying anything on that particular drive.
There are some of these that are built to be internal to a system, and some that are built to be external to a system. This happens to be one for eSATA (external SATA) connections, so that you can then plug in FireWire and SATA connections, and have that data roll off to other disks. It’s very portable in that way.
If there are backup tapes, or backup images, or backup systems from a computer, make sure you get those as well. Don’t forget there might be some really good data from what was on this machine stored somewhere else. And if they’re very good at doing backups, that could actually help you in doing some forensics and understanding what this system had on it yesterday, the day before, last week, or even further back, depending on how many backup tapes or backup images you happen to have.
So all of these sources are going to be very useful to you, especially if you’re gathering information and wanting to recreate what was on that particular hard drive.