F8a-Hard disk data acquisition Dr. John P. Abraham Professor UTPA
Direct vs. BIOS access • The operating system or the acquisition software accesses the hard disk directly and copies it. • Or the disk is accessed through the BIOS, which takes care of the hardware details. When the BIOS is used there is a risk that it returns incorrect information about the disk. If the BIOS thinks the disk is 8 GB but it is actually 12 GB, INT 13h will only give access to the first 8 GB, and the copy silently misses the rest. Compare the size the BIOS reports with the size the drive itself reports (the ATA IDENTIFY DEVICE data) before acquiring.
Dead vs. Live acquisition • Dead: we boot from a different, trusted drive and never run the suspect system's own operating system. • Live: the suspect system is still running and we copy it without shutting it down. The attacker may have altered the system so that you do not get a good copy: attackers frequently install rootkits that give users false information by hiding files or processes.
Error handling • A copying tool should be able to handle errors caused by physical problems. If only a limited number of sectors are damaged, the tool may place 0s in the copy for those sectors (so every other sector keeps its original offset) and must record which sectors were skipped. • An ATA disk may have a host protected area (HPA) that a normal copy will not include. A tool should be able to handle it. If an HPA is present, the ATA READ NATIVE MAX ADDRESS command returns a larger maximum address than the one in the IDENTIFY DEVICE data (these are ATA commands that the tool can issue). A similar situation exists with a device configuration overlay (DCO), which can hide sectors even from READ NATIVE MAX ADDRESS; the DEVICE CONFIGURATION IDENTIFY command reports the true size.
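The sector-zeroing behaviour described above, as an added example that is not part of the slides: the copier reads the source in multi-sector blocks, and when a block read fails it retries sector by sector so that only the truly unreadable sectors are replaced with zeros. The bad sectors are returned for the acquisition notes and the hash of the image actually produced is computed as it is written. The `FaultyDevice` class is a constructed stand-in for a raw disk that fails on chosen sector numbers; a real tool would read from the block device instead.

```python
"""Sector-by-sector acquisition with read-error handling (added example)."""
import hashlib

SECTOR = 512


class FaultyDevice:
    """Constructed stand-in for a raw disk: a byte buffer plus a set of
    sector numbers that fail on every read attempt (hypothetical device)."""

    def __init__(self, data, bad_sectors):
        assert len(data) % SECTOR == 0
        self.data = data
        self.bad = set(bad_sectors)

    @property
    def sectors(self):
        return len(self.data) // SECTOR

    def read(self, lba, count):
        """Read `count` sectors starting at `lba`; the whole request fails if
        any sector in it is bad, as a block read from a real drive does."""
        if any(s in self.bad for s in range(lba, lba + count)):
            raise OSError(f"I/O error reading sectors {lba}-{lba + count - 1}")
        return self.data[lba * SECTOR:(lba + count) * SECTOR]


def acquire(dev, block_sectors=8):
    """Copy every sector of `dev`.

    Returns (image_bytes, bad_sectors, sha256_of_image). Unreadable sectors
    are written as zeros of the same size so the image keeps the source's
    offsets; their LBAs are returned so they can be documented. The hash is
    over the image as written (zeros included), which is the only thing that
    can be verified later.
    """
    out = bytearray()
    bad = []
    digest = hashlib.sha256()
    lba = 0
    while lba < dev.sectors:
        count = min(block_sectors, dev.sectors - lba)
        try:
            chunk = dev.read(lba, count)
        except OSError:
            # Block-level read failed: retry one sector at a time so that
            # only the damaged sectors are zero-filled, not the whole block.
            chunk = bytearray()
            for s in range(lba, lba + count):
                try:
                    chunk += dev.read(s, 1)
                except OSError:
                    chunk += bytes(SECTOR)
                    bad.append(s)
        out += chunk
        digest.update(chunk)
        lba += count
    return bytes(out), bad, digest.hexdigest()


def demo():
    # Constructed sample: 32 sectors, each filled with its own sector number,
    # with sectors 5 and 20 unreadable.
    data = b"".join(bytes([i]) * SECTOR for i in range(32))
    dev = FaultyDevice(data, bad_sectors=[5, 20])
    image, bad, digest = acquire(dev)
    print(f"copied {len(image)} bytes, unreadable sectors: {bad}, sha256: {digest}")
    return image, bad, digest


if __name__ == "__main__":
    demo()
```

With an 8-sector block size, only the two blocks containing sectors 5 and 20 fall back to single-sector reads; everything else is copied at full speed, and the two zeroed sectors are the only difference between the image and the source.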
Hardware write blockers • Devices that sit in the connection between the computer and the storage device and prevent you from mistakenly writing to the source disk. • http://www.mykeytech.com/nowrite.html: the NoWrite device costs $500.00. • There are also software solutions that modify the interrupt table so that write requests through the BIOS are intercepted. • http://www.cftt.nist.gov/software_write_block.htm (NIST CFTT testing of software write blockers).
Destination location • Copy the entire disk to a new disk (a cloned copy). Best to have a disk of identical size that has been wiped by writing all zeros first, so that no data from a previous use remains in the clone. • Or make a file on a disk, called an image. The OS will not try to mount it automatically. Tools can split it into smaller pieces that fit on CDs. A raw image contains only the data from the source. An embedded image contains the data plus additional descriptive data about the acquisition, such as hash values, date and time, etc. Alternatively, keep a raw image and a separate file for the descriptive data. The image file can also be compressed.
Network-based acquisition • Good for live acquisition. • Particularly useful when you do not have the correct adapters or interface for the source drive. Use encryption when the network is used (for example, tunnel the transfer over SSH) so that the image cannot be read or altered in transit.
Hash values • Hash values should be recorded with the image and also printed and kept separately, with the time and signatures. After all, someone else may modify the data and simply recalculate the hash; a hash stored only next to the data it protects proves nothing on its own.
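The "raw image plus a separate descriptive file" layout from the Destination location slide and the hash record from this slide, as one added example that is not part of the slides: the image is split into fixed-size pieces (the demo uses a tiny `segment_size`; CD-sized pieces would be a few hundred megabytes), a sidecar records a SHA-256 for each piece and for the whole image together with the acquisition time, and a verify step recomputes everything against that sidecar. The sidecar text is what would be printed and signed. Everything is in-memory bytes so it runs offline; the `case_id` and `examiner` fields are hypothetical.

```python
"""Segmented raw image with a separate hash/metadata sidecar (added example)."""
import hashlib
import json
from datetime import datetime, timezone


def split_image(image, segment_size):
    """Return the raw image as a list of pieces of at most segment_size bytes."""
    return [image[i:i + segment_size] for i in range(0, len(image), segment_size)]


def make_sidecar(image, segments, case_id, examiner):
    """Descriptive data kept apart from the raw data: per-piece hashes,
    whole-image hash, size and acquisition timestamp (UTC)."""
    return {
        "case_id": case_id,          # hypothetical field
        "examiner": examiner,        # hypothetical field
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "image_bytes": len(image),
        "sha256_image": hashlib.sha256(image).hexdigest(),
        "segments": [
            {"index": i, "bytes": len(seg), "sha256": hashlib.sha256(seg).hexdigest()}
            for i, seg in enumerate(segments)
        ],
    }


def verify(segments, sidecar):
    """Recompute every hash and compare with the sidecar.

    Returns (ok, problems). Hashing each piece separately tells the examiner
    which CD/file was altered, not merely that something changed.
    """
    problems = []
    if len(segments) != len(sidecar["segments"]):
        problems.append(f"segment count {len(segments)} != {len(sidecar['segments'])}")
    for seg, meta in zip(segments, sidecar["segments"]):
        if hashlib.sha256(seg).hexdigest() != meta["sha256"]:
            problems.append(f"segment {meta['index']} hash mismatch")
    whole = hashlib.sha256(b"".join(segments)).hexdigest()
    if whole != sidecar["sha256_image"]:
        problems.append("whole-image hash mismatch")
    return (not problems), problems


def demo():
    image = bytes(range(256)) * 40           # constructed 10,240-byte "disk"
    segments = split_image(image, 4096)      # three pieces: 4096, 4096, 2048
    sidecar = make_sidecar(image, segments, case_id="2024-001", examiner="J. Doe")
    sidecar_text = json.dumps(sidecar, indent=2)   # what gets printed and signed
    ok, _ = verify(segments, sidecar)
    # Flip the first byte of the last piece and verify again.
    tampered = segments[:-1] + [b"\xff" + segments[-1][1:]]
    ok2, problems = verify(tampered, sidecar)
    print(sidecar_text)
    print("original verifies:", ok, "| tampered verifies:", ok2, problems)
    return ok, ok2, problems, sidecar_text


if __name__ == "__main__":
    demo()
```

Keeping the per-piece hashes in the sidecar rather than in the pieces themselves is the point of the slide: whoever can rewrite the image can also rewrite a hash embedded in it, but not the printed and signed copy held elsewhere.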
Recovering deleted partitions • It is possible the attacker has deleted a partition so it will not be visible to operating systems; deleting the partition table entry does not erase the data it pointed to. • Partition recovery tools work by assuming that a file system was located in each partition and that each file system has a signature value. For example, a FAT boot sector has the signature 0x55 and 0xAA in bytes 510 and 511 of the first sector. The tools search the disk for these signatures (and check other boot-sector fields, because 0x55AA alone also appears in the MBR and by chance in ordinary data). • http://www.brzitwa.de/mb/gpart/index.html gpart.
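The signature search described above, as an added example that is not part of the slides and goes a little beyond them: the scanner walks an image sector by sector, keeps every sector that ends in 0x55 0xAA, and then classifies each hit using other fields of a FAT or NTFS boot sector (the jump instruction and bytes-per-sector field for FAT, the "NTFS    " OEM name for NTFS) so that the MBR and random data are not reported. The total-sectors field of the BIOS Parameter Block gives an estimate of where the lost partition ended. The sample image is constructed: an MBR whose partition table has been zeroed, a decoy sector, a FAT-style boot sector at sector 2048 and an NTFS-style one at sector 2600.

```python
"""Find deleted partitions by searching for boot-sector signatures (added example)."""
import struct

SECTOR = 512


def classify_boot_sector(sec):
    """Return (fs_type, total_sectors) for a sector that carries 0x55AA and
    otherwise looks like a FAT or NTFS boot sector, else (None, 0)."""
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa":
        return None, 0
    bytes_per_sector = struct.unpack_from("<H", sec, 11)[0]
    if sec[3:11] == b"NTFS    " and bytes_per_sector == 512:
        # NTFS keeps a 64-bit total sector count at offset 40.
        return "NTFS", struct.unpack_from("<Q", sec, 40)[0]
    if sec[0] in (0xEB, 0xE9) and bytes_per_sector in (512, 1024, 2048, 4096):
        # FAT12/16 use a 16-bit count at offset 19; FAT32 (and large FAT16)
        # leave that zero and use the 32-bit count at offset 32.
        total16 = struct.unpack_from("<H", sec, 19)[0]
        total32 = struct.unpack_from("<I", sec, 32)[0]
        total = total16 or total32
        if total:
            return "FAT", total
    return None, 0


def find_partitions(image):
    """Return [(start_lba, fs_type, total_sectors)] for plausible boot sectors."""
    hits = []
    for lba in range(len(image) // SECTOR):
        fs, total = classify_boot_sector(image[lba * SECTOR:(lba + 1) * SECTOR])
        if fs:
            hits.append((lba, fs, total))
    return hits


def build_fat_boot_sector(total_sectors):
    """Constructed FAT16-style boot sector: jump, OEM name, BPB, signature."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x3c\x90"
    sec[3:11] = b"MSDOS5.0"
    struct.pack_into("<H", sec, 11, 512)     # bytes per sector
    sec[13] = 8                              # sectors per cluster
    struct.pack_into("<H", sec, 14, 1)       # reserved sectors
    sec[16] = 2                              # number of FATs
    struct.pack_into("<H", sec, 17, 512)     # root directory entries
    if total_sectors < 0x10000:
        struct.pack_into("<H", sec, 19, total_sectors)
    else:
        struct.pack_into("<I", sec, 32, total_sectors)
    sec[21] = 0xF8                           # media descriptor
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def build_demo_image():
    """Constructed 3000-sector image with a wiped partition table."""
    img = bytearray(3000 * SECTOR)
    img[510:512] = b"\x55\xaa"                         # MBR signature, table zeroed
    img[100 * SECTOR:101 * SECTOR] = b"A" * 510 + b"\x55\xaa"   # decoy data
    img[2048 * SECTOR:2049 * SECTOR] = build_fat_boot_sector(40960)
    ntfs = bytearray(SECTOR)
    ntfs[0:3] = b"\xeb\x52\x90"
    ntfs[3:11] = b"NTFS    "
    struct.pack_into("<H", ntfs, 11, 512)
    struct.pack_into("<Q", ntfs, 40, 12345)
    ntfs[510:512] = b"\x55\xaa"
    img[2600 * SECTOR:2601 * SECTOR] = ntfs
    return bytes(img)


def demo():
    hits = find_partitions(build_demo_image())
    for lba, fs, total in hits:
        print(f"{fs} boot sector at LBA {lba}, volume spans {total} sectors")
    return hits


if __name__ == "__main__":
    demo()
```

Neither the MBR (no jump instruction, bytes-per-sector field zero) nor the decoy sector survives classification, so only the two lost volumes are reported with their start LBA and length, which is what is needed to rebuild the partition table entries.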
RAID systems • Very difficult. • Easiest is to dd the final, assembled volume that the RAID controller presents. • Otherwise, image each drive individually and then reconstruct the RAID from the images, which requires knowing the RAID level, the stripe size and the order of the disks.
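Reconstructing an array from individually imaged members, as an added example that is not part of the slides: it assumes a plain striped set (RAID-0) with a known stripe size, and treats the disk order as unknown, as it usually is when disks were pulled and imaged one by one. Every order is tried, and an order is accepted only if the reassembled volume has an MBR signature in sector 0 and the first partition entry's start LBA points at a sector that also ends in 0x55 0xAA. That is a heuristic, not proof; the examiner should still mount or parse the result to confirm. The member images are constructed in memory.

```python
"""Reassemble a RAID-0 volume from per-disk images (added example)."""
import itertools
import struct

SECTOR = 512


def split_raid0(volume, n_disks, stripe_bytes):
    """Inverse of reassembly; used only to build the demo members."""
    members = [bytearray() for _ in range(n_disks)]
    for s in range(len(volume) // stripe_bytes):
        members[s % n_disks] += volume[s * stripe_bytes:(s + 1) * stripe_bytes]
    return [bytes(m) for m in members]


def reassemble_raid0(members, stripe_bytes):
    """Interleave stripes from the member images in the given order."""
    if len({len(m) for m in members}) != 1:
        raise ValueError("member images must be the same size")
    out = bytearray()
    for s in range(len(members[0]) // stripe_bytes):
        for m in members:
            out += m[s * stripe_bytes:(s + 1) * stripe_bytes]
    return bytes(out)


def looks_like_volume(vol):
    """Heuristic check: MBR signature present, and the first partition
    entry's start LBA (offset 446 + 8) points at a sector with a boot
    signature. Confirm with a file-system parser before trusting it."""
    if vol[510:512] != b"\x55\xaa":
        return False
    start = struct.unpack_from("<I", vol, 446 + 8)[0]
    off = start * SECTOR
    return off + SECTOR <= len(vol) and vol[off + 510:off + 512] == b"\x55\xaa"


def find_raid0_orders(members, stripe_bytes):
    """Return every disk order whose reassembly passes looks_like_volume."""
    return [
        order for order in itertools.permutations(range(len(members)))
        if looks_like_volume(reassemble_raid0([members[i] for i in order], stripe_bytes))
    ]


def build_demo():
    """Constructed 3 MiB volume: each sector holds its LBA repeated, an MBR
    with one partition starting at LBA 2048, and a boot signature there."""
    stripe = 65536
    total_sectors = 6144                      # 48 stripes, 16 per disk
    vol = bytearray(b"".join(struct.pack("<I", n) * 128 for n in range(total_sectors)))
    vol[446] = 0x80                           # partition 1: bootable flag
    vol[450] = 0x0C                           # type: FAT32 LBA
    struct.pack_into("<I", vol, 454, 2048)    # start LBA
    struct.pack_into("<I", vol, 458, 4096)    # size in sectors
    vol[510:512] = b"\x55\xaa"
    boot = 2048 * SECTOR
    vol[boot + 510:boot + 512] = b"\x55\xaa"
    members = split_raid0(vol, 3, stripe)
    shuffled = [members[2], members[0], members[1]]   # order as "found on the bench"
    return bytes(vol), shuffled, stripe


def demo():
    vol, shuffled, stripe = build_demo()
    orders = find_raid0_orders(shuffled, stripe)
    print("candidate disk orders:", orders)
    return orders


if __name__ == "__main__":
    demo()
```

With three disks the MBR fixes the first member and the boot sector at LBA 2048 (stripe 16, which lands on the second member) fixes the second, so exactly one order survives; with more members or a partition that starts on the first stripe, several orders can pass and the file-system check decides.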
Encrypted files • A real challenge to the investigator. • You need to know the key or password and the encryption method.