Taha İslam YILMAZ
Computer Engineering
TOBB ETU
ADEO IWS - Digital Forensics
HARD DISK DATA ACQUISITION
Hard Disk Data Acquisition
• System Preservation Phase ✔
• Evidence Searching Phase
• Event Reconstruction Phase
General Acquisition Procedure
• Copy one byte and repeat the process
• Like copying a letter by hand
• Sector by sector
Data Acquisition Layers
• Disk
• Volume
• File
• Application
Acquisition Tool Testing
• National Institute of Standards and Technology (NIST)
• The Computer Forensic Tool Testing (CFTT) program
• Results and specifications can be found on their website
https://www.cftt.nist.gov/disk_imaging.htm
Requirements For Mandatory Features-1
• The tool shall be able to acquire a digital source using each access interface visible to
the tool.
• The tool shall be able to create either a clone of a digital source, or an image of a digital
source, or provide the capability for the user to select and then create either a clone or
an image of a digital source.
• The tool shall operate in at least one execution environment and shall be able to
acquire digital sources in each execution environment.
• The tool shall completely acquire all visible data sectors from the digital source.
• The tool shall completely acquire all hidden data sectors from the digital source.
Requirements For Mandatory Features-2
• All data sectors acquired by the tool from the digital source shall be
accurately acquired.
• If there are unresolved errors reading from a digital source then the tool
shall notify the user of the error type and the error location.
• If there are unresolved errors reading from a digital source then the tool
shall use a benign fill in the destination object in place of the inaccessible
data.
Accessing the Hard Disk – Direct vs BIOS
• Accessing the hard disk directly is the fastest way to get data to and
from the disk, but it requires the software to know quite a bit about the
hardware.
• The BIOS knows about the hardware, and it provides services to the
software so that it can communicate with the hardware more easily.
Accessing the Hard Disk – Direct vs BIOS
• When the BIOS is used, there is a risk that it may return incorrect
information about the disk.
• If the BIOS thinks that a disk is 8GB, but the disk is really 12GB, the
INT13h functions will give you access to only the first 8GB.
Dead vs Live Acquisition
• A dead acquisition occurs when the data from a suspect system is being
copied without the assistance of the suspect operating system.
• A live acquisition is one where the suspect operating system is still
running and being used to copy data.
• The risk of conducting a live acquisition is that the attacker has modified
the operating system or other software to provide false data during the
acquisition.
• Attackers may install tools called rootkits into systems that they
compromise; a rootkit returns false information to the user.
Host Protected Area (HPA)
• A special area of the disk that can be used to store data; a casual
observer might not see it.
• The HPA is at the end of the disk and, when used, can only be accessed
by reconfiguring the hard disk.
• It could contain hidden data.
Host Protected Area (HPA)
• The READ_NATIVE_MAX_ADDRESS command gives the total number of
sectors on the disk.
• The IDENTIFY_DEVICE command returns the total number of sectors that a user
can access.
• These two values will be different if an HPA exists.
Device Configuration Overlay (DCO)
• Similar to an HPA, a DCO may contain hidden data. Both can exist at
the same time.
• A DCO could show a smaller disk size and show that supported features
are not supported.
• The DCO allows system vendors to configure all HDDs to have the same
number of sectors.
Device Configuration Overlay (DCO)
• The DEVICE_CONFIGURATION_IDENTIFY command returns the actual
features and size of a disk.
• To remove a DCO, the DEVICE_CONFIGURATION_RESET command is
used.
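The HPA and DCO slides above describe three sector counts the drive reports; which of them differ tells you what is hidden. The following is an added example, not part of the original deck: it takes the three counts (assumed to already have been read from the drive with IDENTIFY_DEVICE, READ_NATIVE_MAX_ADDRESS and DEVICE_CONFIGURATION_IDENTIFY) and derives the user-accessible, HPA and DCO regions, then checks whether an acquisition covered every sector as the CFTT requirements demand. The function names and the 512-byte sector size are assumptions.

```python
SECTOR_SIZE = 512  # assumed sector size; a real tool reads it from IDENTIFY_DEVICE


def hidden_regions(identify_device_max, native_max, dco_identify_max):
    """Derive the hidden areas of a disk from the three ATA-reported sector counts.

    identify_device_max: sectors the OS may address (IDENTIFY_DEVICE)
    native_max:          sectors reported by READ_NATIVE_MAX_ADDRESS (above this: DCO)
    dco_identify_max:    real capacity from DEVICE_CONFIGURATION_IDENTIFY
    Returns (name, first_lba, end_lba) triples with the end exclusive.
    """
    # The three values can only shrink in this order; anything else means a
    # bad query result, and a tool must not silently trust it.
    if not (0 < identify_device_max <= native_max <= dco_identify_max):
        raise ValueError("sector counts are inconsistent; re-query the drive")
    regions = [("user-accessible", 0, identify_device_max)]
    if native_max > identify_device_max:   # HPA sits directly above the user area
        regions.append(("HPA", identify_device_max, native_max))
    if dco_identify_max > native_max:      # DCO sits at the very end of the disk
        regions.append(("DCO", native_max, dco_identify_max))
    return regions


def hidden_bytes(regions):
    """Total size in bytes of every sector a normal OS-level read would never reach."""
    return sum((end - start) * SECTOR_SIZE
               for name, start, end in regions if name != "user-accessible")


def acquisition_complete(sectors_acquired, dco_identify_max):
    """CFTT mandatory feature: all visible and all hidden sectors must be acquired."""
    return sectors_acquired >= dco_identify_max
```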
Hardware Write Blockers
• A hardware write blocker sits between a computer and a storage device
and monitors the issued commands.
• It prevents the computer from writing data to the storage device.
• It blocks the write commands and allows the read commands to pass.
Requirements For Hardware Write Blockers
• A hardware write block (HWB) device shall not transmit a command to a
protected storage device that modifies the data on the storage device.
• An HWB device shall return the data requested by a read operation.
• An HWB device shall return without modification any access-significant
information requested from the drive.
• Any error condition reported by the storage device to the HWB device
shall be reported to the host.
• Source: http://www.cftt.nist.gov/hardware_write_block.htm
Software Write Blockers
• The software write blockers work by modifying the interrupt table,
which is used to locate the code for a given BIOS service.
• INT13h points to the code that will write or read data to or from the disk.
• When the operating system calls INT13h, the write blocker code is
executed and examines which function is being requested.
• If the requested function is a write, the software write blocker blocks the
command. If it is a non-write command, the blocker passes it on to the BIOS.
Requirements For Software Write Blockers
• The tool shall not allow a protected drive to be changed.
• The tool shall not prevent obtaining any information from or
about any drive.
• The tool shall not prevent any operations to a drive that is not
protected.
• Source: http://www.cftt.nist.gov/software_write_block.htm
Writing The Output Data
• We can write the output data either directly to a disk or to a file.
• The destination disk should be wiped with zeros before the acquisition.
• The source and destination disks should have the same geometries.
Image File Format
• A raw image contains only the data from the source device, and it
is easy to compare the image with the source data.
• An embedded image contains data from the source device and
additional descriptive data about the acquisition, such as hash
values, dates, and times.
• Some tools will create a raw image and save the additional
descriptive data to a separate file.
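The General Acquisition Procedure, the Mandatory Features-2 requirements and the Image File Format slides together describe one loop: copy sector by sector, put a benign fill where a sector cannot be read, tell the user the error type and location, and keep the descriptive data (hashes, error list) separate from the raw image. The following is an added example, not code from the original deck or from any tool it mentions: it runs that loop against a constructed in-memory "disk" whose LBAs 3 and 6 fail with an I/O error. The class and function names and the 512-byte sector size are assumptions.

```python
import hashlib

SECTOR_SIZE = 512  # assumed sector size of the constructed source device


class SimulatedSource:
    """Constructed stand-in for a raw block device; some sectors fail to read."""

    def __init__(self, sectors, bad_sectors):
        self.sectors = sectors
        self.bad = set(bad_sectors)

    def read_sector(self, lba):
        if lba in self.bad:
            raise OSError(5, "Input/output error")  # errno 5 (EIO), as a failing disk reports
        return self.sectors[lba]


def acquire(source, total_sectors):
    """Copy the source sector by sector into a raw image.

    An unreadable sector is not skipped: a zero fill of the same size goes
    into the image so that every later offset stays correct, and the error
    type and LBA are recorded so the user can be told where the image is
    incomplete.
    """
    image = bytearray()
    errors = []
    for lba in range(total_sectors):
        try:
            data = source.read_sector(lba)
        except OSError as exc:
            errors.append({"lba": lba, "error": exc.strerror})
            data = b"\x00" * SECTOR_SIZE  # benign fill in place of inaccessible data
        image += data
    # Descriptive data lives beside the image, so the image itself stays raw.
    meta = {
        "sectors": total_sectors,
        "sector_size": SECTOR_SIZE,
        "sha256": hashlib.sha256(image).hexdigest(),
        "read_errors": errors,
    }
    return bytes(image), meta


def verify(image, meta):
    """Re-hash the raw image and compare it with the digest stored beside it."""
    return hashlib.sha256(image).hexdigest() == meta["sha256"]


def demo():
    # Constructed 8-sector disk: sector i is filled with byte value i; LBAs 3 and 6 are unreadable.
    sectors = [bytes([i]) * SECTOR_SIZE for i in range(8)]
    return acquire(SimulatedSource(sectors, bad_sectors={3, 6}), len(sectors))
```

Comparing the image with the source afterwards is simple precisely because the image is raw: the sidecar holds the hash and the error list, so a mismatch can be traced to the recorded LBAs.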
Thank you for listening!