Chapter 4 Data Acquisition - PowerPoint PPT Presentation

Source: Nelson, Phillips, Enfinger, & Steuart - Guide to Computer Forensics and Investigations
Provided by: profdavis

Transcript and Presenter's Notes

1
Chapter 4: Data Acquisition
2
  • Data Acquisition Methods
    • Bit-Stream Disk-to-Image File
      • Most common and most flexible method
      • Creates a compressed image file of the suspect's hard drive
    • Bit-Stream Disk-to-Disk Copy
      • Use when there are hardware/software errors or incompatibilities
      • Copies data exactly from one disk to another
    • Sparse Data Copy
      • Use when time is limited or when the source disk is too large to copy (e.g., RAID)
      • Copies only the files and directories associated with the incident or crime

3
  • Bit-Stream Disk-to-Image Copy
    • Data from the suspect's drive are compressed when the image file is created
    • Compression is lossless (i.e., no data are discarded during compression)
    • The space needed for the image file can be as low as 50% of the size of the suspect's drive

4
  • Hash Algorithms and Image Copies
    • Allow a comparison to be made between the image file and the suspect's drive
    • Matching hash values verify that the data haven't changed during the compression process
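
The verification described on slides 3 and 4, as an added example that is not part of the textbook or the slide deck: a bit-stream copy is written into a lossless (gzip) image while the source stream is hashed, and the image is later decompressed and re-hashed to confirm the recorded value. The sample "drive" bytes are constructed for the demonstration.

```python
import gzip
import hashlib
import io

CHUNK = 1 << 20  # read in 1 MiB pieces so a large drive never sits in memory


def stream_hash(fobj, algo="sha256"):
    """Hash a readable binary stream chunk by chunk and return its hex digest."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: fobj.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image):
    """Bit-stream copy of `source` into a gzip (lossless) image written to `image`.

    Returns the SHA-256 of the source stream exactly as it was read, i.e. the
    value an examiner records at acquisition time for later verification.
    """
    h = hashlib.sha256()
    with gzip.GzipFile(fileobj=image, mode="wb") as gz:
        for chunk in iter(lambda: source.read(CHUNK), b""):
            h.update(chunk)
            gz.write(chunk)
    return h.hexdigest()


def verify_image(image, expected):
    """Decompress the image and compare its hash with the recorded source hash."""
    with gzip.GzipFile(fileobj=image, mode="rb") as gz:
        return stream_hash(gz) == expected


def demo():
    # Constructed sample "drive": repetitive data compresses well, like a mostly empty disk.
    drive = b"\x00" * 4096 + b"evidence file contents\n" * 64 + b"\xff" * 4096
    image = io.BytesIO()
    src_hash = acquire_image(io.BytesIO(drive), image)
    ratio = image.tell() / len(drive)  # compressed size relative to the drive
    image.seek(0)
    ok = verify_image(image, src_hash)
    # A second image made from data with a single changed byte must fail verification.
    tampered = io.BytesIO()
    acquire_image(io.BytesIO(drive[:10] + b"X" + drive[11:]), tampered)
    tampered.seek(0)
    bad = verify_image(tampered, src_hash)
    return ok, bad, ratio
```

On a real acquisition the source stream would be the write-blocked device and the image a file on examiner media; the hash recorded by `acquire_image` is what later examiners compare against.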

5
  • Absolute vs. Relative Sectors
    • An absolute sector starts at the beginning of the disk
    • A relative sector starts at the beginning of the current partition

6
  • Drawbacks to Windows Acquisition Tools
    • Large size (can't be copied onto a boot disk)
    • Require high levels of system resources
    • Can contaminate the suspect's drive (i.e., must use a hardware write-blocker)
    • Cannot acquire the host protected area

7
  • RAID
    • Redundant Array of Independent Disks
    • Involves two or more disks
    • Typically used for very large storage needs
  • Challenges
    • Involves very large storage volumes (which may require sparse data acquisition methods)
    • Files may be spread across multiple disks
    • Image acquisition requires specialized software tools

8
  • Static vs. Live Acquisitions
    • Static
      • Preferred method
      • Image is acquired locally
      • Write-protection can be used (so the suspect drive is not altered)
      • Can be repeated with the same results
    • Live
      • Used when the suspect's PC cannot be shut down
      • Image is acquired locally or over the network
      • Captured data may be altered during acquisition (because no write-protection is used)
      • Not repeatable (because the suspect's data is continually altered by the OS)

9
  • Remote Acquisitions
    • Acquisition made across a network
    • Can be done without alerting the suspect
    • Not necessary to travel to the suspect's computer
  • Drawbacks
    • Must be done as a live acquisition
    • Transfer speeds may impede acquisition
    • Network traffic may slow down acquisition or cause errors
    • Remote access software may be blocked by antivirus, antispyware, and/or firewall tools