Practical Forensic Imaging

Practical Forensic Imaging

by Bruce Nikkel
Released September 2016
Publisher(s): No Starch Press
ISBN: 9781593277932

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Buy on ebooks.com
Start your free trial

Book description

Forensic image acquisition is an important part of postmortem incident response and evidence collection. Digital forensic investigators acquire, preserve, and manage digital evidence to support civil and criminal cases; examine organizational policy violations; resolve disputes; and analyze cyber attacks.

Practical Forensic Imaging takes a detailed look at how to secure and manage digital evidence using Linux-based command line tools. This essential guide walks you through the entire forensic acquisition process and covers a wide range of practical scenarios and situations related to the imaging of storage media.

You'll learn how to:

  • Perform forensic imaging of magnetic hard disks, SSDs and flash drives, optical discs, magnetic tapes, and legacy technologies
  • Protect attached evidence media from accidental modification
  • Manage large forensic image files, storage capacity, image format conversion, compression, splitting, duplication, secure transfer and storage, and secure disposal
  • Preserve and verify evidence integrity with cryptographic and piecewise hashing, public key signatures, and RFC-3161 timestamping
  • Work with newer drive and interface technologies like NVME, SATA Express, 4K-native sector drives, SSHDs, SAS, UASP/USB3x, and Thunderbolt
  • Manage drive security such as ATA passwords; encrypted thumb drives; Opal self-encrypting drives; OS-encrypted drives using BitLocker, FileVault, and TrueCrypt; and others
  • Acquire usable images from more complex or challenging situations such as RAID systems, virtual machine images, and damaged media
With its unique focus on digital forensic acquisition and evidence preservation, Practical Forensic Imaging is a valuable resource for experienced digital forensic investigators wanting to advance their Linux skills and experienced Linux administrators wanting to learn digital forensics. This is a must-have reference for every digital forensics lab.

Publisher resources

View/Submit Errata

Table of contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. About the Author
  6. Brief Contents
  7. Contents in Detail
  8. Foreword by Eoghan Casey
  9. Introduction
    1. Why I Wrote This Book
    2. How This Book Is Different
    3. Why Use the Command Line?
    4. Target Audience and Prerequisites
      1. Who Should Read This Book?
      2. Prerequisite Knowledge
      3. Preinstalled Platform and Software
    5. How the Book Is Organized
    6. The Scope of This Book
    7. Conventions and Format
  10. Chapter 0: Digital Forensics Overview
    1. Digital Forensics History
      1. Pre-Y2K
      2. 2000–2010
      3. 2010–Present
    2. Forensic Acquisition Trends and Challenges
      1. Shift in Size, Location, and Complexity of Evidence
      2. Multijurisdictional Aspects
      3. Industry, Academia, and Law Enforcement Collaboration
    3. Principles of Postmortem Computer Forensics
      1. Digital Forensic Standards
      2. Peer-Reviewed Research
      3. Industry Regulations and Best Practice
      4. Principles Used in This Book
  11. Chapter 1: Storage Media Overview
    1. Magnetic Storage Media
      1. Hard Disks
      2. Magnetic Tapes
      3. Legacy Magnetic Storage
    2. Non-Volatile Memory
      1. Solid State Drives
      2. USB Flash Drives
      3. Removable Memory Cards
      4. Legacy Non-Volatile Memory
    3. Optical Storage Media
      1. Compact Discs
      2. Digital Versatile Discs
      3. Blu-ray Discs
      4. Legacy Optical Storage
    4. Interfaces and Physical Connectors
      1. Serial ATA
      2. Serial Attached SCSI and Fibre Channel
      3. Non-Volatile Memory Express
      4. Universal Serial Bus
      5. Thunderbolt
      6. Legacy Interfaces
    5. Commands, Protocols, and Bridges
      1. ATA Commands
      2. SCSI Commands
      3. NVME Commands
      4. Bridging, Tunneling, and Pass-Through
    6. Special Topics
      1. DCO and HPA Drive Areas
      2. Drive Service and Maintenance Areas
      3. USB Attached SCSI Protocol
      4. Advanced Format 4Kn
      5. NVME Namespaces
      6. Solid State Hybrid Disks
    7. Closing Thoughts
  12. Chapter 2: Linux as a Forensic Acquisition Platform
    1. Linux and OSS in a Forensic Context
      1. Advantages of Linux and OSS in Forensics Labs
      2. Disadvantages of Linux and OSS in Forensics Labs
    2. Linux Kernel and Storage Devices
      1. Kernel Device Detection
      2. Storage Devices in /dev
      3. Other Special Devices
    3. Linux Kernel and Filesystems
      1. Kernel Filesystem Support
      2. Mounting Filesystems in Linux
      3. Accessing Filesystems with Forensic Tools
    4. Linux Distributions and Shells
      1. Linux Distributions
      2. The Shell
      3. Command Execution
      4. Piping and Redirection
    5. Closing Thoughts
  13. Chapter 3: Forensic Image Formats
    1. Raw Images
      1. Traditional dd
      2. Forensic dd Variants
      3. Data Recovery Tools
    2. Forensic Formats
      1. EnCase EWF
      2. FTK SMART
      3. AFF
    3. SquashFS as a Forensic Evidence Container
      1. SquashFS Background
      2. SquashFS Forensic Evidence Containers
    4. Closing Thoughts
  14. Chapter 4: Planning and Preparation
    1. Maintain an Audit Trail
      1. Task Management
      2. Shell History
      3. Terminal Recorders
      4. Linux Auditing
    2. Organize Collected Evidence and Command Output
      1. Naming Conventions for Files and Directories
      2. Scalable Examination Directory Structure
      3. Save Command Output with Redirection
    3. Assess Acquisition Infrastructure Logistics
      1. Image Sizes and Disk Space Requirements
      2. File Compression
      3. Sparse Files
      4. Reported File and Image Sizes
      5. Moving and Copying Forensic Images
      6. Estimate Task Completion Times
      7. Performance and Bottlenecks
      8. Heat and Environmental Factors
    4. Establish Forensic Write-Blocking Protection
      1. Hardware Write Blockers
      2. Software Write Blockers
      3. Linux Forensic Boot CDs
      4. Media with Physical Read-Only Modes
    5. Closing Thoughts
  15. Chapter 5: Attaching Subject Media to an Acquisition Host
    1. Examine Subject PC Hardware
      1. Physical PC Examination and Disk Removal
      2. Subject PC Hardware Review
    2. Attach Subject Disk to an Acquisition Host
      1. View Acquisition Host Hardware
      2. Identify the Subject Drive
    3. Query the Subject Disk for Information
      1. Document Device Identification Details
      2. Query Disk Capabilities and Features with hdparm
      3. Extract SMART Data with smartctl
    4. Enable Access to Hidden Sectors
      1. Remove a DCO
      2. Remove an HPA
      3. Drive Service Area Access
    5. ATA Password Security and Self-Encrypting Drives
      1. Identify and Unlock ATA Password-Protected Disks
      2. Identify and Unlock Opal Self-Encrypting Drives
      3. Encrypted Flash Thumb Drives
    6. Attach Removable Media
      1. Optical Media Drives
      2. Magnetic Tape Drives
      3. Memory Cards
    7. Attach Other Storage
      1. Apple Target Disk Mode
      2. NVME SSDs
      3. Other Devices with Block or Character Access
    8. Closing Thoughts
  16. Chapter 6: Forensic Image Acquisition
    1. Acquire an Image with dd Tools
      1. Standard Unix dd and GNU dd
      2. The dcfldd and dc3dd Tools
    2. Acquire an Image with Forensic Formats
      1. The ewfacquire Tool
      2. AccessData ftkimager
      3. SquashFS Forensic Evidence Container
      4. Acquire an Image to Multiple Destinations
    3. Preserve Digital Evidence with Cryptography
      1. Basic Cryptographic Hashing
      2. Hash Windows
      3. Sign an Image with PGP or S/MIME
      4. RFC-3161 Timestamping
    4. Manage Drive Failure and Errors
      1. Forensic Tool Error Handling
      2. Data Recovery Tools
      3. SMART and Kernel Errors
      4. Other Options for Failed Drives
      5. Damaged Optical Discs
    5. Image Acquisition over a Network
      1. Remote Forensic Imaging with rdd
      2. Secure Remote Imaging with ssh
      3. Remote Acquisition to a SquashFS Evidence Container
      4. Acquire a Remote Disk to EnCase or FTK Format
      5. Live Imaging with Copy-On-Write Snapshots
    6. Acquire Removable Media
      1. Memory Cards
      2. Optical Discs
      3. Magnetic Tapes
    7. RAID and Multidisk Systems
      1. Proprietary RAID Acquisition
      2. JBOD and RAID-0 Striped Disks
      3. Microsoft Dynamic Disks
      4. RAID-1 Mirrored Disks
      5. Linux RAID-5
    8. Closing Thoughts
  17. Chapter 7: Forensic Image Management
    1. Manage Image Compression
      1. Standard Linux Compression Tools
      2. EnCase EWF Compressed Format
      3. FTK SMART Compressed Format
      4. AFFlib Built-In Compression
      5. SquashFS Compressed Evidence Containers
    2. Manage Split Images
      1. The GNU split Command
      2. Split Images During Acquisition
      3. Access a Set of Split Image Files
      4. Reassemble a Split Image
    3. Verify the Integrity of a Forensic Image
      1. Verify the Hash Taken During Acquisition
      2. Recalculate the Hash of a Forensic Image
      3. Cryptographic Hashes of Split Raw Images
      4. Identify Mismatched Hash Windows
      5. Verify Signature and Timestamp
    4. Convert Between Image Formats
      1. Convert from Raw Images
      2. Convert from EnCase/E01 Format
      3. Convert from FTK Format
      4. Convert from AFF Format
    5. Secure an Image with Encryption
      1. GPG Encryption
      2. OpenSSL Encryption
      3. Forensic Format Built-In Encryption
      4. General Purpose Disk Encryption
    6. Disk Cloning and Duplication
      1. Prepare a Clone Disk
      2. Use HPA to Replicate Sector Size
      3. Write an Image File to a Clone Disk
    7. Image Transfer and Storage
      1. Write to Removable Media
      2. Inexpensive Disks for Storage and Transfer
      3. Perform Large Network Transfers
    8. Secure Wiping and Data Disposal
      1. Dispose of Individual Files
      2. Secure Wipe a Storage Device
      3. Issue ATA Security Erase Unit Commands
      4. Destroy Encrypted Disk Keys
    9. Closing Thoughts
  18. Chapter 8: Special Image Access Topics
    1. Forensically Acquired Image Files
      1. Raw Image Files with Loop Devices
      2. Forensic Format Image Files
      3. Prepare Boot Images with xmount
    2. VM Images
      1. QEMU QCOW2
      2. VirtualBox VDI
      3. VMWare VMDK
      4. Microsoft VHD
    3. OS-Encrypted Filesystems
      1. Microsoft BitLocker
      2. Apple FileVault
      3. Linux LUKS
      4. TrueCrypt and VeraCrypt
    4. Closing Thoughts
  19. Chapter 9: Extracting Subsets of Forensic Images
    1. Assess Partition Layout and Filesystems
      1. Partition Scheme
      2. Partition Tables
      3. Filesystem Identification
    2. Partition Extraction
      1. Extract Individual Partitions
      2. Find and Extract Deleted Partitions
      3. Identify and Extract Inter-Partition Gaps
      4. Extract HPA and DCO Sector Ranges
    3. Other Piecewise Data Extraction
      1. Extract Filesystem Slack Space
      2. Extract Filesystem Unallocated Blocks
      3. Manual Extraction Using Offsets
    4. Closing Thoughts
  20. Closing Remarks
  21. Index
  22. Updates
  23. “An indispensible reference for anyone responsible for preserving digital evidence.” —Professor Eoghan Casey, University of Lausanne
  24. Footnotes
    1. Chapter 0: Digital Forensics Overview
    2. Chapter 1: Storage Media Overview
    3. Chapter 2: Linux as a Forensic Acquisition Platform
    4. Chapter 3: Forensic Image Formats
    5. Chapter 4: Planning and Preparation
    6. Chapter 5: Attaching Subject Media to an Acquisition Host
    7. Chapter 6: Forensic Image Acquisition
    8. Chapter 7: Forensic Image Management
    9. Chapter 8: Special Image Access Topics

Product information

  • Title: Practical Forensic Imaging
  • Author(s): Bruce Nikkel
  • Release date: September 2016
  • Publisher(s): No Starch Press
  • ISBN: 9781593277932