Preserving Evidence

● Number one priority● Must also find incriminating evidence● Must search the contents of the hard drive● Can not change the hard drive

Procedure

● Retrieve the hard drive from the evidence locker and update the chain of custody record.

● Calculate the MD5 Hash of the drive.

● “Image the hard drive.”

● Validate the M5D hash of the drive is the same as the MD5 hash of the image.

● Make a copy of the “Image”

● Store the actual hard drive together with the original “image” in the evidence locker.

● Remember to update the chain of custody record.

Procedure (cont’d)

● Use the copy of the hard drive image to perform your forensic analysis.

● You can always go back to the original image.● Or if necessary you can go back to the hard drive

and validate the MD5 hash.

Disk Image

● A disk image is an exact copy of everything on the disk.

● Not merely a copy of all the files.● It is an exact copy – all mistakes, errors, erasures,

dates, times, ● etc.● You can prove that it is an exact copy.

Disk Image

● Forensic Software does it.● HW can assist.● Software can do it.

Technique must be Validated

● NIST - ww.ncjrs.org● Unix command dd● EnCase● SafeBack● etc.

Cautions

● The hard drive cannot be accessed.● The hard drive cannot be altered.● The hard drive is sacred.● If you mess with it you are gone!!!● Blame always falls somewhere.

● What to do?

Technology to the Rescue

● HW – Write blockers

● SW – Write blockers

Write Blocker

● Write blockers prevent writing to the medium.● The medium can be read but not written to.● The modify, access, create dates cannot not be

changed.● The contents cannot be modified.

Example

● Floppies – write protect thingee.

HW Write Blocker

● Paraben● Accommodates a number of hard drives● Comes with cables● Forensically certified● Standard with Law Enforcement● Necessary for on site image acquisition

SW Imaging

● Unix – dd if=??? of=???● NIST certifies that it does not corrupt the original.● The original and the image are identical.

● EnCase● Has an imaging function.

● WinHex ● Create Disk Image ...● Verifiable exact copy.

Week 4 Lab

1. Using WinHex image your floppy. Describe procedure in your lab report.

2. Validate that the copy is exact using MD5 hash signatures. Show in your lab report.

3. Using the image you made describe some of the contents of the floppy – floppy image.

4. E-mail the floppy image to yourself so you can use it at home.

Select Start Center

Click open disk

Click OK

CalculateMD5 Hash

Select Raw image

Select a Filename and pathRemember where you put the image.

Calculate the MD5 Hash

Click OK

Hash of the Image

Is it the same as the floppy disk?

Open raw image file

Find the image file

Open the image file

Claculate the MD5 hash ofthe file.

Is it the same?

MD5 Hash of image file

Explorer the floppy image.What files are there?

Week 5 Lab

1. Create a case folder on your F_Drive.

2. Using WinHex image your floppy. Save the image in your case folder. Describe procedure in your lab report.

3. Validate that the copy is exact using MD5 hash signatures. Show in your lab report.

4. Using the image you made describe some of the contents of the floppy – floppy image.

5. Recover an image and save it your case folder.

6. Keep all of your homework in your case folder.