An Overview of knowledge Acquisition is that the initial pro-active step within the forensic investigation method. The aim of forensic information acquisition is to extract as of knowledge gift on the victim’s fixed disk and build a forensic copy to use it as proof within the court.
In some cases, information duplication is preferred rather than information acquisition to gather the information. 1st investigators can even gift the duplicated data in court.This section discusses regarding information acquisition, a way to duplicate the info (imaging) and verify image integrity.
Data acquisition is that the use of established strategies to extract the electronically keep data (ESI) from suspect PC or storage media to realize insight into against the law or an occurrence. Forensic Knowledge acquisition may be a method of imaging or assembling data from numerous media in accordance with sure standards for analyzing its rhetorical price. it’s one in every of the foremost important steps of digital forensics as improper acquisition might alter knowledge obvious media, and render it impermissible within the court of law.
Incident res-ponders ought to be able to verify the accuracy of non-inheritable information, and also the complete method ought to be audit-able and acceptable to the court. With the progress of technology, the method of information acquisition has become a lot of correct, simple, and versatile. It uses many sorts of equipment, starting from tiny sensors to classy computers.
Following are the 2 classes of information acquisition:
• Live/Volatile information Acquisition: It’s the method of exploit volatile information from a operating PC (either secured or in sleep condition) that’s already high-powered on. Volatile information is fragile and lost once the system loses power or the user switches it off. Such information reside in registries, cache, and RAM. Since RAM and different volatile information are dynamic, a group of this info ought to occur in real time.
• Static information Acquisition: It’s the method of exploit the nonvolatile or dateless information remains within the system even when closing. Incident res-ponders will recover such information from laborious drives further as from slack area, swap files, and unallocated drive area. Different sources of nonvolatile information embody DVD-RDMs, USB thumb drives, smartphones, and PDAs. The static acquisition is sometimes applicable for the computers the police had confiscate throughout the raid and embrace an encrypted drive.
Related Product :- Certified Threat Intelligence Analyst | CTIA
Duplicate the data (Imaging)
Performing the investigation on the first proof will misdirect the investigation to totally different results and will create the original proof vulnerable. Information duplication is a very important step in securing the first proof. Investigation the first proof will cause injury to the identity of the proof that may build it now not helpful to the case.
Data duplication includes piecemeal repetition of the first knowledge employing a software system or hardware tool. The duplicated information ought to be a certain blueprint of the initial proof and create 2 or a lot of copies to perform completely different investigations. The copies may also facilitate if one copy is broken. Send the duplicated data to the forensics work for investigation and additional analysis.
The points to recollect whereas duplicating the data:
• Make a reproduction of the collected information therefore .as to preserve the initial
• The data ought to be duplicated bit by bit to represent constant original information
• Use trade customary or commissioned hardware or software system tools to duplicate the information
• Once a replica of the initial knowledge is formed and verified, you’ll use the copy for additional process
Data Imaging Tools
Discussed below are a number of the necessary tools used for making a duplicated bit by bit image:
FTK imager:- FTK imager could be a information preview and imaging tool that enables analysis of files and folders on native arduous drives, MS/DVDs, network drives, and examination of the content of forensic pictures or memory dumps. FTK imager may also produce MOS or SHAl hashes of
files, review and recover files deleted from the Recycle Bin, export files and folders from rhetorical pictures to disk and mount a rhetorical image to look at its contents in Windows someone.
R-Drive Image:- R-Drive Image could be a potent utility that gives creation of disk image files for backup or duplication purposes’-Drive Image rest ores the pictures on the initial disks, on the other partitions, or maybe on a tough drive’s free area. Using R-Drive Image, one will restore the system once significant data loss caused by an OS crash, virus attack, or hardware failure.
• A easy wizard interface
• Image file compression
• Removable media support
• Image files rending
• Image Protection
Also Read:-Distribute Threat Intelligence Overview
Verify Image Integrity
Hash values are similar to information fingerprints. No 2 files contain a similar hash values. The hash algorithms utilized in forensics are MOS and SHA. Calculate and match the MOS hash for the first proof and also the forensic image. a similar hash values show that the image is that the same because the proof.
Perform the subsequent steps to verify image integrity:
• Calculate the hash price of the first information and also the forensic image generated
• If there’s a match it means the forensic image is an explicit reproduction of the first information
Listed below are some of the tools wont to calculate the hash value:
HashCalc:- Free calculator is employed to figure multiple hashes, check sums, and HMACs for files, text, and hex strings.
MOS Calculator:- MOS Calculator helps in hard the MOS hash price of the chosen file. Right click the file and select “MOS Calculator,” the program can calculate the MOS hash.
HashMyfiles:-HashMy Files may be a little utility that permits to calculate the MOS and SHA-1 hashes of 1 or additional files within the system.
Questions related to this topic
- How do I find the hash value of a file?
- How are hash values used in cyber investigations?
- Where does Accessdata FTK Imager find the original hash of the drive image file for hash comparison?
- How does FTK Imager verify the integrity of the evidence file?
Cyber Security Related Things
- Top Cyber security Certifications of 2020 India
- Concept of Security, Cyber Space & Cyber Crime
- 10 Steps to Cyber Security
- Climbing the Cyber Security Certification Ladder
- Top 5 Key Elements of an Information Security
- Essential Terminology in Cyber security
- Top categories which includes in Information Warfare
- What is Defense in Depth? & How Defense in depth Works
- Information Security Incidents
- What is Information Security & types of Security policies
- Overview of Cyber security Frameworks
- 9 Tips for Top Data Backup Strategy
- What is Cyber Kill Chain? and it’s 7 Phases
- A Need for Tactics, Techniques & Procedures
- An Overview of knowledge Acquisition
- Business Needs and Requirements
- What is Pyramid of Pain ? & It’s types
- Top IT Management Certifications of 2020 to Impress Recruiters
- Best Cyber security career 2020 road map for IT Professionals
- 15 Benefits Of Security Certifications to Upgrade Career Path 2020
- 6 Things You Should know About Social Engineering
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com