Back to Subject
Practice MCQ

Unit 3 - Notes

INT250

Unit 3: Data Acquisition, Duplication and Windows Forensics

1. Data Acquisition Fundamentals

Data acquisition is the critical first step in digital forensics, involving the precise process of gathering and imaging digital information from media formats (hard drives, USBs, mobile devices, RAM) to create a forensic copy for analysis.

1.1 Types of Acquisition

  1. Static Acquisition (Post-Mortem): Performed on a system that is powered off. It is the preferred method as it preserves the most data without altering the source evidence.
  2. Live Acquisition: Performed while the system is powered on and running. This is necessary when:
    • Full disk encryption (BitLocker, FileVault) is active.
    • The system is a critical server that cannot be shut down.
    • Volatile data (RAM) needs to be captured.

1.2 Acquisition Levels

  • Physical Acquisition (Bit-stream Copy): Captures every bit of data on the drive, including the file system, allocated space, unallocated space (deleted files), and slack space.
  • Logical Acquisition: Captures only the files and directories visible to the operating system. It ignores unallocated space and deleted data.
  • Sparse Acquisition: Captures specific files or data structures based on select criteria (e.g., only .docx files or only the Windows Registry).

1.3 Forensic Image Formats

  • Raw Format (.dd, .img): A bit-by-bit copy with no compression or metadata wrapped around it. High compatibility but large file size.
  • Proprietary Formats (e.g., .e01 EnCase): Can compress data, split images into segments, and store metadata (case number, investigator name, hashes) within the file header.
  • Advanced Forensic Format (AFF): An open-source format (.aff) designed to store data and metadata with compression, unrestricted by proprietary software limitations.

2. Data Acquisition Methodology

A standardized methodology ensures the evidence is admissible in court. The methodology generally follows the RFC 3227 guidelines.

2.1 The Order of Volatility (OOV)

When collecting evidence, forensic analysts must collect the most volatile data (data likely to disappear first) before less volatile data.

  1. Registers and Cache: (Most Volatile)
  2. Routing Tables, ARP Cache, Process Table, Kernel Statistics, Memory (RAM):
  3. Temporary File Systems:
  4. Disk (Hard Drive):
  5. Remote Logging and Monitoring Data: (Least Volatile)

2.2 Acquisition Process Lifecycle

  1. Identification: Determine the scope of the incident and location of data.
  2. Preparation: sanitize target media (wipe drives) and prepare tools.
  3. Isolation: Disconnect the system from the network (pull the plug or disable Wi-Fi) to prevent remote wiping or tampering.
  4. Acquisition: Perform the imaging (Live or Static).
  5. Verification: Hash the original drive and the new image to ensure they match.

3. Prepare an Image for Examination

Before analysis begins, the investigator must ensure the evidence is handled correctly to maintain the Chain of Custody.

3.1 Write Blocking

Crucial Step: You must never alter the original evidence.

  • Hardware Write Blocker: A physical device bridging the suspect drive and the forensic workstation. It allows read commands but physically blocks write commands.
  • Software Write Blocker: Utility within an OS (e.g., Windows Registry write protect) that prevents mounting a drive as writable. Hardware blockers are statistically more reliable and preferred in court.

3.2 Sterilizing Target Media

The destination drive (where the image will be stored) must be forensically wiped to ensure no residual data from previous cases corrupts the new evidence.

  • Zero-fill: Overwriting every sector of the target drive with zeros.

3.3 Hashing and Integrity

Cryptographic hashes act as digital fingerprints.

  • Common Algorithms: MD5, SHA-1, SHA-256.
  • Procedure: Calculate the hash of the source drive before acquisition. Calculate the hash of the image file after acquisition. If the hashes match, the copy is an exact duplicate.

4. Collect Volatile and Non-volatile Information

4.1 Collecting Volatile Data (Live Response)

This must be done before shutting down the machine.

  • System Time/Date: Document difference between system time and actual time.
  • RAM Capture: Use tools like FTK Imager (Lite), DumpIt, or Belkasoft RAM Capturer.
  • Network State:
    • netstat -anob: Shows active connections, listening ports, and associated executables.
    • arp -a: Shows the ARP cache (IP to MAC address mappings).
  • Running Processes:
    • tasklist: Displays currently running processes.

4.2 Collecting Non-volatile Data

Once volatile data is secured, or if the machine was found off:

  1. Shutdown: If the machine is on, perform a "hard" shutdown (pull the power plug) to prevent OS shutdown scripts from clearing temporary files or timestamps. Note: If encryption is detected, this step is skipped.
  2. Disk Removal: Remove the HDD/SSD.
  3. Imaging: Connect to a write blocker and create a physical bit-stream image.

5. Perform Windows Memory and Registry Analysis

5.1 Windows Memory (RAM) Analysis

RAM contains data that exists nowhere else: unencrypted passwords, encryption keys, decrypted documents, and malware running in memory but not on disk.

  • Tools: Volatility Framework, Rekall.
  • Artifacts to Look For:
    • Process List (pslist): Identify hidden processes (rootkits).
    • Network Connections (connscan): View past connections that are now closed.
    • Cmd History: Commands typed into the command prompt.

5.2 Windows Registry Analysis

The Registry is a hierarchical database storing configuration settings for the OS and applications.

  • Structure: Hives (Files) Keys Subkeys Values.

  • Key Hives and File Locations:

    • SAM (Security Accounts Manager): C:\Windows\System32\config\SAM (User accounts, groups).
    • SYSTEM: C:\Windows\System32\config\SYSTEM (TimeZone, USB history, Computer Name).
    • SOFTWARE: C:\Windows\System32\config\SOFTWARE (Installed programs, OS version).
    • SECURITY: C:\Windows\System32\config\SECURITY (Security policies).
    • NTUSER.DAT: C:\Users\[Username]\NTUSER.DAT (User-specific settings, search history, recent docs).

  • Critical Registry Keys for Forensics:

    • USB History: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (Lists all USB devices ever connected).
    • UserAssist: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist (ROT13 encoded list of executed programs and run count).
    • Run/RunOnce: HKLM\...\Windows\CurrentVersion\Run (Malware persistence mechanisms).
    • Shellbags: Tracks folder access and window positions, proving a user viewed a specific directory.
    • MRU (Most Recently Used): Lists recent files, run commands, and search terms.

6. Examine the Cache, Cookie and History Recorded in Web Browsers

Web browser analysis reconstructs a user's internet activity.

6.1 Core Artifacts

  • History: A database of visited URLs and timestamps. Can establish intent.
  • Cache: Copies of images, scripts, and HTML files downloaded to speed up browsing. Forensic analysts can reconstruct viewed web pages from the cache even if the site is offline.
  • Cookies: Small text files used for session tracking. Can prove a user was logged into a specific account (email, social media).
  • Form Data/Autofill: Saved usernames, addresses, and search terms.

6.2 Browser Specifics

  • Google Chrome / MS Edge (Chromium):
    • Stores data in SQLite databases located in AppData\Local\Google\Chrome\User Data\Default.
    • Files: History, Cookies, Web Data.
    • SNSS files: Current session tabs.
  • Mozilla Firefox:
    • Uses .sqlite databases (places.sqlite for history).
  • Incognito/Private Mode: Does not save History or Cookies to the HDD, but artifacts may remain in RAM or the Pagefile (pagefile.sys).

7. Examine Windows Files and Metadata

7.1 File Systems (NTFS)

  • MFT (Master File Table): The heart of NTFS. Every file has an entry in the MFT.
  • Resident vs. Non-Resident:
    • Resident: Small files (< ~700 bytes) stored directly inside the MFT record.
    • Non-Resident: Larger files stored in data clusters; the MFT points to their location.
  • ADS (Alternate Data Streams): Allows data to be hidden behind a file. (e.g., file.txt:hidden.exe). Malware often uses this.

7.2 Metadata (Data about Data)

  • MAC Times:
    • Modified: Content changed.
    • Accessed: File read/opened.
    • Created: File created on the volume.
    • Entry Modified (MFT Change): Metadata changed (permissions, rename).
  • EXIF Data: Metadata in images (Camera model, GPS coordinates, Date taken).

7.3 Windows Artifacts

  • LNK Files (Shortcuts): Created automatically when a file is opened. Contains the path to the original file, volume serial number, and timestamps. Proves a file existed even if deleted.
  • Prefetch Files (.pf): Located in C:\Windows\Prefetch. Created to speed up boot. Contains the name of the executable run, the last time it ran, and how many times it ran.
  • Jump Lists: AutomaticDestinations and CustomDestinations. Shows recent files accessed by specific applications (pinned on taskbar).
  • Recycle Bin:
    • Located at $Recycle.Bin.
    • When a file is deleted, it is renamed (e.g., I...) is created with the original name and deletion time.

8. Understand Text-based Logs and Windows Event Logs

Logs are the "black box" of the operating system, recording system, security, and application events.

8.1 Windows Event Logs (.evtx)

Located in C:\Windows\System32\winevt\Logs.

  • Security Log: Audits success/failure of logons, privilege use, file access.
  • System Log: Driver failures, system startup/shutdown, hardware changes.
  • Application Log: Errors and events logged by software (e.g., SQL Server, Antivirus).

8.2 Critical Event IDs (Security Log)

  • 4624: Successful Logon (Check Logon Type: Type 2 = Interactive/Keyboard, Type 10 = RDP/Remote).
  • 4625: Failed Logon (Indicates brute force attempts).
  • 4672: Special Privileges Assigned (Administrator logon).
  • 4688: New Process Created (Tracks execution of programs/malware).
  • 1102: Audit Log Cleared (Indicates anti-forensics/cover-up).

8.3 Text-based Logs

  • IIS Logs: Web server logs (W3C format). Tracks IP addresses requesting web pages, user agents, and status codes (e.g., SQL injection attempts via URL).
  • Firewall Logs: Tracks dropped and allowed packets, source/destination IPs, and ports.
  • SetupAPI.dev.log: Text log tracking USB device insertion events (connection times and device IDs).