
Index

The letter t following a page number denotes AFF (Advanced Forensic Format) a table; the letter f following a page number aff4imager tool, 190 denotes a figure. affcat tool, 209–210 affconvert tool, 204–205, 209 affcrypto tool, 215 Numbers affinfo tool, 198, 210, 211 4Kn disks, 12, 41–44, 42f AFFlib software package 512e sector emulation, 41, 42, 43 affuse tool, 196–197, 235 built-in compression, 190 A built-in encryption, 215 overview, 62 abstraction layers, disk interfaces, 34, 35f piping, 209 AccessData. See ftkimager tool; FTK signing and validating SMART format signatures, 202 Ace Laboratory PC-3000 tool, 122 built-in compression, 190 ACPO (Association of Chief Police built-in encryption, 215 Officers), UK, 2, 6–7 converting raw images to, 204–205 acquisition host converting to another format, attaching subject disk to 209–211 Apple Target Disk Mode, 137–138 overview, 62–63 devices with block or character piping, 209 access, 140 recalculating hash of forensic image, enabling access to hidden sectors, 198–199 118–125 AHCI (Advanced Host Controller examining subject PC hardware, Interface), mode, SATA, 101–102 23–24 identifying subject drive, 105–107 aimage tool, 190 NVME SSDs, 138–139 Appelbaum, Jacob, 251 querying subject disk, 107–118 Apple removable storage media, 132–136 FileVault, 248–251 viewing examiner workstation Target Disk Mode, 31, 137–138 hardware, 103–104 Thunderbolt interface, 30–32, 31f, 137 performance, optimizing, 88–90 array-info tool, 178 acquisition process. See forensic Association of Chief Police Officers acquisition (ACPO), UK, 2, 6–7 ACS (ATA Command Set). See ATA ATA (Advanced Technology Attachment) commands commands Advanced Forensic Format. 
See AFF common, 35t Advanced Format 4Kn disks, 12, DCO and HPA drive areas, 39–40 41–44, 42f overview, 34–36 Advanced Format 512e disks, 41, 42, 43 password-protected disks, 126–128 Advanced Host Controller Interface and SCSI, 39 (AHCI) mode, SATA, 23–24 security erase command, 226–227 Advanced Technology Attachment SSD devices, 16–17 commands. See ATA ATA Command Set (ACS). See ATA commands commands ATAPI (ATA Packet Interface) boot images, preparing with xmount, DCO and HPA drive areas, 39–40 235–237 overview, 35–36 BOT (Beginning of Tape) marker, password-protected disks, 126–128 on tapes, 176 SCSI commands, 39 BOT (Bulk-Only Transport) USB Atola Insight Forensic, 122 interface, 29, 40–41 auditd package, 76 bottlenecks, performance, 88–90, 91t audit trail Bourne Again shell (Bash), 56, 73, 74, 82. overview, 70 See also command line shell history, 73–75 Bulk-Only Transport (BOT) USB task management, 70–73 interface, 29, 40–41 terminal monitors and burning forensic image to , auditing, 76 221–222 terminal recorders, 75–76 bus speeds, 90, 91t. See also interfaces aureport command, 76 bzip tool, 188, 189

B C Bash (Bourne Again shell), 56, 73, 74, 82. CA (certificate authority) certificates, See also command line 156, 157, 201–202 Bash math expansion, 183, 248, 249, 252, C.A.I.N.E. boot CD, 99 265, 274 card readers, 18 bdeinfo command, 248 Carrier, Brian, 48 bdemount command, 248 carving tools, 165 BDs. See Blu-ray discs; optical storage cat command, 196, 199 media cciss-vol-status package, 178 Beginning of Media (BOM) marker, CDB (command descriptor block), 36 on tapes, 176 cd-drive command, 132–133 Beginning of Tape (BOT) marker, cd-info command, 133 on tapes, 176 cdparanoia tool, 175 BitLocker, , 243–248 CDs (compact discs). See also optical blkcat command, 274 storage media blkls command, 271–272 acquiring, 174, 175 blktap-utils tool, 241 Linux forensic boot, 98, 99 blockdev command, 43, 98, 99, 108 as storage media, 19f, 20–21 block devices transferring forensic image to, acquiring, 172–173 221–222 attaching to acquisition host, 140 certificate authority (CA) certificates, creating from raw image, 230 156, 157, 201–202 Linux, 50–55 CF (CompactFlash) card, 18 making QCOW2 image available as, CFTT (Computer Forensic Tool Testing) 237–239 project block-level encryption systems. See dd utility tests, 60 encrypted filesystems, forensic-imaging requirements, 9 accessing HWB Device Specification, 94 Blu-ray discs (BDs), 19f, 21–22. See also overview, 3, 6 optical storage media software write blockers, 99 acquiring, 174, 175 chip-off, 15, 125 transferring forensic image to, Choudary, Omar, 248 222, 223 CipherShed, 217 BOM (Beginning of Media) marker, client mode, rdd tool, 166, 167–168 on tapes, 176 cloned disks, 219–221 bootable Linux CDs, 98, 99 Coltel, Romain, 243 command descriptor block (CDB), 36

command line. See also Linux; specific key-wiping procedures, 227–228 commands/tools RFC-3161 timestamping, 157–159 audit trail, 70–76 signing forensic images, 154–157 command privileges, xxv, 212, 233 verifying forensic image integrity, organizing output, 76–83 197–202 output cryptsetup tool, 251–254, 257 organizing, 76–83 ctrl-Z shortcut, 92–93, 123 redirecting, 81–83 curl command, 158 scalable examination directory structure, 79–81 reasons to use, xx–xxi D saving output with redirection, 81–83 dares carver tool, 165 shell history, 73–75 data CDs, 20. See also CDs; optical storage task management, 70–73 media terminal monitors and Linux data disposal, 224–228 auditing, 76 data extraction terminal recorders, 75–76 manual, using offsets, 272–274 viewing examiner workstation partition extraction, 264–271 hardware, 103–104 partition scheme analysis, 259–264 command sets slack space, 271–272 ATA, 34–36, 35t unallocated blocks, 272 NVME, 37–38, 37t data flow, optimizing, 90 SCSI, 36–37, 37t, 39 data recovery tools, 61–62, 162–163 compact discs. See CDs; optical storage dc3dd tool media acquiring image to multiple CompactFlash (CF) card, 18 destinations, 150 completeness, forensic, 10 cryptographic hashing algorithms, completion times, estimating, 87–88 151–152, 151t compression error handling, 160–161 AFFlib built-in, 190 forensic acquisition with, 142, 144–145 combining with splitting, 192 optical discs, imaging, 174–175 EnCase EWF compressed format, 189 overview, 61 FTK SMART compressed format, 190 piecewise hashing, 153–154 SquashFS, 66–67, 191 splitting functionality, 193 Computer Forensic Tool Testing project. SquashFS forensic evidence See CFTT project containers, 65, 149 computer-related forensics. 
See digital wiping functionality, 225–226 forensics; forensic acquisition writing image file to clone disk, converting between image formats, 220–221 202–211 dcfldd tool conv=noerror parameter, dd utility, 143 acquiring image to multiple copying forensic images, 87 destinations, 150 Copy-on-Write (CoW) snapshots, live compressing images, 189 imaging with, 172 cryptographic hashing algorithms, Coroner’s Toolkit, The, 2 151, 151t Corsair Padlock2 thumb drive, 228 encryption during acquisition, 212 CoW (Copy-on-Write) snapshots, live error handling, 160 imaging with, 172 forensic acquisition with, 142, cpqarrayd tool, 178 144 –145 cryptography. See also encrypted hash windows, 153 filesystems, accessing; overview, 61 encryption partition extraction, 266 basic hashing, 151–152, 151t splitting functionality, 192–193 hash windows, 143, 152–154, 199–200 tapes, extracting data from, 177

DCO (Device Configuration Overlay) digital forensics. See also forensic extracting sector ranges belonging acquisition to, 269–271 defined, 2 overview, 39–40, 118 history of, 1–4 removing, 118–121 Linux and OSS in context of, 48–50 dd_rescue tool, 61, 62, 142, 163, 215–216 peer-reviewed research, 7–8 ddrescue tool, 61, 142, 162–163, 165 principles of, 6–10 dd utility standards for, 6–7 combining compressing and trends and challenges, 4–5 splitting, 192 Digital Investigation: The International cryptographic hashing Journal of Digital Forensics & algorithms, 152 Incident Response, 7 forensic acquisition with, 142–144 digital signatures, 154–157 forensic variants, 61, 144–145 digital versatile discs. See ; optical manual extraction using offsets, storage media 273–274 directories partition extraction, 266 naming conventions for, 76–79 raw images, 60 scalable examination structure, 79–81 secure remote imaging, 168, 169–170 disk block recovery tools, 162–163 sparse files, 85 disk cloning and duplication, 219–221 validating acquisition hash, 197–198 disk coolers, 93 wiping functionality, 226 disk imaging. See forensic acquisition debug ports, accessing storage media disk partition scheme, analyzing, 259–264 using, 122–125 disks. See forensic acquisition; storage decryption. See also cryptography; media; subject disk encrypted filesystems, disktype tool, 260–261, 263 accessing; encryption dislocker package, 243–247 of GPG-encrypted image, 212, 213 dismounting VeraCrypt volume, 218. See of OpenSSL-encrypted file, 213–214 also unmounting DEFT (Digital Evidence & Forensics disposal, data, 224–228 Toolkit), 98 –99 distributions, Linux, 55–56 deleted partitions, extracting, 266–268 dm-crypt encryption, 251, 254 deleting forensic image data, 224–228 dmesg tool, 206 desktop environments, Linux, 56 dmraid tool, 178 –179 /dev directory, Linux, 50, 51–52 dmsetup tool, 159–160, 179–180, 182, 183 Device Configuration Overlay. 
See DCO documenting device identification device mapper, 179–182, 231–232, 253, details, 107–108 255–256 DOS partition scheme, 262 device tree, Linux, 50–51 dpt-i2o-raidutils package, 178 DFRWS (Digital Forensic Research drive maintenance sectors, 40, 122–125 Workshop), 2, 8, 59 drives. See forensic acquisition; specific diagnostic ports, accessing storage media media; storage media; using, 122–125 subject disk Diaz Diaz, Antonio, 61, 162 Dulaunoy, Alexandre, 61 diff tool, 200 duplication, disk, 219–221 Digital Evidence & Forensics Toolkit DVDs (digital versatile discs), 19f, 21. See (DEFT), 98–99 also optical storage media digital evidence bags. See forensic file acquiring, 174, 175 formats overview, 21 Digital Forensic Research Workshop reassembling split forensic images, 196 (DFRWS), 2, 8, 59 transferring forensic image to, 222 dynamic disks, Microsoft, 181–182

E evidence containers. See forensic file formats EIDE (Enhanced Integrated Drive disk. See subject disk Electronics), 32 integrity of, 197–202. See also eject shell command, 133 cryptography Electronic Crime Scene Investigation: A organizing, 76–83 Guide for First Responders EWF. See EnCase EWF (US DOJ), 3, 7 ewfacquirestream tool, 172, 210 EnCase EWF ewfacquire tool built-in encryption, 215 compressing images, 189 compressed format, 189 converting raw images to EWF, converting AFF images to, 209–210 202–203 converting FTK files to, 208 cryptographic hashing algorithms, converting raw images to, 202–203 151, 151t converting to another format, error handling, 161 205–208 forensic acquisition, 141, 145–147 forensic acquisition, 145–146 splitting images during hash windows, 153 acquisition, 193 image access tasks, 233–234 ewfexport tool, 205, 206, 207 overview, 62 ewfinfo tool, 206, 207 recalculating hash of forensic ewfmount tool, 233, 234 image, 198 ewfverify tool, 198 remote forensic acquisition, 171–172 examination directory structure, 79–81 splitting images during examination host. See acquisition host acquisition, 193 Expert Witness Format. See EnCase EWF encrypted filesystems, accessing EXTENDED SECURITY ERASE command, 227 Apple FileVault, 248–251 Extensible Host Controller Interface Linux LUKS, 251–254 (xHCI), 29–30 Microsoft BitLocker, 243–248 external drives, encrypting, 216, 217–218 overview, 243 extracted files, naming conventions for, TrueCrypt, 254–257 77–78 VeraCrypt, 254–257 extracting subsets of data. See data EncryptedRoot.plist.wipekey file, 249–250 extraction encryption. 
See also cryptography; encrypted filesystems, accessing F flash drives, 17, 131, 131f, 228 failure, drive, 159–165 key-wiping procedures, 227–228 FC (Fibre Channel) interface, 25–26, 26f Opal, 128–131 FDE (full-disk encryption), 128–131, securing disk image with, 211–218 216–218 Enhanced Integrated Drive Electronics fg command, 93 (EIDE), 32 Fibre Channel (FC) interface, 25–26, 26f environmental factors, 91–93 file compression, 85 EO1. See EnCase EWF file formats. See forensic file formats EOD (End of Data) marker, on tapes, files, naming conventions for, 76–79 14, 176 file shredder, 224–225 EOF (End of File) marker, on tapes, 176 file sizes, reporting, 86–87 EOM (End of Media) marker, on file slack, 43 tapes, 176 filesystems. See also encrypted filesystems, EOT (End of Tape) marker, on tapes, 176 accessing erasing forensic image data, 224–228 accessing forensic file format as, errors, drive, 159–165 233–235 estimated completion time, 87–88 data CD, 20

filesystems, continued image access tasks, 233–235 general purpose disk encryption, image compression support, 188 216–217, 218 naming conventions for, 77 identifying, 263–264 overview, , 59–60 Linux kernel and, 52–55 raw images, 60–62 slack space, extracting, 271–272 SquashFS, 63–67 unallocated blocks, extracting, 272 forensic filesystem analysis, 271, 274 file transfer protocols, 224 forensic image management FileVault, Apple, 248–251 compression, 187–191 FileVault Cracking software, 251 converting between image formats, FireWire (IEEE1394) interface, 33, 202–211 33f, 137 disk cloning and duplication, first responder triage of live PCs, 102 219–221 flash drives, 17, 131, 131f, 173, 228 overview, 187 flash memory. See non-volatile memory secure wiping and data disposal, Flash Translation Layer (FTL), 15 224–228 fls command, 180, 238, 242, 249–250, securing image with encryption, 265–266 211–218 forensic acquisition. See also data split images, 191–197 extraction; digital forensics; transfer and storage, 221–224 forensic image management; verifying image integrity, 197–202 image access tasks forensic imaging. See forensic acquisition completeness of, 10 forensic readiness, 69–70 dd-based tools, 142–145 forensic write blockers. See write blockers encryption during, 212, 213, 214 forks, in open source software, 49 with forensic formats, 145–150 formats, file. 
See forensic file formats Linux as platform for, 47–57 FreeTSA, 158, 159, 201 managing drive failure and errors, freeze commands, ATA password- 159–165 protected disks, 127 to multiple destinations, 150 frozen DCO configuration, 119–120 over network, 166–172 fsstat command, 263–264 overview, 141, 275–276 ftkimager tool peer-reviewed research, 7–8 built-in encryption, 214–215 performance, 88–90, 91t compressing images, 190 prerequisites, 9 converting files from EnCase to FTK, RAID and multidisk systems, 178–184 207–208 removable media, 172–178 converting from FTK format, 208–209 signing forensic images, 154–157 converting raw image to FTK splitting image during, 192–194 SMART, 203 standards for, 6–7 cryptographic hashing algorithms, suspending process, 92–93 151, 151t tools for, choosing between, 141–142 error handling, 161–162 trends and challenges, 4–5 forensic acquisition, 141, 147–149 verifying hash during, 197–198 overview, 62 writing image file to clone disk, splitting images during acquisition, 220–221 193–194 forensic boot CDs, 98, 99 FTK SMART format forensic file formats. See also specific compressed format, 190 formats converting AFF images to, 209–210 acquiring image with, 145–150 converting EnCase EWF files to, built-in encryption, 214–216 207–208 converting between, 202–211 converting raw images to, 203

converting to another format, hardware 208–209 examiner workstation, viewing, overview, 62 103–104 remote forensic acquisition, 171–172 managing drive failure and errors, FTL (Flash Translation Layer), 15 159–165 full-disk encryption (FDE), 128–131, subject PC, examining, 101–102 216–218 write blockers, 39, 94–97, 94f, 95f, 97f, FUSE filesystem, 196, 233, 241–243, 245, 107–108 246, 250–251 Hardware Write Block (HWB) fusermount command, 234 Device Specification, fvdeinfo tool, 249 Version 2.0, 94 fvdemount tool, 250–251 hashing basic, 151–152, 151t GPG encryption, 213 G OpenSSL encryption, 214 Garfinkel, Simson, 62 overview, 197 Garloff, Kurt, 62, 163 recalculating hash, 198–199 Globally Unique Identifier (GUID), LDM split raw images, 199 disk group, 181 verifying hash during acquisition, GNU dd. See dd utility 197–198 GNU dd_rescue tool, 61, 62, 142, 163 hash windows, 143, 152–154, 199–200 215–216 HBA (host bus adapter), 36 GNU ddrescue tool, 61, 142, 162–163, 165 hd (hexdump) tool, 226 GNU Privacy Guard (GnuPG or GPG), HDDGURU, 125 155–156, 200–201, 211–213 HDD Oracle, 125 GNU screen terminal multiplexer, 75–76 hddtemp tool, 91 GNU split command, 192 hdparm tool gpart tool, 267 ATA password-protected disks, GPG (GNU Privacy Guard), 155–156, 126, 127 200–201, 211–213 ATA security erase unit gpgsm tool, 156–157 commands, 227 gptparser.pl tool, 263 DCO, removing, 118–120 GPT partition scheme, 262 HPA Grenier, Christophe, 267 removing, 121–122 growisofs command, 222 replicating sector size with, 220 GUID (Globally Unique Identifier), LDM sector ranges, extracting, 270 disk group, 181 querying disk capabilities and Guidance Software. 
See EnCase EWF features with, 108–112 GUI interface read-only property, 98 versus command line, xxi SSDs, 16–17 Linux, 55–56 heat, monitoring, 91–93 gunzip tool, 188, 213 heat sinks, 93 gzip tool, 188–189, 192, 204, 214 hexdump (hd) tool, 226 hidden sectors, enabling access to DCO removal, 118–121 H HPA removal, 121–122 Harbour, Nicholas, 61 overview, 118 hard disks. See also forensic acquisition; system areas, 122–125 storage media; subject disk hidden volume, VeraCrypt, 256–257 magnetic, 12–13, 13f history, shell, 73–75 service areas, 40 host bus adapter (HBA), 36 transferring forensic image to, 223

HPA (Host Protected Area) International Organization of Computer extracting sector ranges belonging Evidence (IOCE), 2, 3 to, 269–271 Internet of Things, 4 overview, 39–40, 118 inter-partition gaps, extracting, 269 removing, 121–122 IOCE (International Organization of replicating sector size with, 219–220 Computer Evidence), 2, 3 Hulton, David, 251 ISO (International Organization for HWB (Hardware Write Block) Device Standardization), 6 Specification, Version 2.0, 94 iStorage datashur drives, 228 hxxp, 79 J I jail-broken devices, 5 IAAC (Information Assurance Advisory JBOD (Just a Bunch Of Disks), 179–180 Council), 8 JTAG interface, 125 icat tool, 249–250 jumper setting, Advanced Format 512e IDE (Integrated Drive Electronics), 18, disks, 43 32, 32f Just a Bunch Of Disks (JBOD), 179–180 IEEE1394 (FireWire) interface, 33, 33f, 137 image access tasks. See also encrypted K filesystems, accessing Kali Linux, 99 boot images, preparing with xmount, kernel, Linux 235–237 defined, 55 forensic format image files, 233–235 determining partition details, 264 overview, 229–230 and filesystems, 52–55 raw images, 230–233 and storage devices, 50–52 VM images, 237–243 kernel patch, write-blocking, 98–99 image acquisition/imaging. See forensic kernel ring buffer, 106 acquisition Kessler, Gary, 262–263 img_stat command, 59–60, 194, 195, key-wiping procedures, 227–228 197–198 Kornblum, Jesse, 61 industry kpartx tool, 231, 233, 234, 241, 242 collaboration within, 5 regulations and best practice, 8–9 L Information Assurance Advisory Council (IAAC), 8 law enforcement, and digital forensics information security, 211–218 collaboration, 5 initiator, SCSI commands, 36 history of, 1–2 Integrated Drive Electronics (IDE), 18, LDM ( Manager), 181 32, 32f ldmtool tool, 181 integrity. See cryptography; verifying legacy technologies forensic image integrity magnetic, 15 interfaces. 
See also specific interfaces optical storage media, 22 bus speeds, 90, 91t storage media interfaces, 32–34, 32f, legacy, 32–34, 32f, 33f, 34f 33f, 34f NVME, 27–29, 27f, 28f Lenovo ThinkPad Secure Hard Drives, overview, 22 216, 216f SAS and Fibre Channel, 25–26, libata library, 39 25f, 26f libbde package, 247–248 SATA, 22–25, 23f, 24f, 25f libewf library, 62, 215 Thunderbolt, 30–32, 31f libfvde software package, 248–251 USB, 29–30, 29f, 30f libqcow-utils package, 237 International Organization for libvhdi tools, 241 Standardization (ISO), 6 libvmdk-utils software package, 240

link layer, disk interfaces, 34, 35f, 38 lshw tool, 103, 104, 133–134 Linux. See also command line; specific lspci tool, 103–104 commands lsscsi command, 105, 108 Advanced Format 4Kn disks, 42–43 lsusb tool, 104, 105, 108 Apple Target Disk Mode, 137–138 luksDump command, 252–253 audit trail, 76 LUKS encryption system, 251–254 command execution, 56 LVM (Logical Volume Manager) compression tools, 188–189 layers, 254 distributions, 55–56 forensic boot CDs, 98, 99 in forensic context, 48–50 M kernel and filesystems, 52–55 M.2 interface kernel and storage devices, 50–52 NVME, 27, 27f loop devices, 230–233 SATA, 24, 24f LUKS, 251–254 magnetic storage media. See also hard overview, xx–xxi, 47, 57 disks; magnetic tapes piping and redirection, 56–57 legacy, 15 RAID-5 acquisition, 183–184 overview, 12 SCSI commands, 36–37 magnetic tapes, 14f shell history, 73, 74 acquiring, 176 –178 shells, 56 attaching to acquisition host, 133–135 software RAID, 178 overview, 13–14 Thunderbolt interface, 31–32 with physical read-only modes, 100 Linux Storage Stack Diagram, 52, 53f maintenance sectors, 40, 122–125 live imaging with CoW snapshots, 172 managing image files. See forensic image live PCs, triage of, 102 management locked DCO configuration, 119–120 manual extraction using offsets, 272–274 Logical Disk Manager (LDM), 181 mapper devices, 179–182, 231–232, 253, Logical Volume Manager (LVM) 255–256 layers, 254 mass storage technologies. See storage logistical issues media environmental factors, 91–93 (MBR), 129 estimating task completion times, master password, ATA password- 87–88 protected disks, 126–127, 128 file compression, 85 maximum visible sectors, on clone image sizes and disk space drive, 220 requirements, 83–84 MBR (master boot record), 129 moving and copying forensic md5sum tool, 152, 154, 207 images, 87 mdadm tool, 183, 184 overview, 83 media. See storage media performance and bottlenecks, memory. 
See specific types of memory; 88–90, 91t storage media reported file and image sizes, 86–87 memory cards, 18f sparse files, 85–86 acquiring, 173 –174 logs, SMART, 115 attaching to acquisition host, 136 long-term storage of forensic images, overview, 17–18 221–224 memory slack, 43 loop devices, 183–184, 230–233, 252–253, metadata, forensic file formats, 62 265–266 Metz, Joachim, 62, 237, 247, 248 loop option, mount command, 245, 247 micro IDE ZIF interface, 33, 33f losetup command, 183, 230, 231, 252, 265 micro SATA interface, 24, 24f Lougher, Phillip, 63 Micro SD cards, 173–174 lsblk command, 106–107, 108 Microsoft BitLocker, 243–248 ls command, 86–87, 196 Microsoft dynamic disks, 181–182

Microsoft VHD format, 241–243 Netherlands Forensic Institute (NFI), 166 mini IDE interface, 33, 33f network Mini-SAS HD interface, 26f image acquisition over mini-SATA (mSATA) interface, 23, 23f to EnCase or FTK format, mirrored disks, RAID-1, 182–183 171–172 mismatched hash windows, 199–200 live imaging with CoW mkisofs command, 221–222 snapshots, 172 mksquashfs tool, 63, 170, 206–207 overview, 166 mmcat tool, 266, 268, 269, 270 with rdd, 166–168 mmls command, 262 to SquashFS evidence container, mmstat command, 260, 261 169–171 mount command, 184, 241, 245, 247 with ssh, 168–169 mounting transferring acquired images, decrypted filesystem image, 245, 246, 223–224, 223t 247, 250, 253, 256 performance tuning, 90 filesystems in Linux, 53–54 Next Generation Form Factor (NGFF), 27 forensic format image files, 233–235 NFI (Netherlands Forensic Institute), 166 image files as regular filesystems, 229 NIST. See CFTT project loop partitions, 232–233 nonprivileged user, 241–243, 246, 251, 254 SquashFS container, 66 non-volatile memory VeraCrypt volume, 218 legacy, 19 VM images, 236, 238–239, 240–243 overview, 15–16 moving forensic images, 87 removable memory cards, 17–18, 18f mpt-status tool, 178 solid state drives, 16–17, 16f mSATA (mini-SATA) interface, 23, 23f USB flash drives, 17, 17f msed tool, 129 Non-Volatile Memory Express (NVME) mt tool, 134–135 command set, 37–38, 37t multidisk systems, acquiring interface, 27–29, 27f, 28f JBOD and RAID-0 striped disks, namespaces, 44–45, 138, 139, 226 179–180 nvme-cli software package, 44–45 Linux RAID-5, 183–184 nvme tool, 138, 139 Microsoft dynamic disks, 181–182 SSDs, 138–139 overview, 178 wiping drives, 226 proprietary systems, 178–179 nwipe tool, 226 RAID-0 striped disks, 179–180 RAID-1 mirrored disks, 182–183 O multifunction drivebay write blocker, 94, 95f of= flags, dc3dd tool, 150 multiple destinations, forensic --offset flag, losetup command, 231 acquisition to, 150 offsets, manual extraction using, 272–274 music 
CDs, 20, 175. See also CDs; optical Opal self-encrypting drives, 128–131, 228 storage media opengates tool, 236 myrescue tool, 163 openjobs tool, 236 open source software (OSS), 48–50, 276 OpenSSH software package, 224 N OpenSSL command line tool, 157–159, namespaces, NVME, 44–45, 138, 139, 226 201–202, 213–214 naming conventions for files and optical storage media directories, 76–79 acquiring, 174 –175 NAND flash technology, 15 attaching to acquisition host, 132–133 National Institute of Standards and Blu-ray discs, 19f, 21–22 Technology. See CFTT project acquiring, 174, 175 nbd kernel module, 237–238, 239 transferring forensic image to, negative sectors, 40, 122–125 222, 223

CDs, 19f, 20–21 physical errors, SMART data on, 117–118 acquiring, 174, 175 physical layer, disk interfaces, 34, 35f, Linux forensic boot, 98, 99 38–39 transferring forensic image to, physical PC examination, 102 221–222 physical read-only modes, media with, damaged, 165 100, 100f DVDs, 19f, 21 Physical Security ID (PSID), 128, acquiring, 174, 175 129f, 228 reassembling split forensic piecewise data extraction. See data images, 196 extraction transferring forensic piecewise hashing, 152–154, 199–200 image to, 222 piping legacy, 22 acquiring image to multiple overview, 19–20 destinations, 150 transferring forensic image to, with AFF files, 209 221–223 combining compressing and OS-encrypted filesystems. See encrypted splitting, 192 filesystems, accessing compressing images with, 189 OS image, booting in VM, 235–237 cryptographic hashes of split raw OSS (open source software), 48–50, 276 images, 199 OS X, booting image in VM, 236 cryptographic hashing over-provisioning, 15–16 algorithms, 152 in Linux, 56–57 to validate acquisition hash, 197–198 P PKI (public key infrastructure), 156, 216 Parallel ATA (PATA), 18 plain dm-crypt encryption, 251, 254 parallel interfaces, 22 planning for forensic acquisition. See parsing tools, 262–263 preparatory forensic tasks partition devices, 51–52, 231–233, 238, post-acquisition tasks. See data extraction; 239–240 forensic image management; partition extraction image access tasks deleted, 266–268 postmortem computer forensics. See HPA and DCO sector ranges, digital forensics; forensic 269–271 acquisition individual, 264–266 power management, 93 inter-partition gaps, 269 preparatory forensic tasks. 
See also overview, 264 logistical issues partition scheme, analyzing, 259–264 audit trail, 70–76 partition tables, 261–263 organizing collected evidence and password-protected disks, 126–128 command output, 76–83 password recovery techniques, 125 overview, 69–70 PATA (Parallel ATA), 18 write-blocking protection, 93–100 PC-3000 tool, Ace Laboratory, 122 Pretty Good Privacy (PGP), 155–156 PCI bus, listing devices attached to, private sector forensic readiness, 70 103–104 privileges, command, xxv, 212, 233. See PCI Express write blockers, 96, 97f also nonprivileged user PEM signature file, 157, 201 proc filesystem, Linux, 107 Pentoo forensic CD, 99 proprietary RAID acquisition, 178–179 PEOT (Physical End of Tape) marker, 176 pseudo definition file, mksquashfs, 206 performance, forensic acquisition, PSID (Physical Security ID), 128, 88–90, 91t 129f, 228 PGP (Pretty Good Privacy), 155–156 public key infrastructure (PKI), 156, 216 PHY devices, 38 public sector forensic readiness, 70 Physical End of Tape (PEOT) marker, 176

Q recalculating hash of forensic image, 198–199 QCOW2 format, 237–239 Recorder Identification Code qcowinfo tool, 237 (RID), CDs, 21 qcowmount tool, 237 recoverdm tool, 163 QEMU emulator, 237–239 redirection -img command, 237 with AFF files, 209 qemu-nbd tool, 237–238, 239 compressing images with, 189 querying subject disk in Linux, 56–57 documenting device identification saving command output with, 81–83 details, 107–108 Redundant Array of Independent Disks. extracting SMART data, 112–118 See RAID systems, acquiring with hdparm, 108–112 regulations, industry-specific, 8–9 overview, 107 remapped sectors, 40 remote access to command line, xxi R remote forensic acquisition to EnCase or FTK format, 171–172 RAID (Redundant Array of Independent live imaging with CoW snapshots, 172 Disks) systems, acquiring overview, 166 JBOD striped disks, 179–180 with rdd, 166–168 Linux RAID-5, 183–184 secure, with ssh, 168–169 Microsoft dynamic disks, 181–182 to SquashFS evidence container, overview, 178 169–171 proprietary systems, 178–179 transferring acquired images, RAID-0 striped disks, 180 223–224, 223t RAID-1 mirrored disks, 182–183 removable storage media. See also specific RAM slack, 43 media types; storage media raw devices, in Linux, 51, 52 acquiring, 172–178 raw images attaching to acquisition host, 132–136 accessing forensic file format as, encrypting, 216 233–235 transferring forensic image to, converting to and from AFF, 209 221–223 converting to another format, reported file and image sizes, 86–87 202–205 research, peer-reviewed, 3, 7–8 cryptographic hashes of split, 199 RFC-3161 timestamping, 157–159, 201 data recovery tools, 61–62 RID (Recorder Identification dd utility, 60 Code), CDs, 21 forensic dd variants, 61 ring buffer, kernel, 106 image access tasks, 230–233 ripping music CDs, 175 naming conventions for, 77 overview, 60 preparing boot images with S xmount tool, 236 S01. 
See FTK SMART format reassembled, 196–197 SAS (Serial Attached SCSI) interface, writing to clone disk, 220–221 25–26, 25f, 26f, 37 rdd tool, 166–168 SAT (SCSI-ATA Translation), 39 read errors, dd utility, 143–144 SATA (Serial ATA) interface, 16, 22–25, read-only modes, media with, 100, 100f 23f, 24f, 25f, 94f read-only property, setting with write SATA Express disk interface, 25, 25f blockers, 97–98 scalable examination directory structure, reassembling split forensic images, 79–81 195–197

Scientific Working Group on Digital self-encrypting drives (SEDs), 128–131, Evidence (SWGDE), 3 218, 228 scp (secure copy) tool, 224 Self-Monitoring, Analysis and Reporting screen terminal multiplexer, 75–76 Technology (SMART) script command, 75 extracting data with smartctl, 112–118 scripting, with command line, xxi managing drive failure and errors, scriptreplay command, 75 163–164 SCSI-ATA Translation (SAT), 39 NVME drives, 139 SCSI interface, 34f self-tests, SMART data on, 115–116 command sets for, 36–37, 37t, 39 serial access to disks, 122–125 documenting device identification Serial ATA (SATA) interface, 16, 22–25, details, 108 23f, 24f, 25f, 94f identifying subject drive, 105 Serial Attached SCSI (SAS) interface, overview, 33–34 25–26, 25f, 26f, 37 querying drives, 112 serial bus controller class, 104 tape drives, querying, 134 serial point-to-point connections, 22 SD (Secure Digital) standard, 18 mode, rdd tool, 166, 167, 168 sdparm command, 112 service areas, 40, 122–125 sector offsets sessions, CD, 20 converting into byte offset, 247–248, sfsimage tool 249, 252, 265 acquiring image with, 149–150 filesystem identification, 263–264 converting AFF file to compressed manual extraction using, 272–274 SquashFS, 210 sectors. 
See also hidden sectors, enabling converting FTK files to SquashFS, access to; 4Kn disks 208–209 hard disks, 12, 40 converting raw image to SquashFS, replicating with HPA, 219–220 203–204 user-accessible, wiping, 225–226 dcfldd and dc3dd tools, 145 secure copy (scp) tool, 224 image access tasks, 235 secure_deletion toolkit, 224 overview, 63 Secure Digital (SD) standard, 18 remote forensic acquisition, 169–171 Secure/Multipurpose Internet removable media, acquiring Extensions (S/MIME), 155, image of, 174 156–157, 201 SquashFS compression, 191 secure network data transfer, 223–224 SquashFS evidence containers, 64–67 secure remote imaging, 168–169 sg3_utils software package, 36–37 secure wiping and data disposal, 224–228 shadow MBR on Opal SEDs, 129–130, 131 security erase command, ATA, 226–227 shared buses, 22 security features, subject disk shell alias, 72–73 ATA password-protected disks, shell history, 73–75 126–128 shells. See Bash; command line encrypted flash thumb drives, 131 shredding files, 224–225 overview, 125 SID (Source Unique Identifier), CDs, 21 self-encrypting drives, 128–131 sigfind tool, 266 security levels, ATA password-protected signatures, confirming validity of, disks, 127 200–202 security of forensic image, 211–218 signing forensic images, 154–157 SEDs (self-encrypting drives), 128–131, size 218, 228 disk image, 83–84 sedutil-cli command, 129–130, 218, 228 reported file and image, 86–87 seeking, within compressed files, 188, 204 skip parameter, for partition extraction with dd, 266

slack space, 43, 271–272
Sleuth Kit
  blkcat command, 274
  blkls command, 271–272
  fls command, 180, 238, 242, 249–250, 265–266
  fsstat command, 263–264
  img_stat command, 59–60, 194, 195, 197–198
  mmcat tool, 266, 268, 269, 270
  mmls command, 262
  mmstat command, 260, 261
  sigfind tool, 266
SMART (FTK forensic format). See FTK SMART format
SMART (Self-Monitoring, Analysis and Reporting Technology)
  extracting data with smartctl, 112–118
  managing drive failure and errors, 163–164
  NVME drives, 139
smartctl command, 91–92, 112–118
S/MIME (Secure/Multipurpose Internet Mail Extensions), 155, 156–157, 201
Snoopy command logger, 74–75
software
  open source, 48–50
  proprietary, 49–50
  write blockers, 97–99, 108
solid state drives (SSDs), 12, 16–17, 16f, 43, 138–139
Solid State Hybrid Disks (SSHDs), 45
source-level access, to open source software, 48
Source Unique Identifier (SID), CDs, 21
space requirements, 83–84
sparse files, 85–86
split command, 192
split forensic images
  accessing, 194–195
  cryptographic hashes of, 199
  during acquisition, 192–194
  overview, 191–192
  reassembling, 195–197
SquashFS
  background of, 63
  burning file to CD, 221–222
  converting AFF file to compressed, 210–211
  converting FTK files to, 208–209
  converting raw images, 202–205
  forensic evidence containers, 64–67, 149–150, 191
  image access tasks, 235
  manual container creation, 205–207
  overview, 63
  remote forensic acquisition, 169–171
squashfs-tools package, 64
SSDs (solid state drives), 12, 16–17, 16f, 43, 138–139
ssh command, 168–172
SSHDs (Solid State Hybrid Disks), 45
standards, digital forensics, 6–7
stderr, 82
stdin, 82, 189
stdout, 81–82, 189
storage, forensic image, 221–224
storage media. See also forensic acquisition; specific media types; subject disk
  Advanced Format 4Kn disks, 12, 41–44, 42f
  DCO and HPA drive areas, 39–40
  encrypting, 216–218
  examiner workstation hardware, 103–104
  image sizes and disk space requirements, 83–84
  interfaces and connectors, 22–32
  Linux kernel and, 50–52, 53f
  magnetic, 12–15
  naming conventions for, 77, 78
  non-volatile memory, 15–19
  NVME namespaces, 44–45
  optical, 19–22
  overview, 11–12, 46
  remapped sectors, 40
  scalable examination directory structure, 80, 81
  secure disk wiping, 225–226
  Solid State Hybrid Disks, 45
  system areas, 40, 122–125
  terms used for, xxvi
  trends and challenges, 4
  UASP, 29, 40–41
  write-blocking protection, 93–100
strace command, 195
striped disks, 179–180
subject disk. See also forensic acquisition; storage media
  attaching to acquisition host
    Apple Target Disk Mode, 137–138
    devices with block or character access, 140

    enabling access to hidden sectors, 118–125
    examining subject PC hardware, 101–102
    identifying subject drive, 105–107
    NVME SSDs, 138–139
    overview, 101
    querying subject disk, 107–118
    removable storage media, 132–136
    security features, 125–131
    viewing examiner workstation hardware, 103–104
  defined, xxvi
  image sizes and disk space requirements, 83–84
  preparing boot images with xmount tool, 235–237
  removal from PC, 102
  temperature monitoring, 91–93
subsets of data, extracting. See data extraction
sudo command, 212, 242–243, 246, 251, 254
support, for open source software, 48, 49
suspect disk. See subject disk
suspending acquisition process, 92–93
SWGDE (Scientific Working Group on Digital Evidence), 3
symmetric encryption, 211–213, 215–216
sync parameter, dd utility, 143
/sys pseudo filesystem, 42–43
system areas, 40, 122–125

T

tableau-parm tool, 95–96, 121
Tableau write blocker, 94f, 95–96
tapeinfo tool, 134–135
tapes, magnetic, 14f
  acquiring, 176–178
  attaching to acquisition host, 133–135
  overview, 13–14
  with physical read-only modes, 100
target, SCSI commands, 36
Target Disk Mode (TDM), Apple, 31, 137–138
task completion times, estimating, 87–88
task management, 70–73
Taskwarrior, 71–72
TCG (Trusted Computing Group), 128
tc-play, 217
TDM (Target Disk Mode), Apple, 31, 137–138
tee command, 152
temperature data, SMART, 116–117
temperature monitoring, 91–93
terminal monitors, 76
terminal multiplexers, 75–76
terminal recorders, 75–76
testdisk tool, 267–268
text files, naming conventions for, 78, 79
thumb drives, 17, 131, 131f, 173, 228
Thunderbolt interface, 30–32, 31f, 137
Thunderbolt-to-FireWire adapter, 137–138
time command, 82
timestamps, 82–83, 157–159, 201–202
tmux terminal multiplexer, 75–76
todo.txt file format, 72
transfer, forensic image, 221–224
transport layer, disk interfaces, 34, 35f
Trapani, Gina, 72
triage of live PCs, 102
command, ATA, 16–17
TrueCrypt, 216–217, 254–257
Trusted Computing Group (TCG), 128
TSA certificates, 201
ts command, 83, 158–159
tsget command, 158
Type C interface, USB, 30, 30f

U

U.2 interface, NVME, 28, 28f
UASP (USB Attached SCSI Protocol), 29, 40–41
UDF (Universal Disk Format), 21
udevadm tool, 50–51
udev system, Linux, 50–51
umount command, 54, 207, 232–233, 234, 241
unallocated blocks, extracting, 272
unique identifiers, 77, 105
Universal Disk Format (UDF), 21
Universal Serial Bus. See USB
unmounting
  decrypted filesystem image, 245, 251, 254, 256
  filesystems in Linux, 54
  forensic format image files, 234
  loop partitions, 232–233
  VeraCrypt volume, 218
  virtual images, 236
unsquashfs command, 207
URLs, naming conventions for, 79

USB (Universal Serial Bus), 29f, 30f
  card readers, 18
  documenting device identification details, 108
  flash drives, 17, 17f, 131, 131f, 173, 228
  listing devices attached to, 104, 105
  multifunctional devices, 140
  overview, 29–30
  serial access to disks, 122–125
USB Attached SCSI Protocol (UASP), 29, 40–41
usb_modeswitch tool, 140
useless use of cat (UUOC), 199
user-accessible sectors, wiping, 225–226
user password, ATA password-protected disks, 126–127
UUOC (useless use of cat), 199

V

varmon tool, 178
VBoxManage tool, 239
VDI format, 236, 239–240
VeraCrypt, 217–218, 254–257
verifying forensic image integrity
  GPG encryption, 213
  manual creation of SquashFS container, 207
  mismatched hash windows, 199–200
  OpenSSL encryption, 214
  overview, 197
  recalculating hash, 198–199
  signature and timestamp, 200–202
  split raw images, 199
  verifying hash during acquisition, 197–198
VFDecrypt tool, 251
VFS (Virtual File System) abstraction layer, 52
VHD format, Microsoft, 241–243
vhdiinfo command, 241–242
vhdimount command, 242
VirtualBox VDI images, 236, 239–240
Virtual File System (VFS) abstraction layer, 52
Virtual Machine DisK (VMDK) format, 240–241
Vital Product Data (VPD), 112
vmdkinfo command, 240
VM images, accessing
  dislocker package, 244–245
  Microsoft VHD, 241–243
  overview, 237
  QEMU QCOW2, 237–239
  VirtualBox VDI, 239–240
  VMWare VMDK, 240–241
VMs, booting subject drive in, 235–237
VMWare VMDK format, 240–241
VPD (Vital Product Data), 112

W

wear leveling, 15
Weinmann, Ralf-Philipp, 251
window managers, Linux, 55–56
Windows, booting image in VM, 236
wiping forensic image data, 224–228
World Wide Name (WWN), 111–112
write blockers
  documenting evidence for use of, 107–108
  hardware, 39, 94–97, 94f, 95f, 97f
  importance of, 93–94
  for legacy interfaces, 34
  Linux forensic boot CDs, 99
  media with physical read-only modes, 100, 100f
  NVME, 28–29
  overview, 21
  software, 97–99, 108
  for USB devices, 30
  when mounting filesystems, 54
WWN (World Wide Name), 111–112

X

X11 window system, Linux, 55
Xen blktap xapi interface, 241
xHCI (Extensible Host Controller Interface), 29–30
xmount tool, preparing boot images with, 235–237

Z

zcat tool, 189, 196, 199
ZIP archive format, 211
zuluCrypt, 217
