Prodiscover basic.

Working directly on the original evidence (e.g., the hard disk of a computer) in any forensic data recovery operation or computer forensic investigation is not allowed, as the investigation can make irrecoverable changes to the source data. Therefore, the first step is to create an exact duplicate of the media to be examined. Creating an exact copy of the original digital media that investigators can examine is commonly referred to as making a bitstream image, or simply the imaging process. The image is just a file, which can be handled easily. When imaging is done, a process called hashing generates a hash to ensure that the image and the original media are the same. Tools commonly used for imaging include dd, which was originally a Unix utility, and various dd-based utilities such as dcfldd, which is also capable of generating a hash at the end of the process.

To guarantee that no change would occur to the original digital media, using write blockers is recommended. Write blockers can be hardware or software. Hardware write blockers are normally preferred; however, they are not always available. Also, if the imaging were done on the original computer while it is powered on, there is a chance of missing hidden data or getting interference during imaging from rootkits. Imaging, therefore, can be done while the digital media is powered off and outside the original computer. Sometimes we have no choice and have to image the media while it is connected and powered on. It depends on the situation, since each incident and the circumstances around it are unique. One of those circumstances is the type of data. In general, we have two types of data for investigation:

  • Volatile data: this data will be lost when the media is disconnected from power.
  • Persistent data: this data remains intact after the media is powered off. However, sometimes persistent data is stored using, for example, a full disk encryption solution, and there is no access to the decryption key.

As we explain the two types of imaging, the cases for using live vs. dead imaging are also discussed in the next few slides.

Dead imaging is when the digital media (that is to be imaged) has been powered off and is imaged outside of its original computer. This is the preferred method, since there is no chance to tamper with data on the media during the imaging process. In other words, if dead imaging is performed properly, the chance of data alteration on the original media (and image) is zero. If there is a chance that time bombs could be activated on the computer to erase the content of the digital media, it is recommended to shut down the computer and perform dead imaging.

Live imaging is when the media of a computer is imaged while the media is still connected to the computer and powered on. There are certain situations in which live imaging has to be performed:

  • Imaging RAM is an example of live imaging, since powering off RAM would cause the loss of the data in it.
  • When a hard disk is encrypted and, if it is powered off, all the data on it will be shielded from the investigator because of the encryption. The issue is that there is no access to the decryption key.
  • When the responsible party may require that the system stay online for business reasons.
  • If the data to be imaged resides in a remote location where physical access is limited or difficult.
  • When there is a chance that powering off a disk or system may tip off an attacker or malicious process that it is being analyzed, causing a change in behavior that may hinder the investigation (Vandeven, 2014).

Dead imaging is always available for nonvolatile media. Live imaging of nonvolatile media is recommended based on the situation, such as the chance of further changes to the media or a lack of accessibility due to encryption. Therefore, it is recommended to decide immediately whether to perform live imaging.

In addition to using proper evidence-handling techniques in the event that the image is used as evidence in a courtroom, it is important to pay attention to the following tips:

  • Use write blockers to prevent alteration of the evidence.
  • Check for disk encryption prior to removing power from the disk.
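The dead-imaging and hashing workflow described above, as an added example that is not code from the original post: it makes a bitstream copy of a constructed sample file with dd, records the source and image hashes in an acquisition log, and shows that verification rejects an image that has been altered by even one byte. It assumes GNU coreutils (dd, sha256sum) and uses a regular file in place of the block device that a real acquisition would read through a write blocker.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: GNU coreutils
# (dd, sha256sum) are available, and the source is a regular file standing in
# for a powered-off disk attached through a hardware write blocker.
set -eu

# Constructed sample media: 8 x 512-byte sectors of deterministic text. Real
# disks are a whole number of sectors, so the image size will match exactly.
make_sample_media() {
    yes 'sample sector payload' | head -c 4096 > "$1"
}

# Bitstream copy. bs matches the sector size; conv=noerror,sync keeps reading
# past unreadable sectors and zero-fills them so that sector offsets in the
# image stay correct. Source and image hashes are appended to the log so the
# acquisition can be reproduced and defended later.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    printf 'source sha256: %s\n' "$(sha256sum "$src" | cut -d' ' -f1)" >>"$log"
    printf 'image  sha256: %s\n' "$(sha256sum "$img" | cut -d' ' -f1)" >>"$log"
}

# Verification: the image is only usable as evidence if its hash equals the
# hash of the original media. Returns 0 on match, 1 on mismatch.
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$src_hash" = "$img_hash" ]; then
        echo "VERIFIED $img_hash"
        return 0
    fi
    echo "MISMATCH source=$src_hash image=$img_hash" >&2
    return 1
}

# Simulate an altered image (one byte overwritten in place at offset 100) to
# show that hash verification catches any change, however small.
corrupt_image() {
    printf 'X' | dd of="$1" bs=1 seek=100 conv=notrunc 2>/dev/null
}

demo() {
    work=$(mktemp -d)
    make_sample_media "$work/media.bin"
    acquire_image "$work/media.bin" "$work/media.dd" "$work/acquisition.log"
    verify_image "$work/media.bin" "$work/media.dd"
    corrupt_image "$work/media.dd"
    verify_image "$work/media.bin" "$work/media.dd" || echo "altered image rejected"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh imaging.sh demo` to see a successful verification followed by the rejected altered copy.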