Why do I need a forensically sound image? What is a forensic image?
What makes up a forensic image? How do I make a forensically sound Image?
The four questions listed above are the ones we are going to answer here today, before we go any further into DEFT 7.1.
What is DEFT 7.1? DEFT is a very professional and stable system that includes excellent hardware detection and the best free and open source applications dedicated to Incident Response, Cyber Intelligence and Computer Forensics. It is one of many tools an investigator should have!
DEFT is meant to be used by:
- IT Auditors
And DEFT is 100% made in Italy
DEFT 7 is based on the new Kernel 3 (Linux side) and the DART (Digital Advanced Response Toolkit) with the best freeware Windows Computer Forensic tools. It is a new concept of Computer Forensic system that uses LXDE as its desktop environment, WINE to execute Windows tools under Linux, and mount manager as the tool for device management.
English manual can be downloaded - http://www.deftlinux.net/doc/EN-deft7.pdf
What is a forensic image? The Forensicon answer to this is as follows:
“When a computer is identified as possibly containing electronic evidence, it is imperative to follow a strict set of procedures to ensure a proper (i.e. admissible) extraction of any evidence that may exist on the subject computer. The first thing to remember is the “golden rule of electronic evidence” – never, in any way, modify the original media if at all possible. Thus, before any data analysis occurs, it usually makes sense to create an exact, bit stream copy of the original storage media that exists on the subject computer. A forensic image is sometimes referred to as a mirror image or ghost image. Mirror imaging or ghost imaging does not always generate a true forensic image. The same is true for cloning a hard drive. A forensic image may include a single or multiple hard drives, floppy disk(s), CD(s), Zip drive(s) or DVD(s), plus many other types of storage media that now exist. Imaging the subject media by making a bit-for-bit copy of all sectors on the media is a well-established process that is commonly performed on the hard drive level, hence often referred to as hard drive imaging, bit stream imaging or forensic imaging.” For further information, visit the link above.
There are many thoughts on the terms used, but the root of the answer is to ensure, to the best of your ability, that no evidence or potential evidence was altered.
What makes it a forensic image? The first step is to make sure that the device being imaged is write protected. If it is not write protected, then when you connect it to a computer to be imaged, it WILL be altered in some form or fashion. You have to weigh each case based on the needs of the investigation or case type. Are you properly trained to obtain the image, and what type of training do you have? Did you use a hardware write blocker or a software write blocker? Did you validate your tool? Do you need a complete image, meaning a sector-by-sector image, or just the logical section of the device? These are things that you will need to answer based on your case.
How do I make a forensic image? This is where DEFT 7.1 comes into play for you and anyone else who needs a forensic image of a device. I have tested and validated DEFT 7.1 for the ability to write block a device. I found in my test that it works, and I was able to image a device without making any alterations to the original evidence. I strongly suggest that you test the software yourself and do not take my word for it. This goes for any tool out there; never just assume that it works because Joe Bob said so! DEFT 7.1 has several tools built in for imaging devices; my favorite is “Cyclone”: http://www.lovemytool.com/.a/6a00e008d9577088340177442cc808970d-pi
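The two checks described in the paragraphs above, validating that the tool did not alter the source and confirming that the copy is bit-for-bit, come down to hashing. The shell script below is an added example written for this page; it is not code from the original post and not part of DEFT or Cyclone. It hashes the source before acquisition, makes a sector-by-sector copy with dd, then hashes the image and re-hashes the source, so that all three digests and the two sizes can be compared. The paths, the 1 MiB sample “device” it builds for itself, and the use of sha256sum and dd are assumptions for the demo; against real evidence the source would be a write-blocked block device.

```sh
#!/bin/sh
# Added example, not part of the original post or of DEFT: acquire a
# bit-stream image and verify it. Three digests must agree: the source
# before imaging, the image, and the source after imaging. A changed
# source digest means something wrote to the evidence while it was
# attached (the write blocker failed); an image digest that differs from
# the source means the copy is not bit-for-bit. Tool names and paths are
# assumptions for this demo.
set -eu

# Print the SHA-256 digest of a file or device (sha256sum on Linux,
# shasum on systems that lack it).
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Byte length of a file or device, kept as a second, cheap check that
# the image is as long as its source.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Build a deterministic 1 MiB sample "device" (constructed test data,
# sector-aligned so dd's padding below never kicks in).
make_sample_source() {
    yes "sample sector data for the acquisition demo" | head -c 1048576 > "$1"
}

# Bit-for-bit copy. bs=512 matches a classic sector size; noerror keeps
# reading past unreadable sectors and sync pads them with zeros so the
# offsets of everything after them stay correct in the image.
acquire() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Acquire SRC into IMG and verify. Returns 0 only if the source digest
# before, the image digest and the source digest after all match and
# the sizes agree; prints the digests for the case notes either way.
verify_acquisition() {
    src="$1"; img="$2"
    before=$(hash_of "$src")
    acquire "$src" "$img"
    image=$(hash_of "$img")
    after=$(hash_of "$src")
    echo "source before : $before"
    echo "image         : $image"
    echo "source after  : $after"
    if [ "$before" = "$image" ] && [ "$image" = "$after" ] \
       && [ "$(size_of "$src")" = "$(size_of "$img")" ]; then
        echo "VERIFIED: image matches source and source is unchanged"
        return 0
    fi
    echo "MISMATCH: do not rely on this image" >&2
    return 1
}

# Re-verify an existing image against its source at a later date.
image_matches() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ] && \
    [ "$(size_of "$1")" = "$(size_of "$2")" ]
}

main() {
    work=$(mktemp -d)
    make_sample_source "$work/evidence.bin"
    verify_acquisition "$work/evidence.bin" "$work/evidence.dd"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    main
fi
```

Run it as `sh acquire_verify.sh demo` to see the three digests. The before/after digest of the source is the part that tests the write blocker, which is exactly the kind of check the author asks you to do yourself rather than taking anyone's word for it; the image digest is what you record with the image so it can be re-verified later with `image_matches`.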
If you want, DEFT 7.1 can be installed as a standalone operating system. Please see the introduction written a while back here http://www.lovemytool.com/blog/2012/08/deft-7-cyber-forensic-tool-overview-by-casey-mullis.html
Once you install the OS (Operating System), you can then go to AccessData’s web site, download FTK Imager for the command prompt and use it in DEFT 7.1.
Please keep a check back as I will be releasing a video on how to image with DEFT 7.1. At that time I will show that the write blocking works and how to image in two different ways. Thanks again for stopping by LoveMyTool.com.
The 4 awesome videos are now released - http://www.youtube.com/channel/UCVRRaTIhT3RC7c2HLkZj0Bg?feature=watch.
Expect a lot more on cyber forensics, coming soon!
Please share feedback and suggestions through the feedback at the bottom of the article.
Please read this Editor’s Note – I have had the pleasure of working with this great guy and investigator for almost 3 years; he technically designed and built a very high class cyber lab capable of supporting a lot of evidence, with their E01 copies and a ton of the latest technologies for almost any sound acquisition of REAL evidence. The biggest and best in my state! His fear, as is mine and that of all other professional investigators, is that willfully uninformed supervisors just want a quick preview and, with that, using this forensically UNsound information and unofficial evidence, they want to get arrest and more equipment search warrants. Previews are NOT forensically sound and can easily lead to false arrest, false prosecution and destruction of an innocent person’s life. Since this was written, an incredible class on Raptor (YouTube videos linked above) was delivered to HTCIA members, and the YouTube videos were made by this Investigator, who is now a patrolman. This same guy, who is considered by many of the Federal trainers, Local trainers, High Tech organizations and professional Law Enforcement officers as one of the finest cyber investigators in the southeastern United States, has now returned to patrol. Lack of LE management’s understanding will lead to innocent people being charged, criminals getting away and, in general, a breach of good lab procedures, and the correct forensic search for REAL evidence will be lost. An example: if one looks at fingerprints, the standard for them to be used as evidence is that there must be 12 to 20 identifying markings on the unique ridges or swirls on a finger. What if you suddenly said 5 matches were enough to arrest and prosecute? Remember there is a very fine line between Prosecution and Persecution, actually only one letter. I was in Law Enforcement back when crime scene preservation was a joke and DNA was black magic, and I remember this same stuff happening and coming from uninformed leaders.
It is sad that it is happening again, as I had hoped that Law Enforcement had accepted the new and innovative technologies along with forensically sound techniques and processes.
Let me give you an example: there is a current case where a college professor who runs an open 24x7 computer lab, with several open computers for the students. A female student found 1 picture that offended her. The local department came in, did a preview and arrested the professor. They seem to have forgotten the basic principles of Custody, Control and Care. That has not helped the professor, who has lost his position, and no matter what happens his academic life is harmed and he will have to spend a large sum of money to fight the unjust charges. I am hoping that this is not a common occurrence!!!!!
Yes, previews are needed to go forward with a full examination and a Full recovery. They alone can prove if a crime has been committed. You must prove that the suspect had Control of the device during the crime, that he or she had custody of the device during the crime and that they were in full Care at the time of the crime.
The really bad news is that almost all states have little or no new laws focused on cybercrime and, worse, most defense attorneys have no training on how to defend against ramrod charges and weak evidence. All this, and soon we will have point-and-click forensics being used by poorly trained investigators, and this will lead to even more innocents being charged. Like push-button network analysis, this just shows you a potential problem; you must understand your network, the components, the applications and the users to then develop a solution through your deep overall understanding.
I heard one official saying to a very good investigator who has chosen to go back on patrol, “By you filing/charging on all these pedophiles you are making my county look like an area of perverts”. I guess it is better to let them attack our children than soil a politically perceived good image? Am I missing something here?
I am here just talking about pedophiles and child pornographers; there are many more types of cyber criminals. If we raise the subject to get Law Enforcement to help our stores and industry to defend against and prosecute cyber-attacks, thefts, etc., we will find that the current state of capability is very poor. The Feds, who are much more sophisticated and have strict training and lab procedures, will help if the losses are in the millions+, so where is our state and local LE? They just cannot handle that level of technology, so Private Investigators and other experts are called in, but few if any of the criminals ever get charged or prosecuted. Even our state lab, which has had huge cutbacks and is streamlining its activities, will not take a preview as anything but a signal that deeper investigations are required. In the last year the state has lost 8+ top cyber investigators; about half left because of burnout, the others have been demoted over conflict on procedural issues, as firing them would trigger an investigation… so a plan to demean and discredit them so they will have to leave seems to be the current political strategy.
I saw one agency build the most sophisticated cyber investigation lab in the state, with all the protection and equipment to do real, NIST quality investigations. That will soon be closed or turned over to be used as a backup or remote lab for a state agency.
I hope that we, the citizens of this Great Country, raise our voices and fight sloppy investigative and prosecution work, get cyber-focused laws, and help and demand training for Defense teams and State/Federal certifications for all investigators. We must demand that procedures and lab quality be just like they are for latent evidence, DNA, fingerprints, etc., and the labs associated with them. We need to train the defense and prosecution lawyers in how to make sure that clients are not charged because of sloppy evidence gathering. I and several friends and associates see the same problem, and we all have made a choice to start helping all involved in the legal process, from Investigators, IS Managers, Prosecutors, Defense and even corporations, in the real ways that the evidence should be gathered and, if not forensically sound, then how to defeat it. We ALL must demand forensically sound evidence! To help the entire justice program we will be starting classes in Atlanta starting Q1, 2013. Watch www.lovemytool.com for dates and subjects.
The Author - Casey Mullis has been in Law Enforcement for roughly 14 years, including military and civilian law enforcement. He started learning about computers back when the Gateway 266 MHz was the top of the line and cost about $2000.00. Right out of the box, I was compelled to take my newfound 266 apart. Why, I have no idea other than pure curiosity. Once I had the computer out of the box and on the floor in pieces, my wife walked in. Trust me people, this was not a good thing! Either way, I got a good understanding at this point of how a computer is put together and/or the components inside. This was my starting point with computers, and I still hear my wife in the background: “It better work when you put it back together!” That was my humble beginning as a Cyber Investigator. Now with many Cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats to be able to forensically acquire evidence, and it is a real everyday challenge. I enjoy this challenge and look forward to learning more every day! Casey considers himself a Google Master, as he says he can find out about almost anything if you look hard enough with Google!