Friday, June 5, 2015

Forensic Imaging and their Formats - DD (raw)

Forensic imaging is the process of making an exact copy of a hard drive or some other type of media. During the process, every 0 and 1 on the original disk/media is copied to the target disk/media. Prior to performing imaging, the destination drive must be zeroed or blanked (whereismydata.wordpress.com, 2009).


The raw image format is a bit-by-bit copy of the raw data on the source media without any additions or deletions. Images produced in raw format do not contain any metadata; however, this metadata may be stored in additional files. Tools such as dd and its derivatives (dc3dd, dcfldd, etc.) typically write images in the raw format (forensicswiki.org, n.d.).


The image below shows a successful acquisition of the contents of the drive /dev/sdb1. The input md5 and sha1 values of /dev/sdb1 match the output values of the created image “forensicImage.raw”:

f44189506b2d888d810105af6ddbe760  forensicImage.raw
0aec1c7155dac2616adc0c577f4414c94b41590f  forensicImage.raw
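As an added example (not from the post or any of the tools it names), here is the check the post performs by hand, in Python: hash the source and the raw image in one pass with both md5 and sha1, compare them, and render the digests as the md5sum-style sidecar lines a raw image needs because the format itself carries no metadata. The "source media" is a constructed byte buffer standing in for /dev/sdb1.

```python
import hashlib
import io

ALGORITHMS = ("md5", "sha1")  # the two digests the post compares

def hash_stream(stream, block_size=1024 * 1024):
    """Read the source once and feed every chunk to both digests, the way dc3dd and
    dcfldd hash while they image. Returns {algorithm: hexdigest}."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    for chunk in iter(lambda: stream.read(block_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def sidecar_lines(digests, image_name):
    """md5sum/sha1sum-style lines ('<hex>  <name>'): a raw image stores no metadata,
    so the acquisition hashes live in a file beside it."""
    return [f"{digests[alg]}  {image_name}" for alg in ALGORITHMS]

def verify_image(source, image):
    """Hash the source media and its raw image; every digest must match for a good
    acquisition. Returns (all_match, {algorithm: (source_hex, image_hex)})."""
    src, img = hash_stream(source), hash_stream(image)
    pairs = {alg: (src[alg], img[alg]) for alg in ALGORITHMS}
    return all(s == i for s, i in pairs.values()), pairs

def check(source_bytes, image_bytes):
    """Convenience wrapper that verifies in-memory buffers instead of open files."""
    return verify_image(io.BytesIO(source_bytes), io.BytesIO(image_bytes))

# Constructed stand-in for /dev/sdb1: 3 MiB of patterned bytes, not a real device.
SOURCE = bytes(range(256)) * (3 * 1024 * 1024 // 256)
GOOD_IMAGE = SOURCE                                    # faithful bit-for-bit copy
BAD_IMAGE = SOURCE[:-1] + bytes([SOURCE[-1] ^ 0x01])   # one flipped bit in the last byte

if __name__ == "__main__":
    ok, pairs = check(SOURCE, GOOD_IMAGE)
    print("image verified" if ok else "HASH MISMATCH")
    image_digests = {alg: image_hex for alg, (_, image_hex) in pairs.items()}
    for line in sidecar_lines(image_digests, "forensicImage.raw"):
        print(line)
```

Run against a real acquisition by opening the device and the image file in binary mode and passing both to verify_image; a single flipped bit, as in BAD_IMAGE, fails both digests.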

Reference:
https://whereismydata.wordpress.com/2009/06/27/forensics-what-is-imaging/
http://forensicswiki.org/wiki/Raw_Image_Format


In this series

Working with media - Unallocated Space
Working with media - Allocated Space
Working with media - Partitioning
Working with media - Sectors
Working with media - Clusters
Working with media - Slack Space
Forensic Imaging and their Formats - The Advanced Forensic Format (AFF)
Forensic Imaging and their Formats - Encase Image (E01)
Forensic Imaging and their Formats - DD (raw)

Forensic Imaging and their Formats - Encase Image (E01)


The E01 extension is primarily used by EnCase Forensic Imager. However, this format can also be produced by tools such as FTK Imager. The image below shows part of the process of an image being acquired in E01 format in FTK Imager.



Forensic Imaging and their Formats - The Advanced Forensic Format (AFF)


The Advanced Forensic Format (AFF) is an open-source, flexible and extensible image format which allows metadata to be stored with the image. It also consumes less space than images in other formats since it utilizes compression (Garfinkel, Malan, Dubec, Stevens, & Pham).


The image below shows an image being acquired with the AFF extension using GUYMAGER.

Working with media - Slack Space

Slack space is considered to be the space between the end of a file and the end of the cluster to which the file belongs (rjohnston, 2011). As an example, I’ve formatted a Windows disk with a 1024-byte cluster size, as can be seen below.



A file named “slack-space-test.txt” of size 338 bytes has been created. The operating system may write additional data to this cluster, therefore the actual size of the slack space may not necessarily be the difference between 1024 and 338. From the image below, the cluster consists of two sectors (512 * 2 = 1024). The first sector begins at offset x1546ec00 (not shown), while the third sector begins at offset x1546f000. The difference between those values tells us we have a 1024 (x400) byte cluster. The highlighted area below represents the slack space.

Hope you find this information helpful, and please see the other posts in this series for additional information on working with media.

Reference:
http://blog.priveonlabs.com/sec_blog.php?title=forensic-basics-slack-space&more=1&c=1&tb=1&pb=1



Working with media - Clusters

Clusters consist of one or more sectors, and the number of sectors per cluster is a power of 2; that is, clusters are 2, 4, 8, 16, etc. sectors, although a cluster can also consist of a single sector. The space in a cluster is reserved for data contents. Whenever data is appended to a file and the file grows, additional clusters are allocated accordingly (ntfs.com, n.d.).

As an example, if we have a file of 600 bytes and a drive with 1024-byte clusters, this would require 1 cluster (1024 bytes) to be reserved, since 600 bytes is more than the size of 1 sector (512 bytes) but still fits within one cluster. If this file grows to 1200 bytes then 2 clusters (2048 bytes) will be allocated. To view the disk cluster information on a computer running Microsoft Windows, one can use either fsutil (technet.microsoft.com, 2012) or chkdsk (microsoft.com, n.d.) as shown below.



On a computer running Linux, the term is not cluster but block. In the image below our “test.txt” file, which is 8 bytes, actually takes up 8 blocks. From the image in the “sectors” post we know that each sector is 512 bytes. As a result, the IO block size for this drive/partition is 512 * 8, which equals 4096 bytes. Therefore, for the purpose of this discussion, this drive/partition uses a 4096-byte block size, similar to how Microsoft Windows uses a 4096-byte cluster.


Working with media - Sectors

Sectors are the smallest unit of storage on a hard drive and are typically 512 bytes (active-undelete.com, n.d.). However, manufacturers of newer hard drives have started moving to disks with a sector size of 4096 bytes (4K), which are considered more efficient (seagate.com, n.d.). Sectors can be read from or written to in any order, since disk access is random access. However, the bytes within each sector are ordered sequentially (sawdust, 2012).

In the example below, we have a drive which shows one sector starting at offset x15470000 and another starting at offset x15470200. I’ve also created a file which is less than 512 bytes (actually about 317 bytes) and which should therefore fit within one sector. However, as can be seen, this file actually starts at offset x15470160 and spans two sectors: the write did not start at the beginning of a sector, but it is contiguous across the two sectors.
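An added example (not code from the posts) that carries through the arithmetic of the slack space, clusters and sectors posts in Python: which sectors a write spans, how many clusters a file reserves, how much slack it leaves, and how to pull the slack region out of a raw image. The two-cluster image and its 0xEE remnant bytes are constructed for the demo.

```python
SECTOR = 512  # the 512-byte sectors in the posts; a 4K-sector drive only changes this constant

def sectors_spanned(offset, size, sector_size=SECTOR):
    """Sector numbers touched by `size` bytes written at byte `offset`. The post's
    317-byte file at 0x15470160 starts mid-sector and therefore spans two sectors."""
    if size <= 0:
        return []
    first, last = offset // sector_size, (offset + size - 1) // sector_size
    return list(range(first, last + 1))

def clusters_needed(file_size, cluster_size):
    """Whole clusters the file system reserves (ceiling division): 600 bytes in
    1024-byte clusters costs 1 cluster, 1200 bytes costs 2 (2048 bytes)."""
    if cluster_size <= 0 or cluster_size & (cluster_size - 1):
        raise ValueError("cluster size must be a power of two")
    return -(-file_size // cluster_size)

def slack_bytes(file_size, cluster_size):
    """Nominal slack, end of file to end of its last cluster (338 bytes -> 686).
    Real slack can be smaller when the OS writes extra data into the cluster."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size

def cluster_size_from_offsets(first_sector, next_cluster_sector):
    """Cluster size read off a hex editor: distance from the cluster's first sector
    to the first sector of the next cluster (0x1546ec00 -> 0x1546f000 = 0x400)."""
    return next_cluster_sector - first_sector

def extract_slack(image, cluster_start, file_size, cluster_size):
    """Slack region of a file whose first cluster starts at `cluster_start` in a raw
    image: the bytes after the file's end, where remnants of earlier data survive."""
    end = cluster_start + clusters_needed(file_size, cluster_size) * cluster_size
    return image[cluster_start + file_size:end]

# Constructed two-cluster raw image: the medium previously held 0xEE bytes, then the
# 338-byte slack-space-test.txt was written at the start of cluster 1 (offset 1024).
CLUSTER = 1024
_disk = bytearray(b"\xee" * (2 * CLUSTER))
_disk[CLUSTER:CLUSTER + 338] = b"A" * 338
SAMPLE_IMAGE = bytes(_disk)

if __name__ == "__main__":
    print("sectors:", [hex(s) for s in sectors_spanned(0x15470160, 317)])
    print("clusters for 1200 bytes:", clusters_needed(1200, CLUSTER))
    print("slack for 338 bytes:", slack_bytes(338, CLUSTER))
    slack = extract_slack(SAMPLE_IMAGE, CLUSTER, 338, CLUSTER)
    print("slack region holds", len(slack), "bytes, first of them", hex(slack[0]))
```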




On a computer running Microsoft Windows, one can use either fsutil (technet.microsoft.com, 2012) or chkdsk (microsoft.com, n.d.) to see the sector information.


On a computer running Linux you can use the “fdisk” utility to see your sector size.


Hope you find this information helpful, and please see the other posts in this series for additional information on working with media.

Reference:
https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/chkdsk.mspx?mfr=true
http://superuser.com/questions/432318/what-are-disk-sectors-for
http://www.seagate.com/ca/en/tech-insights/advanced-format-4k-sector-hard-drives-master-ti/
https://technet.microsoft.com/en-us/library/cc788080.aspx


Working with media - Partitioning


Partitions are used for breaking a physical drive into one or more logical drives. Each logical drive can then be accessed as if it were a separate physical disk. Users may create separate partitions so as to separate operating system (OS) data from user data. In some instances, the aim may be to use multiple OSes or even to run different file systems on one hard drive. Data about the partitions is stored in a partition table at the very start of the disk (access.redhat.com, n.d.).

The image below shows a drive which has been partitioned into two. In this case the two partitions are formatted as ext4 and NTFS, so the single disk /dev/sdb now has two partitions: /dev/sdb1 formatted as ext4 and /dev/sdb2 formatted as NTFS.
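An added example, not from the post: a parser for the partition table at the start of the disk, assuming the classic MBR layout (four 16-byte entries at byte 446 and the 0x55AA signature at byte 510; GPT disks use a different structure). The sample MBR is constructed to mirror the post's layout, a Linux partition followed by an NTFS one, with made-up sizes, and the last function reports the sectors no partition covers.

```python
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, first LBA, sector count (16 bytes)
TABLE_OFFSET, SIGNATURE = 446, b"\x55\xaa"
TYPE_NAMES = {0x83: "Linux", 0x07: "NTFS/exFAT"}  # only the two type bytes used here

def build_mbr(entries):
    """Constructed MBR for the demo: zeroed boot code, the given (status, type,
    first_lba, sectors) entries, placeholder CHS fields, and the 0x55AA signature."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, first_lba, sectors) in enumerate(entries):
        packed = struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", first_lba, sectors)
        mbr[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)] = packed
    mbr[510:512] = SIGNATURE
    return bytes(mbr)

def is_valid_mbr(mbr):
    return len(mbr) >= SECTOR and mbr[510:512] == SIGNATURE

def parse_mbr(mbr):
    """Decode the four primary entries; empty slots (type 0x00) are skipped."""
    if not is_valid_mbr(mbr):
        raise ValueError("missing 0x55AA signature: not an MBR")
    parts = []
    for i in range(4):
        status, _, ptype, _, first_lba, sectors = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "type_name": TYPE_NAMES.get(ptype, f"unknown (0x{ptype:02x})"),
                      "first_sector": first_lba, "sectors": sectors, "size_bytes": sectors * SECTOR})
    return parts

def unallocated_gaps(parts, total_sectors):
    """(start, count) runs of sectors no partition covers: the gap before the first
    partition and any space after the last one belong to no file system."""
    gaps, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["first_sector"]):
        if p["first_sector"] > cursor:
            gaps.append((cursor, p["first_sector"] - cursor))
        cursor = max(cursor, p["first_sector"] + p["sectors"])
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors - cursor))
    return gaps

# Constructed table mirroring the post: /dev/sdb1 Linux (ext4) then /dev/sdb2 NTFS, 1 GiB each.
SAMPLE_MBR = build_mbr([(0x80, 0x83, 2048, 2097152), (0x00, 0x07, 2099200, 2097152)])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(f"partition {p['index']}: {p['type_name']}, first sector {p['first_sector']}, {p['size_bytes'] // 2**20} MiB")
    print("unallocated sectors:", unallocated_gaps(parse_mbr(SAMPLE_MBR), 4200000))
```

On a real disk, read the first 512 bytes of the device (or of a raw image) and hand them to parse_mbr; the type byte tells you what file system to expect in each partition before you mount anything.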

Hope you find this information helpful, and please see the other posts in this series for additional information on working with media.


Reference:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/ch-partitions-x86.html
