Acquisition: Collecting the evidence

Have you ever seen Law and Order or CSI? In these shows a crime takes place and it’s the detective’s job to solve the crime and place the criminal(s) behind bars. During the investigation police tape is used to cut the crime scene off so nothing is disturbed and everything at the scene is how it was when the crime took place. The preservation of the crime scene is a vital step in the process of solving a crime. The crime scene concept can also be applied to digital forensics. In this case the crime scene can be a computer’s hard drive, RAM, or a USB drive. But how can this “crime scene” be preserved so it can be analyzed for evidence? The answer to this is imaging.

What is imaging? Imaging is the process of taking a bit for bit copy of the original data contents from a computer system.

This original data can come from several different sources:

  • Hard drive
  • RAM
  • Removable media
    • CD
    • DVD
    • USB drives

To relate this to physical police forensic work, taking an image is like the police cutting off the crime scene by using police tape.

Why would an image need to be taken? This is so the data on the computer can be examined. Let’s put this into a scenario. We have a company that has an employee that may have illegal pictures on his company computer. Now the only way to find out if this is true is to examine the contents of the computer. It is not wise to check for the illegal pictures using the computer in question. This may alter the data that is on the computer. Taking an image solves this problem. Because the image is a bit for bit copy everything that is in the hard drive is preserved including when the pictures in question were put on the computer, when they were accessed, and where they may have come from.

There are two different types of acquisition: dead and live. Dead acquisition is when an image of a “dead” hard drive or removable media is taken. A hard drive is considering dead when a questionable operating system is not interacting with the hard drive, dead in this case doesn’t necessary mean broken or not repairable.  An OS becomes questionable or when it is suspected of being infected with malware or a virus. A hard drive that is removed from a computer is also considered dead. Only non volatile sources of data storage can be imaged while dead. Non volatile means that the contents of the storage device will be preserved when the device is removed from power.

Here are some examples of non volatile storage:

  • Platter hard drives
  • Solid state hard drives
  • CDs
  • DVDs
  • Flash drives
  • SIM cards

Before taking an image of a dead device it is good practice to label the hard drive using an evidence tag. This tag will contain information like:

  • Case name and evidence number
  • Date the evidence was taken
  • Model and serial numbers of the hard drive
  • Hard drive capacity
  • Which computer it came from
  • Type of evidence
    • Original evidence – the name says it all, this is the evidence that came from the computer in question
    • Best evidence – in some cases you will not be able to take the original evidence for a case. So the first copy that is taken is the “best evidence” all other copies that are to be used for forensic examination will be taken from the best evidence.
    • Working copy – A working copy is a copy of the original evidence that is to be tested using forensic tools

When imaging a dead device always use a write blocker. A write blocker is a physical device that blocks a computer system from writing to the device that is connected to the write blocker. For example if I have a dead hard drive that I want to take an image of the prudent course of action would be to connect the dead hard drive to the write blocker then connect the write blocker to my forensic computer system. This set up will allow me to take an image of the hard drive in question without altering the contents on the hard drive thus maintaining the hard drive’s integrity.

Live acquisition is when an image of a hard drive or other form of storage is taken when the suspect OS is interacting with the evidence. This is when volatile storage is imaged, for example when a computer becomes compromised most of the time RAM will have records or evidence of programs that are not supposed to be running on the computer in question. The only way to acquire RAM is to use live imaging. This is because RAM is volatile evidence. When power is removed from RAM the contents are cleared.

After the image is taken a hash needs to be taken of the evidence. Hashing is a method of taking a file or input of any length and producing a fingerprint or unique value which is used to identify a file. If the slightest bit in a file is changed then the hash of the file will radically change. There is also a chance that two different files can have the same hash. This is known as a hash collision. But the odds of this happening are astronomically small.

The two most common hashing algorithms are:

  • MD5 – Message digest 5
  • SHA-2 – Secure Hash Algorithm

The formula for making a hash is: Input or file fed into hashing algorithm = hash

The file is fed into the algorithm and it produces a random set of numbers and characters based on the hashing algorithm used.

Here’s an example of hashing and what will happen when a file’s contents are changed

I created a text file on a Linux system to show what will happen to a file's hash value when its contents are changed
First I create a text file on the Linux system. Notice in the command that the text in quotes starts with a capital t.
MD5 hash of the text file
Next I used the md5sum command to calculate the md5 hash of the text file. The random string of numbers is the md5 hash of the text file.


I then used the nano text editor to change the first letter of the text file to lowercase
I then used the nano text editor to change the first letter of the text file to lowercase
Finally I used the md5sum command again on the text file but the hash of the file is very different because of the change I made to the text. This shows that even the slightest change will affect the hash of the file.
Finally I used the md5sum command again on the text file. The hash of the file is very different because of the change I made to the text. This shows that even the slightest change will affect the hash of the file.

After the original evidence is imaged a copy of the image is taken so it can be examined. A hash is then taken of this copy and compared against the hash of the original evidence. If the hashes match then the copy is exactly the same as the original evidence.

In addition to using hashing, chain of custody must be used to insure the evidence has not been tampered with. Chain of custody is a paper trail that starts when the evidence is seized by law enforcement through final disposition in the court of law. The chain of custody will start with the name and contact information of the first responder that took the item in as evidence for his or her case. The chain of custody document will then have the name and contact information of the next person that takes control of the evidence; also there will be signatures of both people on this document confirming that the exchange of control took place. This is quite common in police work when a first responder has to pass the original evidence to a digital forensics investigator. The chain of custody document should continue to document who takes control of the original evidence, until that evidence is imaged. Once the image of the original is made and the hash verifies it is an exact copy of the original then the hash becomes the chain of custody until final disposition in court. In other words the hash of the image is the link to the chain of custody document.

For my next post I’ll be discussing best practices on storing original evidence, both physical and digital and some of the tools I use to image disk drives. Thanks for reading!



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s