Acquisition: Storing the evidence and imaging tools

In the previous post I discussed some of the first steps in the acquisition process. Finding the physical or digital evidence at the crime scene, starting the chain of custody, recording when change of control takes place on the chain of custody document, image hashing, and making the copy of the original or best evidence to use for forensic examination. The only task left in the acquisition process is storing the original evidence. In this post I’ll also introduce some acquisition tools and describe some of their features.

Depending on whether or not the best evidence in a case is digital or physical the best practices for storing that evidence will change how the original evidence should be stored. If a physical hard drive is the original evidence then the usual storing method is to place the hard drive on a shelf in a climate controlled room. There are several problems with this method. Original evidence can sit in storage for years before it is called upon for a case. This can lead to the hard drive breaking down while it is in storage. If this happens then the evidence will be changed and the case will most likely be thrown out. With physical hard drives there is not much that can be done to fix this. However with digital evidence measures can be taken that can safeguard it from these problems. The best thing to do with digital evidence is to upload it to a managed RAID system that has regular backups done. (RAID stands for redundant array of independent disks. This type of system is designed to be a more robust type of data storage.) Another method is to have offsite backups of the evidence done. The main copy can be in a computer system at the police station and the backup can be at a separate location for example. If disaster strikes the main location and the main storage system is damaged or destroyed the backup can be used.

There are multiple disk imaging tools to choose from, some use the command line and others use the GUI (Graphical user interface). Let’s start with one of the oldest tools still in use: dd.

dd is a command line tool that is used to capture forensic images from hard drives, USB drives, and other forms of media. dd stands for data description; others may believe that dd stands for data dump. I’ve heard both terms being used so I interchange them; they both refer to the same tool. Dd is built into the Unix operating system, is part of the GNU Corutils package, and has many features:

  • Forensic image creation
  • Drive wiping
  • Data copying

Dcfldd is an upgraded version of the dd program that was created by the US Department of Defense Computer Forensics Lab. Dcfldd has many more features than its dd counterpart:

  • Hashing of the data on the fly
    • Meaning that while the imaging is in progress the program is creating a hash
  • Displays progress of the imaging process
  • Imaging bit for bit verification
  • MD5 and SHA-256 hashing of data

FTK Imager is a GUI based tool made by Access Data. FTK Imager can be run from a forensic system or from a USB drive. This tool has a plethora of features:

  • Forensic image creation
  • Memory image creation
  • Local file system mounting
    • This feature will allow the examiner to take a peek at what’s inside the hard drive and determine if further examination is needed
  • Image mounting
  • Deleted file recovery
  • Hashing of the imaged media
  • File and folder exporting from forensic images

These are three great tools that can be used to acquire forensic images in the field. In my next post I’ll show how to use each of these tools. Thanks for reading.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s