1. Gary Palmer, “A Roadmap for Digital Forensic Research.” Digital Forensics Research Workshop (DFRWS), 2001. Technical report DTR-T0010-01, Utica, New York.
Chapter 2: Linux as a Forensic Acquisition Platform
1. Erin Kenneally, “Gatekeeping Out of the Box: Open Source Software as a Mechanism to Assess Reliability for Digital Evidence,” Virginia Journal of Law and Technology 6, no. 13 (2001).
2. Brian Carrier, “Open Source Digital Forensic Tools: The Legal Argument” [technical report] (@stake, Inc., October 2002).
1. Philip Turner, “Unification of Digital Evidence from Disparate Sources (Digital Evidence Bags)” (paper presented at Digital Forensic Research Workshop [DFRWS], New Orleans, Louisiana, August 18, 2005). http://dfrws.org/2005/proceedings/turner_evidencebags.pdf.
2. M.I. Cohen, Simson Garfinkel, and Bradley Schatz, “Extending the Advanced Forensic File Format to Accommodate Multiple Data Sources, Logical Evidence, Arbitrary Information and Forensic Workflow,” Digital Investigation 6 (2009): S57–S68.
3. With Debian-based systems, the package is installed using apt-get install squashfs-tools.
Chapter 4: Planning and Preparation
1. The dot in this example may be interpreted as a regular expression metacharacter (matching any single character rather than a literal dot). This is ignored here for simplicity.
2. The GNU cp command also allows for the creation of sparse files during copy.
3. Tested on a typical i7 PC with two SATA3 disks using dd.
4. Forensically sound acquisition also deals with data completeness and preserving integrity.
5. “Tableau Bridge Query—Technical Documentation,” accessed 8 December 2005, previously available for download. Contact Guidance Software for more information.
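Note 2 above mentions that GNU cp can create sparse files during a copy. The following shell script is an added illustration, not code from the book: it builds a constructed 4 MiB raw "image" containing a 2 MiB run of zeros, copies it once with --sparse=never and once with --sparse=always, and shows that the allocated blocks differ while the length and the SHA-256 hash (the evidence integrity check) stay the same. It assumes GNU coreutils and a filesystem that supports holes; the directory and file names under $WORK are arbitrary.

```shell
#!/bin/sh
# Added example, not from the book. Demonstrates GNU cp's --sparse option on a
# constructed raw image: the copy is byte-identical (same hash) but consumes
# fewer disk blocks because runs of zeros become holes. Assumes GNU coreutils
# and a filesystem that supports sparse files (ext4, xfs, tmpfs, ...).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed 4 MiB "image": 1 MiB of random data, 2 MiB of zeros, 1 MiB of data.
make_image() {
    out=$1
    dd if=/dev/urandom of="$WORK/chunk" bs=1M count=1 status=none
    {
        cat "$WORK/chunk"
        dd if=/dev/zero bs=1M count=2 status=none
        cat "$WORK/chunk"
    } > "$out"
}

# Copy without holes: every zero byte is written to disk.
dense_copy()  { cp --sparse=never  "$1" "$2"; }
# Copy with holes: cp detects zero runs and seeks past them instead of writing.
sparse_copy() { cp --sparse=always "$1" "$2"; }

# Disk blocks actually allocated, in KiB (du reports allocation, not length).
allocated_kib() { du -k "$1" | cut -f1; }
# Logical (apparent) length in bytes, which must match regardless of holes.
apparent_bytes() { wc -c < "$1" | tr -d ' '; }
# Forensic check: the evidence hash must not change when holes are introduced.
same_hash() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ] && echo identical || echo different
}

make_image "$WORK/image.raw"
dense_copy  "$WORK/image.raw" "$WORK/image.dense"
sparse_copy "$WORK/image.raw" "$WORK/image.sparse"

printf 'dense:  %s KiB allocated\n' "$(allocated_kib "$WORK/image.dense")"
printf 'sparse: %s KiB allocated\n' "$(allocated_kib "$WORK/image.sparse")"
printf 'length: %s bytes in both\n' "$(apparent_bytes "$WORK/image.sparse")"
printf 'hashes: %s\n' "$(same_hash "$WORK/image.dense" "$WORK/image.sparse")"
```

On a filesystem without hole support the two copies allocate the same space, and the content check still passes; sparseness is a storage property of the copy, not a property of the evidence. GNU dd's conv=sparse does the same thing at acquisition time.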
Chapter 5: Attaching Subject Media to an Acquisition Host
1. From the lsusb -v output, the iSerial device descriptor in Linux Foundation...root hub devices will point to the USB controller’s PCI device address.
2. SMART statistics and logs available vary among hard disk vendors.
3. For a paper on the forensics of HPA and DCO areas, see Mayank R. Gupta, Michael D. Hoeschele, and Marcus K. Rogers, “Hidden Disk Areas: HPA and DCO,” International Journal of Digital Evidence 5, no. 1 (2006).
4. Some mainboards require SATA ports to be configured for hot plugging in the BIOS.
5. For research into the possibility of hiding data in the service sectors, see Ariel Berkman, “Hiding Data in Hard-Drive’s Service Areas,” Recover Information Technologies LTD, February 14, 2013, http://www.recover.co.il/SA-cover/SA-cover.pdf.
7. The Joint Test Action Group (JTAG) defines a standardized debug interface for accessing electronic components.
8. At the time of this writing, I did not have testing access to any NVMe drives with support for multiple namespaces. These conclusions are based on reading the standards and documentation.
Chapter 6: Forensic Image Acquisition
1. It is assumed the authorized person has installed GnuPG and has securely generated a key pair.
2. PEM was originally defined in the Privacy Enhanced Mail standards (RFC 1421–1424); today the name usually refers to the base64 text format, delimited by BEGIN/END lines, used to store X.509 certificates and keys.
3. Multiple signatures from different people can also be used to reduce the risk of stolen keys or malicious changes by one person.
4. On some systems, this is a Perl script located in /usr/lib/ssl/misc.
5. In the data recovery industry, this is called a donor drive.
6. The quote from Andrew S. Tanenbaum is appropriate here: “Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.”
7. cdparanoia was developed when CD drives had more quality issues than today’s drives.
8. Heinz Mauelshagen, “dmraid - Device-Mapper RAID Tool: Supporting ATARAID Devices via the Generic Linux Device-Mapper.” Paper presented at the Linux Symposium, Ottawa, Ontario, July 20–23, 2005.
9. The Linux md driver originally meant mirror device, and some OSes call them meta devices.
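Notes 1 and 3 above concern the examiner's GnuPG key pair and the use of multiple signatures from different people. The following shell script is an added example, not code from the book: in a throwaway GNUPGHOME it generates two examiner keys (the names and addresses are made up), signs a SHA-256 hash list of a constructed image with both keys in a single detached signature, counts good signatures from gpg's machine-readable --status-fd output, and shows that changing one byte of the hash list invalidates both signatures. It assumes GnuPG 2.1 or later (for --quick-generate-key and --pinentry-mode loopback).

```shell
#!/bin/sh
# Added example, not from the book. Two examiners sign the same hash list of an
# image with separate GnuPG keys; verification succeeds only while the file and
# both signatures are intact. Uses a throwaway GNUPGHOME so no real keyring is
# touched. Assumes GnuPG 2.1+. Keys, names and the image are all constructed.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
# Stop the agent started for this keyring before deleting it.
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# gpg in non-interactive mode; keys are created without a passphrase here only
# because this is a disposable demonstration keyring.
gpg_b() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Generate a signing key for one (hypothetical) examiner.
make_key() { gpg_b --quick-generate-key "$1" default default never >/dev/null 2>&1; }

# Both examiners sign the hash list; two -u options put two signatures into
# one detached signature file ($1.sig).
sign_hashes() {
    gpg_b -u one@example.test -u two@example.test --detach-sign -o "$1.sig" "$1"
}

# Exit status only: 0 when every signature on $1.sig verifies against $1.
verify_hashes() { gpg --batch --verify "$1.sig" "$1" >/dev/null 2>&1; }

# Number of GOODSIG status lines, i.e. how many signatures verified.
good_signatures() {
    gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
        | grep -c '^\[GNUPG:\] GOODSIG' || true
}

make_key "Examiner One <one@example.test>"
make_key "Examiner Two <two@example.test>"

# Constructed 64 KiB "image" and its hash list, as produced after acquisition.
dd if=/dev/urandom of="$WORK/image.raw" bs=1k count=64 status=none
( cd "$WORK" && sha256sum image.raw > image.raw.sha256 )

sign_hashes "$WORK/image.raw.sha256"

# Tampered copy: same signature file, hash list altered by one appended byte.
cp "$WORK/image.raw.sha256" "$WORK/tampered.sha256"
cp "$WORK/image.raw.sha256.sig" "$WORK/tampered.sha256.sig"
printf 'x' >> "$WORK/tampered.sha256"

# Full chain: image hash still matches the list, and the list carries two
# good signatures; the tampered list carries none.
( cd "$WORK" && sha256sum -c image.raw.sha256 >/dev/null )
printf 'good signatures on original list: %s\n' "$(good_signatures "$WORK/image.raw.sha256")"
printf 'good signatures on tampered list: %s\n' "$(good_signatures "$WORK/tampered.sha256")"
```

gpg --verify returns non-zero if any signature in the file is bad, so a policy of "all examiners must have signed" is enforced by the exit status; the GOODSIG count is what you would log in the case notes.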
Chapter 7: Forensic Image Management
1. As of this writing, the most recent version of ewfacquire had bzip2 support temporarily disabled (see section 20160404 in the ChangeLog file of the libewf software package).
2. The sector count (the visible size of the drive) could also be replicated using a DCO.
3. I am Canadian; hence the favoritism for the RCMP method. :-)
Chapter 8: Special Image Access Topics
1. The term slices originates from BSD UNIX, and it’s a common partitioning scheme in the UNIX world.