Welcome to Practical Forensic Imaging: Securing Digital Evidence with Linux Tools. This book covers a variety of command line techniques for acquiring and managing disk images for digital evidence. Acquiring disk images is the first step in preserving digital forensic evidence in preparation for postmortem examination and analysis.
Many digital forensics books are available on the market today. But the importance of forensic acquisition and evidence preservation tends to receive minimal attention. Often, the topic is only briefly covered in smaller chapters or subsections of a larger book. I thought that the topic of acquisition and evidence preservation was large enough to warrant its own book, and this book addresses this gap in the literature.
Another motivating factor to write this book was my desire to give back to the community in some way. After working professionally in a digital forensics lab for more than a decade and regularly using open source tools for various tasks (in addition to other commercial tools), I wanted to provide an additional resource for my colleagues and other professionals.
A third motivating factor was the increasing importance of preserving forensic evidence in the private sector. Investigating misconduct, fraud, malware, cyber attacks, and other abuse is becoming more common across private industry. But emphasis on the steps needed to acquire and preserve evidence is often lacking. Law enforcement agencies require properly acquired and preserved evidence to prosecute criminals. Civil cases involving e-discovery might require the sound acquisition and preservation of disk images. Large organizations with internal teams managing human resources disputes, policy violations, and whistle-blowing incidents can also benefit from following accepted procedures for collecting and preserving digital evidence.
The book is a technical procedural guide. It explains the use of Linux as a platform for performing computer forensics, in particular, forensic image acquisition and evidence preservation of storage media. I include examples that demonstrate well-known forensic methods using free or open source computer forensic tools for acquiring a wide range of target media.
Unlike Linux forensic books covering a broad range of application and OS analysis topics, this book focuses on a single specific area within computer forensics: forensic acquisition, also known as forensic imaging, of storage media. This includes the preparation, acquisition, preservation, and management of digital evidence from various types of storage media. The sound acquisition of storage media is precisely what makes this process “forensic.”
In addition to covering open source tools, this book includes examples of several proprietary command line tools that are free to use but not open source.
I discuss some newer hardware topics that have not yet been incorporated into other forensic books, for example, NVMe and SATA Express, 4K-native sector drives, hybrid SSDs, SAS, UASP/USB3x, Thunderbolt, and more. Some of these are straightforward to manage in a digital forensics context; others are more challenging.
I also introduce a new forensic technique that uses the SquashFS compressed filesystem as a simple and practical forensic evidence container. With this book, I provide the sfsimage shell script, which can preserve evidence into SquashFS forensic containers.
Why is a book based on the command line even useful or relevant today? The computer command line has been around since the teletype days of the 1960s, making it more than half a century old. In computing, although age is sometimes viewed as a sign of obsolescence, it can also be a sign of maturity and dependability, which is the case with the Linux/Unix command line. Even Microsoft has recognized the value and power of the command line by introducing and promoting PowerShell as an alternative to the aging DOS prompt.
There are many reasons why the command line has retained its popularity over the years and continues to be relevant for the topics I discuss in this book. Here are some examples:
• Easier scripting and automation possibilities: A GUI interface is designed for human use, whereas the command line can be used by either human or machine. This makes the command line particularly useful for scripting and automating work.
• Better understanding of how things work under the hood: Graphical tools are often simply frontends to command line tools. Learning command line tools helps you understand what is going on under the hood when you’re using the GUI frontend tools.
• Flexibility and efficiency: When you execute certain tasks on the command line, you have more flexibility, power, and control. For example, piping and redirection allow you to combine multiple steps into a single command line.
• Unix philosophy: The traditional Unix philosophy is to create simple tools that do one job well, whereas large GUI programs pack rich and complex functionality into one large monolithic program.
• Remote access: Command line activity is secure and easy to perform remotely using ssh. In some cases, remote shell access is your only choice, especially when you’re working with virtual or cloud-based servers or systems located in other cities or countries.
• Headless servers: On Unix and Linux servers where an incident has occurred, the command line might be your only option, because a GUI might not have been installed.
• Embedded systems: Embedded Unix and Linux systems, such as Raspberry Pi, Beagleboard, or other Internet-of-Things devices, are increasingly popular, and they might only have a command line interface available.
• Knowledge investment: Command line tools do not change much over time compared to GUI tools. If you invest time learning to use a command line tool, you won’t need to relearn everything when the command is updated or new features are added.
• Personal preference: Some tech people simply prefer using the command line rather than a GUI and would use it if given the option.
This book provides you with a command line guide for performing digital forensic acquisition for investigations and incident response activities. It does not cover GUI equivalent tools or frontends.
I wrote this book with a specific audience in mind. I had some expectations and made some assumptions when writing many sections.
This book primarily benefits two groups of people. First, it helps experienced forensic investigators advance their Linux command line skills for performing forensic acquisition work. Second, it’s useful for experienced Unix and Linux administrators who want to learn digital forensic acquisition techniques.
The book targets the growing number of forensic practitioners coming from a number of areas, including incident response teams; computer forensic investigators within large organizations; forensic and e-discovery technicians from legal, audit, and consulting firms; and traditional forensic practitioners from law enforcement agencies.
By the end of this book, you should have a comprehensive and complete picture of the command line tool landscape available for performing forensic acquisition of storage media and the management of forensic images.
This book assumes that you have a working knowledge of OSes, in particular, the Unix and Linux shell environment. The examples in this book use the Bash shell extensively. You should also have an understanding of how to run command line programs as well as how to do basic piping and redirecting between programs.
Additionally, you should have a basic understanding of digital forensics principles, including write-blocking technology, sector-by-sector acquisition, and preserving evidence integrity with cryptographic hashing. This foundational knowledge is assumed when applying the examples presented.
You should have access to a functioning Linux platform with the relevant tools already installed. The book doesn’t cover how to find, download, compile, or install various tools. If you have a reasonably new machine (within a year of this book’s publication date) with a recent distribution of Linux, the examples should work without any issues. Some of the tools are not part of standard Linux distributions but can easily be found on GitHub or by searching for them.
Rather than a chronological list of steps, this book is intended to be more of a cookbook of tasks. However, the book does follow a logical progression, from setting up a platform, planning and preparation, and acquisition to post acquisition activities. In general, the book is designed as a reference, so you don’t need to read it from beginning to end. Certain sections assume some knowledge and understanding of prior sections, and appropriate cross-references to those sections are provided.
• Chapter 0 is a general introduction to digital forensics. I also cover the history and evolution of the field, mentioning significant events that have shaped its direction. I give special emphasis to the importance of standards needed to produce digital evidence that can be used in a court of law. The overall book strives to be international and independent of regional legal jurisdictions. This is important today, because more criminal investigations span country borders and involve multiple jurisdictions. Also, due to the increase in private sector forensic capabilities, the book will be useful for private forensic labs, especially in global firms.
• Chapter 1 provides a technical overview of mass storage media, connectors and interfaces, and the commands and protocols used to access the media. It covers the technologies a typical forensic investigator will encounter working in a professional forensic lab environment. I’ve made an effort to help you achieve clear understanding of the different storage media interfaces, protocol tunneling, bridging, and how storage media attach and interact with a host system.
• Chapter 2 provides an overview of Linux as a forensic acquisition platform. It briefly touches on the advantages and disadvantages of using Linux and open source software. It describes how the Linux kernel recognizes and handles new devices being attached to the system and how you can access those devices. The chapter presents an overview of Linux distributions and shell execution. It also explains the use of piping and redirection as an important concept used throughout the book.
• Chapter 3 covers the various raw and forensic formats commonly used in the field. These formats are the digital “evidence bags” for acquired storage media. The chapter explains raw images; describes commercial forensic formats, such as EnCase and FTK; and covers formats from the research community, such as AFF. It also introduces a simple forensic evidence container, based on SquashFS, and a tool for managing it.
• Chapter 4 is a transitional point in the book, leaving the theoretical and entering more practical and procedural territory. It begins with examples of maintaining logs and audit trails and saving command data for use in formal forensic reports. It covers various planning and logistical issues frequently faced by forensic investigators. It ends with a section on setting up a forensically sound, write-blocked working environment to prepare for the actual acquisition process.
• Chapter 5 progresses with attaching a suspect disk to the acquisition host and gathering data (ATA, SMART, and so on) about the disk. At this stage, media accessibility restrictions, such as HPA and DCO, are removed, and locked and self-encrypted disks are made accessible. This chapter also covers several special topics, such as Apple Target Disk Mode. At this point, the disk is prepared and ready for you to execute acquisition commands.
• Chapter 6 executes the acquisition, demonstrating multiple forms of forensic acquisition using open source as well as proprietary tools. Emphasis is placed on preserving evidence during acquisition using hashes, signatures, and timestamping services. The chapter also covers handling various scenarios with bad blocks and errors, as well as remote acquisition over a network. Special topics include the acquisition of tapes and RAID systems.
• Chapter 7 focuses on managing acquired disk images. This chapter assumes the forensic image has been successfully made, and typical post acquisition tasks are described. These tasks include compressing, splitting, and encrypting images; converting between forensic formats; cloning or duplicating images; transferring images to other parties; and preparing images for long-term storage. The chapter ends with a section on secure data disposal.
• Chapter 8 covers a number of special tasks that you can do post acquisition in preparation for examination. These tasks include accessing images via loop devices, accessing virtual machine images, and accessing OS-encrypted images (BitLocker, FileVault, TrueCrypt/VeraCrypt, and so on). The chapter also covers accessing other virtual disk containers. These techniques enable you to conduct forensic analysis on the images and allow you to safely browse the filesystem using regular file managers and other programs.
• Chapter 9 partly enters the forensic analysis realm and demonstrates extracting subsets of data from images. It includes identifying and extracting partitions (including deleted partitions), extracting inter-partition gaps, extracting slack space, and extracting previously hidden areas of the disk (DCO and HPA). The chapter shows several examples of piecewise data extraction, including the extraction of individual sectors and blocks.
Each chapter might describe several different tools used to perform the same task. Often, multiple tools will be available to you to perform the same task, and depending on the situation, one tool might be more useful than another. In such cases, I discuss the advantages and disadvantages of each tool.
Each section in a chapter follows roughly the same structure. The title provides a high-level description of the topic. An introductory paragraph describes the motivation for the section and explains why the particular task is useful for investigations, digital forensics, or incident response. In many cases, the motivation is driven by legal or industry-accepted standards. It’s important to know and understand these standards, because they support the forensic soundness of the work being done. Where necessary, I provide references to the source code of tools, additional information, or other articles of interest.
Prior to introducing or demonstrating a new tool, I provide a paragraph that describes the function or purpose of the tool and its relevance to digital forensics. In some cases, the history of the tool might also be of interest to you, so I include that as well.
After a description of the task and tool(s), you’ll see one or more command line examples as well as the command output (displayed in blocks of monospaced or fixed-width font). A command might be repeated to show different variations or extended forms of use. Each command example is followed by a paragraph that describes the command being executed and explains the resulting output.
A final paragraph might include potential gotchas, caveats, risks, and common problems or mistakes you might encounter that are relevant to digital forensic investigations.
This book focuses on the forensic acquisition of common storage media and the steps required to preserve evidence. Although some triage and analysis work is shown, in general, forensic analysis of application and OS data is considered outside the scope of this book.
A number of other areas are also outside the scope of this book, including data acquisition from areas other than traditional storage media, for example, network forensic acquisition, memory acquisition from live systems, cloud data acquisition, and so on.
In various places, I mention enterprise class storage media and legacy storage media, but I don’t provide practical examples. These are less commonly found in forensic lab settings. However, many of the methods presented will generally work with enterprise or legacy storage hardware.
The acquisition of proprietary devices is also beyond the scope of this book. Acquiring the latest generation of mobile phones, tablets, or Internet-of-Things devices might be possible with the tools and techniques shown in the book (if they behave as block devices in the Linux kernel), but I don’t explicitly cover such devices.
Examples of code, commands, and command output are displayed in a monospace or fixed-width font, similar to what you see on a computer terminal screen. In some places, nonrelevant command output may be removed or truncated and replaced with an ellipsis (...), and when lines are too long for the book’s margins, they are wrapped and indented.
Commands that you can run without root privilege use a $ prompt. Privileged commands that typically need to be run as root are prefixed with #. For brevity, the use of sudo or other privilege escalation is not always shown. Some sections provide more information about running command procedures as a non-root user.
In the computer book industry, it is common practice to change the timestamps in blocks of code and command output to a point in the future after release, giving the contents a newer appearance. I felt that writing a book about preserving evidence integrity and then manipulating the very evidence provided in the book (by forward dating timestamps) wasn’t appropriate. All the command output you see in this book reflects the actual output from the testing and research, including the original dates and timestamps. Aside from snipping out less relevant areas with ... and removing trailing blank lines, I left the command output unchanged.
A bibliography is not provided at the end of the book. All references are included as footnotes at the bottom of the page where the source is referenced.
The investigator’s or examiner’s workstation is referred to as the acquisition host or examination host. The disk and image that are undergoing acquisition are referred to as the subject disk, suspect disk, or evidence disk.
A number of terms are used interchangeably throughout the book. Disk, drive, media, and storage are often used interchangeably when they’re used in a generic sense. Forensic investigator, examiner, and analyst are used throughout the book and refer to the person (you) using the examination host for various forensic tasks. Imaging, acquisition, and acquiring are used interchangeably, but the word copying is deliberately excluded to avoid confusion with regular copying outside the forensic context.