Table of Contents for

Practical Forensic Imaging

CONTENTS IN DETAIL

FOREWORD BY EOGHAN CASEY

INTRODUCTION

Why I Wrote This Book

How This Book Is Different

Why Use the Command Line?

Target Audience and Prerequisites

Who Should Read This Book?

Prerequisite Knowledge

Preinstalled Platform and Software

How the Book Is Organized

The Scope of This Book

Conventions and Format

0
DIGITAL FORENSICS OVERVIEW

Digital Forensics History

Pre-Y2K

2000–2010

2010–Present

Forensic Acquisition Trends and Challenges

Shift in Size, Location, and Complexity of Evidence

Multijurisdictional Aspects

Industry, Academia, and Law Enforcement Collaboration

Principles of Postmortem Computer Forensics

Digital Forensic Standards

Peer-Reviewed Research

Industry Regulations and Best Practice

Principles Used in This Book

1
STORAGE MEDIA OVERVIEW

Magnetic Storage Media

Hard Disks

Magnetic Tapes

Legacy Magnetic Storage

Non-Volatile Memory

Solid State Drives

USB Flash Drives

Removable Memory Cards

Legacy Non-Volatile Memory

Optical Storage Media

Compact Discs

Digital Versatile Discs

Blu-ray Discs

Legacy Optical Storage

Interfaces and Physical Connectors

Serial ATA

Serial Attached SCSI and Fibre Channel

Non-Volatile Memory Express

Universal Serial Bus

Thunderbolt

Legacy Interfaces

Commands, Protocols, and Bridges

ATA Commands

SCSI Commands

NVME Commands

Bridging, Tunneling, and Pass-Through

Special Topics

DCO and HPA Drive Areas

Drive Service and Maintenance Areas

USB Attached SCSI Protocol

Advanced Format 4Kn

NVME Namespaces

Solid State Hybrid Disks

Closing Thoughts

2
LINUX AS A FORENSIC ACQUISITION PLATFORM

Linux and OSS in a Forensic Context

Advantages of Linux and OSS in Forensics Labs

Disadvantages of Linux and OSS in Forensics Labs

Linux Kernel and Storage Devices

Kernel Device Detection

Storage Devices in /dev

Other Special Devices

Linux Kernel and Filesystems

Kernel Filesystem Support

Mounting Filesystems in Linux

Accessing Filesystems with Forensic Tools

Linux Distributions and Shells

Linux Distributions

The Shell

Command Execution

Piping and Redirection

Closing Thoughts

3
FORENSIC IMAGE FORMATS

Raw Images

Traditional dd

Forensic dd Variants

Data Recovery Tools

Forensic Formats

EnCase EWF

FTK SMART

AFF

SquashFS as a Forensic Evidence Container

SquashFS Background

SquashFS Forensic Evidence Containers

Closing Thoughts

4
PLANNING AND PREPARATION

Maintain an Audit Trail

Task Management

Shell History

Terminal Recorders

Linux Auditing

Organize Collected Evidence and Command Output

Naming Conventions for Files and Directories

Scalable Examination Directory Structure

Save Command Output with Redirection

Assess Acquisition Infrastructure Logistics

Image Sizes and Disk Space Requirements

File Compression

Sparse Files

Reported File and Image Sizes

Moving and Copying Forensic Images

Estimate Task Completion Times

Performance and Bottlenecks

Heat and Environmental Factors

Establish Forensic Write-Blocking Protection

Hardware Write Blockers

Software Write Blockers

Linux Forensic Boot CDs

Media with Physical Read-Only Modes

Closing Thoughts

5
ATTACHING SUBJECT MEDIA TO AN ACQUISITION HOST

Examine Subject PC Hardware

Physical PC Examination and Disk Removal

Subject PC Hardware Review

Attach Subject Disk to an Acquisition Host

View Acquisition Host Hardware

Identify the Subject Drive

Query the Subject Disk for Information

Document Device Identification Details

Query Disk Capabilities and Features with hdparm

Extract SMART Data with smartctl

Enable Access to Hidden Sectors

Remove a DCO

Remove an HPA

Drive Service Area Access

ATA Password Security and Self-Encrypting Drives

Identify and Unlock ATA Password-Protected Disks

Identify and Unlock Opal Self-Encrypting Drives

Encrypted Flash Thumb Drives

Attach Removable Media

Optical Media Drives

Magnetic Tape Drives

Memory Cards

Attach Other Storage

Apple Target Disk Mode

NVME SSDs

Other Devices with Block or Character Access

Closing Thoughts

6
FORENSIC IMAGE ACQUISITION

Acquire an Image with dd Tools

Standard Unix dd and GNU dd

The dcfldd and dc3dd Tools

Acquire an Image with Forensic Formats

The ewfacquire Tool

AccessData ftkimager

SquashFS Forensic Evidence Container

Acquire an Image to Multiple Destinations

Preserve Digital Evidence with Cryptography

Basic Cryptographic Hashing

Hash Windows

Sign an Image with PGP or S/MIME

RFC-3161 Timestamping

Manage Drive Failure and Errors

Forensic Tool Error Handling

Data Recovery Tools

SMART and Kernel Errors

Other Options for Failed Drives

Damaged Optical Discs

Image Acquisition over a Network

Remote Forensic Imaging with rdd

Secure Remote Imaging with ssh

Remote Acquisition to a SquashFS Evidence Container

Acquire a Remote Disk to EnCase or FTK Format

Live Imaging with Copy-On-Write Snapshots

Acquire Removable Media

Memory Cards

Optical Discs

Magnetic Tapes

RAID and Multidisk Systems

Proprietary RAID Acquisition

JBOD and RAID-0 Striped Disks

Microsoft Dynamic Disks

RAID-1 Mirrored Disks

Linux RAID-5

Closing Thoughts

7
FORENSIC IMAGE MANAGEMENT

Manage Image Compression

Standard Linux Compression Tools

EnCase EWF Compressed Format

FTK SMART Compressed Format

AFFlib Built-In Compression

SquashFS Compressed Evidence Containers

Manage Split Images

The GNU split Command

Split Images During Acquisition

Access a Set of Split Image Files

Reassemble a Split Image

Verify the Integrity of a Forensic Image

Verify the Hash Taken During Acquisition

Recalculate the Hash of a Forensic Image

Cryptographic Hashes of Split Raw Images

Identify Mismatched Hash Windows

Verify Signature and Timestamp

Convert Between Image Formats

Convert from Raw Images

Convert from EnCase/E01 Format

Convert from FTK Format

Convert from AFF Format

Secure an Image with Encryption

GPG Encryption

OpenSSL Encryption

Forensic Format Built-In Encryption

General Purpose Disk Encryption

Disk Cloning and Duplication

Prepare a Clone Disk

Use HPA to Replicate Sector Size

Write an Image File to a Clone Disk

Image Transfer and Storage

Write to Removable Media

Inexpensive Disks for Storage and Transfer

Perform Large Network Transfers

Secure Wiping and Data Disposal

Dispose of Individual Files

Secure Wipe a Storage Device

Issue ATA Security Erase Unit Commands

Destroy Encrypted Disk Keys

Closing Thoughts

8
SPECIAL IMAGE ACCESS TOPICS

Forensically Acquired Image Files

Raw Image Files with Loop Devices

Forensic Format Image Files

Prepare Boot Images with xmount

VM Images

QEMU QCOW2

VirtualBox VDI

VMWare VMDK

Microsoft VHD

OS-Encrypted Filesystems

Microsoft BitLocker

Apple FileVault

Linux LUKS

TrueCrypt and VeraCrypt

Closing Thoughts

9
EXTRACTING SUBSETS OF FORENSIC IMAGES

Assess Partition Layout and Filesystems

Partition Scheme

Partition Tables

Filesystem Identification

Partition Extraction

Extract Individual Partitions

Find and Extract Deleted Partitions

Identify and Extract Inter-Partition Gaps

Extract HPA and DCO Sector Ranges

Other Piecewise Data Extraction

Extract Filesystem Slack Space

Extract Filesystem Unallocated Blocks

Manual Extraction Using Offsets

Closing Thoughts

CLOSING REMARKS

INDEX