Methods of Acquisition

In all instances where digital forensics examiners perform live or static/dead-box acquisitions and imaging of a media storage device, it is important to perform a bit-by-bit copy of the entire media storage drive to preserve the integrity and reliability of the digital forensics evidence file.

Increasingly, digital forensics examiners face time and physical constraints that do not allow them to make a bit-by-bit copy of the target media storage devices for examination, which may result in modification of the original target media device or hard drive evidence.

While not the norm, pursuing this approach raises the possibility that altered media storage device evidence may become inadmissible in court. Consequently, it is important for digital forensics examiners who undertake extraordinary acquisition measures to properly document the reasons for any extraordinary acquisition approaches taken. They must ensure that their actions are consistent with department, agency, or company policies for the handling of exceptional digital forensics media device acquisition circumstances.

Some of the choices facing digital forensic examiners are as follows:

  1. create a bit-by-bit copy of the original target media storage device source;
  2. create a single image file from the original target media storage device source (which may alter media device content); or
  3. allow the examiner to select the files and folders from the source to be acquired.

In each instance, a hash value can be generated for an entire media storage device drive or for a single file to confirm or rule out changes to the target media storage device or to a single file during the digital forensics acquisition and imaging process.

The National Institute of Standards and Technology offers the following as examples of methods of acquisition:

Truncated clone: an unaligned or aligned partial clone of a digital source created on a clone destination too small to contain all the data from the digital source.

Cylinder-aligned clone: a bitstream duplicate restored to physical media of the data acquired from a digital source except for minor changes as required to align partitions on cylinder boundaries. The cylinder-aligned clone allows for changes in file system metadata (such as partition table entries) and the addition of benign fill to produce a restored hard drive with partitions aligned on cylinder boundaries, a partition table updated to reflect the partition adjustments, and updated partition boot sectors.

Unaligned clone: a bitstream duplicate restored to physical media of the data acquired from the digital source from both visible and hidden data sectors. However, the clone may need to be configured such that sectors hidden on the digital source are visible on the clone.

Bit-stream disk-to-image: a bit-for-bit digital copy of a digital object such as a document, file, partition, graphic image, physical disk, or similar digital object.

Bit-stream duplicate: a bit-for-bit digital copy of a digital object such as a document, file, partition, graphic image, physical disk, or similar digital object.

Logical evidence file (sometimes called an LEF): an image of one or more selected files instead of an entire drive. It includes file metadata such as file name and file size alongside the file content.
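The hash verification described earlier (hashing an entire drive or a single file to confirm or rule out changes during acquisition) and the logical evidence file just defined can both be demonstrated with a small simulation. The following Python is an added example, not code from the text or from NIST; it assumes an in-memory byte buffer as a stand-in for a physical drive, SHA-256 as the hash algorithm (the text names no specific algorithm), and a constructed set of files for the logical acquisition. It shows that a complete bit-stream image hashes identically to its source, while a truncated clone or an image altered by a single byte does not.

```python
import hashlib
import io
import random

CHUNK_SIZE = 4096  # read/write granularity; real tools work in sector multiples


def hash_stream(fp, algorithm="sha256"):
    """Hash every byte of a file-like object from offset 0, in chunks."""
    digest = hashlib.new(algorithm)
    fp.seek(0)
    for chunk in iter(lambda: fp.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def acquire_bitstream(source, destination, algorithm="sha256"):
    """Bit-for-bit copy of source into destination. The source is hashed as it
    is read, so the acquisition hash reflects exactly the bytes that were copied.
    Returns (acquisition_hash, bytes_copied)."""
    digest = hashlib.new(algorithm)
    copied = 0
    source.seek(0)
    destination.seek(0)
    for chunk in iter(lambda: source.read(CHUNK_SIZE), b""):
        digest.update(chunk)
        destination.write(chunk)
        copied += len(chunk)
    destination.flush()
    return digest.hexdigest(), copied


def verify_image(source, image, algorithm="sha256"):
    """Re-hash both sides after acquisition. A mismatch means the image is
    incomplete (a truncated clone) or that the source or image changed."""
    source_hash = hash_stream(source, algorithm)
    image_hash = hash_stream(image, algorithm)
    return {"source_hash": source_hash, "image_hash": image_hash,
            "match": source_hash == image_hash}


def acquire_logical(files, algorithm="sha256"):
    """Logical evidence file: only the selected files are acquired, each
    recorded with its metadata (name, size) and its own hash value."""
    return [{"name": name, "size": len(data),
             "hash": hashlib.new(algorithm, data).hexdigest()}
            for name, data in files.items()]


def make_sample_disk(size=1_000_000, seed=7):
    """Constructed stand-in for a physical drive: deterministic pseudo-random bytes."""
    return random.Random(seed).randbytes(size)


def demo():
    disk = make_sample_disk()
    source = io.BytesIO(disk)

    # Full bit-stream acquisition, hashed during the copy and again at verification.
    image = io.BytesIO()
    acq_hash, copied = acquire_bitstream(source, image)
    full = verify_image(source, image)

    # Truncated clone: the destination is too small to hold the whole source.
    truncated = io.BytesIO(disk[: len(disk) // 2])
    partial = verify_image(source, truncated)

    # Image altered by one byte after acquisition: the hash no longer matches.
    altered = bytearray(disk)
    altered[12345] ^= 0x01
    tampered = verify_image(source, io.BytesIO(bytes(altered)))

    # Logical acquisition of a constructed file set (hypothetical file names).
    selected = {"report.docx": b"quarterly figures", "notes.txt": b"meeting notes"}
    manifest = acquire_logical(selected)

    return {"acquisition_hash": acq_hash, "source_hash": full["source_hash"],
            "bytes_copied": copied, "full_match": full["match"],
            "truncated_match": partial["match"], "tampered_match": tampered["match"],
            "logical_manifest": manifest}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hashing during the copy and then re-hashing both source and image afterwards is what gives the examiner two independent values to record: the acquisition hash documents what was read, and the verification hash shows whether anything changed in between.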

References

Kent, K., Chevalier, S., Grance, T., & Dang, H. (2018). Special publication 800-86: Guide to integrating forensic techniques into incident response. National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf

National Institute of Standards and Technology. (2004). Digital data acquisition tool specification. http://www.cftt.nist.gov/Pub-Draft-1-DDA-Require.pdf