Forensic Imaging

• Radiological examinations: x-ray, computed tomography (CT), magnetic resonance imaging (MRI), angiography, ultrasound, micro-CT, micro-MRI

• Surface examinations: photogrammetry, 3D scanner technology, forensic photogrammetry

• Computer-assisted reality: virtual reality, augmented reality, crime scene reconstruction

• Data processing: rendering techniques, visualization tools, segmentation, 3D printing, image fusion

• Specific nonimaging examinations: magnetic resonance spectroscopy, Hounsfield unit profiling, material differentiation

• Artificial intelligence: machine learning, deep learning

• A physical image of a hard drive will capture all of the ones and zeros contained on the drive. it will capture the deleted space on the hard drive even if the drive has been recently formatted. It will capture all the deleted files and file fragments on a hard drive.

• If one is making a physical image of one T.B drive the resulting image file will be one T.B  unless compression algorithms are used.

Logical Image

• A logical image of the hard drive will capture all the "active" data if you look at my computer icon on your computer and browser through C drive you are viewing the logical drive and active files. This is what will capture if one forms a logical capture.

• Typical deleted space, deleted files, and fragments will not be captured. If one is making a logical image of a 1TB drive but only 30GB active files, then the resulting image will be 30GB uncompressed.

Target Collection

• If a specific set of files or documents are being requested it may be possible to selectively copy only those items from a storage medium to an image file. This is what we call a targeted collection. If only one folder residing on a network share has responsive documents it may be prudent or necessary to preserve those documents.

• This may be difficult to do if a custodian is not organized or the custodian has email in eight different PST's are none are in separate folders or with current technology. it's also possible to run search terms or other filters across a set of data and only capture those files that match the criteria. Targeted Collections can greatly reduce the volume of data collected and subsequently reduce costs at all stages of the discovery process.

Tools for Digital Forensic

• The FTK Imager is a forensics software developed by Access Data, and it is very useful in gathering digital data from a storage drive. This software can scan for and retrieve various information from a hard disk. It can also retrieve files that have already been deleted from the recycle bin, crack passwords, and decrypt files. FTK Imager not only works on hard drives. It can create forensic images and process a wide range of data types from many sources, including mobile devices. Using the FTK Imager tool, you can create an image of an entire drive and send it to another computer.

• FTK Imager is only used for imaging. Whereas for analysis another package is available, that is FTK. Acquired Image can be shifted to larger memory and then investigations can be performed.

AVML

• AVML is a volatile memory acquisition tool written in Rust, intended to be deployed as a static binary.AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori. No on-target compilation or fingerprinting is needed.

• Save recorded images to external locations via Azure Blob Store or HTTP PUT
• Automatic Retry (in case of network connection issues) with exponential backoff for uploading to Azure Blob Store
• Optional page-level compression using Snappy.
• Uses LiME output format (when not using compression).

• This is an independent hardware unit to copy/clone one drive on another. It has a very simple touch screen interface and supports Serial Advanced Technology Attachment (SATA), External Serial Advanced Technology Attachment (E-SATA), Universal Serial Bus (USB), Statistical Analysis System (SAS), etc. It can clone one source drive in two 2 drives simultaneously (one-many cloning). It has 1 to 1, 2 to 2, and 1 to 2 options. It has a LAN interface too. It is portable and it has high speed. It has its built-in write blocker so the chances of accidental damage are greatly reduced.

• MASSter Solo-4 G3 PLUS Forensic Enterprise hard drive data acquisition unit is designed with built-in support to connect to an Expansion Box and provides the capability to capture data from additional devices which have interfaces not natively available on the Image MASSter Solo-4 PLUS Enterprise Forensic hard drive data acquisition unit. The Expansion Box is configured with the following hardware:

• FireWire 1394 PCI-Express card for connecting 1394A(1 Port) or 1394B(2 Ports) mass storage devices.

• SCSI Ultra320 PCI-Express card for connecting SCSI mass storage devices. The Image MASSter Solo-4 SATA-3 6Gb/s hard drive data acquisition unit can capture from two "Suspect" SCSI hard drives simultaneously with no speed degradation.

• PCI-Express to ExpressCard 34 Reader for connecting a broad range of Express Card compliant cards, such as Express Card USB 3.0 adapter cards that enable users to connect USB 3.0 mass storage devices.

LIME

• A Loadable Kernel Module (LKM) allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

• To use a LiME memory dump with volatility, a memory profile must be generated on the target system.

• Full Android memory acquisition
• Acquisition over network interface
• Minimal process footprint
• The hash of dumped memory

MacPmem

• MacPmem is an Osx Kernel Extension (kext, a dynamically loaded bundle of executable code that runs in kernel space) that, once loaded, exposes two new devices:

• /dev/pmem: allows physical memory read access, but can be built also with write support.

• /dev/pmem_info: Exposes informational dump.

• The Advanced Forensics File Format 4 (AFF4) is an open-source format used for the storage of digital evidence and data.

Sleuth Kit

• The Sleuth Kit was used to retrieve evidence from a physical drive and many other tools. Sleuth Kit takes only command-line instructions. On the other hand, autopsy makes the same process easy and user-friendly. Autopsy provides various features that help in acquiring and analyzing critical data and also uses different tools for jobs like Timeline Analysis, Filtering Hashes, Carving Data, Exif Data, Acquiring Web Artifacts, Keyword search, etc. Autopsy uses multiple cores and runs the background processes in parallel and tells you as soon as something of your interest shows up, making it an extremely fast and reliable tool for digital forensics.

• Allows accessing files directly instead of through Windows APIs which may be hijacked by rootkits. The integration also allows Cyber Triage to access files that are normally locked using standard methods of file access.

• The Sleuth Kit to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open-source and commercial forensics tools.

PhotoRec

• PhotoRec is file data recovery software designed to recover lost files including video, documents, and archives from hard disks and CD-ROMs. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media’s file system has been severely damaged or reformatted.

• PhotoRec uses read-only access to handle the drive or memory card you are about to recover lost data from. Important: As soon as a picture or file is accidentally deleted, or you discover any missing, do NOT save any more pictures or files to that memory device or hard disk drive; otherwise you may overwrite your lost data. This means that while using PhotoRec, you must not choose to write the recovered files to the same partition they were stored on.

Volatility

• The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License 2. Analysts use Volatility for the extraction of digital artifacts from volatile memory (RAM) samples. Because Volatility is open source and free to use, you can download the framework and begin performing advanced analysis without paying a penny. Furthermore, when it comes down to understanding how your tool works beneath the hood, nothing stands between you and the source code—you can explore and learn to your fullest potential.

• No need of remembering command line parameters.

• Storage of the platform and process list with the memory dump, in a .CFG file. When a memory image is re-loaded, this saves a lot of time and eliminates the need to get a process list each time.

• Simpler copy & paste.

• Simpler printing of paper copies (via right-click).

• Simpler saving of the dumped information to a file on disk.

• A drop-down list of available commands and a short description of what the command does.

• Time stamping of the commands executed.

• Auto-loading the first dump file found in the current folder.

• Support for analyzing Mac and Linux memory dumps.

Plaso

First Incident Response 

• Tag every connection and take photos.

• Search for the physical evidence first.

• Open and find out the storage device.

• Make enough documentation (serial no, size, manufacturer of the disk, etc.)

• Seal it properly and go for further operations

• Take a photo of the current activity first. Ensure that after shutting down the system, it will not harm the investigation.

• Hibernate option will be beneficial so after imaging, we can directly resume the system

• Capture a snapshot 

• As soon as possible, remove the power cord to avoid further damage.

• Then start with imaging of the disk