Chapter 4: Data Acquisition
Data Acquisition Methods
• Bit-Stream Disk-to-Image File
  • Most common and most flexible method
  • Creates a compressed image file of the suspect’s hard drive
• Bit-Stream Disk-to-Disk Copy
  • Use when there are hardware/software errors or incompatibilities
  • Copies data exactly from one disk to another
• Sparse Data Copy
  • Use when time is limited or when the source disk is too large to copy (e.g., RAID)
  • Copies only the files and directories associated with the incident or crime
Bit-Stream Disk-to-Image Copy
• Data from the suspect’s drive are compressed when the image file is created
• Compression is lossless (i.e., no data are discarded during compression)
• The space needed for the image file can be as low as 50% of the size of the suspect’s drive
Hash Algorithms and Image Copies
• Allow a comparison to be made between the image file and the suspect’s drive
• Matching hash values verify that the data haven’t changed during the compression process
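The two slides above describe a bit-stream disk-to-image copy with lossless compression and a hash comparison to prove the image still reproduces the source bit for bit. The following is an added example (not code from the original slides) that does both against a constructed stand-in for a suspect drive: it streams the source through SHA-256 while writing a gzip image, then decompresses the image and checks that the hash matches. The sample drive, its size and the one-byte alteration used to show a detected mismatch are all assumptions made for the demonstration.

```python
import gzip
import hashlib
import io
import random

SECTOR_SIZE = 512  # bytes per sector on a traditional disk


def make_sample_drive(random_sectors=128, zero_sectors=128):
    """Constructed stand-in for a suspect drive (not real evidence): a run of
    incompressible pseudo-random sectors followed by unused (all-zero) sectors,
    so lossless compression has something to work with."""
    rng = random.Random(42)  # fixed seed so the sample is reproducible
    data = b"".join(
        rng.getrandbits(8 * SECTOR_SIZE).to_bytes(SECTOR_SIZE, "big")
        for _ in range(random_sectors)
    )
    return data + b"\x00" * (SECTOR_SIZE * zero_sectors)


def sha256_of_stream(fobj, chunk=1 << 20):
    """Hash a stream in chunks so a large image never has to fit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def acquire_disk_to_image(source, image):
    """Bit-stream disk-to-image copy: read every sector in order, hash the raw
    bytes as they pass, and write a gzip (lossless) image file.
    Returns the SHA-256 of the source drive as seen during acquisition."""
    h = hashlib.sha256()
    with gzip.GzipFile(fileobj=image, mode="wb") as gz:
        for block in iter(lambda: source.read(SECTOR_SIZE * 128), b""):
            h.update(block)
            gz.write(block)
    return h.hexdigest()


def verify_image(image, expected_hash):
    """Decompress the image and compare its hash with the acquisition hash.
    A match shows the compressed image still reproduces every bit of the source."""
    image.seek(0)
    with gzip.GzipFile(fileobj=image, mode="rb") as gz:
        return sha256_of_stream(gz) == expected_hash


def run_demo():
    """Acquire the sample drive, verify the image, then show that a single
    changed byte in the imaged data is caught by the hash comparison.
    Returns (compression_ratio, verified_ok, tamper_caught)."""
    drive = make_sample_drive()
    image = io.BytesIO()
    acq_hash = acquire_disk_to_image(io.BytesIO(drive), image)
    ratio = len(image.getvalue()) / len(drive)
    verified_ok = verify_image(image, acq_hash)

    # Simulated corrupted/altered image: flip one bit, recompress, re-verify.
    altered = bytearray(drive)
    altered[100] ^= 0x01
    bad_image = io.BytesIO()
    with gzip.GzipFile(fileobj=bad_image, mode="wb") as gz:
        gz.write(bytes(altered))
    tamper_caught = not verify_image(bad_image, acq_hash)
    return ratio, verified_ok, tamper_caught


if __name__ == "__main__":
    ratio, ok, caught = run_demo()
    print(f"image is {ratio:.0%} of drive size; verified={ok}; tamper detected={caught}")
```

The hash is computed over the raw bytes as they are read, not over the compressed file, so the same value can later be recomputed from the decompressed image or from the original drive; with half the sample drive unused, the gzip image comes out at roughly half the source size, which is the kind of saving the slide refers to.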
Absolute vs. Relative Sectors
• An absolute sector is numbered from the beginning of the disk
• A relative sector is numbered from the beginning of the current partition
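To make the absolute/relative distinction concrete, here is an added example (not part of the original slides) that parses a constructed MBR partition table, then converts sector numbers between the two frames of reference. The partition entries, their start sectors and sizes are assumptions chosen for the demonstration; the MBR layout itself (partition table at byte 446, 16-byte entries, 0x55AA signature) is the standard one.

```python
import struct

SECTOR_SIZE = 512
MBR_PARTITION_TABLE_OFFSET = 446
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
MBR_ENTRY_FORMAT = "<B3sB3sII"


def build_sample_mbr(partitions):
    """Constructed MBR (not from a real disk): zeroed boot code, the given
    (type, start_lba, sector_count) entries, and the 0x55AA signature."""
    mbr = bytearray(SECTOR_SIZE)
    for i, (ptype, start, count) in enumerate(partitions[:4]):
        entry = struct.pack(MBR_ENTRY_FORMAT, 0x00, b"\xff\xff\xff",
                            ptype, b"\xff\xff\xff", start, count)
        off = MBR_PARTITION_TABLE_OFFSET + 16 * i
        mbr[off:off + 16] = entry
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the used partition entries as dicts with absolute start and size."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = MBR_PARTITION_TABLE_OFFSET + 16 * i
        _, _, ptype, _, start, count = struct.unpack(MBR_ENTRY_FORMAT, mbr[off:off + 16])
        if ptype != 0 and count != 0:  # empty slots have type 0
            parts.append({"index": i, "type": ptype, "start": start, "count": count})
    return parts


def relative_to_absolute(partition, relative_sector):
    """Relative sector (from partition start) -> absolute sector (from disk start)."""
    if not 0 <= relative_sector < partition["count"]:
        raise ValueError(f"relative sector {relative_sector} lies outside the partition")
    return partition["start"] + relative_sector


def absolute_to_relative(partition, absolute_sector):
    """Absolute sector -> relative sector; rejects sectors outside the partition."""
    rel = absolute_sector - partition["start"]
    if not 0 <= rel < partition["count"]:
        raise ValueError(f"absolute sector {absolute_sector} is not in partition "
                         f"{partition['index']}")
    return rel


def sector_to_byte_offset(absolute_sector):
    """Byte offset into the raw disk image for a given absolute sector."""
    return absolute_sector * SECTOR_SIZE


if __name__ == "__main__":
    # Constructed layout: an NTFS-type partition at LBA 2048 and a Linux-type
    # partition right after it.
    mbr = build_sample_mbr([(0x07, 2048, 204800), (0x83, 206848, 409600)])
    for p in parse_mbr(mbr):
        abs_sector = relative_to_absolute(p, 63)
        print(f"partition {p['index']}: relative sector 63 = absolute sector "
              f"{abs_sector} = byte offset {sector_to_byte_offset(abs_sector)}")
```

The practical point is that a sector number reported by a file-system tool is usually relative to its partition, so the same number on a raw disk image points somewhere else entirely unless the partition's start sector is added first; the range checks here catch the common mistake of applying a relative number to the wrong partition.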
Drawbacks of Windows Acquisition Tools
• Large size (can’t be copied onto a boot disk)
• Require high levels of system resources
• Can contaminate the suspect’s drive (i.e., a hardware write-blocker must be used)
• Cannot acquire the host protected area
RAID
• Redundant Array of Independent Disks
• Involves two or more disks
• Typically used for very large storage needs
Challenges:
• Involves very large storage volumes (which may require sparse data acquisition methods)
• Files may be spread across multiple disks
• Image acquisition requires specialized software tools
Static vs. Live Acquisitions
Static
• Preferred method
• Image is acquired locally
• Write-protection can be used (so the suspect drive is not altered)
• Can be repeated with the same results
Live
• Used when the suspect’s PC cannot be shut down
• Image is acquired locally or over the network
• Captured data may be altered during acquisition (because no write-protection is used)
• Not repeatable (because the suspect’s data are continually altered by the OS)
Remote Acquisitions
• Acquisition is made across the network
• Can be done without alerting the suspect
• Not necessary to travel to the suspect’s computer
Drawbacks:
• Must be done as a live acquisition
• Transfer speeds may impede acquisition
• Network traffic may slow down acquisition or cause errors
• Remote access software may be blocked by antivirus, antispyware, and/or firewall tools