to as the “source.” There are various methods and tools for accomplishing this, as we
will see below.
There are guidelines for preparing to take the image. In most cases the machine is
delivered to the incident response investigator powered off; it may also be delivered
powered on but disconnected from the network. In the former case the computer must not
be powered on except by trained operators, otherwise data may be modified in a way that
compromises the investigation: a normal boot writes to the disk (timestamps, logs, swap
and temporary files are all updated). When in doubt, the golden rule is: “if the
machine is off it has to stay off; if it is on it has to stay on, until further orders.”
It goes without saying, but I will say it anyway: the original medium (the source disk)
must be carefully protected, for example by applying write-protection, such as a
hardware write blocker, wherever possible.
The image of the medium is obtained using software tools, described below, that create a
bit-by-bit copy. The preferred method is to use a trusted workstation for the
acquisition, whether the source is a single hard disk, a floppy or a CD. Otherwise, if
conditions permit, the investigated computer may be booted from a floppy (drive A:)
rather than from its hard disk. In this case the computer boots a minimal operating
system that contains additional programs and drivers, so that the computer recognizes
an external storage device as a removable hard disk. A program is then started from
the floppy that creates the image of the hard disk(s) on the external device. This
image includes both visible and hidden files, the parts of the disk that hold the
directory metadata (file name, size, date and timestamp), and also fragments of files
that had previously been deleted but not yet overwritten. The integrity of the image
should be established at acquisition time by computing a cryptographic hash of the
source and of the image and recording both in the report; the same hash is recomputed
whenever the image is later used. The image file can be read or examined directly,
although in some cases (especially during the Reconstruction phase) it may be necessary
to carry out the reverse procedure on a second computer with characteristics similar to
the first, i.e., to produce an exact clone of the original disk so that all details can
be completely reproduced. In any case, the images are copied onto Write Once Read Many
(WORM) CD-ROMs that cannot be altered.
As a preliminary, remember: the disk image destination drive must be wiped. The
procedure consists of the complete erasure of the entire contents of the destination
hard disk, so that no remnant of a previous examination can be mistaken for evidence
from the current one. There are a number of ad hoc tools for this purpose, including
one known as “Wipe.” Keep in mind that the wiping operation must be documented in the
forensic analysis report, whether or not the report relates to incident response
operations. It is recommended that the destination hard disk be wiped upon completion
of an examination. In any case it must be done (and documented) prior to any
subsequent image acquisition.
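The acquisition and wiping steps described above, as an added shell example (not code from the book): the destination is overwritten with zeros and checked to be all-zero, the source is copied sector by sector with `dd` (my choice of tool; the book does not name it), source and image are hashed and compared, and every step is appended to a log for the report. Regular files stand in for block devices so the script runs offline; the paths, sector counts, the use of `dd`/`sha256sum` instead of the "Wipe" tool, and the log file are all assumptions.

```shell
#!/bin/sh
# Added example, not the book's own procedure. Regular files stand in for
# block devices; in practice SRC would be a device such as /dev/sdb (opened
# read-only, behind a write blocker) and the image would live on a wiped
# evidence drive. Paths, sector counts and the log file are assumptions.
set -eu

LOG=${CASE_LOG:-./acquisition.log}   # every step is recorded for the report

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

# sha256sum on Linux, shasum on BSD/macOS; prints only the hex digest
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Overwrite the destination with zeros, then prove it: compare it against a
# zero stream of the same length. Do not trust a wipe you have not checked.
wipe_target() {   # $1 = destination path, $2 = size in 512-byte sectors
    dd if=/dev/zero of="$1" bs=512 count="$2" 2>/dev/null
    dd if=/dev/zero bs=512 count="$2" 2>/dev/null | cmp -s - "$1" || {
        log "wipe verification FAILED for $1"
        return 1
    }
    log "wiped $1 ($2 sectors), verified all-zero"
}

# Bit-for-bit copy. conv=noerror,sync keeps going past unreadable sectors and
# pads them with zeros so offsets in the image still match the source.
acquire_image() {   # $1 = source (device or file), $2 = image path
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    log "acquired $1 -> $2 (bs=512, conv=noerror,sync)"
}

# Returns 0 only if the source and the image hash to the same value; both
# digests go into the log so the report can cite them.
verify_image() {   # $1 = source, $2 = image
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    log "sha256 source=$src_hash image=$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Constructed sample run: a 32 KiB "disk" of random bytes in a temp dir.
demo_run() {
    d=$(mktemp -d)
    LOG="$d/acquisition.log"
    dd if=/dev/urandom of="$d/source.bin" bs=512 count=64 2>/dev/null
    wipe_target "$d/evidence.dd" 64
    acquire_image "$d/source.bin" "$d/evidence.dd"
    verify_image "$d/source.bin" "$d/evidence.dd" && echo "image verified"
    cat "$LOG"
}

if [ "${1:-}" = demo ]; then demo_run; fi
```

Run it as `sh acquire.sh demo` to see the log lines that would go into the report. The `return 1` after a failed wipe check matters: the wipe is only evidence-grade if the verification passed, and the log records which case occurred.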
2.1.1 Disk Imaging Tools
Forensic analysis operations require a number of software tools and dedicated
hardware devices. The tools have different functions, such as backup and restore, file