Acquisition Method

Below is a list of procedures for creating forensic images of computers.

Encryption Detection (EDD.exe)

A good practice is to check for encryption before performing the acquisition, to avoid running into problems later in the process.

One good tool for this task is EDD.exe (Encrypted Disk Detector) by Magnet Forensics.

Just run EDD.exe and it will report which volumes are encrypted.

Memory Acquisition (FTK Imager Lite)

File > Capture Memory

FTK Imager Lite for capturing memory

FTK Imager on Linux

  • copy the ftkimager binary to /usr/local/bin so that it can be executed from anywhere

  • mount the disk where the image files are going to be stored

  • run the following command

    ftkimager source [dest_file] [options]
    Options:
       --help             Display this information
       --list-drives      Show detected physical drives
       --verify           Hash/verify the destination image, or the source image if no destination is specified
       --print-info       Print information about a drive or image and then exit
       --quiet            Do not show create/verify progress information
       --no-sha1          Do not compute SHA1 hash during acquire or verify
     The following options are valid only when dest_file is specified
       --s01              Create a SMART ew-compressed image
       --e01              Create an E01 format image
       --frag x{K|M|G|T}  Create image fragments at most x {K|M|G|T} in size
                          also accepts kB, MB, GB, and TB for powers of 10 instead of 2
       --compress C       Set compression level to C (0=none, 1=fast, ..., 9=best)
     E01/smart metadata (use quote marks when X contains spaces):
       --case-number X
       --evidence-number X
       --description X
       --examiner X
       --notes X
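The following script is an added example, not part of the original page and not AccessData's own tooling: it shows how the options above fit together for an E01 acquisition on a Linux imaging platform, with the two pre-flight checks an examiner wants before writing anything (is the destination really a separately mounted evidence drive, and does it have room for the source). The device /dev/sdb, the mount point /mnt/evidence and the case metadata are placeholders.

```shell
#!/bin/sh
# Added example: pre-flight checks and command construction for an ftkimager
# E01 acquisition. /dev/sdb, /mnt/evidence and the case metadata are placeholders.

# Build the ftkimager command line: E01 output in 2 GiB segments, medium
# compression, hash verification after the acquisition, and case metadata.
# $1 source device, $2 destination base name (ftkimager appends the .E01 extension),
# $3 case number, $4 evidence number, $5 examiner name
build_ftkimager_cmd() {
    printf 'ftkimager %s %s --e01 --frag 2G --compress 6 --verify --case-number "%s" --evidence-number "%s" --examiner "%s"' \
        "$1" "$2" "$3" "$4" "$5"
}

# Succeed only if DIR sits on a filesystem other than the root filesystem, i.e.
# the evidence storage drive was really mounted there and the image will not
# end up on the live system's ramdisk.
dest_is_mounted() {
    dir=$1
    [ -d "$dir" ] || return 1
    dev=$(df -P "$dir" | awk 'NR==2 {print $1}')
    root=$(df -P / | awk 'NR==2 {print $1}')
    [ -n "$dev" ] && [ "$dev" != "$root" ]
}

# Free space in KiB on the filesystem holding DIR.
free_kib() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# Refuse to acquire SRC into DEST_DIR unless DEST_DIR is a mounted evidence
# drive with room for an uncompressed copy of the source (size taken from
# sysfs, which reports 512-byte sectors).
preflight() {
    src=$1; dest_dir=$2
    dest_is_mounted "$dest_dir" || { echo "destination $dest_dir is not a mounted drive" >&2; return 1; }
    sizefile="/sys/class/block/$(basename "$src")/size"
    if [ -r "$sizefile" ]; then
        need_kib=$(( $(cat "$sizefile") / 2 ))
        [ "$(free_kib "$dest_dir")" -ge "$need_kib" ] || { echo "not enough space in $dest_dir" >&2; return 1; }
    fi
    return 0
}

# Usage with the placeholder values: ./acquire.sh run
if [ "${1:-}" = "run" ]; then
    preflight /dev/sdb /mnt/evidence || exit 1
    ftkimager --print-info /dev/sdb            # record drive details in the log
    cmd=$(build_ftkimager_cmd /dev/sdb /mnt/evidence/case001 "CASE-001" "E-01" "J. Doe")
    echo "$cmd"                                # keep the exact command in the notes
    eval "$cmd"
fi
```

The space check is deliberately conservative: compression usually makes the E01 smaller than the source, but a drive full of already-compressed or encrypted data compresses hardly at all, and running out of space halfway through an acquisition means starting over.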

FastBloc SE

  1. Make sure no devices are attached (or only your storage device is attached)

  2. Tools > FastBloc SE > Write Blocked

  3. Attach the target device to the system

  4. In EnCase, either create a new case or open an existing one

  5. Add Evidence > Add Local Device

  6. On the page that follows, accept the defaults and click Next. On the screen that follows, you will see a dot or Yes in the Write Blocked column, and the icon for the device will have a green box around it, both indicating a successful write block.

  7. Select the write-blocked target device (blue check) > Finish > double click the evidence > Acquire

Write Block = writes are prevented but are cached locally to prevent Windows error messages

Write Protect = writes are prevented, nothing is cached locally, and Windows launches error messages when writes are attempted

(Screenshot: Acquire > Acquire)

Remove write-blocking after completing the acquisition

After the acquisition finishes, physically remove the device, then stop the write-blocking software in EnCase (Tools > FastBloc SE > Clear All).

Tableau Write Blocker

  1. Connect the target disk to the write blocker

  2. In EnCase, either create a new case or open an existing one

  3. Add Evidence > Add Local Device

  4. Select the device that is write-blocked

  5. In the Evidence tab, right-click the item you want to acquire and select Process Evidence -> Acquire

(Screenshots: Detect Tableau Hardware; Process Evidence -> Acquire; Location tab; Format tab; Advanced tab)

Tableau Duplicator

LinEn (Linux)

Edit /etc/inittab with a text editor to boot your Linux distribution (e.g. Helix) into console mode, by changing id:5:initdefault: to id:3:initdefault:.

  1. Attach the target drive to the Linux imaging platform

  2. Attach the storage drive (FAT32) to the Linux imaging platform

  3. Boot your Linux machine to console and log in as root

  4. Check what file systems are mounted

    mount

  5. Check what devices are available

    fdisk -l

  6. Mount your storage drive and check that the storage drive is mounted

    mkdir /mnt/fat32
    mount /dev/hda1 /mnt/fat32
    mount

  7. Create the folder on your storage volume to hold the EnCase evidence file

  8. Go to the directory of LinEn and run LinEn

    ./LinEn
  9. press A / use Tab key to go to Acquire and press Enter

  10. Select your drive and press Enter

  11. Choose the path for your evidence file and prefix it with the mount point of the storage drive, e.g. instead of /case/casename/evidence use /mnt/winfat/cases/casename/evidence/XXX001

Guymager (Caine OS)

  1. Insert the CAINE OS USB into the target machine. Enter the BIOS boot menu (e.g. F2) and select the USB as the boot drive

  2. After startup, connect the storage hard disk to the target machine

  3. Mount the storage hard disk. Create the mount point:

     mkdir /media/drive

    Mount the drive in read-write mode (use -o rw; a combined -rw flag is ambiguous because -r alone means read-only):

     sudo mount -o rw /dev/sdc2 /media/drive

  4. Open guymager and select Calculate MD5 and Verify image after acquisition (takes twice as long)

  5. Click OK to start the acquisition

Fill in the information and click OK
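Both the LinEn and the Guymager procedures above share the same two Linux-side tasks: getting the evidence storage drive mounted read-write and confirming it, and checking the finished image. The script below is an added example (not from the page, LinEn or Guymager) that does the mount check against /proc/mounts, builds the cases/casename/evidence directory the tools are pointed at, and verifies a raw image by hashing source and image with MD5 and SHA1. /dev/sdc2, /media/drive and the case name are placeholders.

```shell
#!/bin/sh
# Added example: evidence drive preparation and raw image verification for a
# Linux imaging platform. /dev/sdc2, /media/drive and the case name are placeholders.

# Mount DEV read-write at MNT (creating MNT if needed) and confirm from
# /proc/mounts that the mount really happened before anything is written.
mount_evidence_drive() {
    dev=$1; mnt=$2
    mkdir -p "$mnt"
    sudo mount -o rw "$dev" "$mnt" || return 1
    grep -q " $mnt " /proc/mounts
}

# Create the evidence directory for a case on the mounted drive and print the
# image path prefix to give LinEn or Guymager (e.g. .../evidence/XXX001).
evidence_path() {
    mnt=$1; case=$2; evid=$3
    dir="$mnt/cases/$case/evidence"
    mkdir -p "$dir" || return 1
    printf '%s/%s' "$dir" "$evid"
}

# Print "md5 sha1" of a file or block device.
hash_pair() {
    printf '%s %s' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha1sum "$1" | cut -d' ' -f1)"
}

# Succeed only if SRC and IMG have identical MD5 and SHA1 hashes. This applies
# to raw (dd-style) images; an E01 container is not byte-identical to the
# source, so for E01 use the imaging tool's own verification instead.
verify_raw_image() {
    src=$1; img=$2
    [ "$(hash_pair "$src")" = "$(hash_pair "$img")" ]
}

# Record the image hashes and acquisition time beside the image for later checks.
write_hash_log() {
    img=$1
    {
        printf 'image: %s\n' "$img"
        printf 'md5 sha1: %s\n' "$(hash_pair "$img")"
        date -u '+acquired: %Y-%m-%dT%H:%M:%SZ'
    } > "$img.hashes.txt"
}

# Usage with the placeholder values: ./prepare.sh run
if [ "${1:-}" = "run" ]; then
    mount_evidence_drive /dev/sdc2 /media/drive || exit 1
    target=$(evidence_path /media/drive casename XXX001)
    echo "image path to give LinEn/Guymager: $target"
fi
```

Hashing the source device a second time after the acquisition is only safe because the source sits behind a write blocker; the comparison catches a truncated or partially failed copy that the tool's progress bar would not reveal.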

Convert a hibernation file to a memory dump

A hibernation file is stored at C:\hiberfil.sys if hibernation is enabled. It contains parts of memory as it was at the time of hibernation; how much depends on the version of Windows. Run the following to convert it to a raw image for further processing with Volatility (replace <profile> with the profile matching the Windows version):

    volatility -f /path/to/hiberfil.sys --profile=<profile> imagecopy -O /path/to/output/folder/hibermemory.raw

Remote Acquisition

F-Response editions:

  • Tactical

  • Consultant + Covert
