Understanding Storage Formats For Digital Evidence Information Technology Essay

Active Data is the information that we can actually see. This includes data files, programs, and files used by the operating system. This is the easiest type of data to obtain.

Archival Data is data that has been backed up and stored. This could mean backup tapes, CDs, floppies, or entire hard drives.

Latent Data is the information that one typically needs specialized tools to access. An example of latent data would be information that has been deleted or partially overwritten.

A computer investigation could involve looking at all of these data types, depending on the circumstances. Obtaining latent data is by far the most time consuming and costly.

Computer forensics is all about obtaining the proof of a crime or breech of policy. It focuses on obtaining proof of an illegal misuse of computers in a way that could lead to the prosecution of the culprit.

Understanding Storage Formats for Digital Evidence

Three formats:

Raw format

Proprietary formats

Advanced Forensics Format (AFF)

Raw Format

Makes it possible to write bit-stream data to files


Fast data transfers

Can ignore minor data read errors on source drive

Most computer forensics tools can read raw format


Requires as much storage as original disk or data

Tools might not collect marginal (bad) sectors

Proprietary Formats


Option to compress or not compress image files

Can split an image into smaller segmented files

Can integrate metadata into the image file


Inability to share an image between different tools

File size limitation for each segmented volume

Advanced Forensics Format

Design goals:

Provide compressed or uncompressed image files

No size restriction for disk-to-image files

Provide space in the image file or segmented files for metadata

Simple design with extensibility

Open source for multiple platforms and OSs

Internal consistency checks for self-authentication

Determining the Best Acquisition Method

Types of acquisitions:

Static acquisitions and live acquisitions

Four methods:

Bit-stream disk-to-image file

Bit-stream disk-to-disk

Logical disk-to-disk or disk-to-disk data

Sparse data copy of a file or folder

Bit-stream disk-to-image file

Most common method

Can make more than one copy

Copies are bit-for-bit replications of the original drive

ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook

Bit-stream disk-to-disk

When disk-to-image copy is not possible

Consider disk’s geometry configuration

EnCase, SafeBack, SnapCopy

Logical acquisition or sparse acquisition

When your time is limited

Logical acquisition captures only specific files of interest to the case

Sparse acquisition also collects fragments of unallocated (deleted) data

For large disks

PST or OST mail files, RAID servers

Spares data copy

When making a copy, consider:

Size of the source disk

Lossless compression might be useful

Use digital signatures for verification

When working with large drives, an alternative is using tape backup systems

Whether you can retain the disk

Contingency Planning for Image Acquisitions

Create a duplicate copy of your evidence image file

Make at least two images of digital evidence

Use different tools or techniques

Copy host protected area of a disk drive as well

Consider using a hardware acquisition tool that can access the drive at the BIOS level

Be prepared to deal with encrypted drives

Whole disk encryption feature in Windows Vista Ultimate and Enterprise editions

Capturing an Image with ProDiscover Basic

Connecting the suspect’s drive to your workstation

Document the chain of evidence for the drive

Remove the drive from the suspect’s computer

Configure the suspect drive’s jumpers as needed

Connect the suspect drive

Create a storage folder on the target drive

Using ProDiscover’s Proprietary Acquisition Format

Image file will be split into segments of 650MB

Creates image files with an .eve extension, a log file (.log extension), and a special inventory file (.pds extension)

Using ProDiscover’s Raw Acquisition Format

Select the UNIX style dd format in the Image Format list box

Raw acquisition saves only the image data and hash value

Capturing an Image with AccessData FTK Imager

Included on AccessData Forensic Toolkit

View evidence disks and disk-to-image files

Makes disk-to-image copies of evidence drives

At logical partition and physical drive level

Can segment the image file

Evidence drive must have a hardware write-blocking device

Or the USB write-protection Registry feature enabled

FTK Imager can’t acquire drive’s host protected area


Boot to Windows

Connect evidence disk to a write-blocker

Connect target disk to write-blocker

Start FTK Imager

Create Disk Image

Use Physical Drive option

Remote Connections

Read also  Evolution Of Operating Systems Information Technology Essay

GoToMyPC allows you to access and work on your computer on-the-fly from any location connected to the Internet. Get reliable, convenient and secure access to email, files, programs and network resources from home or the road.





Automatic Setup

Automatic Setup

Plug-in automatically launches, installs and configures itself. No restart required.

Set up and ready to go in minutes, even by novice users.

Universal Viewer

Universal Viewer

When you connect to your computer, the Viewer window launches automatically, allowing you to view and control your computer from another Microsoft® Windows®, Microsoft® Windows® CE, Macintosh®, Linux, Unix® or Solaris® computer. No pre-loaded software required.

Access your computer from any Web browser on any operating system at any time. Even work on your office Microsoft® Windows® PC from your Macintosh® at home.

Encryption and Maximum Security

Encryption and Maximum Security

All data is protected with AES encryption using 128-bit keys. Dual passwords and end-to-end user authentication. Optional One-Time Passwords provide maximum security.

Most secure Internet connection available in a remote-access service. Nobody can “see” what you’re doing (not even us).


Optimal Performance

Optimal Performance

Connect to your computer in seconds and enjoy fast in-session performance.

Be more productive – faster. Quick connections and better performance mean you get more done in less time.


True Color

True Color

View your desktop in true 24-bit color.

Enjoy a true-to-life, full-color view of your desktop – perfect for looking at pictures and reviewing design work.

Remote Printing

Remote Printing

Print documents to any printer wherever you happen to be.

Read also  Distinction Between Conventional And Cyber Crime Information Technology Essay

A hard copy of that forgotten file is only a connection away – print your document even if you don’t have the application.



File Sync

and Transfer

Synchronize files and folders between your computer and any remote computer with just a click. Or transfer files and folders from one computer to another by simply dragging and dropping between screens.

Increase file organization between your computers to eliminate confusion.





Hear sound at any remote PC with customizable audio settings. Automatic muting on the PC you are accessing remotely means sound can only be heard by you.

Get the complete experience of being at your PC. Hear system alerts, voice mail, music or any other sound from your remote PC.

Guest Invite

Guest Invite

Invite a second person to temporarily view or share control of your PC.

Great for tech support, demos or “conference” viewing of info. Save time by meeting on-the-fly on your PC.


Multi-Monitor Support

Multi-Monitor Support

Use GoToMyPC with multiple monitors connected to a single computer.

Work on multiple monitors whether they’re connected to your host computer or to the computer at your remote-access location.

PocketView Wireless Access

PocketViewâ„¢ Wireless Access

Securely access your PC from your Pocket PC, Microsoft® Windows® Mobile or Microsoft® Windows® CE wireless device.

Ultimate mobility with on-the-fly remote access to your PC desktop – including your email, all your files, all your applications and your corporate intranet.

Network Forensic Tools

Iris Network Traffic Analyzer

Continuous vulnerability forensics plus network performance analysis

Iris Network Traffic Analyzer empowers your security and operations teams by providing granular data monitoring and precise packet and session reconstruction capabilities. The solution is designed to combine process and technology into a single effective system for network forensics.

Today’s organizations rely on the continuity and security of underlying IT systems at all times. This requirement is further amplified when you take into account the fact that most security or performance issues, whether due to malicious acts, user non-compliance or simple bandwidth mis allocation, generally reside above your network in the applications being serviced by your infrastructure.



Virtual Tap

Most organizations today have already invested substantial time, money, and training for solutions that monitor their network’s security and performance at the physical level. However, these solutions, such as firewalls, network intrusion detection and prevention devices, virus scanning, and data loss prevention tools have been unable to provide the same functionality in a virtualized environment because of their inability to monitor network traffic between virtual servers inside physical servers. This has led to the need for another, parallel investment in time, energy, and money into “virtual” versions of all of these security devices and processes-until now.

Read also  Reviewing The Online Ticket Sales Of Easyjet Information Technology Essay


Using Remote Network Acquisition Tools

You can remotely connect to a suspect computer via a network connection and copy data from it

Remote acquisition tools vary in configurations and capabilities


LAN’s data transfer speeds and routing table conflicts could cause problems

Gaining the permissions needed to access more secure subnets

Heavy traffic could cause delays and errors

Remote Acquisition with ProDiscover

With ProDiscover Investigator you can:

Preview a suspect’s drive remotely while it’s in use

Perform a live acquisition

Encrypt the connection

Copy the suspect computer’s RAM

Use the optional stealth mode

ProDiscover Incident Response additional functions

Capture volatile system state information

Analyze current running processes

Locate unseen files and processes

Remotely view and listen to IP ports

Run hash comparisons

Create a hash inventory of all files remotely

PDServer remote agent

ProDiscover utility for remote access

Needs to be loaded on the suspect

PDServer installation modes

Trusted CD


Pushing out and running remotely

PDServer can run in a stealth mode

Can change process name to appear as OS function

Remote connection security features

Password Protection


Secure Communication Protocol

Write Protected Trusted Binaries

Digital Signatures

Remote Acquisition with EnCase Enterprise

Remote acquisition features

Remote data acquisition of a computer’s media and RAM data

Integration with intrusion detection system (IDS) tools

Options to create an image of data from one or more systems

Preview of systems

A wide range of file system formats

RAID support for both hardware and software

Remote Acquisition with R-Tools R-Studio

R-Tools suite of software is designed for data recovery

Remote connection uses Triple Data Encryption Standard (3DES) encryption

Creates raw format acquisitions

Supports various file systems

Using Other Forensics-Acquisition Tools


SnapBack DatArrest



ILook Investigator IXimager

Vogon International SDi32


Australian Department of Defence PyFlag

SnapBack DatArrest

Columbia Data Products

Old MS-DOS tool

Can make an image on three ways

Disk to SCSI drive

Disk to network drive

Disk to disk

Fits on a forensic boot floppy

SnapCopy adjusts disk geometry

NTI SafeBack

Reliable MS-DOS tool

Small enough to fit on a forensic boot floppy

Performs an SHA-256 calculation per sector copied

Creates a log file


Disk-to-image copy (image can be on tape)

Disk-to-disk copy (adjusts target geometry)

Parallel port laplink can be used

Copies a partition to an image file

Compresses image files

Order Now

Order Now

Type of Paper
Number of Pages
(275 words)