PRACTICAL FORENSIC IMAGING
Securing Digital Evidence with Linux Tools
Bruce Nikkel
San Francisco
PRACTICAL FORENSIC IMAGING. Copyright 2016 by Bruce Nikkel.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
20 19 18 17 16 1 2 3 4 5 6 7 8 9
ISBN-10: 1-59327-793-8
ISBN-13: 978-1-59327-793-2
Publisher: William Pollock
Production Editor: Alison Law
Cover Illustration: Garry Booth
Interior Design: Octopod Studios
Technical Reviewer: Don Frick
Copyeditor: Anne Marie Walker
Compositor: Alison Law
Proofreader: Paula L. Fleming
Indexer: BIM Creatives, LLC
For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 415.863.9900;
www.nostarch.com
Library of Congress Cataloging-in-Publication Data
Names: Nikkel, Bruce, author.
Title: Practical forensic imaging : securing digital evidence with Linux tools / Bruce Nikkel.
Description: San Francisco : No Starch Press, [2016] | Includes index.
Identifiers: LCCN 2016026449 (print) | LCCN 2016033058 (ebook) | ISBN 9781593277932 | ISBN 1593277938 | ISBN 9781593278007 (epub) | ISBN 1593278004 (epub) | ISBN 9781593278014 (mobi) | ISBN 1593278012 (mobi)
Subjects: LCSH: Computer crimes--Investigation. | Data recovery (Computer science) | Data encryption (Computer science) | Evidence, Criminal. | Linux.
Classification: LCC HV8079.C65 N55 2016 (print) | LCC HV8079.C65 (ebook) | DDC 363.25/9680285586--dc23
LC record available at https://lccn.loc.gov/2016026449
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
This book is dedicated to everyone who provided motivation, support, guidance, mentoring, inspiration, encouragement, critiques, wisdom, tools, techniques, and research, all of which influenced and helped with the creation of this book.
About the Author
Bruce Nikkel is the director of Cyber-Crime / IT Investigation & Forensics at UBS AG, a global financial institution based in Switzerland. He has worked for the bank's security and risk departments since 1997 and has managed the IT forensics team since 2005. Active in the digital forensics community, Bruce has published research papers on various digital forensics topics and is an editor for Digital Investigation: The International Journal of Digital Forensics and Incident Response. He is also on the organizing committee of DFRWS Europe. Bruce holds a PhD in network forensics from Cranfield University. His forensics website is .
CONTENTS IN DETAIL
DIGITAL FORENSICS OVERVIEW
STORAGE MEDIA OVERVIEW
LINUX AS A FORENSIC ACQUISITION PLATFORM
FORENSIC IMAGE FORMATS
PLANNING AND PREPARATION
ATTACHING SUBJECT MEDIA TO AN ACQUISITION HOST
FORENSIC IMAGE ACQUISITION
FORENSIC IMAGE MANAGEMENT
SPECIAL IMAGE ACCESS TOPICS
EXTRACTING SUBSETS OF FORENSIC IMAGES
FOREWORD
Practical Forensic Imaging is much needed, and comes at a most opportune time. In recent years, preservation of digital evidence has become crucial in corporate governance, regulatory compliance, criminal and civil actions, and military operations. This trend is not geographically constrained but applies across the majority of continents, including developing countries.
Savvy organizations preserve pertinent computer systems when handling human resource complaints, policy violations, and employment termination. Some organizations even preserve data proactively, particularly for regulatory compliance purposes. This book provides scalable solutions that can be implemented across an enterprise for reasonable cost.
Most criminal cases involve digital evidence, and responsibility to preserve the data is increasingly falling on small law enforcement agencies with limited resources or training. Practical Forensic Imaging is an invaluable resource for such agencies, delivering practical solutions to their everyday problems.
Civil matters can involve large quantities of data spread across many data sources, including computers, servers, removable media, and backup tapes. Efficient and effective methods are crucial in such circumstances, and this book satisfies these requirements as well.
Given the increasing importance of preserving digital evidence in a multitude of contexts, it is critical to use proper preservation processes. Weaknesses in the preservation process can create problems in all subsequent phases of a digital investigation, whereas evidence that has been preserved using forensically sound methods and tools provides the foundation to build a solid case.
Furthermore, the growing need to preserve digital evidence increases the demand for tools that are dependable, affordable, and adaptable to different environments and use cases.
Practical Forensic Imaging addresses these requirements by concentrating on open source technology. Open source tools have these advantages: high transparency, low cost, and potential for adaptability. Transparency enables others to evaluate the reliability of open source tools more thoroughly. In addition to black box testing using known datasets, the source code can be reviewed.
Reducing the cost of forensic preservation is important both for agencies with limited resources and for organizations that have to deal with large quantities of data.
Being able to adapt open source tools to the needs of a specific environment is a major benefit. Some organizations integrate open source tools and preservation tools into automated processes within their enterprise or forensic laboratory, while others deploy these same tools on portable systems for use in the field.
There is a steep learning curve associated with all digital forensic processes and tools, particularly open source tools. Bruce Nikkel's extensive experience and knowledge are evident in the impressive clarity of the technical material in this book, making it accessible to novices while interesting to experts.