Windows Forensics: The Field Guide for Corporate Computer Investigations
| | ||
| | ||
| | ||
Overview
Forensic duplication is the copying of the contents of a storage device completely and without alteration. The technique is sometimes known as bitwise duplication, sector copying, or physical imaging. Forensic duplication is the primary method for collecting hard disk, floppy, CD/DVD, and flash-based data for the purpose of evidence gathering.
Copying files from a suspects device using standard techniques (Windows Explorer, cutting and pasting, xcopy) or imaging of logical drives (using Ghost or DriveImage) provides some of the data for an investigation but is usually insufficient for forensic imaging and may violate best evidence rules.
| Note | When applied to a drive as a whole, this imaging is generally not sufficient. Copies of individual files can be made and used as evidence (such as those gathered in a live acquisition or from a shared drive), but it needs to be documented why bitwise imaging was not performed and the examiner needs to understand the limitations. |
The failings of standard duplication techniques from a forensic standpoint are as follows :
-
Lack of authenticity. There is no verification of authenticity in a standard file copy. This can be addressed through the use of external tools such as MD5sum that provide this facility.
-
Loss of non-file data. Information stored in slack space, un-partitioned space, or free space is not copied . These locations may contain previously deleted content or other information of interest that will not be available with logical imaging.
-
Alteration of metadata. Depending on the file systems copied To/From, metadata associated with a file may be lost. Rights and permissions stored on a specific file system (for example, NTFS) as well as system attributes (for example, Read Only bit) may be altered or deleted when a file is copied between disparate file systems. This can include the loss of the ability to look up permissions (based on SID) even on copies to similar file systems.
-
Inability to provide context. A copy of the data in a logical file does not provide the same machine context as an image. Contextual data can include location in a directory tree, or duplication details, and details on other surrounding files.
Note Context is very important in investigations. An image of a young child in a bathing suit found in a directory labeled "Relatives ˆ4th of July 2004" might take on a vastly different meaning than the same image in a directory called Young Kids. Likewise, the surrounding files may be indicators. The same image grouped with 100 other pictures of individuals of varying ages in bathing suits may have a different interpretation than 100 other kids in bathing suits .
-
Failure to copy all data streams. Alternate Data Streams, a feature of NTFS file systems, are not supported by most other file systems. By copying files to a non-NTFS file system, these streams are lost, as only the primary stream is retained.
Because of these limitations, special tools and techniques exist for forensic duplications. Their usage depends on the specifics of the case. The duplication of a single floppy disk varies greatly from the duplication of a multi-terabyte RAID array.
| | ||
| | ||
| | ||