Before using Assure for digital forensics
If the device, irrespective of type, is available for long periods of time, then please ignore the remainder of this paragraph. However, from previous experience we have frequently been confronted with situations where the availability of target or source media is unpredictable or at very short notice, or where access, whether overt or covert, is not possible, making imaging by someone with knowledge of digital forensics nigh on impossible.
If this is the case, then those undertaking the digital imaging need to take into account a number of factors which may have a bearing, and a small amount of preparation and a little research should be undertaken before attempting to acquire an image using Assure.
The amount of time that a device is likely to be available for some form of digital forensics, whether an analysis or the acquisition of data, may be limited. Knowing the speeds at which an application might complete these tasks can therefore be critical, and having an idea of the disk sizes and data transfer rates will provide a guide as to the amount of time required (see below).
Note: The rest of this page deals with how to acquire a digital image for analysis.
Preparing to acquire data
When advising on how best to prepare to acquire a target device, we would recommend trying to establish the following, most of which should be available from markings on the device or from searching the internet:
What is the likely size of the target media?
Firstly, assume that the target media we are looking to image is contained within a desktop or laptop computer and that we don’t know the size of the hard drive or drives. Establishing the make and model as a start point, followed by a little research, should at least provide information on the default sizes of hard drives installed at the time of manufacture, as well as the potential for any additional internal capacity, such as flash cards. If the drives have since been changed and storage space becomes an issue when attempting to acquire any images, Assure will let you know.
What is the capacity of the case storage device?
It might sound daft, but if you have an idea of the likely size of the target media, you should at least ensure that your case storage is equal to or larger than it.
What type of data connectivity do the target and case storage devices have?
The answer to this question, together with the size of the target media, will determine the length of time an acquisition will take.
Note: The most likely bottleneck will be the speed at which the slowest connected USB port operates. As an example, a 1 TB drive copied over a USB 2 port could take nearly two days, whereas copying the same data over a USB-C port to an NVMe drive will take just over an hour.
Other factors to consider when time is of the essence are the type of copy being made and the file format used to acquire the data. Normally, the fastest combination for acquiring an image is an intelligence copy in the DD format, as image splitting and compression, as well as obtaining a forensic copy, will slow the process.
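As an added example (not part of the Assure documentation), the following Python script turns the capacity and link-speed questions above into a pre-acquisition planning check: it finds the slowest link between target and case storage, estimates the acquisition time, applies the slowdown of the options mentioned (splitting, compression, forensic copy) and flags a plan whose case storage is too small or whose runtime exceeds the window of access. The throughput figures and slowdown factors are assumptions for illustration only and should be replaced with rates measured on the actual kit.

```python
from dataclasses import dataclass, field

# Illustrative sustained throughput in MB/s per link type. These are
# ASSUMED placeholder values: measure the real rate on your own hardware.
LINK_MBPS = {"usb2": 30, "usb3": 350, "usbc_nvme": 900}

# Assumed multipliers for the acquisition options that slow the copy.
OPTION_SLOWDOWN = {"splitting": 1.1, "compression": 2.0, "forensic_copy": 2.0}


@dataclass
class Plan:
    target_gb: float          # likely size of the target media
    case_storage_gb: float    # capacity of the case storage device
    target_link: str          # how the target media is connected
    case_link: str            # how the case storage is connected
    options: tuple = field(default_factory=tuple)


def bottleneck_mbps(plan: Plan) -> float:
    """The slowest of the two links limits the whole acquisition."""
    return min(LINK_MBPS[plan.target_link], LINK_MBPS[plan.case_link])


def estimate_hours(plan: Plan) -> float:
    """Estimated wall-clock time for the acquisition, in hours."""
    seconds = plan.target_gb * 1000 / bottleneck_mbps(plan)
    for opt in plan.options:
        seconds *= OPTION_SLOWDOWN[opt]
    return seconds / 3600


def check_plan(plan: Plan, window_hours: float):
    """Return (ok, estimated_hours, findings) for a planned acquisition."""
    findings = []
    if plan.case_storage_gb < plan.target_gb:
        findings.append(f"case storage {plan.case_storage_gb} GB is smaller "
                        f"than target {plan.target_gb} GB")
    hours = estimate_hours(plan)
    if hours > window_hours:
        findings.append(f"estimated {hours:.1f} h exceeds the {window_hours} h "
                        f"window; consider a faster link or an intelligence DD copy")
    return (not findings, hours, findings)


if __name__ == "__main__":
    # Constructed scenario: 1 TB laptop drive, USB 2 target, 8 hours of access.
    ok, hours, notes = check_plan(Plan(1000, 500, "usb2", "usbc_nvme"), 8)
    print(f"ok={ok} est={hours:.1f} h", *notes, sep="\n  ")
```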
Is the target device’s BIOS or Boot Menu available?
The way in which a system’s BIOS is accessed frequently depends on the manufacturer and any security settings which may have been applied. For example, with Lenovo laptops and workstations the boot sequence can be changed by pressing the Enter key or F12 to access the boot menu. On other systems, pressing F1 or the Delete key can have a similar effect. With MacBooks you need to press the Option key while powering up.
For detailed information on how to boot a computer from a USB key or flash drive, click here
If a computer is shared and access to either the BIOS or boot menu is restricted, the possibility of modifying settings temporarily so that access to either can be obtained may still exist. This will depend on the type of computer being accessed and may not be recommended. For more information please email firstname.lastname@example.org
Finally, if access to a target computer’s BIOS or boot menu is not possible, the only other option available would be to temporarily remove the drive from the target and then acquire an image using a host machine.
Does the target device have a constant source of power?
This might sound a bit of a no-brainer, but in the past, we have become aware of users attempting to acquire data images from laptops when the system’s battery had less than 10 minutes power! Needless to say, things didn’t work out well until an appropriate power lead was sourced.
Using in host mode
- The only things you really need to be certain of are that you have power and sufficient storage capacity to acquire the media.
One other thing which frequently crops up, is that clients often assume that because they do not have or know a logon password imaging will not work or that data acquired may be inaccessible. The way Assure works bypasses any protection offered by a logon password.