How Can a Criminal Investigator Ensure the Integrity of a Removable Media Device


Removable Memory

Today, it is rare for an investigator to merely seize a laptop computer and then just analyze that computer's hard drive. The investigator must also consider the myriad of removable storage devices that are so pervasive today because of the low cost of removable memory. It is important to consider all potential storage when drafting a warrant and when conducting a search; you must understand how these devices are connected to the computer, understand trace evidence, and know the types of files that may be stored on these devices. This is easier said than done, given that removable memory has become smaller and more varied, with more wireless capabilities. This section provides some helpful advice on how to deal with removable memory.

FireWire

FireWire is the Apple version of IEEE 1394, which is a serial bus interface standard for high-speed data transfer. FireWire (see Figure 3.16) provides for higher data transfer speeds than USB, with speeds up to 400Mbps (megabits per second). FireWire 400 (1394-1995) can transfer data between devices at speeds of 100, 200, or 400 megabits per second full duplex, and the cable length can measure up to 14.8 feet. FireWire 800 (1394b-2002) can transfer data at rates of 782.432 megabits per second full duplex. Apple, which has been largely responsible for the development of FireWire, has been slowly phasing out this protocol in favor of its Thunderbolt interface. Chapter 11, "Mac Forensics," details how helpful FireWire can be for acquiring a forensic image from an Apple Mac using an Apple Mac.

USB Flash Drives

As noted in Chapter 2, each time a device is connected to a computer, data about that device is recorded in the Windows Registry. Figure 3.17 shows exactly where in the registry USB device connections are recorded.

These registry entries are important in showing a history of what devices were connected to a computer. Every USB device has a serial number that is recorded in the subkey for that USB device in the registry.
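The registry subkeys described above carry the vendor, product, revision and serial number in their names, so they can be parsed mechanically. The following is an added example (not code from the book or from any forensic product) that splits USBSTOR-style subkey names into those fields and flags serials that Windows generated itself, which cannot tie a specific stick to the machine. The sample entries are constructed for this example; only the registry path HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR and the key-name layout are real.

```python
import re
from dataclasses import dataclass

# Constructed sample entries shaped like the subkeys Windows creates under
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\<device key>\<instance id>.
# The vendor, product and serial values below are made up for this example.
SAMPLE_USBSTOR_ENTRIES = [
    ("Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00", "4C530001230101234567&0"),
    ("Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP", "0019E06B3C2AD4F1&0"),
    # A '&' as the second character of the instance id means the device reported
    # no serial number and Windows synthesised one for this host only.
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "6&2f3a9b1c&0&000000"),
]

DEVICE_KEY_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$"
)


@dataclass
class UsbStorageDevice:
    device_class: str        # Disk, CdRom, ...
    vendor: str
    product: str
    revision: str
    serial: str
    serial_is_unique: bool   # False when the serial was generated by Windows


def parse_usbstor_entry(device_key: str, instance_id: str) -> UsbStorageDevice:
    """Split one USBSTOR device key / instance id pair into its parts."""
    m = DEVICE_KEY_RE.match(device_key)
    if not m:
        raise ValueError(f"unexpected USBSTOR device key: {device_key!r}")
    # The instance id is "<serial>&<port>"; keep only the serial portion.
    serial = instance_id.split("&")[0]
    unique = len(instance_id) > 1 and instance_id[1] != "&"
    return UsbStorageDevice(
        device_class=m["cls"],
        vendor=m["ven"].replace("_", " "),
        product=m["prod"].replace("_", " "),
        revision=m["rev"],
        serial=serial,
        serial_is_unique=unique,
    )


def parse_usbstor_entries(entries):
    """Parse a list of (device key, instance id) pairs, e.g. from a registry export."""
    return [parse_usbstor_entry(key, inst) for key, inst in entries]


def read_live_usbstor():
    """On a live Windows host, enumerate the same subkeys from the registry.
    Returns [] on other platforms so the module stays importable everywhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    base = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            dev_key = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, dev_key) as dev:
                for j in range(winreg.QueryInfoKey(dev)[0]):
                    entries.append((dev_key, winreg.EnumKey(dev, j)))
    return parse_usbstor_entries(entries)


if __name__ == "__main__":
    for device in parse_usbstor_entries(SAMPLE_USBSTOR_ENTRIES):
        print(device)
```

When working from a seized system rather than a live one, feed the same function the subkey names exported from the offline SYSTEM hive; the parsing does not depend on how the names were obtained.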

Access to files on a USB device is not a foregone conclusion, however, because many of these storage devices have security utilities built in. For example, IronKey USB devices use AES 256-bit encryption to protect files on the device. These devices protect the user and enterprise from theft of intellectual property; after a series of unsuccessful attempts to access the device, the device automatically reformats the drive.

The file system found on a USB flash memory device is usually FAT, a file system that most computers recognize, although the device can be formatted to support other file systems.

External Hard Drives

There are generally two types of external hard drives: a USB-powered hard drive and an external drive that uses the USB interface for data transfer but uses an adapter to power the drive. Housed within the casing, an investigator usually finds a Serial ATA hard disk drive. This is important to know because if there is a limited amount of time to acquire evidence or the external hard drive cannot be removed from the premises, then it is probably advisable to remove the hard disk drive from the outer casing. By removing the drive from the casing, a cloning device can be used to make a copy of the external drive. If the hard disk drive is not removed from its casing, then the drive must be imaged using a write-blocker connected to a laptop. The Western Digital external hard disk drive in Figure 3.18 houses a 2.5-inch drive. A mini USB port is used for both power and data transfer to a computer.

In some cases, a cloning device may not be workable, so an investigator should always bring a write-blocker (including a USB write-blocker). For imaging and validating the drive, an investigator can bring FTK Imager Lite on a USB or perhaps carry Raptor 2.0 on a USB or bootable CD. Imaging a 250GB drive, with verification, using FTK Imager Lite could take just over two hours, whereas cloning that same drive could take approximately forty minutes. When cloning or imaging a hard drive, it is proper protocol to place the source and destination hard drives on an antistatic, rubberized mat to avoid any electromagnetic interference. Hard drives should also be transported in antistatic bags.

External hard drives are generally used today for backups or as an extension to a computer's memory. An examiner should be aware that an external hard disk could contain any number of file systems, including (Windows) NTFS or (Mac) HFS+. More important, if the external drive is connected to a PC with Windows 7 installed and BitLocker To Go is running, then disconnecting the drive from the computer may encrypt that external drive. In other words, think before you remove any USB device that is connected to a live system. Of course, external drives can also be eSATA or FireWire. Newer drives may also have software installed for backing up the drive, possibly to a cloud service. It is important to check for all installed software utilities on the suspect's drive and note that backup software and other data integrity utilities can be present on a separate partition.

MultiMedia Cards (MMCs)

A MultiMedia Card is storage memory that was developed by Siemens AG and SanDisk for use in portable devices, like cameras. MMCs are not as popular as they once were because they have largely been replaced by Secure Digital (SD) cards. An MMC has a standard size of 24mm × 32mm × 1.4mm. MultiMedia Cards replaced SmartMedia cards, which Toshiba developed in 1995, and had a storage capacity of 16 MB–128 MB. As you can see in Figure 3.19, a SmartMedia card is very similar in appearance to an SD card.

Figure 3.19 SmartMedia card

Secure Digital (SD) Cards

A Secure Digital (SD) card is a file storage device that was developed for use in portable electronics, like cameras. The association that developed SD cards and set the standard for this memory is a joint venture between Matsushita Electric Industrial Co., Ltd. (Panasonic); SanDisk Corporation; and Toshiba Corporation.

The standard size for an SD card is 24mm wide and 32mm long, with a thickness of 2.1mm (see Figure 3.20). It is possible to find SD cards that have a capacity of up to 4GB. The standard size is often used in digital cameras, and many laptops come with an SD card slot and reader as standard. More recently, SDHC (Secure Digital High Capacity) cards began to appear in the market, beginning with a capacity of 4GB. SDHC cards can go up to 32GB. Even more recently, 64GB cards began to appear with the emergence of SDXC (Secure Digital eXtended Capacity). Secure Digital cards are formatted with the FAT32 file system.

Note that some SD cards are WiFi enabled with preinstalled utilities. Some of these utilities can automatically send photos to a mobile device, upload files to social media sites, or even add files to a cloud service. Generally, a logo on the SD card indicates that the card is WiFi enabled, but this might not always be the case; the investigator should be cognizant of these wireless capabilities.

If you come across an SD card during an investigation, it is proper protocol to set the write-protect switch to on, when present on the card, to prevent any data from being written to this memory. Of course, the investigator will use a write-blocker before examining any removable memory, like an SD card.

A miniSD is 20 mm wide and 21.5 mm long. The microSD format was developed by SanDisk. A microSD card can be used in a standard SD card reader with the use of an SD adapter. microSD cards are often found in cellular telephones, and therefore they can be a valuable source of evidence. Additionally, many cellphone forensic imaging or cloning devices cannot read the contents of the microSD card, so the card may have to be removed and imaged separately.

CompactFlash (CF) Cards

CompactFlash (see Figure 3.21) is a memory card that was first developed by SanDisk for use in portable electronics, like digital cameras. A CompactFlash (CF) card can have two different dimensions: (a) Type I is 43mm × 36mm × 3.3mm, and (b) Type II is 43mm × 36mm × 5mm. CompactFlash cards are not as popular today as Secure Digital cards, but they do have an effective file storage system and can potentially support up to 100GB of memory.

Figure 3.21 CompactFlash

Memory Sticks

A Memory Stick (see Figure 3.22) is Sony's proprietary memory card that was introduced in 1998. Unlike many other flash memory manufacturers, Sony also produces many of the electronic devices that support its memory card. Sony manufactures televisions, laptops, cellular telephones, digital cameras, video recorders, game consoles, MP3 players, and numerous other electronic devices, all of which support additional memory through the use of a Memory Stick. The original Memory Stick was replaced by the Memory Stick PRO in 2003, to enable a greater storage capacity. The PRO series utilizes the FAT12, FAT16, and FAT32 file systems. The Memory Stick Duo was a smaller memory card that was developed to fit well into small handheld devices. Other versions of the Memory Stick were developed to increase memory capabilities and to support high-definition video capture.

More recently, the Memory Stick XC (Extended High Capacity) series was released by Sony and SanDisk. These memory cards have the potential to store up to 2TB of memory. The XC series uses the exFAT (FAT64) file system. This series has maximum data transfer rates of up to 160 Mbps and 480Mbps depending upon the XC model.

The important point for investigators to note is that if a suspect owns Sony products, Memory Sticks could be present in these devices. For example, a Sony television might have a Memory Stick inserted. Moreover, that memory card will probably contain files uploaded from a computer.

xD Picture Cards

Introduced in 2002, xD (eXtreme Digital) Picture Cards were developed by Olympus and Fujifilm for digital cameras and some voice recorders. These memory cards have been slowly phased out by Olympus and Fujifilm in favor of the more popular SD cards.

Hardware for Reading Flash Memory

There are a few ways to securely view the contents of flash memory cards. One tool is Digital Intelligence's UltraBlock Forensic Card Reader and Writer (see Figure 3.23). This device is connected to a computer via the USB port (2.0 or 1.0) and can read the following media:

  • CompactFlash
  • MicroDrive
  • Memory Stick
  • Memory Stick PRO
  • Smart Media Card
  • xD Picture Card
  • Secure Digital Card (SD and SDHC)
  • MultiMedia Card

A regular memory card reader could be used in addition to a USB write-blocker to ensure that the data is viewed forensically. A write-blocker is a hardware device that allows an individual to read data from a device, like a hard drive, without writing to that device. An investigator could connect a media card reader to Digital Intelligence's UltraBlock USB Write Blocker, which would be connected to a computer, where the media card's contents would be viewed or acquired.

Compact Discs

A compact disc (CD), also known as an optical disc, is a polycarbonate plastic disc with one or more metal layers, used to store data digitally. A CD is usually 1.2mm thick and weighs 15–20 grams. Aluminum is generally used for the metallic surface. Data is stored to the disc and read from the disc using a laser. The laser that writes data to a disc reaches a temperature of 500–700 degrees Centigrade. Because the data is stored through a laser, CDs are not vulnerable to electromagnetic charges. The high temperatures used in storing the data cause the metallic alloy to liquefy, and the reflective state changes. Lands are the reflective surfaces on a CD burned flat by a laser. Pits are the less reflective surfaces on a CD that have not been burned by a laser. The differences between the reflective and less reflective surfaces can be translated to binary (0s, 1s).

CDs were initially developed by Sony and Philips to store and play audio files. Later the CD-ROM was developed for data storage. A CD-R allows data to be stored once. Because a CD-R can only have data written to it once, handling this type of CD in a forensically sound manner does not require a write-blocker. A CD-RW, on the other hand, allows data to be written multiple times to the disc. Today a standard CD generally has a storage capacity of 700MB.

ISO 9660, introduced in 1988, refers to the standard for optical discs and their file system. ISO 9660 is also called CDFS (Compact Disc File System), and it was created to support different operating systems, like Windows and Mac OS. Other file systems can also be supported by CDs, however; these include Joliet, UDF, HSG, HFS, and HFS+. Joliet allows for longer filenames, which are associated with more recent versions of Windows. Because other file systems can exist on a CD, it is important to remember that a CD used in a Windows computer may show that it is invalid if an HFS+ file system resides on the disc. This means that specialized tools may be required to access the files stored on a CD. IsoBuster, for example, is a data recovery tool for CD, DVD, and Blu-ray. InfinaDyne's CD/DVD Inspector is a specialized tool for a forensic acquisition of files from CDs and DVDs. It should be noted that an .iso file, which is an image of an optical disc, may be saved on the hard drive of a suspect's computer or on another storage device.

The International Organization for Standardization (ISO) in Geneva, Switzerland, created this standard to facilitate the use of CDs on Windows, Macintosh, and UNIX computers. Frames consist of 24 bytes and are the smallest unit of memory on a CD-ROM. A sector on a CD-ROM consists of 98 frames (2352 bytes).
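An examiner who finds an .iso file on a suspect's drive, or who wants to know why Windows reports a disc as invalid, can check the ISO 9660 volume descriptors directly. The following is an added example (not code from the book or from any of the tools it names) that builds a constructed minimal disc image with a primary volume descriptor and a Joliet supplementary descriptor, then parses the descriptor set starting at sector 16. It assumes a cooked image with 2048 user-data bytes per sector, as an .iso file stores it; a raw 2352-byte-per-sector rip would need its sync and header bytes stripped first. The volume identifier and sizes are sample values.

```python
import struct

SECTOR = 2048                 # user data bytes in one ISO 9660 logical sector
SYSTEM_AREA_SECTORS = 16      # sectors 0-15 are reserved; descriptors start at 16
JOLIET_ESCAPES = {b"%/@": "Joliet level 1", b"%/C": "Joliet level 2", b"%/E": "Joliet level 3"}


def build_descriptor(vd_type, volume_id, total_sectors, escape=b""):
    """Construct one volume descriptor sector (sample data for this example)."""
    d = bytearray(SECTOR)
    d[0] = vd_type                       # 1 = primary, 2 = supplementary
    d[1:6] = b"CD001"                    # standard identifier
    d[6] = 1                             # descriptor version
    if escape:                           # Joliet SVD: volume id is UCS-2 big-endian
        vid = volume_id.encode("utf-16-be")
        vid += b"\x00 " * ((32 - len(vid)) // 2)
    else:
        vid = volume_id.ljust(32).encode("ascii")
    d[40:72] = vid
    d[80:84] = struct.pack("<I", total_sectors)   # volume space size, both-endian
    d[84:88] = struct.pack(">I", total_sectors)
    d[88:88 + len(escape)] = escape               # escape sequences (SVD only)
    d[128:130] = struct.pack("<H", SECTOR)        # logical block size, both-endian
    d[130:132] = struct.pack(">H", SECTOR)
    return bytes(d)


def build_sample_image(total_sectors=20):
    """Constructed minimal disc image: empty system area, PVD, Joliet SVD, terminator."""
    img = bytearray(SECTOR * SYSTEM_AREA_SECTORS)
    img += build_descriptor(1, "EVIDENCE_CD", total_sectors)
    img += build_descriptor(2, "EVIDENCE_CD", total_sectors, escape=b"%/E")
    term = bytearray(SECTOR)             # volume descriptor set terminator
    term[0] = 255
    term[1:6] = b"CD001"
    term[6] = 1
    img += term
    img += bytes(SECTOR * total_sectors - len(img))
    return bytes(img)


def is_iso9660(image: bytes) -> bool:
    """True when sector 16 carries a primary volume descriptor with the CD001 signature."""
    start = SYSTEM_AREA_SECTORS * SECTOR
    d = image[start:start + 7]
    return len(d) == 7 and d[0] == 1 and d[1:6] == b"CD001"


def parse_volume_descriptors(image: bytes):
    """Walk the descriptor set from sector 16 and return one dict per descriptor.
    Raises ValueError when the CD001 signature is missing, the cue that the disc
    carries some other file system (UDF, HFS+ ...) or is not a data disc at all."""
    descriptors = []
    lba = SYSTEM_AREA_SECTORS
    while True:
        d = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(d) < SECTOR or d[1:6] != b"CD001":
            raise ValueError(f"no ISO 9660 signature at sector {lba}")
        if d[0] == 255:                  # set terminator reached
            break
        escapes = d[88:120]
        joliet = next((name for seq, name in JOLIET_ESCAPES.items()
                       if escapes.startswith(seq)), None)
        raw_id = d[40:72]
        volume_id = (raw_id.decode("utf-16-be") if joliet
                     else raw_id.decode("ascii", "replace")).strip()
        space_le = struct.unpack("<I", d[80:84])[0]
        space_be = struct.unpack(">I", d[84:88])[0]
        bs_le = struct.unpack("<H", d[128:130])[0]
        bs_be = struct.unpack(">H", d[130:132])[0]
        descriptors.append({
            "sector": lba,
            "type": {1: "primary", 2: "supplementary"}.get(d[0], f"type {d[0]}"),
            "volume_id": volume_id,
            "volume_space_sectors": space_le,
            "logical_block_size": bs_le,
            "joliet": joliet,
            # The standard stores these sizes twice; a mismatch points to corruption.
            "both_endian_consistent": space_le == space_be and bs_le == bs_be,
        })
        lba += 1
    return descriptors


if __name__ == "__main__":
    for vd in parse_volume_descriptors(build_sample_image()):
        print(vd)
```

Running the parser over an image that has no CD001 signature at sector 16 raises immediately, which is the programmatic equivalent of Windows declaring the disc invalid: the disc may still hold an HFS+ or UDF volume that a specialized tool can read.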

Compact Disc–Rewritable (CD-RW)

A CD-RW usually stores less data than a CD (570MB instead of 700MB). A track on a compact disc is a group of sectors that are written to at once. A session on a compact disc is a group of tracks recorded at the same time. The table of contents (TOC) records the location of the start address, the session number, and track information (music or video) on a compact disc. The TOC is an instance of a session, and every session contains a TOC. If the TOC cannot be read by the computer's CD-ROM drive, then the compact disc will not be recognized. A full erase of a CD-RW deletes all data on a disc. However, a quick erase will only remove all references to tracks and sessions, leaving the lands and pits unchanged. Nevertheless, the CD-RW will not be recognized because the sessions have been removed.

CnW Recovery is a tool that claims to recover disc data that has been through the quick erase process. Ultimately, when a quick erase has been performed, it is possible to recover the data on a CD-RW. When a full erase has been executed, the data cannot be recovered.

DVDs

A digital video (or versatile) disc (DVD) is an optical disc with a large storage capacity that was developed by Philips, Sony, Toshiba, and Time Warner. A single-sided DVD generally has a capacity of 4.7GB. Other DVD formats can store more than 17GB of data. Their large storage capacity makes them ideal for storing video files, which are often very large in size. A DVD player uses a red laser (650 nanometers) to read data from a DVD disc.

Blu-ray Discs

A Blu-ray disc (BD) is a high-capacity optical disc that can be used to store high-definition video. A single-layer disc has a storage capacity of 25GB, while a dual-layer disc can store 50GB of data. Also available are 3D Blu-ray players and discs. A firmware upgrade available for Sony's PlayStation 3 facilitates 3D Blu-ray playback too. The name of this storage media comes from the blue laser (405nm) used to read the disc; this laser enables more data to be stored than the red laser used in DVDs. Standards for these optical discs have been developed and are maintained by the Blu-ray Disc Association (www.blu-raydisc.com).

From a forensics perspective, Blu-ray discs have limited value because both the Blu-ray burner and recordable discs are still prohibitively expensive for the average consumer; a suspect is more likely to store video on a hard drive or burn video files onto a DVD. Nevertheless, there are two different recordable formats. A BD-R disc can be written to once, while a BD-RE can be used for re-recording.

Companies like Digital Forensics Systems produce devices for imaging and analyzing CDs, DVDs, and BDs.

Floppy Disks

A floppy disk is a thin, flexible, plastic computer storage disk that is housed in a rigid plastic rectangular case. Files are stored on the disk magnetically. These disks have historically come in 8-inch (see Figure 3.25), 5¼-inch, and 3½-inch (see Figure 3.26) sizes. Initially, these disks were used to store a computer's operating system. Subsequently, they were used for general file storage purposes. The 3½-inch disk was introduced in 1987; its storage capacity ranges from 720KB to 1.4MB.

IBM invented the floppy disk drive, which was used to store and read data from floppy disks.

Floppy disks have been largely replaced by flash memory, optical disks, and external hard drives. An investigator who encounters floppy disks during an investigation is more likely to find the PC-compatible 1440KB format. Floppy disks are formatted with the FAT12 file system. All of these disks will only have either one or two clusters.

A forensic image of a floppy disk can be made by using the following Linux command:

# dd if=/dev/fd0 of=/evidence/floppy1.img bs=512

In the previous command, "/dev/fd0" refers to the floppy disk drive and "/evidence/floppy1.img" is the output image file. The "bs=512" sets the block size (bs) to 512 bytes, the size of one floppy sector.

Of course, prior to inserting any disk you should make sure that the disk is set to write-protected. You should then make a bit-for-bit copy of the floppy disk and lock the original disk in an evidence locker away from any potential magnetic interference. To view the files on the disk, mount the image you just made read-only (here at the example mount point /mnt/floppy) and list the mount point; listing /dev/fd0 directly would only show the device node itself:

# mount -o ro,loop /evidence/floppy1.img /mnt/floppy
# ls /mnt/floppy
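Both the imaging-with-verification workflow described for external hard drives and the dd command above come down to the same procedure: read the source block by block, never write to it, cope with sectors that cannot be read, and record a hash of the result so the image can be verified later. The following is an added example (not code from the book or from dd, FTK Imager or Raptor) that implements that procedure in Python with 512-byte blocks, substituting zeros for an unreadable block the way dd conv=noerror,sync does. Because the verifier cannot read a real floppy, the source here is a constructed in-memory 1440KB "disk" with one sector that raises an I/O error; on a real system the same image_device function would be handed open('/dev/fd0', 'rb') behind a write-blocker.

```python
import hashlib
import io
import os
import tempfile

BLOCK = 512                      # one floppy sector, matching bs=512 in the dd command
FLOPPY_BYTES = 1440 * 1024       # the PC-compatible 1440KB format


def image_device(src, dst_path, block_size=BLOCK):
    """Copy an open, seekable, read-only source (e.g. open('/dev/fd0', 'rb')) block
    by block into dst_path. An unreadable block is replaced by zeros and its number
    recorded, the same behaviour as dd conv=noerror,sync. The image is hashed while
    it is written so the acquisition record carries a SHA-256 for later verification."""
    sha = hashlib.sha256()
    bad_blocks = []
    blocks = 0
    with open(dst_path, "wb") as out:
        while True:
            try:
                chunk = src.read(block_size)
            except OSError:
                chunk = b"\x00" * block_size
                bad_blocks.append(blocks)
                src.seek((blocks + 1) * block_size)    # skip past the bad block
            if not chunk:
                break
            out.write(chunk)
            sha.update(chunk)
            blocks += 1
    return {"blocks": blocks, "bad_blocks": bad_blocks, "sha256": sha.hexdigest()}


def hash_file(path, block_size=BLOCK):
    """SHA-256 of a file read in block-sized chunks (an image can exceed RAM)."""
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            sha.update(chunk)
    return sha.hexdigest()


def verify_image(image_path, record):
    """Re-read the image from disk and confirm it still matches the acquisition hash."""
    return hash_file(image_path) == record["sha256"]


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a floppy whose block `bad_block` returns an I/O error."""

    def __init__(self, data, bad_block, block_size=BLOCK):
        super().__init__(data)
        self._bad_offset = bad_block * block_size

    def read(self, n=-1):
        if self.tell() == self._bad_offset:
            raise OSError(5, "Input/output error")
        return super().read(n)


def acquire_constructed_floppy(bad_block=7):
    """Image a constructed 1440KB disk with one unreadable sector and verify the result.
    Pass a negative bad_block to simulate a disk with no read errors."""
    data = (bytes(range(256)) * (FLOPPY_BYTES // 256))[:FLOPPY_BYTES]   # sample content
    image_path = os.path.join(tempfile.mkdtemp(), "floppy1.img")
    record = image_device(FlakyDevice(data, bad_block), image_path)
    with open(image_path, "rb") as f:
        image = f.read()
    zeroed = image[bad_block * BLOCK:(bad_block + 1) * BLOCK] == b"\x00" * BLOCK
    return {
        "record": record,
        "image_path": image_path,
        "image_size": os.path.getsize(image_path),
        "bad_block_zeroed": bad_block >= 0 and zeroed,
        "verified": verify_image(image_path, record),
    }


if __name__ == "__main__":
    result = acquire_constructed_floppy()
    print(result["record"], "verified:", result["verified"])
```

The list of zero-filled blocks belongs in the acquisition notes alongside the hash: it documents exactly which sectors of the image do not reflect the original medium, which matters if the case later turns on data in that region.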

Zip Disks

A zip disk is a removable storage medium that was developed by Iomega in the early 1990s. Zip disks originally came with a 100MB capacity and later increased to 750MB. They were introduced as an alternative to floppy disks, which have a lower storage capacity. A zip drive, where zip disks are loaded, can be either an internal or an external drive. Zip drives and their disks have largely been replaced by CDs and the more popular, smaller, flash memory devices.

Magnetic Tapes

Magnetic tape is a thin plastic strip with a magnetic coating that is used for storing audio, video, and data. Because data is stored magnetically, an investigator must be careful to keep magnetic tapes away from all types of magnetism. Magnetic tapes differ in the way that data is retrieved because they must be read in a linear fashion, from the start of the tape through the end of the tape. This often makes the process of acquiring data from magnetic tape much longer.

The use of audio tapes in investigations has become less important. This is also true of video tapes used in a video cassette recorder (VCR).

Magnetic Tapes (Data Storage)

Forensic imaging and analysis of magnetic tapes (see Figure 3.27) used for data storage on servers is a challenge. Many different proprietary server systems exist, which makes it impossible to have a single solution. An analysis of the physical surface can be conducted using a complicated process known as magnetic force microscopy. This method can be used to uncover wiped or overwritten data.

Generally, data is recorded to a magnetic tape in blocks. Data at the block level can be accessed using the dd command. In computer investigations, dd is a UNIX command that produces a raw data image of a storage medium, like a hard drive or magnetic tape, in a forensically sound manner. The dd command is written in such a way that the image is copied to a hard drive, which allows for better search capabilities. A magnetic tape has no hierarchical file system because files are stored sequentially or in a tape partition. Partitions on magnetic tapes allow users to group files in "tape directories." When a sector is only partially used by a file, the rest of the sector is referred to as memory slack, buffer slack, or RAM slack. Similar to hard disks, file slack can contain remnants of data from previously existing files.


Source: https://www.pearsonitcertification.com/articles/article.aspx?p=2271195&seqNum=4
