Forensics Steps: Imaging

Over the past 18 months, our profile in IT forensics has been raised a bit. What started out sometime back as a call to me on a Saturday from another partner, asking “Can you guys recover deleted files from a computer?”, turned into another journey that eventually created our relatively new technical services group catering to IT forensics and penetration testing services. So aside from CISA for auditors and assurance, we ended up with CHFI guys, and CEH guys. More acronyms usually make us more technical sounding.

On a serious note, IT forensics is relatively new, and we didn’t go into it totally without guidance. We’ve worked with Cybersecurity, and still do, especially during the acquisitions and analysis. Recently, we’ve got in a few devices ourselves, namely the Tableau TD2 and a write blocker, to do some serious work with imaging. Before this, we primarily used FTK and USB-based imaging, with software write blocking through the registry. It was fine, but it wasn’t something that we could do long term, especially looking at a job where we had to image 30 hard drives in 2 days. While we roped in our partners to help out, we also used our TD2 to good effect, and we’re happy to add that we’re ready for bigger projects.

Imaging itself is simply half the job done. In fact it’s just a part of it. We’ve also had to physically tag and inventorise the evidence, maintain chain of custody, and secure the physical evidence with tamper-proof tapes and bags. Once imaged, we have to verify the image for integrity through a hash check and then secure the original evidence under lock and key. The original evidence, in this case, we sent back to the owners, along with the chain of custody documentation.
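The hash check described above, as an added example that is not part of the original post: it recomputes the hashes of a raw image stored as ordered segment files and compares them with the values logged at acquisition. The function names, the `evidence.001`/`evidence.002` file names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream 1 MiB at a time; images are larger than RAM


def hash_image(segments, algorithms):
    """Hash a raw image stored as ordered segment files (e.g. .001, .002)."""
    digests = {name: hashlib.new(name) for name in algorithms}
    size = 0
    for path in segments:
        with open(path, "rb") as fh:  # read-only access to the image
            while chunk := fh.read(CHUNK):
                size += len(chunk)
                for d in digests.values():
                    d.update(chunk)  # one running digest across all segments
    return {n: d.hexdigest() for n, d in digests.items()}, size


def verify_image(segments, logged_hashes, logged_size=None):
    """Recompute hashes and compare with the values logged at acquisition."""
    computed, size = hash_image(segments, list(logged_hashes))
    mismatches = []
    if logged_size is not None and size != logged_size:
        mismatches.append("size")  # truncated or incomplete image
    for name, logged in logged_hashes.items():
        if computed[name] != logged.strip().lower():
            mismatches.append(name)
    return {"verified": not mismatches, "mismatches": mismatches, "size_bytes": size}


def demo():
    """Constructed sample: a 3 MiB 'drive' imaged into two segment files."""
    source = bytes(range(256)) * (3 * CHUNK // 256)
    logged = {n: hashlib.new(n, source).hexdigest() for n in ("md5", "sha256")}
    with tempfile.TemporaryDirectory() as tmp:
        segs = [os.path.join(tmp, "evidence.001"), os.path.join(tmp, "evidence.002")]
        for path, part in zip(segs, (source[:2 * CHUNK], source[2 * CHUNK:])):
            with open(path, "wb") as fh:
                fh.write(part)
        good = verify_image(segs, logged, logged_size=len(source))
        with open(segs[1], "r+b") as fh:  # simulate one corrupted byte
            fh.write(b"\xff")
        bad = verify_image(segs, logged, logged_size=len(source))
    return good, bad


if __name__ == "__main__":
    print(demo())
```

A single changed byte in the second segment is enough to fail both hashes, which is why the digest has to run across all segments in order rather than per file.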

While you might think imaging is relatively simple, it’s tedious. In this case, we had a server where we had to image live, in order not to break the RAID. Live imaging is a pain, because it takes an enormous amount of time to get it done. Sometimes, we face hours of imaging and at the end of it, it says that the disk is corrupted.

But overall, get the documentation right, and make sure the images are secured. These are the images we will run analysis on, so treat them as seriously as primary evidence.

Once this portion is done, we are looking at analysis, which constitutes a whole other chapter. CSI, this is not, I guarantee you. Most of the time, we’re looking for a needle in a barnyard of haystacks. The proverbial smoking gun. Usually we don’t find it, so I don’t quite believe how CSI New York can solve a case in 45 minutes, built on a hair found conveniently trapped within the car door. Which has been burnt and sunk. And scrapped into a million pieces and left in the trash for 20 years. Seriously, Hollywood.

From the hours of bleary eyed reviews of thousands of lines of files and emails and patched up text files, we can use bits and pieces, but it’s usually not as rewarding as our CSI bedfellows.

If you need any more information or services regarding IT forensics or data recovery, do let us know at avantedge@pkfmalaysia.com.
