Previewing or Imaging

21 Posts
15 Users
0 Reactions
3,699 Views
(@dietro)
Trusted Member
Joined: 20 years ago
Posts: 51
 

If you are in the position of having to export only certain data, as opposed to imaging an entire drive, then I would strongly suggest using a container image. This will preserve the file system metadata for the exported files/folders, and it will preserve the data itself from possible manipulation. Like a disk image, it creates a "snapshot in time" of the data.

However, one issue that is directly related to this topic is that there is no universal "container image" format. EnCase has the .L01, FTK Imager has the .AD1 and X-Ways has their own format (which is IMHO the best of the bunch, but again that's just my opinion!).

The problem is all of these formats are completely proprietary and are limited to being used only with the tool that created them.

With triaging/previewing becoming much more prevalent, and with it, the need to capture "some, but not all" data, there is a distinct need for a cross platform standard for container images.

We're the consumers, we need to demand this from our vendors. If nothing else, how about a conversion tool that allows the various formats to be used on other platforms.


   
ReplyQuote
bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
 

Imaging may be the best method of capturing all the data, but as mentioned, not always practical. In a business dispute involving 50+ computers, it may not be practical (i.e. affordable). With criminal cases, even civil cases, there is not the requirement of proving 100% culpability. The vast majority of investigations stop when there is enough to charge/indict and bring to trial with enough evidence to prove beyond a reasonable doubt. The low-hanging fruit theory is the method of investigation for the most part. Get enough evidence for conviction; nothing more is really needed.

If the evidence resides on a 20TB virtual server, is it reasonable to expect to image it or just extract the relevant data? Or maybe there are 75 desktops with whole disk encryption... should they all be imaged in an encrypted state and decrypted for exam, even if you can extract the evidence needed for the case through a live triage? Factors such as the case importance (the death penalty or a $20K contract dispute) come into play for these decisions.

On the point of how to extract relevant data into a forensic format during triage, FTK Imager is my first choice, as the tool is free; therefore, anyone that is given the data file (.ad1) can not only view the file, but can export any or all of the files for native review. I believe one of the riskiest methods of collection is copying the files from their native state to a native state, whether or not there is a log, or maintaining of metadata, or hashing of files that is conducted. Even WinRAR does a better job of creating some archive from which evidence can be collected (other than an entire drive image) than using any tool that simply copies native files to a destination that will contain a copy of the native files. However, sometimes the client just wants the files copied. In that case, what the client wants, the client gets; otherwise, the client isn't going to pay.

Also, there are several triage software systems available, but with the Windows Forensic Edition (WinFE) boot disk, not only can you image a hard drive, but you can also triage a hard drive and forensically extract evidence files using FTK Imager or another Windows forensic application at no cost of software or equipment other than a CD. Since WinFE is free, and FTK Imager is free, and no hardware write blocker is needed (i.e., free), the only impact is the time of imaging or extracting files onto your destination drive (which is not free).


   
ReplyQuote
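The properties the two posts above ask of a container image (the exported files keep their file system metadata, the data cannot be altered afterwards without detection, and whoever receives the container can verify it without the vendor's tool) can be shown with a small vendor-neutral sketch. This is an added example written for this page, not code from the thread, from EnCase, FTK Imager or X-Ways, and not any real .L01/.AD1 layout; the tar-plus-JSON-manifest design, the file names and the sample data are my own assumptions. It also contrasts the container round trip with the plain "copy native to native" approach bshavers warns about, which loses the original timestamps.

```python
"""Added example (not from the thread or any vendor tool): a minimal
vendor-neutral logical evidence container.  Selected files go into a gzip tar
next to a JSON manifest recording size, timestamps, mode and SHA-256 per file,
plus a hash over the finished container.  Layout and names are assumptions."""
import hashlib
import io
import json
import os
import shutil
import tarfile
import tempfile
import time
from pathlib import Path

HASH_ALG = "sha256"


def hash_file(path, alg=HASH_ALG):
    """Stream the file through hashlib so large evidence files never sit in RAM."""
    h = hashlib.new(alg)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def describe(path, root):
    """Record the metadata a plain copy loses (ctime is kept for the record
    only: no export format can set it again on a restored copy)."""
    st = path.stat()
    return {"path": path.relative_to(root).as_posix(), "size": st.st_size,
            "mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime,
            "mode": st.st_mode, HASH_ALG: hash_file(path)}


def build_container(root, selected, out_path):
    """Pack the selected files (relative to root) plus MANIFEST.json; return
    the manifest extended with the hash of the whole container."""
    root = Path(root)
    entries = [describe(root / rel, root) for rel in selected]
    manifest = {"created": time.time(), "hash_alg": HASH_ALG,
                "source_root": str(root), "entries": entries}
    with tarfile.open(out_path, "w:gz") as tar:
        for e in entries:  # tar itself preserves mtime and mode
            tar.add(str(root / e["path"]), arcname=e["path"])
        blob = json.dumps(manifest, indent=2).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size, info.mtime = len(blob), int(manifest["created"])
        tar.addfile(info, io.BytesIO(blob))
    manifest["container_" + HASH_ALG] = hash_file(out_path)
    return manifest


def compare_to_manifest(manifest, directory):
    """Check an on-disk copy against the manifest; [] means a faithful copy."""
    problems, alg = [], manifest["hash_alg"]
    for e in manifest["entries"]:
        p = Path(directory) / e["path"]
        if not p.exists():
            problems.append(f"missing: {e['path']}")
            continue
        st = p.stat()
        if hash_file(p, alg) != e[alg]:
            problems.append(f"{alg} mismatch: {e['path']}")
        if st.st_size != e["size"]:
            problems.append(f"size mismatch: {e['path']}")
        if int(st.st_mtime) != int(e["mtime"]):
            problems.append(f"mtime changed: {e['path']}")
    return problems


def restore_container(container, dest):
    """Unpack the container and return its manifest.  The 'data' extraction
    filter (newer Pythons) rejects path-traversal entries; older ones fall back."""
    kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(container, "r:gz") as tar:
        manifest = json.load(tar.extractfile("MANIFEST.json"))
        tar.extractall(dest, **kw)
    return manifest


def demo():
    """Constructed sample data: two 'evidence' files given an old mtime."""
    work = Path(tempfile.mkdtemp())
    src = work / "source"
    (src / "logs").mkdir(parents=True)
    (src / "notes.txt").write_text("meeting at 10, bring the drive\n")
    (src / "logs" / "app.log").write_text("2010-03-01 login ok\n")
    for f in (src / "notes.txt", src / "logs" / "app.log"):
        os.utime(f, (1_300_000_000, 1_300_000_000))  # pretend these are old
    container = work / "export.tar.gz"
    manifest = build_container(src, ["notes.txt", "logs/app.log"], container)
    # (1) container round trip: content and mtime come back intact
    restore_container(container, work / "restored")
    ok = compare_to_manifest(manifest, work / "restored")
    # (2) plain copy: content identical, but every mtime now says "today"
    plain = work / "plain"
    (plain / "logs").mkdir(parents=True)
    shutil.copy(src / "notes.txt", plain / "notes.txt")
    shutil.copy(src / "logs" / "app.log", plain / "logs" / "app.log")
    copied = compare_to_manifest(manifest, plain)
    # (3) someone edits the copied file afterwards: the hash catches it
    (plain / "notes.txt").write_text("meeting at 10\n")
    tampered = compare_to_manifest(manifest, plain)
    return {"restored": ok, "plain_copy": copied, "tampered": tampered,
            "container_intact": hash_file(container) == manifest["container_sha256"]}
```

Running demo() gives an empty discrepancy list for the restored container, two "mtime changed" entries for the plain copy, and a sha256/size mismatch on the edited file. The per-item hashes let the receiving side check one file without trusting the rest, and the hash over the container is what you would record in the exhibit notes; anything proprietary about a real .L01 or .AD1 is absent here on purpose.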
(@amicus)
Trusted Member
Joined: 18 years ago
Posts: 32
Topic starter  

Sorry to keep jumping in, but I thought I would explain how the system works here in New Zealand.

Once the LE agency seizes a computer and examines it and decides to produce the evidence in court that it has found, the entire HDD then becomes part of disclosure and must be disclosed to the defence. If the LE agency won't disclose the evidence then it will go before a judge, who can order disclosure.

If the HDD is examined and no evidence is to be adduced during the hearing, then it must be returned to the subject three months after it was seized. If the Police believe that there is data on the drive that the subject should not have but cannot or do not charge them, then they can go to the court to get an order for destruction.

In many cases here in New Zealand, when the LE agency has examined the HDD, a forensic report is never produced; all that is ever known is when the Briefs of Evidence are disclosed. And then all we see is the evidence that supports the charges before the court. No evidence is ever disclosed that may help the subject. This causes problems, as more and more HDDs are having to be examined at great expense to the subjects and the justice system.


   
ReplyQuote
sudha
(@sudha)
Trusted Member
Joined: 16 years ago
Posts: 52
 

For minor cases even I do check the files directly (which of course does not involve the legal team and police!)
But in my opinion the procedure should be followed in order to safeguard the primary evidence (in this case the hard disk). If the evidence is damaged then the team performing forensics is also liable for legal action!


   
ReplyQuote
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
 

Sorry to be such a dummy, but where can I find the Windows Forensic Edition (WinFE) boot disk which bshavers described?


   
ReplyQuote
(@neofito)
Active Member
Joined: 17 years ago
Posts: 18
 

Do it yourself ;)

http://www.twine.com/item/113421dk0-g99/windows-fe
http://forensicsfromthesausagefactory.blogspot.com/2008/07/windows-fe.html
http://forensicsfromthesausagefactory.blogspot.com/2008/08/windows-fe-saves-day-with-dell-inspiron.html

and in Spanish, from my blog:

http://neosysforensics.blogspot.com/2010/03/windows-vista-fe.html


   
ReplyQuote
BCrane
(@bcrane)
New Member
Joined: 15 years ago
Posts: 2
 

Quote: "I have had a recent instance where the LE agency copied data from a drive and burnt it to DVD. This was supplied to the defence as the complete set of files that had been found on the drive. It was of particular relevance as these files were from a surveillance system."

With all due respect to the writer and understanding he only has the defendant's side of the story, the facts as presented are not believed to be accurate. This case occurred in 2008. A computer-based surveillance system was seized by the police and taken to the police forensics lab, not for a forensic analysis, but simply to copy the surveillance footage to a DVD. This was done, through a write blocker. They were asked if any further analysis was required, but they indicated no. A copy of the DVD was provided to the defence as well.

This sort of chore is often done by the forensics lab since they have the necessary equipment. It is also sometimes done by the police photo unit, since they handle many video jobs as well.

When the computer was returned to the subject, the drive was found to be faulty and a computer shop replaced it, not knowing that it was going to be needed for a future hearing. The lawyer and suspect thought the agency had fully examined the drive for evidence and did not know it had not been imaged.

When asked for the image of the subject drive, the defence were informed that the drive was never imaged and the files on the DVD were the only ones available.

Quote: "Of course then the question arose of selective copying by the LE agency, but I won't go into that. No notes were kept by the examining officer and they could not say if these were the only files of interest on the drive."

As indicated, the copy job was done in 2008 and this issue came up in a pre-trial hearing in 2010. Notes were made by the lab at the time (a job sheet) to indicate what was done. As far as is known, the computer was returned to the suspect in 2008, in working order. Since the police had no interest in it as a potential source of evidence of drug lab activities, other than what might have been on the video - evidence of co-conspirators visiting the illegal meth lab, etc., it was not retained. Could the defendant have intentionally damaged the drive, fearing that the police may come back for it and find additional incriminating evidence? Who knows!

Having said that, the question of imaging or not imaging is a valid one and most of those responding to this thread recognize that it's no longer a black and white issue. Given typical backlogs and ever increasing drive capacities, triage-type previews are becoming more and more necessary. In many cases, no image is taken. In cases where charges are likely to be made, based on the computer evidence, images are normally taken, but there are always exceptions. A recent case here involved the seizure of about 15 Terabytes of data. Several hundred Megabytes were determined to be of evidential value and that's all that was copied. Charges were filed and a guilty plea was entered. The original media was retained pending the plea, but imaging all of that would have served no real purpose and would have exhausted all of our available storage space.

I recall the day when normal practice was to image a system, then boot the image to conduct the analysis (I’ve been around awhile). That practice is now the exception because of the capabilities of the tools we use, etc. I predict that imaging will soon be the exception as drives get bigger, we're doing more live and remote acquisitions, coping with encryption, etc.

Just my $0.02.


   
ReplyQuote
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

Thanks for the elaboration there Bill. I've done a few of these cases also where we're called upon by the local police to capture a limited amount of surveillance footage from a DVR because they figure we're the "computer evidence" guys and a DVR is a "computer". In those circumstances I also copied out the relevant footage to a DVD/CD and didn't preserve the whole hard drive. The reason being that in that scenario you are really doing video forensics, and not computer forensics.

There are a couple of very good reasons why you'd only export a small amount of footage rather than image. Firstly, there are quite a few surveillance DVR systems that use a proprietary format for data storage. Secondly, many DVRs match the hard drive to the system and refuse to work on a replaced drive, and in some situations, even a restored original drive. Because of these issues it's common practice to use the device to produce a copy of the specific footage that you need and then you're done.

I can't really see a problem in the procedure carried out by the police agency here after hearing both sides. I seriously doubt the coppers intentionally wrecked the drive and if you're the owner, and a suspect, and you let your computer shop replace your drive and don't keep the original… well as the old drink driving ads used to say back in Australia "you're a bloody idiot".

Also, I know quite a few current and former LEOs in NZ, and all the ones I know subscribe to a code of ethics that requires them to both search for and present exculpatory evidence. The simple fact that a single observer of their work hasn't seen them present exculpatory evidence doesn't mean that they don't do it. In fact, in most cases where a police forensic examiner finds exculpatory evidence, you'll never hear about it because the detective will often close the investigation without pressing any charges once he receives the forensics results report and verifies the information.


   
ReplyQuote
(@amicus)
Trusted Member
Joined: 18 years ago
Posts: 32
Topic starter  

I did not post this question because I wanted to re-litigate the issue. All I was asking was, what the current procedure(s) were and/or what was currently prescribed. I explained the issue/situation and that was to explain what had happened during the investigation.

This issue DID NOT involve a CD/DVD recorder but a computer that had a four channel PCI Video Surveillance card installed with 4 cameras attached.

If the full facts of the case were explained here then you could write a book. Mr Crane has not explained in any detail any further facts, which does cloud the issue.

The true issue with this matter is that by the Police's own admission the video system was running/recording at the time the address was searched, but no AVI files/footage was copied from the drive when the DVD was given to the defence. This is footage of the day the search was conducted. The video system was still recording the following day when it was shut down by the Detective. This has been confirmed in evidence by the Police themselves. I would have expected footage to have been on the drive of the search of the address. Footage was on the drive up to the day before the search and the owner of the computer was not home that night or during the search.

This is purely the issue here. If the computer HDD had been imaged then there would be no issues of selective copying. And as the original drive is no longer available, as it was unusable when it was returned to the defendant, we cannot check anything. There is also the possible issue that the drive had been accessed prior to the file copying being conducted, as the Computer Forensic Technician did not check anything on the drive. No records were kept or notes taken of what they did, although by their own admission also, they checked/skimmed the drive for other evidence.

It is a bit lame to just say we were asked only to copy files from a drive. I feel that where any data is copied from a drive and then presented to the defence or used for any reason, then the drive should be preserved.

Sorry about this going on but I think this is an issue that will crop up even more with the increasing size of drives and examinations being done in preview mode.


   
ReplyQuote
BCrane
(@bcrane)
New Member
Joined: 15 years ago
Posts: 2
 

Mr. Chappell is correct in that I did not go into some of the details because I felt them irrelevant to the issue which is that in this case, no forensic examination was requested or conducted. There were some anomalies in the DVR data that cannot be positively explained and could have resulted from police or defendant activities or system failures. The lab personnel weren't part of the raid so we don't know what did or did not happen. We only did what we did, no more, no less.

In my opinion, the defense was doing what they often do when they can't argue the facts - they try and cloud the issue by questioning procedures, protocols, etc. If the defendant let the original drive get away from him, suspecting or knowing that there was mitigating evidence on it, shame on him. In any case, the DVR didn't put the precursor chemicals and other meth lab paraphernalia at the scene.

FWIW - NZ Police lab personnel are required to disclose all evidence which tends to prove or disprove an allegation. Obviously, when mitigating evidence is found, the case may never get prosecuted so those cases never see the light of day. Moreover, the defense bar knows full well that they have access to all of our findings and we generally have a good relationship with the defense, often taking pains to explain our findings, etc. It's not up to us, however, to do their case for them.

Statistically, very, very few cases here (i.e. none that I'm aware of) have been lost because of questioned forensic analysis.


   
ReplyQuote
Page 2 / 3