- Introduction
- Hard Disk Drives
- Cloning a PATA or SATA Hard Disk
- Removable Memory
- Summary
- Assessment
- References
Removable Memory
Today, it is rare for an investigator to simply seize a laptop computer and then only analyze that computer’s hard drive. The investigator must also consider the myriad of removable storage devices that are so pervasive today because of the low cost of removable memory. It is important to consider all potential storage when drafting a warrant and when conducting a search; you must understand how these devices are connected to the computer, understand trace evidence, and know the types of files that may be stored on these devices. This is easier said than done, given that removable memory has become smaller and more varied, with more wireless capabilities. This section provides some helpful advice on how to deal with removable memory.
FireWire
FireWire is the Apple version of IEEE 1394, which is a serial bus interface standard for high-speed data transfer. FireWire (see Figure 3.16) provides for higher data transfer speeds than USB wire, with speeds up to 400Mbps (megabits per second). FireWire 400 (1394-1995) can transfer data between devices at speeds ranging from 100, 200, or 400 megabits per second full duplex, and the cable length can measure up to 14.8 feet. FireWire 800 (1394b-2002) can transfer data at rates of 782.432 megabits per second full duplex. Apple, which has been largely responsible for the development of FireWire, has been slowly phasing out this protocol in favor of its Thunderbolt interface. Chapter 11, “Mac Forensics,” details how helpful FireWire can be for acquiring a forensic image from an Apple Mac using an Apple Mac.
FIGURE 3.16 FireWire cables
USB Flash Drives
As noted in Chapter 2, each time a device is connected to a computer, information about that device is recorded in Windows File Registry. Figure 3.17 shows exactly where in the registries USB device connections are recorded.
FIGURE 3.17 Registry Editor
These file registry entries are important in showing a history of what devices were connected to a computer. Every USB device has a serial number that is recorded in the subkey for that USB registry.
Access to files on a USB is not a forgone conclusion, however, because many of these storage devices have utilities built in. For example, Ironkey USB devices use AES 256-bit encryption to protect files on the device. These devices protect the user and enterprise from theft of intellectual property; after a series of unsuccessful attempts to access the device, the device automatically reformats the drive.
The file system found on a USB flash memory device is usually FAT, a file system that most computers recognize, although the device can be formatted to support other file systems.
External Hard Drives
There are generally two types of external hard drives: a USB-powered hard drive and an external drive that uses the USB interface for data transfer but uses an adapter to power the drive. Housed within the casing, an investigator usually finds a Serial ATA hard disk drive. This is important to know because if there is a limited amount of time to acquire evidence or the external hard drive cannot be removed from the premises, then it is probably advisable to remove the hard disk drive from the outer casing. By removing the drive from the casing, a cloning device can be used to make a copy of the external drive. If the hard disk drive is not removed from its casing, then the drive must be imaged using a write-blocker connected to a laptop. The Western Digital external hard disk drive in Figure 3.18 houses a 2.5-inch drive. A mini USB port is used for both power and data transfer to a computer.
FIGURE 3.18 Western Digital (WD) external hard drive
In some cases, a cloning device may not be workable, so an investigator should always bring a write-blocker (including a USB write-blocker). For imaging and validating the drive, an investigator can bring FTK Imager Lite on a USB or perhaps carry Raptor 2.0 on a USB or bootable CD. Imaging a 250GB drive, with verification, using FTK Imager Lite could take just over two hours whereas cloning that same drive could take approximately 40 minutes. When cloning or imaging a hard drive, it is proper protocol to place the source and destination hard drives on an antistatic, rubberized mat to avoid any electromagnetic interference. Hard drives should also be transported in antistatic bags.
External hard drives are mostly used today for backups or as an extension to a computer’s memory. An examiner should be aware that an external hard disk drive could contain any number of file systems, including (Windows) NTFS or (Mac) HFS+. More important, if the external drive is connected to a PC with Windows 7 installed and BitLocker To Go is running, then disconnecting the drive from the computer may encrypt that external drive. In other words, think before you remove any USB device that is connected to a live system. Of course, external drives can also be eSATA or FireWire. Newer drives may also have software installed for backing up the drive, perhaps to a cloud service. It is important to check for all installed software utilities on the suspect’s drive and note that backup software and other data integrity utilities can be present on a separate partition.
MultiMedia Cards (MMCs)
A MultiMedia card is storage memory that was developed by Siemens AG and SanDisk for use in portable devices, like cameras. MMCs are not as popular as they once were because they have largely been replaced by secure digital (SD) cards. An MMC has a standard size of 24mm × 32mm × 1.4mm. MultiMedia cards replaced SmartMedia cards, which Toshiba developed in 1995, and had a storage capacity of 16 MB–128 MB. As you can see in Figure 3.19, a SmartMedia card is very similar in appearance to an SD card.
FIGURE 3.19 SmartMedia card
Secure Digital (SD) Cards
A Secure Digital (SD) card is a file storage device that was developed for use in portable electronics, like cameras. The association that developed SD cards and set the standard for this memory is a joint venture between Matsushita Electrical Industrial Co., Ltd. (Panasonic); SanDisk Corporation; and Toshiba Corporation.
The standard size for an SD card is 24mm wide and 32mm long, with a thickness of 2.1mm (see Figure 3.20). It is possible to find SD cards, which have a capacity of up to 4GB. The standard size is often used in digital cameras, and many laptops come with an SD card slot and reader as standard. More recently, SDHC (Secure Digital High Capacity) cards began to appear in the market, beginning with a capacity of 4GB. SDHC cards can go up to 32GB. Even more recently, 64GB cards began to appear with the emergence of SDXC (Secure Digital eXtended Capacity). Secure Digital cards are formatted with the FAT32 file system.
FIGURE 3.20 Secure Digital card
Note that some SD cards are WiFi enabled with preinstalled utilities. Some of these utilities can automatically send photos to a mobile device, upload files to social media sites, or even add files to a cloud service. Generally, a logo on the SD card indicates that the card is WiFi enabled, but this might not always be the case; the investigator should be cognizant of these wireless capabilities.
If you encounter an SD card during an investigation, it is proper protocol to set the write-protect switch to on, when present on the card, to prevent any data from being written to this memory. Of course, the investigator will use a write-blocker before examining any removable memory, like an SD card.
A miniSD is 20 mm wide and 21.5 mm long. The microSD format was developed by SanDisk. A microSD card can be used in a Standard Digital card reader with the use of an SD adapter. microSD cards are often found in cellular telephones, and therefore they can be a valuable source of evidence. Additionally, many cellphone forensic imaging or cloning devices cannot read the contents of the microSD card, so the card may have to be removed and imaged separately.
CompactFlash (CF) Cards
CompactFlash (see Figure 3.21) is a memory card that was first developed by SanDisk for use in portable electronics, like digital cameras. A CompactFlash (CF) can have two different dimensions: (a) Type I is 43mm × 36mm × 3.3mm, and (b) Type II is 43mm × 36mm × 5mm. CompactFlash cards are not as popular today as Secure Digital cards, but they do have an effective file storage system and can potentially support up to 100GB of memory.
FIGURE 3.21 CompactFlash
Memory Sticks
A Memory Stick (see Figure 3.22) is Sony’s proprietary memory card that was introduced in 1998. Unlike many other flash memory manufacturers, Sony also produces many of the electronic devices that support its memory card. Sony manufactures televisions, laptops, cellular telephones, digital cameras, video recorders, game consoles, MP3 players, and numerous other electronic devices, all of which support additional memory through the use of a Memory Stick. The original Memory Stick was replaced by the Memory Stick PRO in 2003, to enable a greater storage capacity. The PRO series utilizes FAT12, FAT16, and FAT32 file systems. The Memory Stick Duo was a smaller memory card that was developed to fit well into small handheld devices. Other versions of the Memory Stick were developed to increase memory capabilities and to support high-definition video capture.
FIGURE 3.22 Memory Stick
More recently, the Memory Stick XC (Extended High Capacity) series was released by Sony and SanDisk. These memory cards have the potential to store up to 2TB of memory. The XC series uses the exFAT (FAT64) file system. This series have maximum data transfer rates up to 160 Mbps and 480Mbps depending upon the XC model.
The important point for investigators to note is that if a suspect owns Sony products, Memory Sticks could be present in these devices. For example, a Sony television might have a Memory Stick inserted. Moreover, that memory card will probably contain files uploaded from a computer.
xD Picture Cards
Introduced in 2002, xD (Extreme Digital) Picture Cards were developed by Olympus and Fujifilm for digital cameras and some voice recorders. These memory cards have been slowly phased out by Olympus and Fujifilm in favor of the more popular SD cards.
Hardware for Reading Flash Memory
There are a few ways to securely view the contents of flash memory cards. One tool is Digital Intelligence’s UltraBlock Forensic Card Reader and Writer (see Figure 3.23). This device is connected to a computer via the USB port (2.0 or 1.0) and can read the following media:
- CompactFlash
- MicroDrive
- Memory Stick
- Memory Stick PRO
- Smart Media Card
- xD Picture Card
- Secure Digital Card (SD and SDHC)
- MultiMedia Card
FIGURE 3.23 UltraBlock Forensic Card Reader and Writer
A regular memory card reader could be used in addition to a USB write-blocker to ensure that the data is viewed forensically. A write-blocker is a hardware device that allows an individual to read data from a device, like a hard drive, without writing to that device. An investigator could connect a media card reader to Digital Intelligence’s UltraBlock USB Write Blocker, which would be connected to a computer, where the media card’s contents would be viewed or acquired.
Compact Discs
A compact disc (CD), also known as an optical disc, is a polycarbonate plastic disc with one or more metal layers, used to store data digitally. A CD is usually 1.2mm thick and weighs 15–20 grams. Aluminum is generally used for the metallic surface. Data is stored to the disc and read from the disc using a laser. The laser that writes data to a disc reaches a temperature of 500–700 degrees Centigrade. Because the data is stored through a laser, CDs are not vulnerable to electromagnetic charges. The high temperatures used in storing the data cause the metal alloy to liquefy, and the reflective state changes. Lands are the reflective surfaces on a CD burned flat by a laser. Pits are the less reflective surfaces on a CD that have not been burned by a laser. The differences between the reflective and less reflective surfaces can be translated to binary (0s, 1s).
CDs were initially developed by Sony and Philips to store and play audio files. Later the CD-ROM was developed for data storage. A CD-R allows data to be stored once. Because a CD-R can only have data written to it once, handling this type of CD in a forensically sound manner does not require a write-blocker. A CD-RW, on the other hand, allows data to be written multiple times to the disc. Today a standard CD generally has a storage capacity of 700MB.
ISO 9660, introduced in 1988, refers to the standard for optical discs and their file system. ISO 9660 is also called CDFS (Compact Disc File System), and it was created to support different operating systems, like Windows and Mac OS. Other file systems can also be supported by CDs; however, these include Joliet, UDF, HSG, HFS, and HFS+. Joliet allows for longer filenames, which are associated with more recent versions of Windows. Because other file systems can exist on a CD, it is important to remember that a CD used in a Windows computer may show that it is invalid if an HFS+ file system resides on the disk. This means that specialized tools may be required to access the files stored on a CD. IsoBuster, for example, is a data recovery tool for CD, DVD, and Blu-ray. InfinaDyne’s CD/DVD Inspector is a specialized tool for a forensic acquisition of files from CDs and DVDs. It should be noted that an .iso file, which is an image of an optical disk, may be saved on the hard drive of a suspect’s computer or on another storage device.
The International Standardization Organization (ISO) in Geneva, Switzerland, has created this standard to facilitate the use of CDs on Windows, Macintosh, and UNIX computers. Frames consist of 24 bytes and are the smallest unit of memory on a CD-ROM. A sector on a CD-ROM consists of 98 frames (2352 bytes).
Compact Disc–Rewritable (CD-RW)
A CD-RW usually stores less data than a CD (570MB instead of 700MB). A track on a compact disc is a group of sectors that are written to at one time. A session on a compact disc is a group of tracks recorded at the same time. The table of contents (TOC) records the location of the start address, the session number, and track information (music or video) on a compact disc. The TOC is an example of a session, and every session contains a TOC. If the TOC cannot be read by the computer’s CD-ROM drive, then the compact disc will not be recognized. A full erase of a CD-RW deletes all data on a disc. However, a quick erase will only remove all references to tracks and sessions, leaving the land and pits unchanged. Nevertheless, the CD-RW will not be recognized because the sessions have been removed.
CnW Recovery is a tool that claims to recover disc data that has been through the quick erase process. Ultimately, when a quick erase has been performed, it is possible to recover the data on a CD-RW. When a full erase has been executed, the data cannot be recovered.
DVDs
A digital video (or versatile) disc (DVD) is an optical disc with a large storage capacity that was developed by Philips, Sony, Toshiba, and Time Warner. A single-sided DVD generally has a capacity of 4.7GB. Other DVD formats can store more than 17GB of data. Their large storage capacity makes them ideal for storing video files, which are often very large in size. A DVD player uses a red laser (650 nanometers) to read data from a DVD disc.
Blu-ray Discs
A Blu-ray disc (BD) is a high-capacity optical disc that can be used to store high-definition video. A single-layer disc has a storage capacity of 25GB, while dual-layer disc can store 50GB of data. Also available are 3D Blu-ray players and discs. A firmware upgrade available for Sony’s PlayStation 3 facilitates 3D Blu-ray playback as well. The name of this storage media comes from the blue laser (405nm) used to read the disc; this laser enables more data to be stored than the red laser used in DVDs. Standards for these optical discs have been developed and are maintained by the Blu-ray Disc Association (www.blu-raydisc.com).
From a forensics perspective, Blu-ray discs have limited value because both the Blue-ray burner and recordable discs are still prohibitively expensive for the average consumer; a suspect is more likely to store video on a hard drive or burn video files onto a DVD. Nevertheless, there are two different recordable formats. A BD-R disc can be written to once, while a BD-RE can be used for re-recording.
Companies like Digital Forensics Systems produce devices for imaging and analyzing CDs, DVDs, and BDs.
Floppy Disks
A floppy disk is a thin, flexible, plastic computer storage disc that is housed in a rigid plastic rectangular case. Files are stored on the disk magnetically. These disks have historically come in 8-inch (see Figure 3.25), 5¼-inch, and 3½-inch (see Figure 3.26) sizes. Initially, these disks were used to store a computer’s operating system. Subsequently, they were used for general file storage purposes. The 3½-inch disk was introduced in 1987; its storage capacity ranges from 720KB to 1.4MB.
FIGURE 3.25 8-inch floppy disk drive
FIGURE 3.26 3½-inch floppy disk drive
IBM invented the floppy disk drive, which was used to store and read data from floppy disks.
Floppy disks have been largely replaced by flash memory, optical disks, and external hard drives. An investigator who encounters floppy disks during an investigation is more likely to find the PC-compatible 1440KB format. Floppy disks are formatted with the FAT12 file system. All of these disks will only have either one or two clusters.
A forensic image of a floppy disk can be made by using the following Linux command:
# dd if=/dev/fd0 of=/evidence/floppy1.img bs=512
In the previous command, “/dev/fd0” refers to the floppy disk drive. The “bs=512” refers to the block size (bs), which is 512K.
Of course, prior to inserting any disk you should make sure that the disk is set to write-protected. You should then make a bit-for-bit copy of the floppy disk and lock the original disk in an evidence locker away from any potential magnetic interference. To view the files on the disk, you can use the following command:
# ls /dev/fd0
Zip Disks
A zip disk is a removable storage medium that was developed by Iomega in the early 1990s. Zip disks originally came with a 100MB capacity and subsequently increased to 750MB. They were introduced as an alternative to floppy disks, which have a lower storage capacity. A zip drive, where zip disks are loaded, can be either an internal or an external drive. Zip drives and their disks have largely been replaced by CDs and the more popular, smaller, flash memory devices.
Magnetic Tapes
Magnetic tape is a thin plastic strip with a magnetic coating that is used for storing audio, video, and data. Because data is stored magnetically, an investigator must be careful to keep magnetic tapes away from all types of magnetism. Magnetic tapes differ in the way that data is retrieved because they must be read in a linear fashion, from the start of the tape through the end of the tape. This often makes the process of acquiring data from magnetic tape much longer.
The use of audio tapes in investigations has become less important. This is also true of video tapes used in a video cassette recorder (VCR).
Magnetic Tapes (Data Storage)
Forensic imaging and analysis of magnetic tapes (see Figure 3.27) used for data storage on servers is a challenge. Many different proprietary server systems exist, which makes it impossible to have a single solution. An analysis of the physical surface can be conducted using a complicated process known as magnetic force microscopy. This method can be used to uncover wiped or overwritten data.
FIGURE 3.27 Magnetic tape for data storage
Generally, data is recorded to a magnetic tape in blocks. Data at the block level can be accessed using the dd command. In computer investigations, dd is a UNIX command that produces a raw data image of a storage medium, like a hard drive or magnetic tape, in a forensically sound manner. The dd command is written in such a way that the image is copied to a hard drive, which allows for better search capabilities. A magnetic tape has no hierarchical file system because files are stored sequentially or in a tape partition. Partitions on magnetic tapes allow users to group files in “tape directories.” When a sector is only partially used by a file, the remainder of the sector is referred to as memory slack, buffer slack, or RAM slack. Similar to hard disks, file slack can contain remnants of data from previously existing files.