So far this week, we've talked about data and data structures, and how to make sense out of the data. In this lecture, we're going to talk about data acquisition and how to actually verify the data once we've acquired it: basically, how digital forensic investigators collect the information from the suspect system and how they make sure that it's an exact representation of the suspect device. There are some considerations that digital forensic investigators need to think about before, during and after their acquisition. First off, how do we preserve the best possible copy of the data? Whatever data you're trying to copy, think about how we can actually preserve the best possible copy. By best possible copy, I mean a copy that is exactly the same in this case. We want a copy that has the smallest amount of changes if possible, and especially a copy where we can say that any evidence we might derive from that data later has definitely not been modified in any way. So think about how we can preserve the best possible copy of the data. Next, how can we preserve all of the data? In many situations, we might not actually be able to acquire all of the data from a suspect system because of some technology limitation or the way that things work. So think about the data that you're trying to collect. How do we make sure we can preserve all of it? Or if we can't preserve all of it, why not? What is the issue that stops us from preserving all of this data? How can we also make sure that the data that has been acquired is correct? In this case, correct also means exactly the same as the suspect data or the original data that we're copying from. And how can we ensure the acquired data can be verified by a third party?
Especially for digital forensic investigations, everything we do, or at least almost everything we do, should be able to be verified by a third party to confirm that our processes and our findings are actually correct. So one of the biggest tasks of a digital forensic investigator is device acquisition or data acquisition. We have to identify where the data is actually located. We've talked about data locations a little bit before. And we need to make sure that we acquire the data keeping all of the prior considerations in mind. So the main point out of all of this is: don't change data. We want to collect data without modifying the original, and ensure that our copy is exactly the same if possible. We must be able to show that we have not altered the data from its original state. And if the data is altered, we must be able to explain and justify the action that we did that modified the data, and prove that any submitted evidence has not been modified. So for any information that we collect from this data, we have to be able to prove that it was never modified, or that the chance of it being modified is extremely, extremely low. And we'll talk about how to do that in a second. So one of the biggest things that we use to ensure that we are not modifying data in digital forensics is something called a write blocker. A write blocker can either be a physical device or a piece of software that you install on your computer. And the idea of the write blocker is exactly like it sounds. Whenever you connect, for example, a suspect's hard drive to a write blocker and the write blocker to your computer, your forensic workstation, then your forensic workstation is prevented, physically prevented, from writing any data to the suspect hard drive. You can still read all of the data off of the hard drive, but you cannot write any data to the hard drive.
And this way we can make sure that our computer doesn't accidentally write any information to the suspect disk, so we can basically get an unmodified copy every single time. So a write blocker is a hardware or software component that prevents your computer from changing any data on the suspect's hard drive. Our goal is that we do not want to modify the original data in any way if we can. So the original has not been modified and our copy is exactly the same. This is what we need to be able to prove in the investigation. So, device acquisition. First off, think about what you want to acquire. The data source or the type of data that you want to acquire will tell you how you need to approach the acquisition process. What we will cover this week is post-mortem digital forensic acquisition, which means the suspect's computer is off, the hard drive has been taken out, and we are accessing the hard drive directly. There are other ways to collect data which we'll talk about in later lessons. So consider what data you need to collect for the investigation. Is it a hard drive? If it's a hard drive, is there any encryption on that hard drive that makes it more difficult for you to access the data? We'll talk more about encryption later. RAM: do you have the correct tools to acquire RAM on the device that you're trying to investigate? And what other types of device could it be? For example, we might have a PC, and a PC and a Mac are actually quite a bit different in how you would go about collecting data from these devices. It might be a mobile device. There are lots of different types of mobile devices now, tablets, et cetera, and all of them have different ways that you would collect information from them. Or even think about newer devices like drones. Drones also have some data storage. Maybe we need to get a video off of a drone. How would we actually collect data from that drone?
So the most common scenario that we work with in digital forensics is hard drive acquisition from a computer that's off. We actually take the hard drive out of the suspect's computer and we image the drive directly: remove it from the PC and connect it directly to the investigator's workstation via a write blocker. Remember, you always want to try to use a write blocker as long as you can. And RAM, I just have a note: it's collected on scene. The computer essentially has to be on for you to collect random access memory. We normally do this on scene during first response, and we'll talk about RAM and RAM acquisition in later lectures. So when acquiring data, once the required data has been identified, we actually know where the data is and what we expect to find whenever we're looking there. We need to copy it in something called a forensically sound way, which means we need to use a proper procedure to be able to collect this data. There are many different digital forensic tools available that will help us collect this data in a forensically sound way, and we'll talk about several of them this week. Saving data: normally the acquired data is saved into a file called a forensic disk image. So we might have a suspect's hard drive and we copy all of that data bit for bit into a file that contains exactly the same data as the hard drive. Now, as long as we don't use compression, the file size will be exactly the same as the size of the physical disk. So these physical disk images tend to get very big. If we have a one terabyte hard drive, we will have a one terabyte forensic disk image. Because we're saving it as a file, it's a little bit easier to work with, and we can use things like compression to save space whenever we're not working with it. The forensic disk image without compression will be as big as the hard drive, and sometimes investigators clone hard drives rather than making a file.
So if they have one suspect hard drive, they might copy all of the data onto another hard drive and work with that hard drive copy, although digital forensic disk images tend to be much, much more common. Once we've collected the data into a file, we need a way to compare that the data I've copied from and the file I've copied to are exactly the same. We have to be able to prove that they're exactly the same for the court to be able to accept it. So once the data has been acquired, we need to ensure that the copy is exactly the same as the original, and to do this we use cryptographic hashing. A cryptographic hash is an algorithm that inputs data and outputs a unique number based on the input. If you have the same input, you will always get the same output. So you will always generate the same number as long as the ones and zeros are exactly the same. For digital forensics, the most common hashing algorithms that we use are MD5, SHA1 and SHA256. A lot of other hashing algorithms exist, and there are a few other ways that we can verify that the data is the same, but the most common way is MD5 hashing or SHA1 hashing to generate a unique identifier for the data. So the process is: before we acquire a suspect disk, we take the suspect disk out of the suspect's computer, we connect the suspect disk to a write blocker, and we connect the write blocker to our forensic workstation. Once we can access the disk, but we can't write to it, then we create a hash value for all of the data that's on the suspect disk already. We then get this unique identifier number and we save it somewhere, okay?
Once we have that identifying number, then we can acquire a physical disk image of the disk that's connected and save that physical disk image as a file on our computer. Then we make a hash of the original suspect disk again, and a hash of the image file that we've created. So at the end, you have three hashes: the original suspect hash, the new suspect hash, and the digital forensic image hash. All of those hashes should be the same. If they're all the same, then you've proven that all of the data is exactly the same. So your copy is exactly the same as the original, and you haven't modified the original data while you were imaging. We will actually practice that today. I will have links in the forums and an assignment about disk imaging, disk acquisition, and hashing the data. Thank you.
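The three-hash procedure just described, as an added example that is not part of the lecture or any course tool: a Python script that hashes a "suspect disk" before imaging, makes a bit-for-bit raw image, hashes the original again and the image, and then flips one bit in the image to show how a mismatch shows up. The suspect disk is a constructed file of random bytes standing in for a block device behind a write blocker; the file names and function names are my own assumptions.

```python
"""Added example (not from the lecture): post-mortem acquisition with the
three-hash check. The 'suspect disk' is a plain file standing in for a device."""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads: hashes a terabyte image without loading it in RAM

def hash_stream(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest} for the whole file, read chunk by chunk."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def image_disk(source, image):
    """Bit-for-bit copy of source into an uncompressed raw image file."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)

def acquire_and_verify(source, image):
    """Hash the original, image it, hash the original again, hash the image."""
    pre = hash_stream(source)    # original suspect hash, recorded before imaging
    image_disk(source, image)    # acquisition
    post = hash_stream(source)   # new suspect hash: did imaging touch the original?
    img = hash_stream(image)     # forensic image hash
    return {"pre": pre, "post": post, "image": img,
            "original_unmodified": pre == post,
            "verified": pre == post == img}

def run_demo(size=2 * CHUNK + 123):
    """Constructed run: random sample 'disk', the acquisition, then one flipped bit
    in the image so the image hash stops matching while the original's does not."""
    work = tempfile.mkdtemp()
    disk, img = os.path.join(work, "suspect.raw"), os.path.join(work, "suspect.dd")
    with open(disk, "wb") as fh:
        fh.write(os.urandom(size))
    report = acquire_and_verify(disk, img)
    with open(img, "r+b") as fh:               # simulate an altered image
        fh.seek(size // 2); byte = fh.read(1)[0]
        fh.seek(size // 2); fh.write(bytes([byte ^ 0x01]))
    return report, hash_stream(img), hash_stream(disk)

if __name__ == "__main__":
    rep, tampered, disk_after = run_demo()
    print("verified:", rep["verified"], "| tampered image matches:", tampered == rep["image"])
```

On a real acquisition the source path would be the device node exposed through the write blocker, and all three hash sets would go into the case notes so a third party can recompute them and confirm the result.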