Data acquisition from electronic evidence

The first principle when examining electronic evidence is to keep the data held on a storage medium unchanged. For embedded systems this principle is harder to honour than it looks at first sight. Once exhibits have been seized, an exact sector-level duplicate (a "forensic duplicate") of the media is created, usually through a write-blocking device, in a process referred to as imaging or acquisition. The duplicate is created with a hard-drive duplicator or with software imaging tools such as DCFLdd, IXimager, Guymager, TrueBack, EnCase, FTK Imager or FDAS. The original drive is then returned to secure storage to prevent tampering.

The acquired image is verified by computing its SHA-1 or MD5 hash and comparing it with the hash of the original media. At critical points throughout the analysis the media is hashed again (a step simply referred to as "hashing") to confirm that the evidence is still in its original state.
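As an added illustration of the acquisition-time record and the later re-verification described above (example code, not part of the original article), the routine below hashes an image sector stream once for both MD5 and SHA-1, stores the digests, and re-checks them after a single byte in one sector has been altered; the image contents, the 512-byte sector size and the record format are constructed assumptions.

```python
import hashlib
import io
import os
import tempfile

ALGORITHMS = ("md5", "sha1")   # the two functions named on the page
CHUNK = 1024 * 1024            # read 1 MiB at a time so large images never sit in memory
SECTOR = 512                   # assumed sector size for the constructed image

def hash_stream(stream, algorithms=ALGORITHMS):
    """Read a binary stream once, feeding every chunk to all requested digests."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data (used for known-answer checks)."""
    return hash_stream(io.BytesIO(data), algorithms)

def hash_image(path, algorithms=ALGORITHMS):
    """Hash an image file on disk; the result is the acquisition-time record."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)

def verify_image(path, acquisition_record):
    """Re-hash the image and compare with the record taken at acquisition.
    Returns (all_match, names_of_algorithms_whose_digest_differs)."""
    current = hash_image(path, tuple(acquisition_record))
    differing = [n for n in acquisition_record if current[n] != acquisition_record[n]]
    return (not differing, differing)

def demo():
    """Constructed 8-sector image: verify, alter one byte in sector 5, verify again."""
    image = bytes(range(256)) * 16          # 4096 bytes = 8 sectors of 512 bytes
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(image)
        record = hash_image(path)           # record written at acquisition time
        before = verify_image(path, record)
        with open(path, "r+b") as f:        # simulate one changed byte (e.g. wear leveling)
            f.seek(5 * SECTOR)
            f.write(b"\xff")
        after = verify_image(path, record)
    finally:
        os.remove(path)
    return {"untouched": before[0], "altered": after[0], "differing": after[1]}

if __name__ == "__main__":
    print(demo())
```

A single altered byte anywhere in the image flips both digests, which is exactly why the record is taken immediately after imaging and rechecked at every later checkpoint.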

Issues such as network connections are similar to those in the open-systems world, although it may be harder to detect that an embedded system is connected to other systems. For flash memory, wear leveling can cause unpredictable data changes: switching mobile phones off and on has been shown to alter stored data through wear-leveling and/or garbage-collection algorithms.

More research is needed on this topic, but for now the general rule is to keep the number of power cycles as low as possible. There are three possible data acquisition approaches for obtaining a full copy of flash memory data: flasher tools, a method using the JTAG test access port of the embedded device, and finally the most invasive method, in which the flash chip is physically removed and read with an external reader.
