
CH3: Acquisition, Chain of Custody, & Forensic Reporting

Chapter Overview

In Chapter 1, we established the legal and ethical framework for digital forensics, emphasizing the fragility of evidence. In Chapter 2, we explored the Threat Landscape, defining the types of cybercrimes and the actors behind them. Now, we move from understanding the crime to the physical practice of securing the evidence.

Chapter 3 covers the "Science of Preservation" and the "Art of Documentation." You will learn how to physically secure evidence so its integrity can never be questioned in court. We will explore the hardware and software tools used to "clone" hard drives without altering a single bit of data. We will also demystify the mathematics of cryptographic hashing—the digital fingerprints that prove our evidence is authentic. Finally, we will address the most critical skill for any investigator: the ability to document your actions in a report that withstands the scrutiny of a legal defense.

Learning Objectives

By the end of this chapter, you will be able to:

  • Define Chain of Custody and explain its critical role in the admissibility of evidence.
  • Differentiate between Hardware and Software Write Blockers, explaining how they prevent data alteration at the command level.
  • Compare Acquisition Types, specifically Physical (Disk-to-Image), Logical (Partition-to-Image), and Targeted (File/Folder) acquisitions.
  • Evaluate Forensic Image Formats, identifying the technical differences between Raw (DD), E01, and AFF4.
  • Operate Standard Acquisition Tools, demonstrating familiarity with FTK Imager and command-line acquisition via dd.
  • Apply Cryptographic Hashing (MD5, SHA1, SHA256) to verify data integrity pre- and post-acquisition.
  • Distinguish between Static and Live acquisition, understanding the volatility of data in each state.
  • Construct a Forensic Report structure that separates facts from expert opinion, utilizing precise forensic terminology.

3.1 The Lifeline of Evidence: Chain of Custody

Before a single cable is connected or a byte of data is copied, the investigator must establish the Chain of Custody. This is not a technical concept, but a procedural one that serves as the backbone of legal admissibility.

Defining the Chain

The Chain of Custody is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence. Ideally, it answers a simple question: "Who touched this evidence, when did they touch it, and why?"

If there is a gap in the chain (for example, a hard drive sits on an undocumented desk for four hours between seizure and the evidence locker), a defense attorney can argue that the evidence could have been tampered with during that window. If the court accepts this argument, the evidence may be excluded outright, or admitted with its weight so diminished that it proves nothing, regardless of what incriminating data it contains.

The "Bag and Tag" Process

In a physical scenario, this involves:

  1. Seizure: The device is taken into possession.
  2. Tagging: An evidence tag is attached, listing the Case Number, Item Number, Description, Date/Time, and the seizing officer's name.
  3. Logging: A Chain of Custody form is initiated. Every time the evidence changes hands (e.g., from the Police Officer to the Forensic Examiner), both parties sign and date the form.

In the digital world, the Chain of Custody extends to our Forensic Images. When we create a copy of a hard drive, that file is treated as evidence. The "Chain" includes the hashing verification logs that prove the file hasn't changed since it was created.


3.2 Write Blocking Technology

Recall Locard's Exchange Principle: every contact leaves a trace. Simply attaching a drive to a running computer is contact, and it leaves traces on the drive. To read the data without altering it, we put Write Blocking technology between the drive and the computer.

How Write Blocking Works

When a computer connects to a storage device (like a USB drive or hard disk), the Operating System (OS) naturally tries to "talk" to it. It mounts the file system, updates access times, and may even create hidden folders (like the System Volume Information folder in Windows).

A Write Blocker sits between the host computer (the investigator's machine) and the suspect drive. It acts as a traffic cop for data commands:

  • Read Commands: Allowed. The investigator can see and copy data from the suspect drive.
  • Write Commands: Blocked. If the OS tries to save a file or update a timestamp on the suspect drive, the Write Blocker intercepts the command and prevents it from reaching the disk.

Hardware vs. Software Write Blockers

Hardware Write Blockers

These are physical bridge devices. The suspect drive plugs into one side (SATA, IDE, USB, and NVMe adapters are common) and the forensic workstation into the other (usually USB 3 or Thunderbolt; older units used FireWire).

  • Mechanism: The bridge's own firmware inspects every command from the host. Read commands (ATA/SCSI READ) are passed through; write commands and other state-changing commands are discarded before they reach the drive, so the host OS can try to write all it likes and nothing arrives at the disk.
  • Reliability: This is the industry standard. It is independent of the Operating System and its updates, which makes it both reliable and easy to defend in court.
  • Visual Indicators: Many hardware blockers have an LED that lights when a blocked write is attempted, so the examiner can see that the host tried to modify the drive.

Software Write Blockers

These are settings or drivers on the investigator's Operating System that suppress write commands.

  • Mechanism: In Windows, this usually means setting the registry value HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect to 1, which makes the storage stack refuse writes to USB mass-storage devices attached afterwards. On Linux, the equivalent is marking the block device read-only with blockdev --setro (or a udev rule that does so on attach) before anything has a chance to mount it.
  • Risks: Software blockers are notoriously prone to failure. An OS update, a policy reset, or simple user error can disable them without warning, and they only govern the OS that enforces them: a different boot environment, a driver that issues raw commands to the device, or a drive attached through an interface the policy does not cover is not protected. The Windows setting above, for example, applies only to USB; a drive on an internal SATA port is still mounted and written to normally.
  • Best Practice: Use software blocking only as a last resort when hardware blocking is impossible, and document that you did so and why.

Validation: Regardless of the type, you must test and validate your write blocker on a known test drive, before each case or on a documented schedule, to prove it is actually functioning: hash the test drive, attach it through the blocker, attempt to write to it, and confirm both that the write fails and that the hash is unchanged afterwards. Record the validation in your notes. NIST's Computer Forensics Tool Testing (CFTT) program publishes independent test results for commercial write blockers, which are useful to cite.


3.3 Acquisition Concepts: Live vs. Dead

Once the drive is protected, the investigator must decide how to acquire the data. This depends on the state of the machine.

Dead (Static) Acquisition

This occurs when the suspect computer is powered off.

  • Process: The hard drive is removed from the laptop or tower, connected to a forensic workstation via a hardware write blocker, and imaged.
  • Pros: It is the safest method. There is zero chance of the suspect machine running a "wipe" script, and the data is perfectly stable.
  • Cons: Everything that lived in RAM (running processes, network connections, decryption keys) is gone, and an encrypted volume such as BitLocker cannot be read unless you hold the key or recovery password.

Live Acquisition

This occurs when the suspect computer is powered on and running.

  • Scenario: You raid an office and find a suspect logged in, with an encrypted volume open. If you pull the plug, the encryption locks, and you may never get back in.
  • Volatility: Live acquisition is dangerous because the data is changing while you copy it. This is called "smearing".
  • Process: You insert a USB stick with trusted forensic tools (your own verified binaries, never the suspect machine's) into the live machine and capture in order of volatility: RAM first, since it changes by the second, then a logical copy of the mounted (decrypted) volume, and only then, if appropriate, a full disk image. Running your tools changes memory too, so record exactly what you ran, from where, and when.

3.4 Acquisition Types

The scope authorized in the warrant, court order, or engagement letter dictates how much data we grab.

1. Physical Acquisition (Disk-to-Image)

This is the "Bit-for-Bit" copy.

  • Scope: It captures the entire physical medium, from Sector 0 to the final sector, including space outside any partition. (Areas the drive's firmware hides, such as a Host Protected Area or Device Configuration Overlay, are not returned by a normal read; the imaging tool has to detect and temporarily remove them first.)
  • Includes: Active files, hidden system files, AND Unallocated Space (deleted data).
  • Use Case: This is the standard for criminal investigations where deleted evidence (like a wiped chat log) might be critical.

2. Logical Acquisition (Partition-to-Image)

This captures only the active file system data.

  • Scope: The tool reads the file system's metadata (the Master File Table on NTFS, for example) and copies every file the OS sees as "active", along with the file system structures themselves.
  • Excludes: It ignores Unallocated Space and deleted files that no longer have a file system reference, so a "wiped" chat log is not recoverable from a logical image.
  • Use Case: Useful for massive server drives (e.g., 20TB) where imaging the empty space is impractical, or in corporate e-discovery where deleted data is out of scope.

3. Targeted Acquisition (Sparse)

This captures specific files or folders.

  • Scope: Only selecting specific artifacts, such as C:\Users\Suspect\Documents or specific email archives.
  • Use Case: Limited legal scope (e.g., a warrant only authorizes searching for specific spreadsheets) or time-sensitive triage.

3.5 Forensic File Formats

When you create an image, you don't just get a pile of loose files. The data is encapsulated in a forensic container format.

Raw / DD (.dd, .001)

Named after the Unix command dd. (The name is often expanded as "data dump" or "disk duplicator", but it actually comes from the "DD" data-definition statement of IBM's JCL, whose syntax the command imitates.) Split raw images are commonly numbered .001, .002, and so on.

  • Structure: A pure bit-stream copy of the data. No headers, no metadata, no compression.
  • Pros: Universal compatibility. Any tool can read it.
  • Cons: No error checking (hashes are stored separately) and no compression (a 1TB drive takes up 1TB of space, even if empty).

E01 / EnCase (.e01)

Developed by Guidance Software (now OpenText), this is the de facto industry standard.

  • Structure: It wraps the raw data in a "shell."
    • Header: Contains case info (Case Number, Examiner Name, Notes, acquisition date).
    • Chunks and CRCs: The bit-stream is cut into chunks of 64 sectors (32 KiB by default), each stored with its own CRC32 checksum. A corrupted byte in the image is therefore not just detectable but localizable to the chunk it fell in, and every other chunk remains verifiable.
    • Hash section: Contains the MD5 (and, in newer versions, SHA1) of the entire acquired stream, computed as it was read.
  • Pros: Supports compression (saving huge amounts of space on drives that are mostly empty) and a password. Note that the password only gates access in tools that honour it; it does not encrypt the data.

AFF4 (Advanced Forensic Format)

  • Structure: An open specification, zip-based container designed for modern, large-capacity drives and for memory images. Besides compression and embedded hashes it can describe sparse or partial acquisitions (a map of which ranges were actually read), which the E01 design cannot.
  • Pros: Faster and more efficient at handling massive images than E01, and not tied to a single vendor; it is the native format of memory-acquisition tools such as Rekall's pmem and of Velociraptor, and most modern suites can read it.
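To make the trade-offs above concrete, here is an added toy container, written for this page and not the real Expert Witness (E01) specification or any vendor's code, that copies the E01 design: the bit-stream is split into 64-sector chunks, each chunk is stored zlib-compressed with its own CRC32, and an MD5 of the whole uncompressed stream is appended as a footer. The sample "drive" is constructed inside the script (two chunks of pseudo-random data followed by empty space), and the sidecar-hash check stands in for a raw image's separately stored hash. Damaging one byte shows the difference: the raw image's hash fails and says nothing about where, while the container flags exactly one chunk and still returns every other chunk intact.

```python
"""Toy E01-style container: 64-sector chunks, per-chunk CRC32, zlib compression,
MD5 footer. Illustrative only, not the real Expert Witness (EWF) format."""
import hashlib
import struct
import zlib

SECTOR = 512
CHUNK = 64 * SECTOR          # 32 KiB, the default EWF chunk size
HDR = struct.Struct("<III")  # per chunk: uncompressed len, compressed len, CRC32


def make_sample_drive(chunks=20, used=2) -> bytes:
    """Constructed stand-in for a small drive: `used` chunks of pseudo-random
    (incompressible) data, the rest zero-filled 'empty' space."""
    blocks = [hashlib.sha256(b"sector-%d" % i).digest()      # 32 bytes each
              for i in range(used * (CHUNK // 32))]
    return b"".join(blocks) + bytes((chunks - used) * CHUNK)


def pack_image(data: bytes) -> bytes:
    """Serialize: [chunk count][(hdr, zlib payload) per chunk][md5 footer]."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    out = [struct.pack("<I", len(chunks))]
    for c in chunks:
        comp = zlib.compress(c)
        out.append(HDR.pack(len(c), len(comp), zlib.crc32(c)))
        out.append(comp)
    out.append(hashlib.md5(data).digest())
    return b"".join(out)


def chunk_table(blob: bytes):
    """Walk the container and return [(payload_offset, ulen, clen, crc), ...]."""
    (n,) = struct.unpack_from("<I", blob, 0)
    off, table = 4, []
    for _ in range(n):
        ulen, clen, crc = HDR.unpack_from(blob, off)
        off += HDR.size
        table.append((off, ulen, clen, crc))
        off += clen
    return table


def verify_image(blob: bytes):
    """Return (data, bad_chunk_indices, footer_md5_ok). A chunk whose CRC fails
    (or whose payload no longer decompresses) is flagged and zero-filled, so
    every other chunk is still usable."""
    table = chunk_table(blob)
    data, bad = bytearray(), []
    for i, (off, ulen, clen, crc) in enumerate(table):
        try:
            chunk = zlib.decompress(blob[off:off + clen])
        except zlib.error:
            chunk = None
        if chunk is None or len(chunk) != ulen or zlib.crc32(chunk) != crc:
            bad.append(i)
            chunk = bytes(ulen)
        data += chunk
    footer_off = table[-1][0] + table[-1][2] if table else 4
    footer = blob[footer_off:footer_off + 16]
    return bytes(data), bad, hashlib.md5(data).digest() == footer


def corrupt_chunk(blob: bytes, index: int) -> bytes:
    """Flip one bit inside the stored payload of chunk `index` (a simulated
    storage fault on the evidence drive)."""
    off, _, clen, _ = chunk_table(blob)[index]
    pos = off + clen // 2
    return blob[:pos] + bytes([blob[pos] ^ 0x01]) + blob[pos + 1:]


def sidecar_hash(raw: bytes) -> str:
    """What a raw/dd acquisition gives you: a hash kept in a separate file."""
    return hashlib.md5(raw).hexdigest()


def raw_image_ok(raw: bytes, recorded_md5: str) -> bool:
    """Raw/dd has no internal structure: the only check is the sidecar hash,
    which can say 'bad' but never 'where'."""
    return hashlib.md5(raw).hexdigest() == recorded_md5


if __name__ == "__main__":
    drive = make_sample_drive()
    e01 = pack_image(drive)
    print(f"raw: {len(drive)} bytes, container: {len(e01)} bytes")
    _, bad, ok = verify_image(corrupt_chunk(e01, 1))
    print("bad chunks:", bad, "footer hash ok:", ok)
```

The footer hash fails in both designs; the difference is that the container also tells you chunk 1 is the damaged one, which is what lets an examiner report "sectors 64 to 127 of the image are unreliable" instead of "the image is bad".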

3.6 Common Acquisition Tools

Just as a carpenter needs a hammer and saw, a forensic investigator relies on specialized software to create these images reliably.

Commercial Suites

In large corporate labs or law enforcement agencies with significant budgets, you will often find these industry leaders:

  • OpenText EnCase: One of the oldest and most widely recognized platforms. It uses a dongle-based licensing system and is famous for creating the E01 format.
  • Magnet AXIOM: Known for its "Artifact First" approach, making it very user-friendly for finding evidence quickly.
  • X-Ways Forensics: A German-engineered tool known for being lightweight (portable), incredibly fast, and precise. It is a favorite among advanced examiners for its "no-nonsense" interface.

Free & Open Source Tools

You do not need a $5,000 license to create a forensic image. In fact, many professionals prefer these free tools for acquisition because they are lightweight and reliable.

Exterro FTK Imager (Windows)

FTK Imager is free to download and is arguably the most common acquisition tool in the world. It is a "Swiss Army Knife" that can image drives, mount images, and capture RAM.

Free download link: https://go.exterro.com/download-ftk-imager-82

The Workflow:

  1. Connect Evidence: Ensure your hardware Write Blocker is active, then connect the suspect drive.
  2. File > Create Disk Image: This launches the acquisition wizard.
  3. Select Source: You will typically select Physical Drive. This ensures you grab the unallocated space (deleted data), not just the active partition.
  4. Select Drive: Choose the drive that corresponds to the suspect device (e.g., \\.\PhysicalDrive1). Note: Be very careful not to select your own C: drive!
  5. Add Destination:
    • Image Type: Select E01 (recommended for compression and verification).
    • Evidence Item Information: Enter the Case Number, Evidence Number, and Examiner Name. These details get baked into the E01 header.
    • Destination Folder: Select a folder on your storage drive (not the suspect drive).
  6. Verify Images: Crucial Step. Always check the box that says "Verify images after they are created." This forces FTK Imager to hash the source drive and the new image file to ensure they match.

dd and dc3dd (Linux/CLI)

For those working in Linux environments (or using a bootable forensic distro like CAINE or PALADIN), the command line offers ultimate control. The original tool is dd, but forensic examiners prefer a forensic variant such as dc3dd (developed at the DoD Cyber Crime Center) or dcfldd.

Why dc3dd? Classic dd gives no feedback while it runs (GNU dd has since gained a status=progress option, but nothing more). If you image a 4TB drive with it, you get a blinking cursor for hours and no record of what happened. dc3dd adds a progress display, on-the-fly hashing of the input (and optionally of the output file as it is written), handling of read errors with zero-fill so the image stays sector-aligned, and a log file listing start and end times, bad sectors, and hash values.

The Workflow:

  1. Identify Drives: Use lsblk -o NAME,SIZE,MODEL,SERIAL or fdisk -l to identify the suspect drive (e.g., /dev/sdb) and your destination, a separate evidence drive mounted somewhere like /mnt/evidence. Match the model and serial number against the evidence tag, and make sure nothing has auto-mounted the suspect drive.
  2. The Command: A typical acquisition command looks like this:

    sudo dc3dd if=/dev/sdb hof=/mnt/evidence/case001.img hash=md5 hash=sha256 log=/mnt/evidence/case001.log

  3. Breaking Down the Syntax:

    • sudo: Run as root (required to read raw hardware).
    • if: Input File. This is your source (the suspect drive). Note that we use /dev/sdb (the whole physical disk) and not /dev/sdb1 (a single partition), so unpartitioned and unallocated space is captured.
    • hof: Hash-verified Output File. Like of=, it is the destination path and filename, but dc3dd also re-hashes the file after writing it and records whether it matches the input hash. Use of= if you only want the input hashed.
    • hash=md5 hash=sha256: Calculate both hashes as the data is read. The option may be given more than once; recording two algorithms costs little and pre-empts the "MD5 is broken" objection.
    • log=...: Saves a text file with the start/end times, any read errors and their sector offsets, and the final hash values for your report.

3.7 Cryptographic Hashing & Integrity

How do we prove to a jury that the image file we analyzed in our lab is identical to the hard drive we seized from the suspect's house six months ago? We use Hashing.

The Digital Fingerprint

A hash algorithm takes an input of any size (a single file or a 4TB drive) and runs it through a mathematical formula to produce a fixed-length string of characters (the hash value).

  • Sensitivity (the "Avalanche Effect"): If you change a single bit of the input (e.g., a comma becomes a period), about half the bits of the hash value change and the result looks unrelated to the original. Note that this is not the same as uniqueness: there are infinitely many inputs and only 2^256 SHA256 values, so collisions exist in principle; the security claim is that nobody can find one.
  • One-Way: You cannot reverse-engineer the original file from the hash.

Common Algorithms

  1. MD5 (Message Digest 5): Produces a 128-bit hash. It is fast, but collisions (two different inputs with the same hash) have been produced in practice since 2004, and an attacker can craft two files that share an MD5. It is still widely used for verification because it remains fast and because no one can produce a second file matching the hash of an existing drive (a preimage), but it should not be the only hash you record.
  2. SHA1 (Secure Hash Algorithm 1): A 160-bit hash. Stronger than MD5, but a practical collision was demonstrated in 2017 (the "SHAttered" PDFs), so it is on the same path.
  3. SHA256: The modern standard, a 256-bit member of the SHA-2 family. No practical attack is known. Best practice is to compute SHA256 alongside MD5 so the image is verifiable by old tools and defensible against new objections.

The Verification Process

  1. Source Hash: As the acquisition tool reads the source drive through the write blocker, it hashes the stream of bytes it reads (FTK Imager and dc3dd do this on the fly; a separate pass with md5sum or sha256sum against the device works too). The write blocker itself does not compute anything; it only stops writes.
  2. Acquisition: The data is written to the image file.
  3. Image Hash: The tool (or the examiner) re-reads the finished image file and hashes it.
  4. Match: If Hash A == Hash B, the image is bit-for-bit identical to what was read from the source. Record both values, the algorithm, the tool and its version in your notes and on the chain-of-custody form; an E01 stores the hashes inside the file as well, but the figure in your notes is what you will be asked to reproduce in court. If the tool reported read errors, the hash covers the zero-filled stream it wrote, not the original drive, so the error log is part of the verification record.
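The dc3dd workflow in 3.6 and the four verification steps above, as an added example written for this page (it is a model of what dc3dd does, not dc3dd's code): the source is read in fixed-size blocks and hashed as it is read, an unreadable block is logged and replaced by zeros the way dd conv=noerror,sync does, the finished image is re-hashed and compared, and the log is rendered in the form it would take in the examiner's notes. The "drive" is a constructed in-memory object that can be told to fail on one block; everything else would work unchanged against an open file on /dev/sdb.

```python
"""Added example: minimal dc3dd-style acquisition with on-the-fly hashing,
zero-fill of unreadable blocks, a log, and post-acquisition verification.
Written for this page; it is not dc3dd."""
import errno
import hashlib
import io
from datetime import datetime, timezone

BLOCK = 4096


class FlakyDisk:
    """Constructed stand-in for a block device such as /dev/sdb: file-like, but
    raises EIO when a read touches block number `bad_block` (None = healthy)."""

    def __init__(self, data: bytes, bad_block=None):
        self._buf = io.BytesIO(data)
        self._bad = bad_block

    def read(self, n: int) -> bytes:
        if self._bad is not None and self._buf.tell() // n == self._bad:
            raise OSError(errno.EIO, "Input/output error")
        return self._buf.read(n)

    def seek(self, pos: int) -> None:
        self._buf.seek(pos)


def acquire(src, dst, block=BLOCK, algos=("md5", "sha256")) -> dict:
    """Copy src to dst block by block, hashing the input stream as it is read.
    Unreadable blocks are logged and replaced by zeros so the image keeps its
    sector alignment (dd conv=noerror,sync). Returns the log as a dict."""
    hashes = {a: hashlib.new(a) for a in algos}
    log = {"start": datetime.now(timezone.utc).isoformat(), "errors": []}
    pos = 0
    while True:
        try:
            chunk = src.read(block)
        except OSError as exc:
            log["errors"].append({"offset": pos, "error": exc.strerror})
            chunk = bytes(block)       # pad the bad block with zeros
            src.seek(pos + block)      # skip past it and keep going
        if not chunk:
            break
        for h in hashes.values():
            h.update(chunk)
        dst.write(chunk)
        pos += len(chunk)
    log["bytes"] = pos
    log["end"] = datetime.now(timezone.utc).isoformat()
    for name, h in hashes.items():
        log[name] = h.hexdigest()
    return log


def hash_stream(fobj, algo: str, block=BLOCK) -> str:
    """Hash a file-like object in fixed-size reads (images are larger than RAM)."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: fobj.read(block), b""):
        h.update(chunk)
    return h.hexdigest()


def verify(log: dict, image, algos=("md5", "sha256")) -> bool:
    """Steps 3 and 4: re-hash the finished image and compare every algorithm
    against the hash computed from the source stream."""
    for algo in algos:
        image.seek(0)
        if hash_stream(image, algo) != log[algo]:
            return False
    return True


def format_log(log: dict) -> str:
    """Render the log the way it would be pasted into contemporaneous notes."""
    lines = [f"started:  {log['start']}", f"finished: {log['end']}",
             f"bytes:    {log['bytes']}"]
    for err in log["errors"]:
        lines.append(f"READ ERROR at offset {err['offset']}: {err['error']} (zero-filled)")
    for algo in ("md5", "sha256"):
        if algo in log:
            lines.append(f"{algo} (input): {log[algo]}")
    return "\n".join(lines)


def sample_evidence(blocks=8) -> bytes:
    """Constructed evidence: deterministic pseudo-random 4 KiB blocks."""
    return b"".join(hashlib.sha256(b"blk%d" % i).digest() * (BLOCK // 32)
                    for i in range(blocks))


def run_acquisition(data: bytes, bad_block=None):
    """Image a FlakyDisk holding `data`; return (log, image bytes, verified?)."""
    img = io.BytesIO()
    log = acquire(FlakyDisk(data, bad_block), img)
    return log, img.getvalue(), verify(log, img)


if __name__ == "__main__":
    log, _, ok = run_acquisition(sample_evidence(), bad_block=3)
    print(format_log(log))
    print("image verifies against source hash:", ok)
```

Notice what the failing-block run proves and what it does not: the image verifies (it matches the stream the tool read), yet its hash differs from that of the healthy drive. Without the READ ERROR line in the log, a later examiner re-hashing the original drive on a good day would get a mismatch and no explanation.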

Fuzzy Hashing (SSDeep)

Standard hashing checks for identical files. But what if a suspect changes one word in a Word document? The MD5 will be totally different, and a hash-set search will never connect the two versions.

  • SSDeep: This tool implements "Context Triggered Piecewise Hashing" (CTPH). A rolling hash over the last few bytes decides where each piece ends, so piece boundaries depend on the content itself rather than on fixed offsets; each piece is then hashed to a single character, and the resulting short signatures are compared with an edit distance to produce a match score from 0 to 100 (e.g., "these two files score 98"). Because a local edit only disturbs the pieces around it, inserting a paragraph at the top of a document does not shift every later piece. This is crucial for finding different versions of the same document, or variants of the same malware family.
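A stripped-down CTPH in the spirit of ssdeep, added here to show the mechanism (this is illustrative code written for this page, not the ssdeep library or its exact algorithm; the block-size rule, the hash functions and the scoring are simplified). The three inputs are constructed inside the script: a "report" of pseudo-random words, the same report with one word added to its first line, and unrelated pseudo-random bytes of similar size.

```python
"""Added example: simplified context-triggered piecewise hashing (CTPH).
Not the ssdeep implementation; same idea, simpler pieces."""
import hashlib

WINDOW = 7        # bytes of context the rolling hash looks at
MAX_PIECES = 64   # ssdeep aims for signatures of at most ~64 characters
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def block_size_for(length: int) -> int:
    """Smallest 3*2^k such that the data yields roughly <= MAX_PIECES pieces."""
    bs = 3
    while bs * MAX_PIECES < length:
        bs *= 2
    return bs


def _trigger(window: bytes) -> int:
    """Context hash: depends only on the last WINDOW bytes, so an edit can only
    move piece boundaries in its immediate neighbourhood."""
    r = 0
    for b in window:
        r = (r * 31 + b) & 0xFFFFFFFF
    return r


def piecewise_hash(data: bytes, bs: int) -> str:
    sig, h, consumed = [], 5381, 0
    for i, b in enumerate(data):
        h = ((h * 33) ^ b) & 0xFFFFFFFF         # djb2-style hash of the current piece
        consumed += 1
        if _trigger(data[max(0, i - WINDOW + 1):i + 1]) % bs == bs - 1:
            sig.append(B64[h & 63])              # close the piece, emit one char
            h, consumed = 5381, 0
    if consumed:
        sig.append(B64[h & 63])                  # flush the trailing piece
    return "".join(sig)


def fuzzy_hash(data: bytes) -> str:
    bs = block_size_for(len(data))
    return f"{bs}:{piecewise_hash(data, bs)}"


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def compare(h1: str, h2: str) -> int:
    """Match score 0-100. Simplification: real ssdeep also compares against the
    doubled block size and requires a common 7-character run before scoring."""
    bs1, s1 = h1.split(":", 1)
    bs2, s2 = h2.split(":", 1)
    if bs1 != bs2:
        return 0
    longest = max(len(s1), len(s2))
    if longest == 0:
        return 100
    return round(100 * (1 - levenshtein(s1, s2) / longest))


WORDS = ["invoice", "ledger", "transfer", "account", "approved", "pending",
         "quarter", "region", "north", "south", "revenue", "expense",
         "audit", "manager", "signed", "balance"]


def sample_documents():
    """Constructed inputs: a report, the report with one word added to line 1,
    and unrelated pseudo-random bytes of similar size."""
    lines = []
    for i in range(36):
        digest = hashlib.sha256(b"line%d" % i).digest()
        lines.append(" ".join(WORDS[b % len(WORDS)] for b in digest[:10]))
    report = "\n".join(lines).encode()
    edited = report.replace(b"\n", b" (revised)\n", 1)
    unrelated = b"".join(hashlib.sha256(b"noise%d" % i).digest()
                         for i in range(len(report) // 32))
    return report, edited, unrelated


if __name__ == "__main__":
    report, edited, unrelated = sample_documents()
    h = fuzzy_hash(report)
    print("report vs edited   :", compare(h, fuzzy_hash(edited)))
    print("report vs unrelated:", compare(h, fuzzy_hash(unrelated)))
    print("md5 differs?       :", hashlib.md5(report).digest() != hashlib.md5(edited).digest())
```

The edit touches one piece (and at most the boundaries beside it), so the two signatures differ in a character or two and score in the 90s, while the MD5s of the same pair share nothing. The unrelated bytes score low because two unrelated signatures are essentially random strings over 64 symbols.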

3.8 The Art of Forensic Documentation

You can be the best technician in the world, but if you cannot write a report, you are useless to the justice system.

Contemporaneous Notes

Forensics is a long process. You must keep a "Running Log" or contemporaneous notes of your actions as they happen, for example:

  • 10:00 AM: Connected Exhibit 001 to Write Blocker.
  • 10:05 AM: Validated Write Blocker with test utility.
  • 10:15 AM: Began physical acquisition to E01 format.

Do not rely on your memory. In court, two years later, these notes are your lifeline.

The Forensic Report Structure

A professional report typically follows this hierarchy:

  1. Executive Summary: A high-level overview for non-technical readers (Lawyers/Management). It summarizes the scope and the key findings ("Evidence of data theft was found").
  2. Methodology: A detailed technical section explaining the tools and processes used. This ensures Reproducibility—another expert should be able to read this and repeat your exact steps to get the same result.
  3. Findings: The facts. "The file 'passwords.txt' was located in the Documents folder."
  4. Conclusion: Your expert opinion based on the facts. "Based on the browser history and file artifacts, it is the opinion of the examiner that the user intentionally downloaded the contraband."

Terminology: Precision is Key

Words matter. Avoid absolute terms unless you are 100% certain.

  • Bad: "The suspect, John Smith, downloaded the file." (You don't know who was sitting at the keyboard).
  • Good: "The user account 'JSmith' was logged in when the file was downloaded."

3.9 Chapter Summary

In this chapter, we explored the mechanics of moving data from a crime scene to the lab. We established that the Chain of Custody is the procedural shield that protects evidence integrity. We learned that Write Blockers (preferably hardware) are the gatekeepers that answer Locard's Exchange Principle by stopping our own contact with the drive from leaving a trace.

We compared acquisition types, noting that Physical (Disk-to-Image) is the gold standard for recovering deleted data, while Logical and Targeted acquisitions have specific uses in larger or limited-scope cases. We examined the containers for this data, specifically the E01 format which adds compression and integrity checks to the raw data.

We then covered the practical side of acquisition, detailing how to use industry-standard tools like FTK Imager for Windows and dc3dd for Linux to securely clone evidence. We validated these clones using Cryptographic Hashes (MD5/SHA256), the mathematical guarantee that our copy matches the original.

Finally, we discussed the Forensic Report, emphasizing that an examiner's true value lies in their ability to document their methodology and findings clearly, accurately, and neutrally.

In the next chapter, we will open up these forensic images and begin the Examination phase, diving deep into file systems, hex editors, and the physical structure of data storage.


3.10 Key Terms Glossary

  • Chain of Custody: The documentation trail that records the sequence of custody, control, transfer, analysis, and disposition of evidence.
  • Write Blocker: A device or software that allows read-only access to a storage medium, preventing accidental modification.
  • Physical Acquisition: A bit-for-bit copy of an entire storage drive, including unallocated space.
  • Logical Acquisition: A copy of the files visible to the file system (active files), usually excluding deleted data/unallocated space.
  • Unallocated Space: The area on a hard drive that is not currently assigned to a file by the file system; often contains deleted data.
  • Forensic Image: A container file (like .E01) that holds the bit-stream copy of the seized device.
  • FTK Imager: A free, industry-standard Windows tool used for data acquisition and verification.
  • dc3dd: An enhanced version of the Linux dd command, optimized for forensics with hashing and logging features.
  • Hash Collision: Two different data sets that produce the same hash value. Collisions exist in principle for every hash function; for MD5 and SHA1 they have been produced deliberately in practice, which is why SHA256 should be recorded alongside them.
  • SSDeep: A "fuzzy hashing" algorithm used to detect similarities between files rather than exact matches.
  • Contemporaneous Notes: Notes taken in real-time as events occur, critical for refreshing memory during testimony.