Zeltser Challenge Update
As previously mentioned, and as part of the Zeltser challenge, I have assigned themes to each day of the week. Sunday’s theme is meant to be a grab bag of sorts, where I may expand upon a previously-discussed topic, offer new content, or anything else that comes to mind. I plan to also use Sundays to post book reviews, hopefully recommending quality content to expand any DFIR investigator’s book collection. My first Sunday grab bag will be just that!
Book Review: Practical Forensic Imaging - Securing Digital Evidence with Linux Tools
For today’s book review, I’m going to look at the recently-released Practical Forensic Imaging by Bruce Nikkel, published by NoStarch. The book also contains a foreword by Eoghan Casey. You can check out more information and/or buy a copy of the book here at NoStarch.
I am a big fan of this book, and found it to contain the right amount of technical content coupled with important concepts and concerns surrounding forensic imaging. Nikkel covers a lot of technical subject matter related to hard disks, disk storage and forensic imaging. Even better, he provides command-line tools and example syntax to gather certain information. As someone who prefers the CLI to perform forensic analysis, I can say without a doubt that my arsenal grew after reading the book.
From an imaging tool perspective, the book goes beyond simple dd. Other acquisition methods are also discussed, such as ewfacquire (part of the libewf toolset), ftkimager (the CLI version), dd variants, and SquashFS. Furthermore, the book does not focus entirely on imaging. Nikkel also explores topics such as different types of storage devices, a brief history of digital forensics that has led to digital forensic standards and other research. While some readers may not enjoy this, I applaud Nikkel for mentioning previous or ongoing research and providing links for further explanation.
The author also, importantly, included a chapter on “Planning and Preparation”. This chapter discusses making an imaging audit trail, reporting, collecting evidence, and other ideas help stay organized. I’d highly recommend that chapter alone for any large-scale imaging effort, especially ones involving multiple team members and physical locations. Admittedly, many of the good ole’ imaging weekends, where we had to acquire hundreds of drives in a small amount of time, are going by the wayside.
I was happy to see that Nikkel also discussed topics such as encryption, write-blocking, and compression. While these topics may seem trivial to an experienced DFIR imager, I cannot stress how important the concepts are for newer DFIR analysts to learn and understand. More importantly, if someone is forced to utilize Linux for imaging — which may draw the out of their GUI-based comfort zone — then having these commands at hand only make the analyst stronger.
- Understand your media. Nikkel constantly makes a point about understanding your media, what you should expect, and what the tools are showing you. He addresses concepts such as DCO and HPA, which investigators should have a grasp on.
- Linux is a fully-capable operating system that has a wealth of built-in tools. If you’re performing hard disk analysis daily or frequently, and aren’t using Linux, this book gives a great introduction of why you should be doing so.
- Understand the differences between various imaging formats, their pros and cons, and decide what works best for your organization. This also includes compression and encryption.
- Imaging is not a one-size-fits-all game. Often times, you will be presented with multiple scenarios and have to get the same result from each. Understanding how to utilize Linux for imaging expands the DFIR analyst’s toolkit, and allows them to deal with even more scenarios. Like me, many analysts may also find ways to make their future imaging efforts go faster.
- Know how to work with other types of disk formats. while virtual machine disks are discussed kn one of the final chapters, they are certainly some of the most popular formats I see on a daily basis. Often times I am provided copies of VMDKs instead of images from a VM. I actually prefer it.
- One of my favorite parts of the book was where Nikkel discussed usage of SquashFS as a forensic container. Using SquashFS is a fantastic way to capture a disk image in Linux, and is going to start becoming one of my go-to formats. In fact, I recently had to image some hard drives from my home, and utilized his SquashFS techniques. I saved a lot of disk space and was able to image a few 2TB drives rather quickly.
- I was also happy to see Nikkel discuss other disk formats, albeit towards the end of the book. In particular, he focuses on virtual disk image formats QEMU, VDI, VMDK, and VHD. QEMU has become one of my primary imaging/conversion/mounting tools over the past few years, and it was good to see it getting good usage. There was also, as expected, reliance on various Metz libraries to to mount other disk types.
- Lastly, I really have to commend Nikkel for the wealth of Linux tools he utilized to explore various aspects of a hard disk and show how to display the information. Many of the tools are already included with major Linux distributions, which if anything furthers the argument that Linux is an excellent operating system for forensic purposes (Note: This is not to say Windows is not a good platform; I’m reflecting on the OS used in the book.)
I’d encourage anyone in DFIR who is imaging regularly or looking to increase their Linux skills to check out a copy of the book. There is no such thing as knowing it all, and despite the petabytes I’ve imaged in my time, I still found value in new tools or approaches presented in the book. Thank you to Bruce Nikkel for his contribution to our DFIR toolkits and to my personal library; this book is going to have quite a few frays and post-it’s sticking out when all is said and done.
Until tomorrow, happy forensicating!