In the previous chapter, we learned that documentation and proper procedures are key in any investigation. These ensure the integrity of the investigation by providing proof of data authenticity and preservation of the original evidence and documentation, which can be used to achieve the same exact results if usage of tools and methods are repeated.
In this chapter, we will demonstrate forensically sound techniques for the acquisition of data using Bitstream copies inclusive of creating data hashes.
The first tool we will use for acquisition is called DC3DD (Department of Defense Cyber Crime Center). DC3DD is a patch of the very popular Data Dump or DD tool, used for forensic acquisition and hashing.
These are the features of Data Dump (DD):
- Bitstream (raw) disk acquisition and cloning
- Copying disk partitions...