A digital forensic acquisition is the process of creating a bit-for-bit copy of the data on a storage device in a forensically sound manner. Once a forensic acquisition has been performed, the acquired forensic image needs to be authenticated. Check out my article, “When Electronically Stored Information Cannot Be Self-Authenticated” from Vol. 4 No. 6. We are going to look at two types of forensic acquisitions – a logical acquisition and a physical acquisition.
For our example in this article, the device we need to image is a USB drive. If we are looking for files that have been deleted from the USB drive, which type of forensic acquisition should we perform? It is important to understand the differences between a logical acquisition and a physical acquisition because, depending on the type of data that needs to be acquired, it may be important to attempt one type of acquisition rather than the other.
In the case of a logical acquisition, what we are doing is essentially a copy of the files. You will obtain information similar to what you would obtain if you were to open the thumb drive and copy the files that you can see on it to your computer’s documents folder. Doing that, however, is not by itself forensically sound. If a file on the USB drive has been deleted, that is not a file you will acquire by performing a logical acquisition.
If we need to obtain files which have been deleted from a USB drive, we need the ability to conduct a physical acquisition. A physical acquisition is going to result in a bit-for-bit copy of not only the files that are present on the USB drive but also files that have been deleted and have not yet been overwritten. When we talk about acquiring deleted files, you can think of it best by considering the table of contents at the beginning of a book. When you delete a file, the contents of that file (the contents of the chapter in that book) are not erased (torn out of the book); only the entry (the entry in the table of contents) for that document (chapter) has been removed.
However, because storage devices have a limited amount of space with which to hold data, once an entry for a file has been removed the space that the data of that file is occupying can be used for other data to be stored in the future. When future data needs to be written to the device, the data is written to unallocated space or free space. This includes space that may still hold data, but the data contained in this space has been deleted.
Let’s consider an imaginary device capable of holding only 100 text files. For this example, we will also assume that every text file that will ever be stored on this device is the same size. The device currently has 100 text files on it. If you delete 50 text files, the device tells you that you have space for 50 more text files; however, where did those 50 deleted text files go? The 50 deleted text files are still on the device, but they have been marked as deleted, so the space that the data of those 50 text files once occupied is available for new text files to be written to.
This makes it imperative to perform a forensic acquisition in a timely manner. It is also important for attorneys to submit a preservation notice as soon as practical. If we later need to recover the contents of the 50 text files that were deleted from this device, a logical acquisition will not acquire the deleted text files. Instead, we would need to perform a physical acquisition of the storage device, because the physical acquisition is going to contain not only the 50 text files that are currently on the device but the storage space of the entire device itself (including the unallocated space, which is where those 50 deleted text files went). In the event that no new information has been written to the device, it is likely that the 50 deleted text files can be recovered.
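The table-of-contents analogy, worked through in code as an added example that is not part of the original article: a constructed toy drive with a directory and fixed-size data blocks, a logical acquisition that sees only listed files, a physical acquisition that images every block and hashes the image for later authentication, and a simple header-based carve that recovers a deleted file until new data reuses its block. The `TXT:` header, block geometry and file names are all assumptions made for the demonstration.

```python
import hashlib

BLOCK, NBLOCKS = 16, 8  # constructed toy geometry: 8 blocks of 16 bytes

class ToyDevice:
    """Constructed toy drive: a directory (the 'table of contents') plus data blocks."""

    def __init__(self):
        self.blocks = [bytearray(BLOCK) for _ in range(NBLOCKS)]
        self.directory = {}  # file name -> block index; only live files are listed

    def write(self, name, data):
        # New data goes to the first unallocated block, even if it still holds deleted content.
        used = set(self.directory.values())
        i = next(i for i in range(NBLOCKS) if i not in used)
        self.blocks[i][:] = data.ljust(BLOCK, b"\x00")[:BLOCK]
        self.directory[name] = i

    def delete(self, name):
        # Deleting removes only the directory entry; the block's bytes stay where they are.
        del self.directory[name]

def logical_acquisition(dev):
    """Copies only the files the directory still lists, as a plain file copy would."""
    return {n: bytes(dev.blocks[i]).rstrip(b"\x00") for n, i in dev.directory.items()}

def physical_acquisition(dev):
    """Bit-for-bit image of every block, allocated or not, with a SHA-256 for authentication."""
    image = b"".join(bytes(b) for b in dev.blocks)
    return image, hashlib.sha256(image).hexdigest()

def carve(image, marker=b"TXT:"):
    """Recovers file content from the raw image by its header, without using the directory."""
    chunks = [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]
    return [c.rstrip(b"\x00") for c in chunks if c.startswith(marker)]

def demo():
    dev = ToyDevice()
    dev.write("a.txt", b"TXT:alpha")
    dev.write("b.txt", b"TXT:bravo")
    dev.delete("b.txt")
    logical = logical_acquisition(dev)            # b.txt is absent here
    image, digest = physical_acquisition(dev)
    carved_before = carve(image)                  # b.txt's content is still on the device
    dev.write("c.txt", b"TXT:charlie")            # new data reuses b.txt's old block
    carved_after = carve(physical_acquisition(dev)[0])  # b.txt is now unrecoverable
    return logical, carved_before, carved_after, digest
```

Running `demo()` shows the deleted file missing from the logical copy, present in the physical image until the block is reused, and a digest that can be recomputed later to show the image is unchanged.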
The reality of this process is more complicated with real-world devices that store real-world data. Our computers and phones constantly receive data. Because of the volume of data that is written to our computers and phones, recovering certain deleted files becomes more difficult. It is prudent to consult with a computer forensics expert to decide the best way to recover the needed data.
Michael Zinn