Paper (KW3CompForen) - Information Systems
Instructions attached. I have attached chapter 3 from the book and the template.
Forensic Tool Selection (KW3CompForen)
Overview
Your supervisor has asked you to research current forensic acquisition tools and to compile a list of recommended tools for the new forensics lab.
Instructions
1. Research current forensic acquisition tools listed in Chapter 3, using the Strayer University Library and/or the Internet.
2. Populate the Forensic Acquisition Tool Template [XLSX] with information about the forensic acquisition tools you researched.
   · Be sure to populate all columns in the template.
· In a separate two-page written report, recommend two tools for use in a forensics lab.
   · Be sure to justify your recommendations.
· Integrate into the assignment at least three quality professional and/or academic resources, written within the past five years.
   · Note: Wikipedia and similar websites do not qualify as quality resources.
Note: Be sure to submit the Forensic Acquisition Tool Template and your written report.
Formatting
This course requires the use of Strayer Writing Standards. For assistance and information, please refer to the Strayer Writing Standards link in the left-hand menu of your course. Check with your professor for any additional instructions. Note the following:
· The preferred method is for your written report to be typed, double-spaced, using Times New Roman font (size 12), with one-inch margins on all sides.
· Include a cover page containing the assignment title, your name, your professor's name, the course title, and the date. The cover page is not included in the required page length.
· Include a source list page. Citations and references must follow SWS format. The source list page is not included in the required page length.
Learning Outcomes
The specific course learning outcome associated with this assignment is:
· Recommend acquisition tools for a forensics lab.
Chapter 3: Data Acquisition
After reading this chapter and completing the exercises, you will
be able to:
• List digital evidence storage formats
• Explain ways to determine the best acquisition method
• Describe contingency planning for data acquisitions
• Explain how to use acquisition tools
• Describe how to validate data acquisitions
• Describe RAID acquisition methods
• Explain how to use remote network acquisition tools
• List other forensics tools available for data acquisitions
Data acquisition is the process of copying data. For digital forensics, it’s the task
of collecting digital evidence from electronic media. There are two types of data
acquisition: static acquisitions and live acquisitions. In this chapter, you learn how to
perform static acquisitions from magnetic disk media and flash drives. In Chapter 12,
you learn how to forensically acquire digital evidence from solid-state devices,
typically found in smartphones and tablets.
Because of the use of whole disk encryption, data acquisitions are shifting toward
live acquisitions with newer operating systems (OSs). In addition to encryption
concerns, collecting any data that’s active in a suspect’s computer RAM is becoming
more important to digital investigations. Techniques for acquiring live disk and
RAM data are covered in Chapter 10. The processes and data integrity requirements
for static and live acquisitions are similar, in that static acquisitions capture data
that’s not accessed by other processes that can change. With live acquisitions, file
metadata, such as date and time values, changes when read by an acquisition tool.
With static acquisitions, if you have preserved the original media, making a second
static acquisition should produce the same results. The data on the original disk
isn’t altered, no matter how many times an acquisition is done. Making a second
live acquisition while a computer is running collects new data because of dynamic
changes in the OS.
Your goal when acquiring data for a static acquisition is to preserve the digital
evidence. Many times, you have only one chance to create a reliable copy of disk
evidence with a data acquisition tool. Although these tools are generally dependable,
you should still take steps to make sure you acquire an image that can be verified. In
addition, failures can and do occur, so you should learn how to use several acquisition
tools and methods; you work with a few different tools in this chapter. Other data
acquisition tools that work in Windows, MS-DOS 6.22, and Linux are described briefly
in the last section, but the list of vendors and methods is by no means conclusive.
You should always search for newer and better tools to ensure the integrity of your
forensics acquisitions.
Note
For additional information on older acquisition methods and tools, see Appendix D. You can
perform most digital evidence acquisitions for your investigations with a combination of the
tools discussed in this chapter.
Understanding Storage Formats for Digital Evidence
The data a forensics acquisition tool collects is stored as an image file, typically
in an open-source or proprietary format. Each vendor has unique features, so
several different proprietary formats are available. Depending on the proprietary
format, many forensics analysis tools can read other vendors’ formatted acquisitions.
Many acquisition tools create a disk-to-image file in an older open-source format,
known as raw, as well as their own proprietary formats. The new open-source
format, Advanced Forensic Format (AFF), is gaining recognition from some
forensics examiners.
Each data acquisition format has unique features along with advantages and
disadvantages. The following sections summarize each format to help you choose
which one to use.
Raw Format
In the past, there was only one practical way of copying data for the purpose of
evidence preservation and examination. Examiners performed a bit-by-bit copy from
one disk to another disk the same size or larger. As a practical way to preserve digital
evidence, vendors (and some OS utilities, such as the Linux/UNIX dd command)
made it possible to write bit-stream data to files. This copy technique creates simple
sequential flat files of a suspect drive or data set. The output of these flat files is
referred to as a raw format. This format has unique advantages and disadvantages to
consider when selecting an acquisition format.
The advantages of the raw format are fast data transfers and the capability to
ignore minor data read errors on the source drive. In addition, most forensics tools
can read the raw format, making it a universal acquisition format for most tools. One
disadvantage of the raw format is that it requires as much storage space as the original
disk or data set. Another disadvantage is that some raw format tools, typically freeware
versions, might not collect marginal (bad) sectors on the source drive, meaning they
have a low threshold of retry reads on weak media spots on a drive. Many commercial
tools have a much higher threshold of retry reads to ensure that all data is collected.
Several commercial acquisition tools can produce raw format acquisitions and
typically perform a validation check by using Cyclic Redundancy Check (CRC32), Message
Digest 5 (MD5), and Secure Hash Algorithm (SHA-1 or later) hashing functions. These
validation checks, however, usually create a separate file containing the hash value.
Proprietary Formats
Most commercial forensics tools have their own formats for collecting digital evidence.
Proprietary formats typically offer several features that complement the vendor’s
analysis tool, such as the following:
• The option to compress or not compress image files of a suspect drive, thus
saving space on the target drive
• The capability to split an image into smaller segmented files for archiving purposes,
such as to CDs or DVDs, with data integrity checks integrated into each segment
• The capability to integrate metadata into the image file, such as date and time
of the acquisition, hash value (for self-authentication) of the original disk or
medium, investigator or examiner name, and comments or case details
Note
For additional information on digital evidence handling and documenting, see ISO/IEC 27037:
2012, www.iso.org/iso/catalogue_detail?csnumber=44381. Downloading ISO documents requires
paying a fee, so you might check with a college or public library about getting a copy.
One major disadvantage of proprietary format acquisitions is the inability to share
an image between different vendors’ computer forensics analysis tools. For example,
the ILookIX imaging tool IXImager (www.perlustro.com/solutions/e-forensics/iximager)
produces three proprietary formats—IDIF, IRBF, and IEIF—that can be read only by
ILookIX (see www.perlustro.com for additional information on ILookIX).
Another problem with proprietary and raw formats is a file size limitation for
each segmented volume. Typically, proprietary format tools produce a segmented
file of 650 MB. The file size can be adjusted up or down, with a maximum file size
per segment of no more than 2 GB. Most proprietary format tools go up to only 2 GB
because many examiners use target drives formatted as FAT, which has a file size
limit of 2 GB.
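An added example (not from the textbook or any vendor's tool) of the raw-format behaviour described in this section and under Raw Format: a flat image written as size-capped segments, with the hash values kept in a separate file, then re-verified segment by segment. The `.001` numbering, the `.hashes.json` sidecar name and the 64 KiB segment size standing in for 650 MB are assumptions made for the illustration.

```python
import hashlib
import json
import os
import tempfile

FAT_LIMIT = 2 * 1024**3   # 2 GB per-file ceiling the text cites for FAT targets
BLOCK = 64 * 1024         # bytes read per I/O call


def acquire_segmented(source, out_dir, base, segment_size):
    """Copy source into base.001, base.002, ... and write a separate hash file."""
    if not 0 < segment_size <= FAT_LIMIT:
        raise ValueError("segment size must be between 1 byte and 2 GB")
    md5, sha1 = hashlib.md5(), hashlib.sha1()   # whole-image digests
    segments, index = [], 0
    with open(source, "rb") as src:
        while True:
            index += 1
            name = f"{base}.{index:03d}"
            path = os.path.join(out_dir, name)
            seg_sha1, written = hashlib.sha1(), 0
            with open(path, "wb") as seg:
                while written < segment_size:
                    block = src.read(min(BLOCK, segment_size - written))
                    if not block:
                        break
                    seg.write(block)
                    for h in (md5, sha1, seg_sha1):
                        h.update(block)
                    written += len(block)
            if written == 0:              # source ended exactly on a boundary
                os.remove(path)
                break
            segments.append({"name": name, "size": written,
                             "sha1": seg_sha1.hexdigest()})
            if written < segment_size:    # short segment means end of source
                break
    sidecar = {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
               "segments": segments}
    with open(os.path.join(out_dir, base + ".hashes.json"), "w") as f:
        json.dump(sidecar, f, indent=2)
    return sidecar


def verify_segmented(out_dir, base):
    """Re-read the segments in order and compare against the hash file."""
    with open(os.path.join(out_dir, base + ".hashes.json")) as f:
        sidecar = json.load(f)
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    bad = []
    for seg in sidecar["segments"]:
        seg_sha1 = hashlib.sha1()
        try:
            with open(os.path.join(out_dir, seg["name"]), "rb") as f:
                for block in iter(lambda: f.read(BLOCK), b""):
                    for h in (md5, sha1, seg_sha1):
                        h.update(block)
        except FileNotFoundError:         # a missing segment breaks the image
            bad.append(seg["name"])
            continue
        if seg_sha1.hexdigest() != seg["sha1"]:
            bad.append(seg["name"])
    image_ok = (md5.hexdigest(), sha1.hexdigest()) == (sidecar["md5"],
                                                       sidecar["sha1"])
    return {"image_ok": image_ok, "bad_segments": bad}


def demo():
    """Acquire a constructed 150 KiB source, verify it, then damage segment 2."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect.bin")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 600)      # constructed sample data
        sidecar = acquire_segmented(source, work, "evidence", 64 * 1024)
        clean = verify_segmented(work, "evidence")
        with open(os.path.join(work, "evidence.002"), "r+b") as f:
            f.seek(10)
            f.write(b"\xff")                      # simulate one damaged byte
        tampered = verify_segmented(work, "evidence")
    return {"segments": [s["name"] for s in sidecar["segments"]],
            "sidecar_md5": sidecar["md5"],
            "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The per-segment digests are what let the verifier name the damaged file instead of only reporting that the whole image no longer matches.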
Of all the proprietary formats for image acquisitions, the Expert Witness
Compression format is currently the unofficial standard. This format, the default for
Guidance Software EnCase, produces both compressed and uncompressed image files.
These files (or volumes) write an extension starting with .e01 and increment it for each
additional segmented image volume.
Several forensics analysis tools can generate generic versions of the Expert Witness
Compression format and analyze it, including X-Ways Forensics, AccessData Forensic
Toolkit (FTK), Belkasoft, and SMART. For more information on the Expert Witness
Compression format, see http://asrdata.com/E01-format.html.
Advanced Forensic Format
Dr. Simson L. Garfinkel developed an open-source acquisition format called Advanced
Forensic Format (AFF). This format has the following design goals:
• Capable of producing compressed or uncompressed image files
• No size restriction for disk-to-image files
• Space in the image file or segmented files for metadata
• Simple design with extensibility
• Open source for multiple computing platforms and OSs
• Internal consistency checks for self-authentication
File extensions include .afd for segmented image files and .afm for AFF metadata.
Because AFF is open source, digital forensics vendors have no implementation
restrictions on this format. For more information on AFF, see www.afflib.sourceforge.net
and www.basistech.com/wp-content/uploads/datasheets/Digital-Forensics-Toolsets-EN.pdf.
Note
Forensics examiners have several ways of referring to copying evidence data to files: bit-stream
copy, bit-stream image, image, mirror, and sector copy, to name a few. For the purposes of this
book, “image” is generally used to refer to all forensics acquisitions saved to a data file.
Determining the Best Acquisition Method
As mentioned, there are two types of acquisitions: static acquisitions and live
acquisitions. Typically, a static acquisition is done on a computer seized during a police
raid, for example. If the computer has an encrypted drive, a live acquisition is done if
the password or passphrase is available—meaning the computer is powered on and has
been logged on to by the suspect. Static acquisitions are always the preferred way to
collect digital evidence. However, they do have limitations in some situations, such as
an encrypted drive that’s readable only when the computer is powered on or a computer
that’s accessible only over a network. Some solutions can help decrypt a drive that has
been encrypted with whole disk encryption, such as Elcomsoft Forensic Disk Decryptor
(www.elcomsoft.com/efdd.html).
Note
In Chapter 11, you learn how to perform live acquisitions, including data collection of digital
media and dynamic/volatile memory (RAM) on a computing system.
For both types of acquisitions, data can be collected with four methods: creating
a disk-to-image file, creating a disk-to-disk copy, creating a logical disk-to-disk or
disk-to-data file, or creating a sparse copy of a folder or file. Determining the best
acquisition method depends on the circumstances of the investigation.
Note
See ISO/IEC 27037: 2012 (section 5.4.4 Acquisition and section 6.5 Use reasonable care) for
additional discussions on when to perform sparse acquisitions.
Creating a disk-to-image file is the most common method and offers the most
flexibility for your investigation. With this method, you can make one or many copies
of a suspect drive. These copies are bit-for-bit replications of the original drive. In
addition, you can use many commercial forensics tools to read the most common
types of disk-to-image files you create. These programs read the disk-to-image file as
though it were the original disk. Older MS-DOS tools can only read data from a drive.
To use MS-DOS tools, you have to duplicate the original drive to perform the analysis.
GUI programs save time and disk resources because they can read and interpret directly
from the disk-to-image file of a copied drive.
Tip
For more information on forensics acquisition file formats, see www.sleuthkit.org/informer,
issues #19 and #23.
Sometimes you can’t make a disk-to-image file because of hardware or software
errors or incompatibilities. This problem is more common when you have to acquire
older drives. For these drives, you might have to create a disk-to-disk copy of the
suspect drive. Several imaging tools can copy data exactly from an older disk to a
newer disk. These programs can adjust the target disk’s geometry (its cylinder, head,
and track configuration) so that the copied data matches the original suspect drive.
These imaging tools include EnCase and X-Ways Forensics. See the vendors’ manuals
for instructions on using these tools for disk-to-disk copying.
Tip
For more information on current and older drives, see www.t13.org.
Collecting evidence from a large drive can take several hours. If your time is
limited, consider using a logical acquisition or sparse acquisition data copy method.
A logical acquisition captures only specific files of interest to the case or specific types
of files. A sparse acquisition is similar but also collects fragments of unallocated
(deleted) data; use this method only when you don’t need to examine the entire drive.
An example of a logical acquisition is an e-mail investigation that requires collecting
only Outlook .pst or .ost files. Another example is collecting only specific records
from a large RAID server. If you have to recover data from a RAID or storage area
network (SAN) server with several exabytes (EB) or more of data storage, the logical
method might be the only way you can acquire the evidence. In e-discovery for the
purpose of litigation, a logical acquisition is becoming the preferred method, especially
with large data storage systems.
To determine which acquisition method to use for an investigation, consider the
size of the source (suspect) disk, whether you can retain the source disk as evidence or
must return it to the owner, how much time you have to perform the acquisition, and
where the evidence is located.
If the source disk is very large, such as 4 terabytes (TB) or more, make sure you
have a target disk that can store a disk-to-image file of the large disk. If you don’t have
a target disk of comparable size, review alternatives for reducing the size of data to
create a verifiable copy of the suspect drive. Older Microsoft disk compression tools,
such as DoubleSpace or DriveSpace, eliminate only slack disk space between files.
Other compression methods use an algorithm to reduce file size. Popular archiving
tools, such as PKZip, WinZip, and WinRAR, use an algorithm referred to as “lossless
compression.” Compression algorithms for graphics files use what’s called “lossy
compression,” which can change data. For example, lossy compression is used with
.jpeg files to reduce file size and doesn’t affect image quality when the file is restored
and viewed. Because lossy compression alters original data, however, it isn’t used
for forensics acquisitions. Both compression methods are discussed in more detail
in Chapter 8.
Most imaging tools have an option to use lossless compression to save disk
space, which means the target drive doesn’t have to be as large as the suspect drive.
For example, if you’re examining a 3 TB SATA drive, you might be able to use lossless
compression to create the disk-to-image file on a 2 TB target drive. Image files can be
reduced by as much as 50% of the original. If the suspect drive already contains several
zip files, however, the imaging tool can’t compress them any further. This is because
zip files have already been compressed, so any additional compression results in very
little size reduction. For additional information on lossless compression, see
www.data-compression.com/lossless.shtml or www.cise.ufl.edu/~sahni/papers/encycloimage.pdf.
An easy way to test lossless compression is to perform an MD5 or SHA-1 hash on a
file before and after it’s compressed. If the compression is done correctly, both versions
have the same hash value. If the hashes don’t match, that means something corrupted
the compressed file, such as a hardware or software error. As an added precaution,
perform two separate hashes with different algorithms, such as MD5 and SHA-1. This
step isn’t mandatory; however, it’s a good way to establish that nothing has changed
during data processing.
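The before-and-after hash test described above, as an added example (not code from the textbook): it compresses a constructed sample image with gzip, restores it, and compares MD5 and SHA-1 digests, and it also shows why data that is already compressed barely shrinks. The file names, the choice of gzip and the helper names are assumptions made for the illustration.

```python
import gzip
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20   # 1 MiB reads so a large image never has to fit in memory


def hash_file(path):
    """Return MD5 and SHA-1 hex digests of a file, computed in one pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def compress_image(src, dst_gz):
    """Losslessly compress src into a gzip file."""
    with open(src, "rb") as fin, gzip.open(dst_gz, "wb") as fout:
        shutil.copyfileobj(fin, fout, CHUNK)


def restore_image(src_gz, dst):
    """Decompress a gzip file back to a flat image."""
    with gzip.open(src_gz, "rb") as fin, open(dst, "wb") as fout:
        shutil.copyfileobj(fin, fout, CHUNK)


def roundtrip_report(image, workdir):
    """Hash the image, compress and restore it, then hash the restored copy."""
    gz = os.path.join(workdir, os.path.basename(image) + ".gz")
    restored = os.path.join(workdir, os.path.basename(image) + ".restored")
    before = hash_file(image)
    compress_image(image, gz)
    restore_image(gz, restored)
    after = hash_file(restored)
    return {"before": before, "after": after,
            "verified": before == after,
            "ratio": os.path.getsize(gz) / os.path.getsize(image),
            "restored_path": restored}


def demo():
    """Run the check on two constructed samples and on a damaged copy."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        # Constructed sample 1: repetitive records plus zero-filled space.
        sparse = os.path.join(work, "sparse.dd")
        with open(sparse, "wb") as f:
            f.write(b"FILE0 constructed record\n" * 2048 + bytes(200_000))
        # Constructed sample 2: random bytes standing in for zip-file content.
        packed = os.path.join(work, "packed.dd")
        with open(packed, "wb") as f:
            f.write(os.urandom(256 * 1024))

        for name, path in (("sparse", sparse), ("packed", packed)):
            results[name] = roundtrip_report(path, work)

        # Simulate a hardware or software error: flip one byte in the
        # restored copy and hash it again with both algorithms.
        damaged = results["sparse"]["restored_path"]
        with open(damaged, "r+b") as f:
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0xFF]))
        after = hash_file(damaged)
        results["damaged"] = {"before": results["sparse"]["before"],
                              "after": after,
                              "verified": results["sparse"]["before"] == after}
        for entry in results.values():
            entry.pop("restored_path", None)   # temp paths vanish on exit
    return results


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```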
If you can’t retain the original evidence drive and must return it to the owner, as
in a discovery demand for a civil litigation case, check with the requester (your lawyer
or supervisor, for example), and ask whether a logical acquisition is acceptable. If not,
you have to refer the matter back to the requester. When performing an acquisition
under these conditions, make sure you have a good copy because most discovery
demands give you only one chance to capture data. In addition, make sure you have a
reliable forensics tool that you know how to use.
Contingency Planning for Image Acquisitions
Because you’re working with digital evidence, you must take precautions to protect
it from loss. You should also make contingency plans in case software or hardware
doesn’t work or you encounter a failure during an acquisition. The most common and
time-consuming technique for preserving evidence is creating a duplicate of your
disk-to-image file. Many digital investigators don’t make duplicates of their evidence
because they don’t have enough time or resources to make a second image. However,
if the first copy doesn’t work correctly, having a duplicate is worth the effort and
resources. Be sure you take steps to minimize the risk of failure in your investigation.
As a standard practice, make at least two images of the digital evidence you
collect. If you have more than one imaging tool, such as FTK Imager Lite and X-Ways
Forensics, make the first copy with one tool and the second copy with the other tool.
Different acquisition tools use different methods to copy data, and one tool might, for
example, make more attempts to copy corrupted areas of a drive. So using more than
one tool can be helpful in making sure data has been copied correctly.
If you have only one tool, however, consider making two images of the drive with
the same tool, especially for critical investigations. With many tools, you can make one
copy with no compression and compress the other copy. Remember that Murphy’s Law
applies to digital forensics, too: If anything can go wrong, it will.
Some acquisition tools don’t copy data in the host protected area (HPA) of a disk
drive. Check the vendor’s documentation to see whether its tool can copy a drive’s HPA.
If not, consider using a hardware acquisition tool that can access the drive at the BIOS
level, such as Belkasoft or ILookIX IXImager, with a write-blocker, Image MASSter Solo,
or X-Ways Replica. These tools can read a disk’s HPA.
Microsoft has added whole disk encryption with BitLocker to its newer
operating systems, such as Windows Vista, 7, 8, and 10, which makes performing
static acquisitions more difficult. (Several other third-party whole disk encryption
tools are available, and you should be familiar with as many as possible.) As part of
contingency planning, you must be prepared to deal with encrypted drives. A static
acquisition on most whole disk-encrypted drives currently involves decrypting the
drives, which requires the user’s cooperation in providing the decryption key. Most
whole disk encryption tools at least have a manual process for decrypting data, which
is converting the encrypted disk to an unencrypted disk. This process can take several
hours, depending on the disk size. One good thing about encryption is that data isn’t
altered, in that free and slack space aren’t changed. The biggest concern with whole
disk encryption is getting the decryption key—that is, the password or code used
to access encrypted data. If you can recover the whole disk key with tools such as
Elcomsoft Forensic Disk Decryptor, mentioned previously, you need to learn how to
use it to decrypt the drive. In criminal investigations, this might be impossible because
if a disk contains evidence supporting the crime, a suspect has a strong motivation not
to supply the decryption key.
Note
Researchers at Princeton University have produced a technique to recover passwords and
passphrases from RAM; for more information, see
www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf or
https://jhalderm.com/pub/papers/coldboot-cacm09.pdf.
Using Acquisition Tools
Many forensics software vendors have developed acquisition tools that run in
Windows. These tools make acquiring evidence from a suspect drive more convenient,
especially when you use them with hot-swappable devices, such as USB-3, FireWire
1394A and 1394B, or SATA, to connect disks to your workstation.
Using acquisition tools with current OSs, such as Windows and Linux, has some
drawbacks, however. Because Windows and Linux can easily contaminate an evidence
drive when it’s mounted, you must protect it with a well-tested write-blocking
hardware device. The automatic mounting process updates boot files by changing
metadata, such as the most recent access time. (Chapter 6 discusses write-blocking
devices in more detail.) In addition, some countries haven’t yet accepted the use
of write-blocking devices for data acquisitions. Check with your legal counsel for
evidence standards in your community or country.
Note
Although many digital forensics vendors have improved their acquisition tools, some older
Windows and Linux tools (such as the dd or dcfldd commands) can’t acquire data from a
disk’s HPA.
Mini-WinFE Boot CDs and USB Drives
Accessing a disk drive directly might not be practical for a forensics acquisition. For
example, a laptop’s design could make removing the disk drive to mount it on a
write-blocker difficult, or you might not have the right connector for a drive. In these
situations, a forensic boot CD/DVD or USB drive gives you a way to acquire data from a
suspect computer and write-protect the disk drive. These forensic boot discs or drives
can be Windows or Linux.
One forensically sound Windows boot utility is Mini-WinFE. It enables you to build
a Windows forensic boot CD/DVD or USB drive with a modification in its Windows
Registry file so that connected drives are mounted as read-only. Before booting a
suspect’s computer with Mini-WinFE, you need to connect your target drive, such as a
USB drive. After Mini-WinFE is booted, you can list all connected drives and alter your
target USB drive to read-write mode so that you can run an acquisition program.
To create your own Mini-WinFE boot CD or USB drive, review the documentation
and download the software from the following Web sites:
• For an overview of WinFE, see http://brettshavers.cc/index.php/brettsblog/tags/tag/winfe.
For the latest information and instructions, review the Downloads and
Using WinFE menus.
• For download instructions on Mini-WinFE, see
http://brettshavers.cc/index.php/brettsblog/entry/mini-winfe-and-xwf.
• Another download site for Mini-WinFE is http://reboot.pro/files/file/375-mini-winfe.
• For complete instructions on Mini-WinFE, see www.forensicfocus.com/downloads/WinFE.pdf.
In addition, you need a Windows installation DVD (version 8 or later) and FTK
Imager Lite or X-Ways Forensics installed on your workstation. Follow the instructions
in the preceding Web sites to create the Mini-WinFE ISO file and then burn it to
CD or transfer it to a USB drive. If you want to use a USB drive, you need a tool to
transfer an ISO image to a USB drive. A freeware tool called ISO to USB is available
at www.isotousb.com.
Acquiring Data with a Linux Boot CD
The Linux OS has many features that are applicable to digital forensics, especially data
acquisitions. One unique feature of older Linux versions is that it can access a drive
that isn’t mounted. Physical access for the purpose of reading data can be done on a
connected media device, such as a disk drive, a USB drive, or other storage devices.
In Windows OSs and newer Linux kernels, when you connect a drive via USB, FireWire,
external SATA, or even internal PATA or SATA controllers, both OSs automatically
mount and access the drive. On Windows drives, an acquisition workstation can access
and alter data in the Recycle Bin; on Linux drives, the workstation most likely alters
metadata, such as mount point configurations for an Ext3 or later drive. If you need to
acquire a USB drive that doesn’t have a write-lock switch, use one of the forensic Linux
Live CDs (discussed in the next section) to access the device.
Caution
Use caution when working with newer Linux distributions with KDE or Gnome GUIs. Many
newer distributions mount most media devices automatically. If you’re using a nonforensic
Linux distribution, you should test it before using it on actual evidence to see how it handles
attached storage devices. If in doubt, always use a physical write-blocker for an acquisition
from Linux.
Using Linux Live CD Distributions
Several Linux distributions, such as Ubuntu, openSUSE, Arch Linux, Fedora, and
Slackware, provide ISO images that can be burned to a CD or DVD. They’re called
“Linux Live CDs.” Most of these Linux distributions are for Linux OS recovery, not for
digital forensics acquisition and analysis. For a list of the most current Linux Live CDs,
see https://livecdlist.com/.
A few Linux ISO images are designed specifically for digital forensics, however.
These images contain additional utilities that aren’t typically installed in normal
Linux distributions. They’re also configured not to mount, or to mount as read-only,
any connected storage media, such as USB drives. This feature protects the media’s
integrity for the purpose of acquiring and analyzing data. To access media, you have
to give specific instructions to the Live CD boot session through a GUI utility or a shell
command prompt. Mounting drives from a shell gives you more control over them. See
the man page for the mount command (by typing man mount at the shell prompt) to
learn what options are available for your Linux distribution.
Tip
The man command displays pages from the online help manual for information on Linux
commands and their options.
Linux can read data from a physical device without having to mount it. As a usual
practice, don’t mount a suspect media device as a precaution against any writes to it.
Later in this section, you learn how to make a forensics acquisition in Linux without
mounting the device.
The following are some well-designed Linux Live CDs for digital forensics:
• Penguin Sleuth Kit (www.linux-forensics.com or
https://sourceforge.net/projects/psk/?source=directory)
• CAINE (www.caine-live.net)
• Deft (www.deftlinux.net)
• Kali Linux (www.kali.org), previously known as BackTrack
(www.backtrack-linux.org/wiki/index.php/Forensics_Boot)
• Knoppix (www.knopper.net/knoppix/index-en.html)
• SANS Investigate Forensic Toolkit (SIFT;
http://computer-forensics.sans.org/community/downloads)
You can download these ISO images to any computer, including a Windows
system, and then burn them to CD/DVD with burner software, such as Roxio or Nero.
Creating a bootable image from an ISO file is different from copying data or music files
to a CD or DVD. If you aren’t familiar with how to do it, see the Help menu in your
burner software for instructions on creating a bootable CD or DVD. For example, Roxio
Creator Classic and Nero Express have a Bootable CD or DVD option. An alternative
is using a USB drive instead of a CD or DVD. For this option, you need a tool such as
ISO to USB, mentioned previously (or another tool for transferring an ISO image to a
USB drive).
…
Forensic Acquisition Tool Info
Vendor Name | Name of Acquisition Tool | Raw Format | Validation Methods | Description of Tool
*** In-Text Citations and References using Harvard style.
*** In Task section I’ve chose (Economic issues in overseas contracting)"
Electromagnetism
w or quality improvement; it was just all part of good nursing care. The goal for quality improvement is to monitor patient outcomes using statistics for comparison to standards of care for different diseases
e a 1 to 2 slide Microsoft PowerPoint presentation on the different models of case management. Include speaker notes... .....Describe three different models of case management.
visual representations of information. They can include numbers
SSAY
ame workbook for all 3 milestones. You do not need to download a new copy for Milestones 2 or 3. When you submit Milestone 3
pages):
Provide a description of an existing intervention in Canada
making the appropriate buying decisions in an ethical and professional manner.
Topic: Purchasing and Technology
You read about blockchain ledger technology. Now do some additional research out on the Internet and share your URL with the rest of the class
be aware of which features their competitors are opting to include so the product development teams can design similar or enhanced features to attract more of the market. The more unique
low (The Top Health Industry Trends to Watch in 2015) to assist you with this discussion.
https://youtu.be/fRym_jyuBc0
Next year the $2.8 trillion U.S. healthcare industry will finally begin to look and feel more like the rest of the business wo
evidence-based primary care curriculum. Throughout your nurse practitioner program
Vignette
Understanding Gender Fluidity
Providing Inclusive Quality Care
Affirming Clinical Encounters
Conclusion
References
Nurse Practitioner Knowledge
Mechanics
and word limit is unit as a guide only.
The assessment may be re-attempted on two further occasions (maximum three attempts in total). All assessments must be resubmitted 3 days within receiving your unsatisfactory grade. You must clearly indicate “Re-su
Trigonometry
Article writing
Other
5. June 29
After the components sending to the manufacturing house
1. In 1972 the Furman v. Georgia case resulted in a decision that would put action into motion. Furman was originally sentenced to death because of a murder he committed in Georgia but the court debated whether or not this was a violation of his 8th amend
One of the first conflicts that would need to be investigated would be whether the human service professional followed the responsibility to client ethical standard. While developing a relationship with client it is important to clarify that if danger or
Ethical behavior is a critical topic in the workplace because the impact of it can make or break a business
No matter which type of health care organization
With a direct sale
During the pandemic
Computers are being used to monitor the spread of outbreaks in different areas of the world and with this record
3. Furman v. Georgia is a U.S Supreme Court case that resolves around the Eighth Amendments ban on cruel and unsual punishment in death penalty cases. The Furman v. Georgia case was based on Furman being convicted of murder in Georgia. Furman was caught i
One major ethical conflict that may arise in my investigation is the Responsibility to Client in both Standard 3 and Standard 4 of the Ethical Standards for Human Service Professionals (2015). Making sure we do not disclose information without consent ev
4. Identify two examples of real world problems that you have observed in your personal
Summary & Evaluation: Reference & 188. Academic Search Ultimate
Ethics
We can mention at least one example of how the violation of ethical standards can be prevented. Many organizations promote ethical self-regulation by creating moral codes to help direct their business activities
*DDB is used for the first three years
For example
The inbound logistics for William Instrument refer to purchase components from various electronic firms. During the purchase process William need to consider the quality and price of the components. In this case
4. A U.S. Supreme Court case known as Furman v. Georgia (1972) is a landmark case that involved Eighth Amendment’s ban of unusual and cruel punishment in death penalty cases (Furman v. Georgia (1972)
With covid coming into place
In my opinion
with
Not necessarily all home buyers are the same! When you choose to work with we buy ugly houses Baltimore & nationwide USA
The ability to view ourselves from an unbiased perspective allows us to critically assess our personal strengths and weaknesses. This is an important step in the process of finding the right resources for our personal learning style. Ego and pride can be
· By Day 1 of this week
While you must form your answers to the questions below from our assigned reading material
CliftonLarsonAllen LLP (2013)
5 The family dynamic is awkward at first since the most outgoing and straight forward person in the family in Linda
Urien
The most important benefit of my statistical analysis would be the accuracy with which I interpret the data. The greatest obstacle
From a similar but larger point of view
4 In order to get the entire family to come back for another session I would suggest coming in on a day the restaurant is not open
When seeking to identify a patient’s health condition
After viewing the you tube videos on prayer
Your paper must be at least two pages in length (not counting the title and reference pages)
The word assimilate is negative to me. I believe everyone should learn about a country that they are going to live in. It doesnt mean that they have to believe that everything in America is better than where they came from. It means that they care enough
Data collection
Single Subject Chris is a social worker in a geriatric case management program located in a midsize Northeastern town. She has an MSW and is part of a team of case managers that likes to continuously improve on its practice. The team is currently using an
I would start off with Linda on repeating her options for the child and going over what she is feeling with each option. I would want to find out what she is afraid of. I would avoid asking her any “why” questions because I want her to be in the here an
Summarize the advantages and disadvantages of using an Internet site as means of collecting data for psychological research (Comp 2.1) 25.0\% Summarization of the advantages and disadvantages of using an Internet site as means of collecting data for psych
Identify the type of research used in a chosen study
Compose a 1
Optics
effect relationship becomes more difficult—as the researcher cannot enact total control of another person even in an experimental environment. Social workers serve clients in highly complex real-world environments. Clients often implement recommended inte
I think knowing more about you will allow you to be able to choose the right resources
Be 4 pages in length
soft MB-920 dumps review and documentation and high-quality listing pdf MB-920 braindumps also recommended and approved by Microsoft experts. The practical test
g
One thing you will need to do in college is learn how to find and use references. References support your ideas. College-level work must be supported by research. You are expected to do that for this paper. You will research
Elaborate on any potential confounds or ethical concerns while participating in the psychological study 20.0\% Elaboration on any potential confounds or ethical concerns while participating in the psychological study is missing. Elaboration on any potenti
3 The first thing I would do in the family’s first session is develop a genogram of the family to get an idea of all the individuals who play a major role in Linda’s life. After establishing where each member is in relation to the family
A Health in All Policies approach
Note: The requirements outlined below correspond to the grading criteria in the scoring guide. At a minimum
Chen
Read Connecting Communities and Complexity: A Case Study in Creating the Conditions for Transformational Change
Read Reflections on Cultural Humility
Read A Basic Guide to ABCD Community Organizing
Use the bolded black section and sub-section titles below to organize your paper. For each section
Losinski forwarded the article on a priority basis to Mary Scott
Losinksi wanted details on use of the ED at CGH. He asked the administrative resident