Understand Linux Standard Tools
Forensic investigators use the built-in Linux command dd to copy data from a disk drive. This command can create a bit-stream disk-to-disk copy or a disk-to-image file, and it can copy any disk data that Linux can mount and access. Forensic tools such as AccessData FTK and ILook can read dd image files.
In Linux, the advantage of the dd command is that it does not depend on any additional computer resources. The dd command can create images of disks with ext2, ext3, FAT12, FAT16, FAT32, UNIX, NTFS, HPFS and HFS filesystems, and it also helps investigators retrieve digital evidence and copy it to any media that the Linux OS can access.
Acquiring Data on Linux: dd Command
The syntax for the dd command is as follows:
dd if=<source> of=<target> bs=<byte size> skip=<blocks> seek=<blocks> conv=<conversion>
The byte size is usually a power of 2 and not less than 512 bytes (i.e., 512, 1024, 2048, 4096, 8192).
- source: from where to read the data
- target: where to write the data
- skip: number of blocks to skip at the start of the input
- seek: number of blocks to skip at the start of the output
- conv: conversion options
An investigator may use the following commands for the respective tasks:
- To make a full physical backup of a hard disk, use the dd if=/dev/hda of=/dev/case5img1 command
- To copy one hard disk partition to another hard disk, use the dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror command
- To make an image of a CD, use the dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc command
- To copy a floppy disk, use the dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc command
- To restore a disk partition from an image file, use the dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror command
- To copy RAM memory to a file, use the dd if=/dev/mem of=/home/sam/mem.bin bs=1024 command
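The following script is an added example, not part of the original article: it runs the dd options explained above (if, of, bs, skip, seek, conv=notrunc and conv=noerror,sync) against a constructed file that stands in for /dev/sda, then verifies the result with a hash the way an examiner checks an acquisition. It also shows the one caveat a practitioner needs about conv=sync: when the device size is not a multiple of bs, the short final block is padded with NULs and the image hash no longer matches the source.

```shell
#!/bin/sh
# Added example (not from the original article). "$DISK" is a constructed stand-in for
# /dev/sda; no real device is touched. Layout: 33 sectors of 512 bytes, each labelled.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
DISK="$WORK/suspect.disk"
i=0; while [ "$i" -lt 33 ]; do printf '%-512s' "sector $i" >> "$DISK"; i=$((i + 1)); done

hash_of() {   # sha256 of a file: sha256sum on GNU systems, shasum elsewhere
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Physical image of the whole "disk". conv=noerror keeps reading past errors; conv=sync
# pads every short input block with NULs to bs bytes so later offsets are not shifted
# (noerror alone would silently drop the bad block). Prints the image size in bytes.
image_disk() {   # $1 = block size, $2 = output image
    dd if="$DISK" of="$2" bs="$1" conv=noerror,sync 2>/dev/null
    wc -c < "$2" | tr -d ' '
}

# Compare the source hash with the image hash; prints MATCH or MISMATCH.
verify_image() {   # $1 = image
    if [ "$(hash_of "$DISK")" = "$(hash_of "$1")" ]; then echo MATCH; else echo MISMATCH; fi
}

# Carve sectors 8-15 (a "partition") with skip=, then write them back into a blank disk
# at the same offset with seek= and conv=notrunc. Prints the label found at sector 8.
carve_and_restore() {
    dd if="$DISK" of="$WORK/part.img" bs=512 skip=8 count=8 2>/dev/null
    dd if=/dev/zero of="$WORK/restore.disk" bs=512 count=33 2>/dev/null
    dd if="$WORK/part.img" of="$WORK/restore.disk" bs=512 seek=8 conv=notrunc 2>/dev/null
    dd if="$WORK/restore.disk" bs=512 skip=8 count=1 2>/dev/null | head -c 8
}
```

With bs=512 the image is 16896 bytes and the hashes match; with bs=4096 the 512-byte tail is padded to 4096, the image grows to 20480 bytes and the hashes differ, so choose a bs that divides the device size or record the padded length alongside the hash.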
Acquiring Data on Linux: dcfldd Command
The dd command is a general data management tool and was not designed specifically for forensics, so it has a few drawbacks. Nicholas Harbour of the Defense Computer Forensics Laboratory (DCFL) designed a tool called dcfldd, which works like dd but includes several features that support forensic data acquisition.
Features:
- Records all the errors to an output file for ease in examination
- Supports hashing algorithms such as MD5, SHA-1, SHA-256, etc.
- Informs about the acquisition progress
- Splits image file into segmented volumes
- Verifies acquired data with the original source
An example of the dcfldd command:
dcfldd if=/dev/sdb of=sdb_image.img
Parameter explanation:
- if : input file
- /dev/sdb : source/suspect drive (whole disk)
- of : output file
- sdb_image.img : name of the image file
If the image file needs to be split into smaller chunks and hashed at the end, the following command is used:
dcfldd if=/dev/sdb split=2M of=sdb_image.img hash=md5
An advanced dcfldd command looks like this:
dcfldd if=/dev/sdb hash=md5,sha256 hashwindow=2G md5log=md5.txt sha256log=sha256.txt hashconv=after bs=4k conv=noerror,sync split=2G splitformat=aa of=sdb_image.img
Parameter explanation:
- if : input file
- /dev/sdb : source/suspect drive (whole disk)
- hash : Definition of hash algorithms
- hashwindow : hashes the data in windows of 2 GB
- md5log : saves all MD5 hashes in a file called md5.txt
- hashconv : Hashing AFTER or BEFORE the conversion
- sha256log : Saves all sha hashes in a file called sha256.txt
- bs : block size (default is 512)
- 4k : block size of 4 kilobyte
- conv : conversion
- noerror : will continue even with read errors
- sync : if there is an error, NULL fill the rest of the block
- split : Split image file in chunks of 2 GB
- splitformat : the file extension format for the split operation of the output file
- sdb_image.img : name of the image file
To validate the image file with the source, use the “vf” switch command: dcfldd if=/dev/sdb vf=sdb_image.img
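The following script is an added example, not part of the original article and not dcfldd's own code: it emulates with plain coreutils what the hashwindow=, split=/splitformat=aa and vf= options above do, so their behaviour can be studied on a machine where dcfldd is not installed. Sizes are scaled down (4 KiB windows and 8 KiB chunks instead of 2 GB), a constructed file stands in for /dev/sdb, and the log format is this script's own, not dcfldd's exact output.

```shell
#!/bin/sh
# Added example (not from the original article): coreutils emulation of dcfldd's
# hashwindow=, split=/splitformat=aa and vf= behaviour on a constructed "drive".
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/sdb"                    # constructed stand-in for /dev/sdb: 26 KiB of labelled blocks
i=0; while [ "$i" -lt 26 ]; do printf '%-1024s' "block $i" >> "$SRC"; i=$((i + 1)); done
WINDOW=4096; CHUNK=8192

hash_of() {   # sha256 of a file, or of stdin when no file is given
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi | cut -d' ' -f1
}

# hashwindow=: log one hash per WINDOW bytes ("start - end: hash") plus a Total line.
# Prints the number of windows hashed; the last window may be shorter than WINDOW.
hash_windows() {   # $1 = input, $2 = log file
    size=$(wc -c < "$1" | tr -d ' '); n=0; : > "$2"
    while [ $((n * WINDOW)) -lt "$size" ]; do
        end=$(( (n + 1) * WINDOW )); [ "$end" -le "$size" ] || end=$size
        h=$(dd if="$1" bs="$WINDOW" skip="$n" count=1 2>/dev/null | hash_of)
        printf '%d - %d: %s\n' $((n * WINDOW)) "$end" "$h" >> "$2"
        n=$((n + 1))
    done
    printf 'Total (sha256): %s\n' "$(hash_of "$1")" >> "$2"; echo "$n"
}

# split=/splitformat=aa: stream the image into chunks named NAME.aa, NAME.ab, ...
# bs=512 divides the source exactly, so conv=sync adds no padding. Prints the chunk count.
acquire_split() {   # $1 = input, $2 = image name
    dd if="$1" bs=512 conv=noerror,sync 2>/dev/null | split -b "$CHUNK" - "$2."
    ls "$2".?? | wc -l | tr -d ' '
}

# vf=: verify by hashing the reassembled chunks against the source. Prints MATCH/MISMATCH.
verify_split() {   # $1 = source, $2 = image name
    [ "$(cat "$2".?? | hash_of)" = "$(hash_of "$1")" ] && echo MATCH || echo MISMATCH
}

# Why hashwindow= matters: comparing two window logs localizes a discrepancy to an offset
# range instead of a bare "Total mismatch". Prints the first differing window line.
first_bad_window() {   # $1 = source log, $2 = image log
    diff "$1" "$2" | grep '^> [0-9]' | head -n 1 | sed 's/^> //'
}
```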
Acquiring Data on Windows: AccessData FTK Imager
FTK Imager is a data preview and imaging tool that enables analysis of files and folders on local hard drives, CDs/DVDs and network drives, and examination of the contents of forensic images or memory dumps. FTK Imager can also create MD5 or SHA1 hashes of files, review and recover files deleted from the Recycle Bin, export files and folders from forensic images to disk, and mount a forensic image to view its contents in Windows Explorer.
Its architecture is database-driven and enterprise-class, which allows it to manage large data sets, and it also provides stability and faster processing speeds. Its built-in data visualization and explicit image detection technology help to detect and report the content relevant to the investigation rapidly. FTK can function simultaneously with all AccessData's solutions and allows correlating data sets from various sources, such as computer hard drives, network data, mobile devices and internet storage.
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com