Acquisition: How to use three of my favorite tools

In my last post I talked about some of the acquisition tools that are available to use for imaging evidence. This post will demonstrate how to use the tools I mentioned: dd, dcfldd, and FTK Imager.

For dd and dcfldd I’ll be using the SANS SIFT kit, and for the FTK Imager demo I’ll be using a Windows 7 machine.

First let’s start with dd:

With the dd command I need to know the location of the mounted USB device that I’m going to image. The mount command will show where the USB device is in the Linux filesystem. The third line before the last line says: /dev/sdc1 on /media/Thumb Drive. This is the device I’m looking for: /dev/sdc1 is where the USB device is located within the Linux filesystem.
Now that I know the location of the USB device I can start the imaging process. In this screenshot I invoked the dd command to image the USB bit for bit and to send the image file to a location of my choosing.

I’ll break down the command. First I have sudo; this command allows me to run a command as a different user. In this case I’m running the command as the root user, which has privileges to make changes to the system. This is required because root access is needed to use the /dev/sdc device. Next is dd, the invocation of the dd command. Next is if=/dev/sdc. This tells dd that the input file is the /dev/sdc device. Notice that I put /dev/sdc, not /dev/sdc1. The reason is that the 1 denotes the first partition of the USB drive. I want to image the entire drive, so I have to leave out the 1, which lets dd image the entire drive front to back. After if= is bs=, the block size. The block size tells dd how many bytes to convert at one time. The default block size is 512 bytes. This can be changed to a larger size, but it may affect performance. Typically I use a block size of 4096 bytes, or 4KB. The last part of the command is of=ntfs_usb1.dd. This is where the output of the dd command is going to be placed. Because I gave only the name of the file rather than its full path, the output of the dd command will be written into that file, and the file will be placed in the current working directory. Notice that the file name ends with the dd extension. This is a raw file, literally ones and zeros. It cannot be read by normal means; forensic software has to be used to view its contents.

dd image completion
This screen will show after the dd command has completed imaging the USB drive.

After imaging to file I take MD5 hashes of both the USB drive and the image file to make sure that the image file is exactly the same as the USB drive.

md5 sum of original and image
Notice that the random strings of numbers and letters before ntfs_usb1.dd and /dev/sdc are exactly the same. This verifies that the USB drive and the image file are the same.

Next is dcfldd, this program is almost identical to the dd command:

Using dcfldd to take an image
The only differences between the dcfldd command and the dd command shown above are: dcfldd after sudo, which is the invocation of the dcfldd program; hash=md5, which tells dcfldd to use MD5 as the hashing algorithm for image verification; and md5log=md5hash.txt, which tells dcfldd to send the MD5 hash it generates to a text file named md5hash.txt.

Notice that dcfldd shows what it has copied so far.

After imaging is complete the same output screen as dd will show.

dcfldd image completion

After dcfldd completed imaging the USB drive I took an MD5 hash of the USB drive and compared it to the hash that dcfldd generated during the imaging process.

md5 hashes of image file and original
Both hashes match
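To tie the dd and dcfldd sections together, here is an added shell example (not code from the original post) that does what both workflows above do: a bit-for-bit copy with dd, the MD5 of the data stream recorded during the copy (the job dcfldd’s hash=md5 md5log=... does; here it is done with tee and md5sum so the script runs even where dcfldd is not installed), and a final comparison of the source hash, the image hash and the in-flight hash. It assumes GNU dd, md5sum, tee and mktemp are available, and it uses a constructed file as a stand-in for /dev/sdc so it runs without root; on a real drive the source would be the whole device (not a partition such as /dev/sdc1) and the copy would be run under sudo, as in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed data only: no real device is touched.
# Assumptions: GNU coreutils (dd, md5sum, tee, mktemp, head) on a Linux host such as SIFT.

# acquire_image SRC OUT BLOCKSIZE LOGFILE
# Copies SRC to OUT bit for bit and writes the MD5 of the copied stream to LOGFILE,
# which is the same information dcfldd's hash=md5 md5log=LOGFILE records.
acquire_image() {
    src="$1"; out="$2"; bs="${3:-4096}"; log="$4"
    dd if="$src" bs="$bs" 2>/dev/null | tee "$out" | md5sum | cut -d' ' -f1 > "$log"
    # succeed only if both the image and the hash log were actually produced
    [ -s "$out" ] && [ -s "$log" ]
}

# md5_of PATH : prints just the hex digest (the first column of md5sum's output)
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_image SRC OUT LOGFILE
# Returns 0 only if the source hash, the image hash and the hash taken during the
# copy all agree; any mismatch means the image cannot be trusted as a faithful copy.
verify_image() {
    src_hash=$(md5_of "$1")
    img_hash=$(md5_of "$2")
    log_hash=$(cat "$3")
    printf '%s  %s\n%s  %s\n%s  (hashed during copy)\n' \
        "$src_hash" "$1" "$img_hash" "$2" "$log_hash"
    [ "$src_hash" = "$img_hash" ] && [ "$img_hash" = "$log_hash" ]
}

# make_sample_device PATH : constructs a 64 KiB file of random bytes as a stand-in
# for the USB drive (hypothetical; replace with the real device path in practice)
make_sample_device() {
    head -c 65536 /dev/urandom > "$1"
}

# Demo run in a scratch directory, mirroring the post's file names
demo_dir=$(mktemp -d)
make_sample_device "$demo_dir/sdc.bin"
acquire_image "$demo_dir/sdc.bin" "$demo_dir/ntfs_usb1.dd" 4096 "$demo_dir/md5hash.txt"
if verify_image "$demo_dir/sdc.bin" "$demo_dir/ntfs_usb1.dd" "$demo_dir/md5hash.txt"; then
    echo "Hashes match: image is a faithful copy"
else
    echo "HASH MISMATCH: do not rely on this image" >&2
fi
rm -rf "$demo_dir"
```

Hashing the stream during the copy, as dcfldd does, saves a second full read of the drive, but it only proves the image matches what dd read; comparing against a separate hash of the source afterwards, as the post does, is what catches a copy that silently diverged from the device.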

The last tool is GUI based and has far more options than the command line tools used above.

After starting FTK Imager here’s the screen that you will see.
Click on create image.
Select the source of the evidence. In this case it’s a physical drive.
Next select which drive to image. The drop down list will have all of the drives that are connected to and recognized by the system.
After drive selection
Next a destination for the image has to be specified. Click add.
Select which format the image is going to be. In my case I chose Raw (dd).
Next FTK Imager will ask you to fill in some case information.
Next select a destination for the image file. I chose to place the image file on the desktop. Also notice the image fragment size. FTK Imager can split the image file into multiple pieces based on the size entered in the fragment box. If the size is zero then FTK Imager will not fragment the image file. The image file can also be compressed and encrypted.
After all of the options are selected click start to begin the imaging process.
FTK Imager will display the current progress of the imaging.
After imaging is complete FTK Imager will show hash reports and other data related to the imaging process. The most important thing is to make sure that the hashes match.

So here are the three tools that I use the most when it comes to forensic imaging. I hope you enjoyed this post. My next post will be a mock case where I will go through the first two steps of the forensic process: acquisition and examination. Thanks for reading!
