In my last post I talked about some of the acquisition tools that are available to use for imaging evidence. This post will demonstrate how to use the tools I mentioned: dd, dcfldd, and FTK Imager.
For dd and dcfldd I’ll be using the SANS SIFT kit, and for the FTK Imager demo I’ll be using a Windows 7 machine.
First let’s start with dd:
I’ll break down the command. First is sudo, which lets me run a command as a different user; in this case I’m running the command as the root user, who has privileges to make changes to the system. This is required because root access is needed to read the /dev/sdc device. Next is dd, the invocation of the dd command itself. Next is if=/dev/sdc, which tells dd that the input file is the /dev/sdc device. Notice that I put /dev/sdc, not /dev/sdc1: the 1 refers to the first partition of the USB drive. I want to image the entire drive, so I leave off the 1 and dd images the whole drive front to back.

After if= is bs=, the block size. The block size tells dd how many bytes to read and write at one time. The default block size is 512 bytes. This can be changed to a larger size, but it may affect performance. Typically I use a block size of 4096 bytes, or 4 KB.

The last part of the command is of=ntfs_usb1.dd, which is where the output of the dd command is placed. Because I gave only the name of the file rather than its full path, the output will be written to that file in the current working directory. Notice that the file name ends with the .dd extension. This is a raw image file, literally the ones and zeros from the drive. It cannot be read by normal means; forensic software has to be used to view its contents.
After imaging to a file I take MD5 hashes of both the USB drive and the image file to make sure that the image file is exactly the same as the USB drive.
Next is dcfldd; this program is almost identical to the dd command:
Notice that dcfldd shows what it has copied so far.
After imaging is complete, the same output screen as dd will show.
After dcfldd completed imaging the USB drive I took an MD5 hash of the USB drive and compared it to the hash dcfldd generated during the imaging process.
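The dd imaging and MD5 verification steps above, and the dcfldd-style hash taken during imaging, as an added example that is not from the original post. It images a constructed 1 MiB file standing in for /dev/sdc so it runs offline; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: image a drive with dd at a
# 4096-byte block size, then verify the image with MD5 the way the post does.
# The "drive" here is a constructed 1 MiB file so the script runs offline;
# against real media the source is the whole device (e.g. /dev/sdc, not /dev/sdc1).
set -eu

make_sample_device() {
  # Constructed stand-in for a USB drive: 256 blocks of 4096 random bytes
  dd if=/dev/urandom of="$1" bs=4096 count=256 2>/dev/null
}

md5_of() {
  # Print just the hex digest of file $1
  md5sum "$1" | cut -d' ' -f1
}

image_device() {
  # $1 = source device, $2 = raw output image (the .dd file)
  # bs=4096 is the block size the post uses; the input is read front to back
  dd if="$1" of="$2" bs=4096 2>/dev/null
}

image_and_hash() {
  # dcfldd-style one pass: hash the byte stream while tee writes the image,
  # so the digest covers exactly what dd read from the source.
  dd if="$1" bs=4096 2>/dev/null | tee "$2" | md5sum | cut -d' ' -f1
}

verify_image() {
  # Post-imaging check: MD5 of the source must equal MD5 of the image file.
  # Returns 0 on match, 1 on mismatch (a changed or truncated image fails).
  src=$(md5_of "$1")
  img=$(md5_of "$2")
  echo "source $src"
  echo "image  $img"
  [ "$src" = "$img" ]
}

# Demo on the constructed sample (real use: image_device /dev/sdc ntfs_usb1.dd)
work=$(mktemp -d)
make_sample_device "$work/fake_sdc"
image_device "$work/fake_sdc" "$work/ntfs_usb1.dd"
verify_image "$work/fake_sdc" "$work/ntfs_usb1.dd" && echo "image verified"
rm -rf "$work"
```

The one-pass variant avoids a second full read of the source, which is what dcfldd's built-in hashing buys you on large media.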
The last tool, FTK Imager, is GUI based and has far more options than the command line tools used above.
So here are the three tools that I use the most when it comes to forensic imaging. I hope you enjoyed this post. My next post will be a mock case where I will go through the first two steps of the forensic process: acquisition and examination. Thanks for reading!