The first step of doing a forensic analysis is extracting the data from the hard disk.

A naive approach would be to simply copy all the files and directories; however, this would only copy the files that weren't deleted. By reading the partition at a lower level (block by block, rather than file by file), we'll be able to recover deleted files as well.

Using dd

dd is one of the most powerful tools for making a byte-level backup of physical media.

In Linux, drives appear as device files under /dev.

The first drive is /dev/sda, the second is /dev/sdb, and so on.

Each partition also has its own entry.

So /dev/sda1 would be the first partition on drive /dev/sda, and /dev/sdb3 would be the third partition on drive /dev/sdb.

Simple usage:

dd if=/dev/sdb2 of=/home/owner/dd_result

This would copy every byte in /dev/sdb2 to the file '/home/owner/dd_result'.

At the simplest level, this is good for copying a filesystem for analysis, so you don't need to worry about writing to your original source and possibly ruining it.

However, there are two more options that are worth knowing about:

  • 'conv=noerror' - This option forces dd to continue past a read error instead of stopping.
  • 'sync' (also a conv= flag) - in case of an error, dd fills the rest of the block with 0's, so every later byte of the image keeps its original offset.

Both are given in one conv= list:

dd if=/dev/sdb2 of=dd_result conv=noerror,sync

dd Variants

In addition to the standard dd, modified versions of dd are also available.

  • ddrescue (not dd_rescue) is a version of dd optimized for recovering data from damaged hard disks. It’s recommended to use this version if the drive you want to analyze is dying.
  • dc3dd is a version of dd that was designed for forensic analysis.
    • dc3dd if=/dev/sdb2 of=dc3dd.result verb=on hash=md5 hash=sha256 hlog=dc3dd_result.hashlog log=dc3dd_result.log

This command would also compute hashes of the drive as it is copied and log important information. The hashes are important to verify that the drive was copied correctly.

Sample run:

moshe@moshe-desktop:~/Downloads/dc3dd-7.1.614/src$ ./dc3dd if=/dev/sdc of=DC_dc3dd.result verb=on hash=md5 hash=sha256 hlog=dc3dd_result.hashlog log=dc3dd_result.log

dc3dd 7.1.614 started at 2012-02-04 22:54:24 -0500
compiled options:
command line: ./dc3dd if=/dev/sdc of=DC_dc3dd.result verb=on hash=md5 hash=sha256 hlog=dc3dd_result.hashlog log=dc3dd_result.log
device size: 78165360 sectors (probed)
sector size: 512 bytes (probed)
40020664320 bytes (37 G) copied (100%), 1690.67 s, 23 M/s

input results for device `/dev/sdc':
78165360 sectors in
0 bad sectors replaced by zeros
88c3e1a6b9afb7aa0e6a5ba9c7b7d70f (md5)
1b5c4f02ded9ed9efcae2797c90ffc12e5f6d5bf0baa9464b79858220c669c34 (sha256)

output results for file `DC_dc3dd.result':
78165360 sectors out

dc3dd completed at 2012-02-04 23:22:34 -0500

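The plain dd command above gives you no hashes, so you have to produce them yourself to get the same verification dc3dd's hash= option gives. The following script is an added example, not code from the original page or from the dc3dd project: it images a source with conv=noerror,sync, hashes both the source and the image, writes both digests to a log, and reports whether they match. The block size is deliberately the 512-byte sector size, because with conv=sync any read error or short read zero-fills a whole block, and a larger block would discard good sectors next to a bad one. The file and log names are the caller's values; the sample data in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): image a device or file with dd and
# verify the copy by comparing SHA-256 digests of source and image, the way
# dc3dd's hash= option does. Assumes POSIX sh with coreutils dd and sha256sum.
BLOCK_SIZE=512   # sector size: keeps conv=sync zero-fill to a single bad sector

# Print only the hex SHA-256 digest of a file or block device.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_and_verify SOURCE IMAGE [LOG]
# Copies SOURCE to IMAGE, appends dd's messages and both digests to LOG,
# prints "OK <digest>" and returns 0 when the digests match.
image_and_verify() {
    src="$1"; dst="$2"; log="${3:-$2.log}"
    # noerror: keep going past unreadable blocks; sync: pad each short block with
    # zeros so every later byte of the image keeps its original offset.
    dd if="$src" of="$dst" bs="$BLOCK_SIZE" conv=noerror,sync 2>>"$log" || return 1
    src_hash=$(hash_of "$src")
    dst_hash=$(hash_of "$dst")
    {
        echo "source: $src $src_hash"
        echo "image:  $dst $dst_hash"
    } >>"$log"
    if [ "$src_hash" = "$dst_hash" ]; then
        echo "OK $dst_hash"
        return 0
    fi
    echo "MISMATCH: source $src_hash image $dst_hash" >&2
    return 2
}

# Usage (needs read access to the device):
#   image_and_verify /dev/sdb2 /home/owner/dd_result /home/owner/dd_result.log
```

A mismatch is expected, not a bug, when the source had unreadable sectors: the zeros dd wrote in their place differ from whatever the device returned, and the dd messages in the log tell you how many blocks were affected. Hash the image again before and after every later analysis step to show it was never modified.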

Mounting the partition

Now that you've backed up the partition with dd, you can mount the image as a partition on your own Linux machine. You can then analyze the partition without needing the original hard disk.

In Linux, every filesystem is mounted onto a directory, called the mount point.

Therefore, you’ll first need to choose the mount destination.

Let’s mount the partition in `/media/forensics`.

So we'll first need to create that directory:

`sudo mkdir /media/forensics`

then we can mount the partition with:

sudo mount -t <filesystem type> /home/owner/dd_result /media/forensics -o ro

For example, for an NTFS partition, we'd do:

sudo mount -t ntfs /home/owner/dd_result /media/forensics -o ro

This would mount the image located in `/home/owner/dd_result` as an NTFS drive in `/media/forensics`, and it would be read-only.

For ext3 and ext4 filesystems, there's one more option that should be added: "noload". This prevents the filesystem driver from automatically replaying the journal (which would write to the image) when the drive is mounted.

Therefore, for an ext3 filesystem, you would run:

`sudo mount -t ext3 /home/owner/dd_result /media/forensics -o ro,noload`


Now you can access the drive as if it was plugged into your computer.
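The mount commands above assume the image holds exactly one partition. The dc3dd sample run, by contrast, imaged the whole disk /dev/sdc, and an image like that carries a partition table in front of the filesystem, so mount needs to be told where the partition starts. The script below is an added example, not from the original page or from util-linux: it builds the read-only option string (adding noload for ext3/ext4 and offset= for a partition inside a whole-disk image), reads the partition start from `sfdisk -d`, and mounts. The image path, mount point and partition number are the caller's values; the sfdisk output in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): mount a dd image read-only for analysis,
# handling whole-disk images (offset=) and ext3/ext4 journals (noload).
# Assumes util-linux mount and sfdisk, and that mount sets up the loop device itself.

# Read an "sfdisk -d" partition dump on stdin and print the start sector of partition N.
# Matches a device name that ends in N with no digit before it (sda1, dd_result1, nvme0n1p1).
part_start() {
    awk -v n="$1" '$1 ~ ("[^0-9]" n "$") { s = $0; sub(/.*start= */, "", s); sub(/,.*/, "", s); print s; exit }'
}

# mount_opts FSTYPE [START_SECTOR] [SECTOR_SIZE]
# Prints the -o string: always ro; noload for ext3/ext4; offset= when START_SECTOR > 0.
mount_opts() {
    fstype="$1"; start="${2:-0}"; sector="${3:-512}"
    opts="ro"
    case "$fstype" in
        ext3|ext4) opts="$opts,noload" ;;   # never replay the journal onto the evidence image
    esac
    if [ "$start" -gt 0 ]; then
        opts="$opts,offset=$((start * sector))"   # byte offset of the partition in the image
    fi
    printf '%s\n' "$opts"
}

# mount_image FSTYPE IMAGE MOUNTPOINT [PARTNUM]
# PARTNUM 0 (default) means the image is a single partition, as in the page's examples.
mount_image() {
    fstype="$1"; image="$2"; mnt="$3"; partnum="${4:-0}"
    start=0
    if [ "$partnum" -gt 0 ]; then
        start=$(sfdisk -d "$image" | part_start "$partnum")
        [ -n "$start" ] || { echo "partition $partnum not found in $image" >&2; return 1; }
    fi
    sudo mkdir -p "$mnt"
    sudo mount -t "$fstype" -o "$(mount_opts "$fstype" "$start")" "$image" "$mnt"
}

# Usage:  sh mount_image.sh ntfs /home/owner/dd_result /media/forensics      (partition image)
#         sh mount_image.sh ext4 /home/owner/DC_dc3dd.result /media/forensics 1   (whole-disk image)
if [ "$#" -ge 3 ]; then
    mount_image "$@"
fi
```

After mounting, `mount | grep /media/forensics` should show `ro` in the option list; if it shows `rw`, unmount and check the command before touching anything, because a read-write mount of an ext image silently replays the journal and changes the image's hash.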

Below is a copy of the file I created in the video, "copyOfDriveDc3dd". You can try computing a hash for it and mounting it on your own Linux machine as I demonstrated. For a more difficult challenge, try to use dd and dc3dd on your own. Make a copy of a flash drive of your own and mount it in a Linux machine. Compare the hashes for the original and the copy to ensure they are identical. I would recommend trying this in a virtual machine and making a copy of the data on your flash drive before beginning in case anything goes wrong. Be careful not to confuse the input file and output file for dd, as you may overwrite important data.

copyOfDriveDc3dd.zip(258.73 KB) marcbudofsky, Mar 17 2013, 9:42 PM

Further information on this module can be found at the following links.
