The first step of a forensic analysis is extracting the data from the hard disk.
A naive approach would be to simply copy all the files and directories; however, this would only copy the files that weren't deleted. By accessing the data on the partition at a lower level, we'll be able to recover deleted files as well.
dd is one of the most powerful tools for making a byte-level copy of physical media.
In Linux, drives appear as device nodes under /dev.
The first drive is /dev/sda, the second is /dev/sdb, and so on.
Each partition also has its own entry.
So /dev/sda1 would be the first partition on drive /dev/sda, and /dev/sdb3 would be the third partition on drive /dev/sdb.
dd if=/dev/sdb2 of=/home/owner/dd_result
This would copy every byte in /dev/sdb2 to the file '/home/owner/dd_result'.
At the simplest level, this is good for copying a filesystem for analysis: you work on the copy, so you don't need to worry about writing to your original source and possibly ruining it.
However, there are two more options that are worth knowing about:
dd if=/dev/sdb2 of=dd_result conv=noerror,sync
noerror tells dd to keep going after a read error instead of stopping, and sync pads any block that could not be read in full with zeros, so the image keeps the same size and layout as the source even when the disk has bad sectors.
In addition to the standard dd, modified versions of dd are also available, such as dc3dd, shown below.
These commands create hashes of the drive as it is copied and log important information. The hashes are important to verify that the drive was copied correctly.
moshe@moshe-desktop:~/Downloads/dc3dd-7.1.614/src$ ./dc3dd if=/dev/sdc of=DC_dc3dd.result verb=on hash=md5 hash=sha256 hlog=dc3dd_result.hashlog log=dc3dd_result.log
dc3dd 7.1.614 started at 2012-02-04 22:54:24 -0500
command line: ./dc3dd if=/dev/sdc of=DC_dc3dd.result verb=on hash=md5 hash=sha256 hlog=dc3dd_result.hashlog log=dc3dd_result.log
device size: 78165360 sectors (probed)
sector size: 512 bytes (probed)
40020664320 bytes (37 G) copied (100%), 1690.67 s, 23 M/s
input results for device `/dev/sdc':
78165360 sectors in
0 bad sectors replaced by zeros
output results for file `DC_dc3dd.result':
78165360 sectors out
dc3dd completed at 2012-02-04 23:22:34 -0500
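The dd-and-hash workflow described above, written up as an added example script that is not part of the original module. It assumes a POSIX shell with dd and sha256sum (or shasum), and is exercised here against a constructed sample file standing in for a device such as /dev/sdc; on a real drive the same function is run as root with the device node as the source.

```shell
#!/bin/sh
# Added example (not the module's own code): image a source with dd using the
# conv=noerror,sync options from above, hash source and image, and record both
# in a log, much as dc3dd's hash=/hlog=/log= options do.

# sha256 of a file, using whichever tool the system provides (assumption: one exists)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_and_verify SRC DST LOG
# Returns 0 when the image hashes identically to the source, 1 otherwise.
image_and_verify() {
    src=$1; dst=$2; log=$3
    # bs=512 matches the sector size dc3dd probed above. conv=sync pads the
    # final short block with zeros, so a source that is not a multiple of bs
    # yields an image larger than the source and the hashes will not match.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log" || return 1
    src_hash=$(sha256_of "$src")
    dst_hash=$(sha256_of "$dst")
    {
        echo "started: $(date)"
        echo "input:  $src sha256 $src_hash"
        echo "output: $dst sha256 $dst_hash"
    } >>"$log"
    [ "$src_hash" = "$dst_hash" ]
}

# Constructed sample: 16 sectors of random bytes standing in for a flash drive.
make_sample() {
    dd if=/dev/urandom of="$1" bs=512 count=16 2>/dev/null
}
```

A mismatch after imaging a real device means the image is not a faithful copy and should not be used for analysis; the log shows which hash differed and how many records dd read.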
Now that you've backed up the partition with dd, you can mount the image as a partition on your own Linux machine. You can then analyze the partition without needing the original hard disk.
In Linux, every filesystem is mounted at a directory, known as the mount point.
Therefore, you'll first need to choose the mount destination.
Let's mount the partition in `/media/forensics`.
So we'll first need to create that directory:
`sudo mkdir /media/forensics`
Then we can mount the partition with:
sudo mount -t <filesystem type> /home/owner/dd_result /media/forensics -o ro
For example, for an NTFS partition, we'd do:
sudo mount -t ntfs /home/owner/dd_result /media/forensics -o ro
This would mount the image located in `/home/owner/dd_result` as an NTFS filesystem in `/media/forensics`, read only. mount notices that the source is a regular file rather than a device and attaches it through a loop device; on older systems you may need to ask for that explicitly with -o ro,loop.
For ext3 and ext4 filesystems, there's one more option that should be added: "noload". This stops the kernel from replaying the filesystem journal when the image is mounted; a replay would write to the image and alter the evidence, even though the mount is read only.
Therefore, for an ext3 filesystem, you would run:
`sudo mount -t ext3 /home/owner/dd_result /media/forensics -o ro,noload`
Now you can access the drive as if it were plugged into your computer.
Below is a copy of the file I created in the video, "copyOfDriveDc3dd". You can try computing a hash for it and mounting it on your own Linux machine as I demonstrated. For a more difficult challenge, try to use dd and dc3dd on your own: make a copy of a flash drive of your own and mount it in a Linux machine, then compare the hashes for the original and the copy to ensure they are identical. I would recommend trying this in a virtual machine and making a copy of the data on your flash drive before beginning, in case anything goes wrong. Be careful not to confuse the input file and output file for dd, as you may overwrite important data.
Attachment: copyOfDriveDc3dd.zip (258.73 KB), posted by marcbudofsky, Mar 17 2013, 9:42 PM