Sunday, August 13, 2017

Forensics: Imaging a Drive

Background 
This blog post covers how to image the hard drive(s) of a workstation or desktop computer. The process for imaging a large-scale server differs from these steps.

Purpose 
Imaging is used to create a 1 to 1 copy of a drive. Forensics will be performed on the copy of the drive to gather evidence. The Chain of Custody is used to ensure that the processes used to obtain the image and the forensic evidence will hold up in legal proceedings.  


Requirements
Live Boot USB/CD  
  • Create a Live Boot USB/CD of a forensics-oriented operating system. For the purpose of this blog post we will be using Kali Linux.
Zero Drive
  • Zero Drive refers to a drive that has been overwritten with zeros.


Methodology
When Imaging a drive for the purpose of evidence collection one must always adhere to the Chain of Custody[1]. The Chain of Custody is a set of standards and procedures designed to preserve the integrity of the data collected for legal proceedings. 


Use Cases
There will be two primary scenarios for acquiring a forensic image:
  • The hard drive is NOT connected to the computer.
    • Solution: Attach the drive to a forensic workstation using a Write Blocking mechanism.
  • The hard drive is still connected to a powered down computer.
    • Solution: Use a Forensic Live USB/CD and have the computer boot from the attached USB/CD. 
Concepts
  • Reasons to Split an Image File:
    • If the media you are imaging is larger than the media it is being imaged to, then split the image into smaller files for transferring across multiple devices.
    • If you are trying to transfer a large image to a FAT32 volume, then you must split it into files less than 4 GB in size. This is due to the fact that FAT32 supports a maximum file size of 4 GB.

How To
Create a Zero Drive
Steps:
1. Boot into Kali Linux.
2. Connect the drive.
3. Run the following command:
  • sudo dc3dd wipe=/dev/sda
  • This will overwrite all data on the drive with zeros.
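A post-wipe check, added here as an example and not part of the original post or of dc3dd: it reads a device (or a file standing in for one) and reports whether every byte is zero, which is the state a Zero Drive should be in before it is used as an image destination. It assumes a POSIX shell with cmp, awk, dd and mktemp; the function names and the constructed sample files are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post). Checks that a wiped device
# really is zero from start to end. Pass a block device such as /dev/sdb
# (read-only access is enough) or any file standing in for one.

# Print the 1-based offset of the first non-zero byte in $1, or nothing if
# $1 is entirely zero. "cmp -l" lists every differing byte against the
# endless /dev/zero stream until it reaches EOF on $1; awk keeps the first.
first_nonzero_offset() {
    cmp -l "$1" /dev/zero 2>/dev/null | awk 'NR == 1 { print $1; exit }'
}

# Succeed (exit status 0) only when $1 contains no non-zero byte.
is_zero_drive() {
    [ -z "$(first_nonzero_offset "$1")" ]
}

# Constructed demonstration: one fully zeroed 64 KiB file, and a copy with a
# single stray 0xFF byte at offset 5000 (1-based offset 5001), the kind of
# residue an interrupted wipe leaves behind.
demo_zero_check() {
    work=$(mktemp -d)
    dd if=/dev/zero of="$work/wiped.bin" bs=1024 count=64 2>/dev/null
    cp "$work/wiped.bin" "$work/dirty.bin"
    printf '\377' | dd of="$work/dirty.bin" bs=1 seek=5000 conv=notrunc 2>/dev/null
    if is_zero_drive "$work/wiped.bin"; then
        echo "wiped.bin: zeroed"
    fi
    echo "dirty.bin: first non-zero byte at offset $(first_nonzero_offset "$work/dirty.bin")"
    rm -rf "$work"
}

demo_zero_check
```

On a real device run `is_zero_drive /dev/sdX` (replace sdX with the drive identified with fdisk -l) before copying any image onto it, and record the result with the rest of the chain-of-custody notes.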

Acquiring The Image[2]
Steps:
1. Identify
  • Verify the drive to be imaged from the list of available drives, using one of two methods:
  • Run the following command to show a list of available drives:
    • fdisk -l
  • If the drive is removed from the computer then compare the physical label on the drive to the output from the following command:
    • hdparm -I /dev/sda
  • Disk Name will be in the format of:
    • /dev/sDN
    • D - device
    • N - name
  • To Image the whole drive DO NOT include a number in the drive name
    • Incorrect:  /dev/sda1, /dev/sda2, etc
    • Correct: /dev/sda
  • Select a location (a Zero Drive) to save the image file to using the following command:
    • df -h: displays where your external drive is mounted.


2. Run The dc3dd tool
  • To Image a FAT32 drive you will need to split the Image file using the following:
    • “hofs” option
      • Requires that you add a Format Specifier to the file name.
      • Format Specifier - sets the pattern for the sequence of file extensions.
      • BEST Practice: always use three numerical digits at the end of your .img naming scheme because AFF only recognizes names in that format.
        • Example: If you append “00” to the file extension .img, then the file set will be .img.00, .img.01, .img.02, etc.
    • “ofsz” option
      • Purpose: set the maximum size of each file in the sets of files specified.
      • For FAT32 set the file size to under 4GB.

  • Syntax:
    • dc3dd if=Name_Of_Disk_To_Image of=/Full_Path_Of_Location_To_Save_The_Disk_Image/Image_Name.img
    • example:
      • dc3dd if=/dev/sda of=/media/root/47bf-5c55/forensics/cases/Image_Name.img
  • Add option(s) to the command for hashing
    • “hof” option
    • Purpose: write output to a file or device.
    • To use it place it in front of the “/Full_Path_Of_Location_To_Save_The_Disk_Image/Image_Name.img”
      • Syntax:
        • hof=/Full_Path_Of_Location_To_Save_The_Disk_Image/Image_Name.img
    • “hash” option
    • Purpose: compute an ALGORITHM hash of the input and also of any outputs specified.
    • Place it at the end of the “hof” command
      • Syntax:
        • hash=ALGORITHM, where ALGORITHM is one of: md5, sha1, sha256, sha512
    • “log” option
      • Purpose: Log input/output statistics, diagnostics, and total hashes of input and output to file.
      • Syntax:
        • log=Full_Path_of_Location_to_Store_log_files/Log_File_Name.log
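The full acquisition command assembled from the options above, followed by the integrity check a practitioner performs on a split image set once it has been copied elsewhere. This is an added example, not code from the original post or from the dc3dd project. It assumes a POSIX shell with sha256sum, split, cat, dd and mktemp; the helper names, the .000 format specifier and the 2G file size are example choices, and dc3dd itself is only printed, never executed, because imaging a real device needs the drive and root.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the dc3dd command line
# for a split, hashed and logged acquisition, and verifies a split image set
# by reassembling it and comparing its SHA-256 with the hash dc3dd logged
# for the input.

# $1 = source device, $2 = output base name (e.g. /mnt/zero/case.img),
# $3 = per-file size (dc3dd accepts suffixes such as 2G), $4 = log path.
build_dc3dd_cmd() {
    # hofs= : hash the output and split it; the ".000" format specifier makes
    #         dc3dd name the pieces case.img.000, case.img.001, ...
    # ofsz= : maximum size of each piece (keep under 4G for FAT32 targets)
    # hash= : algorithm applied to the input and to every output
    # log=  : statistics, diagnostics and the hashes go to this file
    printf 'dc3dd if=%s hofs=%s.000 ofsz=%s hash=sha256 log=%s\n' "$1" "$2" "$3" "$4"
}

# Reassemble a split set in sequence and compare the SHA-256 of the stream
# with the expected digest (the input hash recorded in the dc3dd log).
# $1 = base name of the split set, $2 = expected hex digest.
# Prints OK or MISMATCH and returns 0 or 1 accordingly.
verify_split_set() {
    actual=$(cat "$1".[0-9][0-9][0-9] | sha256sum | cut -d' ' -f1)
    if [ "$actual" = "$2" ]; then
        echo OK
        return 0
    fi
    echo MISMATCH
    return 1
}

# Self-contained demonstration on a constructed "drive": 1 MiB of random
# bytes, hashed whole, then split into 300 KiB pieces named the way dc3dd
# names them, and verified through the reassembly path.
demo_split_verify() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/disk.bin" bs=1024 count=1024 2>/dev/null
    expected=$(sha256sum "$work/disk.bin" | cut -d' ' -f1)
    split -b 300k -a 3 -d "$work/disk.bin" "$work/disk.img."
    verify_split_set "$work/disk.img" "$expected"
    rc=$?
    rm -rf "$work"
    return $rc
}

build_dc3dd_cmd /dev/sda /media/root/47bf-5c55/forensics/cases/case.img 2G \
    /media/root/47bf-5c55/forensics/cases/case.log
demo_split_verify
```

Run the printed dc3dd command as root on the forensic workstation, take the input hash from the log it writes, and pass that digest to verify_split_set after the pieces have been moved to their long-term storage; a MISMATCH means a piece is missing, reordered or altered and the copy cannot be relied on as evidence.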


Resources 
1. An Open Extensible Format for Disk Imaging
2. Digital Forensics with Kali Linux
    ISBN: 9781783989225


References
1. Chain of Custody
2. Digital Forensics with Kali Linux
    ISBN: 9781783989225


Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec