Lect09 - Acquisition Flashcards

1
Q

Command for detailed disk information?

A

hdparm -I /dev/sda | less

  • Provides detailed disk information, including HPA/DCO
  • Use the -I option for detailed information
  • Useful for hard drives
  • May not be useful for flash media
2
Q

Command for detailed USB drive information?

A

usb-devices | less

  • shell script that reads /proc/bus or /sys/kernel
  • provides detailed USB device information
  • Useful for flash media
3
Q

How to hash a block device?

A
  • # md5sum /dev/sdb
  • # sha1sum /dev/sdb
  • # sha256sum /dev/sdb
  • # sha512sum /dev/sdb
4
Q

What does the basic dd command look like? What other options are possible?

A

# dd if=/dev/sdc of=evidence.raw bs=512

Other options include:

  • skip=<number>: skip <number> input blocks before copying
  • count=<number>: copy only <number> input blocks
  • conv=noerror: continue after read errors (skip them)
  • conv=sync: pad short or unreadable blocks with fill bytes (NULs) to the full block size
  • status=progress: provides periodic status updates
5
Q

How can you split a large image into smaller pieces?

A

# split -d -a3 -b4G case1.disk1.raw case1.disk1.split.

  • -d = the -d option gives numeric suffixes (*.01, *.02, *.03, etc.) for the output files instead of alphabetic ones (*.aa, *.ab, *.ac, etc.).
  • -a3 = the -a option specifies the suffix length (here three characters).
  • -b4G = the -b option sets the size of each piece: split after 4 GB (K, M, G suffixes accepted).
6
Q

How can you split image on-the-fly with dd?

A

# dd if=/dev/sdd | split -d -a3 -b4G - case1.disk1.split.

7
Q

How can you reassemble the image?

A

# cat case1.disk1.split* > case1.disk1.new.raw

8
Q

How can you hash every single split file?

A

# sha1sum case1.disk1.split.*

9
Q

How can you hash the complete file?

A

# cat case1.disk1.split* | sha1sum

10
Q

What are the basic steps to acquire a block device?

A
  1. identify the device: # lsscsi
  2. document the media: # hdparm or # usb-devices
  3. hash the device: # sha1sum
  4. image the device: # dd
  5. check the size of the image: # ls
  6. hash the image: # sha1sum
11
Q

Name a few alternative acquisition tools.

A
  • # dc3dd - Enhanced dd program for forensic use (based on dd code).
  • # dcfldd - Enhanced dd program for forensic use (fork of dd code).
  • # ewfacquire - Part of the libewf project, this tool is used to acquire Expert Witness Format (EWF) images.
  • # ddrescue - An imaging tool specifically designed to recover data from media exhibiting errors.
  • # aimage - Forensic imaging tool provided primarily to create images in the Advanced Forensic Format (AFF).
12
Q

What does a standard dc3dd command look like with:

  • Hash and split the output
  • Two hashes
  • Logfile
  • Output size 512 MB
A

# dc3dd if=/dev/sdb hofs=thumb.dc3dd.000 ofsz=512M hash=sha1 hash=md5 log=thumb.dc3dd.log

Other options are:

  • if=<device>: input device (subject device/file)
  • of=<file>: output file (the forensic image)
  • hof=FILE or DEVICE: hashes the input bytes, hashes the output bytes, and writes the output to the specified destination
  • hash=<algorithm>: the algorithm used to hash the input/output bytes (md5, sha1, sha256, etc.) when hof or hofs is used; it may be given more than once
  • ofs=BASE.FMT: split the output file, using the name BASE and the extension FMT for the output files. FMT naming scheme: FMT=aa (filename.aa, filename.ab, filename.ac), FMT=aaa (filename.aaa, filename.aab, filename.aac), FMT=00 (filename.00, filename.01, filename.02), FMT=000 (filename.000, filename.001, filename.002)
  • ofsz=<bytes>: output file size; when using either ofs or hofs, this parameter sets the size of each split file
  • hofs=BASE.FMT: hash and split the output file
  • log=<logfile>: log the output to <logfile>
  • hlog=<logfile>: write a hash log of the image and any split files to <logfile>
13
Q

How can you create multiple duplicate images with dc3dd?

A

# dc3dd if=/dev/sdb hof=thumbcopy.dc3dd hof=duplicate.dc3dd hash=md5

14
Q

Name the six tools from the libewf project.

A
  • ewfacquire - create Expert Witness Format (EWF) images (E01)
  • ewfinfo - print the metadata from an EWF image (# ewfinfo subject_flash_001.E01)
  • ewfverify - check the stored hash against the stored data (hashes raw data only; # ewfverify subject_flash_001.E01 OR # ewfverify -d sha1 subject_flash_001.E01)
  • ewfexport - export the data from an EWF image to a raw format (# ewfexport -t NTFS_Pract_2l017 -f raw -u NTFS_Pract_2017.E01)
  • ewfmount - provide a fuse mounted “raw” image from an EWF image file
  • ewfacquirestream - Allow us to take a stream of input (with the same netcat pipe) and create an EWF file from it.
15
Q

What does a simple ewfacquire command look like?

A

# ewfacquire /dev/sdb

16
Q

What does a complex ewfacquire command look like?

A

# ewfacquire -C "2019-001" -d sha1 -D "Thumb drive seized from bad guy" -e "Barry J. Grundy" -E "2019-001-002" -m removable -M physical -S 512M -t case1.disk2 -u /dev/sdb

Options are:

  • -C : the case number
  • -D : the evidence description
  • -e : the examiner name
  • -E : the evidence number
  • -f encase6 : the EWF format to write (here encase6)
  • -m : the media type; options: fixed (default), removable, optical, memory
  • -M : the media flags; options: logical, physical (default)
  • -N : notes
  • -t /path/file : the target path and file name
  • -d : calculate additional digest (hash) types besides the default md5; options: sha1, sha256
  • -S : segment file size in bytes (default is 1.4 GiB)
  • -u : accept the remaining defaults and run without prompting

17
Q

How can you convert an EWF file into a raw bitstream image?

A

# ewfexport -t NTFS_Pract_2l017 -f raw -u NTFS_Pract_2017.E01

-t: target to write to a file; -f: file format we are writing to; -u: to accept remaining defaults and prevent interaction

18
Q

How does ddrescue work?

A

# ddrescue /dev/sdc sdcrescue.img.raw sdcrescue.map

More options:

  • -i0 : start at position 0
  • -d : access the disk directly, bypassing the kernel cache
  • -N : do not trim the bad areas that are found; leave whole bad clusters out and collect the good data first
  • --cluster-size=X : defines the cluster size
  • -rX : number of retries on bad areas

Map File:

  • ? = non-tried
  • * = bad area - non trimmed
  • / = bad area - non scraped
  • - = bad hardware block(s)
  • + = finished
19
Q

How can you image over the network? Explain Listener and suspect.

A

Listener:
root@forensic:~# nc -l -p 2525 | dd of=/mnt/evid/netimg.raw

  • netcat is listening on port 2525
  • anything coming through the port is directed to dd

Suspect:

root@bootdisk:~# dd if=/dev/sda | nc 192.168.0.1 2525

  • First calculate hash of suspect drive: # sha1sum /dev/sda
  • dd sends the contents of if to netcat
  • netcat sends the data to the IP address and port provided
  • if you want to use dd options like conv=noerror,sync or bs=x, then you do that on the dd side of the pipe.
  • When done, hash the image file on the listener and compare it with the hash of the suspect drive
20
Q

How can you image over the network with dc3dd?

A

Listening Host:

# nc -l -p 2525 | dc3dd ofs=/mnt/evidence/net_dc3dd.000 ofsz=4G log=/mnt/evidence/dc3dd.log

Suspect Host:

# dd if=/dev/sda | nc 192.168.0.1 2525

21
Q

How can you image over the network with ewfacquirestream?

A

Listening host:

# nc -l -p 2525 | ewfacquirestream -C 2019-001 -D "Subject Disk" -e "BGrundy" -E '1' -f encase6 -m fixed -M physical -N "Imaged via network connection" -t mnt/evidence/net_ewfstream

Suspect host:

# dd if=/dev/sda | nc 192.168.0.1 2525

22
Q

Explain the following compression operations with dd using gzip:

  1. Compress a file (file replace)
  2. Decompress a file (file replace)
  3. Create new compressed file
  4. Decompress into new file
  5. Calculate hash of compressed file
  6. Calculate hash of compressed file content
A

# dd if=/dev/sdc | gzip -c > sdc_img.raw.gz

  1. # gzip
  2. # gzip -d
  3. # gzip -c >
  4. # gzip -d -c >
  5. # sha1sum
  6. # gzip -cd | sha1sum
23
Q

How can you image compressed over the network with dd?

A

Listening Host:

# nc -l -p 2525 | gzip -cd | dc3dd hash=sha1 hof=netCompress.raw log=netCompress.log

Suspect Host:

# dd if=/dev/sda | gzip -c | nc 192.168.0.1 2525

24
Q

How can you wipe the media with:

  1. dd
  2. dc3dd
  3. Verification
  4. dc3dd + Verification
A
  1. # dd if=/dev/zero of=/dev/sdc
  2. # dc3dd wipe=/dev/sdc
  3. # xxd -a /dev/sdd
  4. # dc3dd hwipe=/dev/sdc hash=sha1