Lect09 - Acquisition

Question 1

Command for detailed disk information?

Answer 1

hdparm -I /dev/sda | less

• Provides detailed disk information, including HPA/DCO
• Use the -I option for detailed information
• Useful for hard drives
• May not be useful for flash media

Question 2

Command for detailed USB drive information?

Answer 2

usb-devices | less

• shell script that reads /proc/bus or /sys/kernel
• provides detailed USB device information
• Useful for flash media

Question 3

How to hash a block device?

Answer 3

• # md5sum /dev/sdb
• # sha1sum /dev/sdb
• # sha256sum /dev/sdb
• # sha512sum /dev/sdb

Question 4

How does the basic dd command looks like? What other options are possible?

Answer 4

# dd if=/dev/sdc of=evidence.raw bs=512

Other options include:

• skip = <number></number>
• count = <number> </number>
• conv=noerror = <skip></skip>
• conv=sync = <fill></fill>
• status=progress = provides status update

Question 5

How can you split a large image into smaller pieces?

Answer 5

# split -d -a3 -b4G case1.disk1.raw case1.disk1.split.

• -d = the -d option gives us numerical numbering (*.01, *.02, *.03, etc.) for the output files as opposed to alphabetical (*.aa, *.ab, *.ac, etc.).
• -a3 = The -a option specifies the suffix length.
• -b4G = Binary input, split after 4 GB (K, M, G)

Question 6

How can you split image on-the-fly with dd?

Answer 6

# dd if=/dev/sdd | split -d -a3 -b4G - case1.disk1.split.

Question 7

How can you reassemble the image?

Answer 7

# cat case1.disk1.split* > case1.disk1.new.raw

Question 8

How can you hash every single split file?

Answer 8

# sha1sum case1.disk1.split.*

Question 9

How can you hash the complete file?

Answer 9

# cat case1.disk1.split*| sha1sum

Question 10

What are the basics steps to acquire a block device?

Answer 10

1. identify the device: # lsscsi
2. document media: # hdparm | #usb-devices
3. hash the device: # sha1sum
4. image the device: # dd
5. check the size of the image: # ls
6. hash the image: # sha1sum

Question 11

Name a few alternative acquisition tools?

Answer 11

• # dc3dd - Enhanced dd program for forensic use (based on dd code).
• # dcfldd - Enhanced dd program for forensic use (fork of dd code).
• # ewfacquire - Part of the libewf project, this tool is used to acquire Expert Witness Format (EWF) images.
• # ddrescue - An imaging tool specifically designed to recover data from media exhibiting errors.
• # aimage - Forensic imaging tool provided primarily to create images in the Advanced Forensic Format (AFF).

Question 12

How does a standard dc3dd command looks like with:

• Hash and split the output
• Two hashes
• Logfile
• Output size 512 MB

Answer 12

# dc3dd if=/dev/sdb hofs=thumb.dc3dd.000 ofsz=512M hash=sha1 hash=md5 log=thumb.dc3dd.log

Other options are:

• if=<device></device>: input device (subject device/file)
• of=<file></file>: output file (the forensic image)
• hof=FILE or DEVICE: hashes the input bytes, hashes the output bytes, writes the output to the specified destination
• hash=<algorithm></algorithm>: specify the algorithm we will use to hash input/output bytes (md5, sha1, sha256, etc.) when we use hof or hofs.
• ofs=BASE.FMT: split the output file. use the name BASE for the output files. use the extension FMT for the output files. FMT naming scheme: FMT=aa (filename.aa, filename.ab, filename.ac), FMT=aaa (filename.aaa, filename.aab, filename.aac), FMT=00 (filename.00, filename.01, filename.02), FMT=000 (filename.000, filename.001, filename.002)
• ofsz=<bytes></bytes>: output file size; when using either ofs or hofs, this parameter sets the size of each split file.
• hofs=BASE.FMT: hash and split the output file
• log=<logfile></logfile>: log the output to <logfile></logfile>
• hlog=<logfile></logfile>: write a hash log of the image and any split files to FILE

Question 13

How can you create multiple duplicate images with dc3dd?

Answer 13

# dc3dd if=/dev/sdb hof=thumbcopy.dc3dd hof=duplicate.dc3dd hash=md5

Question 14

Name the six tools of the tools from the libewf project?

Answer 14

• ewfacquire - create Expert Witness Format (EWF) images (E01)
• ewfinfo - print the metadata from and EWF image (# ewfinfo subject_flash_001.E01)
• ewfverify - check the stored hash against the stored data (hashes raw data only; # ewfverify subject_flash_001.E01 OR # ewfverify -d sha1 subject_flash_001.E01)
• ewfexport - export the data from an EWF image to a raw format (# ewfexport -t NTFS_Pract_2l017 -f raw -u NTFS_Pract_2017.E01)
• ewfmount - provide a fuse mounted “raw” image from an EWF image file
• ewfacquirestream - Allow us to take a stream of input (with the same netcat pipe) and create an EWF file from it.

Question 15

How does a simple ewfacquire command looks like?

Answer 15

ewfaquire /dev/sdb

Question 16

How does a complex ewfacquire command looks like?

Answer 16

# ewfacquire -C “2019-001” -d sha1 -D “Thumb drive seized from bad guy” -e “Barry J. Grundy” -E “2019-001-002” -m removable -M physical -S 512M -t case1.disk2 -u /dev/sdb

Options are:

-C : the case number is specified with -C

-D : the evidence description is given with -D

-e : the examiner given with -e

-E : evidence number with -E

-f encase6 : encase6 format is specified with -f encase6

-m : the media type, options: fixed (default), removable, optical, memory

-M : the media flags, options: logical, physical (default)

-N : notes are provided with -N

-t /path/file : the target path and file name is specified with -t /path/file

-d : Calculate additional digest (hash) types besides md4. Options: sha1, sha256

-S : Segment file size in bytes (default is 1.4 GiB)

Question 17

How can you convert an EWF file into a raw bitstream image?

Answer 17

# ewfexport -t NTFS_Pract_2l017 -f raw -u NTFS_Pract_2017.E01

-t: target to write to a file; -f: file format we are writing to; -u: to accept remaining defaults and prevent interaction

Question 18

How does ddrescue works?

Answer 18

# ddrescue /dev/sdc sdcrescue.img.raw sdcrescue.map

More options:

• -i0 : Start at sector 0
• -d : Directly access disk, bypassing the kernel cache
• -N : Prevent from trimming the bad areas that are found. Leave whole bad clusters out. Collect good data first.
• –cluster-size=X : Defines cluster size.
• -rX : Number of retries.

Map File:

• ? = non-tried
• * = bad area - non trimmed
• / = bad area - non scraped
• - = bad hardware block(s)
• + = finished

Question 19

How can you image over the network? Explain Listener and suspect.

Answer 19

Listener:
root@forensic:~# nc -l -p 2525 | dd of=/mnt/evid/netimg.raw

• netcat is listening on port 2525
• anything coming through the port is directed to dd

Suspect:

root@bootdisk:~# dd if=/dev/sda | nc 192.168.0.1 2525

• First calculate hash of suspect drive: # sha1sum /dev/sda
• dd sends the contents of if to netcat
• netcat sends the data to the IP address and port provided
• if you want to use dd options like conv=noerror,sync or bs=x, then you do that on the dd side of the pipe.
• Check when done hash of image file

Question 20

How can you image over the network with dc3dd?

Answer 20

Listening Host:

# nc-l -p 2525 | dc3dd ofs=/mnt/evidence/net_dc3dd.000 ofsz=4G log=/mnt/evidence/dc3dd.log

Suspect Host:

# dd if=/dev/sda | nc 192.168.0.1 2525

Question 21

How can you image over the network with ewfacquirestream?

Answer 21

Listening host:

# nc -l -p 2524 | ewfacquirestream -c 2019-001 -D”Subject Disk” -e “BGrundy” -E ’1’ -f encase6 -m fixed -M physical-N “Imaged via network connection” -t mnt/evidence/net_ewfstream

Suspect host:

# dd if=/dev/sda | nc 192.168.0.1 2525

Question 22

Explain the following compresssions with dd using gzip:

1. Compress a file (file replace)
2. Decompress a file (file replace)
3. Create new compressed file
4. Decompress into new file
5. Calculate hash of compressed file
6. Calculate hash of compressed file content

Answer 22

# dd if=/dev/sdc | gzip -c > sdc_img.raw.gz

1. # gzip
2. # gzip -d
3. # gzip -c >
4. # gzip -d -c >
5. # sha1sum
6. # gzip -cd | sha1sum

Question 23

How can you image compressed over the network with dd?

Answer 23

Listening Host:

# nc -l -p 2525 | gzip -cd | dc3dd hash=sha1 hof=netCompress.raw log=netCompress.log

Suspect Host:

# dd if=/dev/sda | gzip -c | nc 192.168.0.1 2525

Question 24

How can you wipe the media with:

1. dd
2. dc3dd
3. Verification
4. dc3dd + Verification

Answer 24

1. # dd if=/dev/zero of=/dev/sdc
2. # dc3dd wipe=/dev/sdc
3. # xxd -a /dev/sdd
4. # dc3dd hwipe=/dev/sdc hash=sha1