Lect09 - Acquisition Flashcards
Command for detailed disk information?
hdparm -I /dev/sda | less
- Provides detailed disk information, including HPA/DCO
- Use the -I option for detailed information
- Useful for hard drives
- May not be useful for flash media
Command for detailed USB drive information?
usb-devices | less
- shell script that reads /proc/bus or /sys/kernel
- provides detailed USB device information
- Useful for flash media
How to hash a block device?
- # md5sum /dev/sdb
- # sha1sum /dev/sdb
- # sha256sum /dev/sdb
- # sha512sum /dev/sdb
How does the basic dd command look like? What other options are possible?
# dd if=/dev/sdc of=evidence.raw bs=512
Other options include:
- skip=<number> = skip this many input blocks before reading
- count=<number> = copy only this many input blocks
- conv=noerror = continue after read errors instead of stopping
- conv=sync = pad short or unreadable blocks with NULs to the full block size
- status=progress = provides status updates while copying
How can you split a large image into smaller pieces?
# split -d -a3 -b4G case1.disk1.raw case1.disk1.split.
- -d = the -d option gives us numerical numbering (*.01, *.02, *.03, etc.) for the output files as opposed to alphabetical (*.aa, *.ab, *.ac, etc.).
- -a3 = The -a option specifies the suffix length.
- -b4G = size of each output piece: split after 4 GB (K, M, G suffixes)
How can you split an image on-the-fly with dd?
# dd if=/dev/sdd | split -d -a3 -b4G - case1.disk1.split.
How can you reassemble the image?
# cat case1.disk1.split* > case1.disk1.new.raw
How can you hash every single split file?
# sha1sum case1.disk1.split.*
How can you hash the complete file?
# cat case1.disk1.split* | sha1sum
What are the basic steps to acquire a block device?
- identify the device: # lsscsi
- document media: # hdparm or # usb-devices
- hash the device: # sha1sum
- image the device: # dd
- check the size of the image: # ls
- hash the image: # sha1sum
Name a few alternative acquisition tools?
- # dc3dd - Enhanced dd program for forensic use (based on dd code).
- # dcfldd - Enhanced dd program for forensic use (fork of dd code).
- # ewfacquire - Part of the libewf project, this tool is used to acquire Expert Witness Format (EWF) images.
- # ddrescue - An imaging tool specifically designed to recover data from media exhibiting errors.
- # aimage - Forensic imaging tool provided primarily to create images in the Advanced Forensic Format (AFF).
How does a standard dc3dd command look like with:
- Hash and split the output
- Two hashes
- Logfile
- Output size 512 MB
# dc3dd if=/dev/sdb hofs=thumb.dc3dd.000 ofsz=512M hash=sha1 hash=md5 log=thumb.dc3dd.log
Other options are:
- if=<device>: input device (subject device/file)
- of=<file>: output file (the forensic image)
- hof=FILE or DEVICE: hashes the input bytes, hashes the output bytes, writes the output to the specified destination
- hash=<algorithm>: specify the algorithm we will use to hash input/output bytes (md5, sha1, sha256, etc.) when we use hof or hofs.
- ofs=BASE.FMT: split the output file. Use the name BASE for the output files and the extension FMT for the output files. FMT naming scheme: FMT=aa (filename.aa, filename.ab, filename.ac), FMT=aaa (filename.aaa, filename.aab, filename.aac), FMT=00 (filename.00, filename.01, filename.02), FMT=000 (filename.000, filename.001, filename.002)
- ofsz=<bytes>: output file size; when using either ofs or hofs, this parameter sets the size of each split file.
- hofs=BASE.FMT: hash and split the output file
- log=<logfile>: log the output to <logfile>
- hlog=<logfile>: write a hash log of the image and any split files to <logfile>
How can you create multiple duplicate images with dc3dd?
# dc3dd if=/dev/sdb hof=thumbcopy.dc3dd hof=duplicate.dc3dd hash=md5
Name the six tools from the libewf project.
- ewfacquire - create Expert Witness Format (EWF) images (E01)
- ewfinfo - print the metadata from an EWF image (# ewfinfo subject_flash_001.E01)
- ewfverify - check the stored hash against the stored data (hashes raw data only; # ewfverify subject_flash_001.E01 OR # ewfverify -d sha1 subject_flash_001.E01)
- ewfexport - export the data from an EWF image to a raw format (# ewfexport -t NTFS_Pract_2017 -f raw -u NTFS_Pract_2017.E01)
- ewfmount - provide a fuse mounted “raw” image from an EWF image file
- ewfacquirestream - Allow us to take a stream of input (with the same netcat pipe) and create an EWF file from it.
How does a simple ewfacquire command look like?
# ewfacquire /dev/sdb