Lect09 - Acquisition Flashcards
Command for detailed disk information?
hdparm -I /dev/sda | less
- Provides detailed disk information, including HPA/DCO
- Use the -I option for detailed information
- Useful for hard drives
- May not be useful for flash media
Command for detailed USB drive information?
usb-devices | less
- shell script that reads /proc/bus or /sys/kernel
- provides detailed USB device information
- Useful for flash media
How to hash a block device?
- # md5sum /dev/sdb
- # sha1sum /dev/sdb
- # sha256sum /dev/sdb
- # sha512sum /dev/sdb
What does the basic dd command look like? What other options are possible?
# dd if=/dev/sdc of=evidence.raw bs=512
Other options include:
- skip=<number>: number of input blocks to skip before copying
- count=<number>: number of input blocks to copy
- conv=noerror: skip (continue past) read errors instead of stopping
- conv=sync: fill (pad) short or unreadable blocks to the full block size
- status=progress: provides a status update while copying
How can you split a large image into smaller pieces?
# split -d -a3 -b4G case1.disk1.raw case1.disk1.split.
- -d = the -d option gives us numerical numbering (*.01, *.02, *.03, etc.) for the output files as opposed to alphabetical (*.aa, *.ab, *.ac, etc.).
- -a3 = The -a option specifies the suffix length.
- -b4G = The -b option sets the size of each output file: split after 4 GB (unit suffixes K, M, G).
How can you split image on-the-fly with dd?
# dd if=/dev/sdd | split -d -a3 -b4G - case1.disk1.split.
How can you reassemble the image?
# cat case1.disk1.split* > case1.disk1.new.raw
How can you hash every single split file?
# sha1sum case1.disk1.split.*
How can you hash the complete file?
# cat case1.disk1.split* | sha1sum
What are the basic steps to acquire a block device?
- identify the device: # lsscsi
- document media: # hdparm -I | # usb-devices
- hash the device: # sha1sum
- image the device: # dd
- check the size of the image: # ls
- hash the image: # sha1sum
Name a few alternative acquisition tools.
- # dc3dd - Enhanced dd program for forensic use (based on dd code).
- # dcfldd - Enhanced dd program for forensic use (fork of dd code).
- # ewfacquire - Part of the libewf project, this tool is used to acquire Expert Witness Format (EWF) images.
- # ddrescue - An imaging tool specifically designed to recover data from media exhibiting errors.
- # aimage - Forensic imaging tool provided primarily to create images in the Advanced Forensic Format (AFF).
What does a standard dc3dd command look like with:
- Hash and split the output
- Two hashes
- Logfile
- Output size 512 MB
# dc3dd if=/dev/sdb hofs=thumb.dc3dd.000 ofsz=512M hash=sha1 hash=md5 log=thumb.dc3dd.log
Other options are:
- if=<device>: input device (subject device/file)
- of=<file>: output file (the forensic image)
- hof=<file or device>: hashes the input bytes, hashes the output bytes, and writes the output to the specified destination
- hash=<algorithm>: specify the algorithm used to hash input/output bytes (md5, sha1, sha256, etc.) when hof or hofs is used
- ofs=BASE.FMT: split the output file, using the name BASE and the extension FMT for the output files. FMT naming schemes: FMT=aa (filename.aa, filename.ab, filename.ac), FMT=aaa (filename.aaa, filename.aab, filename.aac), FMT=00 (filename.00, filename.01, filename.02), FMT=000 (filename.000, filename.001, filename.002)
- ofsz=<bytes>: output file size; when using either ofs or hofs, this parameter sets the size of each split file
- hofs=BASE.FMT: hash and split the output file
- log=<logfile>: log the output to <logfile>
- hlog=<logfile>: write a hash log of the image and any split files to <logfile>
How can you create multiple duplicate images with dc3dd?
# dc3dd if=/dev/sdb hof=thumbcopy.dc3dd hof=duplicate.dc3dd hash=md5
Name the six tools from the libewf project.
- ewfacquire - create Expert Witness Format (EWF) images (E01)
- ewfinfo - print the metadata from an EWF image (# ewfinfo subject_flash_001.E01)
- ewfverify - check the stored hash against the stored data (hashes raw data only; # ewfverify subject_flash_001.E01 OR # ewfverify -d sha1 subject_flash_001.E01)
- ewfexport - export the data from an EWF image to a raw format (# ewfexport -t NTFS_Pract_2017 -f raw -u NTFS_Pract_2017.E01)
- ewfmount - provide a fuse mounted “raw” image from an EWF image file
- ewfacquirestream - Allow us to take a stream of input (with the same netcat pipe) and create an EWF file from it.
What does a simple ewfacquire command look like?
# ewfacquire /dev/sdb
What does a complex ewfacquire command look like?
# ewfacquire -C "2019-001" -d sha1 -D "Thumb drive seized from bad guy" -e "Barry J. Grundy" -E "2019-001-002" -m removable -M physical -S 512M -t case1.disk2 -u /dev/sdb
Options are:
-C : the case number is specified with -C
-D : the evidence description is given with -D
-e : the examiner given with -e
-E : evidence number with -E
-f encase6 : encase6 format is specified with -f encase6
-m : the media type, options: fixed (default), removable, optical, memory
-M : the media flags, options: logical, physical (default)
-N : notes are provided with -N
-t /path/file : the target path and file name is specified with -t /path/file
-d : Calculate additional digest (hash) types besides md5. Options: sha1, sha256
-S : Segment file size in bytes (default is 1.4 GiB)
How can you convert an EWF file into a raw bitstream image?
# ewfexport -t NTFS_Pract_2017 -f raw -u NTFS_Pract_2017.E01
- -t: target file to write to
- -f: file format to write (raw)
- -u: accept the remaining defaults and prevent interactive prompts
How does ddrescue work?
# ddrescue /dev/sdc sdcrescue.img.raw sdcrescue.map
More options:
- -i0 : Start at sector 0
- -d : Directly access disk, bypassing the kernel cache
- -N : Prevent from trimming the bad areas that are found. Leave whole bad clusters out. Collect good data first.
- --cluster-size=X : Defines cluster size.
- -rX : Number of retries.
Map File:
- ? = non-tried
- * = bad area - non trimmed
- / = bad area - non scraped
- - = bad hardware block(s)
- + = finished
How can you image over the network? Explain Listener and suspect.
Listener:
root@forensic:~# nc -l -p 2525 | dd of=/mnt/evid/netimg.raw
- netcat is listening on port 2525
- anything coming through the port is directed to dd
Suspect:
root@bootdisk:~# dd if=/dev/sda | nc 192.168.0.1 2525
- First calculate hash of suspect drive: # sha1sum /dev/sda
- dd sends the contents of if to netcat
- netcat sends the data to the IP address and port provided
- if you want to use dd options like conv=noerror,sync or bs=x, then you do that on the dd side of the pipe.
- Check when done hash of image file
How can you image over the network with dc3dd?
Listening Host:
# nc -l -p 2525 | dc3dd ofs=/mnt/evidence/net_dc3dd.000 ofsz=4G log=/mnt/evidence/dc3dd.log
Suspect Host:
# dd if=/dev/sda | nc 192.168.0.1 2525
How can you image over the network with ewfacquirestream?
Listening host:
# nc -l -p 2525 | ewfacquirestream -C 2019-001 -D "Subject Disk" -e "BGrundy" -E "1" -f encase6 -m fixed -M physical -N "Imaged via network connection" -t mnt/evidence/net_ewfstream
Suspect host:
# dd if=/dev/sda | nc 192.168.0.1 2525
Explain the following compression operations with dd and gzip:
# dd if=/dev/sdc | gzip -c > sdc_img.raw.gz
- Compress a file (replaces the file): # gzip <file>
- Decompress a file (replaces the file): # gzip -d <file>.gz
- Create a new compressed file: # gzip -c <file> > <file>.gz
- Decompress into a new file: # gzip -d -c <file>.gz > <file>
- Calculate the hash of the compressed file: # sha1sum <file>.gz
- Calculate the hash of the compressed file's content: # gzip -cd <file>.gz | sha1sum
How can you image compressed over the network with dd?
Listening Host:
# nc -l -p 2525 | gzip -cd | dc3dd hash=sha1 hof=netCompress.raw log=netCompress.log
Suspect Host:
# dd if=/dev/sda | gzip -c | nc 192.168.0.1 2525
How can you wipe the media with:
- dd: # dd if=/dev/zero of=/dev/sdc
- dc3dd: # dc3dd wipe=/dev/sdc
- Verification: # xxd -a /dev/sdd
- dc3dd + Verification: # dc3dd hwipe=/dev/sdc hash=sha1