Hard drive image tool

6/20/2023

If you have a background as a system or network admin, you have probably done system backups. These are simple copies of the operating system, applications, and data to a hard drive, or sometimes, to tape. Unfortunately, such a copy won't work for us, the forensic investigator. What we need is a bit-by-bit copy of the hard drive or memory that does not alter a single bit of information. Any software that we might use to transfer the image will alter that image, and we can't have that and still present it in a court of law.

Historically, nearly every Linux/UNIX distribution has included a command known as dd (disk-to-disk). Its purpose was to make a bit-by-bit copy of any file, drive, or partition. The basic dd syntax looks something like this:

```
dd if=/dev/sda2 of=/dev/sdb2 bs=512
```

This would create a bit-by-bit copy of sda2 to sdb2 using a block size of 512 bytes.

There are many options for dd, but one of the most commonly used is noerror. When we use the noerror option (given to dd as conv=noerror), dd will not terminate when it encounters errors, so then our command would look like this:

```
dd if=/dev/sda2 of=/dev/sdb2 bs=512 conv=noerror
```

Although most Linux distributions include dd, several variations have been developed and enhanced that make our forensic image acquisition process easier. Nearly every image acquisition tool out there, whether for Windows or Linux, is a variation on dd. In Kali Linux, we have a version of dd that was developed by the Department of Defense's Digital Computer Forensics Laboratory: dcfldd (presumably, digital computer forensic laboratory dd).

Hashing

Among the most critical tasks that we need to do when acquiring an image is to ensure its integrity. In essence, we want to be able to prove in a court of law or other venue that the image we used for analysis was not tampered with or in any way changed since we acquired it. You can only imagine a defense attorney or other representative who will argue that any evidence that you have found on the computer was placed there by law enforcement or the forensic investigator.

Hashing is one-way encryption that creates a unique output (digest) for any input. Hashing is used to assure that nothing changes in the original input. If even a single bit changes in the original input, the hash will change. You have probably seen or used hashes when you downloaded software. In fact, when you downloaded Kali, Offensive Security provides you the MD5 hash of it so that you can check that the Kali you downloaded has not been corrupted or otherwise altered in any way before it gets to you. The most popular hashes are MD5, SHA1, SHA256, and SHA512. As we will see, we can use any of these to ensure the integrity of our forensic image when we use dcfldd or other image acquisition tools.

Now, let's start by firing up Kali and finding dcfldd. Go to Kali Linux -> Forensics -> Forensic Imaging Tools -> dcfldd. It will be the fifth choice in the menu system as seen below.

The syntax we use for dcfldd is nearly identical to dd, but with more options suited to forensic acquisition. If we were using dcfldd in a forensic environment, we would likely be running it from a Live CD. We would then likely want to capture an image of the computer's hard drive to an external device, probably another hard drive of equal or larger size.
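The two steps described above, the bit-by-bit dd acquisition and the hash check that proves the image has not changed, put together in a script that runs stand-alone. This is an added example, not code from the original post or from the dcfldd project: a regular file built from a fixed pattern stands in for /dev/sda2, and the file names under the temporary directory are the example's own assumptions. The final part overwrites one byte of a copy to show that the digest comparison catches even a change that small.

```shell
#!/bin/sh
# Added example, not code from the original post. A regular file stands in for
# /dev/sda2 so this runs without block devices or root; the dd and hashing
# steps are the same ones you would run against a real drive on a Kali Live CD.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample "source drive": exactly 16 sectors of 512 bytes, filled
# with a deterministic pattern so the digests below are reproducible.
make_source_drive() {
    seq 1 3000 > "$WORK/pattern.txt"
    dd if="$WORK/pattern.txt" of="$WORK/source.img" bs=512 count=16 2>/dev/null
    printf '%s\n' "$WORK/source.img"
}

# Bit-by-bit acquisition in the dd form the post describes. conv=noerror keeps
# dd running past an unreadable sector; sync zero-pads that short read so every
# later sector keeps its original offset in the image instead of shifting.
acquire_image() {   # $1 = source device or file, $2 = image file
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Digest only; sha256sum prints "<digest>  <filename>".
hash_of() {         # $1 = file
    sha256sum "$1" | cut -d' ' -f1
}

# Integrity check: exit status 0 when source and image digests match.
verify_image() {    # $1 = source, $2 = image
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# Overwrite a single byte in place (conv=notrunc keeps the rest of the file)
# to show how any change, however small, is caught by the digest comparison.
tamper_one_byte() { # $1 = file, $2 = byte offset
    printf 'X' | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

main() {
    src=$(make_source_drive)
    acquire_image "$src" "$WORK/evidence.dd"
    echo "source  : $(hash_of "$src")"
    echo "image   : $(hash_of "$WORK/evidence.dd")"
    verify_image "$src" "$WORK/evidence.dd" && echo "image verified: digests match"

    cp "$WORK/evidence.dd" "$WORK/altered.dd"
    tamper_one_byte "$WORK/altered.dd" 100
    echo "altered : $(hash_of "$WORK/altered.dd")"
    verify_image "$src" "$WORK/altered.dd" || echo "altered copy rejected: digests differ"
}
main
```

Two practical notes. First, conv=sync pads a short final read up to the block size, so if the source is not a multiple of bs the image is slightly larger than the source and the two digests will not match; real drives and partitions are whole multiples of the sector size, which is why the check works there. Second, dcfldd can compute the digest while it copies (its hash= option takes a list such as md5,sha256, and hashlog= writes the result to a file), which saves a second full read of the drive; the separate sha256sum pass above is the portable equivalent for plain dd.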