The reason for creating this image of the flash drive is to ensure we have a working copy. We should never be performing work on original data. If we damage the original data or compromise it in any way, then we have bigger problems than just trying to figure out what is on the disk.
After plugging the USB into my analysis machine, I took a look at my "dmesg" output.
Above we see the USB was successfully connected and was assigned to device "sdd". We also see the drive has one partition, which was detected as "sdd1".
As always, before executing a tool, we should at least take a look at the help:
sansforensics@securitynik:~$ dc3dd --help | more
Now that we have some information from the help on what the tool's capabilities are, let's move ahead with making a working copy of the flash drive:
sansforensics@securitynik:~/firefox-analysis$ sudo dc3dd if=/dev/sdd of=securitynik-firefox.dc3dd hof=securitynik-firefox.log hash=md5 hash=sha1
if=/dev/sdd - Tells dc3dd to use the input file (the device) at "/dev/sdd"
of=securitynik-firefox.dc3dd - Tells dc3dd to create an output file from the input named "securitynik-firefox.dc3dd"
hof=securitynik-firefox.log - Tells dc3dd to write the hash information to a log file named "securitynik-firefox.log"
hash=md5 - Tells dc3dd to create an MD5 hash of the image
hash=sha1 - Tells dc3dd to create a SHA1 hash of the image
Once the command has completed, we have the results below.
We see that two files were created: the output file as well as the file containing the hashes.
To verify these hashes, let's take an md5sum of "/dev/sdd".
If we look above, we see the md5sum result matches the one calculated by dc3dd.
Let's now take a look at the sha1sum of "/dev/sdd".
Once again, from the above, it matches.
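To make that verification step repeatable, here is an added helper script (not from the original post or from dc3dd) that re-hashes the image with md5sum/sha1sum and compares the digests against the ones recorded in the dc3dd log. The log line format it parses, the file names and the demo data (a 3-byte "image" with the well-known digests of "abc") are assumptions.

```shell
#!/bin/sh
# verify_image.sh: a hypothetical helper (not part of dc3dd) that re-hashes an
# image with coreutils md5sum/sha1sum and compares the digests with the ones
# recorded in the dc3dd log. Assumed log format: "   <hex> (md5)" lines as
# dc3dd 7.x prints them, or "md5: <hex>"; anything else counts as "not found".

# Print the lowercase hex digest for algorithm $1 found in log file $2, or nothing.
log_hash() {
    grep -iE "^[[:space:]]*[0-9a-f]+ \($1\)|^[[:space:]]*$1: *[0-9a-f]+" "$2" |
        head -n 1 | grep -oiE '[0-9a-f]{32,40}' | head -n 1 | tr 'A-F' 'a-f'
}

# Hash image $2 with algorithm $1 and compare with the digest in log $3.
# Exit status: 0 match, 1 mismatch, 2 digest missing from the log.
check_hash() {
    expected=$(log_hash "$1" "$3")
    [ -n "$expected" ] || { echo "$1: no digest found in $3"; return 2; }
    actual=$("${1}sum" "$2" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "$1 match: $actual"
    else
        echo "$1 MISMATCH: log=$expected image=$actual"
        return 1
    fi
}

# Check both algorithms the post asked dc3dd for; fail if either disagrees.
verify_image() {
    rc=0
    for algo in md5 sha1; do
        check_hash "$algo" "$1" "$2" || rc=1
    done
    return $rc
}

# Constructed demo: a 3-byte "image" whose md5/sha1 are the well-known digests
# of "abc", one log that matches it and one whose md5 line was tampered with.
demo() {
    dir=$(mktemp -d)
    printf 'abc' > "$dir/demo.dc3dd"
    printf '   900150983cd24fb0d6963f7d28e17f72 (md5)\n' > "$dir/good.log"
    printf '   a9993e364706816aba3e25717850c26c9cd0d89d (sha1)\n' >> "$dir/good.log"
    printf 'md5: 00000000000000000000000000000000\n' > "$dir/bad.log"
    printf 'sha1: a9993e364706816aba3e25717850c26c9cd0d89d\n' >> "$dir/bad.log"
    verify_image "$dir/demo.dc3dd" "$dir/good.log"
    verify_image "$dir/demo.dc3dd" "$dir/bad.log" || echo "tampered log detected"
    rm -rf "$dir"
}
demo
```

On a real case, point it at the image and log from the dc3dd run (for example `verify_image securitynik-firefox.dc3dd securitynik-firefox.log`) and treat any non-zero exit as a reason to re-image rather than proceed.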
It looks like we successfully created an image of the flash drive. In the next post we will look at mounting this image.