Taking a quick look at the disk using "fdisk --list" before we make a copy of it, we see:
kali@securitynik:~$ sudo fdisk --list /dev/sdb
[sudo] password for kali:
Disk /dev/sdb: 29.3 GiB, 31457280000 bytes, 61440000 sectors
Disk model: USB DISK
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00051443

Device     Boot Start      End  Sectors  Size Id Type
/dev/sdb1        2048 61437951 61435904 29.3G  c W95 FAT32 (LBA)
We will revisit this as we compare our cloned disk with the output above.
Let's now go ahead and create an image of the disk, so that we can perform our "dead" forensics.
kali@securitynik:~$ sudo dcfldd if=/dev/sdb of=linux_mint_usb.raw bs=512 errlog=linux_mint_err.log hash=md5,sha1,sha256 hashlog=linux_mint_usb_.hash status=on verifylog=linux_mint.verify hashwindow=100M
Specify the input file, which we know is the USB located at /dev/sdb
if=/dev/sdb
Specify an output File
of=linux_mint_usb.raw
Specify a block size of 512 bytes.
bs=512
Send all errors to a log file, rather than writing to the screen
errlog=linux_mint_err.log
Specify the hash algorithms to use. This ensures we can validate the integrity of the image as it is analyzed during the forensic process.
hash=md5,sha1,sha256
Send the hash information to a log file
hashlog=linux_mint_usb_.hash
Display status messages as the copy progresses
status=on
Send the verification results to a log file
verifylog=linux_mint.verify
Compute a separate hash for every 100 Megabyte window of the input, in addition to the hash of the whole image
hashwindow=100M
Once completed, here is what the output looks like:
61440000 blocks (30000Mb) written.
61440000+0 records in
61440000+0 records out
Looks like the total number of records read in equals the total number of records written out, as expected.
And the created files:
kali@securitynik:~/forensics$ ls
linux_mint_usb_.hash  linux_mint_err.log  linux_mint_usb.raw  linux_mint.verify
Looking at the "linux_mint_err.log" file
Looking at the "linux_mint_usb.hash" file
kali@securitynik:~/forensics$ cat linux_mint_usb.hash | more
0 - 104857600: a833657ba6ffe7aecc9502474830d0e3
0 - 104857600: 9c1a801e95178826c4e49bb498fdae18389429fa
0 - 104857600: 74b7b3f871998cc0bd614dea1d345e5057f87f0ff3579e8f372226ec0ae9e1df
104857600 - 209715200: 8d6305573b4500f27dbcee6cd582e4a8
104857600 - 209715200: 25bb8f02271ede26bfad67d6350ae038ee88a9f5
104857600 - 209715200: 308e467ed64fc4efb36a3c7e520ea6406e360fa260c7d87f9810345ecd09abf4
209715200 - 314572800: ce08ffdb8612f95e4752539044daf1ee
209715200 - 314572800: 4ae41ba71b7c70c470eadc8fa351d78c863facae
209715200 - 314572800: 987da527a07d254d8448233673b81a3843a0aafd0607527df67f333ebec0b913
314572800 - 419430400: 36c76342755d6828990a480c0056d31a
...
31352422400 - 31457280000: 75a8749d0ad3734052147bfa16069060
31352422400 - 31457280000: 9675bdbe94ccb0cd25601e35687a235a2630768a
31352422400 - 31457280000: 90db0b4ccf1b539dfc5c28cca76fd1e3b43316622c9fe4fc1f274ac0cb94e380
Total (md5): e995c8773f355b895792fafdc24e80d4
Total (sha1): 1473fda5a96d0b286b6ffba2b9f2550c1b67ab93
Total (sha256): 998a16707ee4aec57987e2ef768764d652cc55d648fc0f30b295b56b417b4747
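The windowed hash log above is what lets you later prove the image is still intact, and it localises any damage to a single 100M window rather than just telling you "the total changed". The following is an added example (not from the original post, and not dcfldd's own code) that re-creates that "start - end: digest" / "Total (algo): digest" format in Python and checks an image against a saved log; it assumes the algorithm of each log line can be inferred from the digest length, and that a short final window is labelled with its real end offset.

```python
import hashlib

ALGOS = ("md5", "sha1", "sha256")
DIGEST_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm


def iter_windows(source, window):
    """Yield fixed-size windows from a bytes object or a binary file object."""
    if isinstance(source, (bytes, bytearray)):
        for i in range(0, len(source), window):
            yield bytes(source[i:i + window])
    else:  # e.g. open("linux_mint_usb.raw", "rb")
        while chunk := source.read(window):
            yield chunk


def hashlog_lines(source, window, algos=ALGOS):
    """Build hashlog-style lines: one per window and algorithm, then totals."""
    totals = {a: hashlib.new(a) for a in algos}
    lines, offset = [], 0
    for chunk in iter_windows(source, window):
        end = offset + len(chunk)  # assumption: a short last window keeps its real end
        for a in algos:
            totals[a].update(chunk)
            lines.append(f"{offset} - {end}: {hashlib.new(a, chunk).hexdigest()}")
        offset = end
    lines += [f"Total ({a}): {totals[a].hexdigest()}" for a in algos]
    return lines


def parse_hashlog(text):
    """Map ((start, end) or 'total', algo) -> digest from hashlog text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, digest = line.rsplit(":", 1)
        digest = digest.strip().lower()
        algo = DIGEST_ALGO[len(digest)]
        if key.startswith("Total"):
            entries[("total", algo)] = digest
        else:
            start, end = (int(x) for x in key.split("-"))
            entries[((start, end), algo)] = digest
    return entries


def verify_image(source, window, hashlog_text):
    """Re-hash the image; return the log entries whose digest no longer matches.

    An empty list means every window and every total still agree with the log."""
    expected = parse_hashlog(hashlog_text)
    actual = parse_hashlog("\n".join(hashlog_lines(source, window)))
    return [k for k, v in expected.items() if actual.get(k) != v]
```

For a real image, pass `open("linux_mint_usb.raw", "rb")` and `window=100 * 1024 * 1024` together with the contents of the saved hash log.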
Looking at the file "linux_mint_usb.raw"
kali@securitynik:~/forensics$ file linux_mint_usb.raw
linux_mint_usb.raw: DOS/MBR boot sector; partition 1 : ID=0xc, start-CHS (0x0,32,33), end-CHS (0x3ff,254,63), startsector 2048, 61435904 sectors
Now that we have the image, let's mount and perform some basic analysis in the next post.
Posts in this series:
Beginning File System Forensics - Acquiring Disk Image
Beginning File System Forensics - mounting and learning about the drive
Beginning File System Forensics - Timeline analysis