Wednesday, September 9, 2020

Beginning File System Forensics - Acquiring Disk Image

In this series, I am looking at file system forensics. For this post, I inserted a USB device, which shows up at "/dev/sdb".

Taking a quick look at the disk using "fdisk --list" before we make a copy of it, we see:

kali@securitynik:~$ sudo fdisk --list /dev/sdb
[sudo] password for kali: 
Disk /dev/sdb: 29.3 GiB, 31457280000 bytes, 61440000 sectors
Disk model: USB DISK        
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00051443

Device     Boot Start      End  Sectors  Size Id Type
/dev/sdb1        2048 61437951 61435904 29.3G  c W95 FAT32 (LBA)

We will revisit this as we compare our cloned disk with the output above.

Let's now go ahead and create an image of the disk, so that we can perform our "dead" forensics.

kali@securitynik:~$ sudo dcfldd if=/dev/sdb of=linux_mint_usb.raw bs=512 errlog=linux_mint_err.log hash=md5,sha1,sha256 hashlog=linux_mint_usb_.hash status=on verifylog=linux_mint.verify hashwindow=100M

if=/dev/sdb: the input file, which we know is the USB device at /dev/sdb.

of=linux_mint_usb.raw: the output file that will hold the raw image.

bs=512: read and write in blocks of 512 bytes, matching the sector size fdisk reported.

errlog=linux_mint_err.log: send all errors to a log file rather than to the screen.

hash=md5,sha1,sha256: the hash algorithms to use. These ensure we can validate the integrity of the image as it is analyzed during the forensic process.

hashlog=linux_mint_usb_.hash: send the hash information to a log file.

status=on: display the status messages.

verifylog=linux_mint.verify: send the verification results to a log file.

hashwindow=100M: compute a hash over every 100 Megabytes of data, in addition to the hash of the whole image.


Once completed, here is what the output looks like:

61440000 blocks (30000Mb) written.
61440000+0 records in
61440000+0 records out

Looks like the total records read in equal the total records written out.

And here are the created files:

kali@securitynik:~/forensics$ ls 
linux_mint_usb_.hash  linux_mint_err.log  linux_mint_usb.raw  linux_mint.verify


Looking at the "linux_mint_err.log" file


Looking at the "linux_mint_usb_.hash" file:

kali@securitynik:~/forensics$ cat linux_mint_usb_.hash | more
0 - 104857600: a833657ba6ffe7aecc9502474830d0e3
0 - 104857600: 9c1a801e95178826c4e49bb498fdae18389429fa
0 - 104857600: 74b7b3f871998cc0bd614dea1d345e5057f87f0ff3579e8f372226ec0ae9e1df
104857600 - 209715200: 8d6305573b4500f27dbcee6cd582e4a8
104857600 - 209715200: 25bb8f02271ede26bfad67d6350ae038ee88a9f5
104857600 - 209715200: 308e467ed64fc4efb36a3c7e520ea6406e360fa260c7d87f9810345ecd09abf4
209715200 - 314572800: ce08ffdb8612f95e4752539044daf1ee
209715200 - 314572800: 4ae41ba71b7c70c470eadc8fa351d78c863facae
209715200 - 314572800: 987da527a07d254d8448233673b81a3843a0aafd0607527df67f333ebec0b913
314572800 - 419430400: 36c76342755d6828990a480c0056d31a
...
31352422400 - 31457280000: 75a8749d0ad3734052147bfa16069060
31352422400 - 31457280000: 9675bdbe94ccb0cd25601e35687a235a2630768a
31352422400 - 31457280000: 90db0b4ccf1b539dfc5c28cca76fd1e3b43316622c9fe4fc1f274ac0cb94e380

Total (md5): e995c8773f355b895792fafdc24e80d4

Total (sha1): 1473fda5a96d0b286b6ffba2b9f2550c1b67ab93

Total (sha256): 998a16707ee4aec57987e2ef768764d652cc55d648fc0f30b295b56b417b4747
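To turn the hash log into an actual check, here is an added Python example (it is not part of the original post and not dcfldd's own code) that parses the hashlog format shown above, recomputes the windowed and total digests over an image, and reports which window no longer matches. It works on a constructed 1 MiB in-memory image with a 256 KiB window so it runs instantly; against the real acquisition you would open linux_mint_usb.raw and use 100M as the window, which is the hashwindow value used above.

```python
import hashlib
import io
import re
from typing import Dict, List, Tuple

# Constructed sample image: 1 MiB of deterministic filler held in memory, hashed
# with a 256 KiB window. The real acquisition used the .raw file and hashwindow=100M;
# only the sizes are scaled down here.
WINDOW = 256 * 1024
IMAGE = bytes((i * 7 + 3) & 0xFF for i in range(1024 * 1024))
ALGOS = ("md5", "sha1", "sha256")

# dcfldd writes one "start - end: digest" line per algorithm per window, with no
# algorithm name, followed by "Total (algo): digest" lines for the whole stream.
WINDOW_RE = re.compile(r"^(\d+) - (\d+): ([0-9a-f]+)$")
TOTAL_RE = re.compile(r"^Total \((\w+)\): ([0-9a-f]+)$")
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def make_hashlog(fobj, window: int, algos=ALGOS) -> str:
    """Produce a dcfldd-style hashlog for the stream fobj (used here only to build the sample)."""
    lines = []
    totals = {a: hashlib.new(a) for a in algos}
    offset = 0
    while True:
        chunk = fobj.read(window)
        if not chunk:
            break
        for a in algos:
            lines.append(f"{offset} - {offset + len(chunk)}: {hashlib.new(a, chunk).hexdigest()}")
            totals[a].update(chunk)
        offset += len(chunk)
    lines += [f"Total ({a}): {totals[a].hexdigest()}" for a in algos]
    return "\n".join(lines) + "\n"


def parse_hashlog(text: str) -> Tuple[Dict[Tuple[int, int], Dict[str, str]], Dict[str, str]]:
    """Return ({(start, end): {algo: digest}}, {algo: total_digest}).

    Window lines carry no algorithm name, so the algorithm is inferred from the
    digest length (32/40/64 hex characters for md5/sha1/sha256).
    """
    windows: Dict[Tuple[int, int], Dict[str, str]] = {}
    totals: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := WINDOW_RE.match(line):
            start, end, digest = int(m[1]), int(m[2]), m[3]
            windows.setdefault((start, end), {})[HEX_LEN_TO_ALGO[len(digest)]] = digest
        elif m := TOTAL_RE.match(line):
            totals[m[1]] = m[2]
        else:
            raise ValueError(f"unrecognised hashlog line: {line!r}")
    return windows, totals


def verify_image(fobj, windows, totals) -> Tuple[List[Tuple[int, int]], bool]:
    """Re-hash fobj window by window; return (mismatching windows, whether the totals match).

    The windows are processed in order, so the same pass also rebuilds the
    whole-stream digests that dcfldd reported as Total (...).
    """
    bad: List[Tuple[int, int]] = []
    running = {a: hashlib.new(a) for a in totals}
    for (start, end), expected in sorted(windows.items()):
        fobj.seek(start)
        chunk = fobj.read(end - start)
        if len(chunk) != end - start:  # truncated image: this window cannot match
            bad.append((start, end))
            continue
        if any(hashlib.new(a, chunk).hexdigest() != d for a, d in expected.items()):
            bad.append((start, end))
        for h in running.values():
            h.update(chunk)
    totals_ok = all(running[a].hexdigest() == d for a, d in totals.items())
    return bad, totals_ok


def check_sample():
    """Verify the intact sample, then the same image with one byte flipped at offset 300000."""
    log = make_hashlog(io.BytesIO(IMAGE), WINDOW)
    windows, totals = parse_hashlog(log)
    clean_bad, clean_ok = verify_image(io.BytesIO(IMAGE), windows, totals)
    damaged = bytearray(IMAGE)
    damaged[300000] ^= 0xFF  # lands in the second window, 262144 - 524288
    dirty_bad, dirty_ok = verify_image(io.BytesIO(bytes(damaged)), windows, totals)
    return clean_bad, clean_ok, dirty_bad, dirty_ok


if __name__ == "__main__":
    print(check_sample())
```

The value of the windowed hashes shows up in the damaged case: the totals simply report "mismatch", while the window list narrows the corruption down to one 100M range of the real image, which is what you would want when deciding whether to re-image the device or only re-examine one region.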

Looking at the file "linux_mint_usb.raw":

kali@securitynik:~/forensics$ file linux_mint_usb.raw 
linux_mint_usb.raw: DOS/MBR boot sector; partition 1 : ID=0xc, start-CHS (0x0,32,33), end-CHS (0x3ff,254,63), startsector 2048, 61435904 sectors
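To compare the cloned image with the fdisk output at the top of the post, here is an added Python example (not from the original post) that reads the first sector of a raw image and decodes the MBR partition table the same way file and fdisk did. The boot sector it builds is constructed to carry the values reported above (disk identifier 0x00051443, one type 0xc partition starting at sector 2048 with 61435904 sectors); running it with the path to linux_mint_usb.raw as its argument decodes the real image instead.

```python
import struct
import sys
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512          # matches "Sector size (logical/physical): 512 bytes / 512 bytes"
PART_TABLE_OFFSET = 446    # four 16-byte entries live at bytes 446..509
DISK_ID_OFFSET = 440       # the 4-byte "Disk identifier" fdisk prints
BOOT_SIGNATURE = b"\x55\xAA"

# A few of fdisk's partition type names, enough for the disk in this post.
TYPE_NAMES = {
    0x05: "Extended", 0x07: "HPFS/NTFS/exFAT", 0x0B: "W95 FAT32",
    0x0C: "W95 FAT32 (LBA)", 0x82: "Linux swap / Solaris", 0x83: "Linux", 0xEE: "GPT",
}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_chs: Tuple[int, int, int]   # (cylinder, head, sector), the order `file` prints
    end_chs: Tuple[int, int, int]
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sectors - 1

    def fdisk_row(self, sector_size: int = SECTOR_SIZE) -> str:
        """One line in the same column order as fdisk's table (without the device name)."""
        size_gib = self.sectors * sector_size / 2**30
        return (f"{self.index} {'*' if self.bootable else ' '} {self.start_lba} {self.end_lba} "
                f"{self.sectors} {size_gib:.1f}G {self.type_id:x} {TYPE_NAMES.get(self.type_id, 'unknown')}")


def decode_chs(raw: bytes) -> Tuple[int, int, int]:
    """Unpack the packed 3-byte CHS field: head; sector (low 6 bits) plus cylinder high bits; cylinder low byte."""
    head, sect_cyl_hi, cyl_lo = raw
    sector = sect_cyl_hi & 0x3F
    cylinder = ((sect_cyl_hi & 0xC0) << 2) | cyl_lo
    return (cylinder, head, sector)


def parse_mbr(sector0: bytes) -> Tuple[int, List[Partition]]:
    """Return (disk identifier, non-empty partition entries) from the first 512 bytes of an image."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least one full sector")
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not a DOS/MBR boot sector")
    disk_id = struct.unpack_from("<I", sector0, DISK_ID_OFFSET)[0]
    parts: List[Partition] = []
    for i in range(4):
        entry = sector0[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        status, s_chs, ptype, e_chs, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0 and count == 0:
            continue  # unused slot
        parts.append(Partition(i + 1, status == 0x80, ptype,
                               decode_chs(s_chs), decode_chs(e_chs), lba, count))
    return disk_id, parts


def build_sample_mbr() -> bytes:
    """Constructed boot sector carrying the values fdisk and file reported for /dev/sdb in this post."""
    sec = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sec, DISK_ID_OFFSET, 0x00051443)
    # start-CHS (0x0,32,33): head 32, sector 33 with cylinder high bits 0, cylinder low byte 0
    # end-CHS (0x3ff,254,63): head 254, sector 63 with cylinder high bits 0xC0, cylinder low byte 0xFF
    entry = struct.pack("<B3sB3sII", 0x00, bytes([32, 0x21, 0x00]), 0x0C,
                        bytes([254, 0xFF, 0xFF]), 2048, 61435904)
    sec[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


def read_image_mbr(path: str) -> Tuple[int, List[Partition]]:
    """Decode the partition table of a raw disk image on disk, e.g. linux_mint_usb.raw."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(SECTOR_SIZE))


if __name__ == "__main__":
    # With no argument, decode the constructed sample; otherwise read the image given on the command line.
    disk_id, parts = read_image_mbr(sys.argv[1]) if len(sys.argv) > 1 else parse_mbr(build_sample_mbr())
    print(f"Disk identifier: 0x{disk_id:08x}")
    for p in parts:
        print(p.fdisk_row())
```

The end sector it derives (start + sectors - 1 = 61437951) and the 29.3G size are the figures to match against the fdisk table; a disagreement there, or a missing 0x55AA signature, means the image does not reflect the device that was examined and the acquisition should be repeated before any analysis.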

Now that we have the image, let's mount and perform some basic analysis in the next post.
