Forensic Acquisition Tools¶
links: DF TOC - Storage & Acquisition and DF TOC - Labs & Tools - Index
Write Blocker¶
- Portable Kits: Compact and portable solutions for field use, allowing investigators to use them on-site.
- Drive Bay: Write blockers integrated into drive bays for desktop or lab environments.
- Duplicator Appliances: Devices that can duplicate drives while ensuring no data is written to the source drive.
- Multiple Interface Compatibility: Write blockers that support various interfaces (e.g., SATA, USB, FireWire) to accommodate different types of storage devices.
Confirm Attached Evidence Drive¶
Double-checking source and destination devices is critical in forensic investigations to ensure the integrity and accuracy of data acquisition.
Commands to Identify Attached Drives
lshw -class disk
: Lists hardware information about disks.lspci
: Displays information about PCI devices, including storage controllers.lsusb
: Shows USB devices connected to the system.lsscsi
: Lists SCSI devices and hosts.lsblk
: Provides a list of all available block devices.dmesg
: Displays kernel messages, useful for identifying newly attached hardware.
Gathering Disk Information
- Photograph of Drive: Take a physical photograph for visual reference and documentation.
- S.M.A.R.T Data (Self-Monitoring, Analysis, and Reporting Technology): Retrieve health and status data of the drive.
hdparm -I /dev/sda
: Displays detailed information about the drive.smartctl -x /dev/sda
: Provides extensive diagnostics and health information for the drive.
Always double-check the source and destination devices to avoid data corruption or loss. This step ensures that you are working with the correct hardware throughout the forensic process.
dd¶
History
- Origin: The
dd
command originates from the IBM DD command, which stands for "Data Definition." - Unix: Introduced in the 1970s in Unix systems primarily for data conversion tasks.
Function
- Block Copying:
dd
copies data blocks from an input source to an output destination. - Sector Copying: Used for copying disk sectors, not just individual files. This is crucial for creating exact disk images in forensics.
Usage
- Basic Syntax:
dd if=myinputfile of=myoutputfile
- For Copying Disk Sectors:
dd if=/dev/sda of=myoutputfile
- With Error Handling:
dd if=/dev/sda of=myoutputfile conv=noerror,sync
conv=noerror
continues operation even if errors are encountered.sync
pads each input block to the full length of the block, ensuring synchronized data.
Dangerous and Deadly
dd
is powerful but must be used with caution. Incorrect usage can lead to data loss or overwriting important data. Always double-check command parameters before execution.
Variations of dd
Forensic variations of dd
have been developed to include additional features such as cryptographic hashing, improved error handling, activity logging, performance optimization, hash verification, and live progress monitoring.
Forensic Acquisition Tools Based on dd
- dcfldd: Enhanced version of
dd
with additional forensic features. - dc3dd: Another improved version used in digital forensics.
- Data Rescue/Recovery Tools: Tools like
ddrescue
anddd_rescue
for recovering data from damaged drives. - sfsimage Script: Used for creating Squashfs container files for efficient storage and analysis.
Additional Notes
- Raw Data Output: The output from these tools is raw data, not formatted in a specific file system or structure.
- Padding for Bad Sectors: Bad sectors encountered during copying are padded to maintain data alignment and integrity.
Other Free and/or Open-Source Tools¶
Commercial Forensic Acquisition Tools/Formats
- ewfacuire: A tool for creating EnCase Evidence File (EWF) format forensic images.
- ftkimager: A utility for creating forensic images and verifying data integrity.
Tools for Partitions and Filesystem Identification
- disktype: Quick check of partition and filesystem types.
- testdisk: Recovers deleted partitions.
- gpart: Searches for filesystems on a disk.
Tip: GPT partitions save a backup copy at the end of the drive.
Acquisition Cheat Sheet¶
Identify Attached Drive and Hardware Details
- Use commands like
dmesg
,journalctl
,lshw
,lspci
,lsusb
,hdparm
, andsmartctl
.
Acquire a Forensic Image
- Tools:
sfsimage
,dc3dd
,ewfacquire
,ftkimager
,guymager
.
Verify Hash
- Use
md5sum
,sha*sum
, or built-in hash verification in acquisition tools.
Identify Disk Layout and Partition Tables
- Tools:
img_stat
,mmstat
,mmls
,disktype
,gpart
,testdisk
.
Identify Filesystem Type and Details
- Tools:
fsstat
,disktype
.
links: DF TOC - Storage & Acquisition and DF TOC - Labs & Tools - Index