Mounting in Linux - BenWare-FED/Notes-for-df-analysis GitHub Wiki

mount: makes a partition logically accessible through the file system

dd if= of= [options]

copies blocks from input to output

ex: dd if=/dev/sda of=image.dd

specify block size with option bs

ex: dd if=/dev/sda of=image.dd bs=1M

conv=noerror

allows dd to keep working if it encounters errors

always use it

conv=sync (combined with noerror as conv=noerror,sync)

fills the space left empty by read errors with zeros, so the data that follows stays at its original offset in the image

Larger block sizes allow for faster copying, but bad sectors cause more data loss

hashing

sha1sum calculates the SHA-1 hash

sha256sum calculates the SHA-256 hash

sha512sum calculates the SHA-512 hash
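
Added example (not part of the original notes): imaging with conv=noerror,sync and then verifying by hash, showing that sync pads a short final block with zeros, so an image taken with a block size that does not divide the source size hashes differently unless only the source-length prefix is hashed. The function names and the 5120-byte sample file standing in for a device are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. A constructed sample file stands in for a device like /dev/sda.

# acquire SRC DST BS: image SRC to DST with the options from the notes.
acquire() {
    dd if="$1" of="$2" bs="$3" conv=noerror,sync 2>/dev/null
}

# sha256_of FILE: print only the hex digest.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# size_of FILE: size in bytes.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_full SRC IMG: succeeds only if the whole image hashes like the source.
verify_full() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# verify_prefix SRC IMG: hash only the first size_of(SRC) bytes of the image,
# ignoring zero padding that conv=sync added to the final short block.
verify_prefix() {
    [ "$(sha256_of "$1")" = "$(head -c "$(size_of "$1")" "$2" | sha256sum | cut -d' ' -f1)" ]
}

# demo: 5120-byte sample (10 sectors of 512 bytes), imaged at two block sizes.
demo() {
    d=$(mktemp -d) || return 1
    head -c 5120 /dev/urandom > "$d/src.bin"      # constructed sample data
    acquire "$d/src.bin" "$d/bs512.dd" 512        # 5120 is a multiple of 512
    acquire "$d/src.bin" "$d/bs4096.dd" 4096      # last block is short: padded
    for img in bs512.dd bs4096.dd; do
        verify_full "$d/src.bin" "$d/$img" && full=match || full=MISMATCH
        verify_prefix "$d/src.bin" "$d/$img" && pre=match || pre=MISMATCH
        echo "$img size=$(size_of "$d/$img") full=$full prefix=$pre"
    done
    rm -rf "$d"
}

demo
```

Real disks are a whole number of sectors, so a block size that is a multiple of the sector size and divides the device size avoids the padding case.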

Data wiping

Wipe the location where the evidence is going to be stored before putting new evidence into it. Also be sure to wipe any new drives.

ex: sudo dd if=/dev/zero of=/dev/sdb1 conv=noerror,sync bs=1M

Imaging

if=diskpath of=image.dd

Cloning

Uncompressed replica of a drive: if=diskpath of=diskpath

Other imaging tools

variants of dd: dcfldd and dc3dd

GNU ddrescue and dd_rescue

Using the variants

dcfldd if=/dev/sdb split=2M of=sdb_image.img hash=md5

split: splits the image into files of certain sizes

hash: used to automatically generate the hash

dc3dd if=/dev/sdb of=sdb_image.img bs=4K hash=md5 log=dc3dd
