Imaging with Linux (FOR 240) - Chromosom3/TechNotes GitHub Wiki

Imaging with Linux

Dev Directory Information

/dev/ is a directory that contains special device files. They are not regular files but entry points to devices, volumes and other physical and virtual entities. /dev/null is a destination for data that should simply disappear. /dev/urandom generates random bytes and can be used to overwrite files. /dev/zero returns an endless stream of zero bytes and can also be used to overwrite files.

DD Command

The dd command is used for imaging disks on Linux. dd is included with every Linux/Unix-based operating system. dd essentially needs only two things, if and of, the input file and the output file. These don't need to be actual files; they can be partitions or whole disks. An example would be dd if=/dev/sda of=image.dd. In this example dd copies all the data on the drive /dev/sda and writes it to image.dd in the current directory. dd produces a direct, bit-for-bit copy of the disk. There is no compression by default with dd, but you can pipe the output of dd into a compression application.

dd normally stops when it hits a read error. To prevent this, use the noerror option, for example dd if=/dev/sda of=image.dd conv=noerror. You will also want to use sync, which pads any short read with zeros so the sectors stay in the right place in the image and the file system inside it remains usable. You can use the two together by separating them with a comma: conv=sync,noerror.

You can use bs= to specify the block size. For example, bs=1M gives a 1 megabyte block size. Using a large block size causes you to lose more data when the drive has a bad sector: if you read a megabyte at a time and a single sector in it is bad, you lose the whole megabyte instead of just that sector.


Important: Always use conv=sync. Using sync will sometimes make your image larger than the source by a few sectors, because the last short read is always padded up to the full block size.

Hash Algorithms

Once you have the image created, you will want to calculate the hash value of the image. You can use the name of the algorithm + "sum" to hash the file, for example sha256sum or sha1sum. Note that you may not have every hashing algorithm available and may have to install the package for the corresponding algorithm.
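The following script is an added example and is not part of the original wiki page. It runs the dd options described above (conv=sync,noerror and bs=) against a constructed 1000-byte file that stands in for /dev/sda, so it runs offline, and then hashes source and image with sha256sum. It also shows the caveat from the note above: with a 512-byte block size, conv=sync pads the image to 1024 bytes, so the whole-image hash no longer matches the source hash, and the copied data has to be checked over the source length instead. Function names, the temporary files and the 1000/512 sizes are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Images a constructed
# 1000-byte file (standing in for /dev/sda so it runs offline) with the dd
# options described on the page, shows how conv=sync pads the image up to a
# whole block, and hashes source and image with sha256sum.

# make_source DIR BYTES: create DIR/source.bin filled with BYTES random bytes
# and print its path. Constructed test data, not a real disk.
make_source() {
    head -c "$2" /dev/urandom > "$1/source.bin"
    echo "$1/source.bin"
}

# image_disk SRC DST BS: copy SRC to DST the way the page recommends.
# conv=noerror keeps dd reading past read errors instead of aborting;
# conv=sync pads a short block with zeros so every later sector keeps its
# original offset in the image (this is why the image can grow a little).
image_disk() {
    dd if="$1" of="$2" bs="$3" conv=sync,noerror 2>/dev/null
}

# padded_size SIZE BS: the size conv=sync will produce, SIZE rounded up to BS
padded_size() {
    echo $(( (($1 + $2 - 1) / $2) * $2 ))
}

# file_size FILE: size in bytes (wc -c is portable where stat -c is not)
file_size() {
    wc -c < "$1" | tr -d ' '
}

# hash_file FILE: print only the SHA-256 digest from sha256sum
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# hash_prefix FILE BYTES: SHA-256 of the first BYTES of FILE. Comparing this
# to the source hash checks the copied data even when sync padding makes the
# whole-image hash differ from the source hash.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# run_demo: image a 1000-byte source with a 512-byte block size and report.
# Prints "ok" on stdout when the image data matches the source, "MISMATCH"
# otherwise; sizes and hashes go to stderr.
run_demo() {
    work=$(mktemp -d)
    src=$(make_source "$work" 1000)
    image_disk "$src" "$work/image.dd" 512
    echo "source: $(file_size "$src") bytes  sha256 $(hash_file "$src")" >&2
    echo "image:  $(file_size "$work/image.dd") bytes  sha256 $(hash_file "$work/image.dd")" >&2
    if [ "$(hash_prefix "$work/image.dd" 1000)" = "$(hash_file "$src")" ]; then
        result=ok
    else
        result=MISMATCH
    fi
    rm -rf "$work"
    echo "$result"
}

run_demo
```

Running the script prints the source as 1000 bytes and the image as 1024 bytes with two different SHA-256 digests, followed by "ok" because the first 1000 bytes of the image hash to the same value as the source. On a real drive the same check applies: hash the device itself and the image, and expect the image hash to differ only when conv=sync had to pad the final block.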

Linux Distributions for Forensics:

  • Penguin Sleuth
  • F.I.R.E.
  • CAINE
  • DEFT
  • Kali
  • Tsurugi