Linux Imaging and Volumes - caitlinmallen/TechWiki GitHub Wiki
Disks and Volumes in Linux
Windows Volumes – Represented by drive letters
Windows Disks – Not shown by Windows
Use the diskpart CLI utility, then type "list disk" to show the disks
FTK Imager – Add Physical Drive – Shows available drives
Linux Disks – CLI "lsblk", lists block devices/drives
sd – SATA disk
hd – IDE disks
nvme – NVMe disk
Loop – Virtual devices that can be ignored
Linux disks – CLI "sudo fdisk"
-l lists all the disks on the system (sudo fdisk -l)
On newer Ubuntu versions it also shows the loopback devices
These are made to look like a device but are not real disks
Raw Disk Representation
Linux - /dev/sdx or hdx
x is a, b, c etc.
Windows – PHYSICALDRIVE#
# is 1,2,3 etc.
Mounted Volume
Linux - /dev/sdx#
# is 0,1,2 etc.
Windows - X:\
Where X is a, b, c etc.
fdisk makes it easy to see where the partition starts (sector), where it ends, the number of sectors, and the total size along with the type (Type 83 – Linux)
It also shows the disk identifier and the sector size (1 sector is 512 bytes)
lsblk shows this info more visually
Just use lsblk
Acquisition
Make a disk to acquire
Power off VM
Edit VM Settings – Add new hard drive – Use defaults – Power on VM
In terminal - lsblk or sudo fdisk -l to find the new disk
Create a partition – sudo fdisk /dev/sdx (in the video it's sdb) – create a new DOS partition table by typing "o"
Add a new partition with command "n" & go with the defaults ("p" for primary)
Set the size with +xxxM, G, T or P
Write the partition table to disk with "w"
Confirm with lsblk
Format and put a filesystem on the disk
CLI tool – mkfs.ext3 /dev/sdb1
Write to the proper partition (sdb1 is the partition, sdb is the whole disk)
mkfs.ext3 is a shortcut for a bunch of commands
Mounting – Computer picks up on a new drive and its partitions, size, etc.
The mount command (with no arguments) will show you what's mounted in Linux
mount | grep /dev/sd will show you what SATA disks are mounted
It will show you:
rw – Root partition mounted as read-write
errors=remount-ro – remounts it as read-only if there's a filesystem error
Create a mount point
mkdir mountpoint
mount /dev/sdb1 mountpoint
mount <source> <destination>
You can't write anything to the mounted filesystem yet as a normal user
sudo chown -R user destination
Unmount – umount <mountpoint or partition>
Do not mount forensic images as read-write -> Mount as read-only
sudo mount -o ro /dev/sdb1 mountpoint
Mounts as read-only
Imaging
/dev
Special devices
Not actually files, just pointers to devices/volumes and other physical or virtual entities
/dev/fd# – Floppy
/dev/null – Black hole -> Destination to send data that you don't want appearing anywhere
/dev/urandom – Generates random data
/dev/zero – Returns an endless stream of zero bytes
dd
Used for imaging disks on Linux
Included in Linux and anything Unix-derived
Native
dd if=<input> of=<output> [options]
Copies blocks from input to output
Input/Output can be a file, a disk, or a partition/volume
dd if=/dev/sda of=image.dd
Raw disk image, no compression, exact copy
dd cannot compress the way E01 can
Give it an output file, or it will spit the raw data back to the console as garbage
Pipe dd's output to a compression tool and you can compress it
Default block size is 512 bytes
Copying is slow at that size
Specify a different block size with the bs option
dd if=/dev/sda of=image.dd bs=1M
dd option noerror
dd will halt the moment it hits a read error
To stop it from halting on a bad sector or error, use noerror
conv=noerror
Allows dd to continue without halting on errors
Always use this
dd option sync
conv=sync
Without sync, skipped unreadable sectors are simply dropped, so the image comes up sectors short and everything after the error shifts
With sync, the sectors don't shift and later structures don't break
Fills bad sectors with zeros
Everything is where it should be and is functional
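The dd workflow above (larger block size, conv=noerror,sync, piping to a compressor) plus the hash check a practitioner wants afterwards, as an added shell example that is not from the wiki. An ordinary file stands in for /dev/sdX so it runs without root or a spare disk; the file names, block size and sample data are all constructed.

```shell
#!/bin/sh
# Added example, not from the wiki. An ordinary file stands in for /dev/sdX
# so this runs without root or a spare disk; all names and data are constructed.
set -eu

# SHA-256 of stdin, using whichever tool the system has
hash_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# image_device SRC DST BS: raw copy with a larger block size (bs), continuing
# past read errors (noerror) and zero-filling unreadable blocks (sync) so
# every later sector keeps its original offset
image_device() {
    dd if="$1" of="$2" bs="$3" conv=noerror,sync 2>/dev/null
}

# image_compressed SRC DST_GZ BS: dd has no compression, so pipe it to gzip
image_compressed() {
    dd if="$1" bs="$3" conv=noerror,sync 2>/dev/null | gzip -c > "$2"
}

# verify_image SRC IMG: conv=sync pads the final partial block with zeros, so
# the image can be longer than the source; hash only the source's length.
# Prints "match" or "MISMATCH" and returns non-zero on a mismatch.
verify_image() {
    src_len=$(wc -c < "$1" | tr -d ' ')
    src_hash=$(hash_stdin < "$1")
    img_hash=$(head -c "$src_len" "$2" | hash_stdin)
    if [ "$src_hash" = "$img_hash" ]; then
        echo match
    else
        echo MISMATCH
        return 1
    fi
}

# Demo: 84 constructed bytes imaged at bs=64 produce a 128-byte, zero-padded image
demo=$(mktemp -d)
printf 'FORENSIC-SAMPLE-SECTOR-%04d\n' 1 2 3 > "$demo/fake_sdb"
image_device "$demo/fake_sdb" "$demo/sdb.dd" 64
image_compressed "$demo/fake_sdb" "$demo/sdb.dd.gz" 64
echo "source $(hash_stdin < "$demo/fake_sdb")"
verify_image "$demo/fake_sdb" "$demo/sdb.dd"
rm -r "$demo"
```

On a real disk the same size difference shows up at the tail of the image, which is why the verification hashes only the original device length rather than the whole output file.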