
F8-Noncommercial-Based Forensic Duplications

Dr. John P. Abraham, Professor, UTPA



  1. F8-Noncommercial-Based Forensic Duplications • Dr. John P. Abraham, Professor, UTPA

  2. DD • dd, often expanded as "data dump" • www.gnu.org/directory/gnu • Copies bits from one file or device to another, block by block, without interpreting the file system on it.

  3. Creating an evidence file • Check all current drives (dmesg command) and write down the ID of each drive. • If the destination drive is new, use fdisk to create a partition on it, choosing the appropriate partition type (FAT, ext3, NTFS, etc.), and create the file system with mkfs. • Power down. • Plug in the hard drive you want to copy, making sure the computer will still boot from its own boot drive rather than from the one you are copying. It is a good idea to test with a sample drive first, each time you do this operation. • Determine which disk is which; this is a very important step. Use the dmesg command. • Mount the destination drive. Example: mount -t ext3 /dev/hdc1 /mnt/hdc1 (the argument to -t is the file system type you created). Do not mount the suspect drive read-write: dd reads the raw block device, so the source need not be mounted at all, and mounting it would alter it (journal replay, access-time updates). • Make a directory on the destination: mkdir -p /mnt/hdc1/case-0001/tag1

  4. Copying • Change to the directory you created on the destination drive: cd /mnt/hdc1/case-0001/tag1 • Copy: dd if=/dev/hdb of=tag1.bin conv=notrunc,noerror,sync • Flags: if = input file, of = output file, notrunc = do not truncate the output file (matters when writing onto a device or over an existing file), noerror = do not stop copying on a read error, sync = pad every short or failed read with zeros, so the output stays block-aligned and unreadable sectors appear as zero-filled blocks. • Make the image read-only: chmod 444 tag1.bin • Create the MD5 hash: md5sum -b tag1.bin > md5sum.txt • Make it read-only: chmod 444 md5sum.txt • At any time you can check the hash with: md5sum -c md5sum.txt • Also hash the source (md5sum -b /dev/hdb) and compare it with the image hash; if the two differ, dd zero-filled unreadable blocks and that must go into the case notes. MD5 is no longer collision-resistant, so record a SHA-256 (sha256sum) alongside it.
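The copy-and-hash procedure of slides 3 and 4, as an added shell example that is not part of the original slides. It stands in a 1 MiB constructed file for /dev/hdb so it runs without a real disk or root, and it adds the check the slides leave out: the image must hash the same as the source, and a later change to the image must make md5sum -c fail. The function names (make_fake_drive, image_drive, hash_image, verify_image, source_matches_image) are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: image a "drive" with dd, lock the image,
# hash it with MD5 and SHA-256, and verify. The source is a constructed file of
# random 512-byte blocks standing in for /dev/hdb.
set -eu

# Build the stand-in source "device": $2 blocks of 512 random bytes.
make_fake_drive() {
    # $1 = path, $2 = number of 512-byte blocks
    dd if=/dev/urandom of="$1" bs=512 count="$2" 2>/dev/null
}

# Bit-for-bit copy with the flags from the slide:
#   noerror = keep going past read errors, sync = pad short/failed reads with NULs,
#   notrunc = do not truncate an existing output file (matters when of= is a device)
image_drive() {
    # $1 = source device/file, $2 = output image path
    dd if="$1" of="$2" bs=512 conv=notrunc,noerror,sync 2>/dev/null
    chmod 444 "$2"                     # image is now read-only
}

# Hash the image: MD5 as on the slide, plus SHA-256 because MD5 is
# collision-broken. Both digest files are locked read-only too.
hash_image() {
    # $1 = image path; writes md5sum.txt and sha256sum.txt beside it
    dir=$(dirname "$1"); name=$(basename "$1")
    ( cd "$dir" && md5sum "$name" > md5sum.txt && sha256sum "$name" > sha256sum.txt )
    chmod 444 "$dir/md5sum.txt" "$dir/sha256sum.txt"
}

# Re-verify later (slide: md5sum -c md5sum.txt). Returns 0 only if both match.
verify_image() {
    # $1 = image path
    dir=$(dirname "$1")
    ( cd "$dir" && md5sum -c md5sum.txt >/dev/null && sha256sum -c sha256sum.txt >/dev/null )
}

# The check the slides omit: source and image must hash identically. If they do
# not, dd hit read errors and zero-filled those blocks (noerror,sync).
source_matches_image() {
    # $1 = source, $2 = image; prints "match" or "MISMATCH" and returns accordingly
    a=$(md5sum < "$1" | cut -d' ' -f1)
    b=$(md5sum < "$2" | cut -d' ' -f1)
    if [ "$a" = "$b" ]; then echo match; else echo MISMATCH; return 1; fi
}

# Demo run in a scratch directory laid out like the slide's /mnt/hdc1/case-0001/tag1.
work=$(mktemp -d)
make_fake_drive "$work/hdb" 2048
mkdir -p "$work/case-0001/tag1"
image_drive "$work/hdb" "$work/case-0001/tag1/tag1.bin"
hash_image "$work/case-0001/tag1/tag1.bin"
verify_image "$work/case-0001/tag1/tag1.bin" && echo "image verifies"
echo "source vs image: $(source_matches_image "$work/hdb" "$work/case-0001/tag1/tag1.bin")"
rm -rf "$work"
```

The -b flag the slide passes to md5sum is a no-op on Linux (binary and text mode are identical there), so the example omits it. On a real device the same functions apply unchanged: pass /dev/hdb as the source and a path on the mounted destination as the image.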

  5. More about copying • You may want to split the image into sections of about 2 GB (for EnCase, or to fit the file-size limit of a FAT32 volume). To copy the first 3,000,000 blocks of 512 bytes (about 1.5 GB) from the beginning of the drive: • dd if=/dev/hdb of=tag1.bin.1 conv=notrunc,noerror,sync count=3000000 skip=0 • Copy the next 3,000,000 blocks with: • dd if=/dev/hdb of=tag1.bin.2 conv=notrunc,noerror,sync count=3000000 skip=3000000 • count= and skip= are measured in input blocks (512 bytes unless bs= says otherwise), and the conv= list must contain no spaces. • You can move the files to another drive with a different file system: mv tag1.bin.* /mnt/fat32
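The chunked copy above, as an added shell example that is not from the slides. It generalizes the two hand-written dd lines into a loop over count=/skip=, then proves the chunks concatenate back to the original by comparing digests. The source is a constructed file of 5000 blocks and the chunk size is 2000 blocks instead of the slide's 3,000,000, so the run is fast; write_chunk, split_image and verify_chunks are this example's own names.

```shell
#!/bin/sh
# Added example, not from the slides: split a "drive" into fixed-size chunks with
# dd count=/skip=, then verify that the chunks reassemble to the original.
set -eu

# Write chunk $4 (0-based) of $1 as "$2.<n+1>", each chunk being $3 blocks of 512 bytes.
# skip= counts input blocks, so chunk n starts at block n*$3, exactly as on the slide
# (skip=0 for tag1.bin.1, skip=3000000 for tag1.bin.2).
write_chunk() {
    # $1 = source, $2 = output prefix, $3 = blocks per chunk, $4 = chunk index
    dd if="$1" of="$2.$(( $4 + 1 ))" bs=512 count="$3" skip=$(( $4 * $3 )) \
       conv=notrunc,noerror,sync 2>/dev/null
}

# Split $1 into as many chunks as needed; the last one is short. Prints the chunk count.
split_image() {
    # $1 = source, $2 = output prefix, $3 = blocks per chunk
    total=$(( ($(wc -c < "$1") + 511) / 512 ))        # round up to whole blocks
    n=0
    while [ $(( n * $3 )) -lt "$total" ]; do
        write_chunk "$1" "$2" "$3" "$n"
        n=$(( n + 1 ))
    done
    echo "$n"
}

# Concatenate the chunks in order and compare the digest with the source's.
verify_chunks() {
    # $1 = source, $2 = output prefix, $3 = number of chunks; prints match or MISMATCH
    i=1; files=""
    while [ "$i" -le "$3" ]; do files="$files $2.$i"; i=$(( i + 1 )); done
    want=$(md5sum < "$1" | cut -d' ' -f1)
    got=$(cat $files | md5sum | cut -d' ' -f1)
    if [ "$want" = "$got" ]; then echo match; else echo MISMATCH; return 1; fi
}

# Demo: a 5000-block constructed source, 2000-block chunks -> tag1.bin.1 .. tag1.bin.3
work=$(mktemp -d)
dd if=/dev/urandom of="$work/hdb" bs=512 count=5000 2>/dev/null
chunks=$(split_image "$work/hdb" "$work/tag1.bin" 2000)
echo "wrote $chunks chunks"
echo "reassembly: $(verify_chunks "$work/hdb" "$work/tag1.bin" "$chunks")"
rm -rf "$work"
```

Two details worth knowing before doing this on a real drive: the last chunk is shorter because dd stops at end-of-input rather than padding it, and conv=sync pads only short reads, so a source whose length is not a multiple of the block size would gain trailing zeros and hash differently from the raw device.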

  6. Creating an evidence hard drive • You can make an exact copy of the hard drive by first cleansing the destination drive, writing zeros into every block: dd if=/dev/zero of=/dev/hdc conv=notrunc,noerror,sync (dd stops when it reaches the end of the device). Then copy the source onto it: dd if=/dev/hdb of=/dev/hdc conv=notrunc,noerror,sync • Now create the hash: md5sum -b /dev/hdc. This equals md5sum -b /dev/hdb only when both drives are exactly the same size; if the destination is larger, hash just the copied region, e.g. dd if=/dev/hdc bs=512 count=N | md5sum, where N is the number of 512-byte blocks on /dev/hdb. • dd_rescue is a variation of the dd command. It can copy forward or, with its -r option, backward from the end of the device to the beginning, which is useful when you encounter read errors partway through the drive.
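The wipe-then-clone procedure above, as an added shell example that is not from the slides. Both drives are constructed files (source 4096 blocks, destination 6144 blocks of 512 bytes) standing in for /dev/hdb and /dev/hdc; the destination is deliberately larger, which is the usual case in practice and the reason a whole-drive md5sum of the destination does not reproduce the source hash. It also verifies the wipe before trusting the drive. wipe_drive, is_zeroed, clone_drive, whole_drive_hash_matches and bounded_hash_matches are this example's own names.

```shell
#!/bin/sh
# Added example, not from the slides: zero a destination "drive", clone the source
# onto it device-to-device, and show which hash actually verifies the clone.
set -eu

blocks_of() { echo $(( $(wc -c < "$1") / 512 )); }   # whole 512-byte blocks in a file

# Overwrite every block of the destination with zeros. count= is derived from the
# file size here because /dev/zero is endless; on a real device dd stops by itself
# at end-of-device.
wipe_drive() {
    # $1 = destination
    dd if=/dev/zero of="$1" bs=512 count="$(blocks_of "$1")" conv=notrunc,noerror,sync 2>/dev/null
}

# Prove the wipe happened: the drive must hash like an equal-length run of zeros.
is_zeroed() {
    # $1 = destination; prints yes or no
    size=$(wc -c < "$1")
    want=$(head -c "$size" /dev/zero | md5sum | cut -d' ' -f1)
    got=$(md5sum < "$1" | cut -d' ' -f1)
    if [ "$want" = "$got" ]; then echo yes; else echo no; fi
}

# Device-to-device copy exactly as on the slide. notrunc keeps the destination at
# its own size, just as a physical disk would; the tail beyond the source stays zero.
clone_drive() {
    # $1 = source, $2 = destination
    dd if="$1" of="$2" bs=512 conv=notrunc,noerror,sync 2>/dev/null
}

# Hashing the whole destination includes the zeroed tail, so it equals the source
# hash only when both drives are the same size.
whole_drive_hash_matches() {
    # $1 = source, $2 = destination; prints match or MISMATCH
    a=$(md5sum < "$1" | cut -d' ' -f1)
    b=$(md5sum < "$2" | cut -d' ' -f1)
    if [ "$a" = "$b" ]; then echo match; else echo MISMATCH; fi
}

# The hash that verifies the clone: read only as many blocks from the destination
# as the source has (dd count=), then digest that.
bounded_hash_matches() {
    # $1 = source, $2 = destination; prints match or MISMATCH
    a=$(md5sum < "$1" | cut -d' ' -f1)
    b=$(dd if="$2" bs=512 count="$(blocks_of "$1")" 2>/dev/null | md5sum | cut -d' ' -f1)
    if [ "$a" = "$b" ]; then echo match; else echo MISMATCH; fi
}

# Demo with constructed drives: a "suspect" drive and a previously used, larger destination.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/hdb" bs=512 count=4096 2>/dev/null
dd if=/dev/urandom of="$work/hdc" bs=512 count=6144 2>/dev/null
wipe_drive "$work/hdc"
echo "destination zeroed: $(is_zeroed "$work/hdc")"
clone_drive "$work/hdb" "$work/hdc"
echo "whole-drive hash:   $(whole_drive_hash_matches "$work/hdb" "$work/hdc")"
echo "bounded hash:       $(bounded_hash_matches "$work/hdb" "$work/hdc")"
rm -rf "$work"
```

Expect "no" before the wipe, "yes" after it, MISMATCH for the whole-drive hash and match for the bounded one. The bounded digest, together with the block count it covers, is what belongs in the case notes; a bare md5sum of the destination device would look like a failed copy.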

  7. DCFLDD • The Computer Forensics Lab's version of the dd command. • Built-in hashing for stronger authentication: the MD5 hash log is written to a file (hashlog=), and dcfldd can report a hash for every hash window of the image (hashwindow=, e.g. every 512 bytes) rather than only for the whole image, so a bad region can be localized. • It accepts dd's switches plus these additional ones.

  8. NED – Network Evidence Duplicator • Originally named ODESSA. • Operates on a client/server model: the client runs directly on the suspect computer and the server is the forensic workstation. • Copy the NED client onto a bootable floppy and boot the suspect computer from it. The client detects the server and then lets you choose the drive to duplicate. • It is a powerful forensic duplication toolkit.
