Basic Forensic Imaging with dd, dcfldd, and dc3dd


Linux data acquisition commands

DD

dd is a standard Linux and Unix utility for copying and converting files. Because it reads a block device exactly as it reads a file, it can make a bit-for-bit copy of a physical drive and write it to an image file that most forensic tools can open. Plain dd does not hash, log read errors or show progress, so hashing and verification have to be done separately, and the evidence drive should be attached read-only (ideally behind a hardware write blocker) before any of the commands below are run.

Some practical examples of the dd command:

To back up an entire hard disk:

To copy a whole hard disk onto a second hard disk attached to the same system, run dd as shown.

    # dd if=/dev/sda of=/dev/sdb

    'if' is the input file and 'of' the output file. Check both before pressing Enter: swapping them writes over the source disk, and in a forensic acquisition the source is the evidence.

To copy drive to drive while tolerating unreadable sectors, add the conv options shown below. noerror makes dd continue after a read error instead of stopping; sync pads each short or failed read with NUL bytes up to the block size, so every later block keeps its original offset in the copy. The two options are one argument with no space after the comma. Keep bs small (the default 512 bytes, or the drive's sector size) when bad sectors are expected, because a whole block is zero-filled for every failed read.

    # dd if=/dev/sda of=/dev/sdb conv=noerror,sync

To back up a partition:

Give the partition's device name as the input file; the output can be another device or an image file, as in the following dd command.

    # dd if=/dev/hda1 of=~/partition.img

To restore from a hard disk image:

To write a saved image of one hard disk onto another hard disk, use the following command.

    # dd if=hdadisk.img of=/dev/hdb

Here hdadisk.img is an image of /dev/hda, so the command restores the contents of /dev/hda onto /dev/hdb. The target disk must be at least as large as the original.

To create an image of a hard disk:

Instead of cloning the disk onto another disk, you can write it to an image file on separate storage. An image file is easier to store, copy and hash than a cloned disk, and it can be written back with the restore command above when needed. The following command images /dev/hda.

    # dd if=/dev/hda of=~/hdadisk.img
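As an added example (not part of the original post), the acquisition steps above run end to end: image a source with dd conv=noerror,sync, record a SHA-256 of the source, and verify the image against it. To run offline without touching a real disk, the "device" is a constructed regular file; WORK, SRC, IMG and BS are assumptions, and in real use SRC is /dev/sdX behind a write blocker. The source is deliberately not a whole number of sectors so the effect of sync padding on the image hash is visible.

```shell
#!/bin/sh
# Added example, not part of the original post: acquire an image with
# dd conv=noerror,sync, record a SHA-256 of the source, and verify the image
# against it.  To run offline and without touching a real disk, the "device"
# is a constructed regular file; WORK, SRC, IMG and BS are assumptions.
# In real use replace SRC with /dev/sdX attached behind a write blocker.
set -eu

WORK=${WORK:-$(mktemp -d)}
SRC="$WORK/evidence.dev"        # stand-in for the evidence drive
IMG="$WORK/evidence.dd"         # the acquired image
BS=512                          # one sector per block: a bad read loses 512 bytes, not 4 MiB

# Constructed source of exactly $1 bytes of repeating text (no real evidence).
make_source() {
    yes 'constructed evidence line' | head -c "$1" > "$SRC"
}

file_size() { wc -c < "$1" | tr -d ' '; }

# SHA-256 of stdin: sha256sum on GNU systems, shasum on BSD/macOS.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

# Acquire: noerror keeps dd going past unreadable blocks, sync pads each short
# or failed read with NULs so later data keeps its offset.  The source hash is
# written to a log file, the way dcfldd's hashlog= would record it.
acquire() {
    dd if="$SRC" of="$IMG" bs="$BS" conv=noerror,sync 2>"$WORK/dd.stderr"
    hash_of < "$SRC" > "$WORK/evidence.sha256"
}

# Verify the image against the logged source hash.  Real disks are a whole
# number of sectors, but if the source is not a multiple of BS, conv=sync pads
# the last block and the raw image hash no longer matches; in that case compare
# only the first source-length bytes of the image.
verify() {
    logged=$(cat "$WORK/evidence.sha256")
    if [ "$(hash_of < "$IMG")" = "$logged" ]; then
        echo exact
    elif [ "$(head -c "$(file_size "$SRC")" "$IMG" | hash_of)" = "$logged" ]; then
        echo match-with-padding
    else
        echo MISMATCH
    fi
}

make_source 1048676          # 2048 full sectors plus a 100-byte tail
acquire
echo "source $(file_size "$SRC") bytes, image $(file_size "$IMG") bytes, verify: $(verify)"
# prints: source 1048676 bytes, image 1049088 bytes, verify: match-with-padding
```

The padded case is why a large bs such as bs=4M is risky for hashing as well as for bad sectors: if the device size is not a multiple of bs, the image gains up to one block of zeros at the end and its hash will not match the source.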

To create a CD-ROM backup:

dd can also make an ISO file from an optical disc: insert the CD and run dd against the CD-ROM device to capture its contents.

    # dd if=/dev/cdrom of=tgsservice.iso bs=2048

dd reads one block of input at a time, processes it and writes it to the output file. The 'bs' parameter sets the block size for both the input and the output (ibs and obs set them separately). In the example above bs=2048 matches the 2048-byte sector of a data CD-ROM, so each block read is exactly one disc sector.

The following screenshot shows an image file of one of the drives being created with dd.

DCFLDD

dcfldd is an enhanced version of GNU dd with features useful for forensics and security. dcfldd adds the following features:

Hashing on-the-fly: dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
Status output: dcfldd can update the user on its progress, in terms of the amount of data transferred and how much longer the operation will take.
Flexible disk wipes: dcfldd can be used to wipe disks quickly and, if asked, with a known pattern.
Image/wipe verify: dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
Multiple outputs: dcfldd can output to multiple files or disks at the same time.
Split output: dcfldd can split its output into several files with more configurability than the split command.
Piped output and logs: dcfldd can send all its log data and output to commands as well as to files natively.

Image a drive and hash the input as it is read. hash= takes one algorithm or a comma-separated list (for example hash=md5,sha256), and hashlog= writes the result to a file so it can be recorded with the evidence:

    # dcfldd if=/dev/sdb of=sdb_image.img hash=md5 hashlog=sdb_image.md5

Check the image against the source. vf= makes dcfldd read the input again and compare it byte for byte with the named file, reporting whether they match:

    # dcfldd if=/dev/sdb vf=sdb_image.img

DC3DD

dc3dd is a patched version of GNU dd with added features for computer forensics.

It supports on-the-fly hashing (md5, sha1, sha256 and sha512), writing read errors to a log file, grouping errors within the error log, pattern wiping, progress reporting and split output.
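The split output that dcfldd (split= and splitformat=) and dc3dd (ofs= and ofsz=) produce arrives as numbered segment files plus a hash log, and the receiving examiner has to prove the segments still make up the hashed stream. The following script is an added example, not code from either tool or from the original post: to run offline it constructs the segments from a regular file instead of acquiring them, and WORK, the segment size and the file names are assumptions. It reassembles the segments in order, pipes the stream straight into the hasher without writing a joined copy, compares with the logged hash, and then damages one segment to show the check failing.

```shell
#!/bin/sh
# Added example, not part of the original post: verify a split acquisition of
# the kind dcfldd (split= / splitformat=) and dc3dd (ofs= / ofsz=) write, i.e.
# image.000, image.001, ... plus a hash log of the whole input stream.  To run
# offline the segments are constructed from a regular file instead of produced
# by either tool; WORK, the segment size and the file names are assumptions.
#
# For reference only (not run here), the real acquisitions would look like:
#   dcfldd if=/dev/sdb of=image split=256M splitformat=nnn hash=sha256 hashlog=image.sha256
#   dc3dd  if=/dev/sdb ofs=image.000 ofsz=256M hash=sha256 hlog=image.hlog log=image.log
set -eu

WORK=${WORK:-$(mktemp -d)}
SEG=262144                       # 256 KiB per segment, scaled down from 256M

# SHA-256 of stdin: sha256sum on GNU systems, shasum on BSD/macOS.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

# Build a 1 MiB constructed "image" and cut it into numbered segments the way
# the imaging tool would; log the hash of the whole stream.  Prints the count.
make_segments() {
    yes 'constructed segment data' | head -c 1048576 > "$WORK/whole.raw"
    n=0
    while [ $((n * SEG)) -lt 1048576 ]; do
        dd if="$WORK/whole.raw" of="$WORK/image.$(printf '%03d' "$n")" \
           bs="$SEG" skip="$n" count=1 2>/dev/null
        n=$((n + 1))
    done
    hash_of < "$WORK/whole.raw" > "$WORK/image.sha256"
    echo "$n"
}

# Segments in order: the numbering, not directory order, defines the stream.
segments() {
    for f in "$WORK"/image.[0-9][0-9][0-9]; do printf '%s\n' "$f"; done
}

# Reassemble the segments as one stream, pipe it into the hasher and compare
# with the logged hash (no joined copy is written to disk).
verify_split_image() {
    logged=$(cat "$WORK/image.sha256")
    actual=$(cat $(segments) | hash_of)
    if [ "$logged" = "$actual" ]; then echo OK; else echo MISMATCH; fi
}

# Simulate damage to one segment by overwriting a run of bytes in it.  The
# whole-stream hash says that something is wrong, not which segment; per-window
# hashes (dcfldd hashwindow=) would narrow that down.
corrupt_segment() {
    printf 'CORRUPTED SEGMENT' | dd of="$WORK/image.002" bs=1 seek=64 conv=notrunc 2>/dev/null
}

count=$(make_segments)
echo "segments: $count, verify: $(verify_split_image)"
corrupt_segment
echo "after damage, verify: $(verify_split_image)"
# prints: segments: 4, verify: OK
#         after damage, verify: MISMATCH
```

The same reassembly check works for the image written by dcfldd's of= and hashlog=: the logged value is a hash of the input stream, so whatever form the output takes on disk, it must hash to that value when read back in order.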
