Data acquisition for forensics investigation
User guide
By Chris Harrington
• Linux or Windows OS
• Hard drive larger than the one being captured
  ◦ The drive must be forensically wiped so that no data from previous cases can be found on it
• Windows applications
  ◦ FTK Imager
• Linux applications
  ◦ dd
Note: other capturing tools are available.

• Conduct a forensic wipe on the external drive before capturing
• In Windows many tools exist
  ◦ FreeShred
  ◦ Shred
  ◦ Etc…
• In Linux, dd is used to write 0's to all sectors
  ◦ Command:
    dd if=/dev/zero of=/dev/sdX bs=4K conv=noerror,sync
• Run FTK Imager and create a disk image
• Check that Physical Drive is selected as the source type and that the correct physical drive is chosen
• Click Add in the Create Image window
• Raw (dd) format is accepted by many tools for further processing. Enter the evidence information and the saving location.
• Image fragment size splits the image into several smaller files
• Writing the image can take time, depending on the size of the disk
• A log file is produced with MD5 and SHA1 checksums and other drive details
• Start up the suspect's computer and boot it from a Linux live CD. The live CD should avoid writing to local drives. Many options are available:
  ◦ Knoppix
  ◦ Kali
  ◦ Deft
  ◦ Etc…
• Open a terminal
• Command:
    dd if=/dev/sdX of=yourimage.img bs=512
• If the drive is unknown, the fdisk -l command will list the connected devices
• Create a checksum hash of the image
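The wipe step and the dd acquisition step above, as an added shell example that is not part of the original slides. It assumes GNU coreutils (dd, md5sum, sha1sum, tr, wc, sed) as found on a Linux live CD; the device path (the slides' /dev/sdX placeholder), the image path and the log path are passed as arguments, and the function names are this example's own. Rather than running the zero-fill itself, it checks that a wipe actually left the evidence drive all zeros, then images the source with dd, hashes both sides with MD5 and SHA1, and writes an acquisition log that can be re-verified later.

```shell
#!/bin/sh
# Added example, not from the original slides. Assumes GNU coreutils
# (dd, md5sum, sha1sum, tr, wc, sed) on a Linux live CD. SRC is the
# suspect drive (e.g. /dev/sdX); DEST and LOG live on the wiped evidence
# drive. Function names are this example's own.

# verify_wiped DEV
# Confirms that a freshly wiped evidence drive reads back as all zeros,
# so nothing from an earlier case can surface inside the new image.
# Reads the device twice (byte count, then non-NUL count).
verify_wiped() {
    dev="$1"
    [ -e "$dev" ] || return 1
    total=$(wc -c <"$dev")
    nonzero=$(tr -d '\0' <"$dev" | wc -c)   # bytes left after dropping NULs
    [ $total -gt 0 ] && [ $nonzero -eq 0 ]
}

# acquire_image SRC DEST LOG
# Copies SRC to DEST sector by sector (bs=512 as in the slides), hashes the
# source and the image with MD5 and SHA1, and records everything in LOG.
# Returns 0 only when both hash pairs match.
acquire_image() {
    src="$1"; dest="$2"; log="$3"
    {
        echo "acquisition started: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src"
        echo "image:  $dest"
    } >>"$log"

    # conv=noerror,sync: keep going past unreadable sectors and pad them
    # with zeros so offsets in the image still line up with the source.
    # dd's own records in/out summary is appended to the log as well.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log" || return 1

    src_md5=$(md5sum <"$src" | cut -d' ' -f1)
    img_md5=$(md5sum <"$dest" | cut -d' ' -f1)
    src_sha1=$(sha1sum <"$src" | cut -d' ' -f1)
    img_sha1=$(sha1sum <"$dest" | cut -d' ' -f1)
    {
        echo "md5 source=$src_md5 image=$img_md5"
        echo "sha1 source=$src_sha1 image=$img_sha1"
    } >>"$log"

    if [ "$src_md5" = "$img_md5" ] && [ "$src_sha1" = "$img_sha1" ]; then
        echo "verification: OK" >>"$log"
        return 0
    fi
    echo "verification: MISMATCH" >>"$log"
    return 2
}

# verify_image IMAGE LOG
# Later re-verification: recompute the image's SHA1 and compare it with
# the image hash recorded in LOG at acquisition time.
verify_image() {
    img="$1"; log="$2"
    logged=$(sed -n 's/^sha1 source=[0-9a-f]* image=\([0-9a-f]*\).*/\1/p' "$log" | tail -n 1)
    now=$(sha1sum <"$img" | cut -d' ' -f1)
    [ -n "$logged" ] && [ "$logged" = "$now" ]
}

# Usage on a live CD (paths are placeholders):
#   verify_wiped /dev/sdY && acquire_image /dev/sdX /mnt/evidence/case01.img /mnt/evidence/case01.log
#   verify_image /mnt/evidence/case01.img /mnt/evidence/case01.log
```

The wipe itself is left to the dd command from the slides because dd reading /dev/zero stops only when the output device is full; the check function is what tells you the wipe completed before the evidence drive is reused. Hashing the source as well as the image is what lets the log stand as evidence that the copy is faithful.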
• Multiple OS are available to capture images for different scenarios
• Toolkits
• Backup toolkits
• Document every step taken
• Avoid changes to the suspect's data
• Is a forensic capture really necessary for this scenario?

• My contact details
  ◦ C.k.harrington@gmail.com