Hack Like a Pro: Digital Forensics Using Kali, Part 2 (Acquiring a Hard Drive Image for Analysis)

Digital Forensics Using Kali, Part 2 (Acquiring a Hard Drive Image for Analysis)

Welcome back, my aspiring hackers and those who want to catch my aspiring hackers!

As most of you know, this series on digital forensics is inspired by the motivation to keep all of you all out of custody. The more you know about the techniques used by law enforcement and forensic investigators, the better you can evade them.

In this second installment, I want to address the first step that a forensic investigator takes after being brought in to an investigation, namely acquiring evidence in a way that is forensically sound and can be used in a court of law. This step MUST be done correctly if the investigation is to be successful and have any legal standing. If this initial step is done incorrectly, then weeks and months of work that follow will likely all be for naught.

Image via Shutterstock

If you have a background as a system or network admin, you have probably done system backups. These are simple copies of the operating system, applications, and data to a hard drive, or sometimes, to tape. Unfortunately, such a copy won't work for us, the forensic investigator.

What we need is a bit-by-bit copy of the hard drive or memory that does not alter a single bit of information. Any software that we might use to transfer the image will alter that image and we can't have that and still present it in a court of law.

The "Dd" Command

Historically, nearly every Linux/UNIX distribution has included a command known as dd (disk-to-disk). Its purpose was to make a bit-by-bit copy of any file, drive, or partition. The basic dd syntax looks something like this:

dd if=<source> of=<destination> bs=<byte size>

For an example, let's say:

dd if=/dev/sda2 of=/dev/sdb2 bs=512

This would create a bit-by-bit copy of sda2 to sdb2 using a byte size of 512 bytes.

There are many options for dd, but one of the of the most commonly used is noerror. When we use the noerror option, dd will not terminate when it encounters errors, so then our command would look like this:

dd if=/dev/sda2 of=/dev/sdb2 bs=512 noerror

Although most Linux distributions include dd, several variations have been developed and enhanced that make our forensic image acquisition process easier. Nearly every image acquisition tool out there, whether for Windows or Linux, is a variation on dd.

In Kali Linux, we have a version of dd that was developed by the Department of Defense's Digital Computer Forensics Laboratory that is dcfldd (presumably, digital computer forensic laboratory dd).

Hashing

Among the most critical tasks that we need to do when acquiring an image is to ensure its integrity. In essence, we want to be able to prove in a court of law or other venue that the image we used for analysis was not tampered with or in any way changed since we acquired it.

You can only imagine a defense attorney or other representative who will argue that any evidence that you have found on the computer was placed there by law enforcement or the forensic investigator.

Hashing is one-way encryption that creates a unique output (digest) for any input. Hashing is used to assure that nothing changes in the original input. If even a single bit changes in the original input, the hash will change.

You have probably seen or used hashes when you downloaded software. In fact, when you downloaded Kali, Offensive Security provides you the MD5 hash of it so that you can check that the Kali you downloaded has not been corrupted or otherwise altered in any way before it gets to you.

Hashing ensures integrity.

The most popular hashes are MD5, SHA1, SHA256, and SHA512. As we will see, we can use any of these to ensure the integrity of our forensic image when we use dcfldd or other image acquisition tools.

Step 1: Open Kali & Find "Dcfldd"

Now, let's start by firing up Kali and finding dcfldd. Go to Kali Linux -> Forensics -> Forensic Imaging Tools -> dcfldd. It will be the fifth choice in the menu system as seen below.

Step 2: Open "Dcfldd"

When we click on the dcfldd, it will open a help screen like that below.

The syntax we use for dcfldd is nearly identical to dd, but with more options suited to forensic acquisition.

Step 3: Linux Hard Drive Designations

If we were using this dcfldd in a forensic environment, we would likely be using it as a Live CD. We would then likely want to capture an image of the computers hard drive to an external device, probably another hard drive of equal or larger size.

Since I am using Kali as a VM, I am going to capture an image of my virtual hard drive and send it to an external hard drive. To do so, we need to know how Linux designates our hard drives.

You may know that Linux doesn't designate hard drives with single letters like Windows (I really need to do a Linux tutorial on Linux devices). A regular IDE or E-IDE hard drive uses the hd designation, so our first hard drive is hda, our second is hdb, and some on.

Historically, Linux designated SCSI (Small Computer System Interface) hard drives with sd so that the first SCSI hard drive would be sda, the second sdb, and so on. In our modern computers, our hard drives are SATA and Linux sees them as SCSI drives (both have serial connections), so our SATA drives are designated with sda, then sdb, then sdc, etc. If that hard drive is partitioned, then the first partition is sda1, the second partition is sda2, etc.

Step 4: Capturing the Image

Now, to capture the bit-by-bit image of the hard drive and generate the MD5 of the image, we can type:

dcfldd if=/dev/sda hash=md5 of=/media/diskimage.dd bs=512 noerror

  • if=/dev/sda is the input device, in this case /dev/sda.
  • hash=md5 tells the command to calculate an MD5 hash of the image that we can use to assure the image integrity.
  • of=/media/diskimage.dd is the file that the disk image with go, in this case on an external device mounted at /media.
  • bs=512 tells the command we want to transfer the image 512 bytes at a time.
  • noerror tells the command that in the case of error continue to do the data transfer, but write zeros where the error occur.

This will create a bit-by-bit identical image of the hard drive and send it to our external drive with a filename of "diskimage.dd", 512 bytes at a time, and write zeros when it encounters an error rather than terminate and provide us with the md5 hash of the image.

This is the first task in the forensic process. Now that we have this forensically sound image and hash, we can begin the process of analysis looking for artifacts and evidence. If this step is done improperly, everything that follows will be a waste of time.

Step 5: Other Tools for Image Acquisition

There are multiple other tools in Kali for image acquisition. All work similarly with some different features. Outside of Kali, there are also many commercial tools for image acquisition, but probably the most popular is in the Forensic Tool Kit. Access Data publishes the FTK Suite of Forensic tools, and these excellent tools are widely used among law enforcement. Among their suite of tools is the FTK Imager, which they give away for free.

In the screenshot below, we can seethe GUI of FTK Imager acquiring a bit-by-bit image of a hard drive.

Now that we have successfully acquired a forensically sound hard drive image of the evidence hard drive, we can now proceed to analyze it for artifacts and evidence of the illegal activity.

In my next tutorials, I will be showing how to find artifacts of illegal activity on that hard drive that can lead to the perpetrator and disclose their actions, so keep coming back my aspiring hackers!

Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:

Cover image via Shuttestock

18 Comments

enjoyable reading :-)

:OTW

What can you tell me about the mary's web

:OTW

I want to know more about Darknet level 5. Do you have any info about it ?

I do. I'll have to do an article on it.

Im lost XD

I need more info to help you.

:CYBERHITCHHIKER

I know about tor, i2p, freenet. but the deep net also have levels. upto 3 levels can be accessible by any one. Fourth one using closed shell system (OTW this one too what it is) and fifth one (Mary's Web) Just rumors are there. I found out some about it but still no idea what does it mean

"Mariana's Web is a type of structured architecture in which code disobeys many laws of quantum dynamics. It is an unstable environment in most situations but when accessed under certain conditions, the architecture is warped and becomes more stable for the user. I'm not sure what the conditions are because I am not able to access Mariana's Web, unfortunately. Code that does not obey conventional quantum law is highly valuable and also highly inaccessible. Many people seek to destroy the type of code that is available on Mariana's Web because of what it is capable of."

Wha?

lol. That's some imagination.

I really enjoy reading your articles since you always underline your descriptions with some kind of story :)

However, I have one question: What difference would it make if I used bs=1024 (random number) instead of bs=512. Would the Output be any different?

PS: And i wouldn't mind if you did the tutorial on Linux devices ;)

I'll 2nd that, very easy on the eye - nice work!

from a noob's pov -

I used an external HD but dcfldd just kept telling me the directory didn't exist, was puzzling because I thought referencing it as SDC1 might be acceptable to dcfldd but in the end I realised the problem was the disk was mounted with the label: 'Expansion Drive'

I'm used to Access DB's really so I never use spaces...

Fixed the error by using GParted to unmount and change the disk label to 'Expansion(under-score)' (i'm sure there are easier ways).

Thanks for the cool tutorial,
My external hard drive is broken so i tried it with
dd if=/dev/sdc2 of=/dev/sdb3 bs=512 noerror to save my data but i got allways the error:

dd: unrecognized operand `noerror'
Try `dd --help' for more information

Thanks for any help

Thank you OTW. Awesome information and tutorial. Love the forensics series, is extremely pertinent to me!

I get a "dcfldd: unrecognized option noerror" when trying to run the command. Anyone know why it doesn't recognize its own commands?

Just run it without the noerror switch.

try conv=noerror

This is a really cool series... So are all your other articles OTW. Really enjoy reading them. The stuff I learn from them is just awesome. Thanks OTW. Keep writing such articles. Really appreciate your work.

Share Your Thoughts

  • Hot
  • Latest