Disk Forensics P6

This is an alternative to dd for creating a disk image file for further forensic analysis.

dcfldd is a modified version of GNU dd, originally created by Nicholas Harbour of the DoD
Computer Forensics Laboratory (DCFL). It supports hashing, fast disk wiping (through patterns)
and status output.

This command does the same as in the last exercise, but also automatically creates an MD5 hash file (and an SHA-256 one).

dcfldd if=/dev/sdc hash=md5,sha256 md5log=md5.log sha256log=sha.log

If we compare the MD5 sum with that of the evidence.img file from the last exercise, we get the same value.

There is other cool stuff we can do, like splitting the disk image file into several parts:

dcfldd if=/dev/sdc hash=md5,sha256 md5log=md5.log split=64M splitformat=000 sha256log=sha.log of=evidence_3.img

As we can see, this gives us 4 parts of the 256 MB disk image.

This approach can help while imaging a large evidence disk. The smaller parts of the image can then be sent over the internet or carried on a relatively small portable storage device.

If we choose that option, the analyst needs to know how to put the split parts back together. Let's use the following command:

cat evidence_3.img.0* > evidence4.img

As we can see, the checksum is still the same 😎
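The reassembly and checksum comparison above, written out as a small script so the analyst can verify a joined image against the hash log dcfldd wrote at acquisition time. This is an added example, not from the original post; it assumes coreutils (cat, md5sum, sha256sum, split, head, dd), that the log line carries the digest as a hex string, and all file names are assumed. Instead of a real drive, it builds a constructed sample "disk" so it can run offline.

```sh
#!/bin/sh
# Added example (not from the original post): reassemble the numbered parts
# with cat, as the post does, then verify the joined image against the digest
# dcfldd logged at acquisition time. Assumes coreutils (cat, md5sum, sha256sum,
# split, head, dd) and that the log line carries the digest as a hex string;
# all file names are assumed and the sample "disk" below is constructed.
set -eu

# Join <prefix>.000, <prefix>.001, ... into one image. A zero-padded numeric
# suffix (splitformat=000) sorts lexically, so the glob yields the right order.
reassemble_image() {
    cat "$1".[0-9][0-9][0-9] > "$2"
}

# Compare an image's digest with the one recorded in a dcfldd hash log.
# $3 is md5 or sha256. Returns 0 on match, 1 on mismatch, 2 on bad algorithm.
verify_image() {
    img=$1; log=$2
    case $3 in
        md5)    hexlen=32; tool=md5sum ;;
        sha256) hexlen=64; tool=sha256sum ;;
        *)      echo "unknown algorithm: $3" >&2; return 2 ;;
    esac
    logged=$(grep -oi "[0-9a-f]\{$hexlen\}" "$log" | tail -n 1 | tr 'A-F' 'a-f')
    actual=$($tool "$img" | cut -d' ' -f1)
    if [ -n "$logged" ] && [ "$logged" = "$actual" ]; then return 0; fi
    return 1
}

# Constructed stand-in for an acquisition: a 1 MiB "disk" split into 256 KiB
# parts, with logs shaped like those written by md5log=/sha256log=.
run_demo() {
    w=$(mktemp -d)
    yes "constructed disk sector data" | head -c 1048576 > "$w/disk.bin"
    split -b 262144 -d -a 3 "$w/disk.bin" "$w/evidence.img."
    printf 'Total (md5): %s\n' "$(md5sum "$w/disk.bin" | cut -d' ' -f1)" > "$w/md5.log"
    printf 'Total (sha256): %s\n' "$(sha256sum "$w/disk.bin" | cut -d' ' -f1)" > "$w/sha.log"
    reassemble_image "$w/evidence.img" "$w/joined.img"
    verify_image "$w/joined.img" "$w/md5.log" md5 || return 1
    verify_image "$w/joined.img" "$w/sha.log" sha256 || return 1

    # Flip one byte in one part: the joined image must now fail the check.
    printf 'X' | dd of="$w/evidence.img.002" bs=1 seek=100 conv=notrunc 2>/dev/null
    reassemble_image "$w/evidence.img" "$w/tampered.img"
    if verify_image "$w/tampered.img" "$w/md5.log" md5; then return 1; fi
    rm -rf "$w"
    echo "parts reassembled, hashes verified, single-byte corruption detected"
}
run_demo
```

Comparing against the log written during imaging, rather than re-hashing the joined file on its own, is what ties the reassembled copy back to the original evidence.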
