{"id":809,"date":"2020-09-29T23:02:00","date_gmt":"2020-09-29T22:02:00","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=809"},"modified":"2020-09-29T23:02:00","modified_gmt":"2020-09-29T22:02:00","slug":"disk-forensics-p5","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=809","title":{"rendered":"Disk Forensics P5"},"content":{"rendered":"
\n

Image acquisition involves making a copy (or several copies) of the seized hard disk which can be then used to forensics analysis. This allows the investigators to analyze this image while ensuring the integrity and present condition of the real evidence disk.<\/p>\n

In this lab, the evidence hard disk is mounted on \u2018\/dev\/sdc\u2019. The dd tools<\/b><\/a>\u00a0are installed on the lab machine.<\/p>\n

Objective:<\/b>Create a disk image for evidence hard disk using dd tools.<\/p>\n<\/blockquote>\n

Our target disk where we need to do a copy for forensic analysis is mounted on \/dev\/sdc<\/strong>. Let’s check that first.<\/p>\n

df -h<\/code><\/p>\n

\"\"<\/a><\/p>\n

It seems that our disk is allready mounted, but is it useful to create a disk image when the disk is mounted?<\/p>\n

\n

When you’re reading\/writing to a file on a partition, it should be mounted (obviously, in order to access the file).
\nWhen you’re reading\/writing to a raw disk, it should be unmounted to prevent corruption or inconsistency.<\/p>\n<\/blockquote>\n

So for preventing any failures it’s better to unmount the disk first!<\/p>\n

umount \/mnt\/evidence<\/code><\/p>\n

\"\"<\/a><\/p>\n

So now I’ll use the dd utility to create the image file<\/p>\n

dd if=dev\/sdc of=evidence.img<\/code><\/p>\n

\"\"<\/a><\/p>\n

To finalize this task I’ll create a MD5 Checksum of that evidence.img file<\/p>\n

\"\"<\/a><\/p>\n

\n","protected":false},"excerpt":{"rendered":"

Image acquisition involves making a copy (or several copies) of the seized hard disk which can be then used to forensics analysis. This allows the […]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":820,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,16],"tags":[],"class_list":["post-809","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-forensic","category-linux"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/809","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=809"}],"version-history":[{"count":6,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/809\/revisions"}],"predecessor-version":[{"id":821,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/809\/revisions\/821"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/820"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=809"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=809"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=809"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}