{"id":831,"date":"2020-09-30T12:40:09","date_gmt":"2020-09-30T11:40:09","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=831"},"modified":"2020-09-30T12:40:09","modified_gmt":"2020-09-30T11:40:09","slug":"disk-forensics-p7","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=831","title":{"rendered":"Disk Forensics P7"},"content":{"rendered":"
\n

Image acquisition involves making a copy (or several copies) of the seized hard disk which can be then used to forensics analysis. This allows the investigators to analyze this image while ensuring the integrity and present condition of the real evidence disk.<\/p>\n

In this lab, the evidence hard disk is mounted on \u2018\/dev\/sdc\u2019. The ewf-tools<\/b><\/a>\u00a0are installed on the lab machine. The tool uses the Expert Witness Compression Format (EWF).<\/p>\n

Objective:<\/b>\u00a0Create a disk image for evidence hard disk using ewf-tools tools.<\/p>\n<\/blockquote>\n

First I’ll check if the disk is mounted on the filesystem<\/p>\n

\"\"<\/a><\/p>\n

To prevent any failures during disk imaging, let’s unmount the disk first<\/p>\n

umount \/dev\/sdc<\/code><\/p>\n

\"\"<\/a><\/p>\n

Everything is prepared now to use ewfacquire to create a disk image<\/p>\n

ewfacquire \/dev\/sdc<\/code><\/p>\n

\"\"<\/a><\/p>\n

Further you can enter some more informations like Case Number, Description or Examiner name..<\/p>\n

For all the other options I’ll leave the default values:<\/p>\n

\"\"<\/a><\/p>\n

Let’s start the process:<\/p>\n

\"\"<\/a><\/p>\n

To verify the disk image we can use the following command:<\/p>\n

ewfinfo evidence.E01<\/code><\/p>\n

\"\"<\/a><\/p>\n

\n

\n","protected":false},"excerpt":{"rendered":"

Image acquisition involves making a copy (or several copies) of the seized hard disk which can be then used to forensics analysis. This allows the […]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":832,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,16],"tags":[],"class_list":["post-831","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-forensic","category-linux"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/831","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=831"}],"version-history":[{"count":3,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/831\/revisions"}],"predecessor-version":[{"id":841,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/831\/revisions\/841"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/832"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=831"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=831"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}