Digital Forensics

Digital Forensics, Part 1: Capturing a Forensically Sound Image

Digital Forensics, Part 1: Capturing a Forensically Sound Image

Digital forensics is rapidly growing field of information security. The hacker needs to understand what evidence can be recovered and the security engineer needs to know how to find it.

These skills are applicable to law enforcement, corporate investigations, network intrusions, malware analysis and incident response, among many others. No matter what area of information security your are in or hope to join, skills in this field will prove invaluable, so let’s get started.

Introduction

Before any forensic investigation or analysis can begin, a forensically sound image must be captured of the data storage device. These forensically sound images must be a bit-by-bit, physical copy of the device. Without such a copy, any evidence will likely be inadmissible in a court of law.

There are multiple ways to capture forensic image of a storage device. We will look a few of the most popular methods here.

 

Using Linux/UNIX dd command

The Linux dd command is built into nearly distribution of Linux. It simply copies a storage device bit-by-bit from a input or source file (if) to an output or destination file (of). We can use it here with our Kali, or for that matter any Linux distribution, to do this.

First, we need to find out how our USB flash drive is represented in the Linux operating system. We can do this by typing;

kali > fdisk -l

Our flash drive is represented as /dev/sdb1 in Linux. Since the 1 at the end represents the partition number and we want to capture the entire device, we can represent the flash drive as simply /dev/sdb.

To then capture the flash drive entirely, we simply need to invoke the dd command followed by the input file if=/dev/sdb and then the output file. This can be anything we want to name our output file. Here I will name it usbimage.dd.

kali > dd if=/dev/sdb of= usbimage.dd

After hitting enter, the dd command will begin to copy, bit-by-bit, the data from the USB drive to the file we designated usbimage.dd. If we want to check to see whether anything is actually happening, we can open another terminal window and type ls -l.

6a4a49 24d0572da5e147eca59874cccd02b0d2~mv2

As we can see in the screenshot above, dd has begun the process of creating my forensically sound image.

dd represents the most basic of all image capture techniques and creates the foundation used in many other methods

Using dcfldd

A few years back, the Department of Defense Computer Forensics Lab (dcfl) developed of an open source version of dd specifically designed for creating forensic images. While the dd command is a generic command for copying storage devices, this command has options tailored for creating forensic images, but at its heart, it is still dd.

dcfldd has the capabilities to;

(1) hash the image on the fly
(2) a progress bar
(3) wiping disks
(4) verification that the new image is identical to the original
(5) simultaneous output to multiple files or disks
(6) logs and output can be piped to external applications

Like dd, dcfldd can ONLY produce raw images.

To create a forensically sound image of our USB flash drive, we can use dcfldd similarly to dd, but we have more options. So for instance, if we wanted to create a MD5 hash of the image (a good idea), we can type;

kali > dcfldd if=/dev/sdb of= usbimage2.dd hash=md5 hashlog=usbimage.log

6a4a49 2808792cb05443beb6856d547f7dbcc1~mv2
Notice that dcfldd shows us the status of your imaging process, unlike dd.
6a4a49 31c980b173954439aa5cc0b0d401ba12~mv2
When dcfldd has completed its imaging, it responds by telling how many blocks were written and how many blocks went in and how many blocks out.

Once the capture is complete, we can then check to see whether the images and log have been completed by typed ls -l.

kali > ls -l

6a4a49 eb33981ee4fd49be9a733c29968a4180~mv2
As we can see, dcfldd created the image and also created the image log. Inside the image log should be the MD5 hash of the image. To see it, simply type;

kali > more usbimage.log

6a4a49 94fc747392fe40e1bea1c7f3444d35ae~mv2
dcfldd is an excellent, if rudimentary, tool for creating forensically sound device images. Very few frills and no GUI, but fast and straightforward.
FTK Imager

The software developer, Access Data, sells a forensic suite known as the Forensic Tool Kit or FTK. As part of that suite of tools they have developed a tool known as the FTK Imager. This tool is designed specifically to create forensically sound images with a easy to use GUI. They have long provided this tool for free and as a result it has become the tool of choice in many forensic environments for creating forensically sound images.

You can download the FTK Imager at https://www.exterro.com/

After installing and executing FTK Imager, you will be greeted with a familiar interface like that below.

6a4a49 63d0ddc9a058490c86fc42d2ec42cf40~mv2

Note that like many Windows applications, it has the familiar top-line pull-down menus starting with “File”.

Click on “File” and go to “Create Disk Image”.

6a4a49 687e85fbbf6d4c079c03dd2f4eb29346~mv2

When you do, a window like the one below will open. Select “Physical Drive”.

6a4a49 b596966c251841d3aa0cfb170021c933~mv2

This will open another window asking you to select the source drive location. Here, I have selected “General USB Flash Disk”. Yours may be slightly different.

6a4a49 1cfa8724abb64c45bac0133fbf7999bd~mv2

Click “Finish” after selecting the device.

Next, you will prompted to enter the “Image Destination”. Click “Add” . Note also that I have indicated in the lower left corner that I want the images verified after they are created.

6a4a49 a9469493e47d4dc59a64282e78f39f84~mv2

You should then be prompted for the type of image you would like to create. Select a “Raw” or dd image.

6a4a49 69c273ec88494334b3a470d3daf4ae57~mv2

After we have entered all that information about our image creation, FTK Imager will prompt us to create a case. The case creation process requires;

(1) a case number

(2) evidence number

(3) a unique description

(4) the examiners name
(5) notes
6a4a49 8b50b0fba3944d68848c1622bf8c4934~mv2

Fill in this form appropriately and hit “Next”. We will next be prompted for the image destination. Here, I have created a folder specifically for forensic images named unimaginatively, c:\forensic images. I have also named the image file, “firstimage.dd“.

6a4a49 bcd673c82a6044dab79cdd2a817822ac~mv2

Now, click “Finish”. You will now be returned to the “Create Image” window. Click “Start”.

6a4a49 fe780e15a3584de3a938e721a0e81af8~mv2

FTK Imager will now begin the time consuming process of copying the device, bit-by-bit to the file you have designated.

6a4a49 3955615d69ae4952a8115e83e0115470~mv2

When it has successfully completed, you will see it stop and in the status window you will see “Image created successfully”. It will then begin to try to verify that that the newly created image is identical to the original. This can take awhile, so be patient.

6a4a49 df7cbbc299cf41048da75f59432eecd2~mv2

Finally, when the image verification is complete, click on “Image Summary” and it will open a window of summary statistics on the image including the all important hashes like that below.

6a4a49 c27b7df4f14942f0bc3aad15ad1d8fa4~mv2

Success! We have created a forensically sound image of our USB device, verified that it identical to the original and generated both a MD5 hash and a SHA1 hash.

 

Conclusion

In this tutorial, we have created a forensically sound image using the three (3) most popular methods. This is usually the first step in any investigation and is critical to the overall success of the investigation. Without a good image, any further work invested in the investigation may be for naught.