Lets take some time to learn about some accepted practices in computer forensics.
The question that I'm aiming to answer here is what are the most basic steps of a forensics examination and how do we accomplish or complete these steps successfully? Computer forensics is really quite simple. There are only three (on a most basic level) steps that must be completed: acquisition, analysis, and reporting. Each of these steps present its own challenges.
Acquisition is (usually) the first step. I don't want to get into all the variables here because I don't want to waste time. Acquisition is the process of making a copy of the suspect hard drive. That doesn't mean just copying the files from one place to another. We want more than that (if possible). We want the hidden files and we want the the data that isn't allocated or assigned to a file (unallocated space is the part of the hard drive that isn't taken up by a file). There is also slack space but I will cover that in a later post. The key to a good acquisition is getting all the data without altering the data.
It's important to not alter the data because if the data is altered then you may actually damage important information. The use of a write block device is widely accepted in computer forensics.
These devices can allow you to access the drive and create an image of the device without writing any data to the suspect drive. These tools make the acquisition process very easy but at a price. These devices are very expensive and are generally used by the professional industry. For those of us who don't have a few thousand dollars lying around there is the more classic method. Linux (and yes even mac and windows) is capable of mounting a partition as READ ONLY. We will discuss that at a later time just be aware of the importance of mounting as read only.
There are a few programs for acquiring a disk image (a duplicate of a hard drive). In the Linux environment you can use the ewfaquire command (part of the libewf package) to create a disk image. To use this tool you must download and install the libewf package from the link above. Once you downloaded the tar.gz follow the directions here to install the package. The command for creating an image will look something like this:
# ewfacquire /dev/sda
Notice the # indicating root access. Then simply the location of the device you wish to acquire. Then you will be asked a series of questions including where you would like the output file and what type of output you would like (dd=data dump and ewf or E01 = Expert Witness Format).
Working with ewfacquire can be complicated but it is capable of create E01 and Ex01 image files with compression. A better example of creating a forensic image using ewfacquire can be seen below:
sudo ewfacquire -C Demo002 -d sha1 -D Demo002_ITEM-001 -e *** -E ITEM_001 -t ITEM_001 -v -w /dev/sdc
Bus type: USB
Model: USB Flash Drive
Storage media information:
Media type: Removable
Media size: 15 GB (15703474176 bytes)
Bytes per sector: 512
Acquiry parameters required, please provide the necessary input
Media type (fixed, removable, optical, memory) [removable]:
Media characteristics (logical, physical) [logical]: physical
Use EWF file format (ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, linen5, linen6, ewfx) [encase6]:
Compression method (deflate) [deflate]:
Compression level (none, empty-block, fast, best) [none]: best
Start to acquire at offset (0 <= value <= 15703474176) :
The number of bytes to acquire (0 <= value <= 15703474176) :
Evidence segment file size in bytes (1.0 MiB <= value <= 7.9 EiB) [1.4 GiB]:
The number of bytes per sector (1 <= value <= 4294967295) :
The number of sectors to read at once (16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768) :
The number of sectors to be used as error granularity (1 <= value <= 64) :
The number of retries when a read error occurs (0 <= value <= 255) :
The following acquiry parameters were provided:
Image path and filename: ITEM_001.E01
Case number: Demo002
Evidence number: ITEM_001
Examiner name: ***
Media type: removable disk
Is physical: yes
EWF file format: EnCase 6 (.E01)
Compression method: deflate
Compression level: best
Acquiry start offset: 0
Number of bytes to acquire: 14 GiB (15703474176 bytes)
Evidence segment file size: 1.4 GiB (1572864000 bytes)
Bytes per sector: 512
Block size: 64 sectors
Error granularity: 64 sectors
Retries on read error: 2
Zero sectors on read error: yes
Continue acquiry with these values (yes, no) [yes]:
Acquiry started at: Wed Mar 9 10:36:53 2016
This could take a while.
Status: at 0%.
acquired 32 KiB (32768 bytes) of total 14 GiB (15703474176 bytes).
Status: at 1%.
acquired 149 MiB (157057024 bytes) of total 14 GiB (15703474176 bytes).
completion in 51 minute(s) and 9 second(s) with 4.8 MiB/s (5065636 bytes/second).
[REDACTED Percentage and Time Information here]
Status: at 100%.
acquired 14 GiB (15703474176 bytes) of total 14 GiB (15703474176 bytes).
completion in 0 second(s) with 5.9 MiB/s (6175176 bytes/second).
Acquiry completed at: Wed Mar 9 11:19:16 2016
Written: 14 GiB (15703475648 bytes) in 42 minute(s) and 23 second(s) with 5.9 MiB/s (6175177 bytes/second).
MD5 hash calculated over data: 79187ed64a07494d9adc0066b493396b
SHA1 hash calculated over data: 39827c8401dfc2bd526fe38aee5e18d85c72dbfc
For those of you who prefer a graphical interface there is the guymager tool. For those of you who use Debian or Ubuntu this package can be obtained simply with a sudo apt-get install guymager. Then launched with a sudo guymager.
Just select the device you want to image, right click, and select Acquire. Then follow the instructions on the screen.
For all you windows users try FTK Imager or EnCase Imager. Both tools are free and pretty simple to use.
Analysis and Reporting will come at a later time as I continue to learn the open source tools.