Introduction
Numerous graphical tools, such as FTK Imager, can be used to create disk images for later analysis. The same process can be replicated from the command line, and the task is not as daunting as it may sound.
What is a forensic image?
To create an image, we must first understand what a forensic image is. Put simply, it is a copy of a storage device, such as a hard drive, solid-state drive or even a USB stick. Numerous formats are available to a forensic analyst, but the most prevalent are a raw bit-for-bit copy of the drive (the dd or raw format) and an image with the .E01 extension (the Expert Witness format).
The image must be an exact copy of the target drive. This is verified by computing a cryptographic hash (MD5 or, preferably, SHA-256) of both the target drive and the forensic image and comparing the two. The forensic analyst will then start to analyse the image and report his/her findings. It is good forensic practice to create multiple copies of the image and work on those copies; this reduces the likelihood of having to access the suspect drive again, and thus the risk of modifying any data. For the same reason the suspect drive should be attached through a hardware write blocker where one is available, and in any case never mounted read-write.
Creating a forensic image
In order to create a forensic image, we will be using the dd tool, which is part of GNU coreutils on Linux. In its simplest form, it takes a source device and writes a bit-for-bit copy to a destination. This is accomplished with two parameters: the input file, if=, and the output file, of=. Running lsblk on our system, we can see the block devices attached to it.
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 223.6G 0 disk
├─sda1 8:1 0 484M 0 part /boot
├─sda2 8:2 0 36.8G 0 part /
└─sda3 8:3 0 186.3G 0 part /home
sdb 8:16 0 111.8G 0 disk
├─sdb1 8:17 0 100M 0 part
├─sdb2 8:18 0 16M 0 part
├─sdb3 8:19 0 111.2G 0 part
└─sdb4 8:20 0 517M 0 part
sdc 8:32 0 1.8T 0 disk
├─sdc1 8:33 0 16M 0 part
└─sdc2 8:34 0 1.8T 0 part
This is sample output from that command. Here we can see three drives, each named sd followed by a letter (sda, sdb, sdc), and beneath each one its partitions (sda1, sda2 and so on). The MOUNTPOINTS column shows which partitions are in use by the running system.
Let's say we wanted to take an image of the entire sda disk. How does one do that? Using the dd command, quite simply. First, we invoke dd and provide the drive to image, in this case /dev/sda, as the input file. Secondly, we provide a destination and a name for the image as the output file, for example /home/forensics/test.img. Lastly, we can provide additional options through the conv= parameter. Two are useful here: noerror tells dd to carry on after a read error instead of stopping, and sync pads the block that failed (or came up short) with NUL bytes, so every later byte of the image stays at the same offset as on the drive. A third option, notrunc, stops dd truncating an existing output file before writing; it is not needed when writing a new image. The full command would look like this:
dd if=/dev/sda of=/home/forensics/test.img conv=noerror,sync
Pretty simple, right? A few points before running it on real evidence. The command reads the raw device, so it needs root. The source drive must not be mounted; in the listing above sda is the running system, so it serves only to illustrate the syntax, and a real acquisition would be of a drive attached through a write blocker. Adding bs=4M speeds the copy up considerably over the 512-byte default, but conv=sync pads the final partial block to the full block size, so a drive whose size is not a multiple of bs produces a slightly larger image whose hash no longer matches the drive; bs=512 avoids that. GNU dd also accepts status=progress to show how far the copy has got. Once it finishes, hash both the drive and the image, for example with sha256sum, and record the values.
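The acquire-then-verify procedure above, as an added example that is not part of the original article. It wraps the dd command in a shell function, refuses to overwrite an existing image, hashes source and image with sha256sum (falling back to shasum) and writes both hashes beside the image. The device and image paths are placeholders; the function works just as well on an ordinary file standing in for a drive, which is how the final comment exercises the padding caveat.

```shell
#!/bin/sh
# Added example: image a device (or file) with dd and verify the copy by
# comparing SHA-256 hashes of source and image. Assumes coreutils dd and
# sha256sum (or Perl shasum); /dev/sda and /home/forensics/test.img are
# placeholders, not taken from the article's system.

# sha256_of PATH: print the SHA-256 hex digest of PATH.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_device SOURCE IMAGE [BS]
# Copies SOURCE to IMAGE with conv=noerror,sync so that a read error is
# skipped and the bad block is replaced by NULs instead of shifting every
# later byte. Returns 0 when the image hash matches the source hash,
# 1 on a mismatch, 2 when the copy could not be made at all.
image_device() {
    src=$1
    img=$2
    bs=${3:-512}

    # Evidence handling should never silently clobber an earlier acquisition.
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image: $img" >&2
        return 2
    fi

    dd if="$src" of="$img" bs="$bs" conv=noerror,sync || return 2

    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    # Record both hashes next to the image for the chain-of-custody notes.
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$img" > "$img.sha256"

    if [ "$src_hash" = "$img_hash" ]; then
        echo "OK   $img_hash"
        return 0
    fi
    # conv=sync pads the final partial block to BS with NULs, so a source
    # whose size is not a multiple of BS yields a larger image and a
    # different hash. bs=512 sidesteps this for any real disk.
    echo "MISMATCH source=$src_hash image=$img_hash" >&2
    return 1
}

# Real use (as root, with the suspect disk NOT mounted):
#   image_device /dev/sda /home/forensics/test.img 512
# Dry run on a 1000-byte file with bs=512: the image comes out 1024 bytes
# long and image_device returns 1, which is the padding caveat in action.
if [ "$#" -ge 2 ]; then
    image_device "$@"
fi
```

The return codes let a larger acquisition script stop on a mismatch rather than carry on with an image that does not match the drive. On GNU dd you can add status=progress to the dd line to watch the copy; it is omitted here because busybox and BSD dd do not accept it.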
Count and skip
dd has a number of parameters, but two which may come in handy are count and skip. The count switch indicates how many blocks are copied from the input drive or image, whereas skip indicates the number of blocks to be skipped on the input before copying starts. Both are measured in units of the block size set with bs=, which defaults to 512 bytes, the traditional sector size, so the values line up with the sector numbers that fdisk -l reports for partitions. (The related seek= parameter skips blocks on the output side instead.) Here's a simple example:
dd if=/dev/sda of=img.dd bs=512 skip=2000 count=1000
This copies 1000 sectors starting at sector 2000, that is 512,000 bytes beginning at byte offset 1,024,000, into img.dd. If count runs past the end of the input, dd simply stops at the end and reports fewer records than were asked for.
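Using skip and count to carve a partition or a single sector out of an image, as an added example that is not from the original article. The helper functions take the sector unit for granted; the toy disk they are tried on is constructed here purely for the demonstration, so its "partition" is just a run of 'A' bytes at a known sector offset.

```shell
#!/bin/sh
# Added example: copy a block range out of a disk or image with dd's skip
# and count. Both are counted in units of bs (512 bytes unless told
# otherwise), which matches the Start and Sectors columns that
# `fdisk -l image.dd` prints for each partition. Assumes coreutils dd/tr.

# carve_blocks SOURCE DEST SKIP COUNT [BS]
# Skips SKIP blocks of SOURCE, then copies COUNT blocks into DEST.
# dd's record summary is discarded so callers only see the exit status.
carve_blocks() {
    src=$1 dst=$2 skip=$3 count=$4 bs=${5:-512}
    dd if="$src" of="$dst" bs="$bs" skip="$skip" count="$count" 2>/dev/null
}

# extract_partition SOURCE DEST START_SECTOR SECTOR_COUNT
# Same thing in the 512-byte sector unit used by partition tables.
extract_partition() {
    carve_blocks "$1" "$2" "$3" "$4" 512
}

# first_sector SOURCE DEST: sector 0, where the MBR (or GPT's protective
# MBR) lives.
first_sector() {
    carve_blocks "$1" "$2" 0 1 512
}

# build_toy_disk DEST: a constructed 8-sector "disk" for trying the above:
# 4 sectors of zeros, a 2-sector region filled with 'A', 2 more zero sectors.
build_toy_disk() {
    out=$1
    dd if=/dev/zero bs=512 count=4 2>/dev/null > "$out"
    head -c 1024 /dev/zero | tr '\000' 'A' >> "$out"
    dd if=/dev/zero bs=512 count=2 2>/dev/null >> "$out"
}

# Typical use on a real image, taking the numbers from `fdisk -l test.img`:
#   extract_partition test.img sda1.dd 2048 1021952
# Asking for more blocks than remain is harmless: dd stops at end of input.
if [ "$#" -eq 4 ]; then
    extract_partition "$@"
fi
```

Extracting a partition this way gives a file that tools expecting a file-system image (mount -o ro,loop, fsstat, and the like) can work on directly, without the partition table in front of it.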
Disk sanitisation
So, we've learned how to create a disk image, but how may one destroy existing data on a storage medium such as a hard drive? We must first understand that when a file is deleted, although to the user it seems to have vanished into the abyss, this is not the case. Only the file system's reference to the file (its directory entry and block allocation) is removed; the contents remain on disk until something overwrites them, and so they are recoverable.
To make files truly irrecoverable, we must overwrite the space on the storage device where the data was. Leaving this to the operating system is not practical: it decides where to place new data, and it may not overwrite the contents of a deleted file for a long time. Sometimes parts of a file's contents are overwritten but not all of it, so fragments can still be carved from the drive and recovered.
There are, however, some Linux utilities which can overwrite this data and make retrieval much more difficult. One is shred, which overwrites a file or device and by default makes three passes. However, we shall focus on dd. We can use /dev/zero, a pseudo-device that returns an endless stream of zero bytes when read, as our input file and overwrite /dev/sda with it. Here's the command:
dd if=/dev/zero of=/dev/sda
To summarise, we are reading zeros and writing them to the target drive. Because /dev/zero never runs out, dd only stops when the drive is full and reports "No space left on device"; that message is the expected end of a complete wipe, not a failure. As with imaging, the target must be unmounted and the command run as root, and a bs= of a few megabytes makes it far faster; /dev/urandom can be used instead of /dev/zero for a random-data pass. Two caveats. First, this overwrites the whole drive, including the running system if you point it at the wrong device, so double-check the device name with lsblk before pressing enter. Second, on an SSD the drive's wear levelling and spare area mean a dd overwrite does not reach every physical cell, so for flash media the drive's own secure-erase command (ATA Secure Erase, or NVMe format) is the reliable option. Afterwards, read the drive back and confirm that every byte is zero.
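The wipe with its safety check and read-back verification, as an added example that is not part of the original article. It refuses to write to anything that appears mounted, zero-fills the target while keeping its size (so it can be tried on an ordinary file instead of a real drive), and then verifies that nothing but zeros reads back. blockdev is assumed to be available for real block devices (util-linux on Linux); the mount check is a prefix match on mount's output and is a heuristic, not a guarantee.

```shell
#!/bin/sh
# Added example: zero-fill a target with dd, refuse to touch anything that
# is mounted, then verify every byte reads back as zero. Works on a block
# device (as root) or on a regular file standing in for a drive.
# Assumes coreutils dd/head/tr/wc and, for devices, util-linux blockdev.

# size_of TARGET: size in bytes of a block device or regular file.
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1"
    fi
}

# is_mounted TARGET: true if a mounted device path starts with TARGET,
# which catches both /dev/sda itself and partitions such as /dev/sda1.
# Heuristic: it trusts the first column of `mount` output.
is_mounted() {
    mount 2>/dev/null | awk -v t="$1" 'index($1, t) == 1 { found = 1 } END { exit !found }'
}

# wipe_target TARGET: overwrite TARGET with zeros without changing its size.
wipe_target() {
    t=$1
    if is_mounted "$t"; then
        echo "refusing to wipe $t: it (or a partition on it) is mounted" >&2
        return 2
    fi
    size=$(( $(size_of "$t") ))
    blocks=$(( size / 512 ))
    rest=$(( size % 512 ))
    # count= is what stops dd here, since /dev/zero never runs out; without
    # it a file target would grow until the disk filled, and a device would
    # end with the expected "No space left on device". conv=notrunc keeps a
    # file at its original length and is a no-op on a device.
    dd if=/dev/zero of="$t" bs=512 count="$blocks" conv=notrunc 2>/dev/null || return 1
    if [ "$rest" -gt 0 ]; then
        # Last partial block (only ever happens for a file, never a disk).
        dd if=/dev/zero of="$t" bs=1 count="$rest" seek=$(( blocks * 512 )) conv=notrunc 2>/dev/null || return 1
    fi
    sync
}

# verify_zeroed TARGET: 0 if no non-zero byte remains, 1 otherwise.
verify_zeroed() {
    t=$1
    nonzero=$(( $(head -c $(( $(size_of "$t") )) "$t" | tr -d '\000' | wc -c) ))
    [ "$nonzero" -eq 0 ]
}

# Real use (as root, after checking the name with lsblk):
#   wipe_target /dev/sdc && verify_zeroed /dev/sdc && echo "wiped"
if [ "$#" -eq 1 ]; then
    wipe_target "$1" && verify_zeroed "$1" && echo "wiped: $1"
fi
```

bs=512 keeps the arithmetic exact; on a real drive a larger block size, say bs=4M with count adjusted to match, is much faster and the verification step is unchanged. Swap /dev/zero for /dev/urandom in the first dd line for a random pass, remembering that verify_zeroed then no longer applies.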
Conclusion
You should now know the basic functionality of the dd command and how it can be utilised in various ways: to create forensic images, to copy selected ranges of blocks out of a drive or image, and even to wipe storage drives.