Capturing forensics image

Data acquisition for forensics investigationUser guide

By Chris Harrington

Linux or Windows OS Hard drive larger than the one being

captured◦ Hard drive must be forensically wiped so no old

data can be found from previous cases Windows Applications

◦ FTK Imager Linux Applications

◦ dd

Note: There are other capturing tools available

Requirements

Conduct a forensic wipe on the external drive before capturing

In Windows OS many tools exist FreeShred Shred Etc…

In Linux dd is used to write 0’s to all sectors◦ Command:dd if=/dev/zero of=/dev/sdX bs=4K conv=noerror,sync

Forensic wipe

Run FTK Imager and create a disk image

Windows capture

Check that Physical Drive is selected for source and the correct physical drive

Click Add in Create Image window

Creating the image

Raw dd format is accepted by so many tools for further processing. Enter evidence information and saving location.

Image fragment size will split the image file into smaller sizes

Finalizing creation

It can take time for the image to finish writing depending on the size of the disk

A log file is produced with md5 & sha1 checksums and other drive details

Notes

Start up the suspect’s computer and boot up with a Linux live CD. The live CD should avoid writing to local drives. Many options available:◦ Knoppix◦ Kali◦ Deft◦ Etc…

Linux capture

Start capturing Open a terminal Command:dd if=/dev/sdX of=yourimage.img bs=512

If drive is unknown, fdisk –l command will show connected devices

Create checksum hash

Multiple OS available to capture images for different scenarios

Toolkits Backup toolkits Document every move taken Avoid changes to suspect’s data Is a forensic capture really necessary for

this scenario?

Notes

My contact details

C.k.harrington@gmail.com

Questions?