Forensic Guide: Forensic Acquisition (FTK Imager, DC3DD, DCFLDD, Guymager, ewfacquire) — II

CaptX, published in Hacktoria, Jun 25, 2024

Now we have come to the part where we acquire forensic images from a suspect device. A forensic image is nothing but a bit-by-bit copy of a device such as an HDD, SSD, RAM, etc. We are going to use multiple tools for this purpose; which tool you choose depends on the examiner and on the workstation being used. We are going to explore FTK Imager, dc3dd, dcfldd, Guymager, and ewfacquire.

Forensic Acquisition using FTK Imager :-

This is the default look of FTK Imager. To create an image, click on the File option in the top left corner.

View of FTK Imager
Click on “Create Disk Image”

A small dropdown menu with several options will appear. Click on “Create Disk Image”.

There are various options for choosing the source evidence type:

1. Physical drive: the whole HDD or SSD is imaged bit by bit.

2. Logical drive: a partition created inside an HDD or SSD. Use this to acquire the image of one particular partition.

3. Image file: used to create an image from an existing image file on the storage media.

4. Contents of a folder: images the contents of a selected folder.

5. Fernico device (multiple CD/DVD): the last option, which is not widely used. It captures data that was split across multiple CDs/DVDs into a single image.

We have selected Physical Drive because we are imaging a pen drive, and in this screenshot the pen drive is selected as the source.

Now click on the Add option.

Verify images after they are created — after the image is created, it is re-read and verified, so the process takes roughly double the time.

Pre-Calculate Progress Statistics — it will create a text file in which a lot of information is stored, such as the acquisition start time, end time, file type, etc.

Create a directory listing of all files in the image after they are created — it will create another text file listing all the files and folders.

Raw (dd) — dd stands for disk dump; the output is raw data with no container format.

Smart — not widely used in corporate forensics.

E01 — the EnCase evidence file format. In most cases we select E01, as it is widely supported.

AFF — also not widely used.

We select E01 and click Next.

Here we can add various details about ourselves and the case, such as the case number, evidence number, examiner name, etc.

Now it asks for the image destination. Give the file name without an extension, since we have already chosen E01 as the file type. Keep in mind that when acquiring an image of storage media of 1 TB or more, we should split it into 3–4 fragments. Compression: if we select compression level 1, the image is created quickly but is not compressed; an 8 GB pen drive will produce an image of the same size. AD encryption protects the forensic image with a password, but remember that when the image is handed over to another analyst, it will ask for that password.

Acquisition with DC3DD AND DCFLDD :-

Two popular dd derivatives, dcfldd and dc3dd, were independently developed specifically for use in a forensic context. Because dcfldd and dc3dd originate from GNU dd, they use a similar command syntax. Neither tool has built-in support for writing to forensic formats (FTK, EnCase, AFF), compression, or image encryption, but you can achieve these functions through command piping, which I’ll demonstrate in subsequent sections. The following example uses dcfldd to image a disk, ensuring that blocks containing unreadable sectors are padded and don’t cause an abort:

# dcfldd if=/dev/sde of=image.raw conv=noerror,sync errlog=error.log

# dc3dd if=/dev/sde of=image.raw log=error.log

Errors are written to a separate error log file. The dcfldd tool does not use conv=noerror,sync by default; you must add it manually.

Here if= specifies the input file, which in this case is a raw disk device attached to the acquisition system. The of= parameter is the output file, a normal file that receives the raw data copied from the disk device. On completion, dd reports how many bytes were transferred. Divide the number of bytes transferred by the sector size; the result should exactly match the number of sectors identified when you attached the device.

There can be challenges when using dd to forensically image a disk. If read errors occur in the middle of an acquisition, dd will abort with an “Input/output error.” Address this by adding conv=noerror, which forces dd to skip over the unreadable block and continue. The problem with skipping unreadable blocks is that the sector offset in the destination file changes for every filesystem block on the rest of the disk, so the remainder of the filesystem appears corrupted.

To illustrate, consider the pages of a book. Suppose page 99 is ripped out. If the table of contents points to a chapter starting at page 200, it is still possible to find it: the book’s page numbers are intact even with the missing page. This is not the case when sector 99 is ripped out of a disk image (due to a read error). The rest of the sectors are renumbered, and the filesystem’s “table of contents” will point to the wrong blocks after sector 99.

The sync parameter corrects this by padding the unreadable output block with zeros, essentially creating a “fake” sector or block (full of zeros) to stand in for the missing one. The rest of the disk image then has the correct sector numbers (offsets) expected by the filesystem it contains. Using the previous example, but this time with protection from unreadable blocks (skipping and padding them with zeros), gives this result:
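The sector-offset problem and the effect of conv=noerror,sync can be reproduced without a faulty disk. The Python simulation below is an added example, not part of the original post and not code from dd, dcfldd, or dc3dd: build_device, read_sector, acquire, the bad-sector set and the hypothetical “table of contents” entry are all constructed for illustration. It copies a constructed 8-sector device with one unreadable sector in three ways (abort, skip, pad), applies the bytes-transferred-divided-by-sector-size check from above, and tests whether a directory entry that points at sector 5 still lands on the right data in each image.

```python
import hashlib

SECTOR_SIZE = 512  # bytes per sector, as on a classic disk


def build_device(n_sectors, seed=7):
    """Constructed sample 'disk' (not real hardware): every sector is filled
    with a distinct byte value so its content reveals its original position."""
    return [bytes([(i * seed) % 256]) * SECTOR_SIZE for i in range(n_sectors)]


def read_sector(device, bad_sectors, idx):
    """Simulated device read: sectors listed in bad_sectors raise the same
    errno 5 'Input/output error' that dd reports on a real read failure."""
    if idx in bad_sectors:
        raise OSError(5, "Input/output error")
    return device[idx]


def acquire(device, bad_sectors, noerror=False, sync=False):
    """dd-style sequential copy of every sector. Returns (image, error_log).

    noerror=False            -> abort at the first read error (plain dd).
    noerror=True, sync=False -> skip the unreadable sector; later offsets shift.
    noerror=True, sync=True  -> write a zero-filled sector in its place so
                                every later sector keeps its original offset.
    """
    image = bytearray()
    error_log = []
    for idx in range(len(device)):
        try:
            image += read_sector(device, bad_sectors, idx)
        except OSError as exc:
            error_log.append(f"sector {idx}: {exc.strerror}")
            if not noerror:
                break  # dd stops here; the image is truncated
            if sync:
                image += b"\x00" * SECTOR_SIZE  # 'fake' sector keeps offsets
    return bytes(image), error_log


def sectors_transferred(image):
    """The check from the text: bytes transferred divided by the sector size
    should equal the sector count seen when the device was attached."""
    return len(image) // SECTOR_SIZE


def sector_at(image, idx):
    """Read sector idx of an image by byte offset, as a filesystem would."""
    return image[idx * SECTOR_SIZE:(idx + 1) * SECTOR_SIZE]


def sha256(data):
    """Hex digest used to compare an image against its source."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    device = build_device(8)
    bad = {3}        # constructed: sector 3 is unreadable
    toc_entry = 5    # hypothetical 'table of contents' pointing at sector 5

    for label, kwargs in [("abort", {}),
                          ("noerror", {"noerror": True}),
                          ("noerror,sync", {"noerror": True, "sync": True})]:
        image, log = acquire(device, bad, **kwargs)
        intact = sector_at(image, toc_entry) == device[toc_entry]
        print(f"{label:13s} sectors={sectors_transferred(image)} "
              f"toc_entry_intact={intact} errors={log}")
```

Running it shows the three outcomes side by side: the abort run stops after three sectors, the skip run produces a seven-sector image in which offset 5 now holds the data that belonged at sector 6, and the padded run produces a full-length image with a zero-filled sector 3 and the table-of-contents entry still correct. Note that the padded image’s hash will never match a hash of the original device, which is why the separate error log listing the substituted sectors must travel with the image.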

Acquisition with GUYMAGER :-

Click on the Guymager option in Kali Linux. The storage media available for acquisition will be listed; right-click on the storage media and choose Acquire image.

The interface looks similar to FTK Imager, so fill in the necessary details.

Here, the acquisition has started.

Acquisition with EWFACQUIRE :-

It is almost the same as FTK Imager. To start the tool, the command is

sudo ewfacquire /dev/sdb

You have to fill in the necessary details such as media type, media characteristics, file format, compression value, segmentation size, etc. You can customize these according to the case or your needs.

Once done, a preview is shown to confirm the settings, and the imaging process will start.
