In the previous chapter, we learned that documentation and proper procedures are key in any investigation. These ensure the integrity of the investigation by providing proof of data authenticity and preservation of the original evidence and documentation, which can be used to achieve the same exact results if the usage of tools and methods are repeated.
In this chapter, we will demonstrate forensically sound techniques for the acquisition of data using bitstream copies, including creating data hashes, in keeping with best practices.
In this chapter, we will cover the following topics:
The first tool we will use for acquisition is called Department of Defense Cyber Crime Center Data Dump (dc3dd). dc3dd is a patch of the very popular Data Dump (DD) tool used for forensic acquisition and hashing.
Users new to Kali Linux or any Linux variations may find that the drive, partition recognition, and naming in Kali Linux are different from that of Windows devices.
A typical device in Linux can be addressed or recognized as /dev/sda, whereas drives in Windows are usually recognized as Disk 0, Disk 1, and so on:
The sd stands for SCSI Mass-Storage Driver, with the letter after it representing the drive number:
While Windows recognizes partitions as primary, logical, and extended, Linux partitions are recognized as numbers after the drive letter:
For the exercises in this chapter, I'll be using an old 2 GB flash drive for the acquisition process using dc3dd. At this point, we should consider attaching our media to a write blocker before examining it. It's also important to remember to continue using your write blocker when acquiring and creating forensic images of evidence and drives, in order to not write data to the drives or modify the original evidence files.
To list your devices and ensure that you are aware of them before performing any acquisition operations, the fdisk -l command should be run before any other. The sudo fdisk -l command may have to be used if the previous one does not work. The sudo command allows the user to run the command as root, which is similar to the Run as Administrator feature in Windows.
The fdisk-1 command has been executed in the following screenshot. Then, the 2 GB flash drive is attached. There is one hard disk listed as sda. The primary partition is listed as sda1, with the Extended and Linux swap partitions listed as sda2 and sda5, respectively:
After attaching the 2 GB flash drive for acquisition, the fdisk -l command was run yet again and can be seen in the following screenshot with these details:
As seen in the preceding screenshots (and also explained earlier in this chapter), Kali Linux recognizes two devices:
Now that we've distinguished and become certain of which drive is to be imaged (sdb), we can begin the forensic imaging using dc3dd.
Important note
Although I have used an older 2 GB flash drive to demonstrate the usage of dc3dd, you can use any drive (portable or otherwise) to practice using the tools in this chapter. Be sure to use the fdisk -l command to identify your drives and partitions.
In order to provide proof that the evidence was not tampered with, a hash of the evidence should be provided before and during, or after, an acquisition.
In Kali Linux, we can use the md5sum command, followed by the path of the device, to create an MD5 hash of the evidence/input file – for example, md5sum /dev/sdx.
You may also try the command with superuser privileges by typing in sudo md5sum /dev/sdx.
For this example, the 2 GB flash drive that I'll be using (named test_usb) is recognized as sdb and the command I will be using is shown in the following screenshot:
In the previous example, the output of the md5sum command of the 2 GB flash drive is displayed as 9f038....1c7d3 /dev/sdb. When performing the acquisition or forensic imaging of the drive using dc3dd, we should also have that exact result when hashing the created image file output to ensure that both the original evidence and the copy are exactly the same, thereby maintaining the integrity of the evidence.
I've also created an SHA-1 hash (which will be used for comparative purposes) using the following syntax:
Now that we can identify our devices and create MD5 and SHA-1 hashes in Kali Linux, let's move on to using dc3dd in the next section.
Before we get started using dc3dd, I need to again draw your attention to one of the features of DD: being able to wipe data, partitions, and drives. Hence, you may find that DD is sometimes also fondly referred to as the Data Destroyer. Be sure to always first identify your devices, partitions, input and output files, and parameters when using DD and dc3dd.
These are the features of DD:
dc3dd was developed by the Department of Defense Cyber Crime Center and is updated whenever DD updates. dc3dd offers the best of DD with more features, including the following:
Important note
Although we'll only be looking at DD and dc3dd there is also another tool called dcfldd, which can be installed on Linux-based systems.
dc3dd is a patch of DD and is regularly updated whenever there are updates to DD. dc3dd offers more features than DD, which is why we'll be using it.
Unlike previous versions of Kali Linux, dc3dd must now be installed manually in Kali Linux 2019.3. First, we'll update our version of Kali Linux by using the apt-get update command:
Once Kali Linux updates, you can manually install dc3dd by typing in the sudo apt-get install dc3dd command. It is recommended to install dc3dd on your flash drive or SD card before performing any live acquisitions and not do so at the time of acquisition, which may tamper with the investigation:
dc3dd is a CLI tool and can be easily run in Kali Linux by first opening a Terminal and typing in dc3dd. To start with, I recommend using the dc3dd --help command, which lists the available parameters used with dc3dd:
Important note
When copying an image to a drive, the destination drive size should be of equal size or larger than the image file.
As seen in the preceding screenshot, when using the dc3dd --help command, the typical usage looks as follows:
dc3dd [option 1] [option 2] ... [option n]
In our previous example, I've used the following options:
The code terms used here are:
The device size (in sector and bytes) should be noted and later compared to the output results for device field.
The last line also displays the progress and status of the acquisition process, showing the amount of data copied, the elapsed time in seconds, and the speed of the imaging process in Mbps:
Important note
The larger the drive or file to be acquired, the lengthier the time taken to do so. Might I suggest you get yourself a cup of coffee or other refreshing beverage, or even have a look at some other wonderful titles available from Packt Publishing at https://www.packtpub.com/.
Once the acquisition process has been completed, the input and output results are displayed as follows:
Analyzing the results, we can see that the same amount of sectors (3913664) have been imaged, with no bad sectors being replaced by zeros. We can also see that the exact MD5 hash was created for the image, assuring us that an exact copy was created without modification.
In the Terminal, we can also use the ls command to list the directory contents to ensure the dc3dd output file (test_usb.dd) and log (dc3ddusb) have been created:
To access our forensic image and log file, we can go to our /home directory by clicking on places (top-left corner) and then Home.
Within my Home folder, the first file, 2GBdcedd.dd, is the output image created by dc3dd using the of=test_usb.dd command. The last file, dc3ddusb, is the log file, created when we used the log=dc3ddusb command:
It's important to keep this log file to have a record of the acquisition process and its results, which are displayed on-screen upon completion:
In future chapters, we will be analyzing acquired forensic images using various tools. However, the image can also be copied or directly cloned to another device if the investigator so wishes.
As an example, we could clone the forensic image acquired previously (test_usb.dd) onto a new drive recognized as sdc. The command used to perform this task is as follows:
dc3dd if=test_usb.dd of=/dev/sdc log=drivecopy.log
In keeping with proper and formal case management, the names of the image file and log file should be unique to the investigator and the investigation for easy reference, as you may find yourself with multiple images and log files later on. The location of the images should also be stored on forensically sound or sanitized drives and labeled accordingly.
Depending on the size of the evidence, manageability and portability can become an issue. dc3dd has the ability to split forensically acquired images into multiple parts.
This is accomplished using the ofsz and ofs options:
Tip
Always ensure that you have specified enough zeros for the file extension. Logically, .000 allows for more parts than .00.
For this example, I've used the same 2 GB flash drive as before. However, for demonstrative purposes, you'll notice two changes.
Instead of using the MD5 hash, I've specified that SHA-1 be used and the output file type will be .img instead of the previously used .dd.
In this instance, the imaged 2 GB flash size will instead be split into multiple parts (four in total) of 500 MB each using ofsz=500M with the parts named as 2GBdc3dd2.img.ooo, 2GBdc3dd2.img.oo1, 2GBdc3dd2.img.oo2, and 2GBdc3dd2.img.oo3.
The command used to achieve this is as follows:
dc3dd if=/dev/sdb hash=sha1 log=dd_split_usb ofsz=500M ofs=split_test_usb.img.ooo
In the following screenshot, we can see the command as well as the output and status of the process:
Once completed, the input results for the device show the SHA-1 hash output and also display the first part of the split image files:
Using the ls command once more, we can see that the extensions of each of the four split output files are all in numerical format, from .000 to .003:
All split parts of the image file can be found in the Home folder along with the log file:
Now that we have successfully created bitstream copies of the evidence, let's look at verifying the integrity of the forensic acquisitions using hash verification.
Double-clicking on the .info file in the Image directory location allows us to inspect a variety of details about the acquisition process from start to completion, including the hashed outputs.
This .info file contains much more data than the log file produced by dc3dd, including the case management details:
Let's have a closer look at the hash details within the .info file.
We can see that the MD5 and SHA-1 hashes have been created and verified and, as stated in the last line of the following screenshot, Image verification OK. The image contains exactly the data that was written:
If we compare these hashes with the ones created using dc3dd we would have the exact same MD5 and SHA-1 outputs, proving that these images are exact forensic copies of the original evidence.
Compare the hashes in the following screenshots, created by dc3dd, with the ones in the previous screenshots, created by Guymager:
If we look at the preceding hashes and compare them with the ones created by Guymager in the .info file, we can see that the SHA-1 hash contains more characters than the MD5 hash, as the MD5 (although faster) has a 128-bit output whereas the SHA-1 has a 160-bit output. I'd highly recommend using SHA-1 or SHA256 instead of MD5 as MD5 is outdated and no longer used as it was proven to be vulnerable to hash collision attacks, where different sets of hashed data can produce the same output, rendering it invalid. More on MD5 collisions can be found in this document, written by the researchers responsible for discovering the vulnerability, at http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf.
To verify the hash of the split files, the following command can be used:
cat split_test_usb.img.* | sha1sum
In the following screenshot, we can see that a lengthy SHA-1 hash was created using the preceding command:
This also matches the sha1sum output of the 2 GB flash drive itself, displayed by using the following command:
sha1sum /dev/sdb
Using this command creates the following output:
With our verification processes now complete, we'll look at using dc3dd to forensically wipe drives.
We've seen the power of dc3dd as a very impressive forensic acquisition tool, but I'd also like to go one step further and introduce you to its capabilities as a data wiping tool.
dc3dd can wipe data and erase drives by overwriting data in three ways:
All three of the preceding methods efficiently erase drives. Let's also look at using the DD command, which is pre-installed in Kali Linux, to make forensic bitstream copies of evidence.
Should you also wish to use the DD tool, the commands and usage are very much the same.
You may want to first ensure that you can access the DD tool by running dd –-help. If the dd command cannot be found, update Kali Linux by running the apt-get update command and then running the dd –-help command again:
Attach the storage you wish to acquire. For this example, I'll be using an older 2 GB Sony Pro Duo card that I'd like to image and analyze.
Run the fdisk –l command in the Terminal to view the device details. In the following screenshot, we can see that the device is recognized as /dev/sdb and is 1.89 GB with a default sector size of 512 bytes:
I'll also manually create hashes to verify the integrity of the created images by comparing the hashes of the images with these.
To create the MD5 hash, run the md5sum /dev/sbd command:
To create the SHA-1 hash, run the sha1sum /dev/sbd command:
To perform image acquisition, I've used this command:
dd if=/dev/sdb of=sdb_image.img bs=65536 conv=noerror,sync
The following command output shows that the input and output records match, along with the speed of the acquisition at 54.6 MB/s:
Let's do a breakdown of the individual options in the preceding command:
In the preceding command, the output file extension, .dd, was specified. However, you can use another format, such as .iso, but specifying such in the output file (of) option:
We can view the created files in two ways. The first option is to click on Places and then click on Home. We can see two items listed as the produo_image.dd and produo_image.iso files that were created by DD:
The second option is to simply use the ls command, where we can also see the two images:
Now that we've used dc3dd to create forensic images, used md5sum and sha1sum to verify our images, and used DD to wipe drives, let's now have a look at Guymager, which also performs image acquisition via a simple GUI.
Guymager is another standalone acquisition tool that can be used for creating forensic images and performing disk cloning. Developed by Guy Voncken, Guymager is completely open source, has many of the same features of dc3dd, and is also only available for Linux-based hosts. While some investigators may prefer CLI tools, Guymager is a GUI tool and is for beginners, so it may be preferable.
For this acquisition, I'll use the very same 2-GB flash drive used in the dc3dd examples, at the end of which we can compare results.
As previously done in the dc3dd acquisition, we should first ensure that we are familiar with the devices attached to our machine, using the fdisk -l or sudo fdisk -l command.
Guymager can be started by using the menu in Kali Linux. Click on Applications on the side menu, then click on Forensics and scroll down to Guymager:
Guymager can also be started using the Terminal by typing in guymager. You may also try the sudo guymager command. Once started, the default locations of the log file and configuration (cfg) files can be changed if required:
The Guymager application runs and then displays the existing drives recognized in Kali Linux. As in the following screenshot, the details of the 2 GB flash drive being used are shown, including the following:
Should your device not be listed in Guymager, or should you need to add an additional device, click the Rescan button at the top-left corner of the application.
To begin the acquisition process, right-click on the evidence drive (/dev/sdb in this example) and select Acquire image. Note that the Clone device option is also available should you wish to clone the evidence drive to another. Again, as previously mentioned, when cloning a device, the capacity of the destination device must be equal to or exceed that of the source (original) evidence drive:
Before the actual acquisition process starts, the investigator is prompted to enter details about themselves and the evidence under the following three sections:
File format:
Destination:
Important note
Guymager also adds the convenience of having a Duplicate image... button to create duplicate copies without having to repeat the data entry process.
For new users, you may want to specify the directory where the image file will be saved. In the destination section, click on the Image directory button and choose your location. You should choose a drive or directory that is unique to the case as the location for both the image and the log/info file:
The following screenshot shows the data that I've used for the Guymager acquisition, having chosen the desktop as the Image directory and MD5 and SHA-1 hashing algorithms:
Once the Start button is clicked, you will notice that the State changes from Idle to Running. The Progress field also now displays a progress bar:
Taking a closer look at the details in the lower-left corner of the screen, we see the size, image, info file paths, names and extensions, current speed, and chosen hash calculations. We also see that Image verification is turned on:
Once the acquisition process is completed, the color of the State button changes from blue to green, indicating that the acquisition process is finished. It also displays Finished - Verified & ok if verification options were selected in the Hash verification / calculation area. The progress bar also displays 100%:
Our output file and info file can be found on the desktop as this was specified in the Acquire images section earlier. If you have selected a different directory, change to the new directory, using the cd command, in a new Terminal. In the following screenshot, I've changed to the Desktop directory using the cd Desktop command and then listed the contents using the ls command:
We can also browse the desktop, or even the desktop folder, to open the info file, which presents us with information about the acquisition details:
Using Guymager may be much simpler for those that are unfamiliar with DD or dc3dd, also because Guymager comes pre-installed on Kali Linux. Let's now move on to some tools that can be used for live memory acquisition.
There are several tools for Windows systems that you may wish to take advantage of to be able to capture the memory and paging file on a Windows device. The forensic images can then be opened on your Kali Linux machine for analysis with Volatility, as we'll delve into in a later chapter.
Forensic Toolkit (FTK) Imager from AccessData is a free tool for the live acquisition of memory, the paging file, and drive images. To download FTK Imager, visit their website at https://accessdata.com/product-download/ftk-imager-version-4-2-1 and click on the Download Now button, which then carries you to their registration page.
Once all the fields are completed, a download link will be sent to the email address which you specified. The file size is approximately 53 MB and, at the time of writing, I've downloaded version 4.2.1 but any version between 4.0 and 4.2.1 will do for this exercise.
Important note
Remember that this tool is to be installed on a Windows machine and not on Kali Linux.
Once downloaded and installed, open the program:
To view the options for imaging and acquisition, click on File:
Within the File menu, we are presented with all the options needed. The Create Disk Image… option allows you to perform a forensic acquisition of physical and logical drives, contents of a folder, and CDs and DVDs. Click on the Create Disk Image… option:
Click on Next > to continue. I've selected a 32 GB Kingston Physical drive to acquire. You may select any drive of your choice. Once selected, click on Finish:
Next, we'll need to choose a destination to save the image file to. Click on Add and choose the image type (Raw (dd), SMART, E01, or AFF). E01 is the Expert Witness Compression Format and is one of the more common formats as it is widely recognized by many tools, including EnCase, FTK, and Autopsy. More on the file format types can be found at https://www.loc.gov/preservation/digital/formats/fdd/generic_fdd.shtml.
Click on Next > to proceed:
Complete the forms with the Evidence Item Information fields and click on Next >:
Lastly, click on Browse to select the image destination folder and type in a filename with an extension:
I've specified the Image Fragment Size to be a value of 0. This tells the software to not fragment or split the image file. Click on Finish and then click on Start to begin the process. Be sure to select the option to calculate the MD5 or SHA hash upon creation when prompted:
The created disk image can now be analyzed using tools of your choice.
We can also perform live acquisition with FTK Imager whereby we acquire the RAM and paging file.
Click on File and Capture Memory…:
Next, select the destination path and specify a filename for the memory dump (.mem) file. To include the page file, select the Include pagefile checkbox.
Click on Capture Memory to begin the acquisition process:
The status bar indicates when the process is completed. This is usually not a lengthy process compared to the static dive acquisition process:
Let's look at another free tool for memory acquisition on Windows devices called Belkasoft RAM Capturer.
Belkasoft also has a full suite of tools available for forensic acquisition and analysis along with the free RAM capturer tool, which can be downloaded from https://belkasoft.com/ram-capturer. Click on the DOWNLOAD NOW button and enter your email address, then click on Proceed. An email with the download link should be sent to you within an hour.
Once downloaded and extracted on your Windows machine, choose the appropriate version (x86 or x64) and launch the environment.
The GUI is as simple as it gets with Belkasoft RAM Capturer. You are prompted to specify an output folder path and from there it captures the memory and paging file after clicking on Capture!:
The tool takes a few minutes to perform the acquisition, and from there you can hash and analyze using the tools of your choice.
Opening the output folder, I can see that the file is saved as a .mem file (20191115.mem) with the date of acquisition as the date:
You'd have probably noticed that both FTK Imager and Belkasoft RAM Capturer are very fast and efficient tools for performing RAM and paging file acquisitions on Windows machines. The choice is yours when performing memory acquisitions for later analysis which we'll look at in a later chapter where we'll use Volatility to find artifacts stored in memory and even perhaps find traces of malware.
In this chapter, we've looked at two tools readily available in Kali Linux for the acquisition of digital evidence. It's very important to be able to tell your devices apart so you can accurately acquire a forensic and exact copy or image of the evidence file using the fdisk - l command. For forensic analysis, bitstream copies of the evidence are needed as these provide an exact copy of the evidence, bit by bit, which is why we used dc3dd and Guymager.
Firstly, we used dc3dd, the enhancement of the data dump tool, and through the Terminal performed quite a few tasks, including device imaging, hashing, splitting of files, and file verification. Our second tool, Guymager, has built-in case-management abilities and also has many functional similarities to dc3dd, but it comes as a GUI tool and may be easier to use.
Both tools deliver accurate and forensically sound results. For those who may not constantly work with DD and dc3dd, Guymager may be the easier tool to use seeing that all acquisition options, including cloning, are readily available through the GUI.
We also looked at FTK Imager and Belkasoft Ram Capturer. FTK Imager runs on Windows and is capable of acquiring RAM and disk images, whereas Belkasoft RAM Capturer (also for Windows) performs only RAM acquisition.
Next, we'll move on to file recovery and data carving using three very powerful tools. Exciting stuff!
3.16.70.101