NET 182 W01
September 16, 2012
Chapter 4 Project Summary
Project 4-1 In this project I researched current acquisition tools.
An acquisition tool is a program or hardware device used to read a digital source and then create either an image file or a clone of that source. There are many tools available today for computer forensics. They include both open source and proprietary software. Some of the more common tools are ProDiscover, SnapBack DatArrest, NTI SafeBack, DIBS USA Raid, ILOOK Investigator IXimager, Vogon International SDi32, ASRData SMART and Australian Department of Defence PyFlag.
Case 4-2 In this case project I need to make a fast disk image of the suspect hard drive.
For this purpose I can use a live Linux CD and a USB drive (USB 3.0 with a transfer rate of 625 MB/s):
1. Boot the target computer to Linux using the Linux boot CD (even if the computer is a Windows computer, you can boot it to Linux).
2. After booting to Linux, I insert the USB thumb drive and mount it:
    mkdir /mnt/usbdrive
    mount /dev/sda1 /mnt/usbdrive
3. Then I execute the dd command by typing:
    dd if=/dev/hda6 of=/mnt/usbdrive/murder.img bs=4096
This tells Linux to make a bit-stream copy from the input "file" ("if") /dev/hda6 (which is the E partition of the hard drive) to the output "file" ("of") /mnt/usbdrive/murder.img (which is a file called murder.img on the USB drive). The "bs" sets the block size to approximately 4K, which is a good size for many moderately sized copying jobs.
4. Now I can unmount the USB drive by typing:
    umount /mnt/usbdrive
This allows Linux to complete writing to the USB drive.
5. Now I have a bit-by-bit copy of the 10 GB partition E on the USB drive, in a file called murder.img.
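The imaging steps above with a hash check added, so the copy can be shown to match the source. This is an added example, not part of the original project write-up; the function name acquire_image and the ".sha256" sidecar file are hypothetical, and a constructed file stands in for /dev/hda6 so the script runs without a real device.

```shell
#!/bin/sh
# Added example: dd imaging as in the steps above, plus hash verification.
# acquire_image and the ".sha256" sidecar file are hypothetical names.

# acquire_image SRC DST
# Copies SRC to DST in 4096-byte blocks, hashes both sides and compares.
# Prints the image's SHA-256 on success; returns 1 on mismatch, 2 on error.
acquire_image() {
    src=$1
    dst=$2
    if [ ! -r "$src" ]; then
        echo "cannot read source: $src" >&2
        return 2
    fi
    if [ -e "$dst" ]; then
        # Never overwrite an image that already exists.
        echo "refusing to overwrite: $dst" >&2
        return 2
    fi

    # Hash the source first, copy it, then hash the copy.
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    dd if="$src" of="$dst" bs=4096 2>/dev/null || return 2
    dst_hash=$(sha256sum < "$dst" | cut -d' ' -f1)

    # An empty hash means sha256sum failed; treat it as an error.
    if [ -z "$src_hash" ] || [ -z "$dst_hash" ]; then
        return 2
    fi
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "hash mismatch: $src_hash != $dst_hash" >&2
        return 1
    fi

    # Record the hash next to the image and make both files read-only.
    ( cd "$(dirname "$dst")" && sha256sum "$(basename "$dst")" ) > "$dst.sha256"
    chmod a-w "$dst" "$dst.sha256"
    echo "$dst_hash"
}

# Demo on a constructed 40 KiB file standing in for /dev/hda6.
demo=$(mktemp -d)
dd if=/dev/urandom of="$demo/partition.bin" bs=4096 count=10 2>/dev/null
acquire_image "$demo/partition.bin" "$demo/murder.img"
rm -rf "$demo"
```

On the real system the call would be acquire_image /dev/hda6 /mnt/usbdrive/murder.img, run before the umount step; the image can be re-checked later with sha256sum -c murder.img.sha256 from the directory that holds it.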
Hands-on Project 4-3 In this project I created a FAT32 disk partition using Linux. These are the steps to create a FAT32 partition in Linux:
1. I boot the computer with Linux Ubuntu
2. Then I connect a