The reason for creating this image of the flash drive is to ensure we have a working copy. We should never be performing work on original data. If we damage the original data or compromise it in any way, then we have bigger problems than just trying to figure out what is on the disk.
After plugging the USB into my analysis machine, I took a look at my "dmesg" output
Above we see the USB was successfully connected and was assigned to device "sdd". We also see the drive has 1 partition which was detected "sdd1"
As always, before executing a tool, we should at least take a look at the help
sansforensics@securitynik:~$ dc3dd --help | more
Now that we have some information from the help on what are the tool's capabilities, let's move ahead with making a working copy of the flash drive
sansforensics@securitynik:~/firefox-analysis$ sudo dc3dd if=/dev/sdd of=securitynik-firefox.dc3dd hof=securitynik-firefox.log hash=md5 hash=sha1
if=/dev/sdd - Tells dc3dd to use the input file which is at "/dev/sdd"
of=securitynik-firefox.dc3dd - Tells dc3dd to create an output file from the input named "securitynik-firefox.dc3dd"
hof=securitynik-firefox.log - Tells dc3dd to write the hash information to a log file named "securitynik-firefox.log"
hash=md5 - tells dc3dd to create a md5 hash of the image
hash=sha1 - tells dc3dd to create a sha1 hash of the image
Once the command has been completed we have the results below
We see that 2 files were created. The output file as well as the file containing the hashes.
To verify these hashes let take a md5sum of "/dev/sdd"
If we look above we see the md5sum result matches that which was calculated by dc3ddLet's now take a look the sha1sum of "/dev/sdd"
Once again from the above it matches.
Looks like we successfully created an image of the flash drive. In the next post we will look at mounting this image.
Other posts in this series:
References
http://www.linuxcertif.com/man/1/dc3dd/
No comments:
Post a Comment