F8-Noncommercial-Based Forensic Duplications Dr. John P. Abraham Professor UTPA.


DD
Data dump. Copies bits from one device or file to another.

Creating an evidence file
Check all current drives (dmesg command) and write down the ID of each drive.
Use fdisk to create a partition on the destination drive (if it is a new drive). Make sure to choose the appropriate partition type, such as FAT, ext3, NTFS, etc.
Create a file system using mkfs.
Power down.
Plug in the hard drive you want to copy, making sure that the computer will still boot from its own boot drive rather than from the one you are copying. It is a good idea to test with a sample drive first, each time you do this operation.
Determine which disk is which, a very important step. Use the dmesg command.
Mount all drives. Example for the destination drive (the type given to -t must be the file system you created with mkfs; ext3 is used here):
mount -t ext3 /dev/hdc1 /mnt/hdc1
The drive being copied does not need to be mounted, since dd reads the raw device; if you do mount it, add -o ro so nothing on it is changed.
Make a directory on the destination:
mkdir -p /mnt/hdc1/case-0001/tag1

Copying
Change to the destination directory you created:
cd /mnt/hdc1/case-0001/tag1
Copy:
dd if=/dev/hdb of=tag1.bin conv=notrunc,noerror,sync
Flags: if = input file, of = output file, notrunc = do not truncate the output file in case of error, noerror = do not stop copying in case of error, sync = pad the block where an error was found with zeros.
Make the file read only:
chmod 444 tag1.bin
Create the MD5 hash:
md5sum -b tag1.bin > md5sum.txt
Make it read only:
chmod 444 md5sum.txt
At any time you can check the hash with (run from the same directory, because md5sum.txt records the file name tag1.bin):
md5sum -c md5sum.txt

More about copying
You may want to split files into 2-GB sections (for EnCase use). To copy 3,000,000 blocks of 512 bytes each (dd's default block size; about 1.56GB) from the beginning of the drive, do the following:
– dd if=/dev/hdb of=tag1.bin.1 conv=notrunc,noerror,sync count=3000000 skip=0
– You can copy the next blocks by skipping the ones already copied:
– dd if=/dev/hdb of=tag1.bin.2 conv=notrunc,noerror,sync count=3000000 skip=3000000
– You can move the files to another drive with a different file system:
mv tag1.bin.* /mnt/fat32

Creating an evidence hard drive
You can make an exact copy of the hard drive by first cleansing the destination drive, placing zeros in all of its blocks:
dd if=/dev/zero of=/dev/hdc conv=notrunc,noerror,sync
Then use the dd command:
dd if=/dev/hdb of=/dev/hdc conv=notrunc,noerror,sync
Now create the hash:
md5sum -b /dev/hdc
Compare it with the hash of the source (md5sum -b /dev/hdb); the two only match when the destination drive is exactly the same size as the source, because any extra zero-filled blocks on a larger drive are hashed as well.
dd_rescue is a variation of the dd command. You can use it to copy forward, or backward from the end to the beginning. This is useful if you encounter errors.
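The evidence-file procedure of the previous slides (dd with notrunc,noerror,sync, a read-only image and hash file, count/skip pieces, md5sum -c), as an added runnable example rather than the lecture's own commands. A constructed 1 MiB file of random bytes stands in for /dev/hdb, a temp directory for /mnt/hdc1, and 1024-block pieces for the 2-GB sections; it also checks that the pieces, read back in order, hash to the same MD5 as the unsplit image.

```shell
# Added example, not from the slides: image a drive with dd, split the
# image into fixed-size pieces, hash everything, then verify the hashes.
# A constructed 1 MiB file of random bytes stands in for /dev/hdb and a
# temp directory for /mnt/hdc1; 1024-block pieces stand in for 2-GB chunks.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/fake_hdb"             # stands in for the suspect drive /dev/hdb
DEST="$WORK/case-0001/tag1"      # stands in for /mnt/hdc1/case-0001/tag1
BLOCKS=1024                      # 512-byte blocks per piece

dd if=/dev/urandom of="$SRC" bs=512 count=2048 2>/dev/null   # 2048 blocks = 1 MiB
mkdir -p "$DEST"

# Whole-drive image as on the slide: never truncate the output, keep going
# past read errors, and zero-fill unreadable blocks so offsets stay aligned.
image_full() {
    dd if="$SRC" of="$DEST/tag1.bin" conv=notrunc,noerror,sync 2>/dev/null
    chmod 444 "$DEST/tag1.bin"
    (cd "$DEST" && md5sum -b tag1.bin > md5sum.txt && chmod 444 md5sum.txt)
}

# Piecewise image: piece N+1 skips the N*BLOCKS blocks already copied.
# Prints the number of pieces written.
image_pieces() {
    size=$(wc -c < "$SRC" | tr -d ' ')
    n=0
    while [ $((n * BLOCKS * 512)) -lt "$size" ]; do
        dd if="$SRC" of="$DEST/tag1.bin.$((n + 1))" bs=512 count="$BLOCKS" \
           skip=$((n * BLOCKS)) conv=notrunc,noerror,sync 2>/dev/null
        n=$((n + 1))
    done
    echo "$n"
}

# Verification: md5sum -c re-checks the stored hash, and the pieces, read
# back in order, must hash to the same MD5 as the unsplit image.
verify_image() {
    (cd "$DEST" && md5sum -c --status md5sum.txt) || return 1
    full=$(md5sum -b "$DEST/tag1.bin" | cut -d' ' -f1)
    joined=$(i=1; while [ -f "$DEST/tag1.bin.$i" ]; do
                 cat "$DEST/tag1.bin.$i"; i=$((i + 1)); done | md5sum | cut -d' ' -f1)
    [ "$full" = "$joined" ]
}

image_full
PIECES=$(image_pieces)
verify_image
echo "verified: tag1.bin and its $PIECES pieces share one MD5 (files in $WORK)"
```

The image, hash file and pieces are left in the temp directory so they can be inspected afterwards.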

DCFLDD
The computer forensics lab's dd command. Greater authentication using built-in MD5: the hash log is written to a file. Reports an MD5 hash for every 512-byte block. It has more switches than dd.

NED – Network Evidence Duplicator
Originally named ODESSA. Operates using a client and server model: the client is run directly on the suspect computer, and the host (server) is the forensic workstation. Copy the NED client onto a bootable floppy. The client computer will detect the server, then give you the option to choose the drive to duplicate. It is a powerful forensic duplication toolkit.