Tuesday, September 14, 2010

Forensics 1: Extracting an Image for Investigation

Forensic investigations are usually performed on static data, that is, on disk images rather than on the live machine. Many open source tools (The Sleuth Kit, TSK) and commercial tools (EnCase) are available for analysing a given image.
Let's look at how to take an image of a drive, hard disk or partition. A few tools that can be used are dd, windd and similar utilities.
First, what is an image? An image is a bit-for-bit copy of the source media: not just the files, but every sector, including unallocated space and file slack, which is exactly where deleted or hidden data is later recovered from.
I used the dd.exe command to take the image of the computer under investigation.
The dd command is present by default on Linux. On Windows we can obtain the binary from The Sleuth Kit (TSK), or it is available by default if Cygwin is installed.
First, let's list all the available drives (A:, B:, C: etc.) or partitions on the machine whose image we want to collect, so that the correct device is named as the input and the external destination as the output; mixing the two up overwrites the evidence.
Below is a snapshot of the dd command used to extract the image for investigation.
We should be very cautious while collecting the image, because nothing should be changed on the machine under analysis. So most of the time we should boot from a CD carrying all the tools (or attach the disk through a hardware write blocker) and write the image to an external drive or network share rather than saving it on the local machine. Once the copy is done, hash both the source device and the image (md5sum or sha256sum) and record the values: matching hashes prove the image is a faithful copy, and the recorded hash lets anyone re-verify it later.
dd can also be used to extract a single file system from a raw whole-disk image, by using skip and count with the partition's starting sector and length taken from the partition table.
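The whole procedure described above (identify the device, copy it bit for bit with dd, verify the copy with a hash, and carve one partition out of the raw image) as an added, runnable example. This is not code from the original post; it works on a constructed 4 MiB "disk" file so it runs offline, and the partition offsets (sectors 2048 to 4095) are constructed too. On a real case the source would be a block device such as /dev/sdb (Linux) or \\.\PhysicalDrive1 (Windows dd.exe), attached read-only through a write blocker.

```shell
#!/bin/sh
# Added example: dd acquisition, hash verification and partition carving.
# Constructed sample data; not the original post's code.

WORK="${TMPDIR:-/tmp}/dd_demo.$$"
mkdir -p "$WORK"

# Step 1 (real case): identify the evidence device before typing any dd
# command, e.g. `lsblk -o NAME,SIZE,TYPE` or `fdisk -l` on Linux.
# Here we fabricate the "device": 8192 sectors of 512 bytes (4 MiB), with a
# fake partition starting at sector 2048 whose first bytes carry a marker.
make_sample_disk() {
    disk="$1"
    dd if=/dev/zero of="$disk" bs=512 count=8192 2>/dev/null
    printf 'PART1-FILESYSTEM' | dd of="$disk" bs=512 seek=2048 conv=notrunc 2>/dev/null
}

# Step 2: bit-for-bit copy of the source to the image file.
# conv=noerror,sync keeps reading past unreadable sectors and pads them with
# zeros so every offset in the image still matches the source. Because sync
# pads short reads to a full block, bs must divide the device size exactly
# (512 always does; 4096 is fine for 4 KiB-aligned media) or the image ends
# up larger than the source and the hashes will not match.
acquire_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
}

# Hash helper: prints only the SHA-256 digest of a file.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 3: verify the acquisition. Returns 0 when source and image hash
# identically; record both values in the case notes.
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Step 4: carve sectors [start, start+count) out of the raw image into a
# stand-alone file system image. On a real image the numbers come from the
# partition table (`fdisk -l image.dd`, or `mmls image.dd` from TSK).
extract_partition() {
    img="$1"; out="$2"; start="$3"; count="$4"
    dd if="$img" of="$out" bs=512 skip="$start" count="$count" 2>/dev/null
}

DISK="$WORK/evidence.disk"   # stands in for /dev/sdb
IMG="$WORK/evidence.dd"      # would live on the external drive or share
PART="$WORK/part1.img"

make_sample_disk "$DISK"
acquire_image "$DISK" "$IMG"
if verify_image "$DISK" "$IMG"; then
    echo "image verified, sha256 $(hash_file "$IMG")"
else
    echo "HASH MISMATCH: acquisition is not a faithful copy" >&2
fi
extract_partition "$IMG" "$PART" 2048 2048   # 2048 sectors = 1 MiB
echo "first bytes of carved partition: $(head -c 16 "$PART")"
# Files are left under $WORK for inspection; remove with: rm -rf "$WORK"
```

The same four functions apply unchanged to a real device: only the values of DISK, IMG and the partition offsets change. Verifying the hash immediately after acquisition, while the original is still attached, is the step that turns a copy into evidence that can be trusted later.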
This is just a high-level overview of forensics; more articles will follow.
For further reading you can start from
http://en.wikipedia.org/wiki/Computer_forensics