Chapter 5: Evidence Acquisition and Preservation with dc3dd and Guymager

In the previous chapter, we learned that documentation and proper procedures are key in any investigation. These ensure the integrity of the investigation by providing proof of data authenticity and preservation of the original evidence and documentation, which can be used to achieve the exact same results if the tools and methods are used again. In this chapter, we will demonstrate forensically sound techniques for the acquisition of data using bitstream copies, including creating data hashes, in keeping with best practices.

In this chapter, we will cover the following topics:

- Using the Guymager GUI for data acquisition

The first tool we will use for acquisition is called Department of Defense Cyber Crime Center Data Dump (dc3dd). dc3dd is a patch of the very popular Data Dump (DD) tool used for forensic acquisition and hashing.

Users new to Kali Linux or any Linux variation may find that drive and partition recognition and naming in Kali Linux differ from those of Windows devices. A typical device in Linux is addressed or recognized as /dev/sda, whereas drives in Windows are usually recognized as Disk 0, Disk 1, and so on:

- /dev: Refers to the path of all devices and drives recognized by Linux, which can be read from or written to.
- /sda: Refers to the Small Computer System Interface (SCSI), SATA, and USB devices. The sd stands for SCSI Mass-Storage Driver, with the letter after it representing the drive number:
  - sda: Drive 0, or the first drive recognized.
- While Windows recognizes partitions as primary, logical, and extended, Linux partitions are recognized as numbers after the drive letter:

At this point, we should consider attaching our media to a write blocker before examining it. It's also important to remember to continue using your write blocker when acquiring and creating forensic images of evidence and drives, in order not to write data to the drives or modify the original evidence files. To list your devices and ensure that you are aware of them before performing any acquisition operations, the fdisk -l command should be run before any other. The sudo fdisk -l command may have to be used if the previous one does not work. The sudo command allows the user to run the command as root, which is similar to the Run as Administrator feature in Windows.

The fdisk -l command has been executed in the following screenshot.

Figure 5.2 – Full output of the fdisk command in Kali Linux

As seen in the preceding screenshots (and also explained earlier in this chapter), Kali Linux recognizes two devices:

- sda: Primary hard disk with three partitions.
- sdb: Flash drive to be forensically acquired or imaged.

The primary partition is listed as sda1, with the Extended and Linux swap partitions listed as sda2 and sda5, respectively:
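To make the device-naming scheme above concrete, here is an added shell example (not from the book) that parses fdisk -l style output into disks, partition numbers and partition type IDs, and builds the dc3dd command line for the chosen evidence device. The fdisk output embedded below is constructed to mirror the two-device layout described in the chapter (sda with sda1/sda2/sda5, sdb as the flash drive); the dc3dd options hash=, log= and the if=/of= pair are dc3dd's own, but the chapter itself does not show them.

```shell
#!/bin/sh
# Constructed sample of `sudo fdisk -l` output (not captured from a real system).
FDISK_SAMPLE='Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Device     Boot    Start      End  Sectors Size Id Type
/dev/sda1  *        2048 39845887 39843840  19G 83 Linux
/dev/sda2       39847934 41940991  2093058   1G  5 Extended
/dev/sda5       39847936 41940991  2093056   1G 82 Linux swap / Solaris

Disk /dev/sdb: 7.5 GiB, 8053063680 bytes, 15728640 sectors
Device     Boot Start      End  Sectors  Size Id Type
/dev/sdb1        2048 15728639 15726592  7.5G  c W95 FAT32 (LBA)'

# Whole disks (/dev/sdX) in the order fdisk reported them, one per line.
list_disks() {
    printf '%s\n' "$1" | sed -n 's#^Disk \(/dev/sd[a-z]\):.*#\1#p'
}

# Partition numbers of one disk, e.g. "/dev/sda" -> "1 2 5" (sda1, sda2, sda5).
list_partitions() {
    printf '%s\n' "$1" | awk -v d="$2" '
        $1 ~ ("^" d "[0-9]+$") { sub(d, "", $1); printf "%s ", $1 }' | sed 's/ $//'
}

# Partition type Id (hex column) for one partition; the Boot "*" shifts the columns.
partition_id() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print ($2 == "*") ? $7 : $6 }'
}

# Drive index the way the chapter describes it: sda -> 0, sdb -> 1, ...
drive_index() {
    letter=${1#/dev/sd}
    printf '%d\n' "$(( $(printf '%d' "'$letter") - 97 ))"
}

# dc3dd invocation (printed, not executed) for an evidence device behind a write blocker:
# image plus SHA-256 of the source and a log of the run, as the chapter's hashing step requires.
acquire_cmd() {
    printf 'dc3dd if=%s of=%s.dd hash=sha256 log=%s.log\n' "$1" "$2" "$2"
}

# Walk the sample the way an examiner would before acquisition.
for disk in $(list_disks "$FDISK_SAMPLE"); do
    echo "$disk (drive $(drive_index "$disk")): partitions $(list_partitions "$FDISK_SAMPLE" "$disk")"
done
acquire_cmd /dev/sdb case001_flash
```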