Tuesday, March 6, 2012

Forensic Imaging Tools

air

AIR (Automated Image and Restore) is a GUI front end for creating forensic-grade disk images of drives and other block devices. It does not copy anything itself: it builds a dd or dc3dd command line from what you select in the interface and runs that, and it can hash the source and the resulting image to verify the copy. On BackTrack, the first time you select air from the menu it downloads and compiles the components it needs; after that the GUI is straightforward to use.
[Screenshot: AIR (Automated Image and Restore) GUI on BackTrack 5 Codename Revolution]

dc3dd

dc3dd is a patched version of dd, the standard utility for low-level block copying, maintained by the Department of Defense Cyber Crime Center (DC3). It adds several features useful to forensic investigators: on-the-fly hashing of the data it copies (MD5, SHA-1 and others), piecewise hashes per window, splitting of the output into fixed-size files, progress reporting, and a log of everything it did, all of which help demonstrate that the copy matches the original. The example below images /dev/sda into 2 GB pieces, which is useful when a single image file would be too large to move around conveniently. Reading the options left to right: if=/dev/sda is the evidence drive; progress=on reports progress; hash=md5,sha1 computes both digests, and hashconv=after hashes the data as written (after the conv= padding described below) so the digests in the log correspond to the output files; hashwindow=2GB records a digest for every 2 GB of data, matching the split size so that each piece can be verified on its own; split=2GB and splitformat=000 write the output as /root/Desktop/images.000, images.001 and so on (of= names the base file, not a directory); log=/root/Desktop/log.txt records the command line, the hashes and any read errors; bs=512 iflag=direct reads one sector at a time directly from the device, bypassing the page cache, so that at most one sector is lost per read error; and conv=noerror,sync keeps going past unreadable sectors and pads each one with zeros so later data stays at its correct offset. There must be no space after the comma in conv=noerror,sync. These are the option names of the dc3dd 6 series shipped with BackTrack; the 7 series renamed several of them (split output, for example, is requested with ofs= and ofsz=), so check dc3dd --help against the installed version. As with any imaging, attach the source through a write blocker and, after the run, compare the input hash recorded in the log with a hash of the concatenated pieces.
Example usage: dc3dd if=/dev/sda progress=on hashconv=after hash=md5,sha1 hashwindow=2GB splitformat=000 split=2GB log=/root/Desktop/log.txt bs=512 iflag=direct conv=noerror,sync of=/root/Desktop/images
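To show what the split output and per-window hashes buy you at verification time, here is an added example that is not from the original post and not part of dc3dd: it emulates dc3dd's split= and hashwindow= behaviour with plain POSIX dd and sha1sum, then checks the pieces the way an examiner checks a split image against the evidence hash, and finally flips one byte in a piece to show the check catching it. It assumes a POSIX sh with dd, awk, od and either sha1sum or shasum, and builds a constructed 2.5 MiB random file as a stand-in for the source drive, so the third piece is a short tail. The function names (split_image, verify_split, run_demo) and the 1 MiB piece size are its own choices.

```shell
#!/bin/sh
# Added example (not from the original post): emulate dc3dd's split= /
# hashwindow= behaviour with plain dd and sha1sum, then verify the pieces the
# way an examiner would check a split image against the evidence hash.
# Assumptions: POSIX sh, dd, awk, od; sha1sum (GNU) or shasum (BSD/macOS);
# /dev/urandom to build a constructed 2.5 MiB stand-in for a source drive.
set -eu

# SHA-1 of stdin as a bare hex string (sha1sum on Linux, shasum elsewhere).
sha1_stream() {
  if command -v sha1sum >/dev/null 2>&1; then sha1sum | cut -d' ' -f1
  else shasum -a 1 | cut -d' ' -f1; fi
}
sha1_of() { sha1_stream < "$1"; }

# split_image SRC PREFIX PIECE_MIB
# Writes PREFIX.000, PREFIX.001, ... of PIECE_MIB MiB each (the last one may
# be shorter), records "<piece> <sha1>" per piece in PREFIX.hashes (what
# dc3dd's hashwindow= log gives you), and prints the number of pieces.
split_image() {
  src=$1; prefix=$2; mib=$3
  total=$(wc -c < "$src" | tr -d ' ')
  piece_bytes=$((mib * 1048576))
  : > "$prefix.hashes"
  i=0; off=0
  while [ "$off" -lt "$total" ]; do
    name=$(printf '%s.%03d' "$prefix" "$i")
    # skip= and count= are in 1 MiB blocks; dd stops early at EOF for the tail.
    dd if="$src" of="$name" bs=1048576 skip=$((i * mib)) count="$mib" 2>/dev/null
    printf '%s %s\n' "$name" "$(sha1_of "$name")" >> "$prefix.hashes"
    i=$((i + 1)); off=$((off + piece_bytes))
  done
  echo "$i"
}

# verify_split PREFIX NPIECES EXPECTED_SHA1
# 1) every piece must still match its recorded hash;
# 2) the concatenation of all pieces must hash to the source-drive hash.
# Returns 0 on success, 1 on any mismatch (details on stderr).
verify_split() {
  prefix=$1; n=$2; expected=$3
  i=0
  while [ "$i" -lt "$n" ]; do
    name=$(printf '%s.%03d' "$prefix" "$i")
    recorded=$(awk -v f="$name" '$1 == f { print $2 }' "$prefix.hashes")
    if [ "$(sha1_of "$name")" != "$recorded" ]; then
      echo "piece $name does not match its recorded hash" >&2; return 1
    fi
    i=$((i + 1))
  done
  whole=$(cat "$prefix".[0-9][0-9][0-9] | sha1_stream)
  if [ "$whole" != "$expected" ]; then
    echo "reassembled image ($whole) != source ($expected)" >&2; return 1
  fi
}

# run_demo: image a constructed 2.5 MiB "drive" in 1 MiB pieces, verify it,
# then flip one byte in the last piece and confirm verification now fails.
run_demo() {
  work=$(mktemp -d)
  dd if=/dev/urandom of="$work/drive.bin" bs=1024 count=2560 2>/dev/null
  src_hash=$(sha1_of "$work/drive.bin")          # dc3dd: hash of the input
  n=$(split_image "$work/drive.bin" "$work/image" 1)
  verify_split "$work/image" "$n" "$src_hash" || return 1
  # Tamper: XOR byte 7 of the last piece with 0xFF so it is guaranteed to change.
  last=$(printf '%s.%03d' "$work/image" $((n - 1)))
  cur=$(dd if="$last" bs=1 skip=7 count=1 2>/dev/null | od -An -tu1 | tr -d ' ')
  printf "\\$(printf '%03o' $((cur ^ 255)))" \
    | dd of="$last" bs=1 seek=7 conv=notrunc 2>/dev/null
  if verify_split "$work/image" "$n" "$src_hash" 2>/dev/null; then
    echo "tampered piece was not detected" >&2; return 1
  fi
  rm -rf "$work"
  echo "$n pieces written, verified, and tampering detected"
}

run_demo
```

The per-piece check is what hashwindow= makes possible: when one piece of a multi-terabyte image is damaged in transit, you learn which piece to re-copy instead of re-imaging the drive; the concatenation check is the one that ties the set of pieces back to the hash of the evidence recorded at acquisition time.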

ddrescue

ddrescue (GNU ddrescue) copies data from one file or block device to another and is built for sources that are failing. Instead of giving up at the first read error, or padding unreadable blocks with zeros the way dd does with conv=noerror,sync, it copies everything readable first, records what it has and has not recovered in a logfile (called a mapfile in current releases), and then goes back to retry the bad areas. Because the logfile tracks which blocks were recovered, it can also merge several damaged copies of the same file into one copy that is, with luck, undamaged. The example below, taken from the ddrescue manual, rescues a whole disk /dev/hda holding ext2 partitions onto a second disk /dev/hdb and then checks the filesystems. The first run (-f forces writing to an output device, -n skips the slow splitting of bad areas) grabs as much as possible quickly; the second run (-d reads the source with direct access, bypassing the kernel cache, -r3 retries each bad sector up to three times) works on what is left, using the same logfile to pick up where the first run stopped, so the logfile name must not change between runs. fdisk then lets you inspect or repair the partition table on the copy, and e2fsck is run on the copied partitions (/dev/hdb1 and /dev/hdb2 here), never on the failing original. For evidence work, rescue to an image file rather than a second disk whenever possible, and remember that a destination device must be at least as large as the source.

Example usage: ddrescue -f -n /dev/hda /dev/hdb logfile
Example usage: ddrescue -d -f -r3 /dev/hda /dev/hdb logfile
Example usage: fdisk /dev/hdb
Example usage: e2fsck -v -f /dev/hdb1
Example usage: e2fsck -v -f /dev/hdb2

ewfacquire

ewfacquire, from the libewf project, creates disk images in the Expert Witness Format (EWF, the .E01 format) used by EnCase, FTK (Forensic Toolkit) and most other forensic suites. It always stores an MD5 hash of the acquired data and can compute additional digests with -d (sha1, and sha256 in newer releases). The example below images /dev/sdb1, computes a SHA-1 digest alongside the MD5, and writes its log to /root/Desktop/log.txt; run with no further options, ewfacquire prompts interactively for the target filename, case number, evidence number, examiner name and the other metadata that is embedded in the image. Note that /dev/sdb1 is a single partition: imaging it leaves out the partition table and any space outside that partition, so unless there is a reason to want only the partition, point it at the whole device (/dev/sdb).

Example usage: ewfacquire -d sha1 -l /root/Desktop/log.txt /dev/sdb1
