Week 3 Lab
Hardware/Software Setup Required
dd for Windows (available at http://www.chrysocome.net/dd)
Any distribution of Linux. For this exercise, we are using the Knoppix 5.1 Live CD available at http://www.knoppix.net/.
Problem Description
When investigating a computer-related crime, you should never work directly with the information stored in the computer hard disk (or any other storage medium). Instead, you should perform a bit-stream copy of the disk and analyze the data using this forensic copy. In this exercise, you are asked to create a forensic copy (image) of a flash drive connected to a Windows-based computer using the dd command. Then, you will need to mount the acquired image on a Linux box and explore the content of the flash drive.
Estimated completion time: 1 hour
Outcome
Report the steps you need to perform these tasks.
Validation/Evaluation
• To acquire the image, you need to know the preferred device name. How can you find out the name of the device using dd?
• How can you force dd to display progress information when acquiring the image?
• Is the image mounted for read-only operations?
• How can you mount the image with read-only permissions?
Lab Solution
1. Download dd for Windows from http://www.chrysocome.net/dd.
2. Unzip the dd-0.5.zip file to C:\dd-0.5.
3. Click Start->Run, write cmd and press Enter to open a new command prompt window.
4. In the command prompt window type cd c:\dd-0.5 and press Enter.
5. Connect the pendrive to your computer and check the drive letter assigned to it. Note: For this exercise, the pendrive was assigned H. Notice also that the file system is reported as FAT32.
6. Before acquiring the image, you need to know the preferred name for the device. For this, type dd --list and press Enter.
7. Now, to acquire the image, type dd --progress if=\\.\h: of=pendrive.img and press Enter.
8. Verify that the image file was created. Type dir and press Enter. A file named pendrive.img should be listed. Note: the size of the file depends on the capacity of the flash drive. In our case, we are working with a 256 MB drive.
9. Next, we will mount this image on a Linux box and analyze the data acquired. Copy the pendrive.img file to another flash drive and take it with you.
10. Use your Linux workstation for the following steps. Note: In our case, we will boot on the same computer using Knoppix 5.1 Live CD, but any other Linux distribution can also be used. When booting from the same computer, you can mount the image directly from the computer hard disk instead of the flash drive. However, we will mount the image copied to your flash drive to avoid any confusion.
11. Connect your flash drive with the acquired image to your Linux computer. Note: You may need to manually mount it if the drive wasn’t automatically mounted. Check man mount for help. Also, in our case, the flash drive was mounted to /media/sda1/. This might be different on each computer.
12. Open a new shell window and type su to gain root privileges.
13. You need to create a mounting directory before mounting the image. Type mkdir /mnt/pendrive and press Enter.
14. To mount the image, type mount -t vfat -o loop /media/sda1/pendrive.img /mnt/pendrive and press Enter.
Note: We are using vfat as the file system type since the image was acquired from a FAT32 device. Check man mount for other file systems options.
15. Read the man pages for the mount command and fill in the table below with the appropriate option for mounting the following file systems:

File System    mount -t option
-----------    ---------------
Ext3
NTFS
FAT32
ISO 9660
16. Now use your preferred file explorer and open the /mnt/pendrive directory.
17. The mount command used above mounts the image with read and write permissions. It is advisable to mount the image for read-only operations. For this, type mount -t vfat -o loop,ro,umask=0222 /media/sda1/pendrive.img /mnt/pendrive and press Enter.
What does umask=0222 mean? What other values are accepted?
18. Now type cd /mnt/pendrive and press Enter to go to the mounted image. Then, try creating a new directory with mkdir NewDir and press Enter. Notice the error message.
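The read-only mount from step 17, as an added example that is not part of the original lab: a POSIX sh script that performs the mount and then confirms from /proc/mounts that the kernel really holds it read-only, plus a helper that shows what a given umask value turns into on a vfat mount. The image path, mount point and the /proc/mounts sample line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original lab. Needs root for the mount itself.

# Return 0 if a /proc/mounts line carries the "ro" option.
# Fields of /proc/mounts: device mountpoint fstype options dump pass
mount_line_is_ro() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    # Surround with commas so "ro" is matched as a whole option only
    # (e.g. "errors=remount-ro" must not count as "ro").
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# vfat has no per-file permission bits; every file gets 0777 & ~umask.
# Prints the resulting mode in octal (umask=0222 gives 0555: no write bits).
vfat_mode_from_umask() {
    case $1 in
        ''|*[!0-7]*) return 1 ;;   # reject anything that is not octal
    esac
    printf '%04o\n' $(( 0777 & ~0$1 ))
}

# Mount IMG read-only on MNT (as in step 17) and verify via /proc/mounts.
# Returns 0 only if the mount succeeded AND the kernel reports it as ro.
mount_image_ro() {
    img=$1
    mnt=$2
    mkdir -p "$mnt" || return 1
    mount -t vfat -o loop,ro,umask=0222 "$img" "$mnt" || return 1
    line=$(awk -v m="$mnt" '$2 == m' /proc/mounts)
    mount_line_is_ro "$line"
}

# Usage (assumed paths): ./check_ro_mount.sh /media/sda1/pendrive.img /mnt/pendrive
if [ "$#" -eq 2 ]; then
    if mount_image_ro "$1" "$2"; then
        echo "image mounted read-only at $2"
    else
        echo "mount failed or is NOT read-only" >&2
        exit 1
    fi
fi
```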