Sunday, March 29, 2026

A step-by-step guide on how to perform a drive acquisition using dc3dd

Step 1: Identify the Target Drive

Before starting, you must identify the correct device path for the drive you wish to image. Using a command like fdisk helps ensure you don't accidentally image the wrong disk.

  • Command: sudo fdisk -l

  • Result: In the provided example, the target drive is identified as /dev/sdb, a 1.9 GiB device.

Step 2: Prevent Data Overwriting (Write-Blocking)

Option A: Hardware Write-Blocker (Recommended)

Use a physical hardware write-blocker (like Tableau or WiebeTech) between the suspect drive and your workstation. This is the gold standard in forensics.

Option B: Software Write-Block (Forensics Mode)

Step 3: Execute the Acquisition Command

Run the dc3dd command with the flags for hashing and logging. Hashing during acquisition is what lets you verify the integrity of the forensic image afterwards, and the log documents how the acquisition was performed.

Command: sudo dc3dd if=/dev/sdb of=Desktop/CF005.dd hash=sha256 log=CF005.log

Breaking down the flags:

  • if=/dev/sdb: The input file (source drive).
  • of=Desktop/CF005.dd: The output file (forensic image destination).
  • hash=sha256: Calculates the SHA256 hash during the imaging process.
  • log=CF005.log: Creates a log file detailing the acquisition.

Step 4: Monitor Progress

dc3dd provides a real-time progress bar, showing the percentage completed, the amount of data copied, and the current transfer speed.

  • Example: The image shows the process at 9% completion with a speed of 7.4 M/s.

Step 5: Review Acquisition Results

Once completed, dc3dd will display the input and output results. This includes the total sectors processed and the final hash value.

  • Input Results: 3870720 sectors in.

  • SHA256 Hash: f2404d910f82fc1e7d5907e28cb511cfb1d8a7d61d2f965e17f9019200054184.

Step 6: Verify Integrity

To ensure the image is a perfect bit-for-bit copy, you should manually verify the hashes of both the source drive and the resulting image file.

  1. Check Source Hash: sudo sha256sum /dev/sdb > source_CF005.txt

  2. Check Image Hash: sudo sha256sum Desktop/CF005.dd > Image_CF005.txt

Pro Tip: If the hashes match (as seen in the example images), you have a verified bit-for-bit copy; keep both hash files together with the dc3dd log, as this is the record that maintains the chain of custody and proves that the data has not been altered during the process.
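The cross-check in Steps 3 to 6 can be scripted so the three values (the digest dc3dd wrote to its log, a fresh sha256sum of the source and a fresh sha256sum of the image) are compared automatically. The following is an added shell example, not code from the original post; the dc3dd log layout it parses, the file names and the temporary-directory demo are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: cross-check a dc3dd acquisition
# by comparing the digest dc3dd wrote to its log with fresh sha256sum runs over
# the source device and the image file. Paths and the log layout are assumed.
set -u

# Pull the SHA-256 out of a dc3dd log. dc3dd records the digest as a line
# ending in "(sha256)" under "input results" (assumed layout, see demo log).
log_sha256() {
    grep -Eo '[0-9a-f]{64} \(sha256\)' "$1" | head -n 1 | cut -d ' ' -f 1
}

# Digest of a device or file; sha256sum prints "HASH  PATH", keep the hash.
sha256_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Succeeds only when source, image and logged digest are all identical.
verify_acquisition() {
    h_src=$(sha256_of "$1"); h_img=$(sha256_of "$2"); h_log=$(log_sha256 "$3")
    printf 'source %s\nimage  %s\nlog    %s\n' "$h_src" "$h_img" "$h_log"
    [ -n "$h_log" ] && [ "$h_src" = "$h_img" ] && [ "$h_img" = "$h_log" ]
}

# Constructed demo: a text file stands in for /dev/sdb, plain dd stands in
# for dc3dd, and the log is written in the assumed dc3dd layout. A second
# image with one byte changed must be rejected. Returns 0 only if the good
# image passes and the tampered image fails.
demo() {
    d=$(mktemp -d)
    seq 1 100000 > "$d/sdb"
    dd if="$d/sdb" of="$d/CF005.dd" bs=512 2>/dev/null
    cat > "$d/CF005.log" <<EOF
input results for device \`$d/sdb':
   0 bad sectors replaced by zeros
   $(sha256_of "$d/sdb") (sha256)
EOF
    cp "$d/CF005.dd" "$d/tampered.dd"
    printf 'X' | dd of="$d/tampered.dd" bs=1 seek=4096 conv=notrunc 2>/dev/null
    ok=1
    if verify_acquisition "$d/sdb" "$d/CF005.dd" "$d/CF005.log"; then ok=0; fi
    if verify_acquisition "$d/sdb" "$d/tampered.dd" "$d/CF005.log"; then ok=1; fi
    rm -rf "$d"
    return $ok
}
```

On a real acquisition call verify_acquisition with /dev/sdb, Desktop/CF005.dd and CF005.log from Step 3 instead of running demo.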


Note: The content on this website is provided for informational and educational purposes only.

* If any of the information contains errors, we apologize. Please notify the Admin so it can be corrected.
Thank you.

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud
