
Part 4 Imaging tools

Imaging tools are software applications used in digital forensics to create exact copies or images of digital media, such as hard drives, memory cards, and other storage devices. These tools create a bit-by-bit copy of the original media, which is then used for analysis and investigation.

1.1 Some commonly used imaging tools in digital forensics:

1. dd: dd is a command-line tool used in Linux and other Unix-based operating systems to create images of digital media. It is a simple and powerful tool that can create exact copies of disks, partitions, and files.

Eg. Scenario: we need to clone a USB drive

· Make sure the USB drive is attached (use a USB 3 port).

· Open a terminal and identify the device: $ sudo fdisk -l

· Create the image with dd: $ sudo dd if=/dev/sdb1 of=/home/sansforensics/Desktop/cases/usb_image.img bs=4M

FTK Imager: FTK Imager is a popular imaging tool used in digital forensics. It supports a wide range of file formats and allows investigators to create images of disks, partitions, and individual files. It also has advanced features such as the ability to view and extract data from memory dumps.

· Scenario: we need to dump memory from a running suspect machine and find passwords stored in RAM

Eg. https://www.sans.org/blog/forensics-101-acquiring-an-image-with-ftk-imager/

· First download FTK Imager from the AccessData website to a Windows machine

· Copy the entire "FTK Imager" installation folder (the default installation folder is C:\Program Files\AccessData\FTK

· Run FTK Imager on the victim machine

· Capture memory

· Open the analysis machine

· In FTK Imager, open the memory dump location

· Right-click on ASCII

· Use Find (for example, search for "www") to locate visited sites, passwords ……


2. Hash image file

In digital forensics, a hashing tool is a software application used to calculate and verify hash values of files, data, and other digital artifacts. Hashing is a process of generating a unique fixed-size digital fingerprint of a file or data set, which can be used to identify and verify the integrity of the original data. Hashing tools are used extensively in digital forensics investigations to verify the authenticity of digital evidence, ensuring that the data has not been tampered with or altered. These tools can also be used to compare the hash values of different versions of the same file, helping investigators to determine if any modifications have been made.

Some commonly used hashing tools in digital forensics include:

· FTK Imager: A popular digital forensics tool that includes a hashing module, allowing investigators to quickly generate hash values for files and data sets.

· Md5sum

· sha256sum

In summary, a hashing tool is an essential component of any digital forensics investigation, allowing investigators to verify the integrity and authenticity of digital evidence.

Eg. Scenario: generate a hash value for the evidence to make sure no one alters it

1. md5sum

$ md5sum filename.extension

8be0a2700ed6e587ee9c6d5bd89b8ce2 reg.reg


Note: for a big file this takes time


Eg. Scenario: make sure the file content has not changed: create a text file and generate a hash value for it, then modify the file, create a new hash and compare:

$ md5sum cv.txt

fd2b2ef1f3f3f7f5da52623f8b84fa3d cv.txt


Change some content

$ md5sum cv.txt

d6b29ea623deb3fdb1a6314be853b032 cv.txt

$ sha256sum cv.txt

27a72ef1f0236d7e3a1d406723f9c58c3427c6979934d4c37fee09f0bb7005e5 cv.txt

$ sha256sum cv2.txt

f137f03fc4543c8158b1607012e44e3286bedd280c6795a9c5fb4727b429589d cv2.txt



Note that the likelihood of two different files having the same hash value is extremely low, which makes hash values a useful tool for verifying the integrity of files.


Compare two results

To compare two MD5 checksum results:

You can compare the checksums manually by visually inspecting them, or you can use a software tool to compare them automatically. Most file comparison tools have the ability to compare checksums, and they will indicate if the checksums are identical or different.

It's worth noting that MD5 checksums are not 100% reliable for verifying the integrity of files, as it is possible for two different files to have the same MD5 checksum (known as a "collision"). For stronger security, you can use a more secure hashing algorithm like SHA-256.



$ diff -u cv.txt cv2.txt

If there is no output, the two files are identical.

To perform the verification function using md5sum, simply run the command:

$ md5sum cv.txt > cv.md5

$ md5sum -c cv.md5

cv.txt: OK

When we change some content:

$ md5sum -c cv.md5

cv.txt: FAILED

md5sum: WARNING: 1 computed checksum did NOT match
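The dd acquisition from the first section and the md5sum/sha256sum verification just shown, put together as one added shell example (this is not code from the original post): the image is acquired with dd, the source and the image are hashed and compared, a checksum manifest is written in the format `sha256sum -c` reads back, and the manifest check is repeated after one byte of the image is altered so the FAILED result can be seen. The "device" is a constructed regular file standing in for /dev/sdb1 (an assumption so the script runs without root or a real USB drive), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Acquire an image with dd, hash
# source and image, record a SHA-256 manifest and verify it with sha256sum -c.
# The "device" is a constructed regular file standing in for /dev/sdb1, so the
# script runs without root or a real USB drive.

# acquire_image SRC DEST: bit-for-bit copy with dd (bs=4M as in the post).
# No conv=sync padding is used, so the image hash must equal the source hash.
acquire_image() {
    dd if="$1" of="$2" bs=4M 2>/dev/null
}

# file_hash ALGO FILE: print only the digest (ALGO is md5 or sha256).
file_hash() {
    "${1}sum" "$2" | cut -d ' ' -f 1
}

# verify_image SRC IMAGE: succeed only if both SHA-256 digests agree.
verify_image() {
    [ "$(file_hash sha256 "$1")" = "$(file_hash sha256 "$2")" ]
}

# write_manifest IMAGE: store "<digest>  <name>" in IMAGE.sha256 next to it,
# the same format md5sum -c / sha256sum -c reads back.
write_manifest() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# check_manifest IMAGE: exit 0 if IMAGE still matches the recorded digest
# (sha256sum -c prints "name: OK" or "name: FAILED"; --status keeps it silent).
check_manifest() {
    ( cd "$(dirname "$1")" && sha256sum -c --status "$(basename "$1").sha256" )
}

# run_demo: the whole flow in a scratch directory; prints one summary line.
run_demo() {
    work=$(mktemp -d)
    seq 1 200000 > "$work/sdb1.bin"        # constructed stand-in for /dev/sdb1
    acquire_image "$work/sdb1.bin" "$work/usb_image.img"
    verify_image "$work/sdb1.bin" "$work/usb_image.img" && r1=ok || r1=MISMATCH
    write_manifest "$work/usb_image.img"
    check_manifest "$work/usb_image.img" && r2=OK || r2=FAILED
    # Simulate tampering: overwrite the first byte ('1') of the image in place.
    printf 'X' | dd of="$work/usb_image.img" bs=1 conv=notrunc 2>/dev/null
    check_manifest "$work/usb_image.img" && r3=OK || r3=FAILED
    rm -rf "$work"
    echo "image:$r1 manifest:$r2 after-tamper:$r3"
}

run_demo
```

Running the script prints `image:ok manifest:OK after-tamper:FAILED`: the image matched its source, the manifest verified, and the single-byte change was caught, exactly as the `cv.txt: FAILED` output above shows for md5sum -c. On a real block device the dd line needs root and should be run behind a write blocker; the manifest should be written to the case folder immediately after acquisition, since a digest recorded later only proves the image has not changed since that later point.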

