
Part 4 Imaging tools

Imaging tools are software applications used in digital forensics to create exact copies or images of digital media, such as hard drives, memory cards, and other storage devices. These tools create a bit-by-bit copy of the original media, which is then used for analysis and investigation.

1.1 Here are some commonly used imaging tools in digital forensics:

1. dd: dd is a command-line tool used in Linux and other Unix-based operating systems to create images of digital media. It is a simple and powerful tool that can create exact copies of disks, partitions, and files.

Eg. Scenario: we need to clone a USB drive

· make sure the USB drive is connected, preferably over USB 3

· open a terminal and identify the device: $ sudo fdisk -l

· create the image with dd (double-check that if= is the suspect device, because swapping if= and of= would overwrite it): sudo dd if=/dev/sdb1 of=/home/sansforensics/Desktop/cases/usb_image.img bs=4M

FTK Imager: FTK Imager is a popular imaging tool used in digital forensics. It supports a wide range of file formats and allows investigators to create images of disks, partitions, and individual files. It also has advanced features such as the ability to view and extract data from memory dumps.

· Scenario: we need to dump memory from a running suspect machine and find a stored password in RAM

Eg. https://www.sans.org/blog/forensics-101-acquiring-an-image-with-ftk-imager/

· First download FTK Imager from the AccessData website to a Windows machine

· Copy the entire "FTK Imager" installation folder (the default installation folder is C:\Program Files\AccessData\FTK

· run FTK Imager on the victim machine from the copied folder

· Capture memory

· Move the dump to the analysis machine

· In FTK Imager, open the memory dump location

· Right-click in the ASCII view

· Use Find to search for strings such as www (to locate open sites), password ……


2. Hash image file

In digital forensics, a hashing tool is a software application used to calculate and verify hash values of files, data, and other digital artifacts. Hashing is a process of generating a unique fixed-size digital fingerprint of a file or data set, which can be used to identify and verify the integrity of the original data. Hashing tools are used extensively in digital forensics investigations to verify the authenticity of digital evidence, ensuring that the data has not been tampered with or altered. These tools can also be used to compare the hash values of different versions of the same file, helping investigators to determine if any modifications have been made.

Some commonly used hashing tools in digital forensics include:

· FTK Imager: A popular digital forensics tool that includes a hashing module, allowing investigators to quickly generate hash values for files and data sets.

· md5sum

· sha256sum

In summary, a hashing tool is an essential component of any digital forensics investigation, allowing investigators to verify the integrity and authenticity of digital evidence.

Eg. Scenario: generate a hash value for the evidence to make sure no one alters it

1. md5sum

$ md5sum reg.reg

8be0a2700ed6e587ee9c6d5bd89b8ce2 reg.reg


Note: for a big file this takes time


Eg. Scenario: make sure the file content has not changed: create a text file and generate a hash value for it, then modify the file, create a new hash and compare:

$ md5sum cv.txt

fd2b2ef1f3f3f7f5da52623f8b84fa3d cv.txt


Change some content

$ md5sum cv.txt

d6b29ea623deb3fdb1a6314be853b032 cv.txt

$ sha256sum cv.txt

27a72ef1f0236d7e3a1d406723f9c58c3427c6979934d4c37fee09f0bb7005e5 cv.txt

$ sha256sum cv2.txt

f137f03fc4543c8158b1607012e44e3286bedd280c6795a9c5fb4727b429589d cv2.txt



Note that the likelihood of two different files having the same hash value is extremely low, which makes hash values a useful tool for verifying the integrity of files.


Compare the two results

To compare two MD5 checksum results, you can follow these steps:

You can compare the checksums manually by visually inspecting them, or you can use a software tool to compare them automatically. Most file comparison tools have the ability to compare checksums, and they will indicate if the checksums are identical or different.

It's worth noting that MD5 checksums are not 100% reliable for verifying the integrity of files, as it is possible for two different files to have the same MD5 checksum (known as a "collision"). For stronger security, you can use a more secure hashing algorithm like SHA-256.



$ diff -u cv.txt cv2.txt

If there is no output, the two files are identical

To perform the verification function using md5sum, simply run the command:

$ md5sum cv.txt > cv.md5

$ md5sum -c cv.md5

cv.txt: OK

when we change some content:

$ md5sum -c cv.md5

cv.txt: FAILED

md5sum: WARNING: 1 computed checksum did NOT match
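The dd cloning scenario from section 1 and the hash-and-verify steps above are combined in the following added example; it is not code from the original post or from the coreutils project. It assumes GNU coreutils (dd, md5sum, sha256sum, cmp) on PATH and uses a constructed 60 KiB file as a stand-in for /dev/sdb1, so it runs without a real USB drive; the $WORK directory and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Acquire an image with dd, prove it
# is a bit-for-bit copy by hashing source and image, record the hash in a
# manifest, verify the manifest with sha256sum -c, then show the verification
# failing once the evidence file has been modified.
# Assumptions: GNU coreutils dd/md5sum/sha256sum/cmp. The "device" is a
# constructed file; in a real acquisition the source would be the block device
# identified with fdisk -l (for example /dev/sdb1).

WORK="${TMPDIR:-/tmp}/imaging_demo.$$"
mkdir -p "$WORK"

# Constructed stand-in for the USB drive: 4096 fake "sectors" of 15 bytes each.
make_device() {
    i=0
    while [ "$i" -lt 4096 ]; do
        printf 'sector %08d\n' "$i"
        i=$((i + 1))
    done > "$WORK/device.bin"
    printf '%s\n' "$WORK/device.bin"
}

# Bit-for-bit acquisition. 4194304 bytes is the bs=4M from the post, spelled
# out so it is accepted by any dd implementation.
acquire_image() {
    dd if="$1" of="$2" bs=4194304 2>/dev/null
}

# Digest helpers: print only the hex value so two results compare as strings.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }
md5_of()    { md5sum    "$1" | cut -d' ' -f1; }

# Record the image hash beside the image (the "md5sum cv.txt > cv.md5" step
# above, using SHA-256). Prints the manifest path.
write_manifest() {
    sha256sum "$1" > "$1.sha256"
    printf '%s\n' "$1.sha256"
}

# Re-check the image against its manifest; prints OK or FAILED.
verify_manifest() {
    if sha256sum -c "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAILED
    fi
}

# Simulate the evidence being altered: overwrite the first byte in place, so
# the size stays the same and only the content changes.
tamper() {
    printf 'X' | dd of="$1" bs=1 seek=0 conv=notrunc 2>/dev/null
}

# Byte-level comparison for binary images (diff -u above is for text files).
same_bytes() {
    if cmp -s "$1" "$2"; then echo identical; else echo different; fi
}

run_demo() {
    dev=$(make_device)
    img="$WORK/usb_image.img"
    acquire_image "$dev" "$img"
    echo "source sha256 : $(sha256_of "$dev")"
    echo "image  sha256 : $(sha256_of "$img")"
    echo "source md5    : $(md5_of "$dev")"
    echo "image  md5    : $(md5_of "$img")"
    manifest=$(write_manifest "$img")
    echo "verify after acquisition : $(verify_manifest "$manifest")"
    tamper "$img"
    echo "verify after modification: $(verify_manifest "$manifest")"
    echo "cmp source vs image      : $(same_bytes "$dev" "$img")"
}

run_demo
```

Hashing the source and the image separately, as the demo does, is what shows the acquisition was complete; the manifest then lets anyone repeat the check later with a single sha256sum -c. For binary images cmp is the right comparison tool, since diff only reports that binary files differ.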

