comparison, checking and comparison of cryptographic checksums, system setup checks,
lists of services and processes, and systems for tracing the attacking sites and their
ISPs.
We shall proceed by examining the tools that preserve evidence by creating an
image of it.
2.1.2 Creating Disk Images in a UNIX Environment
I personally believe that, in addition to ensuring the integrity of the evidence
base, one of the main objectives of the Preservation phase is to allow the image
to be examined with the greatest possible variety of investigation tools. To this
end, the format I prefer for the disk image is the raw format produced by dd. This
tool has been tested by the National Institute of Standards and Technology (NIST)
as part of its Computer Forensics Tool Testing (CFTT) project, which supports the
acceptance of its output in court. For further information on dd, see the POSIX
specification at http://www.opengroup.org/onlinepubs/009695399/utilities/dd.html .
dd copies a file (by default from standard input to standard output) using preset
input and output block sizes, and may convert the data as it goes. It reads the input
one block at a time, using the input block size specified (the default is 512 bytes).
If the bs=bytes option is given and no conversion other than sync, noerror or notrunc
is requested, it writes the amount of data read (which may be less than requested) as
a separate output block. This output block has the same length as the input block,
unless the sync conversion is specified, in which case the data is padded up to the
input block size with NUL bytes (or with spaces when the block or unblock conversion
is also in effect).
Otherwise the input, read one block at a time, is processed and the resulting output
is collected and written in blocks of the specified size. The final output block may
be shorter.
The numeric arguments (byte counts and block counts) may be followed by a
multiplier: k = 1024, b = 512, w = 2, c = 1 ("w" and "c" are GNU extensions;
"w" should never be used, since it means 2 in System V and 4 in 4.2BSD). Two or
more such expressions may be multiplied by placing an "x" between them.
Images created with dd can be imported into recent versions of the best-known
forensic investigation tools, both open-source and commercial, such as FTK, EnCase
or SMART. The basic concept is that dd makes a bit-by-bit copy from one location
to another using the syntax:
dd if=<src> of=<dst>
where <src> and <dst> may be files, file-system partitions or an entire hard drive.
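As an added example (not code from the book), the following POSIX shell script performs the acquisition just described as a practitioner would: it images a source with dd using bs=4k (the "k" multiplier) and conv=noerror,sync, keeps dd's "records in/out" counts as a log beside the image, hashes source and image with SHA-256, and verifies them. The source is a constructed 4096-byte file standing in for a block device, so the script runs offline; the paths under $WORK, the marker string and the helper names are assumptions of this example. It also demonstrates the caveat on conv=sync stated above: when the source length is not a multiple of bs, the last block is padded with NULs, so the image is longer than the source and its hash no longer matches.

```shell
#!/bin/sh
# Added example (not from the book): image a source with dd, keep dd's record
# counts as a log, hash source and image, and verify. The "device" is a
# constructed file so this runs offline; on a real acquisition the source is
# the block device (e.g. /dev/sdb) behind a write blocker.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of a file: sha256sum on GNU/Linux, shasum on BSD/macOS.
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Size of a file in bytes (wc pads its output with spaces on some systems).
size_of() { wc -c < "$1" | tr -d ' '; }

# Constructed evidence source: 8 sectors of 512 bytes (4096 bytes total) with a
# marker string written at offset 1000. A real device is always a whole number
# of sectors; the optional second argument appends extra bytes to simulate a
# source whose length is NOT a multiple of the dd block size.
make_source() {
  dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
  printf 'evidence' | dd of="$1" bs=1 seek=1000 conv=notrunc 2>/dev/null
  if [ -n "${2:-}" ]; then printf '%s' "$2" >> "$1"; fi
}

# Image $1 into $2 with bs=4k (the "k" multiplier = 1024) and the conversion
# flags in $3 (default noerror,sync: keep going past read errors and pad the
# short block with NULs so later offsets stay aligned). dd's stderr, which
# carries the "records in/out" counts, is kept next to the image as a log, and
# both source and image are hashed so the copy can be verified later.
image_source() {
  conv=${3:-noerror,sync}
  dd if="$1" of="$2" bs=4k conv="$conv" 2>"$2.log"
  sha256 "$1" > "$2.src.sha256"
  sha256 "$2" > "$2.sha256"
}

# Succeeds only if the image hash equals the source hash recorded at imaging time.
verify_image() {
  [ "$(cat "$1.src.sha256")" = "$(cat "$1.sha256")" ]
}

# Stand-alone demonstration: an aligned source verifies, an unaligned one does
# not once conv=sync has padded the final block.
make_source "$WORK/dev"
image_source "$WORK/dev" "$WORK/dev.dd"
if verify_image "$WORK/dev.dd"; then echo "aligned source: image verified"; fi

make_source "$WORK/odd" "tail"
image_source "$WORK/odd" "$WORK/odd.dd"
if ! verify_image "$WORK/odd.dd"; then
  echo "unaligned source with conv=sync: image is $(size_of "$WORK/odd.dd") bytes, hash differs"
fi
```

On a real acquisition the source hash is taken from the device itself (for example sha256sum /dev/sdb) and recorded with the image and the dd log; a device is always a whole number of sectors, so with a bs that divides the device size the padding case above does not arise, but it does when imaging a file or a partition whose size is not a multiple of bs. To move the image across the network, the same dd command is piped into netcat on the evidence host (dd if=/dev/sdb bs=4k conv=noerror,sync | nc collector 9000) and received with a listening netcat on the collector (nc -l 9000 > evidence.dd; some netcat variants need -l -p 9000), after which the image is hashed on the collector and compared with the device hash.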
dd is not a network program, but it can be combined with 'netcat' to send an image across a network. Netcat