
Saturday, February 23, 2019

Forensic Acquisition Tools

Sebastian
NET 182 W01
September 16, 2012
Chapter 4 Project Summary

Project 4-1

In this project I've researched current acquisition tools. An acquisition tool is a program or hardware device used to read a digital source and then create either an image file or a clone of a digital source. There are numerous tools available now for use in computer forensics. They include both open source and copyrighted software. Some of the more common software is ProDiscover, SnapBack DatArrest, NTI SafeBack, DIBS USA RAID, ILook Investigator IXimager, Vogon International SDi32, ASRData SMART and Australian Department of Defence PyFlag.

Case 4-2

In this case project I need to make a fast disk image of the suspect hard drive. For this project I can use a Linux live CD and a USB drive (USB 3.0 with a transfer rate of 625 MB/s).

1. Boot the suspect computer to Linux using the Linux CD (even if the computer is a Windows computer you can boot it to Linux).

2. After booting to Linux I insert the USB thumb drive and mount it:

    mkdir /mnt/usbdrive
    mount /dev/sda1 /mnt/usbdrive

3. Then I run the dd command by typing:

    dd if=/dev/hda6 of=/mnt/usbdrive/murder.img bs=4096

This tells Linux to make a bit-stream copy from the input file (if) /dev/hda6 (which is the E partition of the drive) to the output file (of) /mnt/usbdrive/murder.img (which is a file called murder.img on the USB drive). The bs option sets the block size to approximately 4K, which is a good size for many moderate-sized copying jobs.

4. Now I can unmount the USB drive by typing:

    umount /mnt/usbdrive

This allows Linux to finish writing to the USB drive.

5. Now I have a bit-by-bit copy of the 10 GB partition E on the USB drive, in a file called murder.img.

Hands-on Project 4-3

In this project I've created a FAT32 disk partition using Linux. These are the steps to create a FAT32 partition in Linux:

1. I boot the computer with Ubuntu Linux.
2. Then I connect an external hard drive.
3. At the shell I type su and press Enter, then type the password and press Enter.
4. To find the location of the hard drive I type:

    fdisk -l
    fdisk /dev/sdb

   Command: p (display partitions). This shows the NTFS partition.
5. Command: d (delete a partition). This deletes the NTFS partition.
6. Command: n (add a new partition)
7. Command action: p (primary partition (1-4))
8. Partition number (1-4): 1
9. First cylinder: (Enter for default)
10. Last cylinder: (Enter for default)
11. Command: t (change partition system id)
12. Hex code (type L to list codes): b
13. Command: a (toggle a bootable flag)
14. Partition number (1-4): 1
15. Command: p
16. Command: w (write table to disk and exit)
17. Format the new partition:

    mkdosfs -F 32 /dev/sdb1

Now the drive is formatted to FAT32.

Case Project 4-3

In this project we need to make an image of a disk that can't be removed from a computer running the Linux operating system. For the purpose of this project I use the same Linux live CD and the same steps as in project 4-2. What I learned is that the dd command can also be useful for backups. To back up an entire hard disk to another hard disk attached to the same system we need to type:

    dd if=/dev/sda of=/dev/sdb

Hands-on Project 4-4

In this project I learn how to split data. To split files into a manageable size of 30 MB I use the command:

    dd if=/dev/ | split -d -b 30m - file.split.
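An added example, not part of the original post: the dd copy from Case 4-2 and the split from Project 4-4 combined in one shell function that also hashes the source, the image and the reassembled segments, so the copy can be shown to match the original. The function names, the arguments and the use of sha256sum are assumptions; for a dry run the source can be a regular file instead of a partition.

```shell
#!/bin/sh
# Added example (not from the original post): dd acquisition with hash
# verification and split segments. SRC may be a block device such as a
# partition or, for a dry run, a regular file.

hash_of() {  # print only the SHA-256 hex digest of stdin
    sha256sum | cut -d' ' -f1
}

# acquire SRC OUTDIR NAME SEGSIZE
# Prints the source digest and returns 0 only if the image and the
# reassembled segments both match SRC.
acquire() {
    src=$1; outdir=$2; name=$3; segsize=$4
    img="$outdir/$name.img"

    # Hash the source first so every later copy can be compared against it.
    src_hash=$(dd if="$src" bs=4096 2>/dev/null | hash_of)

    # Same dd form as in Case 4-2: raw copy in 4096-byte blocks.
    dd if="$src" of="$img" bs=4096 2>/dev/null || return 2
    sync
    chmod a-w "$img"    # guard the image against accidental writes

    img_hash=$(hash_of < "$img")
    [ "$src_hash" = "$img_hash" ] || { echo "image hash mismatch" >&2; return 1; }

    # Split into numbered segments (NAME.img.00, .01, ...) as in Project 4-4.
    split -d -b "$segsize" "$img" "$img."

    # Two-digit suffixes sort lexically, so the glob reassembles them in order.
    seg_hash=$(cat "$img".[0-9]* | hash_of)
    [ "$src_hash" = "$seg_hash" ] || { echo "segment hash mismatch" >&2; return 1; }

    # Keep the digest next to the evidence for later re-verification.
    printf '%s  %s\n' "$src_hash" "$name.img" > "$outdir/$name.sha256"
    echo "$src_hash"
}
```

Running `sha256sum -c NAME.sha256` in the output directory later rechecks the image against the recorded digest.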
