Activity 13.1 Create a Disk Image

In this excercise I will go over how to use the linux dd tool to create a disk image and then verify the image’s integrity.

  1. First, I will start my Kali Linux VM. (Although any linux distro can be used)
  2. Next mount a USB flashdrive into the VM. In VirtualBox, flash drives can be mounted by clicking the little USB icon and selecting the drive you would like to mount. Forensics
  3. If you have issues mounting the USB, you may need to install VirtualBox guest additions first.
  4. Once the USB file is mounted, it should appear on the desktop or filesystem. Verify the files are contained inside the USB drive. Forensics
  5. Next make a directory to hold the copy of your disk image. I have created a directory called tmp in my home directory. mkdir ~/tmp
  6. Next we will create an MD5 checksum of the USB drive before creating the image. This checksum will be used to validate the integrity of the drive. I will create an MD5 checksum called “…original.md5”. Here is the command I used. Note: you may need to elevate your priveleges in order to run this command. Let the command run, as it could take some time to generate. Forensics
  7. Lets check the md5 generated. Forensics
  8. Now I will clone the the USB drive. Here is the command: dd if=/dev/disk/by-label/CYSA of=~/tmp/excercise7_1_disk.img bs=64k Breaking down each part of the command:
    • if=/dev/disk/by-label/CYSA - Sets the input file by drive label name
    • of=~/tmp/excercise7_1_disk.img - Sets the path of the output file
    • bs=64k - Set the block size of the copy, if you know the block seize of the copy, this will result in a performance increase.
  9. Wait until the command completes. There is not progress bar, but once the command completes, the following output will apppear. Forensics
  10. Now I will create an md5 checksum of the clone. Forensics
  11. Last, I will compare md5 checksums the clone and original in order to cerify the integrity of the forensic copy.
    more excercise7_1_clone.md5 
    more excercise7_1_original.md5

Activity 13.2 Conduct the NIST Rhino Hunt

In this excercise we will go on the great NIST Rhino Hunt. NIST provides numerous practice forensic images which can be downloaded to hone your skills.

  1. First we will download SIFT. A forensics toolkit VM by the SANS institute. According to SANS SIFT is “The SIFT Workstation is a group of free open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings.” After creating a free community membership on the SANS site, the SIFT can be downloaded as an OVA appliance from:
  2. Once downloaded, the appliance can be imported into Virtualbox with File > Import Appliance Forensics
  3. Start the VM. Login with a password of forensics. You should be greeted with a screen similar to this: Forensics
  4. From within this VM, we will download and extract the SANS Rhino Hunt disk image. This can easily be downloaded from: wget
  5. Navigate to the disk image’s directory in the terminal. Now mount the Rhino USB image. sudo mount RHINOUSB.dd /mnt/usb
  6. Navigate to the folder to view the pictures. Note there are only two files in this directory. What has been deleted? ls /mnt/usb
  7. Lets recover the deleted files. Create a directory for the output mkdir output
  8. Run the foremost utility against the RHINOUSB utility. The foremost utility automatically recovers files based on headers and other info. If you recieve the processing image below, the utility has been successful. foremost -o output/ RHINOUSB.dd Forensics
  9. Navigate to the output folder and open the new document recovered from the USB image. Forensics


A glossary of all the terms, acronyms and slang I run across for this chapter.

Forensic Toolkit Components Digital forensics workstation, forensic investigation software, write blockers, drive duplicators, wiped drives, cables, camera, labels, notebooks, chain of custody forms
Common Forensic Software FTK, EnCase, CAINE, Autopsy, SIFT, DumpIt, Memoryze, dd, WinDbg
Slack Space Space leftover when a file is written, can contain fragments of previous files or hidden files.
File Carving Tools which look at data on a block-by-block basis and attempt to recover data
Legal hold States information must be retrained for a legal case
Hashing Used to validate that drive data has not changed
Binary Any executable file, i.e. non-text file
Volatility Open source memory forensics tool
Advanced Office Password Recovery Utility for recovering passwords
Order of volatility Refers to how easy data is to lose. The order of volatility is 1. CPU cache, registers, running processes, RAM 2. Network Traffic 3. Disk Drives 4. Backups, Printouts, Optical Media
Windows Registry Provides info about files and services, locations of deleted files, evidence of applications being run
Autorun Keys Lists programs set to run at startup
MFT Master File Table; details of inactive and removed records
Event logs Logins, service start/stop, evidence of applications being run
INDX files and change logs Evidence of deleted files, MAC timestamps
Volume Shadow Copies Point-in-time info from prior actions
User Directories and files Logged-in user artifacts
Hibernation Files or Memory Dumps Memory artificats of commands run
Temp Directories Artifacts of software installation, user temp file storage, limited lifespan data
dd Linux utility used to lone drives in RAW format
Write blocker Attach to a drive to prevent forensic software from writing to it and ruining drive integrity
USB Historian Tracks the history of USB drives connected to a system
md5sum Hash used to determine if a drive is forensically sound
FTK Full featured forensics suite
WinDbg Tool used to review Windows memory dumps