search

Image Adquisition & Mount

hashtag
Acquisition

hashtag
DD

#This will generate a raw copy of the disk
dd if=/dev/sdb of=disk.img

hashtag
dcfldd

#Raw copy with hashes along the way (more secur s it checks hashes while it's copying the data)
dcfldd if=<subject device> of=<image file> bs=512 hash=<algorithm> hashwindow=<chunk size> hashlog=<hash file>
dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes

hashtag
FTK Imager

You can download the FTK imager from herearrow-up-right.

ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 --description 'A description' --examiner 'Your name'

hashtag
EWF

You can generate a dick image using the ewf toolsarrow-up-right.

ewfacquire /dev/sdb
#Name: evidence
#Case number: 1
#Description: A description for the case
#Evidence number: 1
#Examiner Name: Your name
#Media type: fixed
#Media characteristics: physical
#File format: encase6
#Compression method: deflate
#Compression level: fast

#Then use default values
#It will generate the disk image in the current directory

hashtag
Mount

hashtag
Several types

In Windows you can try to use the free version of Arsenal Image Mounter (https://arsenalrecon.com/downloads/arrow-up-right) to mount the forensics image.

hashtag
Raw

hashtag
EWF

hashtag
ArsenalImageMounter

It's a Windows Application to mount volumes. You can download it here https://arsenalrecon.com/downloads/arrow-up-right

hashtag
Errors

  • cannot mount /dev/loop0 read-only in this case you need to use the flags -o ro,norecovery

  • wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error. in this case the mount failed due as the offset of the filesystem is different than that of the disk image. You need to find the Sector size and the Start sector:

Note that sector size is 512 and start is 2048. Then mount the image like this:

PreviousDocker ForensicsNextLinux Forensics

Last updated