Image Acquisition & Mount
Acquisition
DD
#This will generate a raw copy of the disk
dd if=/dev/sdb of=disk.img
dcfldd
#Raw copy with hashes along the way (more secure, as it checks hashes while it's copying the data)
dcfldd if=<subject device> of=<image file> bs=512 hash=<algorithm> hashwindow=<chunk size> hashlog=<hash file>
dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes
FTK Imager
You can download the FTK Imager from here.
ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 --description 'A description' --examiner 'Your name'
EWF
You can generate a disk image using the ewf tools.
ewfacquire /dev/sdb
#Name: evidence
#Case number: 1
#Description: A description for the case
#Evidence number: 1
#Examiner Name: Your name
#Media type: fixed
#Media characteristics: physical
#File format: encase6
#Compression method: deflate
#Compression level: fast
#Then use default values
#It will generate the disk image in the current directory
Mount
Several types
In Windows you can try to use the free version of Arsenal Image Mounter (https://arsenalrecon.com/downloads/) to mount the forensics image.
Raw
EWF
ArsenalImageMounter
It's a Windows Application to mount volumes. You can download it here https://arsenalrecon.com/downloads/
Errors
cannot mount /dev/loop0 read-only
In this case you need to use the flags -o ro,norecovery
wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.
In this case the mount failed because the offset of the filesystem is different from that of the disk image. You need to find the sector size and the start sector:
Note that sector size is 512 and start is 2048. Then mount the image like this:
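The offset to give mount is the start sector multiplied by the sector size (2048 × 512 = 1048576 bytes for the values above). The script below is an added example, not part of the original page: it reads the start sector straight from the MBR of a raw image and prints the matching read-only mount command. It assumes an MBR partition table; the /mnt mount point, the function names and the sample image are constructed for illustration.

```shell
#!/bin/sh
# Added example: byte offset of an MBR partition inside a raw disk image.
# Assumptions: classic MBR partition table; sector size defaults to 512.

# Print $3 bytes at offset $2 of file $1 as unsigned decimal numbers.
bytes_at() { od -An -v -tu1 -j "$2" -N "$3" "$1" 2>/dev/null; }

# partition_offset IMAGE [PARTITION 1-4] [SECTOR_SIZE]
# Prints start_sector * sector_size, the value to pass to mount -o offset=.
partition_offset() {
    img=$1; part=${2:-1}; ssize=${3:-512}
    [ -r "$img" ] || { echo "cannot read $img" >&2; return 1; }
    # A valid MBR ends with the signature 0x55 0xAA at bytes 510-511.
    set -- $(bytes_at "$img" 510 2)
    [ "${1:-}" = 85 ] && [ "${2:-}" = 170 ] ||
        { echo "no MBR signature" >&2; return 2; }
    # Four 16-byte partition entries start at byte 446.
    set -- $(bytes_at "$img" $(( 446 + (part - 1) * 16 )) 16)
    [ $# -eq 16 ] || { echo "truncated partition table" >&2; return 2; }
    shift 4; ptype=$1    # entry byte 4: partition type
    shift 4              # entry bytes 8-11: start LBA, little-endian
    case $ptype in
        0)   echo "partition $part is empty" >&2; return 3 ;;
        238) echo "protective MBR: disk uses GPT" >&2; return 4 ;;
    esac
    echo $(( ($1 + ($2 << 8) + ($3 << 16) + ($4 << 24)) * ssize ))
}

# Build a constructed 4-sector image: one Linux (0x83) partition at LBA 2048.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=512 count=4 2>/dev/null
    printf '\203' | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null
    printf '\010' | dd of="$1" bs=1 seek=455 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Stand-alone use: sh offset.sh disk.img [partition] [sector_size]
if [ $# -ge 1 ]; then
    off=$(partition_offset "$@") &&
        echo "mount -o ro,loop,offset=$off $1 /mnt"
fi
```

Run it against a working copy of the image, never the original evidence, and compare the printed offset with what fdisk reports for the same image.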