Offline Hard Disk Imaging

Using write-blocking hardware and Helix CD

Imaging Note: These commands assume sdb is the evidence disk (attached through the write blocker and never mounted) and sdc is the image storage drive.

1. Find devices (the pattern matches both IDE hd* and SCSI/SATA/USB sd* names)

   dmesg | grep -E '[sh]d[a-z]'

2. Mount image storage drive

   mount /dev/sdc1 /media/sdc1

3. Make directory for incident case

   mkdir /media/sdc1/[case_no]

4. Make subdirectory for evidence

   mkdir /media/sdc1/[case_no]/[evidence_no]

5. Case info: name, organization, case number, date, description

   mousepad /media/sdc1/[case_no]/case_info.txt

6. Evidence info: name, organization, case number, date and time of image, make, model and serial of the computer, make, model and serial of the HD, where the HD came from and why it is being imaged

   mousepad /media/sdc1/[case_no]/[evidence_no]/evidence_info.txt

7. Change directory and save dmesg to a text file

   cd /media/sdc1/[case_no]/[evidence_no]
   dmesg | tee case_no_dmesg.txt

8. Save info of evidence disk (geometry, boot-time identification and full ATA IDENTIFY; all read-only, so safe through the write blocker)

   hdparm -giI /dev/sdb | tee case_no_hdparm.txt

9. Save partition info of evidence disk (units: sectors; the start sectors are needed for the losetup offset during analysis)

   sfdisk -luS /dev/sdb | tee sfdisk.txt

10. Checksum the text files

   md5sum *.txt | tee case_no_txt_hashes.txt

11. Checksum the evidence disk

   md5sum /dev/sdb | tee serial_no.original.md5.txt

12. Make image with dcfldd (hashwindow=0 hashes the whole image once into hashlog; conv=noerror,sync keeps going past read errors and pads each unreadable block with zeros, so an image hash that differs from step 11 means bad sectors were zeroed, which must be noted on the form)

   dcfldd if=/dev/sdb of=/media/sdc1/[case_no]/[evidence_no]/serial_no.dd conv=noerror,sync hashwindow=0 hashlog=serial_no.md5.txt

13. Record filenames and checksums for the original HD and the image on the form
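Steps 7 through 13 as a bash wrapper, added here as a worked example; it is not code from the card or the IT Security Office. The evidence "device" is a path argument so the functions can be exercised on an ordinary file; on a real case pass the write-blocked disk (the card's /dev/sdb). dd and md5sum stand in for dcfldd so the script runs anywhere; with hashwindow=0 dcfldd's hashlog yields the same whole-image hash. The function names, the txt_hashes.md5 file and the bs=512 choice are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not code from the VT card: a bash wrapper for imaging
# steps 7-13. The evidence "device" is a path argument so the functions can
# be tried on an ordinary file; on a real case pass the write-blocked disk
# (the card's /dev/sdb). dd + md5sum stand in for dcfldd so it runs
# anywhere; dcfldd's hashlog gives the same result with hashwindow=0.

set -u

# Refuse to touch an evidence device the kernel has mounted (or any of its
# partitions): a mounted disk is being written behind our back (atimes,
# journal replay), so its hash would not be reproducible.
ensure_not_mounted() {   # ensure_not_mounted <dev>
    local dev="$1"
    if [ -r /proc/mounts ] && grep -q "^$dev[0-9]* " /proc/mounts; then
        echo "refusing: $dev or one of its partitions is mounted" >&2
        return 1
    fi
}

# Steps 7-10: save the kernel log, drive identification and partition table
# next to the image, then hash the notes so later edits are detectable.
# hdparm/sfdisk need a real block device; on a plain file the fallback
# records why they are absent instead of leaving a silent gap.
record_evidence() {      # record_evidence <dev> <evidence_dir>
    local dev="$1" dir="$2"
    mkdir -p "$dir"
    dmesg > "$dir/dmesg.txt" 2>/dev/null || echo "dmesg: not readable" > "$dir/dmesg.txt"
    hdparm -giI "$dev" > "$dir/hdparm.txt" 2>/dev/null || echo "hdparm: unavailable for $dev" > "$dir/hdparm.txt"
    sfdisk -luS "$dev" > "$dir/sfdisk.txt" 2>/dev/null || echo "sfdisk: unavailable for $dev" > "$dir/sfdisk.txt"
    ( cd "$dir" && md5sum *.txt > txt_hashes.md5 )
}

# Steps 11-13: hash the source, image it, hash the image, and report whether
# the two agree. bs=512 matches the sector size, so conv=sync (pad an
# unreadable block with NULs and keep going) never pads past the end of a
# healthy disk; a mismatch therefore means unreadable sectors were zeroed,
# which must go on the form. Returns 0 only when both hashes agree.
image_and_verify() {     # image_and_verify <dev> <image>
    local dev="$1" img="$2" src_md5 img_md5
    src_md5=$(md5sum < "$dev" | cut -d' ' -f1)
    dd if="$dev" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    img_md5=$(md5sum < "$img" | cut -d' ' -f1)
    printf 'original %s\nimage    %s\n' "$src_md5" "$img_md5" | tee "$img.md5.txt"
    [ "$src_md5" = "$img_md5" ]
}

# Typical run on a case, paths as on the card:
#   ensure_not_mounted /dev/sdb
#   record_evidence /dev/sdb /media/sdc1/CASE/EV1
#   image_and_verify /dev/sdb /media/sdc1/CASE/EV1/serial_no.dd
```

MD5 is what the card and dcfldd default to; it still detects accidental corruption, but collisions have been cheap since 2004, so where an image may be challenged record a second digest as well (dcfldd's hash= option takes several algorithms, comma separated, e.g. md5 and sha256).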

Analysis

1. Create a read-only loopback device for the disk image (offset = partition start sector x sector size; the start sector comes from the sfdisk listing saved during imaging, e.g. 63 x 512 = 32256)

   losetup -r -o 32256 /dev/loop1 /media/sdc1/disk.img

2. Mount the filesystem on the loopback device read-only (a read-write mount replays the journal and updates timestamps, changing the image you just hashed)

   mount -t ntfs -o ro /dev/loop1 /media/diskimg/

3. Use Retriever or other utilities to perform analysis

4. Unmount the filesystem

   umount /dev/loop1

5. Remove the loopback device

   losetup -d /dev/loop1
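The offset in step 1 is the partition's start sector times the sector size. The bash below, added as a worked example and not part of the card, computes it from the sfdisk listing saved during imaging, attaches and mounts the image strictly read-only, and re-hashes the image after analysis against the dcfldd hashlog. It assumes util-linux losetup (the -r, -f and --show flags) and a Linux host; the function names and the sample sfdisk lines in the comments are this example's own.

```shell
#!/bin/bash
# Added example (not part of the original card): compute the losetup offset
# from the sfdisk -luS listing saved during imaging, attach and mount the
# image read-only, and confirm the image is unchanged afterwards. Assumes
# util-linux losetup (-r, -f, --show) and Linux; mounting needs root.

set -u

# Byte offset of <partition> (e.g. /dev/sdb1) from an `sfdisk -luS` listing
# such as (constructed sample of the old sfdisk layout):
#      Device Boot    Start       End   #sectors  Id  System
#   /dev/sdb1   *        63  20964824   20964762   7  HPFS/NTFS
#   /dev/sdb2      20964825  20980889      16065   5  Extended
# The Boot column only appears (as "*") on bootable partitions, so Start is
# field 3 when field 2 is "*", else field 2. Start is in sectors; multiply
# by the sector size (512 unless the listing's Units line says otherwise).
# 63 * 512 = 32256, the value used on the card. Fails if <partition> is absent.
part_offset() {   # part_offset <listing_file> <partition> [sector_bytes]
    local listing="$1" part="$2" sec="${3:-512}"
    awk -v p="$part" -v s="$sec" '
        $1 == p { start = ($2 == "*") ? $3 : $2; printf "%.0f\n", start * s; found = 1 }
        END { exit found ? 0 : 1 }' "$listing"
}

# Attach the image at the partition offset as a READ-ONLY loop device and
# mount it read-only; prints the loop device so the caller can detach it.
# Without -r and ro the kernel would replay the NTFS journal and touch
# timestamps, so the image would no longer match its recorded hash.
mount_image_ro() {   # mount_image_ro <image> <offset_bytes> <mountpoint> [fstype]
    local img="$1" off="$2" mnt="$3" fstype="${4:-ntfs}" loopdev
    loopdev=$(losetup -r -f --show -o "$off" "$img") || return 1
    mkdir -p "$mnt"
    if ! mount -t "$fstype" -o ro,noexec,nodev,nosuid "$loopdev" "$mnt"; then
        losetup -d "$loopdev"
        return 1
    fi
    echo "$loopdev"
}

umount_image() {     # umount_image <mountpoint> <loopdev>
    umount "$1" && losetup -d "$2"
}

# After analysis: re-hash the image and compare with the hash dcfldd wrote
# to its hashlog. The last 32-hex-digit token in the log is taken so the
# check does not depend on the log's exact line layout.
image_unchanged() {  # image_unchanged <image> <hashlog>
    local now want
    now=$(md5sum < "$1" | cut -d' ' -f1)
    want=$(grep -oE '[0-9a-f]{32}' "$2" | tail -n 1)
    [ -n "$want" ] && [ "$now" = "$want" ]
}

# Typical run (root), paths as on the card:
#   off=$(part_offset /media/sdc1/CASE/EV1/sfdisk.txt /dev/sdb1)
#   dev=$(mount_image_ro /media/sdc1/CASE/EV1/serial_no.dd "$off" /media/diskimg)
#   ... analysis ...
#   umount_image /media/diskimg "$dev"
#   image_unchanged /media/sdc1/CASE/EV1/serial_no.dd /media/sdc1/CASE/EV1/serial_no.md5.txt
```

The noexec,nodev,nosuid options are there because the mounted tree is attacker-controlled data: nothing in it should be executable or act as a device node on the analysis box.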

IT Security Office

1300 Torgersen Hall (0284)

security.vt.edu

November 16, 2006

Offline Hard Disk Imaging

Description / reason for image: _____________________________________________

______________________________________________________________________

______________________________________________________________________

Location: ______________________________________________________________

Date and Time: _________________________________________________________

Started: ___________________  Finished: ___________________

Files Created:__________________________________________________________

______________________________________________________________________

Original MD5Sum: ________________________________

Image MD5Sum:    ________________________________

Persons who performed imaging:

______________________________________________________________________

Name Organization Signature Date

______________________________________________________________________

Name Organization Signature Date

______________________________________________________________________

Name Organization Signature Date

______________________________________________________________________

Chain of Custody

______________________________________________________________________

Name Organization Signature Date

______________________________________________________________________

Name Organization Signature Date

______________________________________________________________________

Name Organization Signature Date

______________________________________________________________________

Name Organization Signature Date
