I've been planning to write up some instructions on how to safely acquire an image of a hard drive for a couple of weeks now, and the only reason I haven't gotten around to it is because I wanted to make one of those cool videos that other people have put up. However, I've had some trouble getting my hands on both software and time, and I also decided that maybe it was best if these instructions were written out so it would be easier to reference them later. So without further delay, here are my instructions on gathering a hard drive image with Helix and mounting the image with Ubuntu.
For this lab I will be using two virtual machines, one with a 10GB hard drive and the other with a 3GB hard drive. The small drive lets me acquire the image more quickly, and the method is the same regardless of drive size. Both machines are running pristine fresh installs of Ubuntu 6.10 (Edgy Eft) with the latest patches, but no additional software. I'll also be using a Helix boot CD to acquire the hard drive image.
Throughout these instructions the "target machine" is the analyst's collection box (the one that will store the image), and the "suspect machine" is the one whose drive we are imaging. First we need to set up the target machine to receive evidence from the suspect machine. Open a command prompt and type
nc -l -p 2000 > fdisk-output
and hit enter. This tells netcat on the target machine to listen for a TCP connection on port 2000 and write whatever the connecting host sends into a file called fdisk-output. (The -l -p form is the traditional netcat syntax that Ubuntu 6.10 and Helix ship; on newer systems that ship the OpenBSD netcat the listener is written nc -l 2000 instead.)
Start the evidence acquisition by booting the suspect machine with the Helix boot CD. Open a command prompt and type
fdisk -l
to get a list of the drives and partitions on the machine. In the case of my virtual machine the hard drive itself is represented by /dev/sda, and each partition on the drive is represented by another device file: sda1, sda2, and sda5 (Linux numbers logical partitions inside an extended partition from 5 regardless of how many primary partitions exist, so sda5 is a logical partition within the extended partition sda2). You're going to want to keep a copy of this output, so type the following command:
fdisk -l | nc 192.168.0.130 2000 -q 10
and hit enter. This prints the partition table of the suspect machine and sends it over the network to your target machine, which writes it into the file fdisk-output. Replace 192.168.0.130 with the address of your own target machine. The -q 10 option tells the traditional netcat to wait 10 seconds after its input reaches end-of-file and then close the connection, so the listener on the target side exits cleanly. Go back to your target machine and type
cat fdisk-output
and you should see the exact same output as the fdisk -l command on the suspect machine.
Next we need to capture a hash value of the hard drive. On the target machine type
nc -l -p 2000 > hard-drive-hash
and hit enter. Then, on the suspect machine type
md5sum /dev/sda | nc 192.168.0.130 2000 -q 10
. This command will take a while to complete, so don't get impatient; the larger the hard drive, the longer it takes, because md5sum has to read every byte of the device. Eventually it will finish, and if you go to the target machine and type
cat hard-drive-hash
you should see a 32-character hexadecimal string. This is the MD5 hash of the suspect hard drive as it is right now. If anything on the drive changes, even a single byte, this value changes. If you don't believe me, do this for some extra credit (on your lab VM, never on real evidence): on the suspect machine in the command prompt type mkdir /mnt/sda1. Then mount the first partition on the drive by typing mount /dev/sda1 /mnt/sda1, and then type umount /dev/sda1. All you've done is mount the partition and unmount it. You haven't even looked at any of the contents, but if you type md5sum /dev/sda again you'll see that the hash of the drive has changed: a read-write mount of an ext2/ext3 filesystem updates the mount count and last-mount time in the superblock (and, for ext3, the journal), so bytes on the disk were altered. This is exactly why evidence drives are imaged from a boot CD that does not mount them, or behind a hardware write blocker, and why you hash before anything else touches the disk. If you just went through these steps then you should repeat the steps at the beginning of this paragraph so that the correct hash value is on the target machine. A single MD5 is enough for this lab, but since practical MD5 collisions are public, it costs little to also record a sha1sum of the device the same way.
Now we're ready to acquire the hard drive image. On the target machine you should enter the following command
nc -l -p 2000 | dd of=hard-drive-image.gz
so that the machine will be ready to accept the image. On the suspect machine open the Helix menu on the bottom, go to forensics and select AIR. There are several tools for gathering hard drive images, but AIR is my favorite so far. In the source device/file enter the device file for the suspect hard drive, in my case /dev/sda
. Next, click on the network button under connected devices. A dialog box will come up and ask if the remote computer is the source or the destination. In this example it is the destination. Then another box will ask for the ip address and port number of the remote computer. You can see a screenshot of my example at http://mavdisk.mnsu.edu/kevin/air-setup.JPG
. After saying yes to the prompts, we should set up compression. Transferring a whole hard drive over the network takes a long time as it is, and without compression it takes even longer (a mostly empty drive compresses very well; a drive full of already-compressed files barely at all). From the compression drop down, select gzip. In the hash box make sure it says md5, so AIR hashes the raw bytes as it reads them. Finally you can click on the start button. I would recommend that after you do that you also click on Show Status Window so you can see how it is going. Over on the target machine you can open another command prompt and type
watch ls -lh hard-drive-image.gz
to see the file size update as the image arrives. When the process is finished, AIR will report the md5 hash of the drive as it was copied, and this should match the md5 sum that you gathered when you first hashed the drive. If it doesn't, the source changed between the two reads or a read error occurred, and you should not trust the image.
If you go back to the target machine you'll have the contents of the suspect machine's hard drive compressed in a file called hard-drive-image.gz. If you md5sum this file it will not match the other hash, because you're hashing the compressed data rather than the drive contents. First we need to uncompress the hard drive image with this command
gunzip hard-drive-image.gz
. This will leave you with a file called hard-drive-image, and if you run md5sum hard-drive-image the resulting hash should match the original hash you took from the suspect machine. If it does not, then something went wrong in the evidence collection and you do not have a perfect copy of the suspect hard drive.
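The acquisition and verification steps above read the drive twice (once for md5sum, once for AIR). The following script is an added example, not code from the original post or from AIR/Helix: it shows the same idea done in a single pass, hashing the raw bytes while they are gzip-compressed into the image, and then the verification the post does by hand. It runs on a constructed file so it can be tried without a spare disk; on a real acquisition SRC would be a device such as /dev/sda, the script would run as root, and the gzip output would be piped to nc exactly as in the post. It assumes coreutils (dd, tee, md5sum, cut), mkfifo and gzip.

```shell
#!/bin/sh
# Added example, not code from the original post or from AIR/Helix.
# Single-pass acquisition: the raw bytes are read once, hashed on the fly,
# and gzip-compressed into an image file, followed by the verification the
# post does by hand. Demonstrated on a constructed file; on a real system
# SRC would be a device such as /dev/sda and the script would run as root.
# Assumes coreutils (dd, tee, md5sum, cut), mkfifo and gzip.

# acquire SRC IMAGE.gz HASHFILE
# Streams SRC through tee: one copy goes to a fifo that md5sum reads, the
# other is compressed into IMAGE.gz. The source is read only once, unlike the
# post's separate md5sum pass followed by the AIR copy.
acquire() {
    src=$1; out=$2; hashfile=$3
    fifo="$hashfile.fifo"
    mkfifo "$fifo"
    # Hash the uncompressed stream in the background; keep only the hex digest.
    md5sum < "$fifo" | cut -d' ' -f1 > "$hashfile" &
    # On a real drive you might add conv=noerror,sync so a bad sector does not
    # abort the copy, but note that zero-filled sectors change the hash.
    dd if="$src" bs=65536 2>/dev/null | tee "$fifo" | gzip -c > "$out"
    wait            # for md5sum to finish writing HASHFILE
    rm -f "$fifo"
}

# verify IMAGE.gz HASHFILE
# Decompresses IMAGE.gz next to itself (dropping the .gz) and succeeds only if
# the md5 of the raw image equals the digest recorded at acquisition time.
verify() {
    img_gz=$1; hashfile=$2
    img=${img_gz%.gz}
    gzip -dc "$img_gz" > "$img"
    actual=$(md5sum "$img" | cut -d' ' -f1)
    expected=$(cat "$hashfile")
    [ "$actual" = "$expected" ]
}

# Demo on constructed input (no real disk is touched).
work=$(mktemp -d)
printf 'constructed suspect-disk contents, block %s\n' 1 2 3 > "$work/src"
acquire "$work/src" "$work/image.gz" "$work/image.md5"
if verify "$work/image.gz" "$work/image.md5"; then
    echo "image verified: $(cat "$work/image.md5")"
else
    echo "HASH MISMATCH: image is not a faithful copy" >&2
fi
rm -rf "$work"
```

The fifo is what makes the single read possible: tee writes the same bytes to the hashing process and to gzip, so the digest in HASHFILE is of the uncompressed device, which is exactly what `md5sum hard-drive-image` must reproduce after decompression. Because verify returns a non-zero status on a mismatch, it can drive a script that refuses to go on to mounting an image that does not check out.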
Now we want to mount one of the partitions that was on the suspect drive. From the target machine type
fdisk -ul hard-drive-image
which lists the partitions with sector numbers instead of cylinders (fdisk is happy to read the partition table out of a plain file). Each sector is 512 bytes. So if your first partition starts at sector 63, like mine does, then you need to multiply 63 sectors by 512 bytes: the first partition starts 32,256 bytes into the file. That byte count is the offset we hand to mount. Now we can mount that partition, read-only
sudo mkdir /mnt/suspect
sudo mount -o ro,loop,offset=32256 hard-drive-image /mnt/suspect
Voila, you're now looking at the contents of the suspect hard drive. The ro option matters: without it, mounting the image would do to the image file exactly what the extra-credit exercise did to the original drive (update the superblock, touch the journal), and the image's md5sum would no longer match your hash. If the partition is ext3, add noload as well (-o ro,noload,loop,offset=32256) so the kernel does not replay a dirty journal even on a read-only mount. You haven't made any changes to the original drive, and since you recorded its hash before imaging and the image hashes to the same value, you can show that the image is a bit-for-bit copy of the drive as it was when you collected it. Two caveats are worth keeping in mind: netcat sends everything unencrypted and unauthenticated, so do this on an isolated network, and the hash only proves integrity from the moment you took it, so the original drive still needs to be protected (bagged, write-blocked) from that point on.
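The offset arithmetic above (start sector times 512) is easy to get wrong by hand, and `fdisk -ul` is only printing what is in the first 512 bytes of the image. The script below is an added example, not code from the original post or from Helix: it reads the MBR partition table straight out of an image file, converts a partition's start sector to the byte offset mount needs, and builds the read-only loop mount command for it. It assumes 512-byte sectors, an MBR (not GPT) disk and `od` from coreutils; the image it inspects is a constructed 512-byte MBR, so nothing real is read and the mount command is printed rather than executed (running it would need root and a real filesystem).

```shell
#!/bin/sh
# Added example, not code from the original post or from Helix.
# Reads the MBR partition table directly out of an image file (what
# `fdisk -ul` prints), converts the start sector of a partition to the byte
# offset mount needs, and builds the read-only loop mount command.
# Assumes a 512-byte sector, an MBR (not GPT) disk, and `od` from coreutils.
# The test image is constructed here so nothing real is read.

# le32 IMAGE BYTE_OFFSET -> unsigned 32-bit little-endian integer at that offset.
# Bytes are assembled by hand so the result does not depend on host endianness.
le32() {
    set -- $(od -An -v -tu1 -j "$2" -N 4 "$1")
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# mbr_check IMAGE -> succeeds only if the 0x55AA boot signature is at byte 510.
mbr_check() {
    set -- $(od -An -v -tu1 -j 510 -N 2 "$1")
    [ "$1" = 85 ] && [ "$2" = 170 ]
}

# MBR layout: four 16-byte primary entries start at byte 446. Within an entry,
# byte 4 is the type, bytes 8-11 the starting LBA, bytes 12-15 the sector count.
entry_off()    { echo $(( 446 + 16 * ($1 - 1) )); }
part_type()    { od -An -v -tx1 -j $(( $(entry_off "$2") + 4 )) -N 1 "$1" | tr -d ' '; }
part_start()   { le32 "$1" $(( $(entry_off "$2") + 8 )); }
part_sectors() { le32 "$1" $(( $(entry_off "$2") + 12 )); }
part_offset()  { echo $(( $(part_start "$1" "$2") * 512 )); }   # the post's 63 * 512

# mount_cmd IMAGE N MOUNTPOINT -> the mount command line, read-only so the
# image (and its hash) stay untouched. Add noload for ext3 to skip journal replay.
mount_cmd() {
    echo "sudo mount -o ro,loop,offset=$(part_offset "$1" "$2") $1 $3"
}

# make_demo_mbr IMAGE -> constructed 512-byte MBR with one bootable Linux (0x83)
# partition starting at LBA 63 and spanning 2000 sectors; entries 2-4 are empty.
make_demo_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    # status 0x80, CHS start (3 bytes, ignored here), type 0x83, CHS end (3 bytes),
    # LBA start 63 = 3f 00 00 00, sectors 2000 = d0 07 00 00 (written as octal escapes)
    printf '\200\001\001\000\203\376\077\007\077\000\000\000\320\007\000\000' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Demo on the constructed MBR.
demo=$(mktemp)
make_demo_mbr "$demo"
if mbr_check "$demo"; then
    echo "partition 1: type 0x$(part_type "$demo" 1), start sector $(part_start "$demo" 1)," \
         "$(part_sectors "$demo" 1) sectors, byte offset $(part_offset "$demo" 1)"
    mount_cmd "$demo" 1 /mnt/suspect
else
    echo "no MBR signature in $demo" >&2
fi
rm -f "$demo"
```

On a real image the same functions work unchanged: `part_offset hard-drive-image 1` gives 32256 for a partition starting at sector 63, and a type byte of 05 or 0f marks an extended partition, whose logical partitions (sda5 and up) are described by a chain of further tables inside it rather than by these four entries, which is where `fdisk -ul` remains the more convenient tool.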