Chris Harrington, profile picture
Uploaded byChris Harrington
PPTX, PDF1,219 views

Capturing forensics image

This document provides guidance on acquiring forensic images of digital evidence for investigation using either Windows or Linux tools. It outlines the necessary hardware requirements, recommended wiping of the destination drive, imaging software options like FTK Imager or dd, and technical procedures for capturing a disk image while avoiding modification of the original data. Checksums are generated to validate image integrity and documentation of all capture steps is emphasized.

Embed presentation

Downloaded 45 times
Data acquisition for forensics investigation User guide By Chris Harrington
 Linux or Windows OS  Hard drive larger than the one being captured ◦ Hard drive must be forensically wiped so no old data can be found from previous cases  Windows Applications ◦ FTK Imager  Linux Applications ◦ dd Note: There are other capturing tools available
 Conduct a forensic wipe on the external drive before capturing  In Windows OS many tools exist  FreeShred  Shred  Etc…  In Linux dd is used to write 0’s to all sectors ◦ Command: dd if=/dev/zero of=/dev/sdX bs=4K conv=noerror,sync
 Run FTK Imager and create a disk image
 Check that Physical Drive is selected for source and the correct physical drive  Click Add in Create Image window
 Raw dd format is accepted by so many tools for further processing. Enter evidence information and saving location.  Image fragment size will split the image file into smaller sizes
 It can take time for the image to finish writing depending on the size of the disk  A log file is produced with md5 & sha1 checksums and other drive details
 Start up the suspect’s computer and boot up with a Linux live CD. The live CD should avoid writing to local drives. Many options available: ◦ Knoppix ◦ Kali ◦ Deft ◦ Etc…
 Open a terminal  Command: dd if=/dev/sdX of=yourimage.img bs=512  If drive is unknown, fdisk –l command will show connected devices  Create checksum hash
 Multiple OS available to capture images for different scenarios  Toolkits  Backup toolkits  Document every move taken  Avoid changes to suspect’s data  Is a forensic capture really necessary for this scenario?
 My contact details  C.k.harrington@gmail.com

More Related Content

PPTX
Forensic imaging
byDINESH KAMBLE
 
PPTX
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
byJared Atkinson
 
PPTX
DVD Technology
byashubhardwaj03
 
PPT
File system
byHarleen Johal
 
PDF
NTFS file system
byRavi Yasas
 
PPTX
killdisk and its use in ukraine hacks
bySrishti Kumari
 
PPTX
Mac book i phone android
byTapan Khilar
 
PPTX
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
byJared Atkinson
 
Forensic imaging
byDINESH KAMBLE
 
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
byJared Atkinson
 
DVD Technology
byashubhardwaj03
 
File system
byHarleen Johal
 
NTFS file system
byRavi Yasas
 
killdisk and its use in ukraine hacks
bySrishti Kumari
 
Mac book i phone android
byTapan Khilar
 
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
byJared Atkinson
 

Viewers also liked

PDF
Windows 7 forensics -overview-r3
byCTIN
 
PPT
Mac Forensics
byCTIN
 
PPTX
Windows 10 Forensics: OS Evidentiary Artefacts
byBrent Muir
 
PDF
2010 2013 sandro suffert memory forensics introdutory work shop - public
bySandro Suffert
 
PPT
Registry forensics
byPrince Boonlia
 
PPTX
Open Source Forensics
byCTIN
 
PPTX
Windows 7 forensics jump lists-rv3-public
byCTIN
 
PPTX
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
byBasis Technology
 
PDF
Forensics of a Windows System
byConferencias FIST
 
PPT
Live Forensics
byCTIN
 
PDF
Windows logging cheat sheet
byMichael Gough
 
ODP
Introduction to memory forensics
byMarco Alamanni
 
PDF
Become an Internet Sleuth!
byNearpod
 
PDF
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
byMark Matienzo
 
PDF
Sleuth kit by echavarro - HABEMUSHACKING
byEduardo Chavarro
 
PPT
Vista Forensics
byCTIN
 
PPTX
Msra 2011 windows7 forensics-troyla
byCTIN
 
PPT
Installation of Joomla on Windows XP
byRupesh Kumar
 
PPT
Level1 Part8 End Of The Day
byCTIN
 
PPT
Part6 Private Sector Concerns
byCTIN
 
Windows 7 forensics -overview-r3
byCTIN
 
Mac Forensics
byCTIN
 
Windows 10 Forensics: OS Evidentiary Artefacts
byBrent Muir
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
bySandro Suffert
 
Registry forensics
byPrince Boonlia
 
Open Source Forensics
byCTIN
 
Windows 7 forensics jump lists-rv3-public
byCTIN
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
byBasis Technology
 
Forensics of a Windows System
byConferencias FIST
 
Live Forensics
byCTIN
 
Windows logging cheat sheet
byMichael Gough
 
Introduction to memory forensics
byMarco Alamanni
 
Become an Internet Sleuth!
byNearpod
 
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
byMark Matienzo
 
Sleuth kit by echavarro - HABEMUSHACKING
byEduardo Chavarro
 
Vista Forensics
byCTIN
 
Msra 2011 windows7 forensics-troyla
byCTIN
 
Installation of Joomla on Windows XP
byRupesh Kumar
 
Level1 Part8 End Of The Day
byCTIN
 
Part6 Private Sector Concerns
byCTIN
 

Similar to Capturing forensics image

PPTX
Data Acquisition
byprimeteacher32
 
PPT
Ch 04 Data Acquisition for Digital Forensics.ppt
bywhbwi21Basri
 
PPTX
computer forensic tools-Hardware & Software tools
byN.Jagadish Kumar
 
PPT
data acquisition in computer forensics and
byssuserec53e73
 
PDF
CNIT 152 8. Forensic Duplication
bySam Bowne
 
PPTX
Computer Forensics and investigation module 3
byssuserec53e73
 
PPTX
Lecture 4 - Data Acquisition1234_MH.pptx
bymuhammadosama0121
 
PDF
Foundation of Digital Forensics
byVictor C. Sovichea
 
PPT
Guide to computer forensics and investigation.ppt
byMaluOffice
 
PPTX
Module 02 ftk imager
byParminderKaurBScHons
 
ODP
Introduction to forensic imaging
byMarco Alamanni
 
PDF
dataacquisition.pdf
byJayaprasanna4
 
PPT
Electornic evidence collection
byFakrul Alam
 
PDF
the Cyber - Forensics - Lab - Manual . pdf
by22cc005
 
PPTX
Forensic_Imaging_Presentationhjsksjsj.pptx
bykingtigerdhanu6903
 
PPTX
Unit-2 Process of Digital Forensics [Autosaved].pptx
bySunny94841
 
DOCX
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
bymaxinesmith73660
 
PDF
Guide to Computer Forensics'.pdf
byLaceyTatum1
 
PPTX
First Responder Course - Session 10 - Static Evidence Collection [2004]
byPhil Huggins FBCS CITP
 
PDF
Accessing Forensic Images
byCTIN
 
Data Acquisition
byprimeteacher32
 
Ch 04 Data Acquisition for Digital Forensics.ppt
bywhbwi21Basri
 
computer forensic tools-Hardware & Software tools
byN.Jagadish Kumar
 
data acquisition in computer forensics and
byssuserec53e73
 
CNIT 152 8. Forensic Duplication
bySam Bowne
 
Computer Forensics and investigation module 3
byssuserec53e73
 
Lecture 4 - Data Acquisition1234_MH.pptx
bymuhammadosama0121
 
Foundation of Digital Forensics
byVictor C. Sovichea
 
Guide to computer forensics and investigation.ppt
byMaluOffice
 
Module 02 ftk imager
byParminderKaurBScHons
 
Introduction to forensic imaging
byMarco Alamanni
 
dataacquisition.pdf
byJayaprasanna4
 
Electornic evidence collection
byFakrul Alam
 
the Cyber - Forensics - Lab - Manual . pdf
by22cc005
 
Forensic_Imaging_Presentationhjsksjsj.pptx
bykingtigerdhanu6903
 
Unit-2 Process of Digital Forensics [Autosaved].pptx
bySunny94841
 
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
bymaxinesmith73660
 
Guide to Computer Forensics'.pdf
byLaceyTatum1
 
First Responder Course - Session 10 - Static Evidence Collection [2004]
byPhil Huggins FBCS CITP
 
Accessing Forensic Images
byCTIN
 

Recently uploaded

PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
The year in review - MarvelClient in 2025
bypanagenda
 
December Patch Tuesday
byIvanti
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 

Capturing forensics image

  • 1.
    Data acquisition forforensics investigation User guide By Chris Harrington
  • 2.
     Linux orWindows OS  Hard drive larger than the one being captured ◦ Hard drive must be forensically wiped so no old data can be found from previous cases  Windows Applications ◦ FTK Imager  Linux Applications ◦ dd Note: There are other capturing tools available
  • 3.
     Conduct aforensic wipe on the external drive before capturing  In Windows OS many tools exist  FreeShred  Shred  Etc…  In Linux dd is used to write 0’s to all sectors ◦ Command: dd if=/dev/zero of=/dev/sdX bs=4K conv=noerror,sync
  • 4.
     Run FTKImager and create a disk image
  • 5.
     Check thatPhysical Drive is selected for source and the correct physical drive  Click Add in Create Image window
  • 6.
     Raw ddformat is accepted by so many tools for further processing. Enter evidence information and saving location.  Image fragment size will split the image file into smaller sizes
  • 7.
     It cantake time for the image to finish writing depending on the size of the disk  A log file is produced with md5 & sha1 checksums and other drive details
  • 8.
     Start upthe suspect’s computer and boot up with a Linux live CD. The live CD should avoid writing to local drives. Many options available: ◦ Knoppix ◦ Kali ◦ Deft ◦ Etc…
  • 9.
     Open aterminal  Command: dd if=/dev/sdX of=yourimage.img bs=512  If drive is unknown, fdisk –l command will show connected devices  Create checksum hash
  • 10.
     Multiple OSavailable to capture images for different scenarios  Toolkits  Backup toolkits  Document every move taken  Avoid changes to suspect’s data  Is a forensic capture really necessary for this scenario?
  • 11.
     My contactdetails  C.k.harrington@gmail.com