Welcome back to the computer forensics path. In this course, course 11, we're talking about creating a forensic image; this is actually acquiring our disk image. We've covered sterilizing our target media, we talked about validating our tools, we talked about creating a clone of a hard drive, and we also talked about creating a forensic image. In this module, module five, we're going to talk about using the dd and dcfldd commands. Now let's talk about the syntax of the Linux dd command. The if= that we use with this command stands for input file. This is the file that we're copying, and this is very important to remember, because if you confuse the input and the output file you're going to overwrite the evidence. The of= is the output file. This is where we're writing the evidence: our target media, which is what we would have sterilized. dd stands for disk duplicate. So we're duplicating a disk, we're creating a forensic image. We need to tell the program what file we're copying and where we're copying it to. So what drive are we copying? This works on a full disk, or it would work on a partition, but we have to tell it what we're copying and where we're copying it to in order to create a duplicate copy of a partition. And we're talking about using Linux. We're going to use sudo so we can get permission if you're not already logged in as root, then we use dd for disk duplicate, if= for our input file, the equal sign and then the path to the input file. In this case we're copying a partition, sda1, and then the output file is going to be in a directory called case1, and I'm naming that file diska1.dd. Now, to copy the physical disk, again we would need to use the sudo command if we weren't root: dd, and then our input file is going to be sda, sdb, sdc, depending on what drive letter we are mounted as. So it would be sd and then a, b, c, d, e, etcetera.
And then the output file; again, we're going to give the directory and the file name. Now, if you happen to be in the directory that you want to copy this to, you don't have to put a directory, you can just put the file name. Now, the list of disk partitions: we're going to need to list the partitions so we make sure that we are using the right input file and the right output file. There are some commands we could use here: we could use sudo fdisk -l, we could use lsblk, or we can use mount. So we want to list the partitions, locate our drives, and make sure we have the correct input and output files. Now dcfldd: we can create a forensic evidence file with a verification value. So we can do our MD5 and our SHA-1 with dcfldd. In this particular command we are asking for the MD5 hash, but you can ask for the SHA-1 as well. When you look at this command, it is the MD5 hash that will automatically be created when we execute it. Again, our input file would be in our /dev folder and then it would be sda, sdb, or sdc, or whatever it is mounted as, and then our output file; this is simply put in the home directory and then it has the file name. Now hash=: we're telling it we want a hash, so hash=md5, and then we have to have a hash log where we're writing this hash out to, so hashlog= and then the file path and the file name to where we want to output our hash log. Again, to list the partitions on the disk, including their size, we can use our fdisk -l command. There is another command we can use, and this is newer, and I really like the way this one works better, and we're going to get to see that when we go through our demo; we'll walk through each one of these and I'll show you the output it gives. It's called dc3dd. With dc3dd we can create our hash values the same as we did in dcfldd.
But the command is just easier to write, and the information it gives us is more robust; we get more information. You'll get about the same information as you would with FTK Imager: you're going to get the time it started, you're going to get how many bytes it copied, you're going to get a lot of information, and we'll see this when we do our walkthrough. So the command works pretty much the same way. It starts with dc3dd, because that is the program that we're running, then our input file, which is going to equal /dev for device, and then this one happens to be sdb, but it could be another letter; it depends on what drive you want to image and where the file system mounted it. Then we have hof=, which is a little different: h is for hash and of stands for output file, so we're hashing the output file, and that equals sdb.img; that's what I'm naming the image. The output file with a hash value is going to be sdb.img. And I have hash=md5 hash=sha1, so I'm doing an MD5 and a SHA-1 with this command, and now I'm going to output it to a log, and it says log=hash.txt. That's what I'm naming my log: hash.txt. By default, if I do not put a file path in here, it's going to write this hash log to whatever folder I'm in in the terminal, and we'll see that when we do our walkthrough. Okay. We're going to do our demo now of the three commands that we talked about: the dd command, the dcfldd command, and the dc3dd command. We're going to do a demonstration, and this is a demonstration only because I'm running it on a Linux virtual machine. If you do have a Linux VM and you want to follow along at home, that's great. The commands we're going to be using are dd, dcfldd, and dc3dd, and these are the commands we talked about for imaging a drive, a full drive or a logical volume, in Linux. Now the dd command will image the drive. The syntax of the command is dd,
and then we have our input file, if=, and we have to give it the path to the drive. So this is /dev/sdb, the path to the drive we're going to image. Now the output file: I'm putting it in this folder on my desktop called test. So it would be /home/, my user name, because I'm the user, /Desktop/test, and I'm calling it flashdrive.img, flash drive dot image. Now, before I would do this, let's back up for a second. If you were doing this on the system and you were doing it live, before you created the image you would want to go ahead and list your block devices out and take a look at what you wanted to image. So let's list the blocks out. To list the blocks out, I'm going to use lsblk: ls for list and blk for block. When we do this, we can see all the drives that are mounted here, and I see my sdb, I can see how big it is, it's 120 MB, it is my USB test drive, and that is the one that I want to create a dd image of. The command again: dd for disk duplicate, if= is the input file and we're pointing it at this sdb, of= is the output file and I'm going to output to this test folder on my desktop. Now when I hit enter, it's going to take a second to run, and it's already finished, and it tells you how many records in and how many records out; those numbers should match. It tells you how many bytes it copied, and it gives it to us in megabytes also, but it is not automatically creating a hash value. If we go and look in our test folder, we can see our flashdrive.img. Now dcfldd: we can create an MD5 and a SHA-1 as we're creating the image itself, and it runs that fast. So let's take a look at the command. It's dcfldd, again our input file, which is the same, it's in /dev and it's sdb; I asked for a hash, hash=md5,sha1; I output my MD5 with md5log=md5.txt. The MD5 log is what it's creating, and I have to give it a file name.
The SHA-1 log is the same: sha1log=sha1.txt. I could have named these anything, but I named them md5.txt and sha1.txt so I know what they are; you can name them whatever you'd like. And I have hashconv=after, and bs is the sector size, 512. Now my output file: I'm calling it testusb2.img, and then again it tells me the blocks written and the blocks in and out, and all those numbers should match. And when I go ahead and look in my test folder, I can see that I have my testusb2 image. I still have my flash drive image, but I have my testusb2 image, and I have my md5 file, which gives me the MD5 hash value, and the sha1 file, which gives me the SHA-1 hash value. The next command I'm going to show you is the one that I really like the best, and that is dc3dd, and you'll see why in a second. So I'm going to go ahead and copy this command, I'm going to paste it here, and it will run as soon as I paste it. So we have dc3dd, the input file, and it's the same path, /dev/sdb. Now the hash output, hof=sdb.img, so I'm hashing it with an output and I'm calling the output sdb.img. My hash is going to equal MD5 and SHA-1, and I'm putting them in the log, log=hash.txt. So we'll go ahead and run the command, and you can see it's running because you see the bytes as they're being copied. So it kind of has a progress bar, similar to what you can do with FTK Imager, whereas with the other two we ran them and we just waited until my command line came back. It's finished, and we can see that we get the bytes copied and the bytes hashed, and those numbers of bytes should match. We can see the sectors in; it reports zero bad sectors. And this is the input results for the device, so it's hashing the device, similar to FTK Imager, and then it's hashing the output file, our image file.
And it's giving us the hash values for the image file, and those hashes match, and that's showing us that no data on the drive was changed when we created our image. That's what makes a forensically sound image: we can show that we made no changes to the original evidence. It also gives you the time when it started and the time when it completed. So you get a more robust output with dc3dd than we do with the other commands like dd, or even dcfldd, where we can create the hash values but we don't get the hash of the evidence and the hash of the image file so that we can see we've made no changes. You could always hash your image file using a hashsum command, but that's an extra step, and with this command we don't have to take that step. Now, what we can also do, and I'm going to go ahead and close the terminal for now, is I can take a look at my USB test drive and I can see what's on there. What's kind of nice with Linux: I'm going to go ahead and eject my test drive, I can open up my test folder, and I can take my sdb image and open it with the disk image mounter. Now I mounted my USB drive, the original evidence itself, or my test drive in this case, and now I've mounted the image, and I can bring the image up and I can see that the files are the same as they were on the test drive, and I could go through that if I wanted to. So I do have the ability in Linux to mount the image as a drive, and you also have the ability to go ahead and unmount it. And that ends our demonstration of the Linux dd, dcfldd, and dc3dd commands for imaging. In our next course, we're going to talk about hash values and file hashing.
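The "extra step" mentioned above, done as a shell script (an added example, not part of the course): image a source with plain dd and then hash both the source and the image with MD5 and SHA-1, the way dc3dd reports both, writing the result to a hash log. It assumes GNU coreutils (dd, md5sum, sha1sum, mktemp) on Linux, and the demo uses a constructed file standing in for /dev/sdb so it runs without a real device or root.

```shell
#!/bin/sh
# Added example, not the course's own commands: image a source with dd, then
# hash both the source and the resulting image file (MD5 and SHA-1), the way
# dc3dd reports both in one run, and write the result to a hash log.
# Assumes GNU coreutils (dd, md5sum, sha1sum, mktemp) on a Linux host.

hash_of() { "$1" "$2" | cut -d' ' -f1; }   # hash_of md5sum FILE -> hex digest

# hash_log SOURCE IMAGE LOG: hash both files, write the values to LOG and
# return 0 only if the image hashes match the source hashes.
hash_log() {
  src="$1"; img="$2"; log="$3"
  src_md5=$(hash_of md5sum "$src");   img_md5=$(hash_of md5sum "$img")
  src_sha1=$(hash_of sha1sum "$src"); img_sha1=$(hash_of sha1sum "$img")
  {
    echo "source: $src"
    echo "image:  $img"
    echo "md5  source=$src_md5 image=$img_md5"
    echo "sha1 source=$src_sha1 image=$img_sha1"
  } > "$log"
  if [ "$src_md5" = "$img_md5" ] && [ "$src_sha1" = "$img_sha1" ]; then
    echo "VERIFIED: image hashes match source" >> "$log"; return 0
  fi
  echo "MISMATCH: image hashes differ from source" >> "$log"; return 1
}

# image_and_verify SOURCE IMAGE LOG: the dd step from the course (bs=512,
# if= is the evidence, of= is the image; never swap them) followed by hash_log.
image_and_verify() {
  dd if="$1" of="$2" bs=512 2>/dev/null || return 2
  hash_log "$1" "$2" "$3"
}

# Constructed demo: a 32 KiB random file stands in for /dev/sdb so this runs
# without a real device or root.
demo() {
  work=$(mktemp -d)
  head -c 32768 /dev/urandom > "$work/fake_sdb"
  image_and_verify "$work/fake_sdb" "$work/sdb.img" "$work/hash.txt"
  rc=$?
  cat "$work/hash.txt"
  rm -rf "$work"
  return $rc
}

demo
```

On a real acquisition the source would be the device path (for example /dev/sdb) and the script would need root to read it, just as the dd command in the walkthrough does.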