Sunday, April 10, 2016

Kali Tool Series - dc3dd

“dc3dd is a patched version of GNU dd with added features for computer forensics” - from ForensicsWiki.

Comparison to GNU dd

While I was using dd, I found it’s hard to know how long will it take, and if the cloning was done completely without error. However, dc3dd fixes all these problems by providing:

  • on the fly hashing with multiple algorithms (MD5, SHA–1, SHA–256, and SHA–512)
  • progress reports
  • writing errors directly to a file

When and Why using dd or dc3dd

In the movies or TV series, we can see hackers plugin a USB disk then copy all the data out of the machine, and that’s the case we can use dd or dc3dd.

To be more specific, the flow is:

  • insert a Kali live usb disk into the target machine
  • do the Kali Forensics Boot
  • dd or dc3dd the disk of the target machine into a file on the Kali USB disk or another USB disk

Usage

I use VMs, so I won’t have the target machine in this example. However, you can pretend the disk I am going to clone (/dev/sda5) is the disk of the target machine. And, I am cloning the disk into a file stored in another USB disk.

First of all, list out the partitions of all the disks.

> fdisk -l

Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7b852532

Device     Boot    Start      End  Sectors  Size Id Type
/dev/sda1  *        2048 40136703 40134656 19.1G 83 Linux
/dev/sda2       40138750 41940991  1802242  880M  5 Extended
/dev/sda5       40138752 41940991  1802240  880M 82 Linux swap / Solaris

Disk /dev/sdb: 3.8 GiB, 4026531840 bytes, 7864320 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x893a988d

Device     Boot Start     End Sectors  Size Id Type
/dev/sdb1         976 7864319 7863344  3.8G  b W95 FAT32

Pick the one you want to clone later, and here I am using the Linux swap (/dev/sda5), which is kind of meaningless but enough for practice purpose.

Then, locate the place you want to save your cloned disk image. Usually, you would want to use another USB disk since the machine may not belong to you, and what you want to do is to clone the disk, save in the USB disk, then take away. I will save the file on the /dev/sdb disk, which is mounted at /media/root/0909-B70D/disk-img/.

Start dc3dd:

> dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256

dc3dd 7.2.641 started at 2016-04-10 12:56:50 +0800
compiled options:
command line: dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256
device size: 1802240 sectors (probed),      922,746,880 bytes
sector size: 512 bytes (probed)
   261455872 bytes ( 249 M ) copied ( 28% ),   33 s, 7.6 M/s                  

  • if: input disk location
  • of: output image location
  • hash: calculate the hash on the fly

Verification

After the cloning is completed, we can check if the file looks exactly the same as the original by comparing the hash code:

> dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256

dc3dd 7.2.641 started at 2016-04-10 12:56:50 +0800
compiled options:
command line: dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256
device size: 1802240 sectors (probed),      922,746,880 bytes
sector size: 512 bytes (probed)
   922746880 bytes ( 880 M ) copied ( 100% ),  236 s, 3.7 M/s                 

input results for device `/dev/sda5':
   1802240 sectors in
   0 bad sectors replaced by zeros
   f1409a56a4518860c45b23ef95e9dfd50d12bf98fbdb9eb72f39d2fc2182e79f (sha256)

output results for file `/media/root/0909-B70D/disk-img/cloned':
   1802240 sectors out

dc3dd completed at 2016-04-10 13:00:45 +0800

> file /media/root/0909-B70D/disk-img/cloned 
/media/root/0909-B70D/disk-img/cloned: Linux/i386 swap file (new style), version 1 (4K pages), size 225279 pages, no label, UUID=767f785e-d7fb-4b3c-9f8e-b02761db620e
> sha256sum /media/root/0909-B70D/disk-img/cloned 
f1409a56a4518860c45b23ef95e9dfd50d12bf98fbdb9eb72f39d2fc2182e79f  /media/root/0909-B70D/disk-img/cloned

As you can see, the swap file is copied, and the hashs are the same (f1409a56a4518860c45b23ef95e9dfd50d12bf98fbdb9eb72f39d2fc2182e79f).

Kali Forensics Boot

By doing the Kali Forensics Boot, one can gain lots of benefits from being silent. That is, the Kali Forensics Boot provides following features:

  • the internal hard disk is never touched
  • auto-mounting of removable media is disabled

Reference