“dc3dd is a patched version of GNU dd with added features for computer forensics” - from ForensicsWiki.
Comparison to GNU dd
While I was using dd
, I found it’s hard to know how long will it take, and if the cloning was done completely without error. However, dc3dd
fixes all these problems by providing:
- on the fly hashing with multiple algorithms (MD5, SHA–1, SHA–256, and SHA–512)
- progress reports
- writing errors directly to a file
When and Why using dd
or dc3dd
In the movies or TV series, we can see hackers plugin a USB disk then copy all the data out of the machine, and that’s the case we can use dd
or dc3dd
.
To be more specific, the flow is:
- insert a Kali live usb disk into the target machine
- do the Kali Forensics Boot
dd
ordc3dd
the disk of the target machine into a file on the Kali USB disk or another USB disk
Usage
I use VMs, so I won’t have the target machine in this example. However, you can pretend the disk I am going to clone (/dev/sda5
) is the disk of the target machine. And, I am cloning the disk into a file stored in another USB disk.
First of all, list out the partitions of all the disks.
> fdisk -l
Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7b852532
Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 40136703 40134656 19.1G 83 Linux
/dev/sda2 40138750 41940991 1802242 880M 5 Extended
/dev/sda5 40138752 41940991 1802240 880M 82 Linux swap / Solaris
Disk /dev/sdb: 3.8 GiB, 4026531840 bytes, 7864320 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x893a988d
Device Boot Start End Sectors Size Id Type
/dev/sdb1 976 7864319 7863344 3.8G b W95 FAT32
Pick the one you want to clone later, and here I am using the Linux swap (/dev/sda5
), which is kind of meaningless but enough for practice purpose.
Then, locate the place you want to save your cloned disk image. Usually, you would want to use another USB disk since the machine may not belong to you, and what you want to do is to clone the disk, save in the USB disk, then take away. I will save the file on the /dev/sdb
disk, which is mounted at /media/root/0909-B70D/disk-img/
.
Start dc3dd
:
> dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256
dc3dd 7.2.641 started at 2016-04-10 12:56:50 +0800
compiled options:
command line: dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256
device size: 1802240 sectors (probed), 922,746,880 bytes
sector size: 512 bytes (probed)
261455872 bytes ( 249 M ) copied ( 28% ), 33 s, 7.6 M/s
if
: input disk locationof
: output image locationhash
: calculate the hash on the fly
Verification
After the cloning is completed, we can check if the file looks exactly the same as the original by comparing the hash code:
> dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256
dc3dd 7.2.641 started at 2016-04-10 12:56:50 +0800
compiled options:
command line: dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256
device size: 1802240 sectors (probed), 922,746,880 bytes
sector size: 512 bytes (probed)
922746880 bytes ( 880 M ) copied ( 100% ), 236 s, 3.7 M/s
input results for device `/dev/sda5':
1802240 sectors in
0 bad sectors replaced by zeros
f1409a56a4518860c45b23ef95e9dfd50d12bf98fbdb9eb72f39d2fc2182e79f (sha256)
output results for file `/media/root/0909-B70D/disk-img/cloned':
1802240 sectors out
dc3dd completed at 2016-04-10 13:00:45 +0800
> file /media/root/0909-B70D/disk-img/cloned
/media/root/0909-B70D/disk-img/cloned: Linux/i386 swap file (new style), version 1 (4K pages), size 225279 pages, no label, UUID=767f785e-d7fb-4b3c-9f8e-b02761db620e
> sha256sum /media/root/0909-B70D/disk-img/cloned
f1409a56a4518860c45b23ef95e9dfd50d12bf98fbdb9eb72f39d2fc2182e79f /media/root/0909-B70D/disk-img/cloned
As you can see, the swap file is copied, and the hashs are the same (f1409a56a4518860c45b23ef95e9dfd50d12bf98fbdb9eb72f39d2fc2182e79f).
Kali Forensics Boot
By doing the Kali Forensics Boot, one can gain lots of benefits from being silent. That is, the Kali Forensics Boot provides following features:
- the internal hard disk is never touched
- auto-mounting of removable media is disabled
No comments:
Post a Comment