As I've learned in class, there seem to be three basic scenarios: a drive is handed to you to image (dead acquisition); using Helix when you need to copy a drive from a machine but can't take the drive out; and imaging a drive where the machine cannot be shut down (live acquisition).
1. When the drive is handed to you:
- Attach the drive to the system. Use SIFT or Helix. Use a write-blocker if available.
- run fdisk -l to see the new (acquisition) drive
- attach an external USB drive as the target drive
- run fdisk -l to see the USB drive
- mkdir /mnt/usb
- mount the USB drive to the filesystem (ntfs-3g -o force /dev/"usbdrive" /mnt/usb)
- dc3dd if=/dev/"acquisition drive" of=/mnt/usb/name.img progress=on hash=md5 hashlog=/mnt/usb/name.md5
2. Using Helix (you can't take the drive out of the machine):
- Know that the system is going to be rebooted and there will be loss of volatile evidence
- Boot the machine with Helix
- run fdisk -l to see the acquisition drive
- attach an external USB drive as the target drive
- run fdisk -l to see the USB drive
- mkdir /mnt/usb
- mount the USB drive to the filesystem (ntfs-3g -o force /dev/"usbdrive" /mnt/usb)
- dc3dd if=/dev/"acquisition drive" of=/mnt/usb/name.img progress=on hash=md5 hashlog=/mnt/usb/name.md5
3. Live acquisition (the machine cannot be shut down):
- This will be a snapshot of the system, because the system will stay up
- You will be able to gather volatile evidence first
- Attach the USB drive to the system
- You will need your own copy of dc3dd to run (from CD or USB)
- dc3dd if=/dev/"acquisition drive" of=/mnt/usb/name.img progress=on hash=md5 hashlog=/mnt/usb/name.md5
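An added example (not from the class notes or from dc3dd itself) that scripts scenario 1 end to end and then checks the image against the MD5 dc3dd wrote, using an independent md5sum. It assumes the hash log lists the MD5 as a standalone 32-hex-character word, which is how dc3dd's hash log prints it, and uses the same /mnt/usb paths as the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: run the acquisition step from
# the notes, then re-hash the image with md5sum and compare it to the hash
# dc3dd logged, so a mismatch is caught before the drive is returned.
# Assumption: the hash log contains the MD5 as a standalone 32-hex word.

# Extract the first standalone 32-hex word (the MD5) from a dc3dd hash log.
expected_md5() {
    grep -owE '[0-9a-f]{32}' "$1" | head -n 1
}

# Recompute the image hash with a tool other than the one that wrote it.
actual_md5() {
    md5sum "$1" | cut -d ' ' -f 1
}

# Succeed only when the log holds a hash and it equals the image's current MD5.
verify_image() {
    img=$1
    log=$2
    exp=$(expected_md5 "$log")
    act=$(actual_md5 "$img")
    [ -n "$exp" ] && [ "$exp" = "$act" ]
}

# Scenario 1 from the notes: mount the USB target, image the drive, verify the
# image, then make the evidence files read-only.
# Usage: acquire_and_verify /dev/sdb /dev/sdc1 case01   (devices are examples)
acquire_and_verify() {
    src=$1
    usb=$2
    name=$3
    mkdir -p /mnt/usb
    ntfs-3g -o force "$usb" /mnt/usb || return 1
    dc3dd if="$src" of="/mnt/usb/$name.img" progress=on hash=md5 \
          hashlog="/mnt/usb/$name.md5" || return 1
    if verify_image "/mnt/usb/$name.img" "/mnt/usb/$name.md5"; then
        chmod 444 "/mnt/usb/$name.img" "/mnt/usb/$name.md5"
        echo "OK $(actual_md5 "/mnt/usb/$name.img")  $name.img"
    else
        echo "HASH MISMATCH: $name.img does not match its hash log" >&2
        return 1
    fi
}
```

verify_image can be rerun at any later point (for example before handing the image to another examiner) to confirm the image still matches the hash recorded at acquisition time.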