Simple Forensics imaging with dd, dc3dd & dcfldd

Quick guide to create a forensics image of a drive using dd, dc3dd and dcfldd.


dd

Brief description of the tool from wiki:

dd is a command-line utility for Unix and Unix-like operating systems, the primary purpose of which is to convert and copy files.

$ dd if=/dev/sdb1 of=/evidence/image.dd bs=4096 conv=sync,noerror

Command explanation:

if=/dev/sdb1 is the source, in this case the partition sdb1

of=/evidence/image.dd is where the output file is saved

bs=4096 is the block size (the default is 512kb)

conv=sync,noerror: noerror makes dd continue after a read error instead of stopping, and sync fills the rest of an unreadable block with NUL bytes so the image keeps its block alignment

dc3dd

If you are interested in a complete drive acquisition guide, you can also refer to this article: drive acquisition using dc3dd

Brief description from the official website:

A patch to the GNU dd program, this version has several features intended for forensic acquisition of data. Highlights include hashing on-the-fly, split output files, pattern writing, a progress meter, and file verification.

$ dc3dd if=/dev/sdb1 of=/evidence/image.dd bs=4k hash=sha256 hashlog=hash.log log=image.log progress=on

Command explanation:

if=/dev/sdb1 is the source, in this case the partition sdb1

of=/evidence/image.dd is where the output file is saved

bs=4k is the block size

hash=sha256 selects the on-the-fly hashing algorithm

log=image.log is the output path for the log

hashlog=hash.log saves the hash output to hash.log instead of stderr

progress=on displays a progress meter

dcfldd

Brief description from the official website:

dcfldd is an enhanced version of GNU dd with features useful for forensics and security. Based on the dd program found in the GNU Coreutils package, dcfldd has the following additional features:

  • Hashing on-the-fly – dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
  • Status output – dcfldd can update the user of its progress in terms of the amount of data transferred and how much longer operation will take.
  • Flexible disk wipes – dcfldd can be used to wipe disks quickly and with a known pattern if desired.
  • Image/wipe Verify – dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
  • Multiple outputs – dcfldd can output to multiple files or disks at the same time.
  • Split output – dcfldd can split output to multiple files with more configurability than the split command.
  • Piped output and logs – dcfldd can send all its log data and output to commands as well as files natively.

$ dcfldd if=/dev/sdb1 conv=sync,noerror hash=sha256 hashlog=hash.log of=/evidence/image.dd

Command explanation:

if=/dev/sdb1 is the source, in this case the partition sdb1

of=/evidence/image.dd is where the output file is saved

conv=sync,noerror: noerror makes dcfldd continue after a read error instead of stopping, and sync fills the rest of an unreadable block with NUL bytes

hash=sha256 selects the on-the-fly hashing algorithm

hashlog=hash.log saves the hash output to hash.log instead of stderr
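All three commands above do the same two things, copy and hash, and the value of the hash is that it lets you prove later that the image still matches what was read. The following POSIX shell script is an added example, not code from this guide or from the dd, dc3dd or dcfldd projects: it runs the dd variant, compares the SHA-256 digests of source and image, and checks an image against a recorded hash log. The hash-log line format "Total (sha256): <hex>" is an assumption modelled on dcfldd's hashlog, and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the guide: image a source with the guide's dd
# options, then verify the copy by comparing SHA-256 digests and by checking a
# dc3dd/dcfldd-style hash log. Needs only POSIX sh, dd, awk and a SHA-256 tool.
set -u

# hash256 FILE: print the SHA-256 hex digest using whichever tool is installed.
hash256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# image_and_verify SRC DEST LOG
# Copy SRC to DEST with bs=4096 conv=sync,noerror, append both digests to LOG
# and return 0 only when source and image hash identically. They differ when
# sync had to pad: after a read error, or when the source size is not a
# multiple of the block size (the last block is then zero-filled to 4096).
image_and_verify() {
    src=$1; dest=$2; log=$3
    dd if="$src" of="$dest" bs=4096 conv=sync,noerror 2>>"$log" || return 2
    src_hash=$(hash256 "$src")
    img_hash=$(hash256 "$dest")
    printf 'source %s %s\n' "$src_hash" "$src" >>"$log"
    printf 'image  %s %s\n' "$img_hash" "$dest" >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_against_hashlog IMAGE HASHLOG
# Re-hash IMAGE and compare with the digest recorded in HASHLOG. The expected
# line "Total (sha256): <hex>" is an assumption modelled on dcfldd's hashlog;
# adjust the pattern if your tool writes a different layout.
verify_against_hashlog() {
    recorded=$(awk '/^Total \(sha256\)/ {print $3; exit}' "$2" | tr -d ' \r')
    [ -n "$recorded" ] || return 2
    [ "$(hash256 "$1")" = "$recorded" ]
}

# Usage (reading a block device needs root; paths are placeholders):
#   image_and_verify /dev/sdb1 /evidence/image.dd /evidence/image.log
#   verify_against_hashlog /evidence/image.dd /evidence/hash.log
```

A mismatch from image_and_verify is not necessarily a bad copy: with conv=sync the image is padded to a whole number of blocks, so a partition whose size is not a multiple of bs will never hash like its image. Record the block size and the dd stderr (captured in the log) with the digests so that the padding can be explained later.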

Forensics timeline using plaso log2timeline for Windows

As you may know, the popular tool log2timeline can also be used directly on Windows. But why would you need to run log2timeline on Windows? The answer is simple: performance.

log2timeline is a fantastic tool, but creating a forensic timeline can be a long and time-consuming process, so rather than using a virtualized environment I prefer to run log2timeline for Windows directly.

In this guide, we will do a timeline using log2timeline for Windows.

First of all, let's download the Windows version of plaso from the official GitHub releases page (https://github.com/log2timeline/plaso/releases), choosing the 32-bit or 64-bit build.

Plaso for Windows

After the download, unzip the files; plaso is now ready to use.

Let's make our first timeline under Windows.

  • Open a cmd with administrator privileges, then move to the directory where you extracted plaso.
  • Use log2timeline.exe to gather the timeline data from your image.
log2timeline.exe plaso.dump drive_d.dd
  • Command explanation:
    • plaso.dump is the output file
    • drive_d.dd is the bitstream copy of the drive for which you want to create a timeline

  • You may choose the partition from which log2timeline will collect data; in my case it is p3, as you can see in the picture below.
Select log2timeline partition
  • You may also choose the VSS (Volume Snapshot Service) snapshots that you want to include in your timeline. Press Enter if you don't want to include any.
  • Wait until the process is completed; it can take several hours.
  • When the process is finished you can run psort.exe to filter the timeline data.
psort.exe -z "UTC" -o L2tcsv plaso.dump "date > '2020-09-01 00:00:00' AND date < '2012-10-15 00:00:00'" -w timeline.csv
  • Command explanation:
    • -z is the timezone, in this case UTC
    • -o is the output format, in this case l2tcsv (the log2timeline CSV layout)
    • plaso.dump is the storage file created with log2timeline
    • date (YYYY-MM-DD HH:MM:SS) bounds the time window for which you want to create the timeline.
    • -w timeline.csv is the output CSV file

  • Now you have the CSV, with the data of your timeline.
  • For a better visualization, import the CSV into the colorized super-timeline template spreadsheet created by Rob Lee, which you can find at this link: https://www.sans.org/blog/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files/
  • Enjoy your first timeline created on Windows!
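Because a log2timeline run can take hours, it is worth validating the psort date window before you start, and worth a quick sanity check of the CSV once it exists. The following POSIX shell functions are an added example, not part of this guide or of plaso (they run the same on Linux or macOS, where plaso is also available): they check that the window is well-formed and ordered, build the filter string in the form used above, and count events per source in an l2tcsv file. The l2tcsv column order (source as the fifth column) and the sample rows written by write_sample_l2tcsv are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the guide: sanity-check a psort date window before
# starting a run that may take hours, and summarise the resulting l2tcsv output.
set -u

# valid_timestamp T: 0 if T has the 'YYYY-MM-DD HH:MM:SS' shape psort expects.
valid_timestamp() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]" "[0-9][0-9]:[0-9][0-9]:[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_date_range START END: both well-formed and START strictly before END.
# ISO timestamps sort correctly as plain strings, so no date(1) parsing is needed
# (date -d is GNU-only, which is why it is avoided here).
check_date_range() {
    valid_timestamp "$1" && valid_timestamp "$2" || return 1
    [ "$1" != "$2" ] || return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort | head -n 1)
    [ "$first" = "$1" ]
}

# build_psort_filter START END: print the filter string in the form the guide
# uses, or fail (printing nothing) when the window is invalid or reversed.
build_psort_filter() {
    check_date_range "$1" "$2" || return 1
    printf "date > '%s' AND date < '%s'\n" "$1" "$2"
}

# count_events CSV SOURCE: rows of an l2tcsv file whose 'source' column (5th)
# equals SOURCE. Column order is assumed from plaso's l2tcsv header; the fields
# before the free-text 'desc' column carry no commas, so a comma split is safe.
count_events() {
    awk -F, -v want="$2" 'NR > 1 && $5 == want { n++ } END { print n + 0 }' "$1"
}

# write_sample_l2tcsv FILE: constructed sample in l2tcsv layout (not real
# psort output) so the functions above can be exercised offline.
write_sample_l2tcsv() {
    printf '%s\n' \
 'date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra' \
 '09/02/2020,10:15:00,UTC,M...,FILE,NTFS USN change,Content Modification Time,-,HOST1,a.txt,USN entry,2,C:/Users/a.txt,12,-,usnjrnl,-' \
 '09/03/2020,08:00:00,UTC,...B,EVT,WinEVTX,Event Logged,-,HOST1,System,Event 7036,2,C:/Windows/System32/winevt/Logs/System.evtx,13,-,winevtx,-' \
 '09/04/2020,09:30:00,UTC,M...,FILE,NTFS USN change,Content Modification Time,-,HOST1,b.txt,USN entry,2,C:/Users/b.txt,14,-,usnjrnl,-' \
 > "$1"
}

# Usage: build the filter first, then pass it to psort; a reversed window
# (end before start) would otherwise run to completion and match no events.
#   f=$(build_psort_filter '2020-09-01 00:00:00' '2020-10-15 00:00:00') || exit 1
#   psort.exe -z "UTC" -o l2tcsv plaso.dump "$f" -w timeline.csv
#   count_events timeline.csv FILE
```

Run build_psort_filter before psort rather than after: a window whose end precedes its start is syntactically valid, so psort will happily process the whole storage file and write an empty CSV.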