Simple Forensics imaging with dd, dc3dd & dcfldd

Quick guide to create a forensics image of a drive using dd, dc3dd and dcfldd.

dd

Brief description of the tool from wiki:

dd is a command-line utility for Unix and Unix-like operating systems, the primary purpose of which is to convert and copy files.

$ dd if=/dev/sdb1 of=/evidence/image.dd bs=4096 conv=sync,noerror

Command explanation:

if=/dev/sdb1 is the source; in this case the partition sdb1

of=/evidence/image.dd is where the output file is saved

bs=4096 is the block size (default is 512kb).

conv=sync,noerror: noerror makes dd continue after a read error instead of stopping; sync pads every short or failed read with null bytes up to the full block size.

dc3dd

If you are interested in a complete drive acquisition guide, you can also refer to this article: drive acquisition using dc3dd

Brief description from the official website:

A patch to the GNU dd program, this version has several features intended for forensic acquisition of data. Highlights include hashing on-the-fly, split output files, pattern writing, a progress meter, and file verification.

$ dc3dd if=/dev/sdb1 of=/evidence/image.dd bs=4k hash=sha256 hashlog=hash.log log=image.log progress=on

Command explanation:

if=/dev/sdb1 is the source; in this case the partition sdb1

of=/evidence/image.dd is where the output file is saved

bs=4k is the block size

hash=sha256 selects the on-the-fly hashing algorithm

log=image.log is the output path for the log

hashlog=hash.log saves the hash output to hash.log instead of stderr

progress=on displays a progress meter

dcfldd

Brief description from the official website:

dcfldd is an enhanced version of GNU dd with features useful for forensics and security. Based on the dd program found in the GNU Coreutils package, dcfldd has the following additional features:

  • Hashing on-the-fly – dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
  • Status output – dcfldd can update the user of its progress in terms of the amount of data transferred and how much longer operation will take.
  • Flexible disk wipes – dcfldd can be used to wipe disks quickly and with a known pattern if desired.
  • Image/wipe Verify – dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
  • Multiple outputs – dcfldd can output to multiple files or disks at the same time.
  • Split output – dcfldd can split output to multiple files with more configurability than the split command.
  • Piped output and logs – dcfldd can send all its log data and output to commands as well as files natively.

$ dcfldd if=/dev/sdb1 conv=sync,noerror hash=sha256 hashlog=hash.log of=/evidence/image.dd

Command explanation:

if=/dev/sdb1 is the source; in this case the partition sdb1

conv=sync,noerror: noerror makes dcfldd continue after a read error instead of stopping; sync pads every short or failed read with null bytes up to the full block size.

of=/evidence/image.dd is where the output file is saved

hash=sha256 selects the on-the-fly hashing algorithm

hashlog=hash.log saves the hash output to hash.log instead of stderr
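The dd line above performs no integrity check, and the hashes dcfldd and dc3dd write to hash.log are taken over the input stream, so a later sha256sum over the image file will disagree with them whenever the source length is not a multiple of bs, because conv=sync pads the final short block with null bytes. The script below is an added example, not code from the original post: it wraps the dd acquisition above in POSIX shell, hashes source and image, and does the comparison correctly, demonstrated on a constructed file in place of /dev/sdb1 (assumes GNU coreutils: dd, sha256sum, head -c, wc -c, mktemp).

```shell
#!/bin/sh
# Added example, not from the original post: acquire with the post's dd
# options, then verify the image against the source by SHA-256.
# Assumes GNU coreutils (dd, sha256sum, head -c, wc -c, mktemp).
set -eu

# image_source SRC DEST BS: dd acquisition with conv=sync,noerror;
# dd's own statistics go to DEST.log for the case notes.
image_source() {
    dd if="$1" of="$2" bs="$3" conv=sync,noerror 2>"$2.log"
}

# sha256_of FILE [LEN]: SHA-256 of FILE, or of its first LEN bytes only.
sha256_of() {
    if [ "$#" -eq 2 ]; then
        head -c "$2" "$1" | sha256sum | cut -d' ' -f1
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_image SRC IMG: prints the source hash, the whole-image hash and the
# hash of the image truncated to the source length; returns 0 only when the
# source hash equals the truncated-image hash. The whole-image hash differs
# whenever the source length is not a multiple of bs, because conv=sync pads
# the final short block with NUL bytes.
verify_image() {
    src_len=$(wc -c < "$1" | tr -d ' ')
    src_hash=$(sha256_of "$1")
    img_hash=$(sha256_of "$2")
    trunc_hash=$(sha256_of "$2" "$src_len")
    printf 'source          %s\nimage           %s\nimage-truncated %s\n' \
        "$src_hash" "$img_hash" "$trunc_hash"
    [ "$src_hash" = "$trunc_hash" ]
}

# Demo on a constructed 10000-byte file (deliberately not a multiple of 4096).
demo() {
    d=$(mktemp -d)
    yes 'forensics sample' | head -c 10000 > "$d/src.bin"
    image_source "$d/src.bin" "$d/image.dd" 4096
    verify_image "$d/src.bin" "$d/image.dd"
    rm -rf "$d"
}
demo
```

Against a real block device the same rule applies: compare the image truncated to the device's byte length, or choose a bs that divides it exactly so the two hashes coincide.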

Find out Windows installation date

There are many ways to determine when a Windows operating system was installed on a machine. In this post you will find some examples.

The installation date is very important during a forensic investigation in order to quickly understand when the Windows operating system was installed on the analyzed machine.

Please bear in mind that on Windows 10 this date can refer to the last major update (e.g. the Creators Update).

      1. Extraction from the Windows registry with PowerShell:

        It is possible to retrieve the date and time directly from the registry value:

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

        The value of the registry key “InstallDate” is expressed as UNIX time; in a few words, it is the number of seconds elapsed since 1st Jan 1970.
        You can obtain a readable value with PowerShell by writing:

        $date = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\' | select -ExpandProperty InstallDate

        The variable $date contains the installation date and time in UNIX time. To convert it into a human-readable format in the same PowerShell session, write:

        (Get-Date "1970-01-01 00:00:00.000Z") + ([TimeSpan]::FromSeconds($date))

        Now you have a human-readable installation date and time.

        Requirement: PowerShell
        OS: Windows 7+

      2. Using systeminfo via CMD:

        Systeminfo displays configuration information about a computer and its operating system, including the Original Install Date. To extract the installation date, open a cmd and type:

        systeminfo | find /i "original"

        The filter relies on the string “Original Install Date”, so in order to find valid information your OS language must be English; otherwise the command may not return anything.
        Requirement: cmd
        OS: Windows XP+

      3. Using WMI via PowerShell:

        It is also possible to extract the installation date and time with WMI, which stands for “Windows Management Instrumentation”. Open a PowerShell window and write this command:

        ([WMI]'').ConvertToDateTime((Get-WmiObject Win32_OperatingSystem).InstallDate)

        With this command you will get the installation date in a human-readable format.
        Requirement: PowerShell
        OS: Windows 7+

      4. Client Side Cache folder on Windows 10:

        On Windows 10, all the methods listed above may return the date of the last major update (e.g. the Creators Update) rather than the original installation date.
        A nice way to find the closest thing to the original installation date on a Windows 10 system is to look at the “last write time” of the Client Side Cache folder, which you can do with PowerShell:

        Get-Item C:\Windows\CSC\

        The “Last Write Time” of this folder is one of the closest things to the original installation date of the system.
        Please refer also to this interesting discussion.

        Requirement: PowerShell
        OS: Windows 10

If you use other methods to get the installation date, please share them in the comment box.