Disk acquisition with dd

1. Introduction

Image acquisition means making a copy (or several copies) of the seized hard disk, which can then be used for forensic analysis. Investigators work on the image, so the integrity and present condition of the real evidence disk are preserved.

In this lab, the evidence hard disk is mounted on ‘/dev/sdc’. The dd tools are installed on the lab machine.

Task: create a disk image of the evidence hard disk using the dd tools.

2. Create Image with dd

The target disk we need to copy for forensic analysis is mounted on /dev/sdc. Let's check that first.

df -h

It seems that our disk is already mounted, but is it sensible to create a disk image while the disk is mounted?

When you’re reading/writing to a file on a partition, it should be mounted (obviously, in order to access the file). When you’re reading/writing to a raw disk, it should be unmounted to prevent corruption or inconsistency.

So for preventing any failures it’s better to unmount the disk first!

umount /mnt/evidence

So now I'll use the dd utility to create the image file.

dd if=/dev/sdc of=evidence.img

3. Create MD5 SUM

To finalize this task I'll create an MD5 checksum of the evidence.img file.

md5sum evidence.img
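The whole procedure above (refuse to image a disk that is still mounted, copy it with dd, hash the result) as one script. This is an added example, not the lab's own commands: the function names acquire_image and verify_image and the log file layout are my own, it assumes GNU coreutils dd/md5sum/sha256sum, and it hashes the source device as well as the image so the two digests can be compared, recording SHA-256 next to MD5 because MD5 alone is no longer collision resistant.

```shell
#!/bin/sh
# Added example: raw acquisition of a disk with dd followed by hash
# verification of the image against the source. Assumptions (not from the
# lab): GNU coreutils dd/md5sum/sha256sum are present and SRC is readable.
set -u

# Hash SRC and DST with md5 and sha256, append both to LOG, and return 0
# only when the image matches the source on both digests.
verify_image() {
    src=$1; dst=$2; log=${3:-/dev/null}
    for tool in md5sum sha256sum; do
        s=$("$tool" "$src" | cut -d' ' -f1)
        d=$("$tool" "$dst" | cut -d' ' -f1)
        printf '%s source=%s image=%s\n' "$tool" "$s" "$d" >> "$log"
        if [ "$s" != "$d" ]; then
            echo "MISMATCH ($tool): image does not match source" >&2
            return 1
        fi
    done
    return 0
}

# Copy SRC (e.g. /dev/sdc) to DST (e.g. evidence.img) and verify it.
acquire_image() {
    src=$1; dst=$2; log=${dst}.log

    # A mounted filesystem can change under dd; refuse rather than image it.
    if grep -q "^$src" /proc/mounts 2>/dev/null; then
        echo "refusing: $src (or a partition of it) is still mounted" >&2
        return 2
    fi

    # bs=512 matches the sector size, so conv=sync never pads the tail of a
    # block device; noerror keeps dd going past unreadable sectors, and sync
    # fills them with zeros so every later offset in the image stays aligned.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync || return 1

    printf 'acquired %s -> %s on %s\n' "$src" "$dst" "$(date -u +%FT%TZ)" >> "$log"
    verify_image "$src" "$dst" "$log"
}

# Usage (as root, after umount): acquire_image /dev/sdc evidence.img
```

The log written next to the image holds both digests of source and image, which is what a custody record needs; a non-zero exit means the copy must not be treated as evidence.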

4. Summary
