# Disk acquisition with dd
### 1. Introduction
> Image acquisition involves making a copy (or several copies) of the seized hard disk which can be then used to forensics analysis. This allows the investigators to analyze this image while ensuring the integrity and present condition of the real evidence disk.
In this lab, the evidence hard disk is mounted on ‘/dev/sdc’. The [**dd tools**](https://en.wikipedia.org/wiki/Dd_\(Unix\)) are installed on the lab machine.
Create a disk image for evidence hard disk using dd tools.
### 2. Create Image with dd
Our target disk where we need to do a copy for forensic analysis is mounted on **/dev/sdc**. Let’s check that first.
`df -h`
It seems that our disk is allready mounted, but is it useful to create a disk image when the disk is mounted?
> When you’re reading/writing to a file on a partition, it should be mounted (obviously, in order to access the file).\
> When you’re reading/writing to a raw disk, it should be unmounted to prevent corruption or inconsistency.
So for preventing any failures it’s better to unmount the disk first!
`umount /mnt/evidence`
So now I’ll use the dd utility to create the image file
`dd if=dev/sdc of=evidence.img`
### 3. Create MD5 SUM
To finalize this task I’ll create a MD5 Checksum of that evidence.img file
`md5sum evidence.img`
### 4. Summary
{% embed url="" %}
