Disk Imaging and Analysis

(OBJ 4.8)

Walkthrough of creating a disk image from a USB drive using dd

  1. Connect your USB thumb drive through a hardware write blocker so nothing on the evidence drive can be modified during acquisition
  2. Use fdisk -l (as root, e.g. sudo fdisk -l) to list the devices that you have available.
    • The USB device should look something like this
    ...
    Disk /dev/sdb: 1.9 GiB, 2003828736 bytes, 3913728 sectors
    Units: sectors of 1 * 512 = 512 bytes
    ...
    
  3. Enter dd bs=64k if=/dev/sdb of=usb2gb.dd to start copying the drive
    • bs=64k sets the block size to 64 kilobytes
    • if=/dev/sdb sets the input file to the disk you want to image
      • Here is where you decide whether to copy the entire disk or just one partition
      • For the entire disk use /dev/sdb (the whole disk name); for a single partition use its device node, e.g. /dev/sdb1
    • of=usb2gb.dd defines the output file
    • dd prints only its records in/out summary when it finishes; after that, you will see the output file listed in the current working directory
  4. Create a hash using md5sum usb2gb.dd
    • It will calculate the hash and print it
    • Hash the source device the same way (md5sum /dev/sdb) and confirm the two digests match; that match is what shows the image is a faithful copy
    • Consider also using a SHA-1 or a SHA-256 hash, because MD5 is considered weak (collisions can be constructed for it); SHA-256 is the one to rely on
  5. Download and install FTK Imager on Windows, then run it with administrative permissions.
  6. Inside FTK Imager, go to 'File' and then down to 'Create Disk Image'.
    • Select the source type: a physical drive, a logical drive, an image file, the contents of a folder, or multiple CDs and DVDs.
    • Click 'Next'
    • Select available drives and click 'Finish'
    • Select where to save the file to be created
      • Raw (dd), SMART, E01, AFF
      • Any forensic tool can use dd format
    • Give it any information you want
      • Case Number
      • Evidence Number
      • Unique Description
      • Examiner
      • Notes
    • Click 'Next'
    • Select place to be stored
    • Set the Image Filename
  7. Review the drive results, including the MD5 hash and SHA1 hash of the image; FTK Imager computes them after the copy and reports whether they match the source
    • Hit 'Close'
  8. You will notice a couple of new files in the folder you selected for the image to be stored
    • USB2GB.dd.001 (1.5 GB) is the image itself; by default the software breaks the image into chunks of this size.
      • Chunking keeps each file a manageable size; the tool reads the chunks back as one image.
    • USB2GB.dd.001.txt (Text Document) holds the summary contents for us.
      • Tells us it was created by FTK Imager, and this is part of our chain of custody now.
      • Tells us what the drive looked like (size, sector count, drive details)
      • Shows the hashes computed during acquisition and the verification hashes computed after the image is copied, and whether they match
  9. To open this dd file we're going to do that inside of FTK and we can analyze it.
    • Do 'File' on top left
    • Add evidence item, it's gonna be an 'Image file' this time
    • Find it and open the 001 dd file.
    • As you open it you will see the partitioned and the unpartitioned space
    • Remnants of deleted files can remain in the unallocated space, so data someone tried to remove will show up there
    • Open up the drive and take a look at its root; you will see the directories and files on it
      • Notice the ones marked with an X: these are deleted files
      • Some of these files can be restored using this forensic software
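
The dd acquisition and hash verification of steps 1 to 4 above, as an added shell example that is not part of the original notes. It assumes the source device is SRC, the image name is IMG and the examiner log is LOG (all three are assumed names); for an offline run SRC is a constructed 1 MiB file standing in for the write-blocked /dev/sdb.

```shell
#!/bin/sh
# Added example (not from the original notes): raw acquisition with dd plus
# source/image hash verification. SRC, IMG and LOG are assumed names; for an
# offline run SRC is a constructed file, in a real case it is the write-blocked
# device (e.g. /dev/sdb).
set -u

SRC="${SRC:-./fake_usb.bin}"
IMG="${IMG:-usb2gb.dd}"
LOG="${LOG:-acquisition.log}"

make_fake_device() {
    # Constructed sample input: 1 MiB of random bytes standing in for the USB stick.
    dd if=/dev/urandom of="$SRC" bs=64k count=16 2>/dev/null
}

acquire_image() {
    # Whole-disk raw copy. conv=noerror,sync keeps going past unreadable blocks
    # and zero-pads them so offsets in the image still line up with the source.
    dd if="$SRC" of="$IMG" bs=64k conv=noerror,sync
}

hash_file() {
    # Print "md5 sha256" for one file. SHA-256 is the digest to rely on; MD5 is
    # kept only because many tools and evidence forms still expect it.
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha256sum "$1" | cut -d' ' -f1)"
}

verify_image() {
    # Hash source and image, record both in the log, succeed only if they match.
    src_hash=$(hash_file "$SRC")
    img_hash=$(hash_file "$IMG")
    {
        echo "date:   $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $SRC size=$(wc -c < "$SRC")"
        echo "image:  $IMG size=$(wc -c < "$IMG")"
        echo "source md5 sha256: $src_hash"
        echo "image  md5 sha256: $img_hash"
    } >> "$LOG"
    [ "$src_hash" = "$img_hash" ]
}

main() {
    make_fake_device
    acquire_image
    if verify_image; then
        echo "image verified, source and image hashes match (see $LOG)"
    else
        echo "HASH MISMATCH: do not use this image" >&2
        return 1
    fi
}

main
```

The log written by verify_image is the equivalent of the text summary FTK Imager drops next to its image: it records when the copy was made, what was copied, and the digests of both sides, so anyone later can re-hash the image and show it is unchanged. On a real drive, set SRC=/dev/sdb and run it as root behind the write blocker.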