(W42M05) Useful commands in forensic activities


Now let’s see a list of native Linux commands that can be really useful in our forensic activities.


dd

Designed as a command to copy or convert files from an input device to an output file or device, dd produces physical, bit-for-bit copies of connected devices. It is therefore the basis for every copying activity on Linux.

The image thus obtained has a 1:1 ratio with the original file or device, constituting an exact, physical copy.

Unlike a logical copy, which works on the individual files present on the filesystem, the physical copy duplicates all the areas of the disk, even those that do not contain any file directly visible to the user, specifically the following two categories:

  • slack space: the bytes between the logical end of a file and the end of the cluster in which the last byte of that file resides

  • unallocated space: the areas of the disk not currently assigned to any file by the filesystem, which may still hold the contents of deleted files

Since in most filesystems the removal of a file simply deletes the index entry that records the location of the file on disk, being able to access the unallocated areas allows the recovery of deleted files or of information no longer available to the user of the system.

This is the basic syntax of the dd command:

dd if=[input-file] of=[output-file.dd] bs=[block-size] status=progress

We can use the .dd, .raw or .img extensions, and the result will always be the same: a copy identical in every single bit to the original file or device.

Note that in a forensic environment you must use a write-blocker to connect the seized device to your workstation. This is because Ubuntu, by default, mounts connected devices read and write, unless you’re using a forensic distro like Caine or Deft.

For example, we can make a copy of a USB pen drive identified with the disk name /dev/sdb:

dd if=/dev/sdb of=USB_DISK.dd bs=512 status=progress

Figure 1.5.1

Note that if we don’t specify a certain folder, the output will be set to our working directory.


md5sum, sha1sum

Two commands that run the MD5 and SHA1 hashing algorithms directly from the bash shell. We will use md5sum for the next examples, but the syntax is the same for both commands:

md5sum [options] [file]

We can use it on the .dd image we’ve just created:

md5sum USB_DISK.dd

Figure 1.5.2

We can also calculate the hash of both the forensic image and the original drive and instantly check the values:

md5sum USB_DISK.dd /dev/sdb

Figure 1.5.3

Alternatively, we can automate the process a little by storing the hash values of both image and source device in a single .md5 file and then using it for checking:

md5sum USB_DISK.dd /dev/sdb > USB_DISK.md5

md5sum -c USB_DISK.md5

Figure 1.5.4
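The acquisition and verification steps above (dd, then md5sum on image and source, then md5sum -c) put together as one script. This is an added example, not code from the original lesson; the function names acquire_and_verify and verify_image are ours, and it assumes GNU coreutils (dd status=progress, md5sum -c --quiet).

```shell
#!/bin/sh
# Added example, not code from the original lesson: image a source device with
# dd, then hash image and source with md5sum and re-verify with md5sum -c.
# Assumes GNU coreutils (dd status=progress, md5sum -c --quiet).
set -u

# acquire_and_verify SOURCE IMAGE
# Bit-for-bit copy of SOURCE into IMAGE, hashes of both stored in IMAGE.md5.
# Returns 0 only when the two hashes are identical and md5sum -c passes.
acquire_and_verify() {
    src="$1"
    img="$2"

    # Same acquisition command as in the lesson; the progress report goes to stderr.
    dd if="$src" of="$img" bs=512 status=progress || return 1

    # One .md5 file with two lines: "<hash>  <path>" for image and for source.
    md5sum "$img" "$src" > "$img.md5" || return 1

    # Compare the two hash values before trusting the image.
    img_hash=$(awk 'NR == 1 { print $1 }' "$img.md5")
    src_hash=$(awk 'NR == 2 { print $1 }' "$img.md5")
    echo "image  md5: $img_hash"
    echo "source md5: $src_hash"
    if [ "$img_hash" != "$src_hash" ]; then
        echo "HASH MISMATCH: image does not match source" >&2
        return 2
    fi

    # Re-read image and source and check them against the stored values.
    verify_image "$img" || return 3
    return 0
}

# verify_image IMAGE
# Re-hashes the files listed in IMAGE.md5 and compares with the stored values;
# any later modification of the image (or source) makes this fail.
verify_image() {
    sums="$1.md5"
    [ -f "$sums" ] || { echo "missing $sums" >&2; return 1; }
    md5sum -c --quiet "$sums" && echo "verified against $sums"
}

# Usage (interactive, on a write-blocked device):
#   acquire_and_verify /dev/sdb USB_DISK.dd
```

Run verify_image again at any later point in the analysis to prove the image is still the one that was acquired.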


cat

Short for concatenate, cat is one of the most frequently used commands in Linux/Unix-like operating systems. It allows us to create single or multiple files, view the contents of a file, concatenate files and redirect output to the terminal or to files.

We will deal with the use of this command along with the next one, grep.


grep

The name stands for “globally search a regular expression and print”. As the name implies, grep is a command-line utility for searching plain-text data sets for lines that match a regular expression. It is a really powerful tool that can also be used on forensic images.

Take the case where you have an index of words taken from the analysis of a suspect's notebook.

With cat we can see a preview of the file, perhaps limiting ourselves to the first 20 lines with the head command followed by the -n option:

cat [file] | head -n[number of lines]

cat keywords.txt | head -n20

Figure 1.5.5

We can use grep to search for the lines that match the word password:

grep [pattern] [file] 

grep password keywords.txt

Figure 1.5.6

If we want to use multiple patterns, the syntax is the following:

grep '[pattern1\|pattern2]' [file] 

grep 'password\|pwd' keywords.txt

Figure 1.5.7


file

The file command is a standard program of Unix and Unix-like operating systems for recognizing the type of data contained in a computer file. It provides information about metadata and helps to discover mismatched files, that is, files whose extension does not correspond to their real content.

For example, note the difference between a real .jpg file and a renamed .rar:

Figure 1.5.8

We can combine file with grep through a pipe to automate the search, keeping only the non-JPEG files by adding the -v (invert match) parameter:

file *.jpg | grep -v JPEG

Figure 1.5.9


https://speakerdeck.com/zubie7a/basic-linux-commands-for-forensics?slide=18


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023