Unit 2: Linux/Unix Acquisition 2.3 Activity and Discussion Activity: Using dd to Copy and Compare Files

mac2022-06-30  24

ACTIVITY: USING DD TO COPY AND COMPARE FILES

Note: This activity takes place in a Linux system environment using SANS SIFT Workstation, a collection of forensic tools. For instructions to download and set up this environment, click Virtual Workstation in the toolbar.

Time: This activity should take you approximately 30 to 60 minutes to complete.

SOFTWARE

If you are not using a Linux machine, you’ll need to download SIFT Workstation 3 for this exercise.

USB DRIVE

For this activity, you will need a USB drive as described in the Software and Equipment page.

GOAL

After capturing volatile system information, the next step is to acquire the nonvolatile data on the suspect machine. In this activity, we will use the *nix dd utility and several of its options to copy a file and to image a drive, and we will use cryptographic hashes (MD5 and SHA1) to verify that each copy is byte-for-byte identical to its source.

You may want to review my dd and nc Demo before beginning this activity.

INSTRUCTIONS

1. Launch SIFT Workstation 3 and open a terminal.
2. Use the command dd to copy an existing file on your computer. Name the new file copy.dd.
3. Using md5sum, create MD5 hashes of the original file and the copy.
4. Compare the hash of the copy to the hash of the original file; confirm that the hashes are the same.
5. Repeat Steps 3 and 4 using shasum to generate SHA1 hashes.
6. Use dd to copy one block of zeros from /dev/zero to a file called zero.dd. (Hint: use the dd option count.)
7. Insert the USB drive and connect it to SIFT Workstation 3. The USB drive should auto-mount.
8. Run the command mount to find the USB device file name. You will use the device file name in the dd command to make a full image of your USB. For example, my USB's device file is /dev/sdc1; it is mounted on /media/sansforensics/B86D-C764. (Note that /dev/sdc1 is the first partition; the whole device, including its partition table, is /dev/sdc.)
9. Use dd to make a full image of your USB flash drive. Name the image usb.dd. (Hint: dd if=/dev/sdc1 of=usb.dd)
10. Create both MD5 and SHA1 hashes of the USB flash drive. (Hint: md5sum /dev/sdc1; shasum /dev/sdc1)
11. Create both MD5 and SHA1 hashes of the USB image. (Hint: md5sum usb.dd; shasum usb.dd)
12. Make sure that:
   - the MD5 hash of the USB flash drive matches the MD5 hash of the USB image, and
   - the SHA1 hash of the USB flash drive matches the SHA1 hash of the USB image.
13. Answer the Check Your Work questions.

Note: The hashes in Steps 10 to 12 only agree if nothing writes to the drive between imaging and hashing. A mounted filesystem can be modified in the background (access-time updates, desktop indexers), so for a real acquisition you would unmount the drive or attach it through a write blocker before running dd.

If you used the same USB flash drive as in the Unit 1 FTK Imager activity, and the drive has NOT been modified since, the hashes reported by FTK Imager should be the same as the hashes you generated in this exercise.
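The steps above, as an added shell example (not part of the original activity): the dd copy, the one-block zero file, and the image-plus-hash check are written as functions and exercised against a constructed 1000-byte sample file standing in for the USB device, so it runs without a drive attached. The function names, the sample file and the bs= values are assumptions made for the example; to image a real device, pass /dev/sdX (as root) in place of the sample. sha1sum is used instead of shasum because it is part of coreutils; both print the same SHA1 digest.

```bash
#!/usr/bin/env bash
# Added example, not part of the original activity.
set -euo pipefail

# Print the hex digest of a file or device. "md5" -> md5sum, "sha1" -> sha1sum
# (the activity's `shasum` produces the same SHA1 value).
hash_of() {
  local algo="$1" path="$2"
  case "$algo" in
    md5)  md5sum  "$path" | cut -d' ' -f1 ;;
    sha1) sha1sum "$path" | cut -d' ' -f1 ;;
    *) echo "unknown algorithm: $algo" >&2; return 2 ;;
  esac
}

# Steps 3-5 and 10-12: compare MD5 and SHA1 of a source and its copy.
# Returns 0 when both digests match, 1 (with a message on stderr) otherwise.
hashes_match() {
  local src="$1" out="$2" algo a b
  for algo in md5 sha1; do
    a=$(hash_of "$algo" "$src"); b=$(hash_of "$algo" "$out")
    if [ "$a" != "$b" ]; then
      echo "$algo MISMATCH: $src=$a $out=$b" >&2
      return 1
    fi
    echo "$algo OK  $a"
  done
}

# Steps 2 and 9: copy src to out with dd, then verify the hashes.
# No conv=sync here on purpose: plain dd writes a trailing partial block
# as-is, so the copy is identical even when the source size is not a
# multiple of bs (conv=sync would zero-pad that block and break the hash).
dd_copy_verify() {
  local src="$1" out="$2" bs="${3:-1M}"
  dd if="$src" of="$out" bs="$bs" status=none
  hashes_match "$src" "$out"
}

# Step 6: one block of zeros. dd's default block size is 512 bytes, so
# `count=1` without bs= yields a 512-byte file. Prints the resulting size.
make_zero_block() {
  local out="$1" bs="${2:-512}"
  dd if=/dev/zero of="$out" bs="$bs" count=1 status=none
  wc -c < "$out" | tr -d ' '
}

# The usual forensic variant: conv=noerror,sync keeps reading past bad
# sectors and zero-fills each unreadable block. Fine for a device whose size
# is a multiple of bs (512-byte sectors), but on a file of arbitrary length it
# pads the final partial block, so the image grows and its hash no longer
# matches the source. Prints the output size so the padding is visible.
dd_image_noerror() {
  local src="$1" out="$2" bs="${3:-512}"
  dd if="$src" of="$out" bs="$bs" conv=noerror,sync status=none
  wc -c < "$out" | tr -d ' '
}

# Constructed sample input: 1000 random bytes standing in for the USB device.
# 1000 is deliberately not a multiple of 512 so both dd behaviours show.
demo() {
  local dir; dir=$(mktemp -d)
  head -c 1000 /dev/urandom > "$dir/sample"
  dd_copy_verify "$dir/sample" "$dir/copy.dd"                    # md5 OK, sha1 OK
  echo "zero.dd is $(make_zero_block "$dir/zero.dd") bytes"        # 512
  echo "conv=sync image is $(dd_image_noerror "$dir/sample" "$dir/usb.dd") bytes"  # 1024, padded
  rm -rf "$dir"
}
demo
```

Run it as a normal user to see the three results; for a real device, `dd_copy_verify /dev/sdc usb.dd` (as root, with the drive unmounted) performs Steps 9 to 12 in one call, and a 1 exit status means the drive changed or dd dropped data.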

Reposted from: https://www.cnblogs.com/sec875/articles/10013518.html
