Disk Forensics

Disk Forensics includes where you are required to investigate the files which were deleted off the system.

Mounted Devices

  • The devices that were mounted to the devices can be identified with the commands

df -h
mount

Quick Wins

  • Every device blocks connected to the UNIX systems store its contents in binary format and everything connected is CATable / GREPable

  • Once the mounted device is identified we can cat / grep the device block

cat /dev/sdb
sudo xxd /dev/sdb  | grep -Ev '(0000 0000 0000 0000 0000 * | ffff ffff ffff ffff ffff *)'

Forensic Way

  • With the dcfldd 

dcfldd if=/dev/sdb of=/tmp/file.dd

root@raspberrypi:/home/pi# dcfldd if=/dev/sdb of=/tmp/test
256 blocks (8Mb) written.
320+0 records in
320+0 records out
root@raspberrypi:/home/pi# ls -lash /tmp/test
10M -rw-r--r-- 1 root root 10M Mar 13 10:34 /tmp/test

  • With this file transferred to the attacker machine we can run utilities like testdisk or photorec to investigate this dd file

PreviousForensicsNextInspection

Last updated