Data Acquisition

Practice Labs Module
Time
50 minutes
Difficulty
Intermediate

The Data Acquisition module provides you with the instructions and devices to develop your hands on skills in the following topics: Preparing a Target Drive for Acquisition in Linux, Acquiring Data with dd in Linux, Capturing an Image with ProDiscover Basic, Using ProDiscover’s Proprietary Acquisition Format, Hands-On Project 3-1...

Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Sign up with Google
Sign up with Apple
Sign up with Microsoft
View all SSO options

Already have an account? Sign In »

Overview

Introduction

The Data Acquisition module provides you with the instructions and devices to develop your hands on skills in the following topics:

  • Preparing a Target Drive for Acquisition in Linux
  • Acquiring Data with dd in Linux
  • Capturing an Image with ProDiscover Basic
  • Using ProDiscover’s Proprietary Acquisition Format
  • Hands-On Project 3-1
  • Hands-On Project 3-2
  • Hands-On Project 3-3
  • Hands-On Project 3-4

Exercise 1 - Preparing a Target Drive for Acquisition in Linux

The Linux OS has many tools you can use to modify non-Linux file systems. Current Linux distributions can create Microsoft File Allocation Table (FAT) and New Technology File System (NTFS) partition tables. Linux kernel version 2.6.17.7 and earlier can format and read only the FAT file system, although an NTFS driver, NTFS-3G, is available that allows Linux to mount and write data only to NTFS partitions. You can download this driver from http://sourceforge.net/projects/ntfs-3g, where you can also find information about NTFS and instructions for installing the driver. For information on Mac OS X file systems and acquisitions, see Chapter 7.

Exercise 2 - Acquiring Data with dd in Linux

Follow these steps to make an image of an NTFS disk on a FAT32 disk by using the dd command.

Exercise 3 - Capturing an Image with ProDiscover Basic

In Chapter 2, you learned how to acquire an image of a USB drive. ProDiscover automates many acquisition functions, unlike current Linux tools. Because USB drives are typically small, a single image file can be acquired with no need to segment it. In this section, you learn how to make an image of a larger drive and apply the Split function in ProDiscover Basic to create segmented files of 650 MB each that can be archived to CDs.

Before acquiring data directly from a suspect drive with ProDiscover Basic, always use a hardware write-blocker device.

Exercise 4 - Using ProDiscover’s Proprietary Acquisition Format

Follow these steps to perform the second task, starting ProDiscover Basic and configuring settings for the acquisition:

Learning Partner
Practice Labs

IT & Cybersecurity certification hands on practice labs and practice exams for certifications and skill development.

Comprehensive Learning

See the full benefits of our immersive learning experience with interactive courses and guided career paths.

Courses