Computer Investigations and Forensic Lab: Creating an Image with DD

00:00

In today's episode, we're gonna be using the computer investigation of forensics Lab provided by Sight buried out I t. In order to in order to create an image with the D Command.

00:11

So in today's video, we're gonna be talking about the computer forensics and investigation lab

00:16

Go over the DD command.

00:18

I'm gonna demo out imaging a partition and then verifying the image. So the separate that I t. Lab that we're gonna be leveraging for today's demo is the computer forensics investigation.

00:29

I'm not gonna be displaying the full on lap. I took out the portion of the lab and

00:35

that leverages the creation of an image using the D D command. So I had to recommend that you go through the lab yourself. I don't go into details of everything that lab was meant to teacher. So there's a lot of valuable information that's missing about the live in this lecture.

00:51

I focus solely on the acquisition process being performed in this lab and leave the rest of it for you to go export.

00:58

One of the reasons I like this particular live was the fact though they created an image with a D D command

01:04

using two separate virtual environments, an examiner is able to make a accusation of an image,

01:12

so the ditty command stands for a data duplicate. ER. It's used for duplicating covered Ian data. It's a very powerful tool found in Lenox operating systems and should be only used by super users due to the fact that massive data loss could occurred to improper usage. The Do Command

01:30

provides backup and restoration of entire disk or partition,

01:34

a backup of your master boot record copy and converting of magnetic type formats. So we have asking an E V C D I C formats.

01:45

The copying conversion of swap it's and converts lower case to upper case is

01:49

this is typically used by then the next colonel for creating are for creating its boot images.

01:56

So once you begin the computer forensics and investigation lab

02:00

to get to the point of the demo where I'm at,

02:01

you have to first start all three PM's by selecting them

02:06

on the the Windows 10 love, open up the Tiger VI nce viewer application and then, using that tool log into the Lennox ER

02:15

on the Lennox virtual environment, open up the Lenox Terminal.

02:19

The lab does an excellent job guiding you to the points at which I will start your demo. So here we are in our Lenox terminal. If you see on the left you have three separate virtual sheets and then on the right, we have our Callie than X terminal. So Cal UNIX is a Lennix distribution designed for forensics

02:37

and penetration Testing.

02:38

It is maintained and funded by the offensive security. And it includes applications such as and map, which is a port scanner. More a shark, which is a packet analyzer.

02:51

John the Reaper, password, cracker air, crack. And in G, which is a whole software suite for penetration testing on wireless lands and a wide variety of security tools.

03:01

So now here in the terminal, we're gonna open up G parted utility tool.

03:06

So this G part of Utility Tool is a free partition editor for

03:10

graphically managing your dispositions. It's available on a Linux operating system with departed. You can resize copy and even move partitions without data loss. So now we're gonna go ahead and select the deaf SDA on the top. Right?

03:27

I move that to dove S d. B.

03:30

On this partition, we have

03:32

one partition, which is STV won. The file system is stated to be an X four,

03:38

which is a andro. SD came out with the size of 20. So we're gonna go ahead and amount the partition and elites you right click to click on MT.

03:47

We didn't have the partition.

03:51

Now we're gonna create a new partition.

04:03

So G partner pops up a new module for you to create a new partition. We're gonna set the new size to 4000 and 96. Create this as a premier partition, said the foul assistance to fat 32 make the label off windows.

04:20

So now we're gonna apply the pending operations. So we apply the changes we've just done, we'll click apply. It doesn't take that long, and here it's completed.

04:30

We'll switch over to we're going to switch over to the terminal. So now we're gonna run F disco. This is a command line utility that provides this partitioning functions

04:40

and just take a moment to review what we see

04:43

in De Parted. We noticed that we had two separate partitions. We had S d. B and s t eight as to be based on the information that leftists provides. It also defines the number of heads sectors per track still unders on your total number of sectors after it performs a calculation. So after this

05:01

provides a lot of information

05:03

about the disk partition itself. You're also given units, so the size of a sector, your Iot size, your desire identifier, and then a layout list of your device boots. If you see the device boot table tells you in which sector it starts, which sector and ends, how many total Block says

05:24

Does it take

05:25

the particular idea that it maps it to system So or STB one is Olynyk system. If you look down on S d A, we can see we have three different types of systems. For I D 33 we have Lennox I d five. We have extended and I D 82 we have linen swap.

05:44

I'll go ahead and create a new directory interment. Call it STB one and proceed with opening up the pad.

05:49

Once I get into the pad, I'm gonna look for more. Look for the F Slams at age file,

05:55

not the directory, the actual file.

05:59

Once I opened up that file, I'm gonna create a new line

06:02

and add the new partition that I've just mounts it.

06:09

My STB one

06:12

for separating our line attributes you hit tab and continue with the rest.

06:18

So once you do this, that defines a new partition to the F slash file.

06:26

Once that's complete, were saved the file and run F disc l once again to see the difference.

06:31

So now, ever an f disco

06:34

and see that the the size for the first this partition or STB never really changed. The only thing that changed was the i. D. That identified it previously, which was 83 on the system, which was Lennox. Now it's changed from I d be. And our system is Windows 95 fat 32.

06:53

Now we've created partition. We've

06:56

on added this new partition into our system. So it identifies in and see it not gonna go and create a directory for a case and call it case 01

07:09

I'll reader to that directory and then using the DD command, create an image of that partition.

07:15

So I made the directory case 01

07:18

Move into that directory.

07:21

Now I'm gonna create a partition using the DD command for the partition that was just created. As you can see, the duty command has multiple options. We're not gonna go into the different options. So I recommend writing this down and looking at the d d Man page to see what these options are available

07:39

from the duty command. When piping it to Jesus to make it into a zip file, spending the size of file and then storing it as system underscored, Dr. Underscore backup image that Jeezy.

07:51

Once the DD command is complete, it will display the records out records. In

07:57

a breakdown of the bits that were copy,

08:01

we locate the system file within the file system and proceed with copying that file.

08:07

I'm gonna move instrument SD one case 01

08:11

and pace the image file.

08:15

So I've now pasted the system underscore drive back up, thought imaged out to see a file into my separate partition.

08:24

So in today's video, we're not gonna go into analyzing this actual file. All we're gonna do is joy this file for a later lecture.

08:33

So I hope you enjoyed today's lecture in which we talked about the computer Forensics and investigation lab went over the deke command line and then using and then using the DD command within the computer forensics and investigation lab, we created a image partition.

08:50

This image will be later examined in future videos,