Friday, 11 September 2009

Experiment 9 on Forensically Sound Block Imaging under Ubuntu

This experiment was one of a series carried out for the essay assignment of my course (the MSc in Forensic Informatics at the University of Strathclyde, UK) on the differences between forensic applications under Ubuntu and Windows XP. It was performed in December 2008.
Forensically sound block imaging is a small feature, but it makes a significant difference between Ubuntu 8.10 and Windows XP in the partial imaging of digital evidence such as hard drives, flash disks and so on. Partial imaging means the forensic investigators do not need to image the whole drive; they select which blocks are imaged, which is intended to speed up the examination.

The forensic investigators can use the dcfldd command for this. For instance, to acquire only the first 572 MiB of the first partition of the 4 GB experimental flash disk used in the previous experiment, they can run this command:

'dcfldd if=/dev/sdb1 of=partition1a.dd conv=notrunc,noerror,sync hashwindow=512 hashlog=Partition1aHash.md5 bs=146484 count=4096'

Figure 1
The dcfldd command used to image the first 572 MiB of the 4 GB flash disk

The command above produced the image file partition1a.dd as 4096 blocks of 146484 bytes each, i.e. 599,998,464 bytes (572 MiB). With dcfldd the investigators can also shape the acquisition as they want. For instance, the 4 GB experimental flash disk above consists of 3 partitions; to image the whole of partition 1 (1 GB) together with the first half of partition 2 (also 1 GB), they read from the whole device rather than from a single partition and run this command:

'dcfldd if=/dev/sdb of=partition1and2.dd conv=notrunc,noerror,sync hashwindow=512 hashlog=Partition1and2Hash.md5 bs=366210 count=4096'
Figure 2
The dcfldd command used to image the first 1430 MiB of the 4 GB flash disk

This command produces the image file partition1and2.dd of 1430 MiB (366210 x 4096 = 1,499,996,160 bytes) in 4096 blocks. Only these blocks are then examined, so the investigators save time in both imaging and analysis. Two practical caveats apply to the commands above. First, 146484 bytes is not a multiple of the 512-byte sector (it is 286 sectors plus 52 bytes); with conv=noerror,sync every input block is padded to the full block size, so a single unreadable sector can be replaced by up to a whole block of zeros, and the zeroed run does not line up with sector boundaries. Choosing bs as a multiple of the sector size (the byte totals above are exact multiples of 512, so only count needs adjusting) keeps the image sector-aligned and limits the data lost around a bad sector. Second, hashwindow=512 writes one hash line per 512 bytes, over a million lines for a 572 MiB image, so a larger window is usual; and because a partial image cannot be verified against a hash of the whole device, the exact selection (if, skip, bs, count) must be recorded in the case notes. As far as I know and have experienced, this technique might not be found in forensic imaging tools running under Windows XP such as FTK Imager, EnCase, WinHex and so on. In my view, this block imaging technique makes dcfldd under Ubuntu 8.10 better and more flexible than the imaging tools running under Windows XP.
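The following script is an added example, not part of the original post. It shows the selective acquisition described above done with a sector-aligned block size: the byte range to image is turned into skip/count values in sectors, the equivalent dcfldd command is printed, and the image is acquired and checked against a hash of the same range read directly from the source. Plain POSIX dd and sha256sum are used for the acquisition so that it runs on any Linux box; the device path /dev/sdb, the image file names and the 16-sector test file standing in for the flash disk are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): selective block imaging with a
# sector-aligned block size, plus verification of the acquired range.
# Uses plain POSIX dd so it runs anywhere; make_dcfldd_cmd prints the
# equivalent dcfldd invocation (device and file names are hypothetical).
set -eu

SECTOR=512                      # assumed sector size of the evidence device

# Convert a byte range into dd/dcfldd skip and count values (in sectors).
# Refuses ranges that do not start and end on a sector boundary, because a
# misaligned bs (e.g. the post's 146484 = 286 sectors + 52 bytes) makes
# conv=sync pad with a zero run that is not sector-sized.
range_to_sectors() {
    offset=$1; length=$2
    if [ $((offset % SECTOR)) -ne 0 ] || [ $((length % SECTOR)) -ne 0 ]; then
        printf 'offset %s / length %s not multiples of %s\n' "$offset" "$length" "$SECTOR" >&2
        return 1
    fi
    printf '%s %s\n' $((offset / SECTOR)) $((length / SECTOR))
}

# Print the dcfldd command for a byte range. hashwindow is 1 MiB rather than
# the post's 512 bytes, which would write one hash line per sector.
make_dcfldd_cmd() {
    src=$1; dst=$2; offset=$3; length=$4
    sectors=$(range_to_sectors "$offset" "$length") || return 1
    set -- $sectors
    printf 'dcfldd if=%s of=%s bs=%s skip=%s count=%s conv=noerror,sync hashwindow=%s hashlog=%s.md5\n' \
        "$src" "$dst" "$SECTOR" "$1" "$2" $((SECTOR * 2048)) "$dst"
}

# Acquire the range with dd, then compare the image hash with a hash of the
# same range read straight from the source. Prints the SHA-256 on success.
acquire_range() {
    src=$1; dst=$2; offset=$3; length=$4
    sectors=$(range_to_sectors "$offset" "$length") || return 1
    set -- $sectors
    dd if="$src" of="$dst" bs="$SECTOR" skip="$1" count="$2" conv=noerror,sync 2>/dev/null
    img_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    ref_hash=$(dd if="$src" bs="$SECTOR" skip="$1" count="$2" 2>/dev/null | sha256sum | cut -d' ' -f1)
    if [ "$img_hash" != "$ref_hash" ]; then
        printf 'image hash %s does not match source range hash %s\n' "$img_hash" "$ref_hash" >&2
        return 1
    fi
    printf '%s\n' "$img_hash"
}

# Constructed stand-in for the flash disk: a 16-sector file in which sector i
# is filled entirely with the i-th letter of A..P, so ranges are recognisable.
make_fake_device() {
    chars=ABCDEFGHIJKLMNOP
    : > "$1"
    i=0
    while [ "$i" -lt 16 ]; do
        c=$(printf '%s' "$chars" | cut -c"$((i + 1))")
        head -c "$SECTOR" /dev/zero | tr '\000' "$c" >> "$1"
        i=$((i + 1))
    done
}

# Demonstration: the post's first range (599,998,464 bytes of /dev/sdb1) as a
# sector-aligned dcfldd command, then sectors 4..11 of the constructed file.
work=$(mktemp -d)
make_fake_device "$work/sdb"
make_dcfldd_cmd /dev/sdb1 partition1a.dd 0 599998464
acquire_range "$work/sdb" "$work/part.dd" $((4 * SECTOR)) $((8 * SECTOR))
rm -rf "$work"
```

Keeping bs at the sector size and varying count (rather than fixing count=4096 and computing an odd bs) means that a read error with conv=noerror,sync costs at most one sector of zeros, and the skip/count pair recorded in the case notes maps directly onto sector numbers. The second hash is the practitioner's check that the partial image is byte-for-byte what the chosen range of the source contains.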

1 comment:

  1. Muhammad,
    I have just discovered your site and found it interesting. I am an MSc student in computer forensics in Virginia, USA. I would like to know if you have any experience with dc3dd imaging and how you would compare it with dcfldd. I seemed to obtain a better image and hash values with dc3dd.

    Nee (