Abstract
The objectives of this chapter are to:
References
B. Carrier, “The Sleuth Kit,” 2017. [Online]. Available: www.sleuthkit.org.
Symantec Connect, freeware forensics tools for Unix. [Online]. Available: https://www.symantec.com/connect/articles/freeware-forensics-tools-unix.
C. Marko, “Introduction to The Sleuth Kit (TSK),” 2005.
Sleuthkit.org, “Sleuth Kit Wiki.” [Online]. Available: https://wiki.sleuthkit.org/index.php?title=Main_Page. [Accessed February 2017].
SANS Institute, “The SANS Investigative Forensic Toolkit (SIFT).” [Online]. Available: https://digital-forensics.sans.org/community/downloads.
IGI Global, “What is Virtualization?” [Online]. Available: https://www.igi-global.com/dictionary/an-evolutionary-approach-for-load-balancing-in-cloud-computing/31852.
NIST, “The Computer Forensic Reference Data Sets (CFReDS) Project.” [Online]. Available: http://www.cfreds.nist.gov/.
“A Beginner’s Guide to using apt-get commands in Linux (Ubuntu),” codeburst.io. [Online]. Available: https://codeburst.io/a-beginners-guide-to-using-apt-get-commands-in-linux-ubuntu-d5f102a56fc4.
Appendices
Appendix A Installing software in Linux
You will need to become root (the superuser), or prefix each command with sudo, to install software.
There are many ways to install software in Linux, either graphically or from the command line. Two popular ways are installing from source code and installing with Apt [14], the package manager for Debian and Debian-based Linux distributions such as Ubuntu and Kali Linux.
Note that there are many Linux distributions, and the way to install software differs slightly between them. Kali Linux is based on Debian Linux, which uses Apt.
(a) Using the “apt-get” commands to manage packages in Linux
- apt-get: performs installations, package searches, upgrades and many other operations on the software packages available to your Debian and Debian-based Linux systems. Run apt-get update first to refresh the package index, so that the current version of a package is fetched.
For example, to install a package, use:
# apt-get install [package_name]
To remove a package, use:
# apt-get remove [package_name]
(b) Compiling and installing software from source in Linux
The installation procedure for software distributed as a tar.gz (or tgz) or tar.bz2 archive is not always the same, but it usually follows the steps below, assuming that the archive containing the program's source code is named archive. Only the final step needs root; run the others as an ordinary user.
- $ tar -zxvf archive.tar.gz (or tar -zxvf archive.tgz, or tar -xvjf archive.tar.bz2): decompress and unpack the tarred archive called archive.
- $ cd archive: change into the directory the archive unpacked into (often named after the package and its version).
- $ ./configure: run the configure script, which checks the build environment and generates the Makefile used for compiling.
- $ make: compile the program with the GNU make utility.
- # make install: install the compiled software (for autoconf-generated configure scripts, under /usr/local by default).
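The following helper script is an added example and is not part of the chapter. It wraps the steps above, checking the tarball's SHA-256 against the checksum the project publishes before anything is unpacked, picking the tar flags from the archive name, reporting the directory the archive actually unpacks into (rather than assuming it is called archive), and keeping root for make install only. The function names verify_and_extract, build_and_install and demo are mine; the script assumes sha256sum, tar, make and sudo are available, and the demo function builds a small constructed tarball so the checksum and extraction logic can be exercised without downloading anything.

```shell
#!/bin/sh
# Build-from-source helper (added example; not from the chapter).

# verify_and_extract TARBALL EXPECTED_SHA256 DESTDIR
# Refuses to unpack an archive whose SHA-256 does not match the published value,
# then prints the top-level directory the archive unpacked into.
verify_and_extract() {
  tarball=$1; expected=$2; dest=$3
  actual=$(sha256sum "$tarball" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $tarball: got $actual" >&2
    return 1
  fi
  mkdir -p "$dest"
  case "$tarball" in
    *.tar.gz|*.tgz) tar -xzf "$tarball" -C "$dest" ;;
    *.tar.bz2)      tar -xjf "$tarball" -C "$dest" ;;
    *) echo "unsupported archive type: $tarball" >&2; return 1 ;;
  esac
  # Archives usually unpack into one directory such as name-version/; report it.
  tar -tf "$tarball" | head -n 1 | cut -d/ -f1
}

# build_and_install SRCDIR [PREFIX]
# configure and make run as the current user; only the install step uses sudo.
build_and_install() {
  srcdir=$1; prefix=${2:-/usr/local}
  (cd "$srcdir" && ./configure --prefix="$prefix" && make) || return 1
  sudo make -C "$srcdir" install
}

# demo: constructed sample input (a one-file "hello-1.0" tarball) standing in for a
# downloaded release; its checksum plays the role of the project's published hash.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src/hello-1.0"
  echo 'int main(void) { return 0; }' > "$work/src/hello-1.0/hello.c"
  tar -czf "$work/hello-1.0.tar.gz" -C "$work/src" hello-1.0
  published=$(sha256sum "$work/hello-1.0.tar.gz" | cut -d' ' -f1)
  top=$(verify_and_extract "$work/hello-1.0.tar.gz" "$published" "$work/build") \
    || { rm -rf "$work"; return 1; }
  rm -rf "$work"
  echo "$top"
}
```

In real use, take the expected hash from the project's release page or signed checksum file, not from the same server path as the tarball, and call build_and_install on the directory that verify_and_extract prints.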
Appendix B dcfldd Cheat Sheet
dcfldd is “an enhanced version of GNU dd with features useful for forensics and security”, for example, creating a forensic image of an entire disk. The basic syntax of the command is:
dcfldd if=<input file> bs=512 skip=0 count=1 of=<output file>
This command reads from the source (a drive or a file) and writes to the output (a file or a drive). With bs=512, skip=0 and count=1 it copies exactly one 512-byte block, starting at the beginning of the input.
Where:
1. if indicates the input file. Example input files include:
LINUX
- File name (the input file)
- /dev/stdin (the “standard input” (stdin) device, e.g., the keyboard or a pipe)
- /dev/hda (first IDE physical drive)
- /dev/hda2 (second partition on the first IDE drive)
- /dev/sda (first SCSI physical drive; modern kernels name SATA and USB disks the same way)
WINDOWS
- File name (the input file)
- \\.\PhysicalDrive0 (first physical drive)
- \\.\D: (logical drive D:)
- \\.\PhysicalMemory (physical memory; user-mode access to this device was removed in Windows Server 2003 SP1 and Windows Vista, so it works only on older Windows versions)
2. of indicates the output file. Example output files include:
- imagefile.img (bit-for-bit image file)
- /dev/sdX (a USB drive, which Linux exposes as a SCSI disk, e.g., /dev/sdb or /dev/sdc; confirm the letter with lsblk before writing)
- /dev/hdb (second IDE drive)
3. Useful options
- bs=block size (sets the block size)
- count=N (copy only N blocks of the input file)
- skip=N (skip N input blocks of bs bytes before copying; by default skip=0, i.e., the input is read from the beginning)
- conv=noerror,sync (keep going after read errors, and pad each short or unreadable block with zeros so that offsets in the image stay aligned with the source)
- hashwindow=num (compute a hash for every num bytes of data)
- hashwindow=0 (hash the entire input)
- hashlog=filename (write the hashes to the named file; MD5 by default, hash=sha256 selects SHA-256)
4. Usages and examples
(a) Create a disk image
Example: dcfldd if=/dev/sdb of=/datatraveller.img
This command creates a bit-for-bit image of the external USB drive /dev/sdb and writes it to the file datatraveller.img in the root directory. Attach the source drive through a write blocker, or at least never mount it read-write, and add hash=sha256 hashlog=datatraveller.sha256 so that the hash of the data read during acquisition is recorded and can later be compared with a hash of the image file.
(b) Wipe hard drives and flash drives, for example with all zeros
Example: dcfldd if=/dev/zero of=/dev/sdb
This command fills the external USB drive /dev/sdb with zeros. Check the device name first (lsblk or fdisk -l); dcfldd does not ask for confirmation.
(c) Extract a selected portion of a data file
Example: dcfldd if=thumbimage_fat.dd bs=512 skip=0 count=1 of=mbr.dd
Assume that thumbimage_fat.dd is an image of an MBR-partitioned disk. The MBR occupies the first 512-byte sector, so copying one block from offset 0 extracts it into mbr.dd.
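The script below is an added example, not part of the chapter, that ties the three usages together the way an examiner would want them run: copy with the cheat-sheet operands, hash the result, verify the image with a tool other than the one that produced it, and check that an extracted first sector carries the 55 AA boot signature an MBR must end with. The function names forensic_copy, verify_image, mbr_signature and demo are mine. It uses dcfldd when installed and otherwise falls back to GNU dd, which accepts the same if=/of=/bs=/skip=/count=/conv=noerror,sync operands (hashwindow and hashlog are dcfldd-only, so the hash is always recomputed with sha256sum); od and sha256sum are assumed present. The demo function constructs a 2048-byte fake disk so everything can be exercised without real media.

```shell
#!/bin/sh
# dcfldd acquisition wrapper with independent verification (added example; not from the chapter).

# forensic_copy SRC DST [BS] [SKIP] [COUNT]  -> prints the SHA-256 of DST
# Same operands as the cheat sheet; COUNT may be omitted to copy to the end of SRC.
forensic_copy() {
  src=$1; dst=$2; bs=${3:-512}; skip=${4:-0}; count=$5
  tool=dcfldd
  command -v dcfldd >/dev/null 2>&1 || tool=dd   # GNU dd accepts the operands used below
  if [ -n "$count" ]; then
    "$tool" if="$src" of="$dst" bs="$bs" skip="$skip" count="$count" conv=noerror,sync 2>/dev/null || return 1
  else
    "$tool" if="$src" of="$dst" bs="$bs" skip="$skip" conv=noerror,sync 2>/dev/null || return 1
  fi
  sha256sum "$dst" | cut -d' ' -f1
}

# verify_image SRC IMG: succeeds only if a full image hashes identically to its source,
# computed by sha256sum rather than by the tool that wrote the image.
verify_image() {
  [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(sha256sum "$2" | cut -d' ' -f1)" ]
}

# mbr_signature FILE: prints the two bytes at offset 510 in hex; a valid MBR yields 55aa.
mbr_signature() {
  od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n'
}

# demo: constructed sample input, a 2048-byte "disk" of four zeroed sectors with only
# the MBR signature set, standing in for /dev/sdb or thumbimage_fat.dd. Prints the
# signature read back from the extracted first sector.
demo() {
  work=$(mktemp -d)
  dd if=/dev/zero of="$work/disk.dd" bs=512 count=4 2>/dev/null
  printf '\125\252' | dd of="$work/disk.dd" bs=1 seek=510 conv=notrunc 2>/dev/null
  forensic_copy "$work/disk.dd" "$work/mbr.dd" 512 0 1 >/dev/null || { rm -rf "$work"; return 1; }
  forensic_copy "$work/disk.dd" "$work/disk.img" 512 >/dev/null || { rm -rf "$work"; return 1; }
  verify_image "$work/disk.dd" "$work/disk.img" || { rm -rf "$work"; return 1; }
  sig=$(mbr_signature "$work/mbr.dd")
  rm -rf "$work"
  echo "$sig"
}
```

Against a real drive, verify_image reads the source a second time; do that only through a write blocker, and keep the hash forensic_copy printed alongside the image as the acquisition record.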
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Lin, X. (2018). Building a Forensics Workstation. In: Introductory Computer Forensics. Springer, Cham. https://doi.org/10.1007/978-3-030-00581-8_3
DOI: https://doi.org/10.1007/978-3-030-00581-8_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00580-1
Online ISBN: 978-3-030-00581-8