How to Create an Image of a Hard Drive for Forensic Purposes
How can I create a forensic image of a hard drive or partition?
Summary: This how-to is part of a tutorial about DIY Computer Forensic Investigation.
This tutorial will guide you through making an image using dc3dd, a tool developed for the Department of Defense Cyber Crime Center (DC3). It is a powerful imaging tool that creates a file containing an exact, bit-for-bit replica of a hard drive. To use it you will first need to download the CAINE live CD image (Computer Aided INvestigative Environment) from the CAINE project site. This tutorial uses CAINE version 2.0. After you download the CAINE live CD image, you will need to burn it to a CD; if you are not sure how, follow a tutorial on burning a CD image with free software.
Put the CD into the computer you would like to image, plug in the external hard drive that will receive the image, then turn the computer on. The computer should now boot from the CD-ROM; if it does not, you will need to change a BIOS setting so that the computer checks for a bootable CD before it checks for a bootable hard drive (letting it boot the installed operating system would write to the very disk you are trying to preserve). A tutorial on changing your boot order will walk you through this.
When CAINE boots it will first load a text menu with a few options; press Enter to accept the default option, or wait 30 seconds and it will be selected automatically.
After CAINE boots you will need to mount (create a connection to) your external hard drive, where you will be saving the drive image. On the bottom left of the screen click MENU, then select Forensic Tools, then click Mount Manager. (Image 1) You will be prompted for a password; type caine (the default password for CAINE).
When Mount Manager loads, find your external hard drive (the drive you would like to copy the image to) in the list on the left. The quickest way to tell which is your external hard drive is by its size. My external hard drive is 1 terabyte; in the image you will see that it is actually 931.5 gigabytes. For each storage device (hard drive, CD-ROM, pen drive) there will be a sub-item on the list representing a partition. For example, sdc is my external hard drive and sdc1 is the first and only partition on it. Right click on your external hard drive's partition and click Mount. (Image 2) Jot down this device id as your destination (ex: sdc1). By default CAINE mounts any hard drive read-only, so you need to change this setting for the destination drive so that you can save your image to it. Change it only for the destination: the drive you are going to image should stay unmounted, or mounted read-only, so nothing on it is altered. In the same window you will see a field labeled Options; click in the text box next to it and go to the end of the text. You will see umask=000,ro. Delete the ,ro (Image 3) (ro stands for read-only). You can now click the Mount button just below the text box.
Your external hard drive should now be mounted and ready to receive the image file. Before moving on to the next step, identify the hard drive you would like to image. This is easier to do in Mount Manager since you can see the size information. Once you have identified the drive, jot down its device id (ex: sda) as your source. Note that this is the whole device rather than one of its partitions, so the image will include the partition table and any unallocated space as well as every partition.
You can now close the Mount Manager window.
To create the image you will use AIR (Automated Image and Restore), a GUI for dc3dd. To open AIR click MENU, Forensic Tools, AIR 2.0.0. You will be prompted for the password, which is caine. It will then ask you about the previous log file; click OK. In the bottom of the window you will see a list of icons representing storage devices. (Image 1) Click the id of the device that you would like to copy (your source, ex: sda). In the window that opens, click Set as Source. Now click the "folder" button next to Destination device/file. (Image 2) In the window that opens click the "up folder" button twice. You should now see a list of folders: bin, boot, cdrom. Double click on the folder called media, and you will see a list of storage devices. Double click on the folder that has the same id as your destination (the id you jotted down earlier, ex: sdc1). You should now see any files or folders that are on your external hard drive. Type in a name for the file and give it the extension .raw (ex: image.raw), then click Save.
This tutorial assumes that your time to create this image is limited. If it is not, you can ignore this next time-saving step. AIR can automatically verify the data that it copies, and it can also compress the data, but both take extra time. Here is how to turn off data verification and compression:
Under Compression make sure None is selected. Under Hash 1 and Hash 2 select None. Under Verify select No. Keep in mind that without a hash you have no way to prove later that the image still matches the original drive; if you can spare the time, leave at least Hash 1 set to a hash and record the value it reports when the image finishes.
Check your settings to make sure that they are correct, they should look something like they do in this image (Image 3).
Click Start. It will now start imaging the drive. To see the status, click Show Status Window.
While you are waiting, click the MENU button, then click Places, then select your external hard drive. Make sure that the image file has been created and is growing. If you did not mount the drive as read/write (i.e., it stayed read-only), CAINE will not warn you; it simply will not write the data, even though AIR will show progress.
It will take a few hours to image the drive. If it seems to be taking too long, you can stop the process and change the block sizes. A larger block size uses more memory for the copy buffer but copies faster. Just be sure to keep the input and output block sizes synchronized (set to the same value).
Once it's finished, click MENU, Shut Down, Shutdown.
Remember to remove the CD!
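The same procedure as a command-line script, added here as an example; it is not part of the original tutorial or of the CAINE and AIR projects. It covers the imaging step and the hash verification the tutorial switches off to save time: copy the source device to a file on the mounted destination with a chosen block size, then hash both sides and compare. The device paths /dev/sda and /media/sdc1/image.raw in the comments are placeholders matching the ids used above; so that the script runs without a real drive, make_sample_source() builds a constructed 4 MiB file that stands in for the source. The dc3dd command in the comment uses dc3dd's if=, of=, hash= and log= options.

```shell
#!/bin/sh
# Added example: image a drive with dd and verify the copy by hash.
# Not from the original tutorial; paths below are placeholders.
set -u

# Build a constructed stand-in for the source drive (4 MiB of random bytes)
# so the example can run without touching a real device.
make_sample_source() {
    head -c 4194304 /dev/urandom > "$1"
}

# Hash a file with SHA-256 and print only the hex digest.
# Falls back to shasum on systems without sha256sum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Copy SRC to DST in blocks of BS bytes; dd's statistics and any read
# errors go to DST.log. conv=noerror,sync keeps going past unreadable
# sectors and zero-fills them so offsets in the image still line up with
# the original. A single bs= value sets both input and output block size,
# which is what "keep the block sizes synchronized" means. Caveat: if the
# drive size is not a multiple of bs, conv=sync pads the final short block,
# so choose a bs that divides the drive size (512 always does).
# The dc3dd equivalent, with built-in hashing and a log, would be:
#   dc3dd if=/dev/sda of=/media/sdc1/image.raw hash=sha256 log=/media/sdc1/image.log
image_drive() {
    src="$1"; dst="$2"; bs="${3:-65536}"
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>"$dst.log"
}

# Compare the hash of the source with the hash of the image.
# Returns 0 on match, 1 on mismatch: this is the check that proves the
# image is a faithful copy, and it is what Hash/Verify do in AIR.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    if [ "$src_hash" = "$img_hash" ]; then
        echo "verified sha256 $src_hash"
        return 0
    fi
    echo "MISMATCH: source $src_hash image $img_hash" >&2
    return 1
}

# Image SRC to DST and verify. Refuses to report success if dd itself
# failed, for example because the destination is still mounted read-only,
# a condition AIR does not warn about.
image_and_verify() {
    image_drive "$1" "$2" "${3:-65536}" || { echo "dd failed writing $2" >&2; return 2; }
    verify_image "$1" "$2"
}

# Stand-alone demo on the constructed sample: sh image.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_sample_source "$work/sample-drive.img"
    image_and_verify "$work/sample-drive.img" "$work/image.raw" 65536
    cat "$work/image.raw.log"
    rm -rf "$work"
fi
```

On a real drive the hash of the source device is taken from the device node itself (hash_file /dev/sda), which reads it a second time; dc3dd avoids that extra pass by hashing the data as it streams through, which is why it is the better tool when the clock matters.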