Forensic Imaging through Encase Imager

Scenario: Mr. X is suspected of selling his company’s confidential data to competitors, but without evidence no action can be taken against him. To establish the facts and prove Mr. X guilty, the company has requested forensic services, and it has come to know that all the relevant data is present on the desktop provided to him.

This article is about getting the forensic image of the digital evidence and restoring it to any other drive.

Since it is never advised to work with the original evidence, because we may accidentally lose or alter relevant data, we will create an image of the original evidence and work on that instead. This way the original evidence is safe, and the integrity and authenticity of the evidence can be proved through hash values.

This article is also very helpful if we need to back up the data safely.

To image the desktop we will use Encase Imager. First, download Encase Imager from here.

Open Encase Imager and select the Add local device option.

From the menu select all the options, uncheck “only show write blocked” as shown in the image, and click Next.

We can see all the physical drives, logical partitions, CD-ROM, RAM and processes running on the system. We need to select what we want to image as our evidence. Ideally, it is good practice to select the physical drive that contains the logical partitions, as the physical drive gives us the complete disk image. In certain cases we may select only a logical drive or RAM, as required.

Select (check) the evidence item(s) you want to image and click on Finish.

The evidence you have selected will be listed; if more than one evidence item was selected, multiple items would be listed here.

Double-click on the evidence to see its contents; if we wish, we can exclude any part, file or folder from being imaged at this stage.

Click on Acquire to proceed to imaging. Now we need to enter the case-related information, i.e. case number, output path, and the file format in which we want to generate the image.

The file format selected here is E01, as it is supported by multiple tools and is suitable for further analysis.

If we want to password protect/encrypt our image we can do this at this stage.

Note: It is ideal to store the image on another external storage drive so that storage space is not a constraint, but for the sake of this demonstration we are saving the image on the desktop at the following path: “C:\Users\…..\Desktop\Evidence Image\1.E01”.

Click OK and image acquisition will start; you can check the status of the acquisition in the lower right corner of the same window, along with the time remaining (refer to the image below).

Once the acquisition is complete the image will be saved to the output folder (refer to the image below).

To prove the authenticity of the evidence we can generate the hash value of the evidence.

To generate the hash value of the image, click on the evidence and select Hash as shown in the image below.

Once the hashing process is complete, click on the Report section in the lower pane.

Right-click and select Copy to copy the report, then paste it into a Word or text document.

Save the report along with the image (E01) files. This report contains all the relevant details, along with the detailed hash values.

The evidence acquisition is complete.

Restoring the Evidence Image

We are done with imaging the disk/evidence. Now we will restore this acquired image to a drive. To start, open Encase Imager and add the evidence to it.

Browse to the image (.E01) file and add it to the case. The evidence added will be listed.

Double-click on the image, select the files to be restored and select the Restore option located under the Device menu.

When we click on Restore, connect the drive to which we want to restore the image and click Next.

All the drives will be read.

All the drives will be displayed; select the drive to which the image is to be restored. Use a blank drive for restoring the image, as its existing data will be wiped.

If required we can verify the hash values, then click on Finish.

Type “Yes” in the text box and click on OK; this will wipe the existing data on the drive and start the image restoration.

Image restoration will start; we can check the progress in the lower right corner of the window.

Once the restoration is complete, we can see the data on the drive we selected.

To ensure the integrity of the data, we can look at the Report section in the bottom pane and check the hash values. The hash values should be the same as those of the image (the original hash value can be checked in the image report).

If required we can copy and save the report in a text or Word file for future reference.

Author: Ankit Gupta, the author and co-founder of this website, an ethical hacker, forensics investigator, penetration testing researcher and telecom expert. He has found his deepest passion to be around the world of telecom, cyber security and digital forensics. Contact Here

Memory Forensics Investigation using Volatility (Part 1)

Our focus today is on the Volatility framework, and on its capability of analyzing process activity.

The Volatility framework is an open source tool used to analyze volatile memory for a host of things. It comes with various plugins that investigators can use to get an idea of what was going on in the machine when it was in use. Volatile memory is the primary storage of most computers; by primary storage I’m referring to the RAM.

If a live acquisition is done for a piece of evidence, an image of the volatile memory can hold various clues that can help an investigation, for instance passwords, services, network activity, processes, etc. All of these can be acquired from live memory.

In another instance, after an incident, Volatility can be used to uncover the cause. It has plugins that let you sift through the primary storage and pinpoint suspicious processes that might have been running at the time of the incident or might have led up to it.

The framework is available for both Windows and Linux. For this demonstration we will be using Volatility on Kali Linux, where it comes pre-installed and can be found under the Forensics menu.

We have used DumpIt to create the .raw file from 2 GB of RAM on a machine running Windows 10.

All you need to do is download the program, run it and press “y”, and it does the rest.

Navigate to the path given in front of Destination, as shown in the image above, and you will find the .raw file that contains the information copied from the RAM; this can now be subjected to the Volatility framework.

For ease of use, create a folder by the name of “volatility” on the Kali desktop and place the .raw file we created in it. Right-click anywhere in the folder and choose Open in Terminal.

Let’s fire up Volatility in Kali: navigate to the Forensics menu or, in the terminal, type volatility -h.

This command will show you the host of plugins available in Volatility along with their usage pattern. We will be using a different .raw file here, acquired earlier, so don’t be thrown off by the change in file name.

As an investigator, one works under the assumption that this is a file we have no prior knowledge about, so we must start from scratch.

The first thing to ascertain is the profile, that is, the operating system that this image was most probably derived from.

Type “volatility -f <name of file>.raw imageinfo”. A breakdown of the command for further reference:

-f declares the target file.

imageinfo is used to get the basic details about the file, including the profile. The plugin uses the kernel debugger data block (KDBG) to guess the profile.

In the image above, Volatility tells us that this image file most probably belongs to the Win10x64_10586 profile. The guessing is based on another plugin, kdbgscan, which analyses data structures in the NT kernel module; these contain numeric values that denote the major and minor build numbers and the service-pack level.

To illustrate, let’s run kdbgscan.

Type “volatility -f <name of file>.raw kdbgscan”.

The result for the profile that we will be using is shown below.

The data given below tells us that the file belongs to a 64-bit version of Windows 10 with no service pack installed, and that it has a total of 177 loaded modules and 82 active processes.

Volatility gives us the option to manually override the profile (--profile) while using plugins, as the automatic OS detection can be misled by accidental or intentional tampering with the kernel by malware; this gives us a higher rate of accuracy in the operations we perform. We will be using this override throughout, combined with the plugins.

pslist

The machine might have been running certain processes; the plugin we will use to find them is pslist.

Type “volatility -f <name of file>.raw --profile Win10x64_10586 pslist”.

The scan shows us the following results. We can see OneDrive and Skype were running on the machine, so we can infer that it is most probably a client or workstation rather than a server. All the system processes are running in sessions 0 and 1, which suggests that only one user was logged on.

psscan

The psscan plugin scans for _EPROCESS objects; it can be used to find hidden and terminated processes.
Type the following: “volatility -f <name of file>.raw --profile Win10x64_10586 psscan”.

The scan shows us that one of the processes, TabTip.exe, started and stopped within a second. It is a process used by Windows touch screen devices for the touch keyboard and handwriting, so we can infer that the device did not have touch screen capabilities. Not the most potent of discoveries, but it helps build a profile for further investigation.

psxview

The last plugin we will be utilizing is psxview. This plugin is useful for uncovering malicious processes; it does so by locating processes through several alternative listings. The lists can then be cross-referenced with each other to pinpoint discrepancies.
Type the following: “volatility -f <name of file>.raw --profile Win10x64_10586 psxview”.

psxview enumerates every process by process object scanning, thread scanning, the CSRSS handle table, the PspCid table, session processes, desktop threads, and the active process linked list. That’s 7 ways of enumeration.
This plugin is very useful and efficient at finding rootkits. One of the ideas it relies on is that successfully weaponizing a process that is not hidden is far more practical and efficient than hiding a process in 7 different ways, so a process that is missing from some listings but present in others stands out.
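As an added example (not part of Volatility or of the author’s post), the following Python parses a constructed psxview-style table and applies the cross-reference described above; the “expected gaps” rule for System, smss.exe and csrss.exe is an assumption, a simplified version of what the plugin’s --apply-rules option does.

```python
"""Cross-reference the seven process listings that psxview prints.

Added example for this article, not part of Volatility. SAMPLE_PSXVIEW is a
CONSTRUCTED psxview-style table (hypothetical offsets, names and PIDs) in the
plugin's column layout; EXPECTED_GAPS is an assumed, simplified version of the
plugin's --apply-rules behaviour.
"""

SOURCES = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# System and smss.exe start before csrss.exe and have no session or desktop, and
# csrss.exe holds no handle to itself, so these gaps are normal (assumed rule).
EXPECTED_GAPS = {
    "system": {"csrss", "session", "deskthrd"},
    "smss.exe": {"csrss", "session", "deskthrd"},
    "csrss.exe": {"csrss"},
}

SAMPLE_PSXVIEW = """\
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000007d9e8040 System                    4 True   True   True     True   False False   False
0x000000007e11b5c0 smss.exe                264 True   True   True     True   False False   False
0x000000007e3a1080 csrss.exe               348 True   True   True     True   False True    True
0x000000007e5f2b40 explorer.exe           1932 True   True   True     True   True  True    True
0x000000007e90a900 OneDrive.exe           3420 True   True   True     True   True  True    True
0x000000007ea77b80 TabTip.exe             4108 False  True   False    False  False False   False    2019-03-01 10:15:22 UTC+0000
0x000000007ec41d40 svchost.exe            2816 False  True   True     True   True  True    True
"""


def parse_psxview(text):
    """Turn psxview's table into dicts: name, pid, per-source visibility, exit time."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].startswith("0x"):
            continue                                   # header and separator lines
        seen = {src: parts[3 + i] == "True" for i, src in enumerate(SOURCES)}
        exit_time = " ".join(parts[10:]) or None       # trailing ExitTime column, if any
        rows.append({"offset": parts[0], "name": parts[1], "pid": int(parts[2]),
                     "seen": seen, "exit": exit_time})
    return rows


def find_discrepancies(rows):
    """Return (name, pid, verdict) for every process not visible in all seven
    sources, after discounting the gaps that are expected for that process.
    A live process missing from pslist but found by psscan is the classic sign
    of a process unlinked from the active-process list (DKOM rootkit)."""
    findings = []
    for r in rows:
        missing = {s for s, ok in r["seen"].items() if not ok}
        missing -= EXPECTED_GAPS.get(r["name"].lower(), set())
        if not missing:
            continue
        if r["exit"]:
            verdict = f"terminated at {r['exit']} (psscan only: normal for an exited process)"
        elif not r["seen"]["pslist"] and r["seen"]["psscan"]:
            verdict = "HIDDEN from active process list, missing: " + ", ".join(sorted(missing))
        else:
            verdict = "partially visible, missing: " + ", ".join(sorted(missing))
        findings.append((r["name"], r["pid"], verdict))
    return findings


if __name__ == "__main__":
    for name, pid, verdict in find_discrepancies(parse_psxview(SAMPLE_PSXVIEW)):
        print(f"{name:<14} {pid:>6}  {verdict}")
```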

pstree

The pstree plugin is used to see the parent-child relationships between processes; it takes the output of pslist and depicts it in a tree view.

Type “volatility -f <name of file>.raw --profile Win10x64_10586 pstree”.

The pstree scan shows the process tree along with the process ID (PID), parent PID (PPID), thread count and start time of each process.

Volatility is a very robust framework; it gives us the ability to further apply various filters to our scan results and generate reports. To make it more comprehensive in its usage and approach, its capabilities have been designed based on reverse engineering. It has capabilities far surpassing even those of Microsoft’s own kernel debugger.
The tool provides a wealth of insights into the working of a machine, helping the investigator make accurate and coherent profiles; every bit of information gets the forensic process one step closer to uncovering the truth.

About The Author
Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

Forensic Investigation of Nmap Scan using Wireshark

Today we are discussing how to read the hexadecimal bytes of an IP packet, which helps a network admin identify various types of Nmap scanning. Before moving ahead, please read both of our previous articles, “Network packet forensic” and “NMAP scanning with Wireshark”; they will help you understand this article better.

Requirement

Attacking Tool: Nmap

Analysis Tool: Wireshark

We are going to decode the hexadecimal bytes shown by Wireshark using the table given below. As we know, Wireshark captures network packets mainly across 4 layers, which are described in the table below as per the OSI model and the TCP/IP model.

Nmap ARP Scanning

Let’s start!!

Hopefully the reader is aware of basic Nmap scanning techniques; if not, read about them here. Now open the terminal and execute the command given below, known as a “HOST SCAN”, to identify live hosts in the network.

Nmap uses the -sP/-sn flag for host scans and broadcasts an ARP request packet to identify which IP is allocated to a particular host machine. In the image below you can observe the “1 host up” message.

Working of ARP Scan for Live Host

  1. Send ARP request for MAC address
  2. Receive MAC address through ARP Reply packet

Step to Identify Nmap ARP Scan

  • Collect Ethernet Header details

Here we used Wireshark to capture the network packets coming from the victim’s network, and in order to analyse only ARP packets we applied the filter “ip.addr == VICTIM IP || arp” as shown in the image below. Here you will find 2 ARP packets: the 1st ARP packet is a broadcast asking for the MAC address of an IP on that network, and the 2nd packet is a unicast reply containing the answer to the IP query.

Now let’s read the hex values of the Ethernet header to identify the source and destination MAC addresses. Along with that we can also read the bytes that identify the encapsulated packet, to find out which EtherType is being used.

Hence from the Ethernet header we can conclude that this is an ARP broadcast packet asking for the destination MAC address. There is no uncertainty about the source MAC address, which identifies the sender of the packet, but the destination MAC address is ff:ff:ff:ff:ff:ff, the broadcast address, which means the exact destination machine is not known at this point. Moving ahead, we find EtherType 0x0806, highlighted in yellow, which is used for the ARP protocol.

Collect ARP Header (Request/Reply)

In order to identify an ARP scan, you need to investigate some important parameters which can help a network admin make a correct assessment of an ARP scan.

Try to collect the following details as given below:

  • Opcode (Request/Reply)
  • Source Mac
  • Source IP
  • Destination MAC
  • Destination IP

Now with the help of the following table, you can read the hex values highlighted in the images above and below for the ARP request and reply packets respectively.

Nmap ICMP Scanning

Now execute the command given below, known as a “HOST SCAN”, to identify live hosts in a network by sending a ping request with the help of ICMP packets.

The above command sends an ICMP request packet instead of an ARP request to identify live hosts in the network.

Working of NMAP ICMP Ping when a host is live:

  1. Send ICMP echo request packet.
  2. Receive ICMP echo reply.
  3. Send TCP SYN packet on any TCP port (this port must be one rarely blocked by the network admin).
  4. Receive TCP RST-ACK from the target’s network.

As a result, NMAP gives a “HOST UP” message, as shown in the image below.

Step to Identify NMAP ICMP Scan

  • Collect IP Header Details for Protocol version

For reading the Ethernet header, see our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Since we know ICMP is a Layer 3 protocol according to the OSI model, we need to focus on the following details in the IP header of a packet for ICMP forensics.

Try to collect the following details as given below:

  1. IP header length 20 bytes (IHL field value 5, in 4-byte words: 5*4 = 20 bytes)
  2. Protocol (01 for ICMP)
  3. Source IP
  4. Destination IP

In the image below you can observe the hexadecimal information of the IP header fields, and using the given table you can decode these values to obtain their original meaning.

The IP header length field (IHL) is always given in 32-bit (4-byte) words; here its value is 5, which is also the minimum IP header length, so to get the length in bytes multiply 5 by 4, i.e. 5*4 bytes = 20 bytes.
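To make the byte positions walked through in the ARP section and in the IP header passage above concrete, here is an added Python decoder (not from the original article) that reads the Ethernet header, the ARP request fields, and the IPv4 header length and protocol from two constructed frames; the MAC and IP addresses in them are hypothetical.

```python
"""Decode the Ethernet, ARP and IPv4 header fields the article reads by hand.

Added example for this article, not from the original post, Wireshark or Nmap.
The two frames below are CONSTRUCTED sample bytes (hypothetical MAC and IP
addresses) laid out the way Wireshark shows them in its hex pane.
"""
import struct

ETHERTYPE_ARP = 0x0806    # value highlighted in the article's ARP frame
ETHERTYPE_IPV4 = 0x0800   # value noted for the ICMP/TCP/UDP frames
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
IP_PROTOCOLS = {0x01: "ICMP", 0x06: "TCP", 0x11: "UDP"}  # 01, 06, 11 in the article


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def parse_ethernet(frame):
    """First 14 bytes: destination MAC (6), source MAC (6), EtherType (2)."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac(dst), "src_mac": mac(src), "ethertype": etype,
            "is_broadcast": mac(dst) == BROADCAST_MAC, "payload": frame[14:]}


def parse_arp(payload):
    """ARP header: hw type, proto type, hw len, proto len, opcode (8 bytes),
    then sender MAC/IP and target MAC/IP (20 bytes for Ethernet/IPv4)."""
    _htype, _ptype, _hlen, _plen, opcode = struct.unpack("!HHBBH", payload[:8])
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"opcode": {1: "request", 2: "reply"}.get(opcode, f"unknown({opcode})"),
            "sender_mac": mac(smac), "sender_ip": ipv4(sip),
            "target_mac": mac(tmac), "target_ip": ipv4(tip)}


def parse_ipv4(payload):
    """IPv4 header: low nibble of byte 0 is the IHL field, counted in 4-byte
    words (5 -> 20 bytes); byte 9 is the protocol number; bytes 12-19 are the
    source and destination addresses."""
    ihl_words = payload[0] & 0x0F
    header_len = ihl_words * 4
    proto = payload[9]
    return {"ihl_words": ihl_words, "header_len": header_len,
            "protocol": IP_PROTOCOLS.get(proto, f"unknown({proto:#04x})"),
            "src_ip": ipv4(payload[12:16]), "dst_ip": ipv4(payload[16:20]),
            "payload": payload[header_len:]}


def decode_frame(frame):
    """Ethernet header plus whichever layer-2.5/3 header the EtherType announces."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] == ETHERTYPE_ARP:
        eth["arp"] = parse_arp(eth["payload"])
    elif eth["ethertype"] == ETHERTYPE_IPV4:
        eth["ip"] = parse_ipv4(eth["payload"])
    del eth["payload"]
    return eth


# Constructed frame 1: ARP request broadcast, "who has 192.168.1.20? tell 192.168.1.10"
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff" "0a1b2c3d4e5f" "0806"      # Ethernet: broadcast dst, src MAC, EtherType ARP
    "0001" "0800" "06" "04" "0001"            # ARP: Ethernet, IPv4, lengths 6/4, opcode 1
    "0a1b2c3d4e5f" "c0a8010a"                 # sender MAC / sender IP
    "000000000000" "c0a80114"                 # target MAC (unknown) / target IP
)

# Constructed frame 2: IPv4 header (IHL=5, protocol 0x01) carrying an ICMP echo request
ICMP_FRAME = bytes.fromhex(
    "1122334455aa" "0a1b2c3d4e5f" "0800"      # Ethernet: unicast dst, src MAC, EtherType IPv4
    "4500001c" "00010000" "4001" "0000"       # ver/IHL, TOS, length, id, flags, TTL, proto, csum
    "c0a8010a" "c0a80114"                     # source / destination IP
    "0800f7ff00000000"                        # ICMP type 8 code 0 (echo request)
)

if __name__ == "__main__":
    for frame in (ARP_REQUEST, ICMP_FRAME):
        print(decode_frame(frame))
```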

Identify ICMP Message Type (Request/Reply)

As we discussed above, according to the Nmap ICMP scanning technique the 1st packet should be an ICMP echo request packet and the 2nd packet should be an ICMP echo reply packet.

Now with the help of the following table, you can read the hex values highlighted in the images above and below for the ICMP request and reply packets respectively.

Identify TCP Flags

As discussed above, after the ICMP reply the 3rd packet should be a TCP-SYN packet and the 4th a TCP-RST/ACK. We saw in our previous article that the hex values of the TCP flags are all different from each other, so for the TCP-SYN flag the hex value should be 0x02.

From the table below you can observe the sequence of TCP flags and how the bits of these flags are set when sending a packet to the destination port.

For example, if you find a TCP SYN packet, the bit for the SYN flag is set to 1, so the binary value will be 000000010 and its hexadecimal value 0x02.

NS CWR ECE URG ACK PSH RST SYN FIN
0 0 0 0 0 0 0 1 0

Sometimes you will get a combination of two or more flags in the TCP header; in that scenario take the help of the following table to read the hex value of such a packet and identify which TCP flag bits are set to 1.

For example, if you find a TCP SYN/ACK packet, this indicates that the SYN and ACK flags are set to 1, for which the binary value will be 000010010 and its hexadecimal value 0x12.

NS CWR ECE URG ACK PSH RST SYN FIN
0 0 0 0 1 0 0 1 0

Therefore I have designed the table below to show the hex values when two or more flags are set to 1.
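The flag tables above can be generated rather than copied. Here is an added Python helper (not the author’s code) that converts between flag names, the nine-column 0/1 row in the table’s order and the hex value Wireshark shows, and builds the multi-flag combination table referred to above.

```python
"""Work out the TCP flags byte that the article reads from Wireshark's hex pane.

Added example for this article, not the author's code. The flag order is the
article's table: NS CWR ECE URG ACK PSH RST SYN FIN. NS is the 9th bit and
lives in the low bit of the preceding header byte, which is why the table rows
have nine columns but the usual hex values (0x02, 0x12, ...) fit in one byte.
"""
from itertools import combinations

FLAG_ORDER = ["NS", "CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]
# Bit value of each flag, most significant first, matching the table's columns.
TCP_FLAG_BITS = {name: 1 << (8 - i) for i, name in enumerate(FLAG_ORDER)}


def flags_to_value(flags):
    """OR together the bits of the named flags: ('SYN', 'ACK') -> 0x12.
    Raises KeyError for a name that is not a TCP flag."""
    value = 0
    for name in flags:
        value |= TCP_FLAG_BITS[name.upper()]
    return value


def value_to_flags(value):
    """Reverse direction: 0x29 -> ['URG', 'PSH', 'FIN'] in table column order."""
    return [f for f in FLAG_ORDER if value & TCP_FLAG_BITS[f]]


def binary_row(value):
    """Nine-column 0/1 row exactly as the article's tables print it:
    0x02 -> '000000010', 0x12 -> '000010010'."""
    return "".join("1" if value & TCP_FLAG_BITS[f] else "0" for f in FLAG_ORDER)


def flags_table(low_flags=("ACK", "PSH", "RST", "SYN", "FIN")):
    """Build the combination table the author describes: every combination of two
    or more of the given flags with its hex value and bit row. Returns a list of
    (hex string, 'FLAG+FLAG' label, nine-column bit row)."""
    rows = []
    for n in range(2, len(low_flags) + 1):
        for combo in combinations(low_flags, n):
            v = flags_to_value(combo)
            rows.append((f"0x{v:02x}", "+".join(combo), binary_row(v)))
    return rows


if __name__ == "__main__":
    print(" ".join(FLAG_ORDER))
    for v in (0x02, 0x12, 0x10, 0x14, 0x01, 0x00, 0x29, 0x04):
        print(f"0x{v:02x}  {binary_row(v)}  {'/'.join(value_to_flags(v)) or 'none'}")
    for hexval, label, bits in flags_table():
        print(hexval, bits, label)
```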


The image given above contains the hex value of the TCP-SYN packet and the image given below contains the hex value of the TCP-RST/ACK packet, from which we can calculate the source port and the destination port of each packet, like the one given below.


Conclusion! As stated above regarding the working of the NMAP ICMP scan, we obtained the hex values for every packet in the same sequence. Obtaining the hex values of the packets in this sequence indicates to the penetration tester that someone has chosen an NMAP ICMP scan for network enumeration.

Default NMAP Scan (Stealth Scan)

Here we are going with the default scan method to enumerate the “open” state of a specific port.

Working of Default Scan for open port:

  1. Send TCP-SYN packet
  2. Receive TCP-SYN/ACK
  3. Send TCP-RST packet

It is also known as a half-open TCP scan, as it does not send an ACK packet after receiving the SYN/ACK packet.

Step to Identify NMAP Default Scan (Stealth Scan)

  • Collect IP Header Details for Protocol Version

For reading the Ethernet header, see our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800.

Try to collect the following details as given below:

  1. IP header length 20 bytes (IHL field value 5, in 4-byte words: 5*4 = 20 bytes)
  2. Protocol (6 for TCP)
  3. Source IP
  4. Destination IP

In the image below you can observe the hexadecimal information of the IP header fields, and using the given table you can decode these values to obtain their original meaning.

Analysis of TCP Header Details

Since from the above image we obtained the source and destination IP and the protocol used for communication, i.e. TCP, we now need to identify the source and destination port and the TCP flag used for establishing the connection between the two systems.

In the image we have highlighted the source port in light brown and the destination port in yellow; you can use the table given below to read the hex values in the image.


So we come to know that here a TCP-SYN packet is used to send a connection request to port 80.

Reading the next packet, we find hex value 12, which indicates that a TCP-SYN/ACK has been sent from port 80.

Take the help of the table given above to read the hex values in the image. Hex value 12 for the TCP flags stands for SYN + ACK as explained above; we get 0x12 by adding the hex value 0x02 of SYN and 0x10 of ACK.

In the image given below, we come to know that a TCP-RST packet is used to send a connection reset to port 80.


Conclusion! As declared above regarding the working of the NMAP default scan, or NMAP stealth scan, we obtained the hex values for every packet in the same sequence. Obtaining the hex values of the packets in this sequence indicates to the penetration tester that someone has chosen an NMAP default scan for network enumeration.

Nmap TCP Scan

Here we are going with the TCP scan to enumerate the state of a specific port.

Working of TCP Scan for open port:

  1. Send TCP-SYN packet
  2. Receive TCP-SYN/ACK
  3. Send TCP-ACK packet
  4. Send TCP-RST/ACK packet

Step to Identify NMAP TCP Scan

  • Collect IP Header Details for Protocol Version

For reading the Ethernet header, see our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800.

Try to collect the following details as given below:

  1. IP header length 20 bytes (IHL field value 5, in 4-byte words: 5*4 = 20 bytes)
  2. Protocol (06 for TCP)
  3. Source IP
  4. Destination IP

It is quite similar to the NMAP stealth scan, and using the given table you can decode these values to obtain their original meaning.

  • Analysis of TCP Header Details

The NMAP TCP scan follows the 3-way handshake of a TCP connection to enumerate an open port. Identifying the source and destination port along with the flag hex value (TCP-SYN) is the same as above.

So we come to know that here a TCP-SYN packet is used to send a connection request to port 80.

Reading the next packet, we find hex value 12, which indicates that a TCP-SYN/ACK has been sent via port 80.


The only difference between the stealth scan and the TCP scan is that here a packet with the ACK flag is sent by the source machine that initiated the TCP communication. Reading the next packet, we find hex value 0x10, which indicates that a TCP-ACK has been sent via port 80.


Conclusion! As stated above regarding the working of the NMAP TCP scan, we obtained the hex values for every packet in the same sequence. Obtaining the hex values of the packets in this sequence indicates to the penetration tester that someone has chosen an NMAP TCP scan for network enumeration.

NOTE: For the TCP-RST/ACK packet the hex value will be “0x14”, sent by the attacker machine.

Nmap FIN Scan

Here we are going with the TCP-FIN scan to enumerate the “OPEN” state of a particular port on a Linux based system; therefore, execute the command given below.

Working of FIN Scan for open port: Send 2 packets of TCP-FIN on a specific port

FIN is one of the TCP flags, and NMAP uses the FIN flag to initiate TCP communication instead of following the three-way handshake.

Step to Identify NMAP FIN Scan

  • Collect IP Header Details for Protocol Version

For reading the Ethernet header, see our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect the following details as given below:

  1. IP header length 20 bytes (IHL field value 5, in 4-byte words: 5*4 = 20 bytes)
  2. Protocol (06 for TCP)
  3. Source IP
  4. Destination IP

It is quite similar to the NMAP scans above, and using the table given below you can decode these values to obtain their original meaning.

  • Analysis of TCP Header Details

Now let’s identify the source and destination port along with the flag hex value (TCP-FIN); this is similar to above.

So through the image given below and with the help of the table, we came to know that here a TCP-FIN packet is used to send a connection request to port 22.

Conclusion: As declared above regarding the working of the NMAP FIN scan, we obtained the hex values for every packet in the same sequence.

Obtaining the hex values of the packets in this sequence indicates to the penetration tester that someone has chosen an NMAP FIN scan for network enumeration.

NOTE: If you find a 1st FIN packet (0x01) and a 2nd RST packet (0x04), this indicates a “Closed Port” on the targeted network.

Nmap NULL Scan

Here we are going with the TCP NULL scan to enumerate the “OPEN” state of a specific port on a Linux based system.

Working of NULL Scan for open port: Send 2 packets of TCP-NONE on a specific port

Here NMAP uses the NONE flag (no flags), with the bit of each flag set to “0”, to initiate TCP communication instead of following the three-way handshake.

Step to Identify NMAP Null Scan

  • Collect IP Header Details for Protocol Version

For reading the Ethernet header, see our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect the following details as given below:

  1. IP header length 20 bytes (IHL field value 5, in 4-byte words: 5*4 = 20 bytes)
  2. Protocol (06 for TCP)
  3. Source IP
  4. Destination IP

It is quite similar to the NMAP scans above, and using the given table you can decode these values to obtain their original meaning.

  • Analysis of TCP Header Details

Now let’s identify the source and destination port along with the flag hex value (TCP-NONE); this is similar to above.

So through the image given below and with the help of the table, we come to know that here a TCP-NONE packet is used to send a connection request to port 22.

Conclusion: As stated above regarding the working of the NMAP NONE scan, we obtained the hex values for every packet in the same sequence.

Obtaining the hex values of the packets in this sequence indicates to the penetration tester that someone has chosen an NMAP NONE scan for network enumeration.

NOTE: If you find a 1st NONE packet (0x00) and a 2nd RST packet (0x04), this indicates a “Closed Port” on the target network.

Nmap XMAS Scan

Here we are going with the XMAS scan to enumerate the “OPEN” state of a specific port on a Linux based system.

Working of XMAS Scan for open port: Send 2 packets with the TCP flags FIN, PSH and URG set, on the specific port.

Here NMAP uses 3 TCP flags (FIN, PSH and URG), with the bit of each set to “1”, to initiate TCP communication instead of following the three-way handshake.

Step to Identify NMAP XMAS Scan

  • Collect IP Header Details for Protocol Version

For reading the Ethernet header, see our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect the following details as given below:

  1. IP header length 20 bytes (IHL field value 5, in 4-byte words: 5*4 = 20 bytes)
  2. Protocol (06 for TCP)
  3. Source IP
  4. Destination IP

It is quite similar to the NMAP scans above, and using the given table you can decode these values to obtain their original meaning.

  • Analysis of TCP Header Details

Now let’s identify the source and destination port along with the flag hex value (TCP-XMAS); this is similar to above.

So through the image given below and with the help of the table, we come to know that here a packet with the TCP flags {FIN, PSH, URG} is used to send a connection request to port 22.

Conclusion! As stated above regarding the working of the NMAP XMAS scan, we obtained the hex values for every packet in the same sequence.

Obtaining the hex values of the packets in this sequence indicates to the penetration tester that someone has chosen an NMAP XMAS scan for network enumeration.

NOTE:

  • If you find a 1st {FIN, PSH, URG} packet (0x29) and a 2nd RST packet (0x04), this indicates a “Closed Port” on the targeted network.
  • NMAP FIN, NMAP NULL and NMAP XMAS scans are only applicable to Linux based systems.

Nmap UDP Scan

Here we are going with the UDP scan to enumerate the state of a specific port on a Linux based system.

Working of UDP Scan for open port: Send 2 packets of UDP on a specific port

It is quite different from the TCP communication process, because here no flag is used to establish a connection or initiate a connection request with the target’s network.

Step to Identify NMAP UDP Scan

  • Collect IP Header Details for Protocol Version

For reading the Ethernet header, see our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect the following details as given below:

  1. IP header length 20 bytes (IHL field value 5, in 4-byte words: 5*4 = 20 bytes)
  2. Protocol (11 for UDP)
  3. Source IP
  4. Destination IP

It is quite similar to the NMAP scans above, as the “IP header” and “Ethernet header” information will be the same whether it is TCP communication or UDP communication, and using the given table you can decode these values to obtain their original meaning.

Basically, 11 is the hex value used for the UDP protocol, which is quite useful for distinguishing an NMAP UDP scan from the remaining scanning methods.

  • Analysis of UDP Header Details

Now let’s identify the source and destination port, as done above in the TCP scans.

Conclusion! Obtaining the hex values of the packets in this sequence indicates to the penetration tester that someone has chosen an NMAP UDP scan for network enumeration.

NOTE: If you find a 1st UDP packet and a 2nd packet that is an ICMP “Port unreachable” message, this indicates a “Closed Port” on the target network.
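Putting together the packet sequences from the ICMP, stealth, TCP, FIN, NULL, XMAS and UDP sections above, here is an added Python classifier (not the author’s code, Nmap’s or Wireshark’s) that groups a constructed capture into flows and names the scan and port state each flow’s sequence matches; the hosts, ports and capture are hypothetical, and a real capture would also contain retransmissions that this simple exact-sequence matcher does not tolerate.

```python
"""Classify the packet sequences this article attributes to each Nmap scan type.

Added example for this article, not the author's code and not Nmap's or
Wireshark's. Packets are CONSTRUCTED tuples in capture order with hypothetical
hosts and ports. TCP 'flags' are the article's hex values (0x02 SYN, 0x12
SYN/ACK, 0x04 RST, 0x14 RST/ACK, 0x10 ACK, 0x01 FIN, 0x00 NULL, 0x29 XMAS);
ICMP packets carry (type, code) in the same field; UDP packets carry None.
"""
from collections import defaultdict, namedtuple

Pkt = namedtuple("Pkt", "src dst proto sport dport flags")

# A flow's signature is the tuple of (direction, proto, flags) per packet,
# where '>' is scanner -> target and '<' is target -> scanner.
PATTERNS = {
    ((">", "TCP", 0x02), ("<", "TCP", 0x12), (">", "TCP", 0x04)):
        "SYN (stealth) scan, port open",
    ((">", "TCP", 0x02), ("<", "TCP", 0x12), (">", "TCP", 0x10), (">", "TCP", 0x14)):
        "TCP connect scan, port open",
    ((">", "TCP", 0x02), ("<", "TCP", 0x14)):
        "SYN probe answered with RST/ACK: port closed (also the TCP ping of the ICMP host scan)",
    ((">", "TCP", 0x01), (">", "TCP", 0x01)): "FIN scan, no reply: port open (open|filtered in Nmap's terms)",
    ((">", "TCP", 0x01), ("<", "TCP", 0x04)): "FIN scan, RST reply: port closed",
    ((">", "TCP", 0x00), (">", "TCP", 0x00)): "NULL scan, no reply: port open (open|filtered in Nmap's terms)",
    ((">", "TCP", 0x00), ("<", "TCP",  0x04)): "NULL scan, RST reply: port closed",
    ((">", "TCP", 0x29), (">", "TCP", 0x29)): "XMAS scan, no reply: port open (open|filtered in Nmap's terms)",
    ((">", "TCP", 0x29), ("<", "TCP", 0x04)): "XMAS scan, RST reply: port closed",
    ((">", "UDP", None), (">", "UDP", None)): "UDP scan, no reply: port open (open|filtered in Nmap's terms)",
    ((">", "UDP", None), ("<", "ICMP", (3, 3))): "UDP scan, ICMP port unreachable: port closed",
    ((">", "ICMP", (8, 0)), ("<", "ICMP", (0, 0))): "ICMP echo host discovery: host up",
}


def group_flows(packets):
    """Group packets into (scanner, target, target_port) flows and tag each one
    with its direction. The first host seen sending between a pair of hosts is
    taken as the scanner. An ICMP destination-unreachable reply (type 3) has no
    ports of its own, so it is attached to the most recent flow between the same
    two hosts, i.e. the probe it answers."""
    scanner_of, last_flow, flows = {}, {}, defaultdict(list)
    for p in packets:
        pair = frozenset((p.src, p.dst))
        scanner = scanner_of.setdefault(pair, p.src)
        direction = ">" if p.src == scanner else "<"
        target = p.dst if direction == ">" else p.src
        if p.proto == "ICMP" and p.flags[0] == 3:
            key = last_flow.get(pair, (scanner, target, None))
        elif p.proto == "ICMP":
            key = (scanner, target, None)
        else:
            key = (scanner, target, p.dport if direction == ">" else p.sport)
        flows[key].append((direction, p.proto, p.flags))
        last_flow[pair] = key
    return flows


def classify(packets):
    """Return {flow_key: verdict} for every flow, naming the matched scan or
    reporting the unmatched signature so the analyst can inspect it by hand."""
    return {key: PATTERNS.get(tuple(sig), f"no matching Nmap signature: {sig}")
            for key, sig in group_flows(packets).items()}


# Constructed capture: 192.168.1.10 probes 192.168.1.20 with several scan types.
A, T = "192.168.1.10", "192.168.1.20"
SAMPLE_CAPTURE = [
    Pkt(A, T, "TCP", 40001, 80, 0x02), Pkt(T, A, "TCP", 80, 40001, 0x12), Pkt(A, T, "TCP", 40001, 80, 0x04),
    Pkt(A, T, "TCP", 40002, 443, 0x02), Pkt(T, A, "TCP", 443, 40002, 0x12),
    Pkt(A, T, "TCP", 40002, 443, 0x10), Pkt(A, T, "TCP", 40002, 443, 0x14),
    Pkt(A, T, "TCP", 40003, 22, 0x29), Pkt(A, T, "TCP", 40003, 22, 0x29),
    Pkt(A, T, "TCP", 40004, 23, 0x01), Pkt(T, A, "TCP", 23, 40004, 0x04),
    Pkt(A, T, "UDP", 40005, 53, None), Pkt(T, A, "ICMP", None, None, (3, 3)),
    Pkt(A, T, "ICMP", None, None, (8, 0)), Pkt(T, A, "ICMP", None, None, (0, 0)),
]

if __name__ == "__main__":
    for (scanner, target, port), verdict in classify(SAMPLE_CAPTURE).items():
        print(f"{scanner} -> {target}:{port if port is not None else '-':<5} {verdict}")
```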

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

Forensic Data Carving using Foremost

Foremost is a program used to carve data from disk image files; it is an extremely useful tool and very easy to use.

For the purpose of this article we have used an Ubuntu disk image file, and the process has been repeated twice. The purpose of doing so was to see if Foremost can carve data out of incomplete disk images as well. We have used Kali Linux, but if you want you can install Foremost on pretty much any Linux distro.

Here’s how it was done:

Navigate to the Applications menu in Kali; Forensics is option 11. The fifth option from the top in the Forensics menu is Foremost. Click on it and let’s get to carving some data!!

Foremost starts and shows you the options you have at your disposal.

In order to keep things simple, first navigate to the Desktop using “cd Desktop”.

Next, make a folder on the desktop by the name of “recov”. This isn’t a mandatory step; it just makes things easier to access by giving the carved data its own folder.

We will be dealing with the disk image of a flash drive partition, so let’s make one using the “dd” command. The dd command can be used to copy files, with the option of converting the data format in the process.

In the interest of thoroughness we have copied .docx, .jpeg, .png, .zip, .pdf and .avi files onto the partition from which we will be making our disk image.

Now let’s make a disk image.

In a new terminal window, type the following: “fdisk -l | grep /dev/”. This command will show you the disk partitions available to you without any clutter.

The partition we are concerned with is /dev/sdb2; it was specially allocated 10 MB of space so that the imaging process is quick.

The command to create the disk image is “dd if=/dev/sdb2 of=disk.img”. Here, “dd” is the utility we are using, “if=” denotes the input source and “of=” denotes the output destination and the name of the image file we are creating.

We have not specified any output directory, just the name of the image file, so the image file will be created in the home directory by default. Copy the disk image file from there and place it on the desktop.

Let’s navigate back to the terminal where we have Foremost running and start the file carving process.

This disk image file will be carved for the .jpeg, .png, .zip, .pdf and .avi file formats. We will not be instructing Foremost to carve the .docx, but since one exists inside the .zip we placed on the disk image, it will do so automatically.

Type the following: “foremost -t jpeg,png,zip,pdf,avi -i disk.img -o recov -v”.

To break this down, “-t” sets the file types we want to carve out of the disk image; here those are .jpeg, .png, .zip, .pdf and .avi.

“-i” specifies the input file, the “disk.img” that is placed on the desktop.

“-o” tells Foremost where we want the carved files to be stored; for that we have the “recov” folder on the desktop that we made earlier.

“-v” tells Foremost to log all the messages that appear on screen while the file is being carved into a text file in the output folder (recov), as an audit report.

That’s all it takes for Foremost to start digging into the disk image. The process looks like this.

Once Foremost is done carving the disk image, it shows you the result: that is, how many of each file type have been carved. All it took was a second to get the job done.
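Foremost finds files by their content signatures rather than by their names. The following added Python (written for this article, not Foremost’s code) shows that header/footer carving idea on a constructed in-memory image; the signature list, the sector-based file names and the audit file are assumptions modelled on the recov folder described here.

```python
"""Header/footer file carving of the kind Foremost performs.

Added example for this article: a simplified re-implementation of the
header/footer carving idea, not Foremost's code. It runs over a CONSTRUCTED
in-memory 'disk image', so it needs no dd image or real device; the embedded
files carry valid signatures but dummy payloads.
"""
import os
import tempfile

# extension -> (header, footer, maximum carve size) for three of the article's types
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 20 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
}


def carve(image, types=tuple(SIGNATURES)):
    """Find every header of each type and cut at the first matching footer within
    the size limit. Returns a list of (type, offset, data) sorted by offset.
    Like Foremost, this reads no file-system metadata, which is why the original
    file names are not recovered (the article's one complaint about the tool).
    Caveat: the first footer is not always the right one; a JPEG thumbnail
    embedded inside a JPEG ends with its own FF D9, for example."""
    found = []
    for ext in types:
        header, footer, max_len = SIGNATURES[ext]
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), min(len(image), pos + max_len))
            if end == -1:
                pos = image.find(header, pos + 1)      # header with no footer: skip it
                continue
            end += len(footer)
            found.append((ext, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda f: f[1])


def write_output(found, outdir):
    """Lay the results out like the article's recov folder: a subfolder per type,
    files named by their starting 512-byte sector, and an audit.txt summary."""
    lines = []
    for ext, offset, data in found:
        folder = os.path.join(outdir, ext)
        os.makedirs(folder, exist_ok=True)
        name = f"{offset // 512:08d}.{ext}"
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
        lines.append(f"{ext}\t{name}\t{len(data)} bytes\toffset {offset}")
    with open(os.path.join(outdir, "audit.txt"), "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines


def build_sample_image():
    """Constructed 'disk image': deterministic filler (bytes 0x00..0x7f cycling,
    which can never contain any of the signatures above) with three fake files."""
    def filler(n):
        return bytes(i % 0x80 for i in range(n))
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 300 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 200 + b"IEND\xae\x42\x60\x82"
    pdf = b"%PDF-1.4\n" + b"%" * 150 + b"\n%%EOF"
    return filler(1024) + jpg + filler(512) + png + filler(777) + pdf + filler(2048)


if __name__ == "__main__":
    recov = tempfile.mkdtemp(prefix="recov_")
    for line in write_output(carve(build_sample_image()), recov):
        print(line)
    print("carved files written under", recov)
```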

Now open the output (recov) folder and you will see an audit report and six folders named after the file types we asked Foremost to carve for us.

First, the audit report. It shows us the particulars of the scan: which file types were carved, from which image file, the size of the image file, where it was located, where the output folder was located, etc. Let’s have a look.

The end of the report shows the total files extracted, with more particulars.

We will open one file from the jpg folder to see what we have.

One from the png folder.

Inside the docx folder.

Inside the pdf folder.

Now the avi folder.

And finally the zip folder.

As you can see, Foremost was successfully able to carve files out of the disk image file and give us the results. Let’s put it to the test.

This is a very interesting tool, and its simplicity is what makes it stand out.

The only issue I could see with this is that the file names are not recovered, which can make the search process very tedious unless automation and a frame of reference are available.

That being said, in forensics, just being able to recover the files without opening or extracting the disk image itself is a huge advantage. The reason for saying so is that if you do extract or open the disk image you never know what might be waiting for you inside; this way you have more control over the entire investigation process. Enjoy using this tool.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here