In my last post I talked about some of the acquisition tools that are available to use for imaging evidence. This post will demonstrate how to use the tools I mentioned: dd, dcfldd, and FTK Imager. For dd and dcfldd I'll be using the SANS SIFT kit, and for the FTK Imager demo I'll be using a Windows 7 machine.

First let's start with dd. With the dd command I need to know the location of the mounted USB device that I'm going to image. The mount command will show where the USB device is in the Linux filesystem. The third line before the last line says: /dev/sdc1 on /media/Thumb Drive. This is the device I'm looking for; /dev/sdc1 is where the USB device is located within the Linux filesystem.

Now that I know the location of the USB device I can start the imaging process. In this screenshot I invoked the dd command to image the USB bit for bit and to send the image file to a location of my choosing. I'll break down the command: first I have sudo, which allows me to run a command as a different user. In this case I'm running this command as the root user.
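The procedure above (find the device with mount, then copy it bit for bit with dd) as an added shell example; this is not the post's own script or screenshot. It parses a constructed sample of mount output to locate the device mounted at /media/Thumb Drive, images a source with dd, and verifies the copy by comparing SHA-256 hashes, which is the check a practitioner wants before relying on an image. Because it has to run without real hardware, the demo images a constructed 1 MiB file instead of /dev/sdc1; the function names, the sample mount lines and the sizes are assumptions. On a real case the source would be the device path the mount command revealed, run with sudo as the post describes, and a practitioner would want the device unmounted or attached read-only (ideally behind a write blocker) before acquiring it.

```shell
#!/bin/sh
# Added example (not from the original post): locate a USB device from
# mount output, image it bit for bit with dd, and verify the copy by hash.

# Constructed sample of `mount` output; the real command prints similar lines.
SAMPLE_MOUNT_OUTPUT='proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
/dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro)
/dev/sdc1 on /media/Thumb Drive type vfat (rw,nosuid,nodev,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime)'

# find_device <mount output> <mount point> -> prints the block device mounted there.
# The mount point may contain spaces and slashes, so the sed pattern uses | as delimiter.
find_device() {
    printf '%s\n' "$1" | sed -n "s|^\(/dev/[^ ]*\) on $2 type .*|\1|p"
}

# image_device <source> <destination> -> bit-for-bit copy, returns dd's exit status.
# conv=noerror,sync keeps reading past unreadable blocks and pads them with zeros so
# the image keeps the same offsets as the source. On a real device this is
# run as root, e.g.: sudo dd if=/dev/sdc1 of=/cases/thumb.dd bs=512 conv=noerror,sync
image_device() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# sha256 <file> -> prints the hash used to verify the image against the source.
sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# demo_acquire -> images a constructed 1 MiB "device" (stands in for /dev/sdc1)
# and prints "match" when the image hash equals the source hash.
demo_acquire() {
    work=$(mktemp -d)
    # Constructed evidence: 2048 sectors of random bytes, a whole number of 512-byte blocks.
    dd if=/dev/urandom of="$work/source.bin" bs=512 count=2048 2>/dev/null
    image_device "$work/source.bin" "$work/evidence.dd"
    src=$(sha256 "$work/source.bin")
    img=$(sha256 "$work/evidence.dd")
    rm -rf "$work"
    if [ "$src" = "$img" ]; then echo "match"; else echo "mismatch"; fi
}

# Usage: locate the device first, then image it.
find_device "$SAMPLE_MOUNT_OUTPUT" "/media/Thumb Drive"   # prints /dev/sdc1
demo_acquire                                              # prints match
```

Recording both hashes alongside the image is what lets you later show the copy is exact; if the source has unreadable sectors, conv=noerror,sync will make the hashes differ, and that difference should be noted in the case log rather than hidden.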