Cory Altheide, Harlan Carvey, in Digital Forensics with Open Source Tools, 2011

dcfldd

While dd can be and has been used to acquire forensically sound images, versions of dd are available that are specifically designed for forensic use. The first of these to be examined is dcfldd, created for the Defense Computer Forensics Laboratory by Nick Harbour. The dcfldd project forked from GNU dd, so its basic operation is quite similar. However, dcfldd has some interesting capabilities that aren't found in vanilla dd. Most of these capabilities revolve around hash creation and validation, logging of activity, and splitting the output file into fixed-size chunks. The extended dcfldd functions, as well as the base dd functions, can be reviewed by passing the -help flag to the dcfldd command.

Unsurprisingly, performing with dcfldd the same image acquisition that was done with dd is quite similar. In fact, if we did not want to take advantage of the additional features of dcfldd, we could use the exact same arguments as before and would get the same results. In the code section following, we reimage the same device as previously, but at the same time generate a log of the MD5 and SHA1 hashes of each 512-megabyte chunk of the disk.

:~$ sudo dcfldd bs=32k if=/dev/sdg of=dcfldd.img hashwindow=512M hash=md5,sha1 hashlog=dcfldd.hashlog

Step 1 requires access to the suspect's data storage containers. We must create a forensically sound image (or perform a write-blocked scan) of the suspect's data storage devices. This would include local storage devices, remote storage, memory sticks, SD cards, etc. Once obtained, a scan would be performed to identify known steganography or data hiding programs. During this step we are looking not only for executable files, but also for collateral files and registry entries related to these known steganography programs. During this stage, we would also examine any Web history, downloaded applications, and network searches performed by the suspect that would point to an interest in steganography. This step is quite important in order to potentially streamline the process in Steps 2 and 3. The more we know about the specific steganography programs utilized by the suspect, the more targeted the subsequent steps can be.
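The value of the hashwindow= option in the dcfldd invocation above is that a damaged or altered image can be localized to one window instead of only failing the whole-image hash. The following is an added example, not code from the book or from the dcfldd project: it re-creates windowed MD5/SHA1 hashing in Python over a small constructed byte string standing in for a disk, and reports which windows of a later copy no longer match the log. The log layout (one "algo start - end: digest" line per window plus an "algo Total: digest" line) is an assumed layout for this example, not dcfldd's exact hashlog format.

```python
import hashlib
from typing import Dict, List, Tuple

ALGOS = ("md5", "sha1")

# Constructed stand-in for an acquired disk image (1536 bytes, not real evidence).
IMAGE = bytes(range(256)) * 6
WINDOW = 512  # mirrors hashwindow=512M, scaled down for the demo


def windowed_hashes(data: bytes, window: int, algo: str) -> List[Tuple[int, int, str]]:
    """Hash every `window`-byte chunk of `data`; the final chunk may be shorter."""
    rows = []
    for start in range(0, len(data), window):
        chunk = data[start:start + window]
        rows.append((start, start + len(chunk), hashlib.new(algo, chunk).hexdigest()))
    return rows


def render_log(data: bytes, window: int) -> str:
    """Write the windowed hash log in the assumed layout (per window, then total)."""
    lines = []
    for algo in ALGOS:
        for start, end, digest in windowed_hashes(data, window, algo):
            lines.append(f"{algo} {start} - {end}: {digest}")
        lines.append(f"{algo} Total: {hashlib.new(algo, data).hexdigest()}")
    return "\n".join(lines)


def bad_windows(log_text: str, data: bytes, window: int) -> List[Tuple[int, int]]:
    """Recompute the windowed hashes of `data` and return the (start, end) windows
    whose logged digest no longer matches; an empty list means the copy verifies."""
    recorded: Dict[Tuple[str, int, int], str] = {}
    for line in log_text.splitlines():
        algo, rest = line.split(" ", 1)
        if rest.startswith("Total:"):
            continue  # per-window lines are enough to localize a mismatch
        span, digest = rest.split(": ")
        start, end = (int(x) for x in span.split(" - "))
        recorded[(algo, start, end)] = digest
    bad = []
    for algo in ALGOS:
        for start, end, digest in windowed_hashes(data, window, algo):
            if recorded.get((algo, start, end)) != digest and (start, end) not in bad:
                bad.append((start, end))
    return bad


if __name__ == "__main__":
    log = render_log(IMAGE, WINDOW)
    copy = bytearray(IMAGE)
    copy[1030] ^= 0xFF  # simulate a single corrupted byte in the third window
    print(bad_windows(log, bytes(copy), WINDOW))  # prints [(1024, 1536)]
```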