Laptop Imaging Simplified

by Chetan Gupta, NII Consulting

How many times in an investigation does a forensic investigator come across the problem of acquiring data from a suspect’s laptop? The answer to this question would be ‘many times’. Whenever such a situation arises, the investigator is usually in a dilemma as to whether he should open the laptop, take out the hard disk, connect it to IDE-to-USB converter and then perform the duplication or should he try to do it without opening the laptop. The preferrable choice usually is the latter one in which the investigator acquires the suspect disk over the network. Choosing the first option could lead to the laptop/hard disk getting damaged or the warrantly of the laptop being rendered void.

Now, the question is how would an investigator perform the imaging through the network?
Well, lets see what all he requires:

  1. A bootable Linux distribution such as Helix, Knoppix-STD, PenguinSleuth, etc.
  2. A cross cable to connect the forensic workstation with the laptop

The beauty of this method is that the investigator can achieve fast duplication of the suspect media without spending a penny!
So, the scenario would be something like this:
The suspect laptop is booted with a live Linux distribution. The forensic workstation is running under Linux operating system. Both the machines are connected with a Ethernet cross cable. For the purpose of clarity, the investigator creates a directory called ‘evidence’ under /mnt/ to store the image file. He would ensure that there is enough space on the disk to store the image file. To analyze the rate of data transfer between the suspect’s laptop and the forensic workstation, the investigator would have installed a utility called Pipebench.

About Pipebench

Pipebench is an amazing utility that shows the current throughput and amount of data going through a pipe. Usually when we run a command which includes two communicating processes that exchange data and may take forever to complete, we need a mechanism to know how much data is passing from one end to another. Pipebench measures the speed of a pipe, by sitting in the middle passing the data along to the next process. It works on most flavours of Unix. Pipebench is available here.
The investigator would then create a ‘netcat’ listener on a randomly chosen port (usually above 1024) and issue the following command at his workstation:

nc -l -p #any random port#|gunzip|pipebench > /mnt/evidence/image.dd

Suspect Laptop

The suspect laptop is running a Linux distribution from the live cd. The investigator would opena terminal and issue the following command.

dd if=/dev/hda|gzip --fast|nc #ip address of the forensic workstation# #port number on which netcat is listening#
And we are done! The investigator can monitor the data transfer rate on the forensic workstation. After the image transfer, the investigator can verify the image using md5sum or sha1sum in the following manner:

On the Forensic Workstation

md5sum -b /mnt/evidence/image.dd > /mnt/evidence/image.dd.md5
nc -l -p #any random port# > /mnt/evidence/suspect.hda.md5

On the Suspect Laptop

md5sum -b /dev/hda | nc #ip address of the forensic workstation# #port number on which netcat is listening#

Now, on the Forensic Workstation, the investigator would compare the two files using standard utility diff

diff image.dd.md5 suspect.hda.md5

If the following output is returned, the image is a bit-by-bit replica of the suspect disk.
0 No differences were found.

In our personal experience, we have seen upwards of 30Mb/s data transfer rates through a 100 Mbps LAN connection.

Happy imaging!

6 Comments

  1. This article was very informative. Especially to those of us who really almost 100% of the time rely on using Windows based imaging tools. I normally remove the suspect HDD from the laptop and image direct, but I would prefer to do a cable access image using a Linux based CD. This article shows me step by step how to accomplish this method. Thanks

  2. Hi Chetan,

    This is a brilliant article, thanks very much.
    I tried this successfully, to transfer one partition. Unfortunately during the transfer of partition 2 , dd failed (dd: reading /dev/hda2 input/output error ) after copying 11 GB.
    Perhaps if time permits you could pen your thoughts on using dd.

    Suranjith

  3. Hi Suranjith,
    Thanks for the nice words.
    I suppose you ve got some bad sectors.. you can use some options of dd which would help u in error handling:
    dd if=/dev/hda2 of=/destination/image.dd conv=noerror,notrunc,sync
    this allows the utility to handle the errors in a dignified manner…
    Better still, you can use dd_rescue available at http://www.garloff.de/kurt/linux/ddrescue
    dd_rescue has advanced error handling and I hope that would solve ur problem…
    Chetan

  4. Many a time during Forensics investigation or during Reverse business, we come across the need where we have to check or haul out the contents of an executable file. There are many viable data carving tools such as enclose, Win hex, Access data FTK, Data Lifter, I Look examiner.

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.