Hello everyone, today we're going to continue our discussion of forensic data acquisition, and now we are going to be using the command line to do acquisition. First we used FTK Imager in Windows, using the GUI, an interface that you can interact with, basically. Then we used Guymager in Linux, which also had a GUI interface, and we saw it was quite fast in its acquisition. So both of those were quite easy and relatively fast, but you can't really automate them; you can't add them to some sort of program chain very easily. So the tool that we will be using today is purely from the command line, and it works (there are more tools like it) in Windows, OS X and Linux. You do have to have administrative privileges to use it, so just be aware of that if you're ever doing a live acquisition. Assume that this is our forensic workstation. Our forensic workstation is Linux, and it's running Ubuntu Linux, and I want to run the tool from the command line. So first I actually have to open up a terminal. I have this terminal open here and I'm already inside my cases folder: I have my cases/001/images folder, and then my exhibit is 001. I have this 4 gigabyte USB stick plugged into a Tableau write blocker, and the write blocker is connected to my forensic workstation using a USB cable. So now I have the disk plugged in and I have a terminal open. Now I need to figure out which disk, or what identifier, my computer detected the disk as. We can do that in Linux by running sudo, which means that I get superuser privileges: sudo fdisk -l. This will basically give me a list of all of the disks in the system, but I'm really interested in this one at the bottom: Disk /dev/sde, 3.8 GB, and this looks like the disk that I want. I see that it has 512-byte sectors, the disk label is DOS, and it has a disk identifier. This looks like the disk that I'm interested in.
I'm also interested in the number of sectors that it has; in this case it's 512 bytes. If I want to verify this disk, then I can do sudo mount. If I just type mount, then we can go through and find, for example, /dev/sde, which is what I suspected before, and it's mounted on /media/joshua/test-usb, and I know that this is, well, I assume that this is the name of the USB stick, and its type is vfat. So this vfat tells me that it's definitely my disk, or the suspect disk, because I know that I do not have any vfat disks installed in this system. So I know that this is it. If, for example, I know what file system is installed, if I know it has a partition and what file system, I can use grep. Let me clear this out real quick: clear. So I can use sudo mount and then pipe that into grep for vfat, and then we see /boot/efi, but this is for booting, and then I see /dev/sde on /media/joshua. Okay. So I know that this is my suspect disk. So now I want to collect, or I want to memorize, or I should be documenting at least, this /dev/sde. This is the physical disk identifier, and I want to make a physical disk image of this disk. Okay. So I'm going to clear this out. I'm already in my case folder, and I'm already in the folder that will store my acquired disk image. And the tool we're going to use is called dcfldd. This tool is actually pretty common. The tool that's built into OS X and Linux by default is dd, but dd doesn't have as many features as dcfldd; dcfldd is kind of an enhanced version of dd that has some interesting features for forensic investigators, basically. So we will type sudo; I need to be sudo because I need access to the actual disk. So sudo dcfldd. And then I want to put my input interface, and this is the important part: I want to put my input interface, or if=, and then /dev/sde. This is the disk that I am going to copy.
If you get the disk that you're going to copy and the disk that you're copying to mixed up, you will overwrite some data, so make sure you get this right. if, input interface. So dcfldd if=/dev/sde, and that's making a copy of the disk that I have. Okay. And then dcfldd has the ability to make hashes while it's reading the data. So we want to say hash=md5,sha1. Now remember, in FTK Imager and Guymager I made MD5 and SHA1 hashes in both of them, and now I'll do it for this as well. And then I can say md5log=md5.txt, and that will just say where I save the MD5 log to; sha1log=sha1.txt, and it will save the SHA1 hash to a different log. And then I can say hashconv=after, okay, so in this case it's going to basically do all the hashing afterwards. The block size, bs, here is 512 because I want to basically be copying sectors here, so I want to make this the same size as the sector size. And then some extra flags, basically to make this run a little bit better if it runs into any errors or anything like that. And then I want to split the disk image. Before, we were splitting the disk image by 1,500 megabytes in both programs prior to this, so split=1500M, 1,500 M for meg, 1,500 MB sections. And then I want to say splitformat=000, which is very similar to the way that Guymager was doing it. So this will give it the 000 extension, which will look exactly like the way Guymager made it look. And then of=, and this is my output interface. So if, input interface; of, output interface. if is where I'm reading the data from; of is where I'm saving the data to. So it's very important that we get the output interface right.
Because if you don't, then you could overwrite data; you could overwrite your hard drive and lose all of your data. So be very careful whenever you run this command; make sure you're running it in a test system until you really know what you're doing. In this case, I'm going to call it test-usb. So the output interface: I'm just writing it, in this case, to a file in the directory cases/001/images/001, and then it will be test-usb, and it will have the extension 000. Okay. So whenever we run that, let's click. Okay. Now it's writing the data. So let's go to the 001 folder and see what's going on. I'll move this up so we can see what's going on. Okay, so we can see the first part of the image. The first part of the image is created: it has test-usb.000. And then whenever it got to 1.6, basically 1.5 gigabytes, then it made the second part, test-usb.001. Now it's test-usb.002. If I go to md5.txt, well, it hasn't saved anything yet because it's not finished yet. Okay. So now it's finished. We should have the MD5 value. And if you recall from Guymager, our MD5 value was f7a79, so this looks like it is the same value as before. And our SHA1 value is in this sha1 log. The reason that this was so quick is because we actually just finished the Guymager example and the disk data was still in cache, or in memory. So this was reading from memory and not from the actual physical disk. So be aware of this for this example; I used it because it makes the video much faster, but be aware.
If you read the disk once, and especially if you're in a Linux system, you have to clear your caches, clear your memory cache, before you read the disk again; otherwise you won't be reading directly from the suspect disk, you will be reading from your cached memory. So that's pretty much it for copying data from the command line. Because this is a command, really the advantage of this is, first off, it's relatively simple. You just need this very small program; you don't have to have a whole interface, if you can just remember a command like this. Now, not all of these options are necessary, but if you can remember this command, then it's very easy to use, and you can also write it into different scripts. So in forensics we use a lot of different scripts, and you could basically put this into a program that just essentially runs automatically. So it makes it much easier for you to run, basically. This tool works in Linux, OS X and Windows; there are versions for almost all the different operating systems, or you can compile it yourself. So this is just to get you used to working with the command line a little bit. The more you can work with the command line, the better; the easier things will be for you in doing automation in forensics. So that's pretty much it. I guess we can just use, like last time, the same method for verifying our hashes. So we have our MD5 hash text here, and we have f77, f7a79. And if I go back in and I do cat test-usb*, that's going to read all of the data from the three different parts of my disk image, and then I'm going to pipe that into md5sum, and it will make the hash value for that. And we'll open this back up just to make sure. So now it's reading all the data, and then we get f7a79. So all of the images that were collected, they do verify.
We do have the correct value. So again, since I've just acquired my data, I would make an archive of this data. I would basically copy the data, make an archive of the data, make sure all the hashes match, and then save this data someplace else so it doesn't get damaged. Yeah. So that's it for copying data using the Linux command line and dcfldd. Thank you very much.
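As an added example (not from the video), here is a POSIX shell script that wraps the dcfldd command from the walkthrough and then re-verifies a split image the way the lecture does with cat ... | md5sum, comparing the result against the md5log file; it also covers the page-cache point with the Linux drop_caches mechanism. The test-usb prefix, the md5.txt log name, the three-part demo image (constructed inline) and the conv=noerror,sync pair (the usual dd/dcfldd options for continuing past read errors, named here because the video only mentions "extra flags") are assumptions.

```shell
#!/bin/sh
# Added example (not from the video): dcfldd acquisition wrapper plus split-image
# verification. Assumes Linux, root for the dcfldd/cache steps, parts named <prefix>.000,
# .001, ... as produced by split=/splitformat=000, and a test-usb prefix like the demo.

# Clear the Linux page cache so a re-read hits the suspect disk, not RAM.
drop_page_cache() {
  sync && echo 3 > /proc/sys/vm/drop_caches
}

# acquire_disk /dev/sdX test-usb : flags from the walkthrough; conv=noerror,sync is
# the usual "continue past read errors, pad the bad block" pair for the extra flags.
acquire_disk() {
  dcfldd if="$1" hash=md5,sha1 md5log=md5.txt sha1log=sha1.txt hashconv=after \
         bs=512 conv=noerror,sync split=1500M splitformat=000 of="$2"
}

# cat the parts in order (the glob sorts .000 < .001 < .002), md5sum the stream and
# compare with the first 32-hex value in the md5 log. 0 = match, 1 = mismatch, 2 = no hash.
verify_split_image() {
  dir=$1; prefix=$2; logfile=$3
  expected=$(grep -oE '[0-9a-f]{32}' "$logfile" | head -n 1)
  [ -n "$expected" ] || { echo "no MD5 in $logfile (imaging not finished?)" >&2; return 2; }
  actual=$(cat "$dir/$prefix".[0-9][0-9][0-9] | md5sum | cut -d' ' -f1)
  if [ "$actual" = "$expected" ]; then
    echo "verified: $actual"
    return 0
  fi
  echo "MISMATCH: log says $expected, image hashes to $actual" >&2
  return 1
}

# Constructed demo data: three tiny "parts" in a temp dir and a log line carrying
# their combined MD5 (stands in for what dcfldd writes to md5.txt). Prints the dir.
build_demo_image() {
  d=$(mktemp -d)
  printf 'sector data, part zero' > "$d/test-usb.000"
  printf 'sector data, part one'  > "$d/test-usb.001"
  printf 'sector data, part two'  > "$d/test-usb.002"
  h=$(cat "$d"/test-usb.00[0-2] | md5sum | cut -d' ' -f1)
  printf 'Total (md5): %s\n' "$h" > "$d/md5.txt"
  echo "$d"
}

# Stand-alone run: verify the demo image, then show a tampered part being caught.
demo=$(build_demo_image)
verify_split_image "$demo" test-usb "$demo/md5.txt"
printf 'x' >> "$demo/test-usb.002"
verify_split_image "$demo" test-usb "$demo/md5.txt" || echo "tamper detected (exit $?)"
```

Run acquire_disk only on a throwaway system first, as the lecture advises: a swapped if=/of= pair overwrites the target.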