Hello everybody. Today we're going to be doing acquisition using Guymager in Linux. The Guymager tool in Linux is free and open source, and it's also very, very fast at doing acquisitions of disks. Through our tests, we found that Guymager is quicker than most of the acquisition tools we tried, sometimes even twice as fast. However, it is a GUI-only acquisition tool and you can only use it on Linux; I'm not sure if you can use it on Mac OS X or not. It's been a while since I've used Mac OS X as an acquisition platform, but you can definitely use it on Linux, even from a Linux live CD, and it is extremely, extremely fast.

So in Linux we're going to use Guymager. I've already installed Guymager; it is in basically any repository I'm using. In this case I'm using Ubuntu Linux, and on forensic live CDs Guymager is installed by default on basically all of them.

Whenever we run Guymager, we need to run it as root, so I'm going to use sudo to run the program as root. The program is called guymager, so: sudo guymager. When it starts, it basically scans for all of the disks in the system. We're using the same disk as in the Windows acquisition video, so if you haven't seen that video, I recommend looking at it, because there we also talk through some of the setup of the imaging and acquisition. In this case we have the same disk: a four gigabyte USB disk connected through a Tableau write blocker, connected via USB. Here we can see some information about it in Linux. In Windows we had \\.\PhysicalDrive1 for the USB disk that we wanted to acquire; in Linux the physical disk is usually found under something like /dev/sde. I know this is a physical disk because if it were a partition, a logical disk, then it would be /dev/sde1 or /dev/sde2.
That tells me that this is a physical disk. We have these other disks, sda, sdb, sdc and sdd; these are all physical disks within this computer. Then we have this /dev/mapper entry that maps to /dev/sda3, so it's actually mapping to a partition, and it looks like it's an encrypted partition, because it's going through the device mapper. What we're actually interested in here is the four gigabyte disk. This is our suspect disk, not to be confused with any of the disks in the system, so you should know what hard drives you have installed in your computer. In Guymager, we click on it and it gives us the information it already has about the disk, basically just the size and the sector size. If we scroll over a little bit, again, it doesn't really have any extra information for us; it doesn't know if there are hidden areas, things like that. If you didn't already have your suspect drive plugged in when you started Guymager, you might need to click the Rescan button to get the new drives to show up.

So we right-click on the disk that we want to image and click Acquire image. Now we have a lot of the same options as we had with FTK Imager in Windows. I am again going to choose Linux dd raw image. This tool only supports basically the Expert Witness Format, which is E01, or Linux dd raw image, which is what we created before as .001 or .dd. It also supports splitting the image files, like we talked about before. The split size by default is 2047 MiB. Remember, before, we split it up; I think the default in FTK Imager was 1500 MB. I'll just use 1500 again here, just for fun, I guess. The image directory, like before, is where we actually want to save our image to. We do not want to write any data back to our suspect disk, so I normally, like I said, have a special area for the case or a special hard drive for the case.
So in this case I'm just going to save it on the desktop for now, but this is not good practice; make sure you have a separate hard drive for your cases. Then we have this cases folder, our case number is 001, I have this images folder, and our disk is the first device in our case, so I just named it 001. So now I choose the directory, and that gives the full path to the directory that I want it to be saved in. Then I give it the image name, and I'm just going to call it 001. I would normally give it, for example, the serial number if I knew the serial number of the disk; I should give it some sort of special identifier. But because of my file system structure here, I will know what this is related to.

Now we go down to hash calculation and verification. We calculate MD5, which we also had last time, and we also want to calculate SHA-1, just to make sure that we verify it the same way that we did with FTK Imager. In this case we can also calculate SHA-256, which is required in some countries. "Re-read source after acquisition for verification" adds an extra verification step, and I normally do this whenever we're working with real suspect data. I won't do it now, to save a little bit of time, but I will verify the image after acquisition. So I'm going to go ahead and start. Now it shows the image file that it's saving to; the current speed is about 23 MB/s, and that will probably go down because this is USB 2.0. We got up to 30, now it's about 26; I'm sure this will go down shortly. Hash calculation: MD5 and SHA-1; source verification off; image verification on. This is the disk, this is the model, it's currently running, progress about 11%, average speed 26 MB/s, and time remaining about four minutes.
Before, with FTK Imager in Windows (which of course was running in a virtual machine), the whole acquisition took about 10 minutes. This one I expect to take around five to six minutes, so I will let that run and then we will come back whenever it's done.

Okay, so now that it has finished, and it verified OK, I'm going to open up the cases folder. We have images, then 001, and in there I have the different parts of the image, and I have this 001.info. So these are the different parts: instead of having .001 as the extension, it started at .000, then .001, and so on. If I open up a text editor and look at the .info file, it's basically just a text file, so if we changed .info to .txt we could just double-click on it; here I just opened it in an editor. Let me shrink this down a bit. This is all the information that we get from Guymager. It gives the version number; again, the version number is very important if we want to test or reconstruct what we've done. Then the compilation timestamp (when Guymager was actually compiled), which GCC it was compiled with, the libewf version; basically all of the software information, so we can reconstruct what's been done. Then device information, a little bit more information about the actual device: no kernel HPA messages, okay, so some parameters from the hard drive itself. So we were looking at /dev/sde, and this is some information about /dev/sde. The serial number is not showing up properly, which means it's probably not a standard configuration; then transfer information, and the device size as calculated. Now we get down to the acquisition information: the device that we acquired, the size of the disk, the format we wanted (a split raw image), where we saved everything to, and what kind of hashes we collected. And then what we are really interested in is the MD5 hash.
In this case we got an MD5 hash ending in ...f7a79, and then an MD5 hash of the verified image, also ending in ...f7a79. I'm just using these last few characters for the comparison, but you really should compare and make sure the entire hash matches. In this case it matched; the program matched it automatically, and the SHA-1 hash matched as well between the original creation and the verification afterwards. So that means that we correctly copied the data. It tells us when the acquisition started, when it ended, the overall acquisition speed, and then the verification speed. The verification speed is so fast probably because caching is turned on: when we read the data from the suspect disk, it's cached in memory, and when it tries to verify, it verifies that cache instead of reading it from the disk again.

So this is the information about the drive. What I'm going to do now is re-verify this disk image. Now that I have the MD5 hash (...f7a79), I'm going to open up a terminal. All versions of Linux should have a terminal of some type, and they almost all have a program installed called md5sum. If I type md5sum --help, it tells me all the different ways that I can use md5sum, but basically we just give md5sum a file and it will calculate the hash of that file. So for example, if I run md5sum 001.info, which isn't very useful I guess, it calculates the MD5 sum of the info file and gives me the name of the file as well. Now I can use that hash again later for verifying that the info file didn't change. So if I want to calculate the hash of the original image and I just do md5sum 001.000, this is the first part of my disk image, right? Let's go back: our hash value for the overall image was ...f7a79.
I calculated the hash for the first part, and it wasn't ...f7a79. Of course it's not going to be, because I'm not looking at the entire disk image; I'm not calculating the hash value for the entire disk image, only for that one part. If we run ls -lha, we see that this is split up into 1.5 GB parts, remember? So just like we did with FTK Imager in Windows, we have these 1.5 GB parts, and we need to combine all of these parts before we get all of the data. One way we can do that is by using cat, which stands for concatenate. If I run cat 001.0*, that will read this file, then this file, then this file, as raw bytes, and then I want to send that data to md5sum: cat 001.0* | md5sum. Now it's reading all three of those files concatenated and calculating the MD5 sum. Let's go back: our hash value was ...f7a79, and here I calculated ...f7a79. So this is a very quick way to verify your data.

Now remember, we always want to work with copies of the original. So since I've just created this disk image, now I would make an exact copy of it, verify that the hash is the same, and then I would only work with the copy. I would archive this image off somewhere else and keep a copy of the image to work with.

So this is how to acquire disk images with Guymager in Linux, if you want to use a GUI, and also how to verify data, especially multi-part data, using md5sum and cat. That's it for today. Thank you very much.
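The cat-and-md5sum check from the video, written up as a small shell script. This is an added example, not code from the video or from the Guymager project. It assumes Guymager's split raw naming (parts called 001.000, 001.001, ...) and GNU coreutils (md5sum, sha1sum, sha256sum, split, head). It goes a little beyond the video: it hashes with any of the three algorithms Guymager records in the .info file, sorts the parts explicitly in the C locale so the order does not depend on the analyst's LC_COLLATE setting, and exercises the mismatch path as well as the match. The demo data is constructed on the spot: a 3 MiB random file split into 1 MiB parts, whose unsplit digest stands in for the value read out of 001.info.

```shell
#!/bin/sh
# Added example: verify a split raw (dd) image by hashing the concatenation
# of its parts, the same idea as "cat 001.0* | md5sum" from the video.
# Assumed layout (Guymager's split raw naming): <base>.000, <base>.001, ...
set -eu

# Print the parts of an image in order, one per line. The shell already
# expands the glob sorted, but forcing the C locale guarantees that
# .000 < .001 < ... < .010 whatever LC_COLLATE the analyst's shell uses.
image_parts() {
    base=$1
    set -- "$base".[0-9][0-9][0-9]
    [ -e "$1" ] || { echo "no parts found for $base" >&2; return 1; }
    printf '%s\n' "$@" | LC_ALL=C sort
}

# Digest of the whole image: stream every part, in order, into one hash.
# algo is md5, sha1 or sha256 (coreutils md5sum/sha1sum/sha256sum).
image_hash() {
    base=$1; algo=${2:-md5}
    image_parts "$base" | while IFS= read -r part; do
        cat -- "$part"
    done | "${algo}sum" | cut -d' ' -f1
}

# Compare the computed digest against the one recorded in the .info file.
# Returns 0 on match, 1 on mismatch; the comparison is case-insensitive.
verify_image() {
    base=$1; algo=$2; expected=$3
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(image_hash "$base" "$algo")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $algo $actual"
        return 0
    fi
    echo "FAIL $algo expected=$expected actual=$actual" >&2
    return 1
}

# Demo on constructed data: a 3 MiB random "image" split into 1 MiB parts
# (the video used 1500 MB parts; scaled down here). The digest of the
# unsplit file stands in for the value Guymager writes to 001.info.
demo() {
    dir=$(mktemp -d)
    head -c 3145728 /dev/urandom > "$dir/whole.dd"
    reference=$(md5sum "$dir/whole.dd" | cut -d' ' -f1)
    split -b 1048576 -d -a 3 "$dir/whole.dd" "$dir/001."   # 001.000 001.001 001.002
    verify_image "$dir/001" md5 "$reference"
    verify_image "$dir/001" sha256 "$(sha256sum "$dir/whole.dd" | cut -d' ' -f1)"
    # Hashing one part on its own, as the video did first, cannot match.
    if [ "$(md5sum "$dir/001.000" | cut -d' ' -f1)" != "$reference" ]; then
        echo "first part alone differs from the whole-image hash, as expected"
    fi
    rm -rf "$dir"
}

demo
```

One caveat on what this check actually proves: it reads the image files back through the kernel page cache, so right after an acquisition it may be served from memory rather than from the disk platters, just as the video notes for Guymager's own verification. To be sure the stored bytes are being read, drop the caches first as root (sync; echo 3 > /proc/sys/vm/drop_caches) or run the check on a fresh boot or a different machine before archiving the image.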