Split Large Capacity Disk
list device from yaour laptop or compter
root@bt:~/evid# fdisk -l
root@bt:~/evid# fdisk -l
WARNING: GPT (GUID Partition Table) detected on '/dev/sda'! The util fdisk doesn't support GPT. Use GNU Parted.
Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk identifier: 0xb05cd80c
Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 102400 7 HPFS/NTFS
Partition 1 does not end on cylinder boundary.
/dev/sda2 13 12749 102297600 7 HPFS/NTFS
/dev/sda3 12749 18828 48828125 83 Linux
/dev/sda4 18828 60801 337154049 f W95 Ext'd (LBA)
Partition 4 does not start on physical sector boundary.
/dev/sda5 18828 19077 1999872 82 Linux swap / Solaris
/dev/sda6 19077 60801 335153152 7 HPFS/NTFS
Disk /dev/sdc: 7803 MB, 7803174912 bytes
241 heads, 62 sectors/track, 1019 cylinders
Units = cylinders of 14942 * 512 = 7650304 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00044125
get informatin device de/sdc is 8Gb space , we will DD /dev/sdc to create image file we clone Flasdisk
root@bt:~/evid# dd if=/dev/sdc of=image.disk2.dduse ls to see file and folder in evid folder,
split normally works on lines of input (i.e. from a text file). But if we use the –b option, we force split to treat the file as binary input and lines are ignored.
In newer versions of split we can also use the -d option to give us numerical numbering (*.01, *.02, *.03, etc.)
split -d -b XXm <file to be split> <prefix of output files>split image.disk2.dd
root@bt:~/evid# split -d -b 2000m image.disk2.dd image.split2.This would result in 2 files (8GB in size) each named with the prefix “image.split.” as specified in the command, followed by “01”, “02” and so
on (assuming a newer version of split that supports the -d option is used):
root@bt:~/evid# ls image.split2.*
The process can be reversed. If we want to reassemble the image from
the split parts (from CD-R, etc.), we can use the cat command and redirect the
output to a new file.
root@bt:~/evid# cat image.split2.00 image.split2.01 > image2.new
OR
root@bt:~/evid# cat image.split2.0* > image2.newlook hasing
root@bt:~/evid# cat image.split2.0* | md5sum
root@bt:~/evid# md5sum image2.new
Looking at the output of the above commands, we see that all the sha1sum’s match (don't confuse sha1sum output with md5sum output). We find the same hash for the disk, for the split images “cat-ed” together, and for the newly reassembled image.
Data carving using DD
download and copy to /evid
Have a brief look at the file image_carve.raw with your wonderful command line hexdump tool, xxd:
root@bt:~/evid# xxd image_carve.raw | less
Find the start of the JPEG (xxd and
grep)
root@bt:~/evid# xxd image_carve.raw | grep ffd800052a0: b4f1 559c ffd8 ffe0 0010 4a46 4946 0001 ..U.......JFIF..
root@bt:~/evid# echo "ibase=16;00052A0" | bc21152
Now it’s time to find the end of the
file.
root@bt:~/evid# xxd -s 21156 image_carve.raw | grep ffd90006c74: ffd9 d175 650b ce68 4543 0bf5 6705 a73c ...ue..hEC..g..<
calculate decimal
root@bt:~/evid# echo "ibase=16;0006C74" | bc27764
nclude the ffd9 (giving us 27766)
root@bt:~/evid# echo "27766 - 21156" | bc6610
We now know the file is 6610 bytes in size, and it starts at byte offset 21156. The carving is the easy part! We will use dd with three options: skip= how far into the data chuck we begin “cutting”. bs= (block size) the number of bytes we include as a “block”. count = the number of blocks we will be “cutting”.
root@bt:~/evid# dd if=image_carve.raw of=carv.jpg skip=21156 bs=1 count=66106610+0 records in6610+0 records out6610 bytes (6.6 kB) copied, 0.0285196 s, 232 kB/s
our current
directory called carv.jpg. If you are in X, simply use the xv command
to view the file
xv from a command line (while in
an X session) will display the graphic image in it's own window.
The libewf tools and detailed project information can be found at:
https://www.uitwisselplatform.nl/projects/libewf/
https://www.uitwisselplatform.nl/projects/libewf/
We will cover the
following tools briefly here:
ewfinfo
ewfverify
ewfexport
ewfacquire
ewfacquirestream
ewfinfo
root@bt:~/evid#
ewfinfo ntfs_pract.E01
ewfverify
root@bt:~/evid#
ewfverify ntfs_pract.E01
ewfexport
root@bt:~/evid#
ewfexport ntfs_pract.E01 | md5sum
root@bt:~/evid#
ewfexport -t ntfs_image.dd ntfs_pract.E01
root@bt:~/evid#
md5sum ntfs_image.dd
d3c4659e4195c6df1da3afdbdc0dce8f
ntfs_image.dd
ewfacquire
root@bt:~/evid#
ewfacquire /dev/sdc
Acquiry parameters required, please provide the necessary inputImage path and filename without extension: /root/ntfs_ewfCase number: 111-222Description: Removable media (generic thumdrive)Evidence number: 1Examiner name: Umar AlfaruqNotes: Seized from subjectMedia type (fixed, removable, optical, memory) [removable]: removable diskSelected option not supported, please try again or terminate using Ctrl^C.Media type (fixed, removable, optical, memory) [removable]: removableMedia characteristics (logical, physical) [logical]: physicalUse compression (none, empty-block, fast, best) [none]: fastUse EWF file format (ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, linen5, linen6, ewfx) [encase6]: encase5Start to acquire at offset (0 >= value >= 4040748544) [0]:The amount of bytes to acquire (0 >= value >= 4040748544) [4040748544]:Evidence segment file size in bytes (1.0 MiB >= value >= 1.9 GiB) [1.4 GiB]:The amount of bytes per sector (0 >= value >= 4294967295) [512]:The amount of sectors to read at once (64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768) [64]:The amount of sectors to be used as error granularity (1 >= value >= 64) [64]:The amount of retries when a read error occurs (0 >= value >= 255) [2]:Wipe sectors on read error (mimic EnCase like behavior) (yes, no) [no]: yes