Forensics with Kali Linux [It is a capital mistake to theorize before one has data.]








The crime has been committed and we have found the culprit. Now we need to collect the evidence from his machine. Before you start collecting evidence, consider the following:
  • Never touch anything until you understand exactly what you are getting into.
  • Are you qualified to handle this investigation?
  • Do you have all the tools and resources needed?


Technical order of volatility.



  • Understand the order of volatility and collect the most volatile data first:
  • CPU, cache and register content
  • Routing table, ARP cache, process table, kernel statistics
  • Memory
  • Temporary file system / swap space
  • Data on hard disk
  • Remotely logged data
  • Data contained on archival media


Collecting evidence


  • Photograph the computer and the scene.
  • If the computer is off, do not turn it on.
  • If the computer is on, photograph the screen.
  • Collect live data: start with a RAM image, then collect other live data as required, such as network connection state, logged-on users, currently executing processes, etc.
  • If hard disk encryption is detected (using a tool like Zero View), such as full disk encryption (e.g. PGP Disk), collect a "logical image" of the hard disk before powering the machine down (the decrypted contents are only reachable while the system is running), using dd.exe or Helix locally, or remotely via F-Response.
  • Unplug the power cord from the back of the tower. If the machine is a laptop and does not shut down when the cord is removed, remove the battery.
  • Diagram and label the cords.
  • Document all device model numbers and serial numbers.



  • Disconnect all cords and devices.
  • Check for an HPA (host protected area), then image the hard drive using a write blocker, Helix or a hardware imager.
  • Package all components (anti-static evidence bags).
  • Seize all additional storage media (create the respective image and place the original device in an anti-static evidence bag).
  • Keep all media away from magnets, radio transmitters and other potentially damaging elements.
  • Collect instruction manuals, documentation and notes.
  • Document all steps used in the seizure.

Mount the drives for data extraction.


Now get your hands dirty with the Kali forensic tools.



Mounting an external hard drive on Kali

fdisk -l
This command lists all the disk drives connected to the Kali Linux machine.

Kali sees every attached disk as an sd device. The first disk is "a", the second is "b", and so on, so Kali Linux sees sda as the first disk.


As you can see in the screenshot above, sda1, sda2 and sda5 are all partitions: Kali numbers the partitions on the disk sda1, sda2 and sda5. sda5 is a Linux swap partition, which is nothing but the paging space of the system.

When I scroll further through the output, my plugged-in external drive, sdb1, shows up as well.



Let's use a command line tool to copy the disk bit by bit:
dcfldd if=/dev/sda hash=md5 of=/media/diskimage.dd bs=512 conv=noerror,sync

Let's break the command down:

if=/dev/sda is the input device, in this case /dev/sda.
hash=md5 tells the command to calculate the MD5 hash of the image, which we can use to verify the integrity of the image.
of=/media/diskimage.dd is the file the disk image will go to, in this case on the external device mounted at /media.
bs=512 tells the command to transfer the image 512 bytes at a time.
conv=noerror,sync tells the command to continue the data transfer when a read error occurs, writing zeros in place of the unreadable block so the rest of the image stays at the correct offsets.
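The acquire-then-verify routine described above, as an added example that is not from the original post: it uses plain dd in place of dcfldd (an assumption, so the script needs no extra tools; with dcfldd, hash=md5 does the hashing in the same pass), images a constructed sample file instead of /dev/sda, records the source and image MD5 hashes, and re-verifies the image against the recorded hash before it is used.

```shell
#!/bin/sh
# Added example, not from the original post: acquire an image 512 bytes at a time with
# dd (standing in for dcfldd so it runs with no extra tools), hash source and image with
# md5sum, record both, and re-verify the image later against the recorded hash.
# It images a constructed file instead of /dev/sda so it can run anywhere.

# acquire_image SOURCE IMAGE LOG
# conv=noerror,sync keeps going past read errors and zero-fills the bad block, so every
# byte of the image sits at the same offset as on the source. Prints the image md5 on
# stdout; returns 1 (and says so in LOG) if source and image hashes differ.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    img_md5=$(md5sum "$img" | cut -d' ' -f1)
    {
        echo "acquired: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:   $src md5=$src_md5"
        echo "image:    $img md5=$img_md5"
        [ "$src_md5" = "$img_md5" ] && echo "status:   MATCH" || echo "status:   MISMATCH"
    } >> "$log"
    echo "$img_md5"
    [ "$src_md5" = "$img_md5" ]
}

# verify_image IMAGE EXPECTED_MD5: rerun before every analysis session; a changed hash means
# the image was altered (or the copy is bad) and must not be relied on as evidence.
verify_image() {
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# make_sample_disk PATH: constructed 4 KiB stand-in for a suspect disk (not real evidence)
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    printf 'CONSTRUCTED-SAMPLE' | dd of="$1" bs=1 seek=1024 conv=notrunc 2>/dev/null
}

# Example run
work=$(mktemp -d)
make_sample_disk "$work/suspect.raw"
if md5=$(acquire_image "$work/suspect.raw" "$work/diskimage.dd" "$work/acquisition.log"); then
    echo "image acquired, md5=$md5"
    verify_image "$work/diskimage.dd" "$md5" && echo "image re-verified"
else
    echo "hash mismatch, image not trustworthy" >&2
fi
```

For a real acquisition, point SOURCE at the evidence device behind a write blocker and keep the log next to the image; the recorded hash is what lets anyone later show the image still matches what was seized.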
                                                     



Thank you for reading.