Analysis organization

Although this is just an introduction, most of the work you will do here can be applied to actual casework. The tools are standard Linux tools, and although the example shown here is very simple, it can be extended with some practice and a little (ok, a lot) of reading. The practice floppy (in raw image format, produced with a simple dd) for the following exercise is available at:

ftp://ftp.hq.nasa.gov/pub/ig/ccd/linuxintro/practical.floppy.dd

Once you download the floppy image, put a floppy disk in your drive and create the practice floppy with the following command (dd is covered in detail later). Note that dd overwrites whatever is on the disk named by of=, so check that /dev/fd0 really is your floppy drive before you run it:

dd if=practical.floppy.dd of=/dev/fd0

The output of various commands and the amount of searching we will do here is limited by the scope of this example and the amount of data on a floppy. When you actually do an analysis on larger media, you will want to have it organized. Note that when you issue a command that results in an output file, that file will end up in your current directory unless you specify a path for it in the command.

One way of organizing your data would be to create a directory in your “home” directory for evidence, and then a subdirectory for each case. Since we will be executing these commands as root, the home directory is /root:

mkdir ~/evidence

The tilde (~) in front of the directory name is shorthand for “home directory”, so when I type ~/evidence, Linux interprets it as $HOME/evidence. If I am logged in as root, the directory will be created as /root/evidence. Note that if you are already in your home directory, you don't need to type ~/. Simply using mkdir evidence will work just fine. We are being explicit for instructional purposes. Directing all of our analysis output to this directory will keep our output files separated from everything else and maintain case organization.

For the purposes of this exercise, we will be logged in as “root”. I have mentioned already that this is generally a bad idea, and that you can make a mess of your system if you are not careful. Many of the commands we are utilizing here require root access (the permissions on the devices you will need to access should not be changed to allow otherwise, and doing so would be far more complex than you think). So the output files that we create and the images we make will be found under /root/evidence/

An additional step you might want to take is to create a special mount point for all physical subject disk analysis (not that we normally mount subject disks…). This is another way of separating common system use from evidence processing.

mkdir /mnt/analysis
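As an added illustration of the layout just described (this script is not part of the original guide), the following POSIX shell helper creates a per-case directory under the evidence directory, writes command output to an explicit path inside that case directory so nothing lands in whatever your current directory happens to be, and creates the separate mount point. The function names new_case, save_output and make_mountpoint, and the EVIDENCE_ROOT and ANALYSIS_MOUNT variables, are my own; the defaults match the text (~/evidence, which is /root/evidence when working as root, and /mnt/analysis).

```sh
#!/bin/sh
# Added example, not code from the original guide. Helper functions for the
# evidence layout described above. EVIDENCE_ROOT and ANALYSIS_MOUNT are
# assumed names; their defaults follow the text.

EVIDENCE_ROOT="${EVIDENCE_ROOT:-$HOME/evidence}"
ANALYSIS_MOUNT="${ANALYSIS_MOUNT:-/mnt/analysis}"

# new_case NAME: create $EVIDENCE_ROOT/NAME and print its absolute path.
# Rejects empty names and names containing a slash, "." or "..", so a case
# can never be created outside the evidence tree, and refuses to reuse an
# existing directory so the output of two cases is never mixed.
new_case() {
    name="$1"
    case "$name" in
        ''|*/*|.|..)
            echo "new_case: bad case name '$name'" >&2
            return 1 ;;
    esac
    dir="$EVIDENCE_ROOT/$name"
    if [ -e "$dir" ]; then
        echo "new_case: $dir already exists, refusing to reuse it" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    printf '%s\n' "$dir"
}

# save_output CASEDIR OUTFILE CMD...: run CMD and write its stdout to
# CASEDIR/OUTFILE. Building the full path every time is the point: a bare
# "cmd > file" lands in the current directory, wherever that is.
save_output() {
    casedir="$1"
    outfile="$2"
    shift 2
    "$@" > "$casedir/$outfile"
}

# make_mountpoint: create the separate mount point for subject disks and
# print its path. Creating it under /mnt needs root; nothing is mounted here.
make_mountpoint() {
    mkdir -p "$ANALYSIS_MOUNT" && printf '%s\n' "$ANALYSIS_MOUNT"
}

# Walk-through, run as: sh organize.sh --demo (from the directory holding
# practical.floppy.dd). Guarded so that sourcing the file only defines the
# functions.
if [ "${1:-}" = "--demo" ]; then
    casedir=$(new_case "practical_floppy") || exit 1
    save_output "$casedir" "practical.floppy.dd.ls.txt" ls -l practical.floppy.dd
    make_mountpoint
    ls -l "$casedir"
fi
```

Run the demo as root if you keep the default /mnt/analysis mount point; to try the functions as an ordinary user, set EVIDENCE_ROOT and ANALYSIS_MOUNT to directories you own before running it.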
