Creating a forensic image of the suspect disk

Make an image of the practice disk. This is your standard forensic image of a suspect disk. Execute the command from within the /root/evidence/ directory:

dd if=/dev/fd0 of=image.disk1 bs=512

This takes your floppy device (/dev/fd0) as the input file (if) and writes the output file (of) called image.disk1 in the current directory (/root/evidence/). The bs option specifies the block size. This is really not needed for most block devices (hard drives, etc.) as the Linux kernel handles the actual block size. It's added here for illustration.

For the sake of safety and practice, change the read-write permissions of your image to read-only.

chmod 444 image.disk1

The 444 gives all users read-only access. If you are really picky, you could use 400. Note that the owner of the file is the user that created it.

Now that you have created an image file, you can restore the image to another disk for analysis and viewing. Put another (blank) floppy in and type:

dd if=image.disk1 of=/dev/fd0 bs=512

This is the same as the first dd command, only in reverse. Now you are taking your image (the input file "if") and writing it to another disk (the output file "of") to be used as a backup or as a working copy for the actual analysis.

Note that using dd creates an exact duplicate of the physical device. This includes all the file slack and unallocated space. We are not simply copying the logical file structure. Unlike many other forensic imaging tools, dd does not fill the image with any proprietary data or information. It is a simple bit stream copy from start to end. This (in my ever-so-humble opinion) has a number of advantages, as we will see later.
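The whole sequence above (dd acquisition, chmod 444, dd restore) as an added shell example that is not part of the original guide; it also hashes the source and the image so you can confirm the copy is bit-for-bit, and it uses a constructed 1.44 MB file in place of /dev/fd0 so it can be run offline.

```shell
#!/bin/sh
# Added example, not from the original guide. SRC stands in for the suspect
# device (/dev/fd0 in the text); DST is the image written in the evidence
# directory. Paths here are constructed so the script runs without a floppy.
set -u

# acquire_image SRC DST: bit-stream copy SRC to DST with 512-byte blocks,
# hash both, and make the image read-only. Prints the image hash on success.
# Returns 1 if dd or chmod fails, 2 if the hashes differ.
acquire_image() {
    src="$1"
    dst="$2"
    dd if="$src" of="$dst" bs=512 || return 1      # records in/out go to stderr
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    [ "$src_hash" = "$dst_hash" ] || return 2
    chmod 444 "$dst" || return 1
    printf '%s\n' "$dst_hash"
}

# Constructed stand-in for the suspect floppy: 2880 sectors of 512 bytes, with
# a fragment planted in an unallocated sector (no file system points at it).
WORK=$(mktemp -d)
FLOPPY="$WORK/fake_fd0"
dd if=/dev/zero of="$FLOPPY" bs=512 count=2880 2>/dev/null
printf 'deleted memo: meet at noon' | dd of="$FLOPPY" bs=512 seek=1000 conv=notrunc 2>/dev/null

# Step 1 and 2 of the guide: image the disk, then lock the image read-only.
IMAGE="$WORK/image.disk1"
HASH=$(acquire_image "$FLOPPY" "$IMAGE") || { echo "imaging failed"; exit 1; }
echo "image.disk1 sha256: $HASH"

# The planted fragment came across because dd copies unallocated space too.
grep -a -c 'deleted memo' "$IMAGE"

# Step 3: restore the image to a second (blank) disk, a file here, and check
# that the working copy hashes the same as the image.
RESTORED="$WORK/fake_fd0_copy"
dd if="$IMAGE" of="$RESTORED" bs=512 2>/dev/null
RESTORED_HASH=$(sha256sum "$RESTORED" | cut -d' ' -f1)
[ "$RESTORED_HASH" = "$HASH" ] && echo "working copy verified"
```

Record the printed hash in your notes at acquisition time; re-hashing the image later is how you show it has not changed.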
