
06. Disk Acquisition: Linux dd

🎯 Lab Objective:

To acquire a forensic image of a hard disk using Linux system tools while dealing with challenges such as bad sectors or large image sizes.

🔎 Personal Note:

During my work on this lab, I used an external hard drive of approximately 112 GB. It appeared empty when opened, but I noticed the free space was only around 100 GB, meaning that about 12 GB was unaccounted for!

This sparked my curiosity, and instead of acquiring just one partition, I decided to take a full image of the entire disk for comprehensive analysis to find out what caused this missing space.

It was a valuable and practical experience in digital forensics and highlighted the importance of full disk acquisition, especially when hidden or unclear data is suspected.


🧩 Introduction: What is Disk Acquisition?

Disk acquisition is the process of copying a storage medium (a whole disk or a single partition) bit by bit to obtain an exact duplicate for investigation or analysis, without altering the original source.

🆚 Image vs Clone:

| Type | Description |
|------|-------------|
| Image | A file (or set of files) holding an exact bit-for-bit copy of the disk; easy to store, hash, duplicate and analyze. |
| Clone | A bit-for-bit copy written directly to another physical disk, which must be at least as large as the source. |

✅ An image is usually the better choice: it can be copied, hashed and verified, archived, and mounted read-only for analysis without ever touching the original.


πŸ—ƒοΈ Locating the Device in the Filesystem

  • Each physical disk has a path under /dev/ such as:

  • /dev/sda ← Primary disk.

  • /dev/sdb ← External disk.

  • /dev/sdb1 ← A partition.

⚠️ Do not confuse a partition (sdb1) with the whole disk (sdb)!\ ⚠️ Be careful: if you acquire only from /dev/sdb1, you will miss any unallocated or hidden data outside the partition.


🖥️ Step 1: Connect the Disk and Check its Status

Once the external hard drive is connected to a Linux system, it will be in one of two states:

  1. Mounted: the disk has a device node under /dev and one or more of its filesystems are attached to a directory (mount point), so their contents are browsable.

  2. Not Mounted: the disk has a device node under /dev, but nothing is attached to a mount point, so its contents do not appear in the directory tree.

⚠️ For evidence, "not mounted" is the state you want. Most desktop distributions auto-mount removable media read-write, and a read-write mount can change the source (journal replay, access timestamps, trash folders) before you have imaged it. Use a hardware write blocker, or at least disable auto-mount, and never mount the source read-write; if it was auto-mounted, unmount it before acquiring.

To check connected disks:

lsblk

Shows device names such as /dev/sda, /dev/sdb with their sizes; the MOUNTPOINT column tells you whether any partition is currently mounted.

You can also use:

sudo fdisk -l

Gives more detail: sector count and sector size, partition table type (dos or gpt), and each partition's start, end, size and partition type.

sudo blkid

Displays the UUID, file system type and label of each filesystem.

📝 Important Note: Make sure you distinguish between sdb (entire disk) and sdb1 (a single partition). Choose based on whether you want to copy just one partition or the whole disk; for evidence, the whole disk is the default choice.


πŸ” Step 2: Analyze Disk and Partition Size

  • Use this command to analyze used space:
df -h
  • Compare sector counts between the disk and the partition:
sudo fdisk -lu /dev/sdb

βœ… If the disk and partition sizes are nearly equal, you may copy only the partition. If there's a significant difference, hidden partitions may exist, and full disk acquisition is recommended.
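The comparison described in Step 2 can be scripted. The following is an added example, not code from the lab page; it reads fdisk -l text on standard input and reports how many sectors lie outside every partition. The sample fdisk output embedded below is constructed to illustrate the format (the numbers are invented and are not the author's drive), and the function name unaccounted_sectors is this example's own.

```shell
#!/usr/bin/env bash
# Added example for Step 2 (not part of the lab page): read `fdisk -l` output and
# report how many sectors lie outside every partition. The sample output below
# is constructed to show the format; it is not the author's drive.
set -eu

# Constructed sample in the layout of util-linux `fdisk -l` (invented numbers):
# a 120 GB disk whose only partition ends well short of the last sector.
SAMPLE_FDISK='Disk /dev/sdb: 111.79 GiB, 120034123776 bytes, 234441648 sectors
Disk model: External HDD
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1a2b3c4d

Device     Boot Start       End   Sectors   Size Id Type
/dev/sdb1        2048 209717247 209715200   100G  7 HPFS/NTFS/exFAT'

# unaccounted_sectors: reads fdisk -l text on stdin and prints one line:
#   <disk sectors> <sectors inside partitions> <sectors outside> <outside in GiB>
# Partition rows are everything after the "Device ..." header; a "*" in the
# Boot column shifts the Start/End fields by one. Coverage is End - Start + 1,
# so the Type column (which may contain spaces) is never parsed.
# Caveat: an MBR extended partition contains its logical partitions; for such a
# layout subtract the extended container from the covered total.
unaccounted_sectors() {
    awk '
        /^Disk .* sectors$/ { total = $(NF-1); next }   # "..., N sectors"
        /^Units:/           { sector = $(NF-1); next }  # "... = 512 bytes"
        /^Device /          { inparts = 1; next }       # column header
        inparts && NF > 0 {
            i = ($2 == "*") ? 3 : 2                      # skip a Boot flag
            covered += $(i+1) - $i + 1
        }
        END {
            outside = total - covered
            printf "%.0f %.0f %.0f %.2f\n", total, covered, outside,
                   outside * sector / 1073741824
        }
    '
}

# On a live system (root is needed to read the device):
#   sudo fdisk -l /dev/sdb | unaccounted_sectors
# Here, run against the constructed sample:
printf '%s\n' "$SAMPLE_FDISK" | unaccounted_sectors
```

The last number is the space no partition accounts for; anything beyond the usual 1 MiB alignment gap is a reason to image the whole disk rather than sdb1.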


💽 Step 3: Acquire the Image using dd

dd is a standard Unix tool that copies raw blocks from an input to an output. Pointed at a device node it produces a bit-by-bit copy, including the partition table, unallocated space and slack, which is why it is used for acquisition.

✅ Basic Syntax:

sudo dd if=/dev/sdX of=/path/image.img bs=4M status=progress

  • if=: Input source (disk or partition).

  • of=: Output file path (the directory must already exist and must not be on the source disk).

  • bs=4M: Block size; larger blocks mean fewer system calls and a faster copy on a healthy disk.

  • status=progress: Shows operation progress (GNU dd).

🔎 Practical Example:

sudo dd if=/dev/sdb of=~/Desktop/images/ExternalHD-Image.dd bs=4M status=progress

Afterwards, compare the byte count dd reports with the disk size from fdisk -l; an image shorter than the disk means the copy stopped early (read error, full destination).

⚠️ Step 4: Handling Bad Sectors During Copy

Without conv=noerror, dd stops at the first unreadable sector and the image ends there. If you suspect bad sectors, use:

sudo dd if=/dev/sdb of=~/Desktop/images/disk_image_safe.img bs=512 conv=noerror,sync status=progress

| Option | Meaning |
|--------|---------|
| noerror | Continue after a read error instead of stopping. |
| sync | Pad every short or failed read with zeros up to bs, so an unreadable area becomes zeros and every following byte keeps its original offset. |

Two caveats. First, bs should equal the logical sector size (512 here; fdisk -l shows it): each failed read is padded with a whole block of zeros, so bs=4M would blank 4 MiB for a single bad sector and would also pad the tail of the image to a 4 MiB boundary, making its hash differ from the device's. Second, the zero-filled regions are not marked anywhere in the image, so keep the error messages dd prints on stderr, or use a forensic variant (dc3dd, dcfldd) or GNU ddrescue with its map file, which record them for you.

🔄 Step 5: Splitting Large Images

If the image exceeds the largest file the destination filesystem accepts (FAT32 stops at 4 GiB) or must be spread over several volumes, pipe dd into split instead of writing one file (the Step 4 options can be added to the dd command as usual):

sudo dd if=/dev/sdb | split -b 100M - ~/Desktop/images/disk_part_

Splits the stream into files like disk_part_aa, disk_part_ab… whose suffixes sort alphabetically, which is what makes reassembly with a glob work.

To reassemble later:

cat disk_part_* > full_image.dd

Reassembling needs as much free space again as the whole image; to merely verify the pieces, stream them in the same order into the hash tool instead of writing full_image.dd.

πŸ›‘οΈ Step 6: Verify Image Integrity (Hashing)

To ensure no tampering occurred:

md5sum image.dd > image.dd.md5 

sha256sum image.dd > image.dd.sha256

βœ… Comparing hashes later confirms the original image matches the analysis copy.

βœ… Real Example:

sansforensics@as: ~/DF/HashFiles
cat MyImageExternalHash.md5 
915d6457aee3439b296e1dcd35021083  Hash_ExternalHD_Image.img
----------------------------------------------------------------------------------
sansforensics@as: ~/DF/Analysis
md5sum F1-ExternalHD-Image.dd 
915d6457aee3439b296e1dcd35021083  F1-ExternalHD-Image.dd
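Steps 3 to 6 as one runnable script, added here as an example and not taken from the lab page: it images a source with dd while tolerating read errors, verifies the image against the source by SHA-256, checks a split image without reassembling it, and shows the padding pitfall of conv=sync with a large block size. To run unprivileged it uses a constructed 64 KiB file as the "disk"; on real evidence if= would be /dev/sdb behind a write blocker and the output would go to a separate disk. The function names (acquire, verify_image, split_and_check, padded_size, make_fake_disk) are this example's own.

```shell
#!/usr/bin/env bash
# Added example for Steps 3 to 6 (not part of the lab page): image a source with
# dd while tolerating read errors, verify the image against the source by hash,
# check a split image without reassembling it, and show why conv=sync with a
# large bs changes the image size. The "disk" is a constructed 64 KiB file so
# the script runs unprivileged.
set -eu

# acquire SRC DEST: bit-for-bit copy. bs=512 equals the logical sector size, so
# with conv=noerror,sync one unreadable sector becomes exactly 512 zero bytes and
# every later sector keeps its original offset. dd's error messages go to stderr;
# on real evidence keep them (they locate the zeroed sectors) instead of discarding them.
acquire() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# hash_of PATH: SHA-256 digest only (first field of sha256sum output).
hash_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_image SRC IMG: succeeds when image and source hash identically. On a live
# system SRC is the device node itself (sha256sum /dev/sdb); that digest is what
# gets recorded with the case notes and re-checked before analysis.
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# split_and_check IMG DIR CHUNK: split the image into CHUNK-byte pieces and confirm
# that the pieces, streamed in order, hash the same as the whole image. Streaming
# them into sha256sum avoids needing room for a reassembled copy.
split_and_check() {
    local img=$1 dir=$2 chunk=$3
    split -b "$chunk" -- "$img" "$dir/part_"
    [ "$(hash_of "$img")" = "$(cat "$dir"/part_* | sha256sum | awk '{print $1}')" ]
}

# padded_size SRC: byte size of an image taken with bs=4M conv=sync. sync pads
# every short read to a full block, so the final partial block grows the image
# to a 4 MiB boundary and its hash can no longer match the source.
padded_size() {
    local tmp
    tmp=$(mktemp)
    dd if="$1" of="$tmp" bs=4M conv=noerror,sync 2>/dev/null
    stat -c %s "$tmp"
    rm -f "$tmp"
}

# make_fake_disk PATH: constructed 64 KiB source (a whole number of 512-byte
# sectors, like a real device) with repeatable content.
make_fake_disk() {
    yes 'constructed sector data for the dd lab' | head -c 65536 > "$1"
}

# Demonstration run (stand-alone):
work=$(mktemp -d)
make_fake_disk "$work/fake_disk"
acquire "$work/fake_disk" "$work/fake_disk.dd"
verify_image "$work/fake_disk" "$work/fake_disk.dd" && echo "image hash matches source"
split_and_check "$work/fake_disk.dd" "$work" 16384 && echo "split parts stream to the same hash"
echo "bs=4M conv=sync image of a 65536-byte source is $(padded_size "$work/fake_disk") bytes"
rm -rf "$work"
```

The last line of output is the practical argument for bs=512 in Step 4: a 65536-byte source comes out as a 4 MiB image, and no hash comparison against the device would pass.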

📂 Step 7: Mounting and Analyzing the Image

To analyze content without restoring the image to a new disk, attach it to a loop device and mount it read-only. A read-write mount would modify the image (journal replay, recycle bin, timestamps) and invalidate its hash, so the working copy is only ever mounted read-only:

  1. Create a mount folder:
mkdir Mount_Point
  2. Attach the image to a read-only loop device (-r) and let losetup scan its partition table (-P); --show prints the device that was assigned instead of assuming loop0:
sudo losetup -r -f -P --show F1-ExternalHD-Image.dd
  3. Confirm the partition devices appeared:
ls /dev/loop*

# out :
/dev/loop0    /dev/loop1  /dev/loop3  /dev/loop5  /dev/loop7
/dev/loop0p1  /dev/loop2  /dev/loop4  /dev/loop6  /dev/loop-control
  4. Mount read-only (for NTFS, for example):
sudo mount -t ntfs-3g -o ro /dev/loop0p1 Mount_Point/
  5. Verify successful mount:
ls Mount_Point/

out :
'$RECYCLE.BIN'  'System Volume Information'

🔎 You'll see folders like $RECYCLE.BIN and System Volume Information, which NTFS creates on every volume. Note that the mount only shows the filesystem inside loop0p1; the space outside it (partition table, unallocated sectors) is not visible this way and has to be examined in the image itself.


🧪 Advanced: If Image Has a Partition Table

losetup -P (above) already exposes the partitions. Where that is not available, kpartx creates a device-mapper entry for each partition instead:

  1. Map the partitions of a .img file (read-only with -r):
sudo kpartx -rav disk_image.img
  2. Then mount read-only:
sudo mount -o ro /dev/mapper/loop0p1 /mnt/image_mount

🔄 Forensic Best Practices

| Action | Reason |
|--------|--------|
| Use a write blocker | Prevents any write to the original disk, including the ones a desktop performs automatically on mount. |
| Work on a copy, not the original | Preserves the evidence; analysis and mounting happen on the image, read-only. |
| Create and document hashes (source and image) | Demonstrates integrity: the image matches the source and has not changed since. |
| Log each step with timestamps (chain of custody) | Makes the acquisition reproducible and admissible in court. |

βš™οΈ Clean Up After Completion

To safely unmount:

sudo umount Mount_Point   

sudo losetup -d /dev/loop0

✅ Summary of Steps

| Step | Tool | Purpose |
|------|------|---------|
| Identify devices | lsblk, fdisk -l | Determine target disk |
| Acquire image | dd | Create a bit-by-bit copy |
| Handle errors | conv=noerror,sync | Continue past bad sectors, zero-filling them |
| Split image | split, cat | Manage large image files |
| Verify integrity | md5sum, sha256sum | Ensure data consistency |
| Analyze image | losetup, mount, kpartx | Read content safely (read-only) |
