Question Linux forensics help with dd command

chadpmarshall

Honorable
Sep 8, 2016
34
0
10,530
0
I have an assignment I am working on in a class that I am stumped with. I don't use linux enough to know how to complete this and its an extra credit deal via a virtual machine.

Scenario
Recently Gary Thatcher our senior system administrator, came across a thumb drive attached to an employee's system. According to the employee, the thumb drive was attached without their consent and they are unsure of the origin of said drive. The drive was passed to Ione Leventis one of our security analysts. Ione has attached the drive to our sheep-dip system which in our case is the Security-Desk machine. However, Ione was called away on other matters and you are now entrusted with the task. According to current company policy the thumb drive must be inspected for any malicious agents that could threaten DAS Web's overall security. Your job is to create a forensically sound duplicate image of the thumb drive using dd so it can be examined without the risk of inadvertently modifying potential evidence. SHA512 hashes should also be taken and compared between the original thumb drive which is already attached, but not mounted, to the system and the forensic image.

I have been able to create the directory, and I can make an image of the file. I don't know how to incorporate the hash part in the dd command if that is possible, and then how to compare them. Any help would be greatly appreciated. I HAVE to use the dd command. I cannot use dcfldd or anything else. Thanks in advance!
 

ex_bubblehead

Champion
Moderator
Looks like a forensics class.

What, specifically, are you stuck on?
What, specifically, have you already done for yourself? (Show ALL of your work here)

We will be glad to give pointers but we will not do your classwork for you.

As far as using dd. Well, dd doesn't do the requested hashes so you will have to use pipes to pass the output of dd into another application. The rest I leave as an exercise for you.
 

chadpmarshall

Honorable
Sep 8, 2016
34
0
10,530
0
haha. I am 49 years old and well, it is extra credit, and I don't need it as I have an A already. I have not taken my linux class yet and I simply don't know the commands. But help is what I was asking for, and unlike most college "kids" I don't expect anyone to do it for me. That is fine. All I found what I researched and can't find much more that actually works.

So far I have made the directory sudo mkdir forensicimages and then made the image that went into that directory sudo dd if+/dev/sdb of=~/forensicimages/forensicimage.dd
It shows that x amound of records in and x amount out so it copied over fine. This is where I am stuck. How to generate a sha512 hash for each and then compare them. This class uses NICE Challenge website and if it isn't done a specific way, it won't give me a green checkmark showing done.

I was able to get a hash of the image I copied using sha512sum /home/playerone/forensicimages/forensicimage.dd
Not sure how to get a hash of the actual drive. Trying the same thing, but changing the path to /dev/sdb it says I don't have permission. Once I can figure out how to do that, I then don't know the command to check both and verify they match. Thanks for pointers and suggestions.
 
I then don't know the command to check both and verify they match. Thanks for pointers and suggestions.
The hash should just be a hexadecimal string, a text file basically, if it's the same it's the same, you can use your eyes to check if it matches it's so short.

To read the hash of the attached disk you would have to read the whole disk in, which is what you already did with dd, you could try "sha512sum /dev/sdb" comparing the two is irrelevant because it will always be the same unless there was an error in one of the passes, this is probably more of a double check to see if the second read is the same to the first.

Hash checking is usually done if somebody physically sends you a disk, they also send you the hash per email or whatever so you can verify that the drive wasn't tempered with.

They must have given you a list of tools you are able to use so listing them here, or reading up on each one of them yourself, would help in finding out what exactly they want you to do.
 
The first question should be easily obtain by committing a web search on "dd command clone hdd disk image".

The second question. Um, normally I'd reply sha512sum - but that's possible a trick question.
Bonus information : If using Fedora, you can use command "dnf search <part-of-command-name>" and "dnf search sha512sum" reveals nothing. This is also possible from Debian/Ubuntu based distros via apt command <details here>.

So it's back to the wonder of the search engines on the internet, a search phrase of "linux command sha512" will cough up an answer for you.

As already mentioned, everything are files in Linux, so I'd expect openssl dgst -sha512 works both at the unmounted usb drive as well as the file created afterwards.

Depending on distro you choose, you need to install the openssl package, and for Fedora that command will be sudo dnf install openssl.
 

chadpmarshall

Honorable
Sep 8, 2016
34
0
10,530
0
The first question should be easily obtain by committing a web search on "dd command clone hdd disk image".

The second question. Um, normally I'd reply sha512sum - but that's possible a trick question.
Bonus information : If using Fedora, you can use command "dnf search <part-of-command-name>" and "dnf search sha512sum" reveals nothing. This is also possible from Debian/Ubuntu based distros via apt command <details here>.

So it's back to the wonder of the search engines on the internet, a search phrase of "linux command sha512" will cough up an answer for you.

As already mentioned, everything are files in Linux, so I'd expect openssl dgst -sha512 works both at the unmounted usb drive as well as the file created afterwards.

Depending on distro you choose, you need to install the openssl package, and for Fedora that command will be sudo dnf install openssl.
Thanks for the response. Unfortunately, we aren't allowed to install anything on the machine.
 

chadpmarshall

Honorable
Sep 8, 2016
34
0
10,530
0
The hash should just be a hexadecimal string, a text file basically, if it's the same it's the same, you can use your eyes to check if it matches it's so short.

To read the hash of the attached disk you would have to read the whole disk in, which is what you already did with dd, you could try "sha512sum /dev/sdb" comparing the two is irrelevant because it will always be the same unless there was an error in one of the passes, this is probably more of a double check to see if the second read is the same to the first.

Hash checking is usually done if somebody physically sends you a disk, they also send you the hash per email or whatever so you can verify that the drive wasn't tempered with.

They must have given you a list of tools you are able to use so listing them here, or reading up on each one of them yourself, would help in finding out what exactly they want you to do.
I appreciate the reply. I have tried sha512sum /dev/sdb but I continually get "permission denied". I can us the same command successfully on the image of the drive. I will have to check on permissions to the drive perhaps?
 
I appreciate the reply. I have tried sha512sum /dev/sdb but I continually get "permission denied". I can us the same command successfully on the image of the drive. I will have to check on permissions to the drive perhaps?
Or maybe you have to run the command with su (super user) in front of it, or depending on the distribution you might have to do something else to get elevated privileges.
 

ex_bubblehead

Champion
Moderator
I appreciate the reply. I have tried sha512sum /dev/sdb but I continually get "permission denied". I can us the same command successfully on the image of the drive. I will have to check on permissions to the drive perhaps?
This is forensics. You NEVER EVER under ANY circumstances change ANYTHING on the source. You can look but not touch. You touch, you change the signature. You change the signature, you invalidate everything.
 
Reactions: Grobe

chadpmarshall

Honorable
Sep 8, 2016
34
0
10,530
0
This is forensics. You NEVER EVER under ANY circumstances change ANYTHING on the source. You can look but not touch. You touch, you change the signature. You change the signature, you invalidate everything.
Well, like I said. My instructions are that I MUST get a hash of the drive. I eventually completed the task successfully doing the following:

I realized after it kept telling me permissions were denied, that I had to use sudo su to grant the correct privileges. I was signed into the machine with an admin account, but evidently not enough permissions on it. Then ran a sha512sum on the drive, directing it to a folder sha512sum /dev/sdb > /forensicimages/originalsha512.

Then created an image of the drive using dd if=/dev/sdb1 of= sending it to the same forensicimages folder, then using the same sha512sum command to get a hash of the image file. Finally, I used the "cat" command to visually check the hash of each. cat /forensicimages/originalsha512 and cat /forensicimages/imagesha512 The lab concluded saying I completed the tasks successfully.

I appreciate the pointers and tips from everyone.
 

chadpmarshall

Honorable
Sep 8, 2016
34
0
10,530
0
The first question should be easily obtain by committing a web search on "dd command clone hdd disk image".

The second question. Um, normally I'd reply sha512sum - but that's possible a trick question.
Bonus information : If using Fedora, you can use command "dnf search <part-of-command-name>" and "dnf search sha512sum" reveals nothing. This is also possible from Debian/Ubuntu based distros via apt command <details here>.

So it's back to the wonder of the search engines on the internet, a search phrase of "linux command sha512" will cough up an answer for you.

As already mentioned, everything are files in Linux, so I'd expect openssl dgst -sha512 works both at the unmounted usb drive as well as the file created afterwards.

Depending on distro you choose, you need to install the openssl package, and for Fedora that command will be sudo dnf install openssl.
I wish it would have been that easy, however I was not able to install anything. I could only use what was there as a base install.
 

chadpmarshall

Honorable
Sep 8, 2016
34
0
10,530
0
The hash should just be a hexadecimal string, a text file basically, if it's the same it's the same, you can use your eyes to check if it matches it's so short.

To read the hash of the attached disk you would have to read the whole disk in, which is what you already did with dd, you could try "sha512sum /dev/sdb" comparing the two is irrelevant because it will always be the same unless there was an error in one of the passes, this is probably more of a double check to see if the second read is the same to the first.

Hash checking is usually done if somebody physically sends you a disk, they also send you the hash per email or whatever so you can verify that the drive wasn't tempered with.

They must have given you a list of tools you are able to use so listing them here, or reading up on each one of them yourself, would help in finding out what exactly they want you to do.
The hash should just be a hexadecimal string, a text file basically, if it's the same it's the same, you can use your eyes to check if it matches it's so short.

To read the hash of the attached disk you would have to read the whole disk in, which is what you already did with dd, you could try "sha512sum /dev/sdb" comparing the two is irrelevant because it will always be the same unless there was an error in one of the passes, this is probably more of a double check to see if the second read is the same to the first.

Hash checking is usually done if somebody physically sends you a disk, they also send you the hash per email or whatever so you can verify that the drive wasn't tempered with.

They must have given you a list of tools you are able to use so listing them here, or reading up on each one of them yourself, would help in finding out what exactly they want you to do.
For whatever reason, they want me to verify that both hashes match. Its just how the lab is set up. If I do that, it automatically gives me a green check on that task. If I don't complete it, I don't get full credit. Hope that make sense. You helped me out a lot though.
 

chadpmarshall

Honorable
Sep 8, 2016
34
0
10,530
0
I should have made a separate post on this, but I did finally complete this taks thanks to the great advice on using super user privalages.

I realized after it kept telling me permissions were denied, that I had to use sudo su to grant the correct privileges. I was signed into the machine with an admin account, but evidently not enough permissions on it. Then ran a sha512sum on the drive, directing it to a folder sha512sum /dev/sdb > /forensicimages/originalsha512.

Then created an image of the drive using dd if=/dev/sdb1 of= sending it to the same forensicimages folder, then using the same sha512sum command to get a hash of the image file. Finally, I used the "cat" command to visually check the hash of each. cat /forensicimages/originalsha512 and cat /forensicimages/imagesha512 The lab concluded saying I completed the tasks successfully.

I appreciate the pointers and tips from everyone.
 

ASK THE COMMUNITY