Dec 31

image, mount, calculate hashes: examples

Tag: 01 | Joaquim Anguas @ 5:46 pm

I wish you all the best for 2010!

I’ve been working on an article related to serving search warrants and I thought the following examples may be useful. They cover imaging, mounting imaged drives and calculating hashes for every file in a drive.

CASE_ID identifies the case, LOCATION_ID identifies the location where the media was seized, MEDIA_ID identifies the media device and PARTITION_ID identifies each partition within that media.

Image

This is an example of imaging with dcfldd. With hashwindow=0 the command computes the MD5 of the whole image on the fly and writes it to the file named by hashlog; conv=sync,noerror keeps reading past unreadable sectors and pads them with zeros, so offsets in the image stay aligned with the source. The hashlog path is taken relative to the current directory, so give it a path next to the image rather than letting it land in your home directory. The two date calls bracket the run so the acquisition time ends up in your notes.
See the dcfldd man page for the options reference.

ubuntu@ubuntu:~$ date; sudo dcfldd if=/dev/sdc of=/media/disk/CASE_ID/LOCATION_ID/MEDIA_ID.dd conv=sync,noerror hashwindow=0 hashlog=/media/disk/CASE_ID/LOCATION_ID/MEDIA_ID_md5.txt; date

Thu Nov 16 13:18:22 UTC 2009

4883968 blocks (152624Mb) written.
4884090+1 records in
4884091+0 records out

Thu Nov 16 15:26:34 UTC 2009


Mount

Disk images can be mounted as loopback devices, but mount needs the byte offset at which the partition starts inside the image. parted can print the partition table with its positions in bytes; it refuses to open the image read-write when run without root, which is exactly what you want for evidence.
Start parted on the image, set the unit to bytes and print the partition table.

ubuntu@ubuntu:/media/disk/CASE_ID/LOCATION_ID/$ parted MEDIA_ID.dd

WARNING: You are not superuser.  Watch out for permissions.
Warning: Unable to open /media/disk/CASE_ID/LOCATION_ID/MEDIA_ID.dd read-write (Permission denied).
/media/disk/CASE_ID/LOCATION_ID/MEDIA_ID.dd has been opened read-only.

GNU Parted 1.7.1
Using /media/disk/CASE_ID/LOCATION_ID/MEDIA_ID.dd

Welcome to GNU Parted! Type ‘help’ to view a list of commands.

(parted) unit
Unit?  [compact]? B
(parted) print

Disk /media/disk/CASE_ID/LOCATION_ID/MEDIA_ID.dd: 30005821439B
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start          End            Size           Type      File system  Flags
 1      8225280B       10487231999B   10479006720B   extended               lba
 5      8257536B       10487231999B   10478974464B   logical   ntfs
 2      10487232000B   29997596159B   19510364160B   primary   ntfs         boot

(parted) q

Now you can mount the partition, passing its Start value in bytes as the loop offset (10487232000 for partition 2 above). Mount it read-only (-r): the image is evidence and must not change. Keep in mind that a read-only mount is not always a no-write mount; ext3/ext4, for instance, replay a dirty journal on mount unless noload is given, so re-verify the image hash after the examination as well as before it.

ubuntu@ubuntu:/media/disk/CASE_ID/LOCATION_ID/$ sudo mount -r -o loop,offset=10487232000 -t ntfs MEDIA_ID.dd /media/test

Calculate hashes

With the partition mounted, you can calculate the MD5 hash of every regular file on it. Run it from the mount point so the paths in the hash list are relative to the partition root, and select with -type f rather than ! -type d: the latter also matches symbolic links and special files, and md5sum would follow the link or block on a FIFO. Inside a script, put the directory to search in place of the dot.

ubuntu@ubuntu:/media/test/$ find . -type f -print0 | xargs -0 md5sum | tee /media/disk/CASE_ID/LOCATION_ID/MEDIA_ID-PARTITION_ID.md5
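The three steps above, packaged as shell functions so that each result can be checked rather than read off the terminal. This is an added example, not code from the original post: the function names are mine, the dcfldd hashlog is assumed to contain the image digest as a 32-hex-digit token, and make_sample_image builds a constructed sparse image carrying only partition tables, laid out with the same offsets as the parted output above (extended at 8225280 B, logical at 8257536 B, primary NTFS at 10487232000 B). It goes one step beyond the post by reading the offsets directly from the MBR and from the extended partition's EBR instead of through parted, and by verifying the image and the file hashes afterwards. acquire and mount_ro need root and a real device or file system and are only shown, not exercised.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions (mine):
# dcfldd's hashlog holds the image digest as a 32-hex-digit token, and the
# sample image built by make_sample_image is constructed test data.

SECTOR=512

# --- 1. acquisition: the post's dcfldd command with the hashlog beside the
# image. Needs root and a write-blocked source; never run by the checks.
acquire() {  # acquire /dev/sdX /path/CASE_ID/LOCATION_ID/MEDIA_ID.dd
    dcfldd if="$1" of="$2" conv=sync,noerror hashwindow=0 \
           hashlog="${2%.dd}_md5.txt"
}

# Re-hash the image and compare with the digest dcfldd logged on the fly.
verify_image() {  # verify_image IMAGE HASHLOG ; exit status 0 = match
    expected=$(grep -o -E '[0-9a-fA-F]{32}' "$2" | head -n 1 | tr 'A-F' 'a-f')
    actual=$(md5sum "$1" | cut -d ' ' -f 1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# --- 2. partition offsets. A DOS partition table (the MBR at byte 0, or an
# EBR at the start of an extended partition) holds four 16-byte entries from
# byte 446; each entry's start LBA is a little-endian u32 at +8.
part_start_lba() {  # part_start_lba IMAGE TABLE_OFFSET N(1-4) -> LBA
    img=$1; pos=$(( $2 + 446 + 16 * ($3 - 1) + 8 ))
    set -- $(od -An -t u1 -j "$pos" -N 4 "$img")   # byte-wise, endian-safe
    echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}
primary_offset() {  # primary_offset IMAGE N -> byte offset of MBR entry N
    echo $(( $(part_start_lba "$1" 0 "$2") * SECTOR ))
}
# First logical partition inside MBR entry N: the EBR sits at the extended
# partition's start and its entry-1 LBA is relative to that EBR.
logical_offset() {  # logical_offset IMAGE N_EXTENDED -> byte offset
    ext=$(primary_offset "$1" "$2")
    echo $(( ext + $(part_start_lba "$1" "$ext" 1) * SECTOR ))
}

# --- 3. read-only loopback mount; nodev/nosuid/noexec keep evidence inert.
mount_ro() {  # mount_ro IMAGE OFFSET FSTYPE MOUNTPOINT (needs root)
    mount -r -o loop,offset="$2",nodev,nosuid,noexec -t "$3" "$1" "$4"
}

# --- 4. MD5 of every regular file under DIR, sorted, in md5sum -c format.
hash_tree() {  # hash_tree DIR MANIFEST -> prints the number of files hashed
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r md5sum ) > "$2"
    wc -l < "$2" | tr -d ' '
}
verify_tree() {  # verify_tree DIR MANIFEST(absolute path) ; 0 = all match
    ( cd "$1" && md5sum -c "$2" > /dev/null 2>&1 )
}

# --- constructed test data: a sparse image whose MBR has an extended
# partition at LBA 16065 (8225280 B) and a primary NTFS partition at
# LBA 20482875 (10487232000 B); the EBR puts a logical partition 63 sectors
# in, i.e. at 8257536 B. Only the tables are written, no file system.
put_le32() {  # put_le32 IMAGE BYTE_OFFSET VALUE
    v=$3; i=0
    while [ "$i" -lt 4 ]; do
        printf "\\$(printf '%03o' $((v % 256)))"
        v=$((v / 256)); i=$((i + 1))
    done | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}
put_entry() {  # put_entry IMAGE TABLE_OFFSET N TYPE_BYTE START_LBA
    e=$(( $2 + 446 + 16 * ($3 - 1) ))
    printf "\\$(printf '%03o' "$4")" | dd of="$1" bs=1 seek=$((e + 4)) conv=notrunc 2>/dev/null
    put_le32 "$1" $((e + 8)) "$5"
    printf '\125\252' | dd of="$1" bs=1 seek=$(($2 + 510)) conv=notrunc 2>/dev/null
}
make_sample_image() {  # make_sample_image PATH
    : > "$1"
    put_entry "$1" 0 1 15 16065          # 0x0f: extended (LBA)
    put_entry "$1" 0 2 7  20482875       # 0x07: NTFS, the partition mounted above
    put_entry "$1" 8225280 1 7 63        # EBR entry 1: logical NTFS at +63 sectors
}
```

Typical use on a real image: `verify_image MEDIA_ID.dd MEDIA_ID_md5.txt` right after acquisition, `mount_ro MEDIA_ID.dd "$(primary_offset MEDIA_ID.dd 2)" ntfs /media/test` as root, then `hash_tree /media/test /media/disk/CASE_ID/LOCATION_ID/MEDIA_ID-PARTITION_ID.md5`, and `verify_image` again once the examination is over. Later logical partitions are found the same way as the first, by following entry 2 of each EBR, whose LBA is relative to the extended partition's start.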