Disk forensics deals with the process of examining a computer hard disk drive.
While responding to incidents that involve examining a computer, the incident responders will seize the hard disk or create a disk image of it. This disk image is then provided to the analysts to locate and recover deleted files and other artifacts of interest. Which artifacts/files matter depends on the objective of the investigation. For example, in the case of internal financial fraud, the Excel/Word documents and emails will be important, whereas in the case of a breach, the access logs and the configuration changes made to keep access persistent will be important.
What will you learn?
Creating a disk image from the provided evidence disk
Mounting a disk image for analysis
Carving files from provided disk images
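As an added illustration of what header/footer carvers such as Foremost and Scalpel do when recovering files from a raw image without filesystem metadata, the following Python example (written for this page, not code from those tools or the lab material) scans a constructed raw image for JPEG and PDF signatures; the signature table, size limits and sample image are assumptions.

```python
import hashlib

# Minimal header/footer table in the spirit of a carver config (assumed values,
# not foremost's or scalpel's actual config): type -> (header, footer, max size)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 4 * 1024 * 1024),
}


def carve(image: bytes, signatures=SIGNATURES):
    """Scan a raw image for header/footer pairs; return (type, offset, data).

    Carving ignores the filesystem entirely, so deleted files whose data
    blocks still exist are found, but fragmented files may come back broken.
    """
    found = []
    for ftype, (header, footer, max_len) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            # Only look for the footer within max_len of the header so a
            # missing footer does not swallow the rest of the image.
            end = image.find(footer, start + len(header), start + max_len)
            if end == -1:
                pos = start + 1          # header without footer: skip it
                continue
            end += len(footer)
            found.append((ftype, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def build_sample_image() -> bytes:
    """Constructed raw image: zero filler with one JPEG and one PDF embedded."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 4 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj\n" + b"stream-data" * 8 + b"\n%%EOF"
    filler = b"\x00" * 512
    return filler + jpeg + filler + pdf + filler


def sha256_hex(data: bytes) -> str:
    """Hash of the image; record it before and after analysis to show integrity."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    img = build_sample_image()
    print("image sha256:", sha256_hex(img))
    for ftype, off, data in carve(img):
        print(f"{ftype} at offset {off}, {len(data)} bytes")
```

On the sample image this reports a 54-byte JPEG at offset 512 and a 111-byte PDF at offset 1078; pointing `carve()` at the bytes of a real raw (dd) image is the same operation the lab performs with Foremost and Scalpel.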
References:
The Sleuth Kit (https://www.sleuthkit.org/)
Foremost (http://foremost.sourceforge.net/)
Scalpel (https://github.com/sleuthkit/scalpel)
EWF Tools (https://dfir.science/2017/11/EWF-Tools-working-with-Expert-Witness-Files-in-Linux.html)
Labs Covered:
Analyze a provided disk image and discover the files present on it using The Sleuth Kit.
Carve/extract a JPEG file present on a provided disk image using the Foremost tool.
Carve/extract a PDF file present on a provided disk image using the Scalpel tool.
Extract all files present on a provided disk image using the Bulk Extractor tool and locate relevant information.
Create a disk image of the provided evidence hard disk using dd tools.
Create a disk image of the provided evidence hard disk using EWF tools.
Mount a provided evidence hard disk image using native Linux tools.
Mount a provided evidence hard disk image using EWF tools.
Mounting Disk Image (Raw mount)
Mount a provided evidence hard disk image using native Linux tools.
Mount a provided evidence hard disk image using Python.