
Image acquisition using Guymager

Guymager is another standalone acquisition tool that can be used to create forensic
images and to perform disk cloning. Developed by Guy Voncken, Guymager is
completely open source, has many of the same features as dc3dd, and, like dc3dd, is only
available for Linux-based hosts. While some investigators may prefer CLI tools, Guymager
is a GUI tool aimed at beginners, so it may be preferable for them.

For this acquisition, I'll use the very same 2-GB flash drive used in the dc3dd examples,
at the end of which we can compare results.

As previously done in the dc3dd acquisition, we should first ensure that we are familiar
with the devices attached to our machine, using the fdisk -l or sudo fdisk -l
command.

Running Guymager

Guymager can be started by using the menu in Kali Linux. Click on Applications on the
side menu, then click on Forensics and scroll down to Guymager:

Figure 5.35 – Screenshot of the Forensic Tool menu in Kali Linux


Guymager can also be started using the Terminal by typing in guymager. You may also
try the sudo guymager command. Once started, the default locations of the log file
and configuration (cfg) files can be changed if required:

Figure 5.36 – Starting Guymager in Kali using the CLI


The Guymager application runs and then displays the existing drives recognized in Kali
Linux. As in the following screenshot, the details of the 2 GB flash drive being used are
shown, including the following:

• Linux device: Recognized as /dev/sdb
• Model: USB_Flash_Memory
• State: Shown as Idle as the image acquisition has not yet begun
• Size: 2.0GB

Figure 5.37 – Guymager interface displaying detected drives


Should your device not be listed in Guymager, or should you need to add an additional
device, click the Rescan button at the top-left corner of the application.

Acquiring evidence with Guymager


To begin the acquisition process, right-click on the evidence drive (/dev/sdb in this
example) and select Acquire image. Note that the Clone device option is also available
should you wish to clone the evidence drive to another. Again, as previously mentioned,
when cloning a device, the capacity of the destination device must be equal to or exceed
that of the source (original) evidence drive:

Figure 5.38 – Image acquisition shortcuts


Before the actual acquisition process starts, the investigator is prompted to enter details
about themselves and the evidence under the following three sections:
File format:

• File extensions: .dd, .xxx, and .Exx
• Split size: Allows the investigator to choose the size of multiple image parts

• Case management information: Case number, evidence number, examiner name,
description, and notes:

Figure 5.39 – Guymager image acquisition fields


Destination:

• Image directory: The location of the created image file and log (info file)
• Image filename: The name of the image file
• Info filename: The name of the log file containing acquisition details:

Figure 5.40 – Guymager image destination fields


Hash calculation / verification:

• Hash calculation: Multiple hashing algorithms can be selected and calculated,
allowing the investigator to choose from MD5, SHA-1, and SHA256.
• Re-read source after acquisition for verification: This re-reads the source drive after
the acquisition to verify it.
• Verify image after acquisition: This verifies that the image has been successfully
created and does not contain any errors that may have occurred during acquisition.

Important note
Guymager also adds the convenience of having a Duplicate image... button
to create duplicate copies without having to repeat the data entry process.

For new users, you may want to specify the directory where the image file will be saved.
In the destination section, click on the Image directory button and choose your location.
You should choose a drive or directory that is unique to the case as the location for both
the image and the log/info file:

Figure 5.41 – Guymager image destination directory selection screen


The following screenshot shows the data that I've used for the Guymager acquisition,
having chosen the desktop as the Image directory and MD5 and SHA-1 hashing
algorithms:

Figure 5.42 – Snippet of the completed Guymager image acquisition fields


Once the Start button is clicked, you will notice that the State changes from Idle to
Running. The Progress field also now displays a progress bar:

Figure 5.43 – Snippet of the acquisition process and status in Guymager


Taking a closer look at the details in the lower-left corner of the screen, we see the size,
image, info file paths, names and extensions, current speed, and chosen hash calculations.
We also see that Image verification is turned on:

Figure 5.44 – Snippet of the image acquisition details


Once the acquisition process is completed, the color of the State button changes
from blue to green, indicating that the acquisition process is finished. It also
displays Finished - Verified & ok if verification options were selected in the Hash
verification / calculation area. The progress bar also displays 100%:

Figure 5.45 – Snippet of the acquisition process and status in Guymager


Our output file and info file can be found on the desktop as this was specified in the
Acquire images section earlier. If you have selected a different directory, change to the
new directory, using the cd command, in a new Terminal. In the following screenshot,
I've changed to the Desktop directory using the cd Desktop command and then
listed the contents using the ls command:

Figure 5.46 – Viewing the acquired images using the ls command


We can also browse to the desktop, or open the Desktop folder in the file manager, to open
the info file, which presents us with the acquisition details:

Figure 5.47 – Snippet of the location of the image file
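As an added example (not code from the book or from Guymager itself), the script below re-hashes an acquired .dd image and compares the result with the MD5 and SHA-1 values recorded in the info file, which is the same check that Finished - Verified & ok reports inside the GUI. It assumes the info file lists each digest on a line such as "MD5 hash : <hex>" and uses constructed sample files so that it runs offline.

```bash
#!/bin/bash
# Added example, not code from the book or from Guymager itself: re-hash an
# acquired raw (.dd) image and compare it with the MD5/SHA-1 values recorded in
# the Guymager info file. ASSUMPTION: the info file holds lines such as
# "MD5 hash   : <hex>" and "SHA1 hash  : <hex>"; the sample files are constructed.

# Extract the hex digest after "<label> hash :" in the info file ($1 = info file,
# $2 = MD5 or SHA1). Prints nothing if that algorithm was not selected.
info_hash() {
    grep -i "^[[:space:]]*$2 hash[[:space:]]*:" "$1" | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//' | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# Recompute each recorded digest over the image ($1) and compare it with the
# info file ($2). Exit status 0 only if every recorded hash matches.
verify_image() {
    status=0
    for algo in MD5 SHA1; do
        recorded=$(info_hash "$2" "$algo")
        [ -n "$recorded" ] || continue
        case "$algo" in
            MD5)  actual=$(md5sum  "$1" | cut -d' ' -f1) ;;
            SHA1) actual=$(sha1sum "$1" | cut -d' ' -f1) ;;
        esac
        if [ "$actual" = "$recorded" ]; then
            echo "$algo: ok"
        else
            echo "$algo: MISMATCH (info=$recorded image=$actual)"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample: a tiny "image" and an info file in the assumed layout.
demo() {
    work=$(mktemp -d)
    printf 'constructed evidence bytes\n' > "$work/usb.dd"
    {
        echo "Image path and file name : $work/usb.dd"
        echo "MD5 hash                 : $(md5sum  "$work/usb.dd" | cut -d' ' -f1)"
        echo "SHA1 hash                : $(sha1sum "$work/usb.dd" | cut -d' ' -f1)"
    } > "$work/usb.info"
    verify_image "$work/usb.dd" "$work/usb.info"          # MD5: ok / SHA1: ok
    printf 'x' >> "$work/usb.dd"                          # simulate a modified image
    verify_image "$work/usb.dd" "$work/usb.info" || echo "modified image rejected"
    rm -rf "$work"
}
demo
```

On a real case, point verify_image at the image and info file Guymager wrote to your evidence directory; any MISMATCH line means the copy on disk no longer matches what was acquired.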


Using Guymager may be much simpler for those who are unfamiliar with DD or dc3dd,
not least because Guymager comes pre-installed on Kali Linux.
