
CSI Linux Imaging

This lab will teach you about write blocking and forensic imaging.

© CSI Linux – csilinux.com 1


Capturing Evidence in a Forensically Sound Manner

Chain of Custody

Now that you understand data can be recovered, even from a formatted drive, what is
next? Before you touch anything, you need to start a Chain of Custody. Even if you are
not dealing with a forensic investigation, get in the habit of documenting everything.
This helps with logistics: you know exactly what you received and what needs to go
back. If you do find illegal content and it goes to court, treating the job like a
“forensic” recovery means you will not have tampered with or destroyed the evidence.

A Chain of Custody is a chronological record of the transfer of physical or electronic
evidence from one person to another. It is an essential aspect of any legal or investigative
process that involves evidence, as it establishes the authenticity and integrity of the
evidence. In this section, we’ll explore what a Chain of Custody is, and how a broken chain
of custody can damage a court case.

A Chain of Custody is a comprehensive record that outlines each step in the transfer of
evidence, from the moment it is collected to the moment it is presented in court. The
chain of custody must include the names of the individuals who collected and handled
the evidence, as well as the date and time of each transfer. This documentation is
essential in establishing the authenticity and reliability of the evidence and is used to
prove that the evidence has not been tampered with or altered in any way.



However, if the Chain of Custody is broken, it can have serious consequences for a court
case. A broken chain of custody occurs when the evidence is not properly documented or
when the evidence is transferred to someone who is not authorized to handle it. This can
raise questions about the authenticity of the evidence and can lead to the evidence being
excluded from the court case.

For example, if the evidence is collected at a crime scene but is not properly documented,
it could be considered inadmissible in court. If the evidence is not properly packaged and
stored, it could also be considered inadmissible. Additionally, if the evidence is
transferred to someone who is not authorized to handle it, it could raise questions about
the authenticity of the evidence and lead to the evidence being excluded from the court
case.



EVIDENCE CHAIN OF CUSTODY TRACKING FORM

Event Number:
Reason:
Submitting Individual (Name/ID#):
Client:
Date/Time Seized:
Location of Acquisition:

Description of Evidence
Item # | Quantity | Description of Item (Model, Serial #, Condition, Marks, Scratches)

Chain of Custody
Item # | Date/Time | Released by (Signature & ID#) | Received by (Signature & ID#)

APD_Form_#PE003_v.1 (12/2012) Page 1 of 2 pages (See back)


Technical Working Group on Biological Evidence Preservation. The Biological Evidence
Preservation Handbook: Best Practices for Evidence Handlers. U.S. Department of
Commerce, National Institute of Standards and Technology. 2013.



(Continued)

Final Disposal Authority

Authorization for Disposal
Item(s) #: ______ on this document pertaining to (suspect): ______
is(are) no longer needed as evidence and is/are authorized for disposal by (check appropriate disposal method)
☐ Return to Owner ☐ Auction/Destroy/Divert
Name & ID# of Authorizing Officer:
Signature: Date:

Witness to Destruction of Evidence
Item(s) #: ______ on this document were destroyed by Evidence Custodian ID#: ______ in my presence on (date) ______.
Name & ID# of Witness to destruction:
Signature: Date:

Release to Lawful Owner
Item(s) #: ______ on this document was/were released by Evidence Custodian ID#: ______
Address:
City: State: Zip Code:
Telephone Number: ( )
Under penalty of law, I certify that I am the lawful owner of the above item(s).
Signature: Date:
Copy of Government-issued photo identification is attached. ☐ Yes ☐ No

This Evidence Chain-of-Custody form is to be retained as a permanent record by all parties
involved.

APD_Form_#PE003_v.1 (12/2012) Page 2 of 2 pages (See front)

Within CSI Linux, there are several different templates to choose from, and all of them
can be modified to fit your needs. For example, you can change the logo from the CSI
Linux logo to your agency or organization’s logo. You can modify the verbiage or change
the legalese.

Just be careful when modifying the document because there are preset variables on the
page. If you change or delete those, the data will no longer propagate in those fields.

To use the chain of custody template that is built into CSI Linux’s case management, you
need to Start a Case.

1. Open the case that you are currently working on or start a new case.
2. Left click on “Document Templates for the Case”.
3. Left click on Chain of Custody.
4. Fill in the name of the person who is acquiring the evidence.
5. Left click OK.

You now have a Chain of Custody document that is filled in with the
agency/organization information, Investigator information, and the person that
acquired the evidence. After you are done filling in any other data, you can save it as a
PDF and print it for the case.

Included is an example of the Chain of Custody document generated by CSI Linux.

Scope

Before you do anything, you need to determine the intent and scope of the investigation or
recovery. You need to know what to find BEFORE you can find it. This only helps you. If they
want to recover family pictures, those will be your first target to recover. If the client wants
everything, you can hand the drive back and request payment for services rendered. If you
are recovering data for a forensic investigation and there is no scope, there is no case. In the
United States, the 4th Amendment is clear: “The right of the people to be secure in their
persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be
violated, and no Warrants shall issue, but upon probable cause, supported by Oath or
affirmation, and particularly describing the place to be searched, and the persons or things
to be seized”. It is always better to err on the side of caution.



Data Destruction / Wiping

Why are we talking about wiping or overwriting data before we even get to the imaging
portion? Logistically, you should always wipe your destination drive, especially if you
are copying from a disk to another disk. The reasoning behind this is to eliminate the
possibility of residual evidence or contamination residing on the destination drive that
could get misidentified in your current investigation. MAKE SURE YOU WIPE THE
RIGHT DRIVE!!! The wrong one could be your Operating System! Always verify!

Lab: dcfldd/dd (CLI) (Linux)

1. Once the OS is loaded, open a terminal window with root access.
2. Verify your drive letter.
   a. Type lsblk
   b. Type fdisk -l
3. Assume the drive is sdb.
4. Type the following command:

dcfldd if=/dev/zero of=/dev/sdb
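
The warning above (wipe the RIGHT drive) is worth automating. Here is an added example, not part of the CSI Linux lab, of a small guard that refuses to zero a device when it, or one of its partitions, is currently mounted, which is exactly what your operating-system disk will be. The function names and the DRY_RUN variable are this example's own; the mount table defaults to /proc/mounts but can be supplied as a file so the check can be tested offline.

```shell
#!/bin/sh
# Added example (not from the CSI Linux manual): a safety wrapper around
# "dcfldd if=/dev/zero of=DEV" that refuses to wipe a device that backs a
# mounted filesystem. Root's partition is always mounted, so the OS disk is
# always refused. Pass a constructed mounts file as the 2nd argument to test.

# Print every mounted source (1st column of /proc/mounts) that is DEV itself
# or one of its partitions (/dev/sdb -> /dev/sdb1, /dev/nvme0n1 -> /dev/nvme0n1p2).
mounted_on_device() {
    dev="$1"; table="${2:-/proc/mounts}"
    awk -v d="$dev" '$1 == d || $1 ~ ("^" d "p?[0-9]+$") { print $1 }' "$table"
}

# Exit status 0 when DEV or one of its partitions is mounted, 1 otherwise.
device_in_use() {
    [ -n "$(mounted_on_device "$1" "$2")" ]
}

# Zero DEV only after the safety checks pass.
# Set DRY_RUN=1 to print the command instead of running it.
safe_wipe() {
    dev="$1"; table="${2:-/proc/mounts}"
    case "$dev" in
        /dev/*) ;;
        *) echo "refusing: '$dev' is not a /dev path" >&2; return 2 ;;
    esac
    if device_in_use "$dev" "$table"; then
        echo "refusing: $dev is mounted (check lsblk before you wipe):" >&2
        mounted_on_device "$dev" "$table" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: dcfldd if=/dev/zero of=$dev"
        return 0
    fi
    # Only a real block device may be wiped; a typo like /dev/sdbb is caught here.
    [ -b "$dev" ] || { echo "refusing: $dev is not a block device" >&2; return 2; }
    dcfldd if=/dev/zero of="$dev"
}
```

Run it as `safe_wipe /dev/sdb` once lsblk has confirmed that sdb is the destination drive; swap and LVM members are not mounted filesystems, so still check those by hand.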

Write blockers

Imaging a drive connected to a write blocker or a “forensic bridge” using an imaging tool
is a process that allows a forensic analyst to create an exact bit stream copy, or forensic
image, of the drive for the purpose of forensic analysis. This process is crucial in order to
preserve the original evidence in its original state and prevent any changes from being
made to the drive.

I was told many years ago by a network engineer that you should never trust software to
do a hardware job. This was in reference to firewalls dealing with high throughput data,
but it applies to write blockers as well.

Think of it this way. A hardware write blocker was designed to copy data in one direction,
and many times they are faster. Software write blockers tend to break, have
vulnerabilities, get misconfigured, and are at the mercy of the Operating System (rootkits,
APIs, and system resource conflicts).

There are even forensic imagers that are minicomputers with write blockers built in, with
the sole job of imaging. These are a lot faster than imaging with a computer because
they have fewer bottlenecks in the flow of data.



Write Blocking Labs

First, print off a copy of the Chain of Custody included in this lab manual. Fill in everything
related to the “case”. Now that you have your Scope and Chain of Custody, you can start to
acquire the physical evidence.

Let’s build a lab USB disk.

• Find a small USB drive. The smaller the better. The bigger the drive, the longer it will take to
image and the more space it will take on your destination media.
• Now, wipe that USB drive. Make sure to wipe the entire drive and not just the partition.
• Download a group of files to create a known baseline. When you know what files you have
copied, you know what content should be recoverable. For example:
  o (20) .JPG images
  o (10) .PDF documents
  o (10) .DOCX documents
  o (5) .TXT files

You can test the differences between the different tools and see the levels of recoverability
with each tool and method. If you don’t have an imager or will never image a drive, it is still
good to go through the basics, so you know how things need to work. You can also use an
image that was already taken from a drive. If you already have an image, skip to “File
Recovery Labs”.

Now, imagine you have a suspect drive and a hardware write blocker (aka: forensic bridge).
Make sure you read the different ports that the drive connects into, versus the output that
plugs into the computer.



Lab: Hardware Write Blocking

• Buy a hardware write blocker & connect it to the drive to be protected.
  o Skip if you don’t have a hardware forensic bridge/write blocker.
  o Follow the instructions provided by the vendor.
  o Forensic Bridges or Write Blockers from vendors like: Firefly, Tableau, etc...

Imagine that you need to write block and do NOT have a hardware write blocker. Your
workstation is a Linux system, and you still want to make sure you connect the evidence
drive in a forensically sound manner. The first thing you are going to have to do is log in
and make sure you have root privileges in Linux. You will also need access to a terminal
or a Command Line Interface “CLI” prompt.

Lab: Linux Mount as Read-Only

• Insert the USB (below are multiple options in Linux to identify the right drive).
o Verify your USB device by typing “lsblk” and look for the sd(?) drive
o Verify your USB device by typing “df” and look for the sd(?) drive
o Verify your USB device by typing “dmesg | grep sd” and look for the sd(?) drive
o Verify your USB device by typing “ls /dev/sd*” and look for the sd(?) drive

Assume the drive is sdb for the rest of the lab.

sudo mkdir /media/usbdrive
sudo mount /dev/sdb1 /media/usbdrive -o ro

This will mount the drive or make the drive usable as read-only to the folder:
“/media/usbdrive”. If the drive is already mounted, type:

sudo mount -o remount,ro /media/usbdrive



Forensic imaging

Forensic imaging is the process of creating an exact copy of a computer's hard drive or
another digital storage device for the purpose of examination and analysis. This process
is used in criminal investigations, civil cases, and other legal proceedings where
electronic evidence may be relevant.

There are several steps involved in forensic imaging. First, the computer or storage
device to be imaged is connected to a forensic workstation, which is a specialized
computer used for this purpose. The workstation is configured to create an exact copy of
the hard drive or other storage devices, including all data, file structures, and metadata
(information about the data, such as creation and modification dates).

Logical Vs. Physical Imaging

A forensic logical copy is a copy of data that is made using software that captures the
logical structure of the data. A forensic physical copy is a copy of data that is made using
hardware that captures the physical structure of the data.

Here are some examples of the differences between a forensic logical copy and a forensic
physical copy:

• A forensic logical copy of a hard drive might include the files and folders on the drive, as well
as metadata such as file names, dates, and permissions. A forensic physical copy of the same
hard drive might include the raw data on the drive, including deleted files and data that has
been overwritten.
• A forensic logical copy of a smartphone might include the apps, documents, and other data that
is stored on the device. A forensic physical copy of the same smartphone might include the raw
data on the device, including deleted data and data that has been overwritten.
• A forensic logical copy of a social media account might include the posts, interactions, and
other data that is visible to the user. A forensic physical copy of the same social media account
might include hidden data, such as deleted posts or data that is only visible to certain users.

Next, the forensic workstation creates a hash value for the original hard drive, which is
a unique numerical value that represents the data on the drive. The hash value is used to
verify the integrity of the forensic image, ensuring that it is an exact copy of the original
drive.



Once the forensic image is created, it can be analyzed using specialized software or tools.
For example, a forensic investigator might use a tool to search the image for specific
keywords or file types or to identify deleted or hidden files. They may also use software
to extract and analyze metadata, such as email headers or internet browsing history.

Examples of how forensic imaging might be used include:

• A criminal investigation into a cybercrime, such as identity theft or fraud. The forensic image of
the suspect's computer can be analyzed to identify evidence of their involvement in the crime.
• A civil case involving the discovery of electronic evidence, such as emails or documents. The
forensic image of the relevant computer can be analyzed to identify relevant evidence.
• A child custody case in which electronic evidence, such as social media messages or text messages,
may be relevant. The forensic image of the relevant devices can be analyzed to identify this
evidence.

Imaging Process

Linux tools, such as dd, dcfldd, dc3dd, and Guymager are commonly used for forensic
imaging due to their flexibility and ability to create bit-level copies of storage devices.
These tools are free and open source, making them accessible to forensic analysts.

To image a drive connected to a write blocker using dd, the analyst would follow the
following steps:

• Connect the write blocker: The write blocker should be connected between the drive and the
forensic analysis computer. This will prevent any changes from being made to the drive during
the imaging process.
• Open a terminal: The analyst should open a terminal window on the forensic analysis
computer.
• Identify the drive: The analyst can use the "lsblk" command to identify the device name of the
drive. For example, the drive may be identified as "/dev/sdc".
• Create the forensic image: The analyst should enter the following commands to create the
forensic image and hash it (plain dd has no hash= or hashlog= option; those belong to dcfldd):

sudo dd if=/dev/sdc of=image.dd bs=4M
md5sum image.dd > hashes.txt
sha256sum image.dd >> hashes.txt

These commands will create a forensic image of the drive and save it as a file called
"image.dd". They will also create hashes of the image using the MD5 and SHA-256
algorithms and save the hashes to a file called "hashes.txt".



Verify the image: The analyst can verify the integrity of the image by comparing the
hashes of the original drive with the hashes of the forensic image. If the hashes match,
it is an indication that the forensic image is an exact copy of the original drive.
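
The acquire-then-verify step above, written out as a small script. This is an added example and not the manual's own code; the function names are this example's, and the source may be a block device behind a write blocker (such as /dev/sdc) or, for practice, an ordinary file standing in for a drive.

```shell
#!/bin/sh
# Added example (not from the CSI Linux manual): image a source with dd,
# record the MD5 and SHA-256 of both the source and the image, and compare
# them. Hashing the source as well as the image is what turns the hash file
# into evidence that the copy is exact, rather than just a fingerprint of it.

# Print "<md5> <sha256>" for a file or block device.
fingerprint() {
    md5=$(md5sum "$1" | awk '{print $1}')
    sha=$(sha256sum "$1" | awk '{print $1}')
    echo "$md5 $sha"
}

# Image SRC to IMG, then write the hashes of both into LOG.
# bs=512 matches the sector size, so conv=sync (zero-fill unreadable sectors
# to keep offsets aligned) never pads the image beyond the source's length;
# with bs=4M the final partial block would be padded and the hashes would differ.
acquire() {
    src="$1"; img="$2"; log="$3"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    {
        echo "source $src: $(fingerprint "$src")"
        echo "image  $img: $(fingerprint "$img")"
    } > "$log"
}

# Exit status 0 when SRC and IMG have identical MD5 and SHA-256, 1 otherwise.
verify() {
    [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}
```

Typical use is `acquire /dev/sdc image.dd hashes.txt && verify /dev/sdc image.dd`; keep hashes.txt with the Chain of Custody paperwork.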

dcfldd is based on the dd command and is intended for forensic imaging. It has
additional features such as the ability to hash the image as it is being created, which can
be useful for verifying the integrity of the image. To create a forensic image using dcfldd,
the analyst would enter the following command:

dcfldd if=/dev/sda hash=md5,sha256 hashlog=hashes.txt of=image.dd

Guymager is a free and open-source forensic imaging tool that is commonly used to
create forensic images of storage devices. In order to image a drive that is connected to a
write blocker using Guymager, the following steps can be followed:

Connect the write blocker to the forensic analysis computer and the storage device to the
write blocker.

• Open Guymager and select the "Acquire" tab.
• Select the write blocker device from the dropdown menu.
• Choose a destination for the forensic image, such as a local drive or network share.
• Select the "Start" button to begin the imaging process.
• Guymager will create a forensic image of the storage device and save it to the specified
destination.
• Once the imaging process is complete, the forensic image can be analyzed using a variety of
forensic tools.

It is important to note that the write blocker must be properly configured in order to
ensure that no changes are made to the storage device during the imaging process. This
is necessary in order to preserve the original evidence and maintain the integrity of the
investigation. Overall, using Guymager in conjunction with a write blocker is a reliable
and efficient way to create forensic images of storage devices for forensic analysis.



Forensic Imaging - Mac

In the case of a Mac, forensic imaging can be done using the target mode feature, which
allows the Mac to be connected to another computer as an external drive. This allows the
forensic analyst to create a forensic image of the Mac's hard drive using forensic imaging
tools on the other computer.

One way to perform forensic imaging of a Mac in target mode using Linux is to use the
dd tool. Dd is a command-line utility that allows the forensic analyst to create a bit-level
copy of a storage device. To create a forensic image of a Mac in target mode using dd, the
analyst would follow these steps:

• Connect the Mac to the forensic computer using a FireWire or Thunderbolt cable.
• Boot the Mac into target mode by holding down the "T" key during startup.
• On the forensic computer, open a terminal and enter the following command (assuming the
new drive is sdc):

dd if=/dev/sdc of=image.dd bs=1M

This command will create a forensic image of the Mac's hard drive and save it as a file
called image.dd. The "bs" parameter specifies the block size, which determines the speed
of the imaging process.

Another tool that can be used for forensic imaging of a Mac in target mode is dcfldd.
Dcfldd is similar to dd but has additional features such as the ability to hash the image as
it is being created, which can be useful for verifying the integrity of the image. To create
a forensic image using dcfldd, the analyst would enter the following command:

dcfldd if=/dev/sdc hash=md5,sha256 hashlog=hashes.txt of=image.dd

This command will create a forensic image of the Mac's hard drive and save it as a file
called image.dd. It will also create hashes of the image using the MD5 and SHA-256
algorithms and save the hashes to a file called hashes.txt.

Once the forensic image has been created, it can be analyzed using a variety of forensic
tools. These tools can be used to search for evidence such as deleted files, internet history,
and system logs.



Remote Imaging

Plain text dd or dcfldd

The image can also be streamed to another computer with netcat. The data travels in
plain text, so this is only appropriate on a network you control. On the destination
computer, start a listener that writes everything it receives into image.dd:

nc -l [port] > image.dd

Then, on the computer that has the evidence drive attached, send the drive to the
listener with dd (dcfldd can be used in the same way):

dd if=/dev/sdc | nc [destination_IP] [port]

Encrypted dd or dcfldd

To remotely image a hard drive in Linux over an encrypted channel, pipe dd into ssh and
write the stream into a file on the destination:

dd if=/dev/source bs=1M | ssh [-p port] [user@]hostname 'cat > /path/to/destination/image.dd'

This command will copy the contents of the source hard drive to the destination.
Additionally, the data can be compressed in transit by inserting "bzip2 -z" into the
pipeline before ssh and decompressing with "bzip2 -d" on the far side:

dd if=/dev/source bs=1M | bzip2 -z | ssh [-p port] [user@]hostname 'bzip2 -d > /path/to/destination/image.dd'



Forensic Imaging Labs

You have already filled out the Chain of Custody and connected the drive in a forensically
sound manner. Now what? Well, copy the data... Never analyze the original disk. Always
make at least two copies of the original evidence before you start to work with it.
Working on the original runs the risk of damaging the evidence and making it
inadmissible in court. The second copy is what you work with. The first copy you put in
storage, so you do not have to touch the original again unless there is an emergency. It is
also suggested to make an MD5 hash along with a SHA hash of the original evidence and
each copy. A hash is a digital fingerprint that adds a level of trust that the data has not
changed during use.

There are two types of copies. There is a “Physical copy” (aka: bit stream, clone, image,
etc...) that duplicates allocated and unallocated space. This means all data. You can
recover deleted content and even partially overwritten data. The other copy is called a
“Logical copy” (aka: backup, archive, file copy, dos copy, copy & paste, etc...). The most
forensically sound copy is of course a physical copy.

Image credit: Atola TaskForce atola.com

Most physical forensic imagers have write blockers built into them and it takes some of
the risk out of the equation. Just make sure to put the evidence drive as the source and if
you are imaging to another disk, that will be your destination. Too many people destroy
the evidence by attaching the wrong drive to the destination…



What we want to do in these labs is create a known baseline. As mentioned previously,
copy files in groups so we have a consistent set to play with. Since computer forensics IS
a science, everything you do needs to be done in a consistent and reproducible manner.
Once you are comfortable with the tools and methods, you can use what you have
learned with real evidence and have confidence in your scientific results or analysis.

If you want to do your Imaging from a Windows computer, use FTK Imager. FTK Imager
has software write blocking built in, so you will not destroy the evidence, but your next
issue is the Operating System. Microsoft has had a history of trying to “help” the user
when a new drive is added by adding data to the drive. If this happens, the evidence is
destroyed due to contamination. To prevent this, use a physical write blocker. With that
said, FTK Imager can be downloaded from accessdata.com. You may have to register to
download the tool here: accessdata.com/product-download.

Lab: dcfldd (Linux)

Follow the steps below to make different images. Each image will have a different level
of data recoverability. In the end, we should have an image with full recoverability, an
image with deleted files that are fully recoverable, an image with a formatted file system
that should be partially recoverable, and a wiped drive with zero recoverability.

• Open a terminal window with root access.
• Type “mkdir /recovery”
• Type “cd /recovery”
• Type “mkdir usb1”
• Repeat for usb2-4
• Wipe the drive by typing “sudo dcfldd if=/dev/zero of=/dev/sdb”
• Create a single partition on the now-empty drive (for example with “sudo fdisk /dev/sdb”),
then format it with FAT by typing “sudo mkfs.vfat /dev/sdb1”
• Download a theme of files (.jpg, .pdf, .txt). This will create a controlled environment.
• Copy the files onto the USB.
• Image the drive by typing “sudo dcfldd if=/dev/sdb of=/recovery/usb1.dd”.
• Delete all the files on the USB.
• Image the drive by typing “sudo dcfldd if=/dev/sdb of=/recovery/usb2.dd”.
• Format the USB with FAT by typing “sudo mkfs.vfat /dev/sdb1”
• Image the drive by typing “sudo dcfldd if=/dev/sdb of=/recovery/usb3.dd”.
• Wipe the drive by typing “sudo dcfldd if=/dev/zero of=/dev/sdb”
• Image the drive by typing “sudo dcfldd if=/dev/sdb of=/recovery/usb4.dd”.



The benefit of dcfldd is that it can create a hash itself instead of forcing you to use a third-
party tool. This makes scripting or automation that much easier.

Example:

sudo dcfldd if=/dev/sdb1 of=usb(?).dd hashwindow=0 hashlog=hash.txt
cat hash.txt

Lab: Hardware Imaging

If you have the hardware, use it. Doing this will minimize the risk of destroying
evidence... Make sure you connect it to the right port. You do not want to wipe or
overwrite the evidence drive. Then follow the instructions provided by the forensic
imager vendor.

Here is a list of vendors for forensic Imagers.

• Forensics: SuperChief, Tableau, Forensic Duplicator...

Here is a list of vendors for Data Recovery Imagers.

• Data Recovery: DeepSpar, Atola, Data Copy King, etc...

If you image the logical drive/volume/partition, you can mount the volume directly.

Lab: Volume Image Mount in Linux

sudo mkdir /mnt/evidence
sudo mount -o ro,loop usb(?).dd /mnt/evidence
cd /mnt/evidence
ls

If you image the physical drive (all partitions), you can use losetup (losetup is used to
associate loop devices with regular files or block devices). The -r flag makes the loop
device read-only and -P creates a separate device node for each partition found in the
image, so that each can then be mounted read-only on its own.

Lab: Drive Image Mount for All Partitions in Linux

sudo losetup --show -f -r -P usb(?).dd
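
When losetup -P is not available, mount can be given the partition's byte offset directly. The following is an added example, not part of the CSI Linux lab, that reads that offset from the image's own MBR partition table and mounts the partition read-only. It assumes a classic MBR with 512-byte sectors (GPT images are not handled); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the CSI Linux manual): locate a partition inside a
# physical image by parsing its MBR, then mount it read-only at that offset.
# MBR layout assumed: four 16-byte entries starting at byte 446; in each
# entry the type byte is at +4, the start LBA (little-endian) at +8 and the
# sector count at +12; the 0x55 0xAA signature sits at bytes 510-511.

# Read N bytes at byte OFFSET of FILE as an unsigned little-endian integer.
# Bytes are combined by hand so the result does not depend on host endianness.
read_le() {
    od -An -tu1 -j "$2" -N "$3" "$1" |
        awk '{ v = 0; for (i = NF; i >= 1; i--) v = v * 256 + $i; print v }'
}

# Exit status 0 when FILE carries the MBR boot signature.
has_mbr_signature() {
    [ "$(read_le "$1" 510 1)" -eq 85 ] && [ "$(read_le "$1" 511 1)" -eq 170 ]
}

# Print "<start LBA> <sector count> <type>" for partition N (1-4) of IMG.
mbr_entry() {
    img="$1"; n="$2"
    base=$((446 + 16 * (n - 1)))
    start=$(read_le "$img" $((base + 8)) 4)
    count=$(read_le "$img" $((base + 12)) 4)
    type=$(read_le "$img" $((base + 4)) 1)
    echo "$start $count $type"
}

# Print the byte offset of partition N, or fail if the slot is unused.
mbr_part_offset() {
    img="$1"; n="$2"
    has_mbr_signature "$img" || { echo "no MBR signature in $img" >&2; return 1; }
    set -- $(mbr_entry "$img" "$n")
    [ "$3" -ne 0 ] || { echo "partition slot $n of $img is empty" >&2; return 1; }
    echo $(( $1 * 512 ))
}

# Mount partition N of IMG read-only on MNT. For ext3/ext4 partitions add
# ",noload" to the options so the journal is not replayed into the image.
mount_partition_ro() {
    off=$(mbr_part_offset "$1" "$2") || return 1
    echo "mounting $1 partition $2 at byte offset $off on $3"
    sudo mount -o ro,loop,noexec,offset="$off" "$1" "$3"
}
```

For the lab image that would be `mount_partition_ro usb1.dd 1 /mnt/evidence`; compare the printed offset with the Start column of `fdisk -l usb1.dd` (multiplied by 512) as a sanity check.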
