Forensic Cop Journal Volume 2(3), Dec 2009

http://forensiccop.blogspot.com

Standard Operating Procedure of Acquisition on Ubuntu


by Muhammad Nuh Al-Azhar, MSc. (CHFI, CEI, MBCS)
Commissioner Police – Coordinator of Digital Forensic Analyst Team
Forensic Lab Centre of Indonesian National Police HQ

Introduction

When handling storage media as evidence, a digital forensic analyst must be careful during the acquisition process. A mistake at this stage casts doubt on every later step, and the evidence may even be rejected by the court. Because acquisition is so important in digital forensics, it has to be done properly. So that the output of the acquisition process is reliable, this article discusses how to perform it properly on a Linux Ubuntu machine.
Acquisition is usually performed with forensic applications such as FTK Imager from AccessData and EnCase from Guidance Software, running under Microsoft Windows. This article gives the digital forensic analyst a different perspective: how to do it on an Ubuntu analysis workstation. The output produced on the Ubuntu machine, a raw bit-stream (dd) image, is the same kind of output the applications above produce when set to raw image format, and they can read it. The analyst therefore has more than one way to perform the acquisition.
One principle of digital forensics that the analyst must understand is never to rely on a single application for the analysis. The analyst should have as many forensic applications as possible for any one forensic job, so that there are several ways to do it and the results can be cross-checked, selecting the one or ones that give the best results. To use these applications properly, the analyst must also understand the digital forensic procedure well.

Step 1: Preparing the machine for forensically sound write protection

After the boot process finishes, open the command console (terminal) and type the following command to become the super user. The super user has the privilege to modify any file on the machine.
sudo -s
After that, type the command below.
gedit /etc/fstab
This command opens the file fstab stored in the folder /etc for editing. The file is edited in order to configure the "write protect" condition; opening it also lets the analyst check whether the "write protect" configuration has already been applied. With this configuration, any storage media such as a hard disk or flash disk attached to the analysis machine through the USB port is protected from changes, whether accidental or deliberate: actions applied to the evidence media do not affect its content, so the content remains unchanged during the acquisition process.
Two caveats apply. First, this is a software write block based on mount options: it only covers a device that appears as /dev/sdb and whose partitions are mounted through these entries, so an evidence disk that enumerates as /dev/sdc, or one mounted by hand with other options, is not protected by it. Second, a journalling file system (ext3, ext4, XFS) can still replay its journal and write to the disk on a read-only mount unless that is forbidden with the mount option noload (ext3/ext4) or norecovery (XFS). Safer still is to mark the device read-only in the kernel with blockdev --setro on the whole disk and on each partition before anything mounts it, or to use a hardware write blocker; imaging itself (Step 3) reads the raw device and does not require the evidence to be mounted at all.
If the file has not yet been configured for the purpose of "write protect", the lines below are added to /etc/fstab. They can be put at the end of the file.
# Read Only Configuration
/dev/sdb /media/sdbro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0
/dev/sdb1 /media/sdb1ro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0
/dev/sdb2 /media/sdb2ro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0
/dev/sdb3 /media/sdb3ro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0
/dev/sdb4 /media/sdb4ro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0
/dev/sdb5 /media/sdb5ro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0

/media/sdbro is the mount point for the whole evidence device, which is usually detected as /dev/sdb, while /media/sdb1ro to /media/sdb5ro are the mount points for its partitions /dev/sdb1 to /dev/sdb5. Five entries are given to anticipate media with up to five partitions; a disk with more partitions needs further entries of the same form. To create the mount points, type the following commands.
mkdir /media/sdbro
mkdir /media/sdb1ro
mkdir /media/sdb2ro
mkdir /media/sdb3ro
mkdir /media/sdb4ro
mkdir /media/sdb5ro
After the configuration above has been added to /etc/fstab, save the file. The machine is then prepared for forensically sound write protection. For further information, see the earlier article on this topic, Forensically Sound Write Protect, at http://forensiccop.blogspot.com.

Step 2: Ensuring the evidence is mounted read-only

After /etc/fstab has been configured, attach the evidence media to the analysis workstation through the USB port. For a hard disk, a USB-to-IDE (or USB-to-SATA) adapter can be used; for a memory card, a card reader; a flash disk is plugged straight into the USB port.
Type the following command to find which device node the attached evidence has been given. Check carefully whether the evidence is /dev/sdb, /dev/sdc or another node, so that the wrong device is not imaged or, worse, written to. The command also shows clearly the number of partitions on the evidence and their sizes. If the evidence has appeared as something other than /dev/sdb, the fstab entries of Step 1 do not cover it and must be adapted before it is mounted.
fdisk -l
Type the following command to check whether the storage media has been mounted and, if so, whether it is mounted read-only. It should be, since /etc/fstab was configured for "write protect" in Step 1: every line for /dev/sdb or one of its partitions must carry the ro option. An evidence device that is not mounted at all is equally acceptable, since imaging reads the raw device.
mount

Step 3: Performing forensic imaging

Type the command below to perform forensic imaging: the evidence media is physically imaged (cloned) as a bit-stream copy. The output is a dd image file identical to the source.
dcfldd if=/dev/sdb of=MediaImage.dd conv=notrunc,noerror hashwindow=512 hashlog=MediaHash.md5
Besides writing the dd image file, the command above instructs dcfldd to hash the source as it is read and to write the result to the file MediaHash.md5. This file is essential for checking whether the imaging was successful, which is discussed in the next step. The names of the dd file and the md5 file can be changed as the analyst wishes.
Three options deserve attention. conv=noerror tells dcfldd to continue past unreadable sectors; add sync as well (conv=noerror,sync) so that an unreadable block is padded with zeros and the data that follows keeps its original offset in the image; without it the image is shorter than the source and every later offset is shifted. hashwindow=512 writes one hash line per 512-byte block, which for a disk of hundreds of gigabytes means a log of roughly a billion lines; a larger window (for example hashwindow=1G) or omitting the option altogether (only the total hash is then logged) is far easier to handle, and the total hash of the source is still written at the end of the log. Finally, MD5 collisions are practical today, so it is worth recording a SHA-256 of the source alongside it (dcfldd accepts hash=md5,sha256).
When the evidence media is too large for the image to be stored on the analysis workstation, an external hard drive can be used. In that case the "of=" argument points to a path inside the mount point of the external drive, for instance /media/harddiskname. Give the full path, or change into that directory first with the command below, since a relative of= is written into the current directory.
cd /media/harddiskname
Make sure this location is not read-only by checking the mount options of the external drive with the command "mount": they must include rw (read-write) so that the dd file can be written there. Make sure as well that the destination is not the evidence itself or another partition of the evidence device.

Step 4: Checking the results through hashing

After forensic imaging finishes, verify the dd file by hashing it with the following command.
md5sum MediaImage.dd > MediaImageHash.txt
The txt file contains the md5 value of the dd file. This value is compared with the md5 value of the evidence media, which in this case is the Total line at the end of MediaHash.md5. If the two md5 values are exactly the same, the forensic imaging was successful; if they differ, the process must be repeated. Persistent differences usually point to a failing source disk: dcfldd reports read errors on the console, and they should be documented together with the image.
To see the content of MediaImageHash.txt, type the command below.
more MediaImageHash.txt


Meanwhile, to see the last lines of MediaHash.md5, including its Total line, type the following command.
tail MediaHash.md5
For subsequent acquisitions, Step 1 (configuring the fstab file) does not need to be repeated, since the file has already been configured properly; Steps 2 to 4 are repeated for every piece of evidence.
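As an added example that is not part of the original article, the script below wraps Steps 1 to 4 so that the checks the procedure relies on are made automatically rather than by eye: it refuses to run while any partition of the evidence is mounted read-write, refuses a destination that lives on the evidence device, images with dcfldd, and then compares the md5 of the image with the source md5 from the dcfldd hashlog. The kernel-level write block with blockdev --setro, the environment variables EVIDENCE_DEV, DEST_DIR and IMAGE_NAME, the function names, and the assumption that the dcfldd hashlog ends with a "Total (md5): <hex>" line are mine, not the article's; the sample mount output and the tiny image used offline are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: a script wrapping the four
# steps of the procedure (write-protect, check mounts, image with dcfldd, verify
# by hash) with the checks done automatically. Assumptions that are mine, not the
# article's: the script runs as root, dcfldd/blockdev/md5sum/sha256sum are
# installed, and the dcfldd hashlog ends with a "Total (md5): <hex>" line (the
# format printed by dcfldd 1.3.x). Nothing below touches a device unless
# EVIDENCE_DEV is set, so the checks can be exercised offline on the sample data.
set -eu

# Read `mount` output on stdin and print every line where DEV ($1) or one of its
# partitions is mounted without the ro option. Exit status 1 if any was found.
rw_mounts_of() {
    awk -v dev="$1" '
        index($1, dev) == 1 {
            opts = $0; sub(/.*\(/, "", opts); sub(/\).*/, "", opts)
            n = split(opts, a, ","); ro = 0
            for (i = 1; i <= n; i++) if (a[i] == "ro") ro = 1
            if (!ro) { print; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Print the digest recorded on the Total line of a dcfldd md5 hashlog ($1).
total_md5_from_log() {
    sed -n 's/^Total (md5): *\([0-9a-fA-F]\{32\}\).*/\1/p' "$1" | tail -n 1 | tr 'A-F' 'a-f'
}

# Compare the md5 of the image file ($1) with the source md5 dcfldd logged ($2)
# while reading the evidence. Exit status 0 only when both exist and match.
verify_image() {
    src=$(total_md5_from_log "$2")
    img=$(md5sum "$1" | cut -d' ' -f1)
    [ -n "$src" ] && [ "$src" = "$img" ]
}

# Steps 1-4 against a real device: write-block it in the kernel, refuse to run
# if any partition is mounted read-write or the destination is on the evidence,
# image it, record a second (SHA-256) digest, then verify the md5 values.
acquire() {
    dev="$1"; dest="$2"; name="$3"
    for node in "$dev" "$dev"[0-9]*; do
        [ -b "$node" ] && blockdev --setro "$node"   # kernel-level read-only flag
    done
    mount | rw_mounts_of "$dev" || { echo "refusing: $dev is mounted read-write" >&2; return 1; }
    dest_dev=$(df -P "$dest" | awk 'NR == 2 { print $1 }')
    case "$dest_dev" in "$dev"*) echo "refusing: destination is on the evidence" >&2; return 1 ;; esac
    [ -w "$dest" ] || { echo "refusing: $dest is not writable" >&2; return 1; }
    # conv=sync pads unreadable blocks so later data keeps its original offset
    dcfldd if="$dev" of="$dest/$name.dd" bs=64k conv=noerror,sync \
           hash=md5 hashlog="$dest/$name.md5"
    sha256sum "$dest/$name.dd" > "$dest/$name.sha256"
    verify_image "$dest/$name.dd" "$dest/$name.md5"
}

# Constructed sample of `mount` output (not captured from a real system) in which
# /dev/sdb2 ended up mounted read-write: the check must reject it.
SAMPLE_MOUNT='/dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro)
/dev/sdb1 on /media/sdb1ro type vfat (ro,nosuid,nodev,uhelper=hal)
/dev/sdb2 on /media/sdb2ro type ext3 (rw,nosuid,nodev)'

# Offline demonstration: prints the offending mount, then verifies a tiny
# constructed "image" against a hashlog carrying its known md5.
demo() {
    printf '%s\n' "$SAMPLE_MOUNT" | rw_mounts_of /dev/sdb || echo "rw mount found, would refuse"
    tmp=$(mktemp -d)
    printf 'abc' > "$tmp/img.dd"          # md5("abc") = 900150983cd24fb0d6963f7d28e17f72
    printf 'Total (md5): 900150983cd24fb0d6963f7d28e17f72\n' > "$tmp/img.md5"
    verify_image "$tmp/img.dd" "$tmp/img.md5" && echo "image verified"
    rm -rf "$tmp"
}

if [ -n "${EVIDENCE_DEV:-}" ]; then
    acquire "$EVIDENCE_DEV" "${DEST_DIR:-/media/harddiskname}" "${IMAGE_NAME:-MediaImage}"
else
    demo
fi
```

Run as root with EVIDENCE_DEV=/dev/sdb DEST_DIR=/media/harddiskname sh acquire.sh to image a device; without EVIDENCE_DEV it only runs the offline checks. The mount check parses the same output the article inspects by hand in Step 2, and the hash comparison is the one done by hand in Step 4; hashwindow is omitted so the log holds only the total hash.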

Bibliography

ACPO. (2008). Good Practice Guide for Computer-Based Electronic Evidence. Available: http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf. Last accessed 30 September 2009.
Al-Azhar, M.N. (2009). Forensically Sound Write Protect. Forensic Cop Journal. 1 (3). Available: http://forensiccop.blogspot.com. Last accessed 19 December 2009.
Al-Azhar, M.N. (2009). Similarities and Differences between Windows and Ubuntu on Forensic Applications. Forensic Cop Journal. 1 (2). Available: http://forensiccop.blogspot.com. Last accessed 19 December 2009.
Al-Azhar, M.N. (2009). Ubuntu Forensic. Forensic Cop Journal. 2 (1). Available: http://forensiccop.blogspot.com. Last accessed 19 December 2009.
Ferguson, I. (2008). Lab Session Guidance of CS936: Media Imaging. Glasgow: CIS Department of University of Strathclyde.
Ferguson, I. (2008). Stage 2: Preservation. Glasgow: CIS Department of University of Strathclyde.
US Department of Justice. (2001). Electronic Crime Scene Investigation: A Guide for First Responders. Available: http://www.ncjrs.gov/pdffiles1/nij/187736.pdf. Last accessed 30 September 2009.
