Cyber Forensics — cloning an evidence drive (the first step in data acquisition)

Sachin Ramesh
5 min read · Feb 17, 2019


When collecting evidence from a crime scene, the first and most important thing to do is to take an exact copy of every device that needs to be analysed, because if something happens to the original device during data acquisition there is no other way to collect the data.

So let's take a look at how to create an exact copy of a flash drive that is going to be used for data acquisition.

Let's start …

As a first step, we need to protect the flash drive from being altered while we acquire data, because the data acquisition tools themselves can write to the drive. So we should write-protect the flash drive. For that we use a tool named “Diskpart”, which comes with the Windows OS.

  1. Plug the flash drive into the forensic workstation and run the Diskpart tool
    Command: “diskpart”

You can list the drives connected to the workstation by issuing the “list disk” command.

Now select the flash drive from the list. In my case the flash drive is “disk 1”, so I use the “select disk 1” command to select it.

After that, you can check the status of the flash drive with the “attributes disk” command.

You can see that the read-only status is No; we need to enable it to write-protect the flash drive.

To do that, issue the command “attributes disk set readonly”. There are more attributes commands in the manual; you can see them by issuing the “help attributes” command.

Now let's check the drive status again.

The read-only status is now Yes, so the drive is write-protected and we can safely use it for data acquisition.

1. Now we need to clone the flash drive. For that we are going to use the “WinHex” tool. First, download and install the tool.

Run the tool as an administrator.

2. Now let's load the flash drive into the software.

Go to Tools -> Load disk, then select the flash drive and press OK.

The flash drive is now loaded into the tool.

3. Now let's generate the hash of the drive. This hash value is very important: after we clone the drive, we compare the hash of the clone with the hash of the original to verify that the flash drive was cloned correctly.

To generate the hash, go to Tools -> Compute Hash or press Ctrl+F2.

Then select the algorithm and press OK. Computing the hash takes several minutes; after that the hash value is shown as follows. Keep it somewhere for later use.

The hash value of the flash drive — 31E68EE321177C1167811EA764532902

4. Now we are going to clone the flash drive. For that,

go to Tools -> Disk Tools -> Clone Disk or press Ctrl+D.

Select the source medium by choosing the flash drive with the disk icon next to the source medium (don't use the file icon, because we are cloning a drive, not a file).

Next, select where to save the raw image (the clone of the flash drive), using the file icon.

Now press OK to clone the flash drive.

This will take some time, depending on the size of the drive and the performance of your workstation.

5. After the cloning has finished, let's compute the hash value of the clone.

Go to Tools -> Compute Hash or press Ctrl+F2.

6. Select the same hash algorithm as before; otherwise the hash values will not match.

The hash value of the disk clone — 31E68EE321177C1167811EA764532902

Both hash values are the same, which means you have successfully cloned the flash drive into a raw image. Now you can use this disk clone for data acquisition and keep the original flash drive somewhere safe.

So now our work is done.
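The verification in steps 5 and 6 can also be done outside WinHex, which is useful when the raw image is later copied to another workstation and its integrity has to be re-checked against the hash recorded from the original drive. The following is an added example (not part of the original post or of WinHex); it infers the algorithm from the recorded digest's length (the 32-character value above is an MD5 digest), streams the image file through the hash, and compares case-insensitively because WinHex displays upper-case hex. The sample "drive" data and the hypothetical file name flash_drive.raw are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Hex-digest length -> hashlib name. The 32-character value in the post is an
# MD5 digest; step 6 above depends on hashing the clone with the same algorithm.
_ALGO_BY_DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def algorithm_for(recorded_hash: str) -> str:
    """Infer the hash algorithm from the length of a recorded hex digest."""
    algo = _ALGO_BY_DIGEST_LEN.get(len(recorded_hash.strip()))
    if algo is None:
        raise ValueError("unrecognised digest length: %d" % len(recorded_hash))
    return algo

def hash_image(path: str, algorithm: str, chunk_size: int = 4 * 1024 * 1024) -> str:
    """Stream a raw image through the hash so multi-GB images never sit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_clone(image_path: str, recorded_hash: str) -> tuple:
    """Return (match, algorithm, computed_hex) for an image checked against the
    hash recorded from the original drive. Case-insensitive: WinHex shows
    upper-case hex, hashlib emits lower-case."""
    algorithm = algorithm_for(recorded_hash)
    computed = hash_image(image_path, algorithm)
    return computed == recorded_hash.strip().lower(), algorithm, computed

def demo() -> tuple:
    """Constructed demo: a 16 KiB fake 'drive' image, then a one-byte change."""
    original = bytes(range(256)) * 64                        # constructed sample data
    recorded = hashlib.md5(original).hexdigest().upper()     # as WinHex would display it
    with tempfile.TemporaryDirectory() as tmp:
        clone = os.path.join(tmp, "flash_drive.raw")         # hypothetical image name
        with open(clone, "wb") as f:
            f.write(original)
        good = verify_clone(clone, recorded)[0]              # intact clone -> True
        with open(clone, "r+b") as f:                        # corrupt one byte of the clone
            f.seek(1000)
            f.write(b"\xff")
        bad = verify_clone(clone, recorded)[0]               # altered clone -> False
    return good, bad
```

Run `demo()` to see an intact clone verify and a single-byte change fail; to check a real image, call `verify_clone("path/to/image.raw", "<hash recorded from the original>")`.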


Written by Sachin Ramesh

Software Engineer @ WSO2 — Worked as Cybersecurity Engineer @ hSenid -> Assistant Lecturer | University of Ruhuna -> Platform Security Team | WSO2
