
Digital Forensics

April 6, 2007

This week I played around with some great digital forensics tools in ubuntu. I had an old laptop hard drive to try out, from which I wanted to recover some old deleted data. Last weekend I finally found an adapter to attach a 2.5-inch laptop hard drive to a desktop IDE port: an HX-IDE-K adapter I found in a surplus store for $8.

I booted the desktop PC using an xubuntu liveCD. The other hard drive I had plugged in was an old 8GB drive, formatted ext3, to hold the data recovered from the old dying drive. I used dd to make an image of the laptop drive. The commands I entered in the terminal went like this:

$ sudo mkdir /mnt/backup
$ sudo mount -t ext3 /dev/hdb1 /mnt/backup
$ sudo dd if=/dev/hda of=/mnt/backup/image.raw

It copied the 6.5 GB hard drive in about 15 minutes at about 7.4 MB/s. I could then set aside the failing laptop drive and work from the image file on another good hard disk.
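An added example, not from the original post, of the same dd imaging step with the two things a forensic examiner usually wants on top of plain dd: tolerating read errors on a dying drive, and recording hashes of source and image so the copy can later be shown to be faithful (aimage, discussed further down, does this itself). It assumes GNU coreutils (dd, sha1sum, wc) and a Linux block device; the device and paths are the ones the post uses.

```shell
#!/bin/sh
# Added example (not the post's own commands): image a drive with dd,
# then verify the image by hashing both sides. Assumes GNU coreutils.
# Usage: image_and_verify /dev/hda /mnt/backup/image.raw [/mnt/backup/image.log]

image_and_verify() {
    src="$1"; out="$2"; log="${3:-$2.log}"

    # conv=noerror,sync: keep reading past unreadable sectors and pad each
    # failed read with zeros, so offsets in the image still match the
    # original disk. Plain dd (as in the post) stops at the first error.
    # ibs=512 equals the sector size: at most one sector is zeroed per
    # failed read, and a whole-disk image gets no padding at the end
    # (a regular file whose size is not a multiple of 512 would be padded).
    # obs=1M batches the writes so the small reads do not slow the copy down.
    dd if="$src" of="$out" ibs=512 obs=1M conv=noerror,sync 2>>"$log" || return 1

    # Hash source and image. The source hash is what goes in the case notes;
    # the image hash lets anyone re-check the image file later.
    src_hash=$(sha1sum "$src" | cut -d' ' -f1)
    out_hash=$(sha1sum "$out" | cut -d' ' -f1)
    {
        printf 'source: %s sha1=%s bytes=%s\n' "$src" "$src_hash" "$(wc -c < "$src")"
        printf 'image:  %s sha1=%s bytes=%s\n' "$out" "$out_hash" "$(wc -c < "$out")"
    } >>"$log"

    # A mismatch means a read error was zero-padded (see the dd lines in the
    # log) or the source changed during imaging; either way the image is not
    # a verified copy, and the caller gets a non-zero exit status.
    [ "$src_hash" = "$out_hash" ]
}
```

Run it once from a read-only mount or, better, with the source drive not mounted at all, so nothing writes to the disk while it is being hashed.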

When I got home I needed to attach the 8GB IDE hard drive containing the drive image file to my ubuntu laptop, which I was going to use for the forensics work. I used a spare external IDE hard drive enclosure and plugged it into my laptop through a USB 2.0 cable.

I installed some new ubuntu packages for data forensics (available in version 6.10, Edgy, or newer):

$ sudo apt-get install autopsy sleuthkit afflib

Sleuthkit is a bunch of command line tools for data forensics, and autopsy gives a nice graphical interface that runs through a web browser. Using autopsy I was able to easily search through all my old files. All I had to do was enter the file type or keyword and all the relevant files would be listed. Even deleted files could be listed at the click of a button, and searched through by keyword or file type. (Using a tool like this only demonstrates further how important it is for a drive to be wiped with random data several times before being given away or disposed of.)

Along the way I ran into the AFF format… I knew that some people used bzip2 to compress the drive image for better storage, but programs like autopsy would require the image to be decompressed first. But autopsy can use drive images compressed in the AFF format… I’d never heard of this before.

I used afconvert to convert the raw drive image made with dd into the AFF format (Advanced Forensics Format). This allows compression (it uses the LZMA algorithm) and random seeking within the compressed image by programs like autopsy. On my Core 2 Duo laptop, the 6.5GB image was compressed (at the maximum compression setting) to 3.8GB and written to disk in about 30 minutes.

$ sudo afconvert -X9 -o /root/image.aff /media/usbdisk/image.raw

I was impressed that I could then burn the drive image file to a DVD+RW. Great for doing a backup. I’m curious how large a hard drive image could be fit onto a 4.6GB DVD in the compressed AFF format. Often the hard disk contains a lot of empty space, and if that empty space is filled with zeros beforehand, possibly a half-full 10GB hard drive partition could be backed up onto a DVD quite easily?

Another variation of the AFF file: large AFF files can be broken into multiple AFD files, which can be more easily moved around.

There doesn’t currently appear to be much information on the net about using the aimage command to create an AFF drive image. It has many features worth investigating, like intelligent error recovery similar to what is in ddrescue. Where dd is the good old classic standby, aimage provides many newer, more sophisticated features, compression and error recovery just to start.

Had I known about this before, I would have used aimage to image the drive directly to the AFF format (although it would probably have taken much longer to image the drive using a PIII than it did using dd).

Here’s the man page:

aimage 1.6.31

usage: aimage [options] INPUT1 [OUTFILE1] [INPUT2 OUTPUT2] ... --- image indev to outfile
INPUT may be any of these:
    A device (e.g. /dev/disk1)
    - (or /dev/stdin, for standard input)
    listen:nnnn Listen on TCP port nnnn
OUTFILE may be:
    outfile.aff --- image to the AFF file outfile

General Options:
--quiet, -q --- No interactive statistics.
--batch, -Y --- Batch output
--silent, -Q --- No output at all except for errors.
--readsectors=nn, -R nnnn, --- set number of sectors to read at once (default 32768)
--version, -v --- Just print the version number and exit.
--skip=nn[s], -k nn --- Skip nn bytes [or nns for sectors] in input file
--no_beeps, -B --- Don't beep when imaging is finished.
--logfile=fn, -l fn --- Where to write a log. By default none is written
--logAFF, -L --- Log all AFF operations
--preview, -p --- view some of the data as it goes by.
--no_preview, -P --- do not show the preview.

Existing File Options:
--append, -a --- Append to existing file
--zap, -z --- Erase outfile(s) before writing

Raw Output Options:
--raw=fname, -r fname --- write block-by-block output to fname.

AFF Options:
--outfile=fname, -ofname --- write an AFF file.
--image_pagesize=nnn, -S nnnn
    --- set the AFF page size (default 16777216)
    (number can be suffixed with b, k, m or g)
    Also sets maxsize to be 2^32 - image_pagesize if not otherwise set.
--make_config, -m --- Make the config file if it doesn't exist
    Config file is aimage.cfg by default
    and can be overridden by the AIMAGE_CONFIG enviroment variable
--no_dmesg, -D --- Do not put dmesg into the AFF file
--no_ifconfig, -I --- Do not put ifconfig output into AFF file
    (Currently unset)
--no_compress, -x --- Do not compress. Useful on slow machines.
--compression=n, -Xn --- Set the compression level
--auto_compress, -A --- write as fast as possible, with compression if it helps.
    sets compression level 1
--maxsize=n, -Mn --- sets the maximum size of output file to be n..
    Default units are megabytes;
    suffix with 'g', 'm', 'k' or 'b'
    use 'cd' for a 650MB CD.
    use 'bigcd' for a 700MB CD.
--setseg name=value, -s name=value
    --- Create segment 'name' and give it 'value'
    This option may be repeated.
--no_hash, -H --- Do not calculate MD5 and SHA1 of image.

Error Recovery Options:
--error=0, -e0 --- Standard error recovery:
    Read disk 256K at a time until there are 5 errors in a row.
    Then go to the end of the disk and read backwards
    until there are 5 erros in a row. Then stop.
--error=1 -e1 --- Stop reading at first error.
--retry=nn -tnn --- change retry count from 5 to nn
--reverse, -V --- Scan in reverse to the beginning.

--help, -h --- Print this message.
--fast_quit, -Z --- Make ^c just exit immediately.
--allow_regular, -E --- allow the imaging of a regular file
--title=s, -T s --- change title to s (from IMAGING) and disable blink
--debug=n, -d n --- set debug code n (-d0 for list)
--use_timers, -y --- Use timers for compressing, reading & writing times

Create image.aff from /dev/sd0:
    aimage /dev/sd0 image.aff
    aimage -o image.aff /dev/sd0

Create image0.aff from /dev/sd0 and image1 from /dev/sd1:
    aimage /dev/sd0 image0.aff /dev/sd1 /image1.aff

5 Comments
  1. Nicola Ken Barozzi
    May 7, 2007 6:00 am

    Thanks a bunch, without your post and afflib I couldn’t have put my image on a smaller drive I had! 😀

  2. June 11, 2007 4:09 am

    Do you have any suggestions? Why can’t I do file analysis on my image? I have tried the .img, .raw, and .zip formats. All of them, and it doesn’t work!

  3. September 17, 2008 8:42 pm

    I saw a picture of the laptop drive side of the HX-IDE-K and there is no blanked out hole, so how do you know which way to plug a laptop drive into it so you don’t blow up the laptop drive by guessing wrong (it allows you to plug the laptop drive in either way)? Thank you.

  4. Duke
    December 14, 2009 4:33 pm

    … Whoa! And I thought Windows was bad. Looks like I’ll be busy encrypting and wiping for a while.

  5. fourpointluxor
    February 12, 2013 10:15 am

    Your post was still helpful... thanks a lot.
