How to do Live Data Acquisition using KALI Linux

What is KALI Linux?

Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools aimed at various information security tasks, such as Penetration Testing, Forensics and Reverse Engineering.

Why use KALI Linux for Live Data Acquisition?

KALI Linux is used because it comes with a forensic mode, so it is ready with forensic tools such as dcfldd (which can write a hash log of the data it copies) and others. KALI Linux can also be booted on machines that normally run Windows or Apple operating systems.

Step 1:

– Insert the KALI Linux bootable USB into the ‘Suspect’ notebook or workstation.

– Turn on the ‘Suspect’ notebook or workstation and boot the KALI Linux system.

– Select ‘Live (forensic mode)’ from the KALI Linux startup menu (Refer to Picture 01).

Picture 01


Step 2:

– Open a terminal window from the left pane of the KALI desktop (Refer to Picture 02).

Picture 02


Step 3:

– Type the command “fdisk -l” to view the drives of the suspect notebook or workstation. In the picture below, the main suspect drive has the physical label ‘sda’ and is divided into two partitions, ‘sda1’ and ‘sda2’ (Refer to Picture 03).

Picture 03


Step 4:

– Attach the destination hard disk storage that will hold the image of the suspect hard drive (Refer to Picture 04).

Picture 04


Step 5:

– Type the “fdisk -l” command to check that the destination hard drive storage is attached to the suspect notebook or workstation. In the picture below, the destination storage is labelled “sdc” (Refer to Picture 05).

Picture 05


Step 6:

– Format the destination hard drive storage. Type the command “mkfs.ntfs -f /dev/sdc1” to format it (Refer to Picture 06). Double-check the device name against the output of Step 5 first: this command erases whatever is on the partition you name.

Picture 06

Step 7:

– Make a mount-point directory. For example, create a directory named evidence by typing the command “mkdir /mnt/evidence” (Refer to Picture 07).

Picture 07


Step 8:

– Mount the destination hard drive storage on the evidence directory created before. Type the command “mount /dev/sdc1 /mnt/evidence” to mount it (Refer to Picture 08).

Picture 08


Step 9:

– Type the command “cd /mnt/evidence” to enter the evidence directory (Refer to Picture 09).

Picture 09

Step 10:

– Type the command “dcfldd if=/dev/sda of=/mnt/evidence/DF20160922-1-NB01.dd hashlog=/mnt/evidence/DF20160922-1-NB01.md5” to start acquiring the suspect hard drive (Refer to Picture 10). The option is spelled hashlog; dcfldd writes the MD5 of the data it read into that file.

Note: DF20160922-1-NB01 is the case reference number. You can use your own case reference number or label.

Picture 10


Step 11:

– The live acquisition starts running (Refer to Picture 11).

Picture 11


Step 12:

– The image acquisition is completed (Refer to Picture 12).

Picture 12


Step 13:

– Type the “ls” command to check that the image and the md5 file have been created (Refer to Picture 13).

Picture 13


Step 14:

– Type the command “cat DF20160922-1-NB01.md5” to view the hash value (Refer to Picture 14).

Picture 14
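Steps 10 to 14 acquire the drive and display the hash, but the hash shown in Step 14 is the MD5 of what dcfldd read from /dev/sda; the check a practitioner wants is that the image file written to the destination disk has the same MD5. The script below is an added example and is not code from the original post. It wraps the Step 10 command in a function (with the added options hash=md5, bs=4M and conv=noerror,sync, which are real dcfldd options but not used in the post) and then verifies an image against its hashlog. It assumes the hashlog contains a line of the form "Total (md5): <32 hex digits>", which is what dcfldd writes, and the demonstration at the bottom runs on constructed data (a small file standing in for /dev/sda) so it can be executed without root or a real disk.

```shell
#!/bin/sh
# Added example: acquire with dcfldd and verify the written image against the hashlog.

# Step 10 from the post as a function. Requires root and dcfldd; NOT run by the
# demonstration below. hash=md5 names the algorithm explicitly, bs=4M reads in
# large blocks, conv=noerror,sync continues past unreadable sectors (padding them).
acquire_image() {
    dcfldd if="$1" of="$2" bs=4M hash=md5 hashlog="$3" conv=noerror,sync
}

# Pull the first 32-hex-digit token out of a dcfldd hashlog (the "Total (md5):" line).
# Assumption: the hashlog uses that layout; any 32-hex token is accepted to be safe.
hashlog_md5() {
    grep -o -i '[0-9a-f]\{32\}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# MD5 of the image file as it sits on the destination disk (coreutils md5sum).
image_md5() {
    md5sum "$1" | cut -d ' ' -f 1
}

# Compare recorded and actual hashes. Returns 0 on match, 1 on mismatch or
# when the hashlog contains no hash at all.
verify_image() {
    img="$1"
    log="$2"
    recorded=$(hashlog_md5 "$log")
    actual=$(image_md5 "$img")
    if [ -n "$recorded" ] && [ "$recorded" = "$actual" ]; then
        echo "OK: $img matches hashlog ($actual)"
        return 0
    fi
    echo "MISMATCH: hashlog='$recorded' image='$actual'" >&2
    return 1
}

# Constructed demonstration data: a tiny file stands in for the suspect drive and
# a hand-written hashlog stands in for the one dcfldd would produce.
demo_dir=$(mktemp -d)
demo_img="$demo_dir/DF20160922-1-NB01.dd"
demo_log="$demo_dir/DF20160922-1-NB01.md5"
printf 'constructed suspect disk contents\n' > "$demo_img"
printf 'Total (md5): %s\n' "$(image_md5 "$demo_img")" > "$demo_log"

# A second, deliberately wrong hashlog to show the mismatch path.
bad_log="$demo_dir/bad.md5"
printf 'Total (md5): 00000000000000000000000000000000\n' > "$bad_log"

# Usage on real evidence (after Step 10 has finished):
#   verify_image /mnt/evidence/DF20160922-1-NB01.dd /mnt/evidence/DF20160922-1-NB01.md5
verify_image "$demo_img" "$demo_log"
verify_image "$demo_img" "$bad_log" || echo "(expected mismatch on the constructed bad hashlog)"
```

Run the verification against the image on the destination disk while it is still mounted at /mnt/evidence, and record the matching hash with the case reference. Kali's forensic mode does not auto-mount drives, which is why Step 8 mounts sdc1 by hand; the same applies to any drive you attach later to re-check the image.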
