What is Kali Linux?
Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools aimed at various information security tasks, such as Penetration Testing, Forensics and Reverse Engineering.
Why I use Kali Linux for live data acquisition
Kali Linux is used because it ships with a forensic boot mode, so it comes ready with forensic tools such as dcfldd (with its hashlog option) and others. Kali Linux can also be booted on both Windows and Apple hardware platforms.
– Insert the bootable Kali Linux USB into the ‘Suspect’ notebook or workstation.
– Turn on the ‘Suspect’ notebook or workstation and boot into Kali Linux from the USB.
– Select ‘Live (forensic mode)’ from the Kali Linux boot menu (Refer to Picture 01). In this mode Kali does not auto-mount the internal disks or use their swap space, which is what keeps the suspect drive unchanged during the acquisition.
– Open a terminal from the left pane of the Kali desktop (Refer to Picture 02).
– Type the command “fdisk -l” to list the drives of the suspect notebook or workstation. In the picture below, the main suspect drive is the physical disk labelled ‘sda’, which is divided into two partitions, ‘sda1’ and ‘sda2’ (Refer to Picture 03).
– Attach the destination hard disk that will store the image of the suspect hard drive (Refer to Picture 04).
– Type the “fdisk -l” command again to check that the destination hard disk is attached to the suspect notebook or workstation. In the picture below the destination storage is labelled “sdc” (Refer to Picture 05).
– Format the destination hard disk. Type the command “mkfs.ntfs -f /dev/sdc1” to format it (Refer to Picture 06). Double-check the device name before running this: formatting ‘sda’ instead of ‘sdc1’ would destroy the evidence.
– Make a mount point directory, for example one named evidence. Type the command “mkdir /mnt/evidence” to create it (Refer to Picture 07).
– Mount the destination hard disk on the evidence directory created in the previous step. Type the command “mount /dev/sdc1 /mnt/evidence” to mount it (Refer to Picture 08).
– Type the command “cd /mnt/evidence” to enter the evidence directory (Refer to Picture 09).
– Type the command “dcfldd if=/dev/sda of=/mnt/evidence/DF20160922-1-NB01.dd hashlog=/mnt/evidence/DF20160922-1-NB01.md5” to start acquiring the suspect hard drive (Refer to Picture 10).
– Note: DF20160922-1-NB01 is the case reference number. You can use your own case reference number or label.
– The live acquisition starts running (Refer to Picture 11).
– The image acquisition is completed (Refer to Picture 12).
– Type the “ls” command to check that the image and the md5 file were created (Refer to Picture 13).
– Type the command “cat DF20160922-1-NB01.md5” to view the hash value (Refer to Picture 14).
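A verification step to run after the acquisition, added here as an example (it is not part of the original post): it recomputes the MD5 of the image file and compares it with the value dcfldd wrote to the hashlog, so a copy error or a later modification of the image shows up as a mismatch. The hashlog line format (“Total (md5): <hash>”) and the file names used in the demo are assumptions.

```shell
#!/bin/sh
# Verify an acquired image against the md5 that dcfldd wrote to its hashlog.
# Constructed example; file names below are assumed, not from the original post.

# Pull the first 32-hex-digit token out of the hashlog. dcfldd writes a line
# such as "Total (md5): <hash>" when no hashwindow is set (assumed format);
# grepping for the token keeps this working if the label wording differs.
hash_from_log() {
    grep -o -E '[0-9a-fA-F]{32}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# Recompute md5 over the image and compare it with the logged value.
# Prints VERIFIED or MISMATCH and returns 0 / 1 accordingly.
verify_image() {
    image="$1"
    log="$2"
    logged=$(hash_from_log "$log")
    [ -n "$logged" ] || { echo "no md5 found in $log"; return 1; }
    actual=$(md5sum "$image" | cut -d ' ' -f 1)
    if [ "$actual" = "$logged" ]; then
        echo "VERIFIED $image $actual"
        return 0
    fi
    echo "MISMATCH $image logged=$logged actual=$actual"
    return 1
}

# Constructed demo: a tiny stand-in "image" and a hashlog in dcfldd's style.
demo() {
    dir=$(mktemp -d)
    printf 'not a real disk image\n' > "$dir/DF20160922-1-NB01.dd"
    h=$(md5sum "$dir/DF20160922-1-NB01.dd" | cut -d ' ' -f 1)
    printf 'Total (md5): %s\n' "$h" > "$dir/DF20160922-1-NB01.md5"
    verify_image "$dir/DF20160922-1-NB01.dd" "$dir/DF20160922-1-NB01.md5"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

On the real evidence disk, run `verify_image /mnt/evidence/DF20160922-1-NB01.dd /mnt/evidence/DF20160922-1-NB01.md5` and record the printed line alongside the case notes.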