How to do Live Data Acquisition using Kali Linux

What is Kali Linux?

Kali Linux is a Debian-based Linux distribution built for penetration testing and security auditing. It ships several hundred tools covering information security tasks such as penetration testing, digital forensics and reverse engineering.

Why I use Kali Linux to do Live Data Acquisition?

Kali Linux offers a 'Live (forensic mode)' boot option. In that mode the internal disks are not touched (nothing is auto-mounted and no swap partition is used), and the forensic tools needed here, such as dcfldd with its hashlog option, are already installed. Because it boots from a USB stick, it runs on ordinary notebooks and workstations as well as Apple hardware, regardless of whether Windows or macOS is installed on them. Note that the suspect's own operating system is never started: 'live' here refers to the Kali live USB, and what is acquired is the powered-off suspect disk.

Step 1:

– Insert the bootable Kali Linux USB into the 'Suspect' notebook or workstation.

– Power on the 'Suspect' notebook or workstation and boot it from the USB (select the USB device in the firmware boot menu so that the suspect's internal disk is not booted).

– Select 'Live (forensic mode)' from the Kali Linux boot menu (Refer to Picture 01).

Picture 01

Step 2:

– Open a terminal from the launcher in the left pane of the Kali desktop (Refer to Picture 02).

Picture 02

Step 3:

– Type the command "fdisk -l" to list the drives in the suspect notebook or workstation. In the picture below the suspect's physical disk is labelled 'sda' and is divided into two partitions, 'sda1' and 'sda2' (Refer to Picture 03). Note the disk size reported here so that the source can be identified unambiguously in the case notes; device letters alone are not a reliable identifier.

Picture 03

Step 4:

– Attach the destination hard drive that will store the image of the suspect hard drive (Refer to Picture 04). It must have more free space than the full size of the suspect disk, since the image is a sector-by-sector copy.

Picture 04

Step 5:

– Type the command "fdisk -l" again to confirm that the destination hard drive is attached to the suspect notebook or workstation. Compare with the previous output: the device that was not there before is the destination, labelled "sdc" in the picture below, while the suspect disk is still "sda" (Refer to Picture 05).

Picture 05

Step 6:

– Format the destination hard drive. Type the command "mkfs.ntfs -f /dev/sdc1" to quick-format the destination partition (Refer to Picture 06). Double-check the device name before pressing Enter: running mkfs on the suspect disk destroys the evidence. If the destination disk has no partition yet, create one with fdisk first; if it already holds a suitable filesystem, this step can be skipped.

Picture 06

Step 7:

– Create a mount point for the destination drive. For example, to create a directory named evidence, type the command "mkdir /mnt/evidence" (Refer to Picture 07).

Picture 07

Step 8:

– Mount the destination partition on the mount point created in the previous step. Type the command "mount /dev/sdc1 /mnt/evidence" (Refer to Picture 08).

Picture 08

Step 9:

– Type the command "cd /mnt/evidence" to enter the evidence directory (Refer to Picture 09).

Picture 09

Step 10:

– Type the command "dcfldd if=/dev/sda of=/mnt/evidence/DF20160922-1-NB01.dd hashlog=/mnt/evidence/DF20160922-1-NB01.md5" to start acquiring the suspect hard drive (Refer to Picture 10). "if=" is the suspect disk, "of=" is the image file on the destination drive, and "hashlog=" is the file into which dcfldd writes the hash (MD5 by default) of the data it read from the source.

Note: DF20160922-1-NB01 is the case reference number. Use your own case reference number or label.

Picture 10

Step 11:

– The acquisition starts running; dcfldd prints the number of blocks copied as it proceeds (Refer to Picture 11).

Picture 11

Step 12:

– The image acquisition is completed (Refer to Picture 12).

Picture 12

Step 13:

– Type the "ls" command to check that the image file and the .md5 hash file have been created (Refer to Picture 13).

Picture 13

Step 14:

– Type the command "cat DF20160922-1-NB01.md5" to view the hash value (Refer to Picture 14). This is the hash of the source data as dcfldd read it; to complete the chain of custody, independently compute the hash of the image file on the destination drive, confirm that it matches, and record both values together with the date, the case reference and the disk details in the case notes.

Picture 14
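The procedure from Step 3 to Step 14, together with the verification step the post leaves to the reader, as one script. This is an added example written for this page, not code from the original post. It assumes the same device names and case reference as the screenshots (/dev/sda as the suspect disk, /dev/sdc1 as the destination partition, DF20160922-1-NB01 as the label); the helper names same_disk, hash_from_log and verify_image are my own, and the "Total (md5): ..." line the parser looks for is the format dcfldd writes to its hashlog when it finishes, with a fallback to any 32-character hex token in the file. It is meant to be run as root from Kali forensic mode, and it only touches a disk when started with the argument "acquire".

```shell
#!/bin/bash
# Added example for this page (not from the original post).
# Assumed devices, as in the post: suspect disk /dev/sda, destination /dev/sdc1.
set -u

# Refuse to image when the destination is the suspect disk or a partition on it
# (e.g. SRC=/dev/sda DST=/dev/sda1); a slip here overwrites the evidence.
same_disk() {
    src="$1"; dst="$2"
    case "$dst" in
        "$src"|"$src"[0-9]*|"$src"p[0-9]*) return 0 ;;
    esac
    return 1
}

# Print the MD5 recorded in a dcfldd hashlog. The summary line is
# "Total (md5): <32 hex chars>"; fall back to the first 32-hex token found.
hash_from_log() {
    log="$1"
    h=$(sed -n 's/^Total (md5): *\([0-9a-f]\{32\}\).*/\1/p' "$log" | head -n1)
    if [ -z "$h" ]; then
        h=$(grep -oE '[0-9a-f]{32}' "$log" | head -n1 || true)
    fi
    [ -n "$h" ] || return 1
    printf '%s\n' "$h"
}

# Hash the image file that landed on the destination drive and compare it with
# the hash dcfldd computed while reading the source. A match shows the bytes on
# the destination are exactly the bytes that were read. Returns 0 on match.
verify_image() {
    image="$1"; log="$2"
    logged=$(hash_from_log "$log") || { echo "no hash found in $log" >&2; return 2; }
    actual=$(md5sum "$image" | cut -d' ' -f1)
    if [ "$logged" = "$actual" ]; then
        echo "VERIFIED $image md5=$actual"
        return 0
    fi
    echo "MISMATCH $image logged=$logged actual=$actual" >&2
    return 1
}

# Steps 7 to 14 in one go: mount the destination, image the source, verify.
acquire() {
    src="$1"; dst_part="$2"; ref="$3"; mnt=/mnt/evidence
    if same_disk "$src" "$dst_part"; then
        echo "destination $dst_part is on the suspect disk $src; aborting" >&2
        return 1
    fi
    mkdir -p "$mnt"
    mount "$dst_part" "$mnt" || return 1
    # conv=noerror,sync keeps going past unreadable sectors and zero-fills them so
    # offsets in the image stay aligned; a smaller bs loses less data per bad read.
    # hash=md5 hashlog=... writes the source hash to the .md5 file, as in the post.
    dcfldd if="$src" of="$mnt/$ref.dd" bs=4096 conv=noerror,sync \
        hash=md5 hashlog="$mnt/$ref.md5" || return 1
    sync
    verify_image "$mnt/$ref.dd" "$mnt/$ref.md5"
}

# Sourcing the file only defines the functions; imaging needs an explicit request.
if [ "${1:-}" = "acquire" ]; then
    acquire /dev/sda /dev/sdc1 DF20160922-1-NB01
fi
```

Save it on the Kali USB and run "./acquire.sh acquire" once fdisk -l has confirmed which device is which. The same_disk check is deliberately a string test on device names rather than anything clever: in forensic mode nothing on the suspect disk is mounted, so there is no mount table to consult, and the name you typed is exactly what dcfldd will open. dcfldd also accepts a list such as hash=md5,sha256 if a second algorithm is wanted alongside the MD5 the post records.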
