Session 07 - Carving Partitions with dd

Requirements are found here

Make sure you've transferred able2.tar.gz to your machine; as usual, the home directory is a good place to put it.

Start the Task

Create a directory to store the transferred able2.tar.gz file (-p also creates ~/analysis if it does not exist yet).

$ mkdir -p ~/analysis/able2


Move the able2.tar.gz file from your home directory into the able2 directory.

$ mv ~/able2.tar.gz ~/analysis/able2


Now change directory into that newly created directory.

$ cd ~/analysis/able2


Now extract able2.tar.gz.

$ tar -xzvf able2.tar.gz


List the contents of the able2 directory again to see if the files were extracted successfully.

$ ls -lh


When the forensic image file was created, the author also generated an md5sum hash file for it. Have a look at its contents.

$ cat md5.dd


Make a note of the hash. Alternatively, you can have md5sum check it for you and report whether the hashes match, instead of comparing this long sequence of hex digits by eye.

$ md5sum able2.dd


Better to have this done automatically:

$ md5sum -c md5.dd


The next command shows the log file, which contains the output of what would have been fdisk -l /dev/hdd and sfdisk -l -uS /dev/hdd on the original disk. Scroll down to the sfdisk output, or refer to the output on page 76 of the Grundy tutorial, file version 2.55.

$ less able2.log


Now split the image file into its separate partitions, using the start sector and sector count of each partition as given in the log file: bs=512 is the sector size, skip is the partition's start sector, and count is its length in sectors.

$ dd if=able2.dd of=able2.part1.dd bs=512 skip=57 count=10203

$ dd if=able2.dd of=able2.part2.dd bs=512 skip=10260 count=102600

$ dd if=able2.dd of=able2.part3.dd bs=512 skip=112860 count=65835

$ dd if=able2.dd of=able2.part4.dd bs=512 skip=178695 count=496755

The partition table can also be read straight from the image file, to confirm the skip and count values used above:

$ sfdisk -l -uS able2.dd
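The four dd commands above are the sfdisk table typed out by hand, and a mistyped skip or count silently produces a wrong carve. The script below is an added example (not part of the Grundy tutorial): it parses an sfdisk -l -uS table, checks each row for consistency (#sectors must equal End - Start + 1), runs the same dd commands for every partition, and verifies that each carved file has exactly count*512 bytes. The table embedded in ABLE2_TABLE is a constructed sample that reproduces the values the page's commands use; it assumes 512-byte sectors, as the commands do.

```shell
#!/bin/sh
# Carve every partition listed in an sfdisk -l -uS table out of a raw image.
# Assumes sector units (-uS), columns "Device Boot Start End #sectors Id System",
# and 512-byte sectors. Added example, not the tutorial's own code.

# Constructed sample table, matching the skip/count values of the page's dd commands.
ABLE2_TABLE='
   Device Boot Start     End   #sectors  Id  System
able2.dd1          57   10259      10203  83  Linux
able2.dd2       10260  112859     102600  83  Linux
able2.dd3      112860  178694      65835  82  Linux swap
able2.dd4      178695  675449     496755  83  Linux
'

carve_plan() {  # carve_plan TABLE_TEXT  -> one "device start sectors" line per partition
  printf '%s\n' "$1" | awk '
    $1 ~ /[0-9]$/ && $2 ~ /^(\*|[0-9]+)$/ {
      i = ($2 == "*") ? 3 : 2          # skip the boot flag column if present
      start = $i; end = $(i + 1); count = $(i + 2)
      # sfdisk reports End inclusive, so a sane row has #sectors == End - Start + 1
      if (count != end - start + 1) {
        printf "inconsistent row for %s\n", $1 > "/dev/stderr"; exit 1
      }
      printf "%s %d %d\n", $1, start, count
    }'
}

carve_partitions() {  # carve_partitions IMAGE TABLE_TEXT OUTDIR
  image=$1; table=$2; outdir=$3
  base=$(basename "$image" .dd)
  mkdir -p "$outdir" || return 1
  plan=$(carve_plan "$table") || return 1
  while read -r dev start count; do
    out="$outdir/$base.part${dev##*[!0-9]}.dd"   # able2.dd3 -> able2.part3.dd
    dd if="$image" of="$out" bs=512 skip="$start" count="$count" 2>/dev/null || return 1
    # A short read (image smaller than the table claims) leaves a truncated file.
    [ "$(wc -c < "$out" | tr -d ' ')" -eq $((count * 512)) ] \
      || { echo "short read on $out" >&2; return 1; }
  done <<EOF
$plan
EOF
}

# Stand-alone: print the dd commands the sample table implies (no image needed).
carve_plan "$ABLE2_TABLE" | while read -r dev start count; do
  echo "dd if=able2.dd of=able2.part${dev##*[!0-9]}.dd bs=512 skip=$start count=$count"
done
```

Run `carve_partitions able2.dd "$(cat table.txt)" ./parts` with the sfdisk section of able2.log saved to table.txt to carve all four partitions in one go.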