Wednesday, May 7, 2014

Getting an image of a drive within Linux

---------------------------------------------- Create the Image ------------------------------------------
The image is created with the dd ("data definition") command.

Identify the machine that needs to be investigated and take an image of its hard disk. You can remove the disk and connect it to your forensics machine in order to image it. The disk may be anything from a hard disk to a floppy. That way you'll have two copies of the suspect disk: the image as well as the physical disk itself. We'll be examining both one by one. The tool 'dd' can take an image of the disk with this command:
dd if=/dev/sdc of=image.dd

Here we are taking an image of the disk sdc and saving it as image.dd. You can give the image any name; .dd is an extension used just to denote that it's an image taken with the 'dd' tool.
The input file and output file must be specified very carefully: if you put the source device in the target and vice versa, you may lose all your data.
"if" represents the input file and "of" represents the output file. So an exact copy of /dev/sdc will be written to /dev/fd0:
dd if=/dev/sdc of=/dev/fd0

dd if=<media/partition on a media> of=<image_file>
Example:
This creates an image of a hard drive in your home directory (~):
dd if=/dev/hda of=~/hdadisk.img

Now write the image back to a device (here the floppy device called fd0):
# dd if=image.dd of=/dev/fd0

---------------------------------------------- Mount the Image as Read-Only ------------------------------------------
This will mount the image read-only at the directory /mnt/investigation.
Here 'ro' and 'noexec' denote that the file system should be mounted read-only and non-executable, and 'loop' tells mount to attach the image file through a loop device. Note that this works directly on an image of a single partition; for an image of a whole disk (such as /dev/hda above) you also need offset=<partition start in bytes> in the mount options so the loop device starts at the partition you want.

mount -o ro,noexec,loop hdadisk.img /mnt/investigation
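The imaging and mount steps above, as an added example that is not part of the original post: it images a source with dd, verifies the copy by hashing both sides (an image is only evidence if its digest matches the source), and builds the read-only mount command. The "device" here is a constructed 1 MiB file so the script runs without root; in practice SRC would be something like /dev/sdc.

```shell
#!/bin/sh
set -eu

# Construct a fake 1 MiB "disk" with a recognisable marker (stand-in for /dev/sdc).
make_fake_disk() {
    # $1 = path of the fake device file
    dd if=/dev/zero of="$1" bs=1024 count=1024 status=none
    printf 'EVIDENCE-MARKER' | dd of="$1" bs=1 seek=512 conv=notrunc status=none
}

# Take the image. bs=4096 speeds up the copy; conv=noerror,sync keeps going past
# unreadable blocks and pads them with zeros instead of aborting with a short image.
take_image() {
    # $1 = source device, $2 = image file
    dd if="$1" of="$2" bs=4096 conv=noerror,sync status=none
}

# Hash source and image; prints "match" only when the digests are identical.
verify_image() {
    # $1 = source device, $2 = image file
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$src_hash" = "$img_hash" ]; then echo match; else echo MISMATCH; fi
}

# Build the read-only, non-executable loop mount command for the image (needs root
# to run; for a whole-disk image add offset=<partition start in bytes>).
mount_cmd() {
    # $1 = image file, $2 = mount point
    printf 'mount -o ro,noexec,loop %s %s\n' "$1" "$2"
}

# Usage (hypothetical paths): make_fake_disk /tmp/fake_sdc;
# take_image /tmp/fake_sdc /tmp/image.dd; verify_image /tmp/fake_sdc /tmp/image.dd
```

Record the printed digests alongside the image; re-hashing the image later shows whether it has changed since acquisition.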


Reference taken from:
http://resources.infosecinstitute.com/linux-and-disk-forensics/