In digital forensics, you can use the command line to acquire forensic evidence images in several formats, such as the Expert Witness Format (EWF) files, the EnCase Evidence Files E01, dd (RAW), SMART and AFF.
This article will show you how to use the command line in Windows, Mac and Linux to acquire forensic images.
How to Acquire Forensic Images in E01 and dd formats using the Command Line?
Here are the three (3) different ways you can use the command line to perform forensic image acquisition.
Method 1. Acquire E01 format using the command line
Using Linux and Mac, you need to install the libewf and ewf-tools to acquire E01 evidence files.
Type the following to install from APT;
sudo apt install libewf-dev ewf-tools
Begin E01 acquisition
Once installed, you can acquire a disk image in E01 format using the following command;
sudo ewfacquire -t /Cases/001/001_2022_USB_folder /dev/sdc
- -t option here allows us to specify a destination folder.
- /Cases/001/001_2022_USB_folder refers to our destination folder where we store our E01 evidence files.
- /dev/sdc refers to the target disk we want to acquire.
Change all the options and parameters according.
Once you hit <Enter>, you may be asked additional questions like inputting a case number and specifying a segment size for each evidence file.
You can use –S 4G to have the segment size of the evidence size to be 4 gigabytes per file.
Verify E01 acquisition
Verifying your E01 is essential to ensure that you got the forensic imaging process done correctly.
The acquisition hash must match the verification hash. Both hash values must be the same.
This can be checked using the following command.
ewfinfo /Cases/001/001_2022_USB_folder.E01
ewfverify /Cases/001/001_2022_USB_folder.E01
You must point to the first E01 file, which will automatically verify the subsequent evidence files.
Method 2. Acquire dd (RAW) format using the command line
Using Linux and Mac, you can acquire the raw dd image format.
Note that this raw image does not require additional installation as it is built-in onto Linux and Mac operating systems.
Begin dd (RAW) acquisition
Login to the Terminal as a root user, type the following and key in your user password;
sudo su
Before you acquire any drives, always list the drives using this command;
df- h
As the dd (raw) format does not contain any computation hash in its header, it is important that you need to hash the drive first, so you can verify it after the forensic image is done.
md5sum /dev/sdb1 > /media/originalMD5
Start the forensic acquisition process
dd if=/dev/sdb1 of=/media/diskImage.img bs=1k
- if refers to the input file. This is the target disk
- of refers to the output file. This is your destination drive/folder
- bs refers to block size. You can leave it as 1K default.
Verify dd (RAW) acquisition
Once the acquisition is completed, verify your forensic evidence file by hashing it again to ensure it matches the original hash.
md5sum /media/diskImage.img > /media/verificationMD5
Method 3. Acquire RAW, SMART, E01 and AFF formats using FTK Imager Command Line
Using Windows, you can use the FTK Imager command line version, a popular forensic image acquisition tool to acquire forensic images.
The command line imager can be run on an external USB flash drive and plugged into the target machine.
Type the following to see the Help manual.
ftk imager --help
Begin forensic acquisition
Before you acquire any drives, always list all the attached physical drives in the target machine first. Use the following command;
ftkimager --list-drives
Begin forensic acquisition using;
ftkimager.exe C:/ F:\path\to\destinationfile\image001 --e01
- C:/ is the target disk you want to image
- F:\path\to\destinationfile\image001 is the destination drive/folder you want to image onto
- -e01 is the E01 evidence file format you want as the output. You can change this into dd, SMART or AFF.
Verify forensic acquisition
Verify the forensic evidence files using the following;
ftkimager --verify F:\path\to\destinationfile\image001
Once completed, you will get the message that says, “Image verification complete”
Make sure that the computed hash and the verification hash match.