Forensic analysis on a disk image (dd)

If you have a disk image file (a dd file), here is a presentation of some tools for performing a forensic analysis on it. You can find more information about this file extension here [WhatIsFileExtension].

Retrieve information

  • file

Determine file type

Documentation : linux.die.net/man/1/file

file <filename>.dd
  • minfo

Print the parameters of a MSDOS filesystem

Documentation : linux.die.net/man/1/minfo

minfo -i <filename>.dd
  • fstat

Get file status

Documentation : linux.die.net/man/3/fstat

fstat <filename>.dd

Reference : [Azad 2020b]
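The three commands above identify what the image contains. Before running any of them on real evidence, a practitioner records a hash of the image and finds out whether the dd file is a whole-disk image (with a partition table) or a single partition, because fls and mount need the partition's start offset in the first case. The script below is an added example and is not part of the original page: it assumes sha256sum, file and the Sleuth Kit's mmls are installed, and it assumes 512-byte sectors when converting a start sector to a byte offset. The fls -o option and the partition-table check are my additions, not something the page describes.

```shell
#!/bin/sh
# Added example (not from the page): first-pass triage of a dd image.
# Assumes sha256sum, file and the Sleuth Kit's mmls are installed.

# Byte offset of a partition from its start sector.
# Second argument is the sector size; 512 bytes is assumed by default.
sector_to_bytes() {
  echo $(( $1 * ${2:-512} ))
}

# Extract the start sector of the first allocated partition from "mmls"
# output read on stdin. mmls prints one line per slot; allocated partitions
# have a slot id like "000:000", while the table itself shows "Meta" and gaps
# show "-------". Prints nothing when the image has no partition table.
first_partition_start() {
  awk '$1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+:[0-9]+$/ { print $3 + 0; exit }'
}

triage_image() {
  img=$1
  [ -r "$img" ] || { echo "cannot read $img" >&2; return 1; }
  # Record the hash before any tool touches the image (chain of custody).
  sha256sum "$img"
  # Same role as the page's "file" step: what kind of data is this?
  file "$img"
  # A dd of a whole device usually carries a partition table, so fls and
  # mount need the partition's offset; a dd of a single partition does not.
  # If mmls is missing or finds no table, the image is treated as one filesystem.
  start=$(mmls "$img" 2>/dev/null | first_partition_start)
  if [ -n "$start" ]; then
    echo "first partition starts at sector $start (byte offset $(sector_to_bytes "$start"))"
    echo "use: fls -o $start -rp -f <fstype> $img"
    echo "use: mount -o ro,loop,offset=$(sector_to_bytes "$start") $img /mnt/image"
  else
    echo "no partition table found; treat the image as a single filesystem"
  fi
}

# Usage: sh triage.sh <filename>.dd
if [ "$#" -ge 1 ]; then triage_image "$1"; fi
```

first_partition_start only reads text, so it can be checked against a saved mmls listing without the image at hand; the other two tools are only invoked by triage_image.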

List files - Fls

With the fls command you can list the files contained in the disk image

Manpage : sleuthkit.org/sleuthkit/man/fls.html

  • fat32
fls -rp -f fat32 <filename>.dd
  • NTFS
fls -rp -f ntfs <filename>.dd

If a file is preceded by an *, it is a deleted file.

Reference : [Azad 2020b]
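In practice you rarely read the whole fls listing by eye; you pull out the entries marked with * and, if needed, copy them out of the image by their metadata address. The following is an added example, not code from the page or from the Sleuth Kit project. It assumes the Sleuth Kit is installed and that fls prints each entry as type, an optional *, the metadata address with a trailing colon, a tab, then the path (the format of fls -rp). The icat command used to extract an entry by address, and the -o offset for images with a partition table, are my additions.

```shell
#!/bin/sh
# Added example (not from the page): pull the deleted entries out of
# "fls -rp" output and optionally copy them out with icat (Sleuth Kit).

# Reads fls -rp output on stdin. Each line looks like
#   r/r 4-128-1:<TAB>path/name          (allocated)
#   r/r * 66-128-1:<TAB>path/name       (deleted: "*" after the type)
# Prints "<meta-address><TAB><path>" for deleted entries only.
fls_deleted() {
  awk -F '\t' '{
    n = split($1, meta, " ")
    if (n >= 3 && meta[2] == "*") {
      sub(/:$/, "", meta[3])     # strip the trailing colon from the address
      print meta[3] "\t" $2
    }
  }'
}

# Count deleted entries in an fls listing read on stdin.
count_deleted() {
  fls_deleted | wc -l | tr -d ' '
}

# List deleted files in an image and, if an output directory is given, copy
# each one out with icat. FSTYPE is fat32 or ntfs as on the page; OFFSET is
# the partition start sector (0 for a single-filesystem image).
recover_deleted() {
  img=$1; fstype=$2; offset=${3:-0}; outdir=$4
  fls -o "$offset" -rp -f "$fstype" "$img" | fls_deleted |
  while IFS="$(printf '\t')" read -r addr path; do
    echo "deleted: $path (meta $addr)"
    if [ -n "$outdir" ]; then
      mkdir -p "$outdir/$(dirname "$path")"
      # icat writes the content of one metadata entry to stdout.
      icat -o "$offset" -f "$fstype" "$img" "$addr" > "$outdir/$path"
    fi
  done
}

# Usage: sh deleted.sh <filename>.dd ntfs [start-sector] [outdir]
if [ "$#" -ge 2 ]; then recover_deleted "$@"; fi
```

fls_deleted and count_deleted work on a saved listing as well as on live fls output, which is handy when the listing was captured earlier in the case. Recovered content is written under the output directory using the path fls reported, so a deleted file whose directory entry was reused may come out with an unexpected name; check the content, not just the name.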

Mount the dd image

You can mount the image with the command mount.

Documentation : linux.die.net/man/8/mount

mkdir /mnt/image
sudo mount -o loop <filename>.dd /mnt/image

Warning: do not mount the image on an existing directory containing files; they will be deleted!!!

Reference : [Mohan 2016]
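The mount command above mounts the image read-write, so any program that touches the mounted tree (a file manager generating thumbnails, a journal replay) can alter the evidence. The script below is an added example, not from the page or the cited article: it mounts into a fresh empty directory with ro, loop, noexec, nosuid and nodev, and hashes the image before and after the session so that any modification is detected. It assumes mount, umount, sudo and sha256sum are available; the offset option for images with a partition table is my addition.

```shell
#!/bin/sh
# Added example (not from the page): mount a dd image read-only and prove the
# evidence was not modified. Assumes mount, umount, sudo and sha256sum.

# Hash of the image, taken before and after the analysis session.
image_hash() {
  sha256sum "$1" | awk '{ print $1 }'
}

# Mount options for evidence: read-only (ro), via a loop device (loop), and
# nothing on the image may be executed or gain privileges (noexec,nosuid,nodev).
# Pass a byte offset when the image contains a partition table.
mount_opts() {
  if [ -n "$1" ] && [ "$1" -gt 0 ] 2>/dev/null; then
    echo "ro,loop,noexec,nosuid,nodev,offset=$1"
  else
    echo "ro,loop,noexec,nosuid,nodev"
  fi
}

# Mount into an empty directory created for this purpose, so no existing
# files end up under the mount point.
mount_image() {
  img=$1; mnt=$2; off=$3
  mkdir -p "$mnt"
  [ -z "$(ls -A "$mnt")" ] || { echo "$mnt is not empty, refusing" >&2; return 1; }
  sudo mount -o "$(mount_opts "$off")" "$img" "$mnt"
}

# Unmount and compare hashes; a mismatch means the image was written to.
verify_image() {
  img=$1; mnt=$2; before=$3
  sudo umount "$mnt"
  after=$(image_hash "$img")
  if [ "$after" = "$before" ]; then
    echo "image unchanged: $after"
    return 0
  fi
  echo "image CHANGED: $before -> $after" >&2
  return 1
}

# Usage: sh romount.sh <filename>.dd /mnt/image [byte-offset]
if [ "$#" -ge 2 ]; then
  h=$(image_hash "$1")
  mount_image "$1" "$2" "$3" && ls -la "$2" && verify_image "$1" "$2" "$h"
fi
```

With ro set, the hash comparison should never fail; if it does, look for a filesystem driver that replays its journal even on read-only mounts and add norecovery (ext4) or the equivalent option for that filesystem, then re-image from the original.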

Recover Files - Photorec

PhotoRec is a utility to recover files from a disk image. Its advantage is that it also recovers deleted files. You can find a presentation of the tool here: cgsecurity.org - PhotoRec

photorec <filename>.dd

Reference : [Sharma 2021]
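PhotoRec carves files by signature and does not know their original names, so it writes them as numbered files under recup_dir.1, recup_dir.2, ... and the same content frequently comes out more than once. The script below is an added example, not from the page or from the PhotoRec project: it builds a hash inventory of the recovered files so you can count distinct contents and set duplicates aside. It assumes sha256sum, find, sort and awk, and that PhotoRec was run with its default output layout (the /d option naming the output directory is my addition; check it against your PhotoRec version).

```shell
#!/bin/sh
# Added example (not from the page): inventory the files PhotoRec recovered.
# Assumes sha256sum, find, sort and awk. Example PhotoRec run that fills
# recup_dir.* under ./recovered (option from PhotoRec's command line, assumed):
#   photorec /d recovered <filename>.dd

# Prints "<sha256> <size> <path>" for every regular file under the directories
# given, sorted by hash so duplicates sit next to each other.
inventory() {
  find "$@" -type f -exec sha256sum {} + |
  while read -r hash path; do
    printf '%s %s %s\n' "$hash" "$(wc -c < "$path" | tr -d ' ')" "$path"
  done | sort
}

# Number of distinct contents in an inventory read on stdin.
unique_count() {
  awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Inventory lines whose hash appears more than once: candidate duplicates.
duplicates() {
  awk '{ n[$1]++; line[NR] = $0; h[NR] = $1 }
       END { for (i = 1; i <= NR; i++) if (n[h[i]] > 1) print line[i] }'
}

# Usage: sh inventory.sh recovered/recup_dir.*
if [ "$#" -ge 1 ]; then
  inv=$(inventory "$@")
  printf '%s\n' "$inv"
  total=$(printf '%s\n' "$inv" | wc -l | tr -d ' ')
  echo "files: $total, unique contents: $(printf '%s\n' "$inv" | unique_count)"
fi
```

Keep the inventory with the case notes: the hash column lets you tie a recovered file back to the image later, and the duplicates list tells you how much of the recovered volume is the same content carved several times.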

References

  1. AZAD, Usama, 2020a. How to Use Kali Linux Forensics Mode. LinuxHint. Online. 2020. [Accessed 16 September 2022]. Retrieved from: https://linuxhint.com/kali_linux_forensics_mode/
  2. AZAD, Usama, 2020b. USB Forensics. LinuxHint. Online. 2020. [Accessed 16 September 2022]. Retrieved from: https://linuxhint.com/usb_forensics/
  3. MOHAN, Shini, 2016. Solution To Mount DD Image In Linux OS. TechNewsKB. Online. 8 December 2016. [Accessed 16 September 2022]. Retrieved from: https://technewskb.com/mount-dd-image-linux-using-terminal-commands/
  4. SHARMA, Shashank, 2021. How To Recover Deleted Files From Any Drive in Linux. Tom's Hardware. Online. 21 August 2021. [Accessed 16 September 2022]. Retrieved from: https://www.tomshardware.com/how-to/recover-deleted-files-from-any-drive-in-linux
  5. WHATISFILEEXTENSION, no date. What is DD File Extension? Understanding Forensic DD Image. WhatIsFileExtension. Online. [Accessed 16 September 2022]. Retrieved from: https://www.whatisfileextension.com/dd/