How would you go about preparing a forensic copy of a disk? Would your procedure change if it was a RAID device? How about if it was an SSD? How would you do it if you were using a Unix or Linux computer?


Answer Preview

Part-1:

Preparing a forensic copy of a disk:

A forensic copy captures the full disk together with its partitions, and a copy can be made from any kind of disk, such as an HDD, SSD, or USB drive. Type the following commands in a terminal and follow these steps:

1.  Run lsblk at the command prompt. The output shows the disk as sda, along with its partitions sda1, sda2, and sda3.

2.  In the output, sda is labelled D, which denotes a disk, and sda1, sda2, and sda3 are labelled P, which denotes the partitions of that disk.

3. Set if= to /dev/sda, or to the name of the appropriate disk or partition.

4. For example, if the user wants to back up the whole disk sda to a file named disk-forensic-1.img, the command looks like this:

       dc3dd if=/dev/sda hof=./forensic-copies/disk-forensic-1.img \
             hash=md5 hash=sha256 log=./file-log verb=on ssz=512

Part-2:

The procedure of forensic copy of the disk in RAID device: Making a forensic copy of a disk in a RAID device involves identifying the device and acquiring the digital data. The procedure has two parts, as follows:

  1. Acquiring an accurate disk image: To get the disk image from the RAID device, the computer forensic examiner uses a disk imaging tool. The disk imaging tool makes an accurate copy of the source, and whichever tool is used to make the replica must not change the data it copies and must not make any changes to the source data.
  2. Acquiring a complete disk image: The tool is verified to copy all the data on the source. This is normally confirmed by validating each bit of the data on the copied drive. The RAID presents a transparent view without affecting the forensic tool. The use of a hash function guarantees that all the data have been copied.

Part-3:

About if it was an SSD: A solid-state drive is like a hard drive without moving parts, similar to the memory cards used in digital cameras, and it is used in desktop and laptop computers. Having no moving parts allows data to be transferred at maximum speeds.

The five things to consider if it was an SSD are as follows:

  1. Expectations of the Speedy performance
  2. OS and application movement
  3. The prices will not burn the pocket
  4. Storage limitations
  5. Installation and warranty

Part-4:

If the user were using a Unix or Linux computer: The Linux operating system is built around a kernel, and the operating system collects the pieces that work together as a fully functional, complete product. The kernel is a small part of the OS in Linux, and Linux has a group of drivers that handle the hardware.

Step-by-step explanation

Part-1:

Preparing a forensic copy of a disk:

When running dc3dd to create the copy of a disk, various options are available:

  1. if= the file or disk to copy
  2. hof= the hashed output file
  3. hash= the hash types to use, for example md5 or sha256, to show that the output is an exact copy of the file
  4. log= the location where the log is created
  5. verb= show the current progress
  6. Don't use if and hof at the same time, because it deletes the data

Part-2:

The procedure of forensic copy of the disk in RAID device: The source drive is verified by computing a hash value for the whole drive, both before the duplication and after the duplication. If the source drive holds the same data after the duplication, it is considered unchanged, and once the data has been duplicated, the hash value computed before and the hash value computed after should be the same for the drive.

Acquiring a Complete Disk Image: When a disk imaging tool is used on a RAID volume, it will not copy all the information on a drive. The imaging tool meets two cases: the volume needs to be imaged through the RAID controller, or the drive is removed.

Part-3:

About if it was an SSD:

The five things to consider if it was an SSD are as follows:

  1. Expectations of speedy performance: With an SSD in a laptop, a digital camera, or a PC used for video games, the device uses less electrical power and provides longer battery life for the laptop and the computer.
  2. OS and application movement: Moving the current operating system and its applications to the SSD is done with disk-copying software that copies the entire OS drive. The device allows the process to connect to the SSD through the PC.
  3. The prices will not burn the pocket: SSD prices are decreasing, and some SSD sellers offer cheaper SSDs with good performance.
  4. Storage limitations: For the operating system, 128 GB is enough for the system as well as programs and games. When the SSD gets full, the system becomes slow while it runs, but file transfer speed is high, which is useful when installing the OS and its apps.
  5. Installation and warranty: The solid-state drive is installed in the system and comes with a warranty of several years from Microsoft, for a long lifespan with speedy performance.

Part-4:

If the user were using a Unix or Linux computer: Linux and Unix differ only slightly. Unix consists of three main parts: the kernel (as in Linux), the shell, and the programs. Everything in Unix is either a file or a process. A process is a running program identified by a unique PID. A file is a collection of data, created by users with editors and compilers.
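
The hash-before, image, hash-after check described in Part-1 and Part-2, as an added example that is not part of the original answer. It uses dd and sha256sum in place of dc3dd and a constructed 4 MiB file in place of /dev/sda; the function names sha256_of, acquire_and_verify and verify_image are hypothetical.

```shell
#!/bin/sh
# Added example: hash-verified acquisition. dd + sha256sum stand in for dc3dd.

sha256_of() {
    # Print only the hex digest of a file or block device.
    sha256sum "$1" | awk '{print $1}'
}

# acquire_and_verify SRC IMG LOG
# Returns 0 only if source-before, image and source-after hashes all match.
acquire_and_verify() {
    src=$1; img=$2; log=$3
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$img" ]; then echo "refusing to overwrite $img" >&2; return 2; fi

    before=$(sha256_of "$src")
    # dd opens if= for reading only, so the source is never written to.
    dd if="$src" of="$img" bs=1M 2>/dev/null || return 3
    copy=$(sha256_of "$img")
    after=$(sha256_of "$src")
    chmod 0444 "$img"   # guard the evidence file against accidental writes

    {
        echo "source=$src image=$img"
        echo "sha256_source_before=$before"
        echo "sha256_image=$copy"
        echo "sha256_source_after=$after"
    } >> "$log"

    [ "$before" = "$copy" ] && [ "$before" = "$after" ]
}

# verify_image IMG LOG: re-check an image against the hash logged at acquisition.
verify_image() {
    recorded=$(sed -n 's/^sha256_image=//p' "$2" | tail -n 1)
    [ -n "$recorded" ] && [ "$(sha256_of "$1")" = "$recorded" ]
}

# Constructed stand-in for a source disk, so this runs without a real device.
WORK=$(mktemp -d)
dd if=/dev/urandom of="$WORK/source.bin" bs=1M count=4 2>/dev/null
if acquire_and_verify "$WORK/source.bin" "$WORK/disk-forensic-1.img" "$WORK/file-log"; then
    echo "acquisition verified"
fi
```

On a real case the source would be the block device reported by lsblk, attached through a write blocker, and the log would be kept with the image.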