Live Acquisition

I came across a Forensic Consultancy job that taught me how to perform a live acquisition with Kali Linux using a forensic tool called dd on the suspect hard drive. I was hired by a client to help them perform a Digital forensic Investigation on their employees who they suspected of doing fraudulent activities in the company. At that time I was more familiar in performing a dead forensic acquisition rather than live. I was faced with a bottleneck which had forced me to perform a live acquisition rather than the dead acquisition. 

The challenge I had faced with dead acquisition was that I had no sufficient tools to aid me to perform dead forensic acquisition. A thought crossed my mind that perhaps I should try and remove the hard drive from the PC, place it on an external drive case and then connect it to my forensic work station for acquisition but this caused a problem cause at that time I didn’t have an external hard drive case nor didn’t I want to take the risk of removing the hard drive from the suspect PC, this resulted in me heading for live acquisition as my solution on imaging the hard drive.

After doing my research I begun the process by changing my USB flash drive into a bootable drive using a software called rufus. Rufus is used to create and format a bootable USB flash drive or a live USB.

After installing rufus on my machine, I opened it, on the device pane I selected the device I want to make bootable, then on boot selection you choose the ISO you want the flash to be for my case I selected the Kali Linux ISO, after that click on start. A pop up will appear just click ok and then proceed to the next step.

Note: if there is only one usb device connected to your machine then rufus will automatically detect it and you will see it appear in the device section.

After finishing making the USB device to be bootable the next step is to restart the PC, once the PC begin the restart process immediately start pressing the F9 key to get to the boot menu of Kali Linux. A pop up will appear that will ask you where do you want to boot from, here you select your USB flash disk and after loading, a boot menu will appear and then select live system

Once Kali Linux has loaded the next step is to open terminal and type the command dd –help to get the options to use along with dd

The next step was to connect another usb drive for storing the image, make sure the second USB drive should be larger that the hard drive your trying to image. First I had to see the block name of the USB that I was going to store the image where I typed the command lsblk (means list block) and saw that my storage USB was sdc. Then I changed directory to media/root then changed directory to the name of your USB drive where in my case it was Transcend and that’s where I stored my Image file.

This technique is very useful when you have limited resources, As a result, I managed to acquire the forensic image of the suspect drive and proceeded with my Investigation.

Download Live Acquisition

Leave a Reply

Your email address will not be published. Required fields are marked *