Having an exact copy of a machine's disk is important for forensics and for any legal proceedings that may follow. If you do not feel comfortable imaging a machine, taking notes, ensuring the integrity of the data, and auditing your own response, you should hand this task to an Incident Response provider.
At this point, the problem/target machine has been infiltrated by some sort of actor, and they have likely dropped some way to regain access to it and/or worm-like ransomware that is impacting the environment. This guide also assumes the machine has already been powered off; if it has not, perform Live Capture of Volatile Information for Incident Response first! It's also fine if you have your own in-house imaging solution.
Just keep in mind that the image must be exact. Many enterprise imaging solutions modify the image and filesystem to keep image size down, but here we want to preserve every single piece of data associated with the machine, because anti-forensic techniques can hide data in places a trimmed image would discard.
As this write-up will show, you do not need fancy forensics distributions for basic imaging and copying. However, if you want to perform any analysis on the resulting images, they can be very helpful thanks to their built-in toolsets.
Blumira recommends using SANS SIFT unless you have a preferred solution for forensic work on an image. SIFT is a well-built solution from SANS, and it provides all of the tools you need to complete the task described here. It does require a free SANS account, which only takes a few minutes to set up.
You have two choices, depending on your goal for forensic work on images. If this is a virtual environment, we recommend the first option: the OVA file that has already been set up. If this is a bare-metal box, or you need an ISO you can boot into a live environment, use Option 2 from the link above. In Blumira testing it works without issue on Ubuntu 18 Desktop when following the installation directions found here on GitHub. Once you've completed the Option 2 steps, you should have a full SIFT workstation. Please refer to the "Building SIFT" section below for any gotchas.
There are other tools out there that work just as well as SIFT and will likely meet your needs too. If you have any tools you want added to this list of reviewed tools, shoot us a message at [email protected]
Now that you have a working tool, here are the steps to image the disk on your target machine. Keep in mind that you should never write the image back to the disk you are currently imaging. Always image to an external destination such as an external drive or a network share. First, identify the target disk with fdisk:
$ sudo fdisk -l
Disk /dev/sda: 60 GiB, 64424509440 bytes, 125829120 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xd8ed2960
Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 1126399 1124352 549M 7 HPFS/NTFS/exFAT
/dev/sda2 1126400 125827071 124700672 59.5G 7 HPFS/NTFS/exFAT
Then copy the whole disk, sector for sector, to the external destination, naming the image after the host, the device and the timestamp:
dd if=/dev/[device] of=/mnt/external/[hostname]_[device]_YYYYMMDDhhmm.dd bs=1M conv=noerror,sync status=progress
# For example, if your drive was /dev/sda and it was May 13th, 2019 at 8AM EST:
dd if=/dev/sda of=/mnt/external/targetHostname_sda_201905130800.dd bs=1M conv=noerror,sync status=progress
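The dd command above makes the copy, but it does not record anything that proves the copy is exact, which is the point of the integrity and note-taking steps mentioned at the start. The helper below is an added example written for this article, not Blumira's or SIFT's own tooling: it wraps the same dd invocation, applies the host_device_timestamp naming convention, refuses to write onto the disk being imaged, and hashes both the source and the image with SHA-256 so the result can be verified and logged. The function name `image_disk` and the `custody.log` file are assumptions; it also accepts a plain file in place of a block device so it can be exercised without hardware.

```shell
#!/bin/sh
# image_disk DEVICE OUTDIR HOSTNAME  (prints the image path; exit 0 only if hashes match)
# Hypothetical helper for this write-up; not part of SIFT or any Blumira product.
image_disk() {
    dev="$1"; outdir="$2"; host="$3"
    [ -r "$dev" ] && [ -d "$outdir" ] || { echo "bad device or output dir" >&2; return 2; }

    # Never image onto the disk being imaged: refuse if $outdir is backed by $dev.
    case "$(df -P "$outdir" | awk 'NR==2 {print $1}')" in
        "$dev"*) echo "refusing: $outdir lives on $dev" >&2; return 2 ;;
    esac

    stamp=$(date -u +%Y%m%d%H%M)    # UTC, in the YYYYMMDDhhmm form used above
    img="$outdir/${host}_$(basename "$dev")_${stamp}.dd"

    # Byte length of the source: block devices via blockdev, plain files via stat
    # (a plain file stands in for the device when testing without real hardware).
    size=$(blockdev --getsize64 "$dev" 2>/dev/null || stat -c %s "$dev")

    # Same options as the article's dd; conv=sync pads a short final read up to a
    # full 1M block, so the image file can be slightly longer than the source.
    dd if="$dev" of="$img" bs=1M conv=noerror,sync 2>"$img.log" || return 1

    src_hash=$(sha256sum "$dev" | cut -d' ' -f1)
    # Hash only the first $size bytes of the image so sync padding cannot skew the check.
    img_hash=$(head -c "$size" "$img" | sha256sum | cut -d' ' -f1)
    # Hash of the image file as stored, for later `sha256sum -c` on the evidence copy.
    sha256sum "$img" > "$img.sha256"

    # One chain-of-custody line per image: who/what/when plus both hashes.
    printf '%s host=%s source=%s bytes=%s source_sha256=%s image=%s image_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$host" "$dev" "$size" "$src_hash" \
        "$img" "$img_hash" >> "$outdir/custody.log"

    echo "$img"
    [ "$src_hash" = "$img_hash" ]   # non-zero exit means the copy is NOT exact
}
```

Hashing the source separately means a second full read of the disk; on a large drive you can instead pipe dd through `tee` into `sha256sum` to hash the stream in one pass.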
Depending on where you're installing Ubuntu and how you obtained the base ISO, the repositories available can differ wildly from one install to another. This can cause issues while building the SIFT workstation that their documentation does not mention. Blumira recommends replacing your /etc/apt/sources.list with the following to ensure the correct dependencies are available for installation:
deb http://archive.ubuntu.com/ubuntu bionic main restricted
deb-src http://archive.ubuntu.com/ubuntu bionic main restricted
deb http://archive.ubuntu.com/ubuntu bionic-updates main restricted
deb-src http://archive.ubuntu.com/ubuntu bionic-updates main restricted
deb http://archive.ubuntu.com/ubuntu bionic universe
deb-src http://archive.ubuntu.com/ubuntu bionic universe
deb http://archive.ubuntu.com/ubuntu bionic-updates universe
deb-src http://archive.ubuntu.com/ubuntu bionic-updates universe
deb http://archive.ubuntu.com/ubuntu bionic multiverse
deb-src http://archive.ubuntu.com/ubuntu bionic multiverse
deb http://archive.ubuntu.com/ubuntu bionic-updates multiverse
deb-src http://archive.ubuntu.com/ubuntu bionic-updates multiverse
deb http://archive.ubuntu.com/ubuntu bionic-backports main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu bionic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb-src http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
deb-src http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse
deb-src http://security.ubuntu.com/ubuntu bionic-security multiverse
You will need to run the following apt-get command before installing SIFT. Beyond that, follow the SIFT write-ups to get the installer executable into the correct place, /usr/local/bin.
sudo apt-get install -y --allow-change-held-packages salt-common salt-minion
Then run the SIFT installer and follow the SIFT install process. When it completes, you will have a full SIFT workstation into which you can plug the drive from the target device.