
    How to Image Machines for Forensic Use

    Having an exact copy of the disk of an affected machine is important for forensics and potential legal proceedings. It's important to note that if you do not feel comfortable imaging a machine, taking notes, ensuring the integrity of the data, and auditing your response, you should hand this task to an Incident Response provider.

    Imaging The Problem Machine Overview

    At this point, the problem/target machine has been infiltrated by some sort of actor, who has likely dropped some way to regain access to it and/or a worm such as ransomware that is impacting the environment. Additionally, the machine has already been powered off; otherwise, you should perform a Live Capture of Volatile Information for Incident Response first! It's also possible you have your own in-house solution for imaging, which is fine as well.

    Just keep in mind that the image must be exact. Many enterprise imaging solutions modify the image and filesystem to keep image size down (skipping unallocated space, for example), whereas here we want to preserve every single piece of data on the disk, because anti-forensic techniques hide data in exactly the places such tools discard.

     

    Imaging Tools

    As this write-up covers, you do not need a dedicated forensics distribution for basic imaging and copying. However, if you want to perform any analysis on the resulting images, such a distribution can be very helpful thanks to its built-in toolset.

    Blumira recommends using SANS SIFT unless you have a preferred solution for forensic work on an image. SIFT is a well-built solution from SANS that provides all of the tools you need to complete the task described here. It does require a free SANS account, which only takes a few minutes to set up.

    You have two choices depending on your goal. If you are working in a virtual environment, we recommend the first option, the pre-built OVA file. If this is a physical box, or you need an ISO to boot a live environment, use Option 2 from the SIFT download page. In Blumira testing it works without issue on Ubuntu 18 Desktop when following the installation directions on GitHub. Once you've completed the Option 2 steps, you should have a full SIFT workstation. Please refer to the "Building SIFT" section below for any gotchas.

    ---

    There are other tools out there that work just as well as SIFT and will likely solve your needs. If you have any tools you want added to this list of reviewed tools, shoot us a message at support@blumira.com.

     

    Imaging Steps

    Now that you have a working tool, here are the steps to image the disk of your target machine. Keep in mind, you should never image back to the disk you're currently imaging. Always write the image to an external destination such as an external drive or network share.
    1. At this point, you're on the SIFT workstation or a *Nix distro (Ubuntu 18 Desktop, for example), either booted from a live CD or in the VM, and you have access to the drive from the target machine. In this example we assume you're on a live CD or otherwise have direct access to the target's /dev/ devices (for example, the drive attached to your workstation). Leave the target's filesystems unmounted; dd reads the raw device, and mounting them read-write would alter timestamps and journal data you want to preserve.
    2. Determine which device you want to clone. You can do this with a number of tools such as gparted or fdisk. You are looking for disks such as /dev/sda in the output below that match the target device to be imaged. Note which device is your destination drive as well, so you do not image onto it.
      ubuntu@ubuntu:~$ sudo fdisk -l
      ...
      Disk /dev/sda: 60 GiB, 64424509440 bytes, 125829120 sectors
      Units: sectors of 1 * 512 = 512 bytes
      Sector size (logical/physical): 512 bytes / 512 bytes
      I/O size (minimum/optimal): 512 bytes / 512 bytes
      Disklabel type: dos
      Disk identifier: 0xd8ed2960
      Device     Boot   Start       End   Sectors  Size Id Type
      /dev/sda1  *       2048   1126399   1124352  549M  7 HPFS/NTFS/exFAT
      /dev/sda2       1126400 125827071 124700672 59.5G  7 HPFS/NTFS/exFAT
    3. You can also use gparted, an application installed on most UI-based *Nix distros, to sort out which disk you should copy.
    4. Run dd to clone the disk(s) you need. This can be a slow process unless your drives are quite small. Keep in mind, you should not be writing the image out to your main drive; it should go to the external drive. conv=noerror keeps dd going past unreadable sectors, and conv=sync pads each failed read with zeros so the rest of the image stays at the correct offsets.
      dd if=/dev/<device> of=/mnt/external/<hostname>_<device>_YYYYMMDDhhmm.dd bs=1M conv=noerror,sync status=progress
      # For example, if your drive was /dev/sda and it was May 13th, 2019 at 8:00 AM:
      dd if=/dev/sda of=/mnt/external/targetHostname_sda_201905130800.dd bs=1M conv=noerror,sync status=progress
    5. Repeat this for every disk in the target machine, but never for the destination you are writing to. For example, if fdisk showed sda and sdb belonging to the target and your external drive appears as sdc (or you are writing to an NFS share), image sda and sdb but not sdc.
    6. You're all set! You now have an exact copy of each drive saved. Record a hash (for example sha256sum) of each image file alongside your notes so its integrity can be demonstrated later, and the machine can be torn down unless further forensics on the BIOS and other on-board chips are to be performed.
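    The imaging steps above as one script, added here as a worked example; it is not Blumira's tooling and not part of SIFT. It wraps the dd command from step 4, refuses a destination directory that lives on the disk being imaged, hashes the source device and the resulting image with sha256sum, and writes both hashes to a log next to the image so the copy can be shown to be exact later. The function names (image_device, verify_image, demo_fake_disk), the log format, the UTC timestamp and the use of findmnt for the self-imaging check are this example's own choices; the demo runs against a constructed 3 MiB file standing in for a real device.

```shell
#!/usr/bin/env bash
# Added example, not part of the original Blumira article or of SIFT:
# acquire a raw image of a disk with dd, then hash source and image so the
# copy can be shown to be exact. Paths and the hostname are supplied by the caller.
set -euo pipefail

# image_device SRC DEST_DIR HOSTNAME
#   SRC       device to acquire, e.g. /dev/sda (a regular file also works for testing)
#   DEST_DIR  mount point of the external drive or network share receiving the image
#   HOSTNAME  target machine's hostname, used in the image file name
# Writes HOSTNAME_<dev>_YYYYMMDDhhmm.dd plus a .log beside it and prints the image path.
# Returns 0 if the image hash matches the source hash, 2 if it does not.
image_device() {
  local src="$1" dest_dir="$2" host="$3"
  local stamp img log src_hash img_hash

  # Refuse to image a disk onto itself: the destination must not live on SRC.
  # (findmnt is util-linux; if it is missing the check is skipped.)
  case "$(findmnt -n -o SOURCE --target "$dest_dir" 2>/dev/null || true)" in
    "$src"*) echo "refusing: $dest_dir is on $src" >&2; return 1 ;;
  esac

  stamp="$(date -u +%Y%m%d%H%M)"   # UTC avoids DST ambiguity in the evidence log
  img="${dest_dir}/${host}_$(basename "$src")_${stamp}.dd"
  log="${img}.log"

  # conv=noerror keeps going past unreadable sectors; conv=sync pads each
  # short read to a full block so offsets stay aligned. The padding is bs
  # wide, so on a damaged disk use a smaller bs (e.g. 512) to lose less data.
  dd if="$src" of="$img" bs=1M conv=noerror,sync status=progress

  src_hash="$(sha256sum "$src" | cut -d' ' -f1)"
  img_hash="$(sha256sum "$img" | cut -d' ' -f1)"
  {
    echo "acquired_utc=${stamp}"
    echo "source=${src}"
    echo "image=${img}"
    echo "sha256_source=${src_hash}"
    echo "sha256_image=${img_hash}"
  } > "$log"

  echo "$img"
  # A mismatch means read errors were zero-filled (or the disk changed while
  # being read); the image is still kept, but the log records the difference.
  [ "$src_hash" = "$img_hash" ] || return 2
}

# verify_image IMG: re-hash a stored image and compare with its .log entry.
# Returns 0 if unchanged, 1 otherwise. Run before analysis and before hand-off.
verify_image() {
  local img="$1" recorded current
  recorded="$(sed -n 's/^sha256_image=//p' "${img}.log")"
  current="$(sha256sum "$img" | cut -d' ' -f1)"
  [ "$recorded" = "$current" ]
}

# demo_fake_disk: exercise the workflow on a constructed 3 MiB "disk" file
# (not a real device) in a temp directory. Prints OK when the image hashes
# match, verify_image accepts it and the sizes agree, otherwise FAIL.
demo_fake_disk() {
  local work fake img
  work="$(mktemp -d)"
  fake="${work}/fake_disk"
  # constructed sample input: 3 MiB of pseudo-random bytes standing in for /dev/sdX
  head -c $((3 * 1024 * 1024)) /dev/urandom > "$fake"
  mkdir -p "${work}/external"
  if img="$(image_device "$fake" "${work}/external" demohost 2>/dev/null)" \
     && verify_image "$img" \
     && [ "$(stat -c %s "$img")" -eq "$(stat -c %s "$fake")" ]; then
    echo OK
  else
    echo FAIL
  fi
  rm -rf "$work"
}

# Stand-alone use on a real disk from the SIFT live environment:
#   sudo bash acquire.sh /dev/sda /mnt/external targetHostname
if [ "$#" -eq 3 ]; then
  image_device "$1" "$2" "$3"
fi
```

    A non-zero return of 2 from image_device is not necessarily a failed acquisition: with conv=noerror,sync, every unreadable block in the source is replaced by zeros in the image, so the two hashes legitimately differ on a damaged disk. Keep the image, note the dd error output with your notes, and treat the recorded sha256_image value as the reference for verify_image from that point on.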

     

    Building SIFT

    Depending on where you're installing Ubuntu and how you retrieved the base ISO, the available repositories can differ wildly from one install to another. This can cause issues while building the SIFT workstation that the SIFT documentation does not mention. Blumira recommends replacing your /etc/apt/sources.list with the following to ensure the correct dependencies are available for installation.
    deb http://archive.ubuntu.com/ubuntu bionic main restricted
    deb-src http://archive.ubuntu.com/ubuntu bionic main restricted
    deb http://archive.ubuntu.com/ubuntu bionic-updates main restricted
    deb-src http://archive.ubuntu.com/ubuntu bionic-updates main restricted
    deb http://archive.ubuntu.com/ubuntu bionic universe
    deb-src http://archive.ubuntu.com/ubuntu bionic universe
    deb http://archive.ubuntu.com/ubuntu bionic-updates universe
    deb-src http://archive.ubuntu.com/ubuntu bionic-updates universe
    deb http://archive.ubuntu.com/ubuntu bionic multiverse
    deb-src http://archive.ubuntu.com/ubuntu bionic multiverse
    deb http://archive.ubuntu.com/ubuntu bionic-updates multiverse
    deb-src http://archive.ubuntu.com/ubuntu bionic-updates multiverse
    deb http://archive.ubuntu.com/ubuntu bionic-backports main restricted universe multiverse
    deb-src http://archive.ubuntu.com/ubuntu bionic-backports main restricted universe multiverse
    deb http://security.ubuntu.com/ubuntu bionic-security main restricted
    deb-src http://security.ubuntu.com/ubuntu bionic-security main restricted
    deb http://security.ubuntu.com/ubuntu bionic-security universe
    deb-src http://security.ubuntu.com/ubuntu bionic-security universe
    deb http://security.ubuntu.com/ubuntu bionic-security multiverse
    deb-src http://security.ubuntu.com/ubuntu bionic-security multiverse

    You will need to run the following apt-get command before installing SIFT. You should still follow the SIFT write-ups to get the installer executable into the correct place, /usr/local/bin.

    sudo apt-get install -y --allow-change-held-packages salt-common salt-minion

    Then run the SIFT installer and follow the SIFT install process. When it completes, you will have a full SIFT workstation into which you can plug the drive from the target device.
