[Boards: 3 / a / aco / adv / an / asp / b / bant / biz / c / can / cgl / ck / cm / co / cock / d / diy / e / fa / fap / fit / fitlit / g / gd / gif / h / hc / his / hm / hr / i / ic / int / jp / k / lgbt / lit / m / mlp / mlpol / mo / mtv / mu / n / news / o / out / outsoc / p / po / pol / qa / qst / r / r9k / s / s4s / sci / soc / sp / spa / t / tg / toy / trash / trv / tv / u / v / vg / vint / vip / vp / vr / w / wg / wsg / wsr / x / y ] [Search | Free Show | Home]

How do I do hard drive forensics?

This is a blue board which means that it's for everybody (Safe For Work content only). If you see any adult content, please report it.
  1. Home
  2. /g/ - Technology
  3. How do I do hard drive forensics?
Thread replies: 24
Thread images: 6

Anonymous
2017-09-15 12:41:03 Post No. 62435895
[Report] Image search: [Google]
File: fEC2cBzKpbVmks24QV2yeP.png (796KB, 1582x889px) Image search: [Google]
fEC2cBzKpbVmks24QV2yeP.png
796KB, 1582x889px
Anonymous 2017-09-15 12:41:03 Post No. 62435895 [Report]
How do I do hard drive forensics?
>>
Anonymous 2017-09-15 12:43:41 Post No.62435925
[Report]
Anonymous 2017-09-15 12:43:41 Post No.62435925 [Report]
>>62435895
You open up the HDD cover and use a magnet to remove the encryption. Then you reformat the drive with easier to read FAT32.
>>
Anonymous 2017-09-15 12:44:08 Post No.62435934
[Report]
Anonymous 2017-09-15 12:44:08 Post No.62435934 [Report]
>>62435895
buy a lot of hardware and software products
>>
Anonymous 2017-09-15 12:44:44 Post No.62435939
[Report]
Anonymous 2017-09-15 12:44:44 Post No.62435939 [Report]
>>62435925
>open the cover

I don't have a positive pressure clean room.
>>
Anonymous 2017-09-15 12:49:01 Post No.62436005
[Report]
Anonymous 2017-09-15 12:49:01 Post No.62436005 [Report]
>>62435895
run
# dd if=/dev/random of=/dev/sda
>>
Anonymous 2017-09-15 12:51:22 Post No.62436047
[Report]
Anonymous 2017-09-15 12:51:22 Post No.62436047 [Report]
>>62436005
it worked thanks
>>
Anonymous 2017-09-15 12:51:56 Post No.62436055
[Report]
Anonymous 2017-09-15 12:51:56 Post No.62436055 [Report]
>>62436005
I'm not trying to put a pedo in jail.
>>
Anonymous 2017-09-15 12:52:47 Post No.62436065
[Report]
Anonymous 2017-09-15 12:52:47 Post No.62436065 [Report]
>>62436055
good to know :^)
>>
Anonymous 2017-09-15 12:53:17 Post No.62436074
[Report]
Anonymous 2017-09-15 12:53:17 Post No.62436074 [Report]
>>62435939
Install a window fan.
>>
Anonymous 2017-09-15 02:07:23 Post No.62436900
[Report] Image search: [Google]
Anonymous 2017-09-15 02:07:23 Post No.62436900 [Report]
File: 1465189990053.gif (302KB, 500x500px) Image search: [Google]
1465189990053.gif
302KB, 500x500px
>>62435895
Depends on what you're trying to do.
Recovery? Forensic analysis?
>>
Anonymous 2017-09-15 02:11:42 Post No.62436958
[Report]
Anonymous 2017-09-15 02:11:42 Post No.62436958 [Report]
>>62435895
Use a LiveCD that supports forensics.
>>
Anonymous 2017-09-15 02:29:30 Post No.62437182
[Report]
Anonymous 2017-09-15 02:29:30 Post No.62437182 [Report]
>>62436900
I don't know what's in it.

I just know there was a bunch of corporate data written on it.
>>
Anonymous 2017-09-15 02:41:12 Post No.62437312
[Report] Image search: [Google]
Anonymous 2017-09-15 02:41:12 Post No.62437312 [Report]
File: IMG_1375.jpg (164KB, 1200x630px) Image search: [Google]
IMG_1375.jpg
164KB, 1200x630px
>>62437182
That's hardly informative. Is it busted or not?
>>
Anonymous 2017-09-15 02:41:36 Post No.62437320
[Report]
Anonymous 2017-09-15 02:41:36 Post No.62437320 [Report]
>>62437312
Not busted, but wiped.
>>
Anonymous 2017-09-15 02:45:52 Post No.62437377
[Report] Image search: [Google]
Anonymous 2017-09-15 02:45:52 Post No.62437377 [Report]
>>62437320
For future reference, this is known as forensic analysis. What happens next largely depends on two factors: if the wipe was up to NIST standards (STFW for "Guttman Wipe") or simply formatted.

I'd use photorec to take a quick look around if you want to do this casually, or you can take the official route of making a proper forensic image.

Choice is yours, really.
>>
Anonymous 2017-09-15 02:47:36 Post No.62437390
[Report]
Anonymous 2017-09-15 02:47:36 Post No.62437390 [Report]
>>62435895
install gentoo
>>
Anonymous 2017-09-15 02:48:24 Post No.62437398
[Report]
Anonymous 2017-09-15 02:48:24 Post No.62437398 [Report]
>>62437377
Thanks, anon.
>>
Anonymous 2017-09-15 02:56:27 Post No.62437513
[Report] Image search: [Google]
Anonymous 2017-09-15 02:56:27 Post No.62437513 [Report]
File: ziNh454.jpg (452KB, 1000x709px) Image search: [Google]
ziNh454.jpg
452KB, 1000x709px
>>62437398
Think nothing of it. A bit of knowledge and usable experience here can be nice when applied properly. What a pity it doesn't happen more often.
>>
Anonymous 2017-09-15 02:58:05 Post No.62437530
[Report]
Anonymous 2017-09-15 02:58:05 Post No.62437530 [Report]
>>62435895
what ya do, is put the HDD under the microscope and read the data.
>>
Anonymous 2017-09-15 03:01:53 Post No.62437565
[Report]
Anonymous 2017-09-15 03:01:53 Post No.62437565 [Report]
>>62437513
Another interested anon here. What is the "official" route? Just clone onto another disk?
>>
Anonymous 2017-09-15 03:08:36 Post No.62437632
[Report] Image search: [Google]
Anonymous 2017-09-15 03:08:36 Post No.62437632 [Report]
File: narcosa.jpg (341KB, 1376x930px) Image search: [Google]
narcosa.jpg
341KB, 1376x930px
>>62437565
In a sense. In forensic acquisition, it is absolutely imperative that the contents of the disk do not become modified while in acquisition, transit or storage. While most would rely on a copy of software like Encase to verify this, I would assume hash sums and a block-for-block copy of the disk may be sufficient.

While working with these forensic images, take great care to throw them through a loopback set as read only- it would be like a detective fudging a crucial piece of evidence in a case!
>>
Anonymous 2017-09-15 04:55:48 Post No.62438643
[Report]
Anonymous 2017-09-15 04:55:48 Post No.62438643 [Report]
>>62435895
You need a really good microscope. Preferably an electron microscope to see all the little electrons
>>
Anonymous 2017-09-15 04:59:42 Post No.62438678
[Report]
Anonymous 2017-09-15 04:59:42 Post No.62438678 [Report]
>>62435895
The tools off kali worked well. I forget the name of the one I used, but it was able to scan a block device for regex strings (SSN, CCN, etc) :^)
>>
Anonymous 2017-09-15 05:32:20 Post No.62438936
[Report]
Anonymous 2017-09-15 05:32:20 Post No.62438936 [Report]
>>62437530
I think u mean telescope
Thread posts: 24
Thread images: 6
[Boards: 3 / a / aco / adv / an / asp / b / bant / biz / c / can / cgl / ck / cm / co / cock / d / diy / e / fa / fap / fit / fitlit / g / gd / gif / h / hc / his / hm / hr / i / ic / int / jp / k / lgbt / lit / m / mlp / mlpol / mo / mtv / mu / n / news / o / out / outsoc / p / po / pol / qa / qst / r / r9k / s / s4s / sci / soc / sp / spa / t / tg / toy / trash / trv / tv / u / v / vg / vint / vip / vp / vr / w / wg / wsg / wsr / x / y] [Search | Top | Home]

I'm aware that Imgur.com will stop allowing adult images since 15th of May. I'm taking actions to backup as much data as possible.
Read more on this topic here - https://archived.moe/talk/thread/1694/


If you need a post removed click on it's [Report] button and follow the instruction.
DMCA Content Takedown via dmca.com
All images are hosted on imgur.com.
If you like this website please support us by donating with Bitcoins at 16mKtbZiwW52BLkibtCr8jUg2KVUMTxVQ5
All trademarks and copyrights on this page are owned by their respective parties.
Images uploaded are the responsibility of the Poster. Comments are owned by the Poster.
This is a 4chan archive - all of the content originated from that site.
This means that RandomArchive shows their content, archived.
If you need information for a Poster - contact them.