The following steps show you how to use dd and MD5 to create, restore, and verify forensically sound disk images:
First, we start by creating an MD5 checksum of a disk. To do this, first log in as root, and open a command prompt. Create the MD5 checksom for the disk to be duplicated using the following:
md5sum /dev/fd0 > /tmp/original-md5
This command creates the MD5 checksum of the device, /dev/fd0, and outputs the result to a file named /tmp/ original-md5.
View the checksum with cat /tmp/original-md5.
Now, create an image file of the disk.
Use dd to create a binary copy of the disk:
*Remember to unmount the disk before using dd.
in OS X, use diskutil unmountDisk /dev/disk1
dd if=/dev/fd0 of=/tmp/disk.img bs=1k
The if=/dev/fd0 parameter directs dd to use the device /dev/fd0 as the input file. The of=/tmp/disk.img parameter tells dd to output the data to a file named /tmp/disk.img. The bs=1k tells dd to use a block size of 1024 or 1KB.
Next, we'll use MD5 to verify the accuracy of the image file. First, create the MD5 checksum for the image file with the following:
md5sum /tmp/disk.img > /tmp/image-md5
Compare the checksums of the original disk and the image file using the following:
cat /tmp/*md5
The cat command displays the contents of files that end with md5. Note that the checksums are identical.
Next, you'll restore the image file to a blank disk.
Use dd to copy the image file to the disk:
dd if=/tmp/disk.img of=/dev/fd0 bs= 1k
This command reverses the flow of the data, whereas the command in step 2 created the image file.
Create the checksum for the duplicate disk:
md5sum /dev/fd0 > /tmp/duplicate-md5
Now, use cat to verify the accuracy of the duplicate disk by comparing the checksums of all three versions:
cat /tmp/*md5
Test MD5 against an altered image file. Do this by first adding a single byte of data to the image file:
echo x >> /tmp/disk.img
Then, create a new checksum for the image file:
md5sum /tmp/disk.img > /tmp/corrupt-md5
Finally, compare the checksums for each step of this exercise:
cat /tmp/*md5
Note how a difference of only 1 byte causes the MD5 to change drastically. This demonstrates the value of using and checking the MD5 signatures of files when downloading them from the Internet.
*Taken from http://www.informit.com/articles/article.aspx?p=27203&seqNum=3
No comments:
Post a Comment