Imaging digital media - archived 3/5/2018
- Magnetic media
- Optical media
Magnetic media (3.5" floppy disks, Zip disks)
- TD3 Forensic Imager
- Physical write-protection
Tableau Forensic Imager
The Tableau Forensic Imager (TD3) is a modular forensic imaging system that has an intuitive, easy-to-use interface.
Some Comments on the TD3 disk-to-file outputs
Sample log file output from TD3 attached for our review. Some log entries of note are:
Case ID: The case ID number.
Case Notes: Miscellaneous information about the case or duplication process for future reference.
Regarding TD3 user defined destination naming, the following is a sample of what's possible:
E:\2017009_01_001
└───2017_01_001_diskimage
└───2017-03-31_10-46-25
2017009_01_001_diskimage.E01
2017009_01_001_diskimage.log
2017009_01_001_diskimage.packed_log
Note, the path on the destination disk for a disk-to-file duplication can be set:
\2017009_01_001\2017_01_001_diskimage
The TD3 setting for "Image Dir Naming" cannot be disabled or set to user defined. There are options for date + time, serial number/model number. The sample output is set to date + time:
2017-03-31_10-46-25
The "Image File Naming" setting does allow for user defined, as shown in sample:
2017009_01_001_diskimage.E01
The "_diskimage.packed_log" file can be discarded (not preserved) in my opinion, as it serves machine storage and transfer operational tasks, not intended for human readable, and contains less information than "_diskimage.log".
Write-protecting 3.5" floppies
3.5" floppy disks have small sliding tabs at their lower right-hand corners that control their read-write status. In order to physically ensure that your floppy disks are read-only, check to see whether the tab is closed (i.e., you are unable to see through it) or open (you are able to see through it): if open, the disk is write-protected. The first disk pictured below is read-write, the second is read-only (write-protected).
Optical media (CD-ROMs)
- dd
For optical media, using the dd command is one of the simplest options for capturing a raw image.
The basic anatomy of a dd command:
dd if=path/to/fileinput of=path/to/fileoutput.iso bs=512 conv=noerror
- "if" designates the source media (your CD)
- the command "diskutil list" is helpful, if you want to see the volumes you have mounted (CDs are often "/dev/disk2", but this is an easy way to confirm that)
- "of" designates your target directory/file output
- "bs" refers to "block size" or bit-transfer rate, 512 is the default r/w rate, but can be fairly slow for disks that hold a lot of data – as you can see in my example below, I use a block size of 65536
- "conv=noerror" tells the Terminal not to stop processing if it encounters an input error
Sample command with "tee":
dd if=/dev/disk2 bs=65536 conv=noerror,sync | tee /Volumes/Untitled/2017009_02_001/2017009_02_001_diskimage/2017009_02_001_diskimage.iso | md5 > /Volumes/Untitled/2017009_02_001/2017009_02_001_diskimage_md5.txt
This command is formatted differently to generate multiple outputs. The first segment of the command looks fairly similar to what I've described above (the source media, blocksize, and conv operands are all present); the second segment looks familiar, too – this is where my first output is directed (the target), which is the actual .iso disk image; and the third segment directs the utility to generate an md5 checksum for the .iso file and output it to a text file.
Welcome to the University Wiki Service! Please use your IID (yourEID@eid.utexas.edu) when prompted for your email address during login or click here to enter your EID. If you are experiencing any issues loading content on pages, please try these steps to clear your browser cache.