Trying Basic Procedure

Try Disk Acquisition

...

Written by Vitaly Kamluk

1 minute read

Try Basic Procedure

Disk Acquisition

Below is the description of a remote disk image acquisition process using Bitscout, where the system owner is non-experienced commandline user (relies on Bitscout management tool only).

The owner

  1. Maps the evidence drive from host to the experts container using Bitscout management tool (see Disk Operations above). Let’s assume that it was mapped as evidence0.
  2. Attaches output storage device (can be removable USB hdd) to the host system.
  3. Maps the attached output storage partition to writable device on the container. Lets assume it is mapped as storage0.

    The expert

  4. Mounts the attached output drive filesystem on local directory (i.e. /mnt/storage0).
  5. Acquires disk image using dd or it’s clone. For example: # dc3dd if=/dev/host/evidence0 of=/mnt/storage0/image.dd bs=4k hash=md5 log=/mnt/storage0/image.dd.log progress=on
  6. Unmounts the output filesystem.

    The owner

  7. Unmaps evidence0 and storage0.
  8. Disconnects the output storage device.

Still Need Help?

Bitscout Bugs

If you find any bugs or problems with the project, please open an issue over on Github.

Github
Twitter

Feel free to tweet at me if you have suggestions for Bitscout. Or if you just want to say hi.

Twitter

© 2023 All rights reserved.