取证须让证物说话,莫妄以自我心证来给案情下定论.切忌画靶射箭,为找而找. 取证的根基仰赖经验与判断,在IT各领域的经验愈丰富,愈能看出端倪. 取证须善用工具,但不过度依赖工具.工具只能帮你缩小可能范围,但无法告诉你答案,仍需靠人进行分析判断.

联系 订阅 管理
  132 Posts :: 0 Stories :: 64 Comments :: 0 Trackbacks

Someone ask me how to image a CD/DVD ROM and generate hash value in the same time. A small tool called "dcfldd" could achieve this goal. Compared to dd, dcfldd allows for more than one output file, supports simultaneous multiple checksum calculations, provides a verification mode for file matching, and can display the percentage progress of an operation.


Download dcfldd and install in your Linux workstation. The if(input file) is /dev/sr0. If you're not sure about this, all you need to do is take a look at mount result as below.



What about of(output file)? You could create any output filename you want. My output file name is cd.iso. Also specify the hash method and block size. Here we go. When finished you could see the md5 hash value.


Of course you could use another forensic tool to verify the hash value of this evidence file. I use FTK Imager Lite to add cd.iso as evidence. The verification result is as below.


posted on 2017-05-08 21:40 Pieces0310 阅读(...) 评论(...) 编辑 收藏