Forensic Acquisition Utilities problem

(@morganfreeman)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  

Hey,

I'm new to the forum and relatively new to the subject of computer forensics, as I've only recently begun a college course in it.

Over Christmas I was given an assignment to do which, simply put, requires me to utilise various forensic tools. So I've downloaded FAU (Forensic Acquisition Utilities) and after attempting to run the dd.exe program the DOS or command prompt screen (not too sure what it's called but it's a black window) pops up briefly before closing again. It doesn't give me the chance to type commands, etc. I've also tried just opening the command prompt and typing in a dd command but I just get the error saying something along the lines of 'dd' is not a recognized command.

I'm using a Windows 7 laptop if that has significant relevance and I need to create a forensic image of a folder and some files as part of the assignment which is why I'm using dd.

Sorry again for my lack of knowledge on the matter. I would greatly appreciate any suggestions, as I've got precious little time left to finish my work and can't seem to figure out what's wrong.

Cheers


   
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

This is not an FAU problem, it is a problem with running commands.

dd.exe is not a Windows program and thus needs to be run from a command prompt. If it is not in your path statement* you will need to browse to the folder where dd.exe resides or you will get the error you are seeing.

*How to set the path in Windows 7


   
(@morganfreeman)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  

Thanks a million for that reply, helped a lot.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Based on what you said, it would appear that you attempted to run dd.exe by double-clicking it. dd.exe is a command line tool... you type in the command and options to launch it at the command line.

You might consider downloading FTK Imager for what you want to do…it's GUI, and free.


   
(@morganfreeman)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  

Thanks for the suggestion; however, I think I have to use dd to do it in this particular assignment, as our course leader wants us to familiarise ourselves with different tools. I have FTK but will only be using that to recover deleted files for this.

I am still having troubles with the dd command though. I'm pretty sure copying a few files is one of the most basic commands, yet I somehow can't figure it out. So far I've tried this command:

dd.exe --localwrt if=C:\Evidence\"Folder 1" of=C:\Evidence\"Folder 1".dd

...and some other similar variations. I get an error saying 'Invalid command line argument'.
If anybody can point me in the right direction again it would be much appreciated.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

So far I've tried this command:

dd.exe --localwrt if=C:\Evidence\"Folder 1" of=C:\Evidence\"Folder 1".dd

...and some other similar variations. I get an error saying 'Invalid command line argument'.

Well, from the looks of it, you're trying to create a dd image back into the same location, and you may have the quotes in the wrong locations... try something like

dd.exe --localwrt if="C:\Evidence\Folder 1" of="C:\Evidence\Folder 2\image.dd"
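
As an added example that ties together the two points made so far in the thread (bithead's: dd.exe has to be run from a command prompt and by full path if it is not on the PATH; keydet89's: quote the whole path and write the image somewhere other than the source folder), here is a batch file that images one file from the evidence folder and then checks the copy. This is not code from the thread or from FAU itself. The FAU location C:\Tools\FAU, the file name report.docx and the output folder C:\Evidence\Images are assumptions; --localwrt is the option already used in the thread, and because dd copies a single byte stream it is given one file rather than the folder as if=.

```batch
@echo off
rem Added example, not from the thread or from the FAU project.
rem Runs FAU dd.exe by full path (no PATH change needed), images one file into a
rem separate folder, and verifies the copy. All paths below are assumptions.
setlocal

set "FAU_DIR=C:\Tools\FAU"
set "SRC=C:\Evidence\Folder 1\report.docx"
set "CASE_DIR=C:\Evidence\Images"
set "DST=%CASE_DIR%\report.docx.dd"

rem Double-clicking dd.exe opens and closes a console; calling it by full path from
rem a command prompt (or from a batch file) is what actually runs it.
if not exist "%FAU_DIR%\dd.exe" (
    echo dd.exe not found in %FAU_DIR%
    exit /b 1
)
if not exist "%SRC%" (
    echo Source file not found: %SRC%
    exit /b 1
)

rem Keep the image out of the source folder, and quote whole paths that contain
rem spaces rather than quoting only the folder name.
if not exist "%CASE_DIR%" mkdir "%CASE_DIR%"
"%FAU_DIR%\dd.exe" --localwrt if="%SRC%" of="%DST%"
if errorlevel 1 (
    echo dd.exe returned error level %errorlevel%
    exit /b 1
)

rem Byte-for-byte comparison of source and image (fc returns 0 only when identical).
fc /b "%SRC%" "%DST%" > nul
if errorlevel 1 (
    echo Image does NOT match the source file
    exit /b 1
)
echo Image matches the source file byte for byte

rem Record hashes of both files for the case notes; certutil ships with Windows.
certutil -hashfile "%SRC%" SHA1 >> "%CASE_DIR%\hashes.txt"
certutil -hashfile "%DST%" SHA1 >> "%CASE_DIR%\hashes.txt"
echo Hashes appended to %CASE_DIR%\hashes.txt
endlocal
```

Save it as acquire.cmd and run it from an open command prompt so that any message dd.exe prints stays on screen instead of vanishing with the window.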


   
(@morganfreeman)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  

Thanks again for the help, but brace yourselves for another (probably silly) problem. Using the code you gave me, keydet89, I'm getting this response:

'The VistaFirewall Firewall is active with exceptions'

I've turned off my Norton360 smart Firewall and my Windows Defender firewall isn't on either... and I'm on Windows 7, not Vista, so this is rather confusing.
I'm beginning to lose hope.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

You may have gotten the response because some of the APIs from Vista still exist on Win7.

Have you tried going into your Security Center and ensuring that the built-in firewall is turned off?


   
(@morganfreeman)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  

Hmm, good news is that the Firewall error is gone. Bad news is that now nothing whatsoever happens when I press enter. Didn't think I'd have so much trouble copying a folder?


   
(@rossetoecioccolato)
Eminent Member
Joined: 18 years ago
Posts: 34
 

Have you tried going into your Security Center and ensuring that the built-in firewall is turned off?

No!!! Don't do that. The log entry is informational, it is not an error. DD (and the other FAU utilities) will add an exception to the Windows firewall (both inbound and outbound) if need be; the exception is dynamic and closed before DD exits. While I realize that this is only an academic exercise, it is never too soon to learn sound forensic/IR practice. Taking down the entire firewall would render your (future) customers more vulnerable to compromise while you are gathering evidence. In some corporate environments in which I have been, exploitation may occur in as little as 30 seconds. Don't forget that the computer that you are investigating might not already be compromised. Computer forensic/IR specialists should follow the Hippocratic oath and "do no harm."
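
An added example (not code from the thread or from FAU) of how to act on this advice: rather than switching the firewall off to make the "active with exceptions" line go away, record the firewall state before and after the acquisition and confirm that the profiles are still on and that the temporary exception dd.exe opened is gone once it has exited. The FAU location C:\Tools\FAU, the source file and the case folder C:\Evidence\Images are assumptions; the netsh advfirewall commands are the standard Windows 7 ones.

```batch
@echo off
rem Added example, not from the thread or from the FAU project.
rem Snapshots the Windows firewall before and after running dd.exe so the case
rem notes show the firewall stayed on and no exception was left behind.
rem All paths below are assumptions.
setlocal

set "FAU_DIR=C:\Tools\FAU"
set "SRC=C:\Evidence\Folder 1\report.docx"
set "CASE_DIR=C:\Evidence\Images"
set "BEFORE=%CASE_DIR%\firewall_before.txt"
set "AFTER=%CASE_DIR%\firewall_after.txt"
if not exist "%CASE_DIR%" mkdir "%CASE_DIR%"

rem 1. Snapshot: profile state (expected "State  ON" for each profile) and the
rem    complete rule list.
netsh advfirewall show allprofiles state > "%BEFORE%"
netsh advfirewall firewall show rule name=all >> "%BEFORE%"

rem 2. Run the acquisition with the firewall untouched. The "firewall is active
rem    with exceptions" message is informational: dd.exe holds its own temporary
rem    exception only while it runs.
"%FAU_DIR%\dd.exe" --localwrt if="%SRC%" of="%CASE_DIR%\report.docx.dd"
if errorlevel 1 echo dd.exe returned error level %errorlevel%

rem 3. Snapshot again and compare. fc returns 0 only when both files are identical,
rem    so any difference (profile turned off, rule left behind) is flagged.
netsh advfirewall show allprofiles state > "%AFTER%"
netsh advfirewall firewall show rule name=all >> "%AFTER%"
fc "%BEFORE%" "%AFTER%" > "%CASE_DIR%\firewall_diff.txt"
if errorlevel 1 (
    echo Firewall configuration changed during acquisition - review firewall_diff.txt
) else (
    echo Firewall configuration unchanged by the acquisition
)

rem 4. Explicit check that every profile is still on, independent of the diff.
findstr /i /c:"State" "%AFTER%" | findstr /i /v "ON" > nul
if not errorlevel 1 (
    echo WARNING: at least one firewall profile is OFF
) else (
    echo All firewall profiles report ON
)
endlocal
```

The before/after files and the diff belong with the rest of the acquisition record; they document that the evidence was gathered without weakening the host.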


   