Hi,
I have a question about imaging a USB drive, or any other drive for that matter. For instance, when I stick a USB drive into my Linux box and do an ls in /dev, I see sdb and sdb1. I assume that sdb is the USB key, but what is sdb1? Do I need to image that as well?
My other question is: if I do a mmls -l on sdb, I have the FAT file system and then some unallocated data. Is it best to image (dd) the allocated and then the unallocated and inspect them separately?
Again, the main question is: when imaging a drive (in this case a USB key), will I get all the data if I just image sdb, or do I need to image sdb1 as well, or do they hold different data?
Thanks,
Alan
Greetings,
/dev/sdb is the entire device. /dev/sdb1 is the first partition on the device. You can use
fdisk /dev/sdb
to learn more about the partitions.
Why don't you try imaging /dev/sdb and /dev/sdb1 and compare the results? Look at the sizes, hashes, and how they appear in FTK, or whatever you're using for analysis.
You'll probably want to analyze everything on the device, which includes allocated and unallocated space. How you go about doing the collection and analysis depends on your tools and preferences.
-David
Thanks. Yes, I imaged each one, and sdc was 3 MB larger than sdc1. I then ran strings against each one, and a lot of the same data was in both.
thanks
Greetings,
An image of the whole device, /dev/sdc in this case, will include everything in each individual partition, /dev/sdc1 in this case, plus unallocated or otherwise unrecognized space.
Your analysis tool will likely show you each of the partitions if you add the /dev/sdc image to it as a single piece of evidence.
-David
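The two checks David suggests (compare sizes and hashes of the sdb and sdb1 images) and his closing point (the whole-device image contains every partition plus the space no partition claims) can be demonstrated offline. The following is an added example, not code from this thread or from any of the tools mentioned in it. It constructs a tiny 64-sector "USB key" in memory with an MBR and one FAT-type partition, carves that partition out the way dd of /dev/sdb1 would, and compares the two. The device size, partition geometry, the fake FAT boot-sector bytes and the "leftover" string in the trailing unallocated sectors are all constructed for the example.

```python
"""Whole-device image (/dev/sdb) versus partition image (/dev/sdb1).

Added example, not from the original thread. Builds a constructed MBR disk
image in memory, carves partition 1 out of it (what dd if=/dev/sdb1 returns),
then compares sizes and hashes and maps the space only the device image covers.
"""
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"


def build_mbr(partitions):
    """Return a 512-byte MBR holding up to four (type, start_lba, sector_count) entries."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(partitions[:4]):
        off = 446 + 16 * i
        mbr[off + 4] = ptype                                  # partition type byte
        struct.pack_into("<II", mbr, off + 8, start, count)   # LBA start, sector count
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def build_device_image():
    """Constructed 64-sector device: MBR, 7 unused sectors, a 40-sector FAT
    partition, then 16 trailing sectors that no partition table entry claims."""
    total_sectors, part_start, part_len = 64, 8, 40
    img = bytearray(build_mbr([(0x0C, part_start, part_len)]))  # 0x0C = FAT32 LBA
    img += b"\x00" * (part_start - 1) * SECTOR                  # gap after the MBR
    fat = bytearray(b"\xeb\x58\x90MSDOS5.0")                    # FAT-looking boot sector
    fat += b"F" * (part_len * SECTOR - len(fat))
    img += fat
    tail = b"leftover from an earlier partition"                # constructed residue
    img += tail + b"\x00" * ((total_sectors - part_start - part_len) * SECTOR - len(tail))
    return bytes(img)


def parse_mbr(image):
    """Return [(index, type, start_lba, sector_count)] for the non-empty MBR entries."""
    if image[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA MBR signature in sector 0")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = image[off + 4]
        start, count = struct.unpack_from("<II", image, off + 8)
        if ptype != 0 and count != 0:
            entries.append((i + 1, ptype, start, count))
    return entries


def carve_partition(image, entry):
    """Bytes of one partition: the same data dd if=/dev/sdbN would have produced."""
    _, _, start, count = entry
    return image[start * SECTOR:(start + count) * SECTOR]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def layout(image):
    """mmls-style map of (label, first_sector, last_sector) covering the whole device."""
    total = len(image) // SECTOR
    rows = [("Primary Table (#0)", 0, 0)]
    cursor = 1
    for idx, ptype, start, count in sorted(parse_mbr(image), key=lambda e: e[2]):
        if start > cursor:
            rows.append(("Unallocated", cursor, start - 1))
        rows.append((f"Partition {idx} (type 0x{ptype:02X})", start, start + count - 1))
        cursor = start + count
    if cursor < total:
        rows.append(("Unallocated", cursor, total - 1))
    return rows


def compare_images(device_image, partition_image):
    """The checks from the thread: sizes, hashes, and whether the partition
    image is literally contained in the whole-device image."""
    return {
        "device_bytes": len(device_image),
        "partition_bytes": len(partition_image),
        "extra_bytes": len(device_image) - len(partition_image),
        "device_sha256": sha256(device_image),
        "partition_sha256": sha256(partition_image),
        "partition_contained": partition_image in device_image,
    }


if __name__ == "__main__":
    dev = build_device_image()
    part1 = carve_partition(dev, parse_mbr(dev)[0])
    for label, first, last in layout(dev):
        print(f"{first:>6}-{last:<6} {label}")
    for key, value in compare_images(dev, part1).items():
        print(f"{key}: {value}")
    marker = b"leftover from an earlier partition"
    print("marker in device image:", marker in dev, "| in partition image:", marker in part1)
```

The partition hash equals the hash of the matching byte range inside the device image, the device image is larger by exactly the MBR sector, the gap sectors and the trailing unallocated sectors, and the constructed "leftover" string is only findable in the device image. On a real key the same comparison (dd both, sha256sum both, strings both) gives the same shape of result, which is why imaging /dev/sdb alone is sufficient.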