Simple Linux Forensics Workflow (Disk Images)

Digital Forensics, Incident Response, Linux

Introduction

This is a simple Linux forensics workflow for disk images. All commands are examples, so replace placeholders with your own case paths and use them only in authorized labs or investigations.

1) Clone Evidence and Log Hashes

Create a forensic clone and write a hash log during imaging:

dcfldd if=<source_image.iso> of=<clone_image.iso> hash=sha256 hashlog=<hash_log.txt> bs=4096

Verify integrity between source and clone:

sha256sum <source_image.iso>
sha256sum <clone_image.iso>
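As an added example (not part of the original post), the following POSIX shell script performs the integrity check above in one step: it hashes source and clone, reads the whole-image digest from the imaging log, and fails loudly on any disagreement. It runs on constructed files and assumes the log carries the digest on a "Total (sha256):" line, the summary line dcfldd writes; adjust the pattern if your version formats it differently.

```shell
#!/bin/sh
# Portable SHA-256: prefer coreutils sha256sum, fall back to shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Pull the whole-image digest out of the hash log.
# Assumption: the log holds a "Total (sha256): <hex>" summary line.
logged_sha256() {
    grep -i 'Total (sha256):' "$1" | awk '{print tolower($NF)}'
}

# verify_clone <source> <clone> <hashlog>: returns 0 only when the source,
# the clone and the logged digest all agree; prints which check failed.
verify_clone() {
    src_hash=$(sha256_of "$1")
    clone_hash=$(sha256_of "$2")
    log_hash=$(logged_sha256 "$3")
    [ -n "$log_hash" ] || { echo "no Total (sha256) line in $3"; return 2; }
    if [ "$src_hash" != "$clone_hash" ]; then
        echo "MISMATCH: clone differs from source"; return 1
    fi
    if [ "$src_hash" != "$log_hash" ]; then
        echo "MISMATCH: imaging log disagrees with computed hash"; return 1
    fi
    echo "OK: $src_hash"
    return 0
}

# Self-contained demo on constructed data (not real evidence): a good clone
# passes, then a single appended byte makes the same clone fail.
demo() {
    work=$(mktemp -d)
    printf 'constructed evidence bytes\n' > "$work/source.img"
    cp "$work/source.img" "$work/clone.img"
    printf 'Total (sha256): %s\n' "$(sha256_of "$work/source.img")" > "$work/hash_log.txt"
    verify_clone "$work/source.img" "$work/clone.img" "$work/hash_log.txt"
    printf 'x' >> "$work/clone.img"          # simulate a corrupted clone
    verify_clone "$work/source.img" "$work/clone.img" "$work/hash_log.txt" || echo "clone rejected"
    rm -rf "$work"
}

demo
```

Record the OK line, with the digest, in the case notes before touching the clone; any later re-run of verify_clone should reproduce it.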

2) Open GUI Triage (Optional)

Start Autopsy for quick visual triage:

autopsy

3) Partition and File System Overview

Inspect partition layout:

mmls <clone_image.iso>

Inspect file system details (if mmls shows a partition table, pass the partition's starting sector to fsstat, fls, icat and blkls with -o <sector_offset>, since they otherwise read from the start of the image):

fsstat <clone_image.iso>

List files recursively:

fls -r <clone_image.iso>

Read one file by inode (example):

icat <clone_image.iso> <inode_number> > <output_file.txt>

4) Search Unallocated Data

Extract unallocated blocks and scan printable text:

blkls <clone_image.iso> | strings

5) Recover Files with TSK

Recover deleted (unallocated) files only, which is tsk_recover's default when neither -a nor -e is given (-e recovers all files, allocated and unallocated, so it is not the flag for deleted-only recovery):

tsk_recover <clone_image.iso> <output_deleted_dir/>

Recover allocated files only (-a):

tsk_recover -a <clone_image.iso> <output_allocated_dir/>

6) Carve Hidden Tail Data

Carve data starting from an offset (example):

dd if=<clone_image.iso> of=<tail_output.bin> bs=1 skip=<offset>

Inspect extracted text:

strings <tail_output.bin>

Decode Base64 artifacts if found:

echo "<base64_text>" | base64 -d

7) Check and Crack Archives

Identify archive type:

file <archive_file>

Extract ZIP hash and crack with John:

zip2john <archive.zip> > <archive.hash>
john --wordlist=<wordlist.txt> <archive.hash>

Test archive password:

7z t -p"<password>" "<archive_file>"

Extract archive content:

7z x -p"<password>" "<archive_file>"

8) Steganography Checks

Analyze PNG files for hidden data:

zsteg -a <image.png>

Check BMP metadata:

steghide info <image.bmp>

Try seed and wordlist cracking:

stegseek --seed <image.bmp>
stegseek --crack <image.bmp> <wordlist.txt> <stegseek_output.txt>

Extract hidden payload if password is known:

steghide extract -sf <image.bmp> -p "<password>" -xf <extracted_payload.txt>

9) File Carving Tools

Use one or more carving tools:

foremost -t all -i <clone_image.iso> -o <foremost_output_dir/>
photorec /d <photorec_output_dir/> /cmd <clone_image.iso> search
scalpel -c <scalpel.conf> -o <scalpel_output_dir/> <clone_image.iso>

10) Final Partition Validation

Use TestDisk for partition checks:

testdisk /list <clone_image.iso>