Your footprints on your hard drive. Part 1 - Getting the image
Many users naively believe that tracking what they did on a computer is very hard, or even impossible. Some office workers run games or "forbidden" programs from flash drives, watch films from removable media, listen to music and edit "unwanted" documents, thinking that if management suddenly suspects something and decides to check the computer, it will find nothing. You can wall yourself off from the boss with a partition or with distance, but you cannot hide from a system as hostile as Windows! It spies on you constantly! Be vigilant!
Probably even Bill Gates does not know everything Windows does, let alone the end user. Every second it performs dozens of obscure operations and creates heaps of temporary files recording who wrote what and when, what was launched, which devices were connected, and so on.
Describing the traces a user leaves and where to look for them will take more than one post. But first I want to show how to make an exact bit-for-bit copy of a hard drive (the same method works for any storage medium). You can, of course, examine the disk itself, but that often runs into a number of problems:
- access to the computer is only available for a couple of hours (not enough time for a full examination);
- during the examination you may make changes to the hard drive that the user will notice;
- the computer case is sealed and cannot be opened.
When you create an image with Acronis True Image, Norton Ghost or something similar, not all of the data on the hard drive is saved (unless you use the sector-by-sector modes): as a rule, (logically) deleted files are missing, sometimes temporary files too, and hidden disk partitions may be skipped. For a complete bit-for-bit copy of the disk, the easiest way in my opinion is the utility found in any Linux distribution: dd (there is a Windows port as well). The program is good, although it does not display statistics on copied, remaining and erroneous blocks. dcfldd, dd_rescue and ddrescue do not have this drawback, and their command syntax is almost the same.
So we boot the computer from a LiveCD with a Unix-like system, connect an external hard drive and create the exact image on it.
1) create a sector-by-sector image in the current directory in the file hda.img
#dd if=/dev/hda of=<directory on the mounted external drive>/hda.img conv=noerror,sync
conv=noerror,sync tells dd to keep reading even when it hits bad sectors (noerror) and to pad each unreadable block with zeros so that the data after it stays at its original offset (sync).
Remember when writing the image file to a FAT32 file system that it only supports files up to 4 GB, and that NTFS is mounted read-only by default; to mount it for writing, use for example (the NTFS partition, not the whole disk):
#mount -t ntfs-3g /dev/sdb1 /mnt/sdb -o force
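To show exactly what conv=noerror,sync does to the image, here is an added Python example (not from the original post and not dd's own code): a small imager that copies a constructed "disk" containing one unreadable block, zero-fills the bad block the way sync does, and hashes the image as it is written, which is the statistic dd lacks and dcfldd can produce. The BadSectorSource class is a constructed stand-in for a block device.

```python
import hashlib
import io


class BadSectorSource:
    """Constructed stand-in for a block device with unreadable blocks.

    `bad_blocks` are block indices whose read raises OSError, like a failing
    sector on a real drive; the device still advances past the bad block.
    """

    def __init__(self, data, bad_blocks=()):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_blocks)
        self._next = 0

    def read(self, n):
        idx, self._next = self._next, self._next + 1
        chunk = self._buf.read(n)
        if chunk and idx in self._bad:
            raise OSError(5, "Input/output error")
        return chunk


def image_device(src, dst, block_size):
    """Copy src to dst block by block, emulating `dd conv=noerror,sync`.

    Returns (bytes_written, bad_block_indices, sha256_hex_of_image).
    """
    digest, bad, idx = hashlib.sha256(), [], 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad.append(idx)                     # noerror: log it, keep going
            chunk = b"\0" * block_size          # sync: zero block keeps offsets
        if not chunk:
            break                               # end of device
        chunk = chunk.ljust(block_size, b"\0")  # sync also pads a short last read
        dst.write(chunk)
        digest.update(chunk)
        idx += 1
    return idx * block_size, bad, digest.hexdigest()


# Constructed 1636-byte "disk": three full 512-byte blocks plus a 100-byte tail.
DISK = (bytes(range(256)) * 7)[:1636]


def run_demo(bad_blocks=(1,)):
    """Image DISK with block 1 unreadable; returns (written, bad, image, sha256)."""
    out = io.BytesIO()
    written, bad, digest = image_device(BadSectorSource(DISK, bad_blocks), out, 512)
    return written, bad, out.getvalue(), digest
```

Because sync pads the last short block, the image's hash will not match a hash of the raw device unless the device size is a multiple of the block size, so record the hash of the image file itself together with the list of bad blocks.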
2) create an exact copy of the disk on another hard drive (cloning)
#dd if=/dev/hda of=/dev/sdb conv=noerror,sync
3) create an exact copy of the disk on another computer over the network
It is rare, but there are still computers with USB 1.0; copying over that interface takes a very long time (tens of hours), so it is more convenient and faster to copy the image over the network.
On the computer connected to the network that will receive the image (ip: 192.168.1.100), run Netcat; it exists for both Unix-like systems and Windows (preferably with admin rights):
#nc -l -p 5555 > ./hda.img
netcat waits for a connection on port 5555; the data received over the network goes into the file hda.img in the current directory.
On the computer whose disk we are imaging, run:
#dd if=/dev/hda bs=1M conv=noerror,sync | nc 192.168.1.100 5555
When copying over the network, bear in mind that netcat loads the network quite heavily.
The image is obtained; now you can safely examine the data on it and look for traces of the user's work...
To be continued...