
Many users naively believe that it is very difficult, sometimes impossible, to track what they were doing on the computer. Some office users launch games or "forbidden" programs from flash drives, watch movies from removable media, listen to music, edit "unwanted" documents, thinking that if management suddenly suspects something and decides to check the computer, it will find nothing. You can wall yourself off from your boss with a partition or with distance, but you cannot hide from a hostile system like Windows!!! It constantly spies on you!!! Be vigilant!!!
Probably not even Bill Gates knows everything Windows does, let alone the end user. Every second it performs dozens of obscure operations, creates heaps of temporary files, and records who launched what and when, which devices were connected, and so on.
Describing what traces the user leaves and where to look for them will take more than one post ... First, though, I want to explain how to create an exact bit-for-bit copy of a hard disk (any storage medium can be copied the same way). You could of course examine the disk itself, but that very often raises a number of problems:
- access to the computer is available only for a couple of hours (it is hard to conduct a full examination in that time);
- during the examination you may make changes to the hard disk that will not go unnoticed by the user (even booting from it updates timestamps and log files);
- the computer is sealed, and the case cannot be opened.
When creating an image with Acronis True Image, Norton Ghost or something similar, not all data from the hard disk is saved (unless you use the "sector-by-sector" modes): as a rule, logically deleted files are missing, sometimes temporary files too, and hidden disk partitions may be skipped. In my opinion the easiest way to make a full bit-for-bit copy is the utility found in any Linux distribution: dd (by the way, there is also a Windows port). The program is good, although it does not display statistics of copied, remaining and erroneous blocks (newer GNU coreutils versions of dd accept status=progress for that). dcfldd, dd_rescue and ddrescue do not have this shortcoming: dcfldd keeps dd's syntax and can additionally hash the data as it copies (hash=md5 or hash=sha256), while dd_rescue and ddrescue take the input and output as positional arguments and keep a log of bad areas so that a copy can be resumed and retried.
So, we boot the computer from a LiveCD with a Unix system, connect an external hard disk and create an exact bitwise image on it. Do not mount the disk being imaged (or mount it read-only), otherwise the image will not reflect the original state. Note that on modern kernels the disk appears as /dev/sda rather than /dev/hda; check the device names with fdisk -l before copying.
1) create a sector-by-sector image in the current directory in the hda.img file
# dd if=/dev/hda of=<directory on mounted external drive>/hda.img conv=noerror,sync
conv=noerror,sync tells dd to continue reading even if the disk has bad sectors: noerror makes dd carry on after a read error, and sync pads the failed block with zeros so that the image keeps the same size and offsets as the original. With the default block size of 512 bytes only the bad sector is lost; with a large bs= every read error costs a whole block, so keep bs= small on a disk you know to be failing.
Do not forget, when writing the image file to a FAT32 volume, that this file system only supports files up to 4 GB (pipe dd through split -b to store the image in pieces if you have nothing else). Also, the legacy in-kernel NTFS driver mounts NTFS read-only, so mount the external drive for writing with ntfs-3g, for example:
# mount -t ntfs-3g /dev/sdb /mnt/sdb -o force
(use the partition, e.g. /dev/sdb1, if the drive is partitioned).
2) create an exact copy of the disk on another hard disk (cloning)
# dd if=/dev/hda of=/dev/sdb conv=noerror,sync
The target disk must be at least as large as the source, and everything on it is overwritten. Double-check with fdisk -l which device is which before running this: swapping if= and of= destroys the original.
3) create an exact copy of the disk on a computer over the network
Rarely, but there are still computers with USB 1.x; copying over this interface takes a very long time (tens of hours), so it is more convenient and faster to copy the image over the network.
On the computer connected to the network (ip: 192.168.1.100), to which we will copy the image, we launch Netcat; the program exists for both Unix systems and Windows (preferably run with administrator rights):
# nc -l -p 5555 > ./hda.img
(-l is the listen option of the Unix netcat; the Windows port also has -L, which keeps listening after the connection closes.) Netcat will wait for a connection on port 5555. Data received over the network goes into the hda.img file in the current directory.
On the computer whose disk we are imaging, we run:
# dd if=/dev/hda bs=1M | nc 192.168.1.100 5555
When copying over the network, bear in mind that netcat noticeably loads the network. It also sends the data unencrypted and unauthenticated, so do this only on an isolated segment or over a direct cable. Note that this sender has no conv=noerror, so a bad sector aborts the copy; add conv=noerror,sync and a small bs= if the disk is failing. As with the local image, compare hashes of the source and of the received file afterwards: a truncated transfer otherwise goes unnoticed.
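The whole procedure from step 1, wrapped as a small shell helper, as an added example (this is not code from the original post): it runs the same dd command with conv=noerror,sync, keeps dd's messages in a log file, and then checks the finished image against the source by SHA-256, which is the verification a practitioner wants before touching the image. The network commands from step 3 are included as two further functions. It assumes dd and sha256sum (or shasum on BSD/macOS), and a netcat that accepts -l -p (GNU/traditional netcat or Ncat; OpenBSD nc takes just -l PORT); the source and image paths are arguments, nothing is hard-coded to /dev/hda.

```shell
#!/bin/sh
# Added example, not the original post's code: image a disk with dd and
# verify the result by hash. Assumed tools: dd, sha256sum (or shasum), nc.

sha256_of() {
    # Print only the hex digest of a file (GNU sha256sum or BSD shasum).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_disk SOURCE IMAGE [BLOCKSIZE]
# Bitwise copy of SOURCE (a block device, or any file) into IMAGE.
# conv=noerror,sync makes dd continue past unreadable sectors and pad each
# short read with NULs, so offsets in the image still match the source.
# Side files: IMAGE.dd.log (dd's own messages) and IMAGE.sha256 (digests).
# Returns 0 when the image hashes identically to the source, 1 otherwise.
image_disk() {
    src=$1
    img=$2
    bs=${3:-512}

    [ -r "$src" ] || { echo "image_disk: cannot read $src" >&2; return 1; }

    # Caveat: with conv=sync a trailing partial block is padded up to
    # BLOCKSIZE. Disks are multiples of 512 bytes, so bs=512 is always
    # exact; a larger bs is faster but may append NULs at the end, and
    # then the hashes will not match even though no sector was lost.
    if ! dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>"$img.dd.log"; then
        echo "image_disk: dd failed, see $img.dd.log" >&2
        return 1
    fi

    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$img" >"$img.sha256"

    if [ "$src_hash" = "$img_hash" ]; then
        echo "OK: $img matches $src ($src_hash)"
        return 0
    fi
    echo "MISMATCH: source $src_hash, image $img_hash" \
         "(size $(wc -c <"$src" | tr -d ' ') vs $(wc -c <"$img" | tr -d ' '))" >&2
    return 1
}

# Network variant of the same copy (step 3): receiver and sender side.
# Plain TCP, no encryption or authentication; hash both ends afterwards.
receive_image() {        # receive_image PORT IMAGE   (run first, on the collector)
    nc -l -p "$1" >"$2"
}
send_image() {           # send_image SOURCE HOST PORT (run on the imaged machine)
    dd if="$1" bs=1M | nc "$2" "$3"
}
```

Usage on the LiveCD: image_disk /dev/sda /mnt/sdb/sda.img, then keep sda.img.sha256 next to the image; on GNU dd you can append status=progress to the dd line to get the running statistics the post mentions dd lacking. Run the verification again after copying the image elsewhere, since the digest on record is what proves the copy you are examining is the one taken from the disk.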
The image is obtained; now you can safely proceed to examining the information on it and searching for traces of the user's work ...
To be continued ...