DD File Forensics: Extracting Evidence From Image File
A DD file is an image file created with the dd command. dd is a simple but powerful command-line utility, found on Unix and Linux systems, for creating disk images, copying files, and so on. The syntax for running the utility takes the form:
dd if="source" of="destination"
The utility comes installed on Linux and Unix systems, and it has become the main tool for forensic purposes because it creates raw images of drives, folders, files, etc. Users can create the output file as .img, .dd, or another format by specifying the file type in the "of" part. Windows users can also run the command through the Cygwin framework or MKS Toolkit to take a disk image. Cygwin provides the same command-line interface as Linux or Unix, so Windows users can work with it. When the destination is given as .dd, the output is a .dd image file. One thing to note: if the source and the destination are interchanged, the source will be overwritten with the target.
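The dd syntax above, wrapped as an added example that is not from the original article: the copy is refused when the destination already exists, which is what a swapped if/of looks like, and a SHA-256 digest is recorded so the image can be re-checked later. The function names and file paths are hypothetical, and sha256sum (GNU coreutils) is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes a POSIX shell plus
# dd, sha256sum and cut; function names and file paths are hypothetical.

sha256_of() { sha256sum < "$1" | cut -d' ' -f1; }

# acquire_image SOURCE DEST
# Runs dd if=SOURCE of=DEST, but only when DEST does not exist yet. Swapping
# the two arguments would make the evidence the output file and overwrite
# it, so an existing path (file or device node) as DEST is rejected.
acquire_image() {
    ai_src=$1; ai_dest=$2
    [ -r "$ai_src" ] || { echo "cannot read source: $ai_src" >&2; return 2; }
    if [ -e "$ai_dest" ]; then
        echo "refusing to overwrite existing path: $ai_dest" >&2
        return 3
    fi
    # Raw copy in 1 MiB blocks; dd's transfer statistics on stderr are dropped.
    dd if="$ai_src" of="$ai_dest" bs=1048576 2>/dev/null || return 4
    ai_src_hash=$(sha256_of "$ai_src")
    ai_img_hash=$(sha256_of "$ai_dest")
    if [ "$ai_src_hash" != "$ai_img_hash" ]; then
        echo "hash mismatch between source and image" >&2
        return 5
    fi
    # Keep the digest beside the image and make both read-only.
    echo "$ai_img_hash" > "$ai_dest.sha256"
    chmod a-w "$ai_dest" "$ai_dest.sha256"
}

# verify_image IMAGE
# Succeeds only if IMAGE still matches the digest recorded at acquisition.
verify_image() {
    [ -r "$1.sha256" ] || return 2
    [ "$(cat "$1.sha256")" = "$(sha256_of "$1")" ]
}

# Demo on constructed data: a small file stands in for the source drive.
demo_dir=$(mktemp -d)
printf 'constructed sample evidence\n' > "$demo_dir/source.bin"
acquire_image "$demo_dir/source.bin" "$demo_dir/evidence.dd" &&
    verify_image "$demo_dir/evidence.dd" &&
    echo "image acquired and verified"
rm -rf "$demo_dir"
```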
Everyone keeps disk image files so that they can be verified in the future and checked for any manipulation. Nowadays, many agents depend on .dd file forensics, since it reveals some of the leads for their investigation. However, when it comes to opening the file to view its structure, things get complicated. Finding the right platform to view a .dd image file and perform forensics on it is always challenging, and working on the file without a proper platform is risky. This challenge can be resolved with MailXaminer, a third-party software tool. The application is an appropriate and simple tool for viewing .dd file content.
Beyond the software, there are other methods to view the content of the file, but they are complicated and time-consuming. Since time is valuable and an investigation should proceed quickly, a software platform always helps.
Analyzing .dd File Artifacts Using MailXaminer
The application lets users analyze the file and collect evidence without tampering with the data content. You can view the file content, search the data, and do more, all within a few minutes. To examine the file, all you have to do is load the file and scan it.
Once the tool is launched, the user can select the DD file format from the "Image" window of the Scan file option, and then browse to the file from which evidence is to be extracted.
During scanning, the user can see the number of files contained in the .dd file, since the tool scans the contained files separately. After scanning, it lets users view the files separately using the checkboxes provided. You can check a box and click the "View" button. This lets the agent work on a particular file and saves time.
If all the checkboxes are checked, you will get a preview of all the files in hierarchical order.
Previews All File Formats Present
During .dd file forensics, if an agent needs to work on a PST file contained in the image, they can choose the corresponding PST file and view the email contents.
The mail tab will show all the mails listed in the selected folder.
The application can also preview the contents of other file formats, such as Zimbra, Kmail, OST, EDB, etc.
DD Image File Forensic – Shows Documents Present
Apart from previewing the email contents, it gives users an overall list of the documents contained in the file from the "Document" tab.
Evidence is the key element of a case, so securing it is very important. The application enables users to export the identified artifacts to any of the 7 outputs, such as EML/PDF/PST/HTML/HTML Reporter/PRINT/TIFF, and store them in a desired location. Since evidence is submitted to the Court and the appreciated format is PDF, the user can export the file to PDF. PDF is recognized as an efficient format since it is non-editable and the threat of manipulation no longer exists.
MailXaminer is efficient and effective software for examining .dd files. While carrying out .dd file forensics, users can collect all the data from the file without any loss of information or data integrity.