Friday, January 11, 2013

Backtrack Forensics: air-imager

Menu: Forensics -> Forensic Imaging Tools
Directory: /pentest/forensics/air-imager

From the official website:

"AIR is a GUI front-end to dd/dc3dd designed for easily creating forensic images. By Steve Gibson and Nanni Bassetti.

Features:

  • auto-detection of IDE and SCSI drives, CD-ROMs, and tape drives
  • choice of using either dd or dc3dd (Note: dc3dd v7.0 not currently supported)
  • image verification between source and copy via MD5 or SHA1/256/384/512
  • image compression/decompression via gzip/bzip2
  • image over a TCP/IP network via netcat/cryptcat
  • supports SCSI tape drives
  • wiping (zeroing) drives or partitions
  • splitting images into multiple segments
  • detailed logging with date/times and complete command-line used"

When we start it from the menu, it first installs the application. After that we can start it with the command "air" and the main window comes up. Backtrack 5 R3 ships dc3dd v7.1.164, which is not supported by the tool (see the note above), so we need to select dd and unselect dc3dd.


This is the main window:

I think it's pretty straightforward to use, but let me go through a few steps.
Selecting devices:

Getting information on a device and setting it as the source if we want:

We can also set a directory or file as the source in the "source device/file" box.

Setting compression:

Setting hashes:

Finally, we can see the log and any other output in the status window:
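To make clear what the GUI is actually driving when dd is the selected engine, here is an added shell example (not AIR's own code) that performs the same image, verify and log sequence from the steps above: copy the source with dd, hash source and image with sha256sum, and append timestamped log lines including the complete dd command line. The source is a constructed file standing in for a block device such as /dev/sdb; the names `air_image`, `make_source` and `air_demo` are this example's own.

```shell
# Added example, not part of AIR: the dd + hash + log sequence behind an
# AIR run with dd selected. The "drive" is a constructed file, not a device.

stamp() { date -u '+%Y-%m-%d %H:%M:%S'; }

# air_image SOURCE IMAGE LOG [BLOCKSIZE]
# Copies SOURCE to IMAGE with dd, hashes both with sha256sum, appends
# timestamped log lines (including the exact dd command line) to LOG, and
# returns 0 only when the two hashes match (1 on mismatch, 2 if dd fails).
air_image() {
    src="$1"; img="$2"; log="$3"; bs="${4:-512}"

    # Record the complete command line before running it, as AIR's log does.
    cmd="dd if=$src of=$img bs=$bs conv=noerror,sync"
    printf '%s START %s\n' "$(stamp)" "$cmd" >> "$log"

    # noerror: keep going past unreadable blocks; sync: pad short reads with
    # NULs so offsets in the image stay aligned with the source.
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>>"$log" || {
        printf '%s ERROR dd failed\n' "$(stamp)" >> "$log"; return 2; }

    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s SHA256 source=%s\n' "$(stamp)" "$src_hash" >> "$log"
    printf '%s SHA256 image=%s\n'  "$(stamp)" "$img_hash" >> "$log"

    if [ "$src_hash" = "$img_hash" ]; then
        printf '%s VERIFY OK\n' "$(stamp)" >> "$log"; return 0
    fi
    printf '%s VERIFY FAILED\n' "$(stamp)" >> "$log"; return 1
}

# make_source PATH BYTES: constructed stand-in for a drive (random bytes).
make_source() { head -c "$2" /dev/urandom > "$1"; }

# air_demo: a 32 KiB "drive" imaged with bs=512 verifies fine; a 1000-byte
# file imaged with bs=4096 does not, because conv=sync pads the last block to
# a full 4096 bytes and the image hash no longer matches the source hash.
# Returns 0 when both outcomes are as described and prints the log.
air_demo() {
    d=$(mktemp -d) || return 2
    make_source "$d/sdb" 32768
    air_image "$d/sdb" "$d/sdb.dd" "$d/air.log" 512 || return 1
    make_source "$d/odd" 1000
    if air_image "$d/odd" "$d/odd.dd" "$d/air.log" 4096; then return 1; fi
    cat "$d/air.log"
    rm -rf "$d"
}
```

The second case in `air_demo` is the caveat to remember when AIR is told to use conv=noerror,sync: the image is padded to a multiple of the block size, so verification against the raw source only succeeds when the block size divides the source size, which is normally true for whole devices (sector multiples) but not for arbitrary files. Note also that hashing the source after the copy re-reads the whole device, so on a drive with read errors the two passes can legitimately differ.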

