Acquiring evidence with Guymager

To begin the acquisition process, right-click on the evidence drive (/dev/sdb in this example) and select Acquire image. The Clone device option is also available if you wish to clone the evidence drive directly onto another drive. As mentioned earlier, when cloning a device, the capacity of the destination drive must equal or exceed that of the source (original) evidence drive:

Before the actual acquisition starts, the investigator is prompted to enter details about the case and the evidence under the following three sections:

  • File format:
    • File extensions: .dd or .xxx (Linux dd raw image) and .Exx (Expert Witness Format)
    • Split size: Lets the investigator choose the size of the individual parts when the image is split across multiple files
    • Case management information: Case number, Evidence number, Examiner name, Description, and Notes
  • Destination:
    • Image directory: The directory where the image file and its log (info file) will be written
    • Image filename: The name of the image file
  • Hash calculation / verification:
    • Multiple hashing algorithms can be selected and calculated; the investigator can choose from MD5, SHA-1, and SHA-256
    • Re-read source after acquisition for verification: Reads the source device a second time after imaging and hashes it again, confirming that the source did not change during the acquisition
    • Verify image after acquisition: Hashes the written image file and compares the result with the hash calculated during acquisition, confirming that the destination is a faithful copy of the source
Guymager also adds the convenience of a Duplicate image... button to create duplicate copies without having to repeat the data entry process.

If you are new to Guymager, you may also want to specify the directory where the image file will be saved. In the Destination section, click on the Image directory button and choose your location. For this acquisition, I've chosen the Desktop directory as the location for both the image and the log/info file:

The following screenshot shows the data I've entered for the Guymager acquisition, with the Desktop chosen as the Image directory and MD5 and SHA-1 selected as the hashing algorithms:

Once the Start button is clicked, the State field changes from Idle to Running, and the Progress field displays a progress bar:

Looking more closely at the details in the lower-left corner of the screen, we see the size, the paths, names, and extensions of the image and info files, the current speed, and the chosen hash calculations. We also see that Image verification is turned on:

Once the acquisition completes, the State field changes from blue to green, indicating that the process is finished, and it displays Finished - Verified & ok if the verification options were selected in the Hash calculation / verification section. The progress bar also shows 100%:

The output image file and the info file can be found on the Desktop, as this was the directory specified in the Acquire image dialog earlier. If you selected a different directory, change to it with the cd command in a new Terminal. In the following screenshot, I've changed to the Desktop directory using the cd Desktop command and then listed its contents using the ls command:

We can also open the info file directly from the Desktop, or from the Desktop folder in the file manager; it presents the details of the acquisition:
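Once the image and its info file are on disk, the hashes Guymager recorded can be checked independently of Guymager, which is what the "Verify image after acquisition" option does internally and what an examiner is asked to reproduce later. The script below is an added example, not taken from the book or from Guymager itself. It re-hashes a raw dd image (a single file or the ordered segments of a split image) with the coreutils hashing tools and compares the digest with the one recorded in the info file. It assumes a raw (.dd/.xxx) image rather than an .Exx file, and it assumes only that the info file records each digest on a line that names the algorithm; the exact column layout of a real info file is not relied upon, and the sample info file written by the script is a constructed stand-in, not a copy of Guymager's format. The sample evidence is likewise constructed bytes, not a disk.

```shell
#!/bin/sh
# Added example: independently verify a Guymager raw image against the digest
# recorded in its .info file. Not from the book or from Guymager.
# Assumptions (labelled): raw .dd/.xxx image (not .Exx); the .info file holds
# each digest on a line that mentions the algorithm name (MD5, SHA-1, SHA-256).

# hash_of <algo> <file>...  -> lowercase hex digest of the files concatenated
hash_of() {
    _algo=$1; shift
    case "$_algo" in
        md5)    _tool=md5sum ;;
        sha1)   _tool=sha1sum ;;
        sha256) _tool=sha256sum ;;
        *) echo "hash_of: unsupported algorithm '$_algo'" >&2; return 2 ;;
    esac
    # cat the segments in the order given, so a split raw image
    # (image.000, image.001, ...) hashes exactly like the device it came from
    cat "$@" | "$_tool" | awk '{ print tolower($1) }'
}

# recorded_hash <info-file> <algo> -> first digest found on a line naming <algo>
recorded_hash() {
    case "$2" in
        md5)    _label='MD5';      _len=32 ;;
        sha1)   _label='SHA-*1';   _len=40 ;;
        sha256) _label='SHA-*256'; _len=64 ;;
        *) return 2 ;;
    esac
    # no reliance on exact columns: take the first hex run of the right length
    grep -i -e "$_label" "$1" | grep -o -i -E "[0-9a-f]{$_len}" | head -n 1 | tr 'A-Z' 'a-z'
}

# verify_image <info-file> <algo> <image-file>...  -> 0 on match, 1 on mismatch
verify_image() {
    _info=$1; _valgo=$2; shift 2
    _expected=$(recorded_hash "$_info" "$_valgo") || return $?
    if [ -z "$_expected" ]; then
        echo "$_valgo: no digest recorded in $_info"; return 3
    fi
    _actual=$(hash_of "$_valgo" "$@") || return $?
    if [ "$_expected" = "$_actual" ]; then
        echo "$_valgo: OK  $_actual"; return 0
    fi
    echo "$_valgo: MISMATCH  recorded=$_expected  computed=$_actual"; return 1
}

demo() {
    _dir=$(mktemp -d)
    # constructed sample "evidence": deterministic bytes, not a real disk image
    printf 'constructed sample evidence, not a real disk image\n' > "$_dir/evidence.dd"
    # constructed info file (assumed layout), filled with the sample's real digests
    {
        echo "ACQUISITION INFO FILE (constructed sample, assumed layout)"
        echo "Hash calculation : MD5 and SHA-1"
        echo "MD5 hash         : $(hash_of md5 "$_dir/evidence.dd")"
        echo "SHA-1 hash       : $(hash_of sha1 "$_dir/evidence.dd")"
    } > "$_dir/evidence.info"

    verify_image "$_dir/evidence.info" md5  "$_dir/evidence.dd"
    verify_image "$_dir/evidence.info" sha1 "$_dir/evidence.dd"

    # split-image case: the same bytes in two segments verify against the same digest
    head -c 20 "$_dir/evidence.dd" > "$_dir/evidence.000"
    tail -c +21 "$_dir/evidence.dd" > "$_dir/evidence.001"
    verify_image "$_dir/evidence.info" md5 "$_dir"/evidence.00*

    # tampered copy: one appended byte, so the recorded digest must no longer match
    cp "$_dir/evidence.dd" "$_dir/tampered.dd"
    printf 'x' >> "$_dir/tampered.dd"
    if verify_image "$_dir/evidence.info" sha1 "$_dir/tampered.dd"; then
        echo "unexpected: tampered copy verified"
    else
        echo "tampered copy rejected (exit status $?)"
    fi
    rm -rf "$_dir"
}

demo
```

Run it from the directory holding the image and info file, for example `verify_image evidence.info md5 evidence.dd`, or `verify_image evidence.info md5 evidence.0*` for a split image, where the shell's lexical glob order is the segment order. Checking more than one algorithm costs a second pass over the image but guards against a typo in a single recorded digest; an .Exx image cannot be checked this way because the digest covers the acquired data, not the container file.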
