Part 5 of 5

Practical Lab

🕑 180-210 minutes 📖 Hands-On 📋 Module 4

Lab Introduction

This practical lab brings together all the concepts from Module 4. You will perform forensic imaging, verify evidence integrity with hash functions, use TestDisk for partition analysis, and recover deleted files with PhotoRec. These hands-on exercises reinforce theoretical knowledge with real-world skills.

🔨 Lab Objectives
  • Create a forensic disk image using dd (FTK Imager is the equivalent GUI tool on Windows; this lab uses dd)
  • Calculate and verify MD5 and SHA-256 hash values
  • Analyze partitions and recover deleted partitions with TestDisk
  • Perform file carving with PhotoRec to recover deleted files
  • Document findings in a proper forensic format

Prerequisites

💻 Linux VM or Live Boot (CAINE, SIFT)
💾 Sample disk image or USB drive
🔧 TestDisk/PhotoRec installed
📂 Sufficient storage space

Lab 1: Creating Forensic Images

📷
Forensic Imaging Exercise
Estimated time: 45-60 minutes

Learning Objectives

  • Properly identify and document evidence drives
  • Create raw images using the dd command
  • Understand imaging parameters and their effects

Exercise Steps

1
Identify Target Device
First, identify the device you want to image. Never image your system drive, and connect the evidence drive through a hardware write blocker where you have one. Without one, make sure the drive has not been auto-mounted and never mount it yourself: every step below reads the raw block device, not a mounted file system.
Terminal
# List all block devices
lsblk

NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0 500.0G  0 disk
├─sda1   8:1    0   512M  0 part /boot/efi
└─sda2   8:2    0 499.5G  0 part /
sdb      8:16   1   3.7G  0 disk           <-- Target USB drive (no mountpoint: good)
└─sdb1   8:17   1   3.7G  0 part

# Get detailed information about the target
sudo fdisk -l /dev/sdb
2
Document Drive Information
Record model, serial number and capacity (in bytes, from the same machine you image on) for chain of custody, and photograph the device and its label.
Terminal
# Get drive serial number and model
sudo hdparm -I /dev/sdb | grep -E "Model|Serial"

Model Number:       SanDisk Cruzer Blade
Serial Number:      4C530001234567891234

# hdparm -I needs ATA pass-through and often fails on USB sticks with
# "Inappropriate ioctl for device"; lsblk reports the same fields from udev
lsblk -o NAME,MODEL,SERIAL,SIZE,TRAN /dev/sdb
3
Calculate Source Hash
Before imaging, calculate hash values of the source device. Each hash is a full read of the device, so on a drive that is already throwing read errors skip this step and image first with a tool that hashes while it copies (dc3dd or dcfldd): the extra read only adds wear, and md5sum stops at the first read error anyway.
Terminal
# Calculate MD5 hash of source
sudo md5sum /dev/sdb
a1b2c3d4e5f6...  /dev/sdb

# Calculate SHA-256 hash of source
sudo sha256sum /dev/sdb
1234567890abcdef...  /dev/sdb

# Save hashes to file (sudo applies to md5sum only; the redirection runs
# as your user, so write to a directory you own)
sudo md5sum /dev/sdb > source_hashes.txt
sudo sha256sum /dev/sdb >> source_hashes.txt
4
Create Forensic Image
Use dd to create a bit-for-bit copy of the evidence drive. conv=noerror keeps dd going past a read error instead of stopping; conv=sync pads that unreadable block with zeros so every later byte stays at its true offset. The same padding applies to a short final read, so choose a block size that divides the device size exactly, otherwise the image ends up longer than the device and the hashes cannot match. If dd reports any read errors, note them in the imaging log: the source and image hashes will then legitimately differ.
Terminal
# Check the exact device size: 4001366016 = 954 x 4 MiB, so bs=4M is safe here
sudo blockdev --getsize64 /dev/sdb
4001366016

# Create forensic image with dd
sudo dd if=/dev/sdb of=/forensics/case001/evidence.raw bs=4M conv=noerror,sync status=progress

3984588800 bytes (4.0 GB, 3.7 GiB) copied, 180 s, 22.1 MB/s
954+0 records in
954+0 records out
4001366016 bytes (4.0 GB, 3.7 GiB) copied, 181.023 s, 22.1 MB/s
5
Verify Image Hash
Calculate hash of the created image and compare to source.
Terminal
# Calculate image hashes
md5sum /forensics/case001/evidence.raw
a1b2c3d4e5f6...  /forensics/case001/evidence.raw

# Compare against the source hash recorded in step 3 (line 1 of the file
# is the MD5); there is no need to read the device a second time
diff <(head -n1 source_hashes.txt | cut -d' ' -f1) \
     <(md5sum /forensics/case001/evidence.raw | cut -d' ' -f1)
# No output = hashes match!

# If they differ, compare sizes first: an image longer than the device means
# conv=sync padded the last block; a read error reported by dd is the other cause
ls -l /forensics/case001/evidence.raw

# Hashes match - imaging verified successfully!
Lab Safety

Always double-check device names before running dd. if=/dev/sdb is what dd reads FROM and of= is what it writes TO; if you swap them, or point of= at the wrong device, dd overwrites it without asking and your evidence (or your own disk) is gone. Read the command back once more before pressing Enter, and prefer a write blocker so the evidence drive physically cannot be written.

Lab 2: Hash Verification

🔒
Hash Verification Exercise
Estimated time: 20-30 minutes

Learning Objectives

  • Use multiple hash algorithms for verification
  • Create verification logs for documentation
  • Understand the importance of hash verification at each stage

Exercise Steps

1
Create Multiple Hashes
Generate MD5, SHA-256 and SHA-512 hashes for thorough verification. MD5 is kept because older tools and reports still use it, but collisions can be produced for it at will, so the SHA-256 value is the one your verification actually rests on. Note that each sum below is a separate full read of the image.
Terminal
# Generate comprehensive hash report
echo "=== Hash Verification Report ===" > hash_report.txt
echo "Date: $(date)" >> hash_report.txt
echo "Examiner: [Your Name]" >> hash_report.txt
echo "" >> hash_report.txt

echo "MD5:" >> hash_report.txt
md5sum evidence.raw >> hash_report.txt

echo "SHA-256:" >> hash_report.txt
sha256sum evidence.raw >> hash_report.txt

echo "SHA-512:" >> hash_report.txt
sha512sum evidence.raw >> hash_report.txt

# View report
cat hash_report.txt
2
Verify Working Copy
Create a working copy and verify its integrity before analysis. Make the original read-only first (chmod 444 evidence.raw) so a slip in a later lab cannot touch it; every tool from here on runs against the copy.
Terminal
# Create working copy
cp evidence.raw evidence_working.raw

# Verify working copy matches original
sha256sum evidence.raw evidence_working.raw

abc123...  evidence.raw
abc123...  evidence_working.raw

# Hashes match - working copy is identical
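Lab 1 step 5 compares a single digest, and Lab 2 step 1 reads the image three times to get three. The script below is an added example, not part of this lab and not a feature of dd or coreutils: it computes MD5, SHA-256 and SHA-512 in a single pass, and emulates dd's conv=sync block copy on a small constructed file so you can see the one way a clean acquisition still fails verification, a block size that does not divide the device size. The 12 800-byte random "device", the temporary directory and every function name are the example's own assumptions.

```python
"""Image-and-verify helper (added example, not the lab's own tooling).

Emulates the block copy dd performs with conv=sync on ordinary files so the
padding pitfall can be shown without a real device: dd pads a short final
read with zeros up to bs, so when bs does not divide the source size the
image is larger than the source and no digest can match. Hashing is done in
one pass for all three algorithms instead of the three reads in Lab 2.
"""
import hashlib
import os
import tempfile

ALGOS = ("md5", "sha256", "sha512")
CHUNK = 1 << 20  # 1 MiB hashing read size


def multi_hash(path):
    """Compute MD5, SHA-256 and SHA-512 in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def dd_sync_copy(src, dst, bs):
    """Block copy with dd's conv=sync behaviour: every input record is written
    at exactly bs bytes, a short final read padded with NULs. (Read errors,
    which conv=noerror skips over, are not simulated.) Returns (in, out)."""
    records = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(bs), b""):
            fout.write(block.ljust(bs, b"\x00"))
            records += 1
    return records, records


def verify_image(src, img):
    """Compare source and image: sizes, padding bytes dd added, digest match."""
    src_size, img_size = os.path.getsize(src), os.path.getsize(img)
    return {
        "source_size": src_size,
        "image_size": img_size,
        "padding_bytes": img_size - src_size,
        "hashes_match": multi_hash(src) == multi_hash(img),
    }


def demo(device_size=25 * 512):
    """Image a constructed 12 800-byte random 'device' with two block sizes and
    return both verification reports keyed by bs: 4096 does not divide 12 800
    and pads the last record, 512 divides it and verifies."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "device.bin")
        with open(src, "wb") as fh:
            fh.write(os.urandom(device_size))  # constructed sample device
        for bs in (4096, 512):
            img = os.path.join(tmp, f"evidence_bs{bs}.raw")
            records_in, records_out = dd_sync_copy(src, img, bs)
            report = verify_image(src, img)
            report["records"] = (records_in, records_out)
            results[bs] = report
    return results


if __name__ == "__main__":
    for bs, report in demo().items():
        print(f"bs={bs}: {report}")
```

Run it and compare the two reports: with bs=4096 the image carries 3584 padding bytes and no digest matches; with bs=512 it verifies. On a real device the equivalent check is `blockdev --getsize64` against the image's byte count, which is worth doing before you look at the hashes at all.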

Lab 3: TestDisk Partition Recovery

💾
Partition Analysis with TestDisk
Estimated time: 45-60 minutes

Learning Objectives

  • Analyze disk partition structures
  • Recover deleted or damaged partition tables
  • Extract files from recovered partitions

Exercise Steps

1
Launch TestDisk
Run TestDisk on the working copy of the forensic image, never on the original evidence: if you accept [Write], TestDisk writes a repaired partition table or boot sector back to whatever media it was given. It also keeps a testdisk.log in the current directory (use /log to force it, /debug for more detail), which belongs in your case notes.
Terminal
# Launch TestDisk with the image file
testdisk evidence_working.raw

TestDisk 7.1, Data Recovery Utility
Christophe GRENIER <grenier@cgsecurity.org>

Select a media (use arrow keys):
  Disk evidence_working.raw - 4001 MB / 3816 MiB

[Proceed]  [Quit]
2
Select Partition Table Type
Choose the appropriate partition table type for the image.
TestDisk Interface
Please select the partition table type:
   [Intel  ]  Intel/PC partition
   [EFI GPT]  EFI GPT partition map
   [Mac    ]  Apple partition map
   [None   ]  Non partitioned media
   [Sun    ]  Sun Solaris partition
   [XBox   ]  XBox partition

# TestDisk pre-selects the type it detects on the media; accept it unless you know better
# [Intel] = MBR: most USB drives and BIOS-era Windows disks
# [EFI GPT] = GPT: UEFI systems and any drive over 2 TB
# [None] = a "superfloppy" with a file system but no partition table at all
3
Analyze Partitions
Let TestDisk analyze and search for partitions.
TestDisk Interface
[Analyse] Analyse current partition structure and search for lost partitions
[Advanced] Filesystem Utils
[Geometry] Change disk geometry
[Options] Modify options
[MBR Code] Write TestDisk MBR code to first sector
[Delete] Delete all data in the partition table
[Quit] Return to disk selection

# Select [Analyse] then [Quick Search]

Partition               Start        End    Size in sectors
 NTFS                    2048    3905535    3903488  [Data]
 FAT32                3905536    7813119    3907584  [Backup]

# Start and End are LBA sector numbers; Size = End - Start + 1. Check that the
# ranges do not overlap and fit inside the disk (about 7.8 million sectors for
# this image) before trusting the result, and run [Deeper Search] if a
# partition you know existed is missing
4
Browse and Recover Files
Navigate to files and copy them to a recovery folder.
TestDisk Interface
# Press 'P' on a partition to list its files (Right arrow enters a directory)
# Press ':' to select or deselect the current file, 'a' to select all
# Press 'c' to copy the current file or directory, 'C' to copy the selected files
# TestDisk then asks for a destination: point it at a recovery folder, not the image

Directory /
  ..          dr-x------- 0     0         0  4-Jan-2026 10:30
  Documents   dr-x------- 0     0         0  4-Jan-2026 10:31
  Photos      dr-x------- 0     0         0  4-Jan-2026 10:32
  report.docx -r-x------- 0     0     24576  4-Jan-2026 10:35
  budget.xlsx -r-x------- 0     0     18432  4-Jan-2026 10:36

# Files recovered to specified directory
💡 TestDisk Tips

TestDisk can also recover deleted files: in the file list they are shown in red, and 'h' toggles hiding them. The [Advanced] menu holds the file-system utilities, including boot sector rebuild and repair and, for NTFS, Repair MFT; like [Write], these modify the media TestDisk was given, which is why only the working copy is ever opened.
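The Analyse and Quick Search steps above, as an added example in Python (not TestDisk's code): read_mbr() parses sector 0 into the same kind of table TestDisk lists, and scan_boot_sectors() shows why a deleted partition is still findable, its boot sector is still on disk and states the volume size. The 16 MiB disk image, the two partitions in it and the function names are all constructed for the example; only the MBR entry layout and the NTFS/FAT32 boot-sector fields are real format facts.

```python
"""MBR partition-table reader plus a lost-partition scan (added example, not
TestDisk's code). read_mbr() parses the four 16-byte entries in sector 0;
scan_boot_sectors() is the idea behind Quick Search: a deleted partition's
table entry is zeroed, but its boot sector still sits on disk.
"""
import struct

SECTOR = 512
MBR_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32", 0x83: "Linux", 0xEE: "GPT protective"}


def read_mbr(sector0):
    """Return (type, start, end, size-in-sectors) rows for the used MBR slots;
    raise if the 0x55AA boot signature is missing."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature in sector 0")
    rows = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        _flag, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack("<B3sB3sII", entry)
        if ptype and count:  # an all-zero slot is empty (or deleted)
            rows.append((MBR_TYPES.get(ptype, f"0x{ptype:02x}"), lba_start, lba_start + count - 1, count))
    return rows


def scan_boot_sectors(image, step=2048):
    """Test every `step`-th sector (2048 = the 1 MiB alignment modern tools use)
    for an NTFS or FAT32 boot sector and rebuild the row from the volume size
    the boot sector itself records."""
    hits = []
    for lba in range(0, len(image) // SECTOR, step):
        bs = image[lba * SECTOR:(lba + 1) * SECTOR]
        if bs[510:512] != b"\x55\xaa":
            continue
        if bs[3:11] == b"NTFS    ":
            # NTFS stores (volume sectors - 1): the last sector holds the backup boot sector
            total = struct.unpack("<Q", bs[40:48])[0] + 1
            hits.append(("NTFS", lba, lba + total - 1, total))
        elif bs[82:90] == b"FAT32   ":
            total = struct.unpack("<I", bs[32:36])[0]  # BPB_TotSec32
            hits.append(("FAT32", lba, lba + total - 1, total))
    return hits


def build_sample_image(delete_fat32=False):
    """Constructed 16 MiB disk: NTFS at LBA 2048 (14 336 sectors) and FAT32 at
    LBA 16384 (16 384 sectors). With delete_fat32=True the FAT32 table entry is
    zeroed, as a deleted partition's would be, while its boot sector remains."""
    img = bytearray(32768 * SECTOR)
    for i, (ptype, start, count) in enumerate([(0x07, 2048, 14336), (0x0B, 16384, 16384)]):
        if delete_fat32 and ptype == 0x0B:
            continue
        img[446 + 16 * i:462 + 16 * i] = struct.pack("<B3sB3sII", 0, b"\0\0\0", ptype, b"\0\0\0", start, count)
    img[510:512] = b"\x55\xaa"

    ntfs = bytearray(SECTOR)  # minimal NTFS boot sector: jump, OEM id, total sectors, signature
    ntfs[0:3] = b"\xeb\x52\x90"
    ntfs[3:11] = b"NTFS    "
    ntfs[40:48] = struct.pack("<Q", 14336 - 1)
    ntfs[510:512] = b"\x55\xaa"
    img[2048 * SECTOR:2049 * SECTOR] = ntfs

    fat = bytearray(SECTOR)  # minimal FAT32 boot sector: jump, OEM id, BPB_TotSec32, FS type, signature
    fat[0:3] = b"\xeb\x58\x90"
    fat[3:11] = b"MSWIN4.1"
    fat[32:36] = struct.pack("<I", 16384)
    fat[82:90] = b"FAT32   "
    fat[510:512] = b"\x55\xaa"
    img[16384 * SECTOR:16385 * SECTOR] = fat
    return bytes(img)


if __name__ == "__main__":
    disk = build_sample_image(delete_fat32=True)
    print("partition table:", read_mbr(disk[:SECTOR]))
    print("boot sectors found:", scan_boot_sectors(disk))
```

With delete_fat32=True the table lists only the NTFS partition while the scan still reports both, which is the situation TestDisk's Quick Search resolves. The scan stops at aligned sectors only; TestDisk's Deeper Search drops that assumption and tests every sector, which is why it is slow.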

Lab 4: PhotoRec File Carving

🔍
File Carving with PhotoRec
Estimated time: 45-60 minutes

Learning Objectives

  • Configure PhotoRec for targeted file recovery
  • Recover deleted files from unallocated space
  • Organize and validate carved files

Exercise Steps

1
Launch PhotoRec
Start PhotoRec and select your forensic image.
Terminal
# Launch PhotoRec
photorec evidence_working.raw

PhotoRec 7.1, Data Recovery Utility
Christophe GRENIER <grenier@cgsecurity.org>

Select a media:
2
Configure File Types
Select which file types to carve. Limiting the list cuts false positives and run time, but a type that is not ticked is simply not carved, so a first run with the defaults is often the safer choice.
PhotoRec Interface
# Navigate to [File Opt] to select file types

[X] jpg  JPG picture
[X] png  Portable Network Graphics
[X] pdf  Portable Document Format
[X] doc  Microsoft Office Document (doc/xls/ppt/vsd/...)
[X] zip  zip archive including OpenOffice and MSOffice 2007 documents
[ ] mp3  MPEG audio layer 3
[ ] mp4  MPEG-4 video

# docx/xlsx/pptx are ZIP containers: PhotoRec carves them through the zip
# entry and names them by the content it finds inside
# Use space to toggle, 's' to restore the default selection, 'b' to save
# the selection to ~/.photorec.cfg for next time
3
Select Recovery Source
After you pick the partition, PhotoRec asks for the file system type ([ext2/ext3] or [Other]); choose [Other] for the NTFS and FAT32 partitions in this image. Then choose to search only unallocated space or the whole partition.
PhotoRec Interface
Please select where to search:
   [Free    ]  Free space only (for deleted files)
   [Whole   ]  Whole partition (slower but more thorough)

# [Free] relies on an intact allocation map (MFT or FAT) to know which blocks
# are free; it is the right choice for deleted-file recovery on a healthy file system
# [Whole] also carves the live files, so expect duplicates of what TestDisk
# already copied; use it when the file system is damaged or the map is unreliable
4
Run Carving and Review Results
Start the carving process and review recovered files.
Terminal
PhotoRec is recovering data...
Pass 1 - Reading sector   1234567/31455231
Recovered: 127 files

jpg: 45 recovered
png: 12 recovered
pdf: 8 recovered
doc: 15 recovered
docx: 32 recovered
xlsx: 15 recovered

# Files are saved to recup_dir.1, recup_dir.2, ... in the destination
# PhotoRec asks for; recup_dir.1 also gets a report.xml listing every
# carved file and the sectors it came from

# List recovered files
ls -la recup_dir.1/

f0002048.jpg
f0002304.jpg
f0003072.png
f0004096.pdf
...

# The number in each name is the starting sector of the carved file, so any
# recovered file can be traced back to its location in the image
5
Validate and Organize
Verify that recovered files open correctly and organize copies by type. Hash everything in place before you move or open anything, and leave the recup_dir.* directories exactly as PhotoRec wrote them so the file names still line up with report.xml.
Terminal
# Count files by type
find recup_dir* -name "*.jpg" | wc -l
45

# Hash every recovered file in place, first
find recup_dir* -type f -exec sha256sum {} + > recovered_hashes.txt

# Organize copies by file type (cp, not mv: the PhotoRec output stays intact)
mkdir -p recovered/{images,documents,other}
cp recup_dir*/*.jpg recup_dir*/*.png recovered/images/
cp recup_dir*/*.doc* recup_dir*/*.pdf recovered/documents/

# Check that each file's content matches its extension before opening it
file recovered/documents/*
Validation is Critical

PhotoRec will produce false positives - files that match signatures but are corrupted or incomplete. Always open and verify recovered files before relying on them as evidence. Document which files are valid and which are partial/corrupted.
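What PhotoRec is doing underneath Lab 4, as an added example (not PhotoRec's code): a minimal carver that finds headers in raw bytes, cuts each file out by walking its structure where the format has one (PNG chunks with CRC checks, JPEG marker segments) or by footer where it does not (PDF), and marks anything that could not be completed, which is exactly the partial-file class the note above warns about. The sample "unallocated space" is constructed: a deterministic filler, one valid JPEG, one valid PNG, the same JPEG cut off before its end marker, and one small PDF; all names are the example's own.

```python
"""Minimal signature-based carver (added example, not PhotoRec's code).

Scan raw bytes for known headers, cut each file out by walking its structure
(PNG chunks with CRC checks, JPEG marker segments) or by footer (PDF), and
flag anything that could not be completed so the examiner validates it.
"""
import hashlib
import struct
import zlib

SIGNATURES = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-"}


def carve_png(buf):
    """Walk chunks after the 8-byte signature; returns (length, complete).
    Every CRC is verified, so a header followed by garbage comes back partial."""
    pos = 8
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        end = pos + 12 + length
        if end > len(buf):
            break
        body = buf[pos + 8:pos + 8 + length]
        if zlib.crc32(ctype + body) != struct.unpack(">I", buf[end - 4:end])[0]:
            break
        pos = end
        if ctype == b"IEND":
            return pos, True
    return pos, False


def carve_jpeg(buf):
    """Walk marker segments (FF xx + 2-byte length). After Start-Of-Scan (FF DA)
    entropy-coded data runs until a marker that is neither byte stuffing (FF 00)
    nor a restart marker (FF D0..D7); FF D9 ends the file. A plain FF D9 search
    would instead stop at an EXIF thumbnail's own end marker."""
    pos = 2
    while pos + 2 <= len(buf) and buf[pos] == 0xFF:
        marker = buf[pos + 1]
        if marker == 0xD9:
            return pos + 2, True
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # markers without a length
            pos += 2
            continue
        if pos + 4 > len(buf):
            break
        pos += 2 + struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if marker == 0xDA:
            while pos + 1 < len(buf) and not (
                buf[pos] == 0xFF and buf[pos + 1] != 0x00 and not 0xD0 <= buf[pos + 1] <= 0xD7
            ):
                pos += 1
    return min(pos, len(buf)), False


def carve_pdf(buf):
    """No walkable structure: take the last %%EOF in the window (incremental
    updates append several); no %%EOF at all means a partial file."""
    end = buf.rfind(b"%%EOF")
    return (end + 5, True) if end != -1 else (len(buf), False)


CARVERS = {"png": carve_png, "jpg": carve_jpeg, "pdf": carve_pdf}


def carve(data):
    """Carve every recognised file out of `data`. Each carve is bounded by the
    next header of any type, so a partial file cannot swallow the one after it.
    Returns dicts with type, offset, size, complete and sha256."""
    found, pos = [], 0
    while True:
        hits = [(data.find(sig, pos), ext) for ext, sig in SIGNATURES.items()]
        hits = [h for h in hits if h[0] != -1]
        if not hits:
            return found
        off, ext = min(hits)
        nxt = [data.find(sig, off + 1) for sig in SIGNATURES.values()]
        limit = min([n for n in nxt if n != -1] or [len(data)])
        length, complete = CARVERS[ext](data[off:limit])
        found.append({"type": ext, "offset": off, "size": length, "complete": complete,
                      "sha256": hashlib.sha256(data[off:off + length]).hexdigest()})
        pos = off + length if complete else off + 1  # partial: rescan right after its header


def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed sample files: minimal, but structurally valid for the carvers above
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # SOI, APP0
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56\x78"   # SOS, stuffed scan data
               + b"\xff\xd9")                                                                  # EOI
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"
FILLER = bytes(range(256)) * 4  # deterministic "unallocated space" containing none of the signatures


def build_sample_image():
    """Filler, a good JPEG, a PNG, the same JPEG cut off before its EOI, a PDF."""
    return (FILLER + SAMPLE_JPEG + FILLER + SAMPLE_PNG + FILLER
            + SAMPLE_JPEG[:-2] + FILLER + SAMPLE_PDF + FILLER)


if __name__ == "__main__":
    for record in carve(build_sample_image()):
        print(record)
```

Run it and the third record comes back with complete: False while the other three carve cleanly; the PNG path also rejects a file whose IEND CRC is wrong, which a plain footer search would accept without comment. That is the validation step of Lab 4 moved into the carver itself, and it is still only a structural check: a file that walks correctly can still be the wrong file, so open it.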

Lab Documentation

Proper documentation is essential for forensic validity. Create a comprehensive report of your lab activities.

Documentation Checklist

  • Evidence Details: Device make, model, serial number, capacity
  • Imaging Log: Date, time, examiner, tool used, parameters
  • Hash Values: Before imaging, after imaging, before/after analysis
  • Analysis Steps: Each tool used, settings, observations
  • Recovered Files: Count by type, validation status, file hashes
  • Findings Summary: Key evidence discovered
💡 Report Template

A standard forensic report should include: case information, evidence description, acquisition details with hashes, examination methodology, findings organized by evidence type, conclusions, and examiner certification. Use screenshots to document tool outputs.

📚 Lab Summary
  • Always work on forensic copies, never on original evidence
  • Calculate and verify hash values at every stage of the process
  • Document device details before beginning acquisition
  • Use dd with conv=noerror,sync to handle bad sectors gracefully, and a block size that divides the device size so the image is not padded
  • TestDisk can recover deleted partitions and browse file systems
  • PhotoRec recovers files by signature without file system metadata
  • Always validate carved files - many will be incomplete or corrupted
  • Maintain thorough documentation for chain of custody and court presentation