
Guymager -- Forensic Disk Imager

Guymager is an open source forensic disk imager used for media acquisition. It is available only on Linux and comes pre-installed in Kali Linux. Guymager was created by Dutch developer Guy Voncken.

Image acquisition is an essential step in digital forensic investigations. It lets us clone an entire storage device, such as a pen drive, hard disk or memory card. With Guymager we can copy a whole disk.

In the previous tutorial we learned about the Foremost tool for recovering permanently deleted files. Before recovering data with Foremost, however, we should first copy the drive using Guymager.

[Screenshot: Guymager on Kali Linux]

To solve cyber crimes involving digital material, that material has to be cloned. Evidence must be copied in a valid and proper way that preserves its legal admissibility; if it is not copied in a valid way, it cannot be used as evidence. Acquiring an image of the material from the crime scene with proper hardware and software tools is what makes the obtained data legally admissible evidence.

Choosing the proper image format and verification function during acquisition affects the later steps of the investigation. With an image we can examine the cloned disk on multiple systems with multiple tools and solve the case faster. Guymager is based on libewf and libguytools. Its features are the following:
  • A very easy GUI, available in several languages.
  • Really fast, thanks to a multi-threaded, pipelined design and multi-threaded data compression.
  • Makes full use of multi-processor machines.
  • Generates flat (dd), EWF (E01) and AFF images, and supports disk cloning.
  • Being open source, it is completely free of charge.
Now we run Guymager on our Kali Linux system. To start the tool we simply use the guymager command in a terminal window:

sudo guymager

Running this command opens the Guymager window, as shown below:


We can use the "Rescan" option to scan for newly attached devices. Now we connect our pen drive and click Rescan, or simply press the F5 key.

[Screenshot: scanning for devices in Guymager]

Here we can see the serial number and other information about our pen drive. Now we can acquire an image or clone the pen drive by right-clicking on the disk. To clone the pen drive we click Clone, and another window opens.

[Screenshot: cloning a drive]

Here we can see that we can clone the pen drive onto our hard disk or any other flash drive. To acquire an image we right-click on the disk and select the Acquire option; a new window pops up.

[Screenshot: disk cloning with Guymager]

Here we can choose the file format and enter the case number, evidence number, examiner, description and notes. We can also choose the image directory and split the image into pieces of a chosen size. We can calculate MD5, SHA-1 and SHA-256 hashes. We must also enable the verification step, because if the acquired image is not valid it cannot serve as evidence, so verification is a good habit. We have filled in everything, set the image directory to our Desktop, and left split image disabled because we are not acquiring a large image. The following screenshot shows the settings.

[Screenshot: image acquisition settings in Guymager]

Then we just click Start and the process begins.

[Screenshot: Guymager running the acquisition]

After the process finishes we get a dd image file on our Desktop.

[Screenshot: the acquired image on the Desktop]
The dd file is an equivalent of our pen drive. Now we can run Foremost or any other forensic tool on this image. Forensic examination will be very fast because the dd file sits on our system's hard drive. To learn how to recover permanently deleted data, read our Foremost tutorial.
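The hashing and verification steps described above, written out as an added example (this is not Guymager's code): the source is streamed into a flat dd-style image while MD5, SHA-1 and SHA-256 are computed on the fly, and the finished image is then re-read and re-hashed, which is what the verification checkbox does. A constructed file of random bytes stands in for the pen drive; the function names and paths are my own.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # bytes read per step; every chunk is hashed as it is copied


def acquire_image(source_path, image_path, algorithms=("md5", "sha1", "sha256")):
    """Copy source_path to image_path in one pass, hashing the data as it flows.
    Returns {algorithm: hex digest} computed from the bytes actually written."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            for h in hashers.values():
                h.update(chunk)
        dst.flush(); os.fsync(dst.fileno())  # image must be on disk before re-reading
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image_path, expected):
    """Re-read the finished image and recompute every digest in `expected`.
    True only if all digests match; a mismatch means the image is not a
    faithful copy and is useless as evidence."""
    hashers = {name: hashlib.new(name) for name in expected}
    with open(image_path, "rb") as img:
        for chunk in iter(lambda: img.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return all(h.hexdigest() == expected[name] for name, h in hashers.items())


def demo(data=None):
    """Constructed sample: a file of random bytes stands in for the pen drive.
    Returns (digests, verified_ok, verified_after_tampering)."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "pendrive.bin")  # hypothetical source device
    image = os.path.join(workdir, "pendrive.dd")   # the flat dd image we produce
    with open(drive, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345) if data is None else data)
    digests = acquire_image(drive, image)
    ok = verify_image(image, digests)
    # Corrupt one byte of the image: verification must now fail.
    with open(image, "r+b") as f:
        last = os.path.getsize(image) - 1
        f.seek(last)
        byte = f.read(1)[0]
        f.seek(last)
        f.write(bytes([byte ^ 0xFF]))
    return digests, ok, verify_image(image, digests)
```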