Guymager

Guymager is an open source forensic disk imager tool for media acquisition. This tool is only
available only on Linux, and it comes pre-installed with Kali Linux. Guymager is created by
Dutch developer Guy Voncken.

Image acquisition is a must need process in digital forensic researches. With this process we
can clone an entire disk like pen drives or hard disks or memory cards. We can copy a total
disk with guymager.

Choosing the proper format and verification function when image acquisition affects
the steps in the research process. Using this method we can clone a disk and do
research on multiple systems using multiple software and solve the case faster.
Guymager is based on libewf and libguytools. The features of guymager is following:

 Very easy GUI user interface in different language.

 Really fast process due to multi-threaded, pipelined design and multi-threaded data
compression.
 makes full usage of multi-processor machines.
 Generates flat (dd), EWF(E01) and AFF images, supports disk cloning.
 For becoming open source it is completely free of charges.
 Now we run guymager in our Kali Linux system. To run this tool we simply
use guymager command in our terminal window.

 sudo guymager

 Providing command will open it's window as following:

:
We can use the "Rescan" option to scan newly attached devices.
Now we connect our pen drive and click on Rescan or simply press F5 button.

Here we can see the serial Number and other information of our pen drive. Now we
can acquire image and clone our pen drive by right click on the disk. For cloning our
pen drive we click on clone and another window will open.
 Here we can see that we can clone the pen drive on our hard disks or any other
flash drives. To acquire image we need to right click on the disk and select the
acquire option and a new window will pop up.
Here we can choose the file format and provide the case number and evidence
number, examiner, descriptions and notes. Here we can also choose the image
directory. We can also split the size of disk. We can calculate MD% and SHA1 and
SHA-256.
Then we must check the verification process, because if the image acquisition was
not valid then it can't be an evidence. So verification is a good habit. Here we have
done everything, and set the acquired image directory in our desktop, and we did not
used the split image because we are not acquiring large image. Following
screenshot shows the process.
Then we just click on start option and the process will start.

After finishing this process we will get a dd image file in our Desktop.
 The dd file is equivalent of our pen drive. Now we can run foremost or any
other forensic tools on this image.