USB forensics lab using Kali Linux

USB Forensics Lab Using Kali Linux – Full Walkthrough with dd and Autopsy

Black Wolf


Author: Cyber Secret Society

Updated: 2025

Category: Digital Forensics / Cybersecurity Labs

Overview

In this hands-on digital forensics lab, we’ll learn how to:

  • Wipe and delete files from a USB drive
  • Create a forensic disk image using the dd command in Kali Linux
  • Analyze the image using Autopsy, a powerful open-source forensic tool

This lab is perfect for cybersecurity students, digital forensic analysts, and anyone interested in understanding how deleted and wiped data behaves on USB devices.

Tools Required

  • Kali Linux (Virtual Machine)
  • USB flash drive
  • Autopsy (installed on Kali)
  • dd, lsblk, mount, shred (Linux terminal tools)

Lab Steps

Step 1: Prepare the USB Drive

Wipe all existing data on the USB using dd:

sudo dd if=/dev/zero of=/dev/sdX bs=1M status=progress

Replace /dev/sdX with your actual USB device (check with lsblk; writing to the wrong device will destroy that disk). Note that zeroing the whole device also erases its partition table, so a partition and filesystem have to be created on the drive before Step 2, otherwise /dev/sdX1 will not exist to mount.

Step 2: Copy Files to USB

Create a new mount point and copy sample files:

sudo mkdir /mnt/usb

sudo mount /dev/sdX1 /mnt/usb

Copy files:

echo "Confidential Report" > /mnt/usb/report.txt
cp ~/Downloads/sample.docx /mnt/usb/
cp ~/Pictures/image.jpg /mnt/usb/

Record the list of copied files.

Step 3: Delete & Wipe Some Files

Delete some files:

rm /mnt/usb/report.txt

Wipe others using shred:

shred -u /mnt/usb/image.jpg

Unmount USB:

sudo umount /mnt/usb

Step 4: Create a Forensic Image of the USB with dd

Use dd to create a bit-by-bit image:

sudo dd if=/dev/sdX of=~/usb_lab_image.dd bs=1M status=progress

Step 5: Analyze with Autopsy

Start Autopsy:
autopsy

Open in browser: http://127.0.0.1:9999/autopsy

  1. Create a new case
  2. Add a host
  3. Add data source → select your usb_lab_image.dd
  4. Let Autopsy process and analyze the image
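The acquisition in Step 4 is only evidence if you can show the image is a faithful copy of the device. The following shell function is an added example (not part of the original lab, and not code from Kali or Autopsy): it runs the same dd command as Step 4, hashes source and image with SHA-256, refuses to overwrite an existing image, and keeps an acquisition log next to the image. The source may be the USB block device (/dev/sdX, run with sudo) or, for a dry run without root, any readable file; the log file name (`<image>.log`) is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original lab: acquire an image with dd as in
# Step 4, then prove the copy is bit-for-bit identical with SHA-256 and keep
# an acquisition log. SOURCE can be a block device (/dev/sdX, needs sudo) or,
# for a dry run without root, any readable file.

sha256_of() {
  sha256sum "$1" | cut -d' ' -f1
}

# image_and_verify SOURCE IMAGE
# Prints the matching hash and returns 0; returns 1 on any failure or mismatch.
image_and_verify() {
  src=$1
  dst=$2
  log=$dst.log   # assumed log location: next to the image

  if [ ! -r "$src" ]; then
    echo "cannot read $src" >&2
    return 1
  fi
  # Never clobber an existing image: an accidental re-run would destroy evidence.
  if [ -e "$dst" ]; then
    echo "refusing to overwrite existing image $dst" >&2
    return 1
  fi

  # Hash the source before copying, so the reference value predates the image.
  src_hash=$(sha256_of "$src") || return 1

  # Same dd invocation as the lab (bs=1M); dd's own summary lines go to the log.
  # For media with bad sectors add conv=noerror,sync so reads continue and
  # unreadable blocks are zero-filled. With bs=1M that can pad the image past
  # the device size, so then compare hashes over the device length
  # (blockdev --getsize64) rather than the whole image file.
  dd if="$src" of="$dst" bs=1M 2>>"$log" || return 1

  img_hash=$(sha256_of "$dst") || return 1

  {
    echo "acquired:      $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "source:        $src"
    echo "image:         $dst"
    echo "sha256 source: $src_hash"
    echo "sha256 image:  $img_hash"
  } >>"$log"

  if [ "$src_hash" != "$img_hash" ]; then
    echo "HASH MISMATCH: image is not a faithful copy of $src" >&2
    return 1
  fi
  echo "$img_hash"
}

# Usage for the lab (as root, after Step 3 has unmounted the drive):
#   image_and_verify /dev/sdX "$HOME/usb_lab_image.dd"
```

Record the printed hash with the case notes; when Autopsy later reports the image's hash, it should match, and any later re-hash of the .dd file that differs tells you the image has been altered.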

Questions & Observations

  • Can you see all the originally copied files?
    Yes, except those that were deleted or wiped.
  • Were deleted files recovered?
    Yes, most deleted files were recoverable.
  • Were the wiped files recovered?
    No. Wiped files (e.g., with shred) were not recoverable — only metadata remained.

Key Takeaways

  • Deleting ≠ Wiping: Deleted files are recoverable unless securely wiped.
  • Autopsy is powerful for recovering deleted files and analyzing disk images.
  • dd is a reliable alternative to commercial imaging tools like FTK Imager.
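Why Autopsy recovers the rm'd report but not the shredded image comes down to what each operation changes on the media. The script below is an added example (not part of the original lab, and not Autopsy's code) that models this with a constructed 64 KB image file and a sidecar `.dir` index standing in for the filesystem's directory: `delete_file` behaves like rm (drops the directory entry, leaves the data), `wipe_file` behaves like shred -u (overwrites the data in place, then drops the entry), and `carve_string` does at the raw-bytes level what Autopsy's keyword search does: look for content regardless of whether any directory entry still points at it. Offsets, file names and content are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original lab: a constructed "USB image" with a
# sidecar .dir index in place of a real filesystem, to show what rm and shred
# each leave behind for a carving tool to find.

# make_image IMAGE: 64 KB of zeros plus an empty directory index.
make_image() {
  dd if=/dev/zero of="$1" bs=1024 count=64 2>/dev/null
  : > "$1.dir"
}

# write_file IMAGE NAME OFFSET CONTENT: store the bytes at OFFSET (the file's
# "cluster") and record "NAME OFFSET LENGTH" in the directory index.
write_file() {
  img=$1; name=$2; off=$3; content=$4
  printf '%s' "$content" | dd of="$img" bs=1 seek="$off" conv=notrunc 2>/dev/null
  printf '%s %s %s\n' "$name" "$off" "${#content}" >> "$img.dir"
}

# list_files IMAGE: what the filesystem view (and a normal directory listing) shows.
list_files() {
  cut -d' ' -f1 "$1.dir"
}

# delete_file IMAGE NAME: rm-style delete, the directory entry goes, the data stays.
delete_file() {
  img=$1; name=$2
  awk -v n="$name" '$1 != n' "$img.dir" > "$img.dir.tmp"
  mv "$img.dir.tmp" "$img.dir"
}

# wipe_file IMAGE NAME: shred -u style wipe, overwrite the data cluster in place
# (shred defaults to three random passes; one pass is enough to show the effect),
# then remove the directory entry.
wipe_file() {
  img=$1; name=$2
  entry=$(awk -v n="$name" '$1 == n { print $2, $3 }' "$img.dir")
  if [ -z "$entry" ]; then
    echo "no such file: $name" >&2
    return 1
  fi
  off=${entry% *}
  len=${entry#* }
  head -c "$len" /dev/urandom | dd of="$img" bs=1 seek="$off" conv=notrunc 2>/dev/null
  delete_file "$img" "$name"
}

# carve_string IMAGE STRING: byte offset of the first occurrence of STRING in
# the raw image, or "not found". -a treats the binary image as text, -b reports
# byte offsets, -o isolates the match, -F takes STRING literally.
carve_string() {
  hit=$(grep -aboF -- "$2" "$1" | head -n 1 | cut -d: -f1)
  if [ -n "$hit" ]; then echo "$hit"; else echo "not found"; fi
}

# Walk-through mirroring Steps 2 and 3 of the lab on the constructed image:
#   make_image usb.dd
#   write_file usb.dd report.txt 4096 'Confidential Report'
#   write_file usb.dd image.jpg 8192 'JFIF-constructed-image-bytes'
#   delete_file usb.dd report.txt     # rm
#   wipe_file   usb.dd image.jpg      # shred -u
#   list_files  usb.dd                # empty: both files are "gone"
#   carve_string usb.dd 'Confidential Report'          # 4096: still on the media
#   carve_string usb.dd 'JFIF-constructed-image-bytes' # not found: overwritten
```

On the real image, `grep -aboF 'Confidential Report' usb_lab_image.dd` gives the same kind of answer: an offset inside unallocated space that Autopsy's keyword search will also surface, while the shredded JPEG yields only its old directory metadata, which is exactly the difference the observations above record.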

Sample Commands Reference

# Check USB device
lsblk

# Wipe USB
sudo dd if=/dev/zero of=/dev/sdX bs=1M

# Mount USB
sudo mount /dev/sdX1 /mnt/usb

# Delete vs Wipe
rm file.txt
shred -u file.jpg

# Create image
sudo dd if=/dev/sdX of=~/usb_lab_image.dd bs=1M

# Start Autopsy
autopsy

Watch the Lab Tutorial on YouTube

Cyber Secret Society – Full Video USB Forensics with Kali Linux
