Forensic Simple Imaging of a Device

Ok, I’m not the most grammatical person, and I’m not the best writer, so bear with me.
I am writing these tutorials just for the randomness of having some downtime in between projects.
I will try to format it easy on the eye as best as I can. I may have mistakes in here and will try to fix them if I notice them.

Start
So this is going to be basic, like very basic, due to it being my first tutorial on here.
Now I’m going to introduce you to a program called FTK Imager. This product is created by
the good folks at AccessData, who are a big forensic/eDiscovery
company. FTK Imager is a free tool that is basically a very dumbed-down version of FTK.
FTK Imager can be downloaded here.

What FTK Imager Looks like.


Ok, let’s say you’re a new forensic examiner and you are on a case; you received a flash drive that contains stolen company secrets.
Your first step is to image the drive. What is meant by imaging the drive? Well, you can read about it here.

So why do we image the flash drive? If you’re too lazy to read the above article:

Quote:
1. Ensure that disk information is not inadvertently changed during analysis.

2. By performing an original disk image and storing the original disk, it is possible to reproduce forensic test results with an exact reproduction of analysis methods on the original evidence.

3. Disk imaging will capture information invisible to the operating system in use (e.g. hidden partitions, ext3 partitions on a Windows machine, etc.)

So your first step as an examiner is to plug in the drive, right?
No, first grab your hardware write blocker (Ok, you’re not going to have them, so you can skip this).
Some hardware write blockers:
Lonk 1
Lonk 2
Lonk 3

Or if you don’t have one and are on the job, you can get software write blockers like Thumbscrew.
What do write blockers do? They allow no data to be written to the devices.

So next, after the device is plugged into the write blocker, or you plug it into your machine using
a software write blocker, you can image the device using FTK Imager. (You don’t need write blockers to image, but in a
forensic situation you would want them.)

In FTK Imager we can click the button in the upper left-hand corner, or
you can go to File -> Add Evidence Item.

Now you will have this popup box appear:


You have the option of

  • Physical Drive – refers to the actual organization of data on a storage device.
    Physical imaging gets all the zeros and ones possible from the device.
  • Logical Drive – refers to how the information appears to a program or user as
    seen through the operating system; misses data from areas not seen
    by the operating system.
  • Image – open a drive that was already imaged into FTK.
  • Contents of a Folder – image just a folder and its contents (logical).

We want to do a Physical because we want everything on the drive to be imaged. Some
refer to this as a bit-by-bit image because it picks up every bit on the drive. So select
the Physical Drive radio button and hit Next.

You will come across a Source Drive Selection screen with a drop-down. This drop-down
will show all drives plugged into the computer; Physicaldrive0 is usually the
user’s OS drive. I have a 1 GB flash drive plugged in that I would like to image; for me I see

Code:
Physicaldrive3- USB Flash Memory USB Device [1GB USB]

This would be my flash drive.

Now click Finish.
Your drive will be added into FTK Imager; you should see the following.


Now right-click on your drive under the Evidence Tree.
Mine would be \\.\PHYSICALDRIVE3
Now a menu should pop up; you want to click on

Code:
Export Disk Image

You will now have this Create Image pop-up.

Click Add.
Now you can do Raw, SMART, E01, or AFF.
You want to pick Raw or E01 (more so for forensic tools such as EnCase, FTK, etc.).
Click Next.
Fill in the corresponding text boxes (this is used to keep track of the evidence).
Click Next.
Now pick a destination to save the image and give it a name.
Click Finish.

Now you’re back at the Create Image screen.
I like to have Verify Image checked to make sure the
MD5 matches after it’s imaged (shows data was not manipulated while imaging),
and Precalculate Progress (this will give you an estimate of time left to image).
Now hit Start and watch it image.

My image is now completed and the image MD5 is a match, so I can close this and start my investigation.
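
An independent re-check of the MD5 match described above, as an added example (not part of the original tutorial and not FTK Imager's own code): it re-hashes a Raw image, including one split into `.001`, `.002`, ... segments, and compares the result with the MD5 recorded at acquisition. The function names and the segment naming are assumptions, and the SHA-256 is an extra digest for the case notes.

```python
import hashlib
import re
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large image never sits in memory
SEGMENT = re.compile(r"\.\d{3,}")  # assumed split-image suffixes: .001, .002, ...


def image_segments(first_segment):
    """Return the image's files in order; a non-split image is a one-item list."""
    first = Path(first_segment)
    if not SEGMENT.fullmatch(first.suffix):
        return [first]
    parts = [p for p in first.parent.iterdir()
             if p.stem == first.stem and SEGMENT.fullmatch(p.suffix)]
    parts.sort(key=lambda p: int(p.suffix[1:]))  # numeric, so .010 follows .009
    numbers = [int(p.suffix[1:]) for p in parts]
    if numbers != list(range(1, len(parts) + 1)):
        # A gap means a segment is missing: refuse to hash a partial image.
        raise FileNotFoundError(f"segment numbering has a gap: {numbers}")
    return parts


def hash_image(first_segment):
    """Hash all segments as one byte stream, the way the source drive was read."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for segment in image_segments(first_segment):
        with open(segment, "rb") as fh:  # read-only: never open evidence for writing
            while chunk := fh.read(CHUNK):
                md5.update(chunk)
                sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(first_segment, recorded_md5):
    """Compare the recomputed MD5 with the value noted at acquisition time."""
    computed = hash_image(first_segment)
    return computed["md5"] == recorded_md5.strip().lower(), computed


if __name__ == "__main__":
    import sys
    ok, digests = verify_image(sys.argv[1], sys.argv[2])
    print("MATCH" if ok else "MISMATCH", digests)
```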

Next we can go over recovering deleted data, carving for images, and basic examination steps.
These are going to be very basic for now so some people can see the simple investigation steps.
This is a quick write-up and a very basic way to image a device.
Thanks to #кrew

 

 

 
