Image Forensics Capstone Lab: Creating an Image with FTK Imager

Video Transcription
Hi, and welcome to Everyday Digital Forensics. I'm your host, Yesenia Yser. In today's module, we're going to be using the Image Forensics Capstone Lab provided by Cybrary.it in order to create an image with FTK Imager.
So in today's video, we're going to go over the Image Forensics Capstone Lab, talk about the FTK Imager product, go over the initial steps from the start of the lab to the point at which the demo starts, and then we're going to image a partition and perform verification on the image.
So the demo today comes from the Image Forensics Capstone Lab available on Cybrary.it. The purpose of the lab is to create a live disk image using FTK and then verify that the image was created successfully. I speed through the process and kind of cut the time short on the lab. As you can see, the lab is 45 minutes. I will be reviewing the imaging process, so I highly recommend that you go and perform the lab yourself, as I do not fully go into the details of the lab, and there's valuable information from that lab that is missing in this lecture.
So the FTK Imager software is created by AccessData. FTK Imager is a whole suite of different tools. It has data previewing of a data source and then imaging tools used to acquire data evidence in a forensically sound manner. It creates copies of the data without making changes to the original data, which is very important in a forensic investigation.
Some of the features that you can find in FTK Imager are the creation of forensic images, the ability to view files and folders, review the contents within these files and folders, mount an image for read-only view, and then generate hash values of files and generate your hash reports.
In the demo, I skipped the initial steps, which is why it's very important to go into the lab yourself and familiarize yourself with the full process. Before the lab starts, in the Windows 7 virtual machine, I used this image to create a partition of the C drive and create a new partition, the E drive. I extract FTK Imager Lite and move it into the E drive, and then I open up FTK Imager within the E drive.
So here we are in our Windows virtual machine. I've opened up the E drive to the FTK Imager folder, and I'm going to proceed with opening up the FTK Imager application.
So now the application is open. This is your first view of FTK Imager when you open the application, for version 3.1.1.8. We're going to go to the top left and add a new data source.
So now we're going to go to File and click on Create Disk Image.
Once we've opened up the Create Disk Image wizard, we're going to get a pop-up that asks us to select our source evidence type. We're going to select Image. I move on to the next screen, in which we select our C drive, which is our NTFS, and click Finish.
And now we've identified our image source, and we're going to set where the image is going to be created. So this is going to be our destination. We're going to select Add, and this time we're going to use E01, and click Next.
If you were doing an actual investigation, you would have these values. For this demo, I'm not populating any of these values, but you'll see later how populating these values affects the image summary report that you get. You can just copy and paste that into your investigation report. This helps kind of format the data you're about to get and allows you to section off your report if you're using different forensics tools, so that you can talk about your different steps for each tool.
So we're just going to leave the values blank and set the destination folder to the E drive, within the Image Investigation directory. We're going to name the file; we named the file "C Drive", and click Finish, leaving everything else default, and we're going to start the process.
Once the image processing starts, it could take a few minutes to a couple of hours. Nothing should be written during this time, so we're going to go ahead and, using video editing, skip to the end.
So here we are towards the end of the process. As you can see, the elapsed time is five minutes and 22 seconds, with six seconds remaining. We can see that the time remaining drops, and once the imaging process completes, it pops up a window with your verification results, so you don't have to actually go searching for these. The application reveals this kind of information at the end, so you can get your hash values, such as your MD5 and your SHA1.
And then there's more information below. For this report, it's storing a verified hash and then the computed hash. These values are typically the same in your verification results, so it shows that the one that we stored, the one we're reporting, and the one we computed are all the same. And in these final results, you also get the name, the number of sectors for this drive, and, if available, a bad sector list.
Go ahead and close. Before we close this window, if you look on the left, we have Image Summary.
So now your image summary. As I said earlier, if we had populated the case number, evidence number, and so on, those values would have been displayed above. This could have been copied and pasted over to your report, and it even tells you, within the image summary, what application was used, how it was acquired, and the version number of the application. You have information on where the destination was, so we had set the destination to be E:\Image Investigation, and then we named the file "C Drive". Some of the more physical evidence of that device: it gives device information, such as what the source type is, the geometry of the drive, so bytes per sector and our sector count, and the computed hash. Some of the more physical information, such as removable drive if it's available, source data size and sector count.
Scrolling to the bottom, we get our computed hash and some of the image information. Based on the breakdown of this image, it gives you a compressed object of the image. However, the image is composed of five different .E0x segment files, as you can see within the segment list.
And then the report also gives you a start and finish of when this was performed. So in today's lecture, we talked about the Image Forensics Capstone Lab available on Cybrary.it, reviewed the FTK Imager product, and went over the initial steps of the Cybrary lab before the start of the demo. Within the demo, we've imaged a partition using FTK and verified that the image hashes matched at the end. I hope you enjoyed today's video, and I'll catch you in the next one.
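The verification step the demo ends on (stored hash versus computed hash, plus the sector count from the drive geometry) can be reproduced outside FTK Imager. The script below is an added example and is not part of the Cybrary lab or AccessData's FTK Imager; it assumes a split raw (dd-style) image such as cdrive.001, cdrive.002, ... rather than the compressed .E01 segments the demo produces, because reading E01 containers needs a libewf-style reader. The function names (find_segments, hash_image, verify_image) and the constructed three-segment sample image are made up for the example; the check itself is the same one FTK reports, with a deliberately altered byte showing what a verification failure looks like.

```python
"""Re-create FTK Imager's verification step for a segmented raw image.

Added example, not Cybrary's lab material or AccessData's code. It assumes a
split raw image (name.001, name.002, ...) instead of the .E01 set the demo
creates. The check is the same one FTK prints at the end of acquisition:
hash the acquired data from start to end, compare against the hashes stored
at acquisition time, and report the sector count.
"""
import hashlib
import os
import re
import tempfile

SECTOR_SIZE = 512  # bytes per sector, as shown under "Drive Geometry"


def find_segments(first_segment):
    """Return the ordered segment list for a split raw image (name.001, .002, ...)."""
    directory, name = os.path.split(first_segment)
    stem, ext = os.path.splitext(name)
    if not re.fullmatch(r"\.\d+", ext):
        return [first_segment]  # single, unsegmented image
    pattern = re.compile(re.escape(stem) + r"\.(\d+)$")
    found = []
    for entry in os.listdir(directory or "."):
        match = pattern.match(entry)
        if match:
            found.append((int(match.group(1)), os.path.join(directory, entry)))
    return [path for _, path in sorted(found)]


def hash_image(segments, chunk_size=1 << 20):
    """Stream every segment through MD5 and SHA1 and count whole sectors."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    for path in segments:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                md5.update(chunk)
                sha1.update(chunk)
                total += len(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "bytes": total, "sector_count": total // SECTOR_SIZE}


def verify_image(first_segment, stored_md5, stored_sha1):
    """Compare the stored (acquisition-time) hashes with freshly computed ones."""
    segments = find_segments(first_segment)
    computed = hash_image(segments)
    md5_ok = stored_md5.lower() == computed["md5"]
    sha1_ok = stored_sha1.lower() == computed["sha1"]
    return {
        "segments": [os.path.basename(s) for s in segments],
        "sector_count": computed["sector_count"],
        "md5": {"stored": stored_md5.lower(), "computed": computed["md5"], "match": md5_ok},
        "sha1": {"stored": stored_sha1.lower(), "computed": computed["sha1"], "match": sha1_ok},
        "verified": md5_ok and sha1_ok,
    }


def make_constructed_image(directory, segments=3, sectors_per_segment=4):
    """Write a small deterministic split image (constructed sample data).

    Returns the first segment path and the MD5/SHA1 that an imaging tool would
    have stored at acquisition time.
    """
    md5, sha1, first = hashlib.md5(), hashlib.sha1(), None
    for i in range(1, segments + 1):
        path = os.path.join(directory, f"cdrive.{i:03d}")
        data = bytes((i * 37 + s) % 256 for s in range(SECTOR_SIZE * sectors_per_segment))
        with open(path, "wb") as fh:
            fh.write(data)
        md5.update(data)
        sha1.update(data)
        first = first or path
    return first, md5.hexdigest(), sha1.hexdigest()


def run_demo(tamper=False):
    """Acquire a constructed image, optionally alter one byte, then verify it."""
    with tempfile.TemporaryDirectory() as workdir:
        first, stored_md5, stored_sha1 = make_constructed_image(workdir)
        if tamper:  # simulate post-acquisition modification of the second segment
            with open(os.path.join(workdir, "cdrive.002"), "r+b") as fh:
                fh.seek(10)
                original = fh.read(1)
                fh.seek(10)
                fh.write(bytes([original[0] ^ 0xFF]))
        return verify_image(first, stored_md5, stored_sha1)


if __name__ == "__main__":
    for label, result in (("intact", run_demo()), ("tampered", run_demo(tamper=True))):
        print(label, "verified:", result["verified"], "sectors:", result["sector_count"])
        print("  MD5  stored/computed:", result["md5"]["stored"], result["md5"]["computed"])
        print("  SHA1 stored/computed:", result["sha1"]["stored"], result["sha1"]["computed"])
```

A real FTK E01 set is verified with the stored hashes FTK writes into the container; the logic above applies unchanged once the segments are decompressed, which is why the report's segment list matters: a missing or reordered segment changes the computed hash exactly as the tampered byte does here.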