Part 10 - Formatting a disk for Incident Response

Video Activity

This lab-based lesson continues where the previous lesson left off. Participants receive step-by-step instructions on how to format a disk that is used in the forensics process for incident response.


Time
7 hours 56 minutes
Difficulty
Advanced
CEU/CPE
7

Video Transcription
00:03
>> After we finish wiping the device,
00:03
we're going to have to format it.
00:03
The next step of the process is to go
00:03
>> to our file viewer.
00:03
>> We're going to find our thumb drive.
00:03
It's going to tell us we need to
00:03
format it so we can format it.
00:03
From here, you will see that
00:03
it's 57.8 gigabyte capacity.
00:03
The file system it's going to give you
00:03
options between exFAT and NTFS.
00:03
Leave it at exFAT, or FAT if given the option,
00:03
that way you can use your device across
00:03
multiple operating systems, and not just
00:03
limit yourself to one operating system.
00:03
You can leave the allocation unit
00:03
as the default setting,
00:03
the volume name, if you want to name your device,
00:03
[NOISE] you can name
00:03
it and then leave the quick format setting as it is.
00:03
Click "Start." [NOISE] It's going to
00:03
tell you that you're going to
00:03
erase all the data on the disk,
00:03
but we've already erased all of the data on
00:03
the disk. We can hit "Okay."
00:03
[NOISE] The format is complete.
00:03
We'll hit "Close."
00:03
We can see here now that we have
00:03
a forensic thumb drive, and
00:03
our drive letter E. From here,
00:03
if you want to verify exactly what is on your device,
00:03
you can go to the AccessData FTK Imager.
00:03
[NOISE] Just click through those prompts.
00:03
Go to File.
00:03
You're going to add an evidence item.
00:03
It's going to be a physical drive,
00:03
and we're going to scroll to the location of our drive.
00:03
It's going to be the SanDisk Ultra USB 62 gigabyte.
00:03
We're going to click "Finish."
00:03
Then it's mounted our device.
00:03
From here, you can see that the first part of
00:03
this is giving you information
00:03
about the file system on the device,
00:03
and then as we scroll down a little bit more,
00:03
you can see that there's actually
00:03
a little bit of data left on there.
00:03
If we'd probably let it run more,
00:03
it would have gotten rid of that.
00:03
But then the rest of the device
00:03
I've actually formatted it
00:03
before is all zeros.
00:03
We can see that the device has been wiped.
00:03
From here, the next part of the process is to
00:03
actually ensure that we have all
00:03
of the write blocking technology setup, and
00:03
ready to go before we start inserting
00:03
any of the seized media
00:03
into our forensic machine, and we begin imaging it.
00:03
That way we can ensure that we're not going
00:03
to write data to
00:03
the seized media, and contaminate
00:03
and taint the evidence that we've seized,
00:03
which would essentially render all of it useless.
00:03
The whole part of forensics and digital forensics
00:03
is to preserve the evidence in its original state.
00:03
That way, we can look at
00:03
an exact copy, and duplicate of that evidence.
00:03
In order to ensure that
00:03
we're going to preserve that evidence,
00:03
we have to install some type of write
00:03
blocking technology on our forensic system.
00:03
That could be that hardware write blocker
00:03
>> that's in line
00:03
>> with that device that you've
00:03
seized, or it could be a software write blocker.
00:03
As we've discussed, we're going to
00:03
use the USB Write Blocker,
00:03
so we will click on that.
00:03
From here you're going to come to
00:03
a screen that says hit one to
00:03
enable the USB write blocker, and hit
00:03
two to disable the USB write blocker,
00:03
>> and three to exit.
00:03
>> We want to enable the write blocker,
00:03
so we're going to type one, and then hit "Enter."
00:03
[NOISE] Then you're going
00:03
to get these pop-ups if you haven't
00:03
turned this thing off on Windows, just click "Yes."
00:03
Then it's going to tell you to type
00:03
>> any key to continue.
00:03
>> Now we've continued.
00:03
As you can see at the top of the status notification,
00:03
the USB Write Blocker is on.
00:03
Now, we haven't taken out
00:03
the drive that we just forensically wiped.
00:03
You will be able to write to that device.
00:03
However, any other
00:03
device that you insert into the system,
00:03
you will not be able to write to that device.
00:03
Just as an example,
00:03
don't do this in the field.
00:03
But as an example that you can write
00:03
data to your device,
00:03
I'm just going to drag the EnCase Imager over here,
00:03
and just click yes through that.
00:03
As you can see, I was able to copy
00:03
the EnCase Forensic Imager to our drive.
00:03
It is not write block enabled.
00:03
We can get rid of that EnCase program, delete it off.
00:03
Then once we have the write blocking
00:03
>> software turned on,
00:03
>> we are ready to insert our seized media.
00:03
In this case, we're going to be
00:03
using a seized thumb drive.
00:03
However, before we begin inserting the media into
00:03
our forensic machine for capturing the data,
00:03
we want to record any type
00:03
of specifics about this device.
00:03
When you're on the scene of your investigation,
00:03
before you start picking up
00:03
any media and before you start
00:03
doing your actual duplication of the media,
00:03
you're going to want to
00:03
denote in your notes what type of device that you have,
00:03
and you're also going to want to take
00:03
a picture of where the device was
00:03
found, and also record that in your notes.
00:03
That way, whoever comes behind you,
00:03
if you have to go to court,
00:03
can see exactly what it is that you did.
00:03
If you found this thumb drive beside the laptop,
00:03
you would first want to take a picture
00:03
of where you found it, and then record it in
00:03
your notes that you photographed
00:03
a thumb drive, and
00:03
the exact location of where that drive was located.
00:03
Then you're going to want to record
00:03
the description of the device.
00:03
In our case, I have a gray Cruzer
00:03
Titanium 2.0 gigabyte
00:03
thumb drive created by SanDisk.
00:03
Then of course on the back you're
00:03
going to have a serial number,
00:03
and that's where your magnifying glass
00:03
and flashlight would come in handy.
00:03
This device serial number is Bravo Echo, 0160acbb.
00:03
You would want to put that in your notes that this is
00:03
the device that you
00:03
recovered from the scene
00:03
and the device that you're imaging.
00:03
After you have all of that recorded in your notes,
00:03
you can then begin the imaging process.
00:03
From here we're going to insert
00:03
the device into our forensic machine.
00:03
[NOISE] We're going to get some pop-ups.
00:03
It has popped up as drive letter G. As we can see,
00:03
we've got some files on our drive letter
00:03
G and that write blocking software should be enabled.
00:03
Now just as a test, and
00:03
demonstration purposes for this video,
00:03
I'm going to try and write a file to
00:03
drive letter G. Do not try this in the field again,
00:03
you want to preserve evidence, and not
00:03
taint or destroy the evidence in any way possible.
00:03
But to show you that the write blocker is working,
00:03
we're just going to try and move
00:03
a file or program over to it.
00:03
We'll just drag something over there,
00:03
and then it's going to tell you that
00:03
the disk is write protected.
00:03
Remove the write protection or use
00:03
another disk so we'll just hit cancel.
00:03
As you can see, the write protection is on,
00:03
>> and enabled.
00:03
>> If you have concerns about
00:03
your software or hardware before you actually
00:03
get out to the scene and start doing
00:03
your incident response and forensic examination,
00:03
you should test out your software, or
00:03
hardware to ensure that it works.
00:03
As you can see from this demonstration,
00:03
the write blocking software is on, and we
00:03
cannot alter the data that is on drive letter G.