Time
7 hours 36 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lab-based lesson offers step-by-step instructions on how to use the FTK Imager software. It is used here to create a disk image of a thumb drive, which is an important step in data collection when responding to an incident.
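The acquisition the description refers to has a fixed shape, whatever tool performs it: read the write-blocked device front to back, write the raw (dd) image in numbered fragments (.001, .002, ...), hash the data stream while it is being read, then re-read the fragments and hash them again so the computed and verified hashes can be compared and logged. The Python below is an added example for this page, not FTK Imager or AccessData code and not part of the video; it implements that same pattern, including zero-filling and recording unreadable sectors. The in-memory device, its bad sector, the 512-byte sector size, the tiny fragment size and the file names are constructed assumptions for the demonstration; a real run would open the write-blocked physical device instead.

```python
"""Segmented raw (dd) acquisition with acquisition and verification hashing.

Added example for this lab page; not FTK Imager / AccessData code. The device,
its bad sector, the sector size and the fragment size are constructed
assumptions so the script runs offline.
"""
import hashlib
import io
import os
import tempfile

SECTOR_SIZE = 512                      # assumed; FTK prints the real value in its log
DEFAULT_FRAGMENT = 1500 * 1024 * 1024  # FTK Imager's default 1500 MB fragment size


class FakeDevice(io.BytesIO):
    """Constructed stand-in for a raw device; reads touching a bad sector raise OSError."""

    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.bad = set(bad_sectors)

    def read(self, size=-1):
        start = self.tell()
        end = len(self.getvalue()) if size < 0 else min(start + size, len(self.getvalue()))
        if any(start <= s * SECTOR_SIZE < end for s in self.bad):
            raise OSError("I/O error")
        return super().read(size)


def acquire(src, dest_base, fragment_size=DEFAULT_FRAGMENT, chunk=1024 * 1024):
    """Image src into dest_base.001, .002, ... (at most fragment_size bytes each).
    Returns segment paths, byte count, bad sectors and the acquisition hashes."""
    assert chunk % SECTOR_SIZE == 0 and fragment_size % SECTOR_SIZE == 0
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    segments, bad_sectors = [], []
    offset, out, out_len = 0, None, 0
    while True:
        src.seek(offset)
        try:
            data = src.read(chunk)
        except OSError:
            # Retry the chunk one sector at a time; zero-fill sectors that still fail.
            data = b""
            for _ in range(chunk // SECTOR_SIZE):
                src.seek(offset + len(data))
                try:
                    sector = src.read(SECTOR_SIZE)
                except OSError:
                    bad_sectors.append((offset + len(data)) // SECTOR_SIZE)
                    sector = b"\0" * SECTOR_SIZE
                if not sector:
                    break
                data += sector
        if not data:
            break
        md5.update(data)
        sha1.update(data)
        pos = 0
        while pos < len(data):  # a chunk may spill across a fragment boundary
            if out is None or out_len == fragment_size:
                if out:
                    out.close()
                path = f"{dest_base}.{len(segments) + 1:03d}"
                segments.append(path)
                out, out_len = open(path, "wb"), 0
            piece = data[pos:pos + fragment_size - out_len]
            out.write(piece)
            out_len += len(piece)
            pos += len(piece)
        offset += len(data)
    if out:
        out.close()
    return {"segments": segments, "bytes": offset, "bad_sectors": bad_sectors,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify(segments):
    """Verification pass: re-read the fragments in order and hash what was written."""
    md5, sha1, n = hashlib.md5(), hashlib.sha1(), 0
    for path in segments:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(1024 * 1024), b""):
                md5.update(block)
                sha1.update(block)
                n += len(block)
    return {"bytes": n, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def acquisition_log(acq, ver):
    """Return (match, text): a record in the spirit of FTK Imager's .txt log."""
    ok = all(acq[k] == ver[k] for k in ("bytes", "md5", "sha1"))
    lines = [f"Sector size: {SECTOR_SIZE}", f"Bytes acquired: {acq['bytes']}",
             "Image fragments: " + ", ".join(os.path.basename(p) for p in acq["segments"]),
             f"Bad sectors: {acq['bad_sectors'] or 'none'}",
             f"[Computed] MD5  {acq['md5']}", f"[Verified] MD5  {ver['md5']}",
             f"[Computed] SHA1 {acq['sha1']}", f"[Verified] SHA1 {ver['sha1']}",
             "Verify results: " + ("hashes match, image data is unchanged" if ok
                                   else "MISMATCH, image data has changed")]
    return ok, "\n".join(lines)


def demo():
    """Run the constructed scenarios (clean, tampered fragment, bad sector)."""
    data = bytes(range(256)) * 12  # 3072 bytes = 6 sectors of constructed content
    tmp = tempfile.mkdtemp()
    acq = acquire(FakeDevice(data), os.path.join(tmp, "SanDisk_Cruzer_Titanium_2GB"),
                  fragment_size=1024, chunk=1024)
    clean_ok, log = acquisition_log(acq, verify(acq["segments"]))
    with open(acq["segments"][1], "r+b") as f:  # tamper with one byte of fragment .002
        f.seek(5)
        f.write(b"\xff")
    tampered_ok, _ = acquisition_log(acq, verify(acq["segments"]))
    bad = acquire(FakeDevice(data, bad_sectors={3}), os.path.join(tmp, "bad"),
                  fragment_size=2048, chunk=2048)
    return {"segments": len(acq["segments"]), "md5": acq["md5"],
            "expected_md5": hashlib.md5(data).hexdigest(), "clean_ok": clean_ok,
            "tampered_ok": tampered_ok, "bad_sectors": bad["bad_sectors"],
            "bad_md5": bad["md5"],
            "bad_expected_md5": hashlib.md5(data[:1536] + b"\0" * 512 + data[2048:]).hexdigest(),
            "bad_verified": verify(bad["segments"])["md5"] == bad["md5"], "log": log}


if __name__ == "__main__":
    print(demo()["log"])
```

Two points the code makes that the GUI hides: the acquisition hash is taken over the bytes actually written (bad sectors included as zeros), so a later verification can only confirm that the image is unchanged since acquisition, not that the zero-filled sectors held anything in particular; and a single byte changed in one fragment is enough for the verification pass to report a mismatch, which is why the verify step after imaging should never be skipped.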

Video Transcription

00:04
So now that we know that our write-blocking software works,
00:08
we can begin the actual imaging of our device. We'll close the drive letter G
00:15
window, and we're going to go back to FTK Imager. Of course, you can also use EnCase Imager. Either one of these programs will work just fine for imaging a device. So just for demonstration purposes, I'll show you how to use the
00:32
FTK imaging software. Again, just double-click through any prompts that you're going to receive
00:40
from the AccessData FTK Imager screen.
00:43
We're going to click File
00:46
and then we're going to Create Disk Image.
00:49
Um,
00:51
our thumb drive. So it is a physical drive,
00:55
and we're going to click Next.
00:59
And then it's going to ask us about the source that we want to image. So, drive zero, that is my computer's hard drive,
01:11
drive one, that is the device we just formatted,
01:15
and then drive two, that is our SanDisk U3 Titanium device,
01:19
two-gigabyte USB.
01:23
So we're going to click that
01:26
and then we're going to select Finish.
01:29
So from here, you can see where it's going to start imaging from. We now have to select the image destination. We're going to click Add.
01:40
It gives you different types of file systems that you can create: the E01 file system, the raw file system, SMART, or the AFF file system. Just for the purposes of this video, we're going to use the raw (dd) format because pretty much
01:57
every piece of forensic software out there,
02:00
uh
02:02
can at least look at the raw dd format.
02:07
So from here we'll click Next.
02:10
And then it's going to ask you for evidence item information. So, case number: if you happen to have an incident number or case number, you can enter that in here. So for our purposes, we're just going to enter 1234. But if you have something specific that you're working on, you should enter that
02:30
in that block.
02:31
The next item that you're going to come across is your evidence number.
02:36
So depending on what type of
02:38
evidence or how much evidence you have, uh, you may have 1, 2, 3, 4 pieces of evidence, and they should be listed in your notes, and the evidence item information should correspond to your notes. This is the only piece of evidence that we have.
02:54
We're going to select
02:57
one as our evidence number.
02:59
And then it's going to ask us for a unique description, so we can make that description exactly like what we saw in our notes. So it is the SanDisk
03:08
U3
03:12
Titanium,
03:16
two gigabytes,
03:19
and then the examiner's name,
03:23
and then any other type of notes that you want to take.
03:29
And then from here, we're going to click next.
03:34
And then it's going to ask us about the image destination folder.
03:39
So we're going to browse,
03:43
and then we're going to find our forensic thumb drive.
03:46
Click OK.
03:47
It's going to give you an image file name,
03:51
so we can say
03:53
SanDisk,
03:54
yes,
03:59
Cruzer. We can call it Titanium,
04:06
two gigabytes.
04:11
Leave the image fragment size at 1500. We don't need to use AD encryption, so just leave that unchecked.
04:20
And then from here, click Finish,
04:26
and then
04:27
down at the very bottom, you want to verify the images after they are created.
04:31
You can leave everything else checked,
04:34
and then click Start.
04:39
Then, from here, you can see a progress tab of what's going on.
04:44
It shows elapsed time,
04:46
and then it will give you an estimated time left. Since this is only a two-gigabyte drive, it should not take that long.
04:56
But to spare you the waiting process, I will pause and we will come back when it is finished.
05:03
So from here we can see that our AccessData FTK Imager finished its process.
05:12
So the name of the file was the SanDisk Titanium 2.0 gigabyte
05:17
file system.
05:18
It appended the .001 to the file name.
05:25
It provides the sector size,
05:28
and then it computes the MD5 hash. So the computed hash is here,
05:34
and then the reported hash is here. So this is our,
05:39
ah, device that we've seized and inserted, and this is the information that is contained
05:45
on our forensic drive, and you can see that it does match.
05:50
It also provides a SHA-1,
05:53
and those again match. If there were any bad sectors listed, it would show them here, and there are, in fact, no bad sectors.
06:04
And then you can see here down at the bottom the verify results: the hash computed during acquisition matches the hash computed during verification; the image data is unchanged. So now we have created an exact image
06:18
of the SanDisk Cruzer device onto our forensic thumb drive.
06:26
So from this point, we can close out
06:29
of the, uh,
06:31
this image and verify results,
06:35
close, close,
06:40
and then from here, if you wanted to see what's on your device, you could go back to File,
06:46
Add Evidence Item.
06:46
It is a physical drive. Scroll down to our SanDisk Ultra, where we have the file, and Finish, and you can see that now we have
06:59
data
07:00
on the device,
07:02
and we can also navigate back to our
07:06
forensic thumb drive. We will refresh this,
07:13
and you can see that we do have two file systems on the device. It started out with SanDisk Titanium, the first file system, 1.46
07:25
gigabytes, and then it created a second file system,
07:29
453 megabytes. So those are images
07:33
of that device, and then it gave us a nice text document,
07:40
and this text document here again shows everything from the output
07:45
of the FTK imaging process.
07:47
So it will have everything here, and you can take this and copy it and put it into your notes. So it does include the start time, the finish time, the segments that it created, and the MD5 hashes.
08:05
So all of the pertinent information is here that you're going to want in your notes for the acquisition process.
08:16
So this part of the video
08:18
covered the acquisition of media from a
08:22
thumb drive or some type of external device. Umm, the process is pretty similar
08:30
to doing a
08:33
a drive from a PC or some type of computer system.
08:37
However, the process that we left out is going to be different from the acquisition of some type of external media source in that a PC, especially if it's in a powered-on state,
08:50
is going to have some type of virtual memory within that PC.

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor