Part 11 - Using the FTK Imaging Software

Video Activity

This lab based lesson offers step by step instructions in how to use the FTK Imaging Software. This is used to create a disk image of a thumb drive which is an important step in data collection when responding to an incident.

Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
7 hours 56 minutes
Difficulty
Advanced
CEU/CPE
7
Video Description

This lab based lesson offers step by step instructions in how to use the FTK Imaging Software. This is used to create a disk image of a thumb drive which is an important step in data collection when responding to an incident.

Video Transcription
00:03
>> Now that we know that our
00:03
>> write blocking software works,
00:03
>> we can begin the actual imaging of our device.
00:03
We'll close the drive letter G window
00:03
and we're going to go back to FTK Imager.
00:03
Of course, you can also use EnCase imager.
00:03
Either one of these programs
00:03
will work just fine for imaging device.
00:03
Just for demonstration purposes,
00:03
I'll show you how to use the FTK imaging software.
00:03
Again, just double-click through
00:03
any prompts that you're going to receive.
00:03
From our AccessData FTK Imager screen,
00:03
we're going to click "File",
00:03
and then we're going to create
00:03
a disk image of our thumb drive.
00:03
It is a physical drive.
00:03
We're going to click "Next".
00:03
Then it's going to ask us about
00:03
the source that we want to image.
00:03
Drive letter 0, that is my computer's hard drive.
00:03
Drive 1, that is the device we just formatted.
00:03
Then Drive 2,
00:03
that is our SanDisk U3 Titanium device,
00:03
>> two gigabyte USB.
00:03
>> We're going to click that.
00:03
Then we're going to select "Finish".
00:03
From here you can see where it's
00:03
going to start imaging from.
00:03
We now have to select the image destinations.
00:03
We're going to click "Add",
00:03
it gives you different types of
00:03
file systems that you can create.
00:03
The EO1 file system or the raw file system,
00:03
smart or AFF file system.
00:03
Just for the purposes of this video,
00:03
we're going to use the raw DD format
00:03
because pretty much every piece of forensic software
00:03
out there can at least look at the raw DD format.
00:03
From here, we'll click "Next".
00:03
Then it's going to ask you evidence item information.
00:03
Case number, if you happen to have
00:03
an incident number or case number that you have,
00:03
you can enter that in here.
00:03
For our purposes, we're just going to enter 1234.
00:03
But if you have
00:03
something specific that you're working on,
00:03
you should enter that in that block.
00:03
The next item that you're going to
00:03
come across is your evidence number.
00:03
Depending on what type of
00:03
evidence and how much evidence you have,
00:03
you may have 1, 2, 3, 4 pieces of evidence
00:03
>> and they should be listed in your notes.
00:03
>> The evidence item information
00:03
should correspond to your notes.
00:03
This is the only piece of evidence that we have.
00:03
We're going to select one as our evidence number.
00:03
Then it's going to ask us for a unique description,
00:03
so we can make that description just
00:03
exactly like we saw on our notes.
00:03
It is the SanDisk U3 Titanium,
00:03
two gigabyte, and then the examiner's name,
00:03
and then any other type of notes that you want to take.
00:03
Then from here, we're going to click "Next".
00:03
Then it's going to ask us about
00:03
the image destination folder.
00:03
We're going to browse
00:03
and then we're going to find our forensic thumb drive.
00:03
We'll click "Okay".
00:03
It's going to give you an image file name.
00:03
We can say SanDisk Cruzer,
00:03
or we can call it titanium,
00:03
>> two gigabytes.
00:03
>> Leave the image fragment size at 1500.
00:03
We don't need to use a de-encryption,
00:03
so just leave that unchecked.
00:03
Then from here, click "Finish".
00:03
Then down at the very bottom,
00:03
you want to verify the images after they are created.
00:03
You can leave everything else
00:03
unchecked and then check start.
00:03
Then from here, you can see
00:03
a progress tab of what's going on.
00:03
It will show elapsed time and
00:03
then it will give you an estimated time left.
00:03
Since this is only a two-gigabyte drive,
00:03
it should not take that long.
00:03
But to spare you the waiting process,
00:03
I will pause and we will come back when it is finished.
00:03
From here, we can see that
00:03
our access data FTK imager finished its process.
00:03
The name of the file was
00:03
the SanDisk Titanium two point gigabyte file system.
00:03
It upended the .001,
00:03
is the file name.
00:03
It provides the sector size,
00:03
and then it computes the MD5 hash.
00:03
The computed hash is here,
00:03
and then the reported hash is here.
00:03
This is our device
00:03
that we've ceased and inserted and this is
00:03
the information that is contained on
00:03
our forensic drive and we can see that it does match.
00:03
It also provides SHA-1 and those again match.
00:03
Then if there were any bad sectors requested,
00:03
it would show them here.
00:03
There are in fact no bad sectors.
00:03
Then you can see here down at
00:03
the bottom the verified result,
00:03
the hash computed during acquisition
00:03
matches the hash computed during verification,
00:03
the image data is unchanged.
00:03
Now we have created an exact image of
00:03
the SanDisk Cruzer device
00:03
>> onto our forensic thumb drive.
00:03
>> From this point, we can close out of
00:03
the disk image and verify results.
00:03
We'll click "Close" and then from here,
00:03
if you wanted to see what's on your device,
00:03
you could go back and click "File", add evidence item.
00:03
It is a physical drive,
00:03
or scroll down to our SanDisk Ultra,
00:03
where we have the file, and we'll click "Finish".
00:03
You can see that now we have data on the device.
00:03
We can also navigate back to our forensic thumb drive.
00:03
We will refresh this.
00:03
You can see that we do
00:03
have two file systems on the device.
00:03
Started out with SanDisk titanium,
00:03
the first file system,
00:03
it's 1.46 gigabytes, and then it created
00:03
a second file system, 453 megabytes.
00:03
Those are images of that device.
00:03
Then it gave us a nice text document.
00:03
This text document here, again,
00:03
shows everything from the output
00:03
of the FTK imaging process.
00:03
It will have everything here,
00:03
and you can take this and you can
00:03
copy this and put into your notes.
00:03
It does include the start time,
00:03
the finish time, the segments that it created,
00:03
it has the MD5 hashes.
00:03
All of the pertinent information is here
00:03
>> that you're going to want in your notes
00:03
>> for that acquisition process.
00:03
>> This part of the video covered the acquisition of
00:03
media from a thumb drive
00:03
>> or some type of external device.
00:03
>> The process is pretty similar to doing
00:03
a drive from a PC or some type of computer system.
00:03
However, the process that we left out,
00:03
and it's going to be different from
00:03
acquisition of some type of
00:03
external media source is that a PC,
00:03
especially if it's in a power-on state,
00:03
is going to have some type of
00:03
virtual memory within that PC.
Up Next