So now that we know that our write-blocking software works,
we can begin the actual imaging of our device. We'll close the drive letter G
window, and we're going to go back to FTK Imager. Of course, you can also use EnCase Imager. Either one of these programs will work just fine for imaging a device. So just for demonstration purposes, I'll show you how to use the
FTK Imager. So again, just double-click through any prompts that you're going to receive
from the AccessData FTK Imager screen.
We're going to click file
and then we're going to create a disk image.
our thumb drive. So it is a physical drive
and we're going to click next.
And then it's going to ask us about the source that we want to image. So, drive letter zero, that is my computer's hard drive,
drive one, that is the device we just formatted,
and then drive two, that is our SanDisk U3 Titanium device.
So we're going to click that
and then we're going to select then.
So from here, you can see where it's going to start imaging from. We now have to select the image destination, so we're going to click Add.
It gives you different types of file systems that you can create. So the E01 file system or the raw file system, SMART or AFF file system. Just for the purposes of this video, we're going to use the raw dd format because pretty much
every piece of forensic software out there
can at least look at the raw dd format.
So from here we'll click Next.
And then it's going to ask you evidence item information. So case number. If you happen to have an incident number, case number that you have, you can enter that in here. So for our purposes, we're just going to enter 1234. But if you have something specific that you're working on, you should enter that.
The next item that you're going to come across is your evidence number.
So depending on what type of
evidence or how much evidence you have, uh, you may have 1, 2, 3, 4 pieces of evidence, and they should be listed in your notes, and the evidence item information should correspond to your notes. This is the only piece of evidence that we have.
We're going to select
one as our evidence number.
And then it's going to ask us for a unique description so we can make that description just exactly what, like we saw on our notes. So it is the sand
and then the examiner's name
and then any other type of notes that you want to take
And then from here, we're going to click next.
And then it's going to ask us about the image destination folder.
So we're going to browse,
and then we're going to find our forensic thumb drive.
is going to give you an image file name
Cruzer. We can call it titanium.
Leave the image fragment size at 1500. We don't need to use AD Encryption, so just leave that unchecked.
And then from here, click Finish.
Down at the very bottom, you want to verify the images after they are created,
you can leave everything else checked,
and then click Start.
Then, from here, you can see a progress tab of what's going on
and then it will give you an estimated time left. Since this is only a two gigabyte drive, it should not take that long.
But to spare you the waiting process, I will pause and we will come back when it is finished.
So from here we can see that our AccessData FTK Imager finished its process.
So the name of the file was the SanDisk Titanium, two point gigabyte
It appended the .001 as the file name.
It provides the sector size,
and then it computes the MD5 hash. So the computed hash is here,
and then the reported hash is here. So this is our,
ah, device that we've seized and inserted. And this is the information that is contained
on our forensic drive, and you can see that it does match.
It also provides a SHA-1,
and those again match. And if there were any bad sectors listed, it would show them here. And there are in fact no bad sectors.
And then you can see here down at the bottom, the verify results: the hash computed during acquisition matches the hash computed during verification, the image data is unchanged. So now we have created an exact image
of the SanDisk Cruzer device onto our forensic thumb drive.
So from this point, we can close out
this image and verify results,
and then from here, if you wanted to see what's on your device, you could go back and file
It is a physical drive. Scroll down to our SanDisk ultra, where we have the file, and Finish, and you can see that now we have
and we can also navigate back to our
forensic thumb drive. We will refresh this,
and you can see that we do have two file systems on the device. It started out with SanDisk Titanium, the first file system,
1.46 gigabytes. And then it created a second file system,
453 megabytes. So those are images
of that device, and then it gave us a nice text document,
and this text document here again shows everything from the output
of the F T K imaging process.
So it will have everything here, and you can take this and you can copy this and put it into your notes. So it does include the start time, the finish time, the segments that it created, and it has the MD5 hashes.
So all of the pertinent information is here that you're going to want in your notes for the acquisition process.
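An independent re-check of the verification step described above, as an added example that is not part of the video or of FTK Imager: it streams the raw segments (.001, .002, ...) in order, recomputes MD5 and SHA-1 over the whole image, and compares them with the values copied into the case notes. The file name `titanium.001`, the function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream 1 MiB at a time; images can be larger than RAM


def find_segments(first_segment):
    """Return name.001, name.002, ... in order, stopping at the first gap."""
    first = Path(first_segment)
    if not re.fullmatch(r"\.\d{3}", first.suffix):
        raise ValueError("expected a segment name ending in .001")
    segments, n = [], 1
    while (seg := first.with_suffix(f".{n:03d}")).is_file():
        segments.append(seg)
        n += 1
    if not segments:
        raise FileNotFoundError(str(first))
    return segments


def hash_segments(segments):
    """Hash the segments as one byte stream (raw segments concatenate to the source)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for seg in segments:
        with open(seg, "rb") as fh:
            while chunk := fh.read(CHUNK):
                md5.update(chunk)
                sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(first_segment, noted_md5, noted_sha1):
    """Compare recomputed hashes with the values recorded in the case notes."""
    segments = find_segments(first_segment)
    md5, sha1 = hash_segments(segments)
    return {"segments": [s.name for s in segments], "md5": md5, "sha1": sha1,
            "md5_match": md5 == noted_md5.strip().lower(),
            "sha1_match": sha1 == noted_sha1.strip().lower()}


if __name__ == "__main__":
    # Constructed stand-in for a two-segment raw image (not real evidence).
    data = bytes(range(256)) * 40
    work = Path(tempfile.mkdtemp())
    (work / "titanium.001").write_bytes(data[:6000])
    (work / "titanium.002").write_bytes(data[6000:])
    noted = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
    print(verify_image(work / "titanium.001", *noted))
```

A missing or altered segment shows up as a hash mismatch, because the recomputed stream no longer equals what was acquired.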
So this part of the video
covered the acquisition of media from a
thumb drive or some type of external device. Umm, the process is pretty similar
a drive from a PC or some type of computer system.
However, the process that we left out, that's going to be different from acquisition of some type of external media source, is that a PC, especially if it's in a power-on state,
is going to have some type of virtual memory within that PC.