Forensic Acquisition in Windows - FTK Imager

Captions
Hello everyone. We are continuing our discussion about data acquisition and acquiring data in a forensically sound manner. Right now I am in my Windows 10 forensic workstation, the workstation that the investigator would normally be using to do their acquisition and analysis, and to this forensic workstation I'm going to connect the suspect disk that I want to acquire. Right now the suspect disk that I have is a relatively small USB disk; it's just USB 2.0. So whenever we're connecting the disks we want to think about what's the fastest connection I can get between the suspect disk and my forensic workstation, and that connection, as well as the speed of the disk itself, will determine how fast I can actually transfer data to my computer while I'm acquiring. So I have this USB 2.0 disk, and I know that even if I had a faster bus than USB 2.0, the suspect disk itself will not be able to go faster than that. So that's kind of my bottleneck here, or I want that to be my bottleneck: I don't want to have any connection in between that is slower than that. So I have my suspect USB 2.0 disk and I have it connected to a Tableau write blocker, and then I have the write blocker connected via USB 3.0 into my forensic workstation. So I know that the bottleneck here, or the limiting factor, is going to be the suspect disk, so I can kind of go as fast as that disk can go whenever I'm transferring data.

Whenever I connect the suspect disk to my workstation, in this case Windows 10, if a partition exists on the suspect disk and Windows 10 understands the file system on that partition, then it will attempt to mount that partition just like a normal USB stick, for example. So here, this is my test USB disk; this partition is mounted on a drive and I can now see all of the data on the suspect disk, and it is currently write protected.

Okay, so if I right click on this test USB and go to Properties, I can see how big the disk is, or at least this gives me a general view of how big it is for this partition. I can see that there's a FAT32 file system on this partition, or E: drive, and the partition itself has a capacity of 3.77 gigabytes, and it's mostly unused. So this is kind of what we would normally expect. So whenever I connect a drive via a write blocker it will still show up like a normal disk, and in this case, because it was FAT32, Windows recognizes it, so it automatically mounted it. If it was something like an ext3 or ext4 file system, Windows would not mount or even show the partition if we just view using Explorer.

Now Windows has another tool: if we type MMC in Windows we should get this management console, Microsoft Management Console. It's not in every version of Windows; there's a couple, like home versions, that might not have this, but you should be able to get it in most versions. In Windows 10 it's there. So if we click File, go to Add/Remove Snap-in, scroll down, we can find Disk Management; we click Add, for this computer, click Finish, OK. MMC is actually a very powerful way for local and remote management of computers, but this I just wanted to show you because it gives you a better overview of the actual disks that we have in this system. So for example, if I pull this out a little bit, here we have my disk 1... sorry, disk 0, and this is the main disk in my forensic workstation, and then I have disk 1. We see this kind of test USB, E: drive, simple, basic, FAT32, healthy, etc. So it kind of gives me the capacity of the partition, and I can see the overall physical disk here: so disk 1, 3.7 gigabytes, online. And it tells me a little bit more, or at least it gives me, in my opinion, a little bit better view of the actual disk rather than just the partition information. It gives me a little bit of everything, but I can't access the files directly from here. So we can use Microsoft Management Console to see the disks in Windows from our forensic workstation. So I'm going to go ahead and close that.

These are the files that are inside; I can see that they're mostly JPEG images, there's also a Python script, and what looks like emails. So yeah, that's pretty much all the data that's on the disk.

To acquire this disk we are going to use AccessData's FTK Imager. Whenever I double-click on FTK Imager, I click Yes to give it administrative privileges. If I'm acquiring data on Windows systems I tend to use AccessData's FTK Imager. On my forensic workstation I will install FTK Imager; if I'm doing a live acquisition, then there's a version of FTK Imager that you can put on a USB stick and you do not need to install on the suspect system. So if we're doing live investigations or live forensics, then I would probably use AccessData FTK Imager on a USB stick, basically just because it's extremely easy to use and I've never really had any problems with it.

So once we start up AccessData's FTK Imager, if we want to acquire the disk, first off we go to File and we go to Create Disk Image. Now there's a couple of other options we can do, but I'm going to focus on creating a disk image right now. So Create Disk Image, and now we have a few options: Physical Drive, Logical Drive, Image File, Contents of a Folder, and basically DVDs or CDs, if we have this device. Most of the time, especially if you're just starting out, you should normally go for Physical Drive, because you will be able to recover more information. If you go for Logical Drive, remember this is like a partition, basically, and there could be some hidden information that we miss. With Logical Drive we might also not be able to carve out as much data if we collect only the partition information, or the logical drive. With Physical Drive we're copying all of the data for the entire disk; even parts of the disk that are not used by the partition we will still copy. So we tend to, or you should try to, go for Physical Drive if you can. If you have the space to go for Physical Drive, you should. Logical Drive we tend to use more whenever the disks are either way too big or, well, there's a couple of different situations we might talk about later.

Image File: we can also use FTK Imager to make forensic copies of image files. Remember we should never work with the original copy that we make. So once we acquire data we have this image file containing all of the suspect data, and we do not want to work with this original file, so we want to make copies of it. Well, FTK Imager can make a forensic copy of your image file so you can work with the copy instead of the original.

Contents of a Folder can be used for a lot of different things. For example, if you're acquiring data from, I don't know, a cloud, and the disk in the cloud is just way too big, you'll never be able to copy everything; you might want to copy only the contents of a folder, and this will copy all of the data in that folder into basically a forensic disk image type of file. So rather than actually just copying files out, you're putting the files into a container that's then treated like a forensic disk image. Sometimes we're also restricted in what we can copy. Maybe on a disk there are many directories that have a bunch of different users' information in them, so a lot of different people have data on this computer, and we can legally only collect the data from one person. In that case we might need to go with Contents of a Folder instead of a logical drive or a physical drive, because if we copy the physical drive or logical drive we might be copying private information of many different people, and we only have the authority to collect data on one person. So Contents of a Folder might be useful in some cases like that.

Okay, so in this case, because I know I have enough space to hold my disk image, I'm going to choose Physical Drive, click Next, and then it lists all of the physical drives that we currently see in the system. I know my physical drive is basically this 4 gigabyte USB, and it's not this 68 gigabyte IDE. So IDE is the type of connector, USB is the type of connector, so I know that this 4 gigabyte disk is my connector, and we see this \\.\PhysicalDrive1, and this is how Windows identifies physical disks in your system. Okay, so \\.\PhysicalDrive and then a number is how Windows identifies physical disks in the system. So I click on my USB drive, click Finish. Now we've selected it as the image source, and we know that this is the drive that we wanted, and it's saying image destinations. Okay, so we need to click Add, OK, and now it's telling us the destination image type.

So basically there's a few different image types that are used. Raw (dd) is just an exact copy of the disk. SMART actually I don't think is used too much anymore, so we won't really cover that; I've never seen anyone who's actively using this in the field. E01 is the Expert Witness Format, and this is basically the EnCase standard, let's say. Now it has all of the raw data from the suspect system, and it also has checksums within the raw data, as well as a file header and footer, and it also has some support for encryption and things like that. Basically E01 has all of the raw data and also some extra features built in for checking, to make sure the data is okay. AFF has a lot of different features as well, but I don't really see a lot of tools supporting it, and then I heard for a while that this file format was no longer supported by the developers even, so we won't really talk about this one. The two main ones are raw, just copying the data bit for bit to make an exact copy of the data, and E01, which is kind of the de facto standard that a lot of different organizations tend to use, that copies all of the original data plus has some extra features like error checking built into the file type.

I'm going to go ahead and choose Raw (dd) just for example, and then it's going to ask me for a case number. If you're already at this stage you probably already have a case number assigned from your organization, and then we need to assign an evidence number. Now this evidence number, if it hasn't already been assigned by the time it comes to you, you need to give it an evidence number that's relevant and orderly to the case. So in this case let's assume that this is the first hard drive, or the first artifact, that I've received from the suspect, so I might also call this something like 001. And then a unique description: here it is a gold USB with black case and red LED, something like that; something that is descriptive, that describes the device that you're looking at. Even this is probably too general, because there might be another USB stick like that. If there are any markings on the disk that are somewhat unique, you want to make sure that you actually describe them; this will help you determine which one is which later. If there's a serial number on the disk, definitely put that in there. Okay, and then the examiner: basically just put your own name, or whoever is examining or collecting this. And then notes: put any relevant notes. This information will be saved, or created, with your disk image, so you want to make sure that all of this information is provided at the same time that you're imaging. That way whoever looks at the image knows who created this image, why it was created, what the evidence number is, what the case number is, and you have all this documented at the same time. You should also be keeping case notes with all of this information in them, so you can refer back to your case notes if anyone asks you in the future. Okay, so we click Next.

Then it's going to ask me for the image destination folder. Now, I'm currently working in a virtual machine. Before I get into that, one thing you need to definitely be aware of is I have this test USB, E: drive, right here. We never want to save the suspect data back onto the disk that we're trying to copy from. So we do not save any data to this suspect disk. Make sure you know what your suspect disk is called, make sure you know what drive letter it's been assigned; all of this should be in your case notes, and we do not want to try to save anything back.

So I would go to This PC, and I'm currently working in a VirtualBox guest VM, so I only have one disk, and I would go to Users. I would normally have a separate disk specifically for working with, or doing, acquisitions, and I would have a separate space specifically for my cases. So I would have a case; in this case let's say that our case number is 001. So, actually, under Documents... sorry, under Documents let's do New... Okay, let's say Desktop (never put anything on the desktop, but we'll just do this for an example). I would make a new folder called cases, and then normally this cases folder would be on a separate disk, like a D: drive or something like that. And then inside the cases folder I would make a new folder with the case name or the case number, and then possibly the date, but at least some unique case number. Okay, and then let's browse to that: Desktop, cases, case number. And then I also want to create a new folder called images. So in the case folder, for example in case 001, I would probably have a folder called images, I would probably have another folder called docs, and I would probably have another folder called, let's see, temp, like a temporary working space whenever I'm trying to do my analysis. So I would have a couple of different folders by default that I would just create in my case folder; that would at least be docs, which would be documentation, and then the images folder for all of the image files that I would acquire, and then a temporary working space to do different types of extraction and analysis.

Okay, so in the images folder now I want to create another folder, which is the exhibit number. So right now this is my first disk that I am working with, so I'm going to put 001. And then this is where I want to save an image of disk, or exhibit number, 001, so I click OK. So now we're in C:\Users\test\Desktop\cases\001 (this is the case number)\images\001, so I'm making an image of exhibit number 001. Again, this would normally be, instead of C:\Users\test\Desktop, something like D:\cases\001, and that D: drive would be specifically and only for this case data. So now, this disk I would say is, for example, the exhibit number; if the USB, or the exhibit, had a serial number, I would also put the serial number. I might also put, for example, the date, so I'll just put 2016 here. And then it says insert file name excluding extension, so we don't need to give it an extension here, and I'll just say, in this case, exhibit number and a date, to make it a little bit more unique, but I don't have to put them. OK.

Image fragment size: so what this is going to do is, if we have a disk in this case over 1500 megabytes, then it will split it into 1500 megabyte chunks, and we will get different files. That's usually used so we can save different pieces of the data onto DVD, or maybe a disk that is formatted with an older version of FAT32, and they have a 4 gigabyte limit to the files that can be saved on there. So we can use this to split up the data and make it a little bit more manageable. Imagine that we had a 1 terabyte hard drive; we probably don't want to create a 1 terabyte file, because it will be difficult to move that file around or work with that file. So I'm going to leave the image fragmentation on. If we set it to zero then it will not be fragmented. In this case my USB stick is only 4 gigabytes, so I don't need to fragment it, but I will, just to show you. And then use encryption: we can create an encrypted disk image, but honestly I never really use this. Okay, so Next, Finish.

So now we come back to this image destinations. It shows where I'm going to save the image and what type of an image it is. It also lets me add, if I want to, another location, a different format, another location. So we can use this feature to write the image to, let's say, multiple hard drives, or maybe a local disk and a centralized server. So think about redundancy here; save some time, basically, and think about all the places where you want to make a copy of the data. Remember we want to make at least a couple of copies of the data; that way we don't have to access the original disk basically ever again.

So some other features: verify images after they are created. So while it's copying it will create SHA-1 and MD5 hashes, and it will use those hashes and verify the image once it's done. This makes the whole process take a little bit longer, but that's OK for us. Precalculate progress statistics also makes it take a little bit longer; I don't usually do this. Create directory listing of all the files: again this is kind of pre-processing, we won't worry about that for now. So if I click Start, now we can see the image source, PhysicalDrive1, the destination is the destination that I set, 001-2016, and it's creating the image. I can see on my write blocker that the write blocker is flashing with activity now, and the USB stick too is also flashing with activity.

Okay, so if we go into our cases folder while that's running. Okay, so just to show you, estimated time left: because we did not precalculate, estimated time left will not show here; basically you'll just get this. For 4 gigabytes you're looking at, probably, 4 gigabyte USB 2.0, maybe 10 minutes or so, I think. So we'll let that run. And if I go into my cases folder, cases, 001, in the images folder, and then exhibit 001, now I see this what's called a .001 file. If you choose raw or DD image then the file extension will be .001; if you choose an E01 file then the extension will be .E01. And then if you have multiple parts, you'll have .001; once it gets to 1500 megabytes then we will have 001-2016.002, and that will be the second part. So the extension is actually really important; it's important that you keep the extensions for multi-part files, because you'll have basically .001, that's the first part, .002, that's the second part, .003, that's the third part, and if you're missing any of those parts then you basically can't reconstruct the entire image. Again, for E01 files it's basically .E01, .E02, .E03 and so on, and kind of the same idea: you won't be able to reconstruct the entire image if you're missing certain parts. Okay, so I'm going to let this run and speed it up and come back to you whenever it is done.

Okay, so now we have our disk image, so I'm going to close this, and you see that we have this three-part disk image where the file extension is .001, .002, .003, and it basically just says "001 File", "002 File", "003 File". You notice that it's basically 1500 meg for 1 and 2, and then about 900 meg for the third part. Basically these are split up into 1500 megabyte chunks, and then number three just couldn't fill out the last of it because the disk essentially ran out of space, so we couldn't copy more because we found essentially the end of the disk. So here we have a three-part image, and then we also have this text document here.

If we open up the text document, then this tells us some interesting information about our entire image process, basically. So we have created by AccessData FTK Imager 3.4.2.6; now this version number for FTK Imager is going to be very important for us. Case information: acquired using AccessData 3.4.2.6, case number, like we put in earlier, 001, evidence number 001, some sort of unique description, and this is what I typed in earlier, examiner, and notes. So this is all of the information that I typed in earlier identifying our suspect disk, plus the version of the software that we used. And then information for the image that I created, and it gives the full path where I saved the image. And then this is giving us information about the disk itself, including the model, the serial number (which I did not see on the disk, but there is an identifier inside), drive interface USB, removable drive true, source data size, which is very important, sector count, also very important, and probably the most important on this are these MD5 and SHA-1 checksums. This is the information that I need to be able to verify my disk later. Once I create these numbers, every time I check the data again from now on these numbers should always be the same; the data should always produce the same number every time I calculate an MD5 checksum or a SHA-1 checksum. Image information specifically: acquisition started at 9:55, acquisition finished at 10:04, so you see it took about 10 minutes for 4 gigabytes over USB 2. And then segment list basically says the full path plus the name and extension of each of the parts of the image.

Now this MD5 and SHA-1 checksum is the hash value for the entire disk. So that means that all of these three parts have to be recombined if I want to calculate the hash of the entire disk again, and there are a few ways to do that, and we'll show you that later. So this is the acquisition part of this lesson; we've done acquisition in Windows using FTK Imager. Next we'll show you acquisition in other operating systems. Thank you very much.
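The step the video defers to "later" is recombining the .001, .002, .003 parts and recomputing the MD5 and SHA-1 that FTK Imager recorded in its text log. The script below is an added example, not code from the video, from DFIRScience or from FTK Imager. It assumes the raw segments follow the naming the video shows (same base name, three-digit numeric extensions starting at .001), that the source disk has 512-byte sectors (so the logged sector count times 512 is the expected image size), and it builds a tiny constructed fixture (a 7-sector "disk" split into 3-sector fragments, so three parts with a short third one, mirroring the 1500 MB split at small scale) rather than reading a real acquisition. A gap in the numbering, a size that does not match the sector count, or a hash mismatch each fails verification, which is exactly the "missing part means you can't reconstruct the image" point made above.

```python
"""Verify a multi-part raw (dd) disk image against the MD5/SHA-1 values an acquisition log recorded."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

SECTOR_SIZE = 512  # assumption: the source disk reports 512-byte sectors


def segment_paths(first_segment):
    """Collect name.001, name.002, ... beside `first_segment`, in numeric order.

    Returns (paths, missing_numbers). Any gap in the numbering means the image
    cannot be reconstructed, so the caller treats a non-empty `missing` as fatal.
    """
    first = Path(first_segment)
    if not re.fullmatch(r"\.\d{3}", first.suffix):
        raise ValueError(f"{first.name}: expected a numbered raw segment such as name.001")
    found = {int(p.suffix[1:]): p for p in first.parent.glob(f"{first.stem}.[0-9][0-9][0-9]")}
    if not found:
        raise FileNotFoundError(first)
    missing = [n for n in range(1, max(found) + 1) if n not in found]
    return [found[n] for n in sorted(found)], missing


def hash_segments(paths, chunk_size=1 << 20):
    """Stream every segment, in order, through MD5 and SHA-1 as one continuous byte stream."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    for path in paths:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk_size), b""):
                md5.update(block)
                sha1.update(block)
                total += len(block)
    return md5.hexdigest(), sha1.hexdigest(), total


def verify_image(first_segment, expected_md5, expected_sha1, expected_sectors=None):
    """Compare the recombined image with the hashes (and sector count) from the acquisition log."""
    paths, missing = segment_paths(first_segment)
    md5, sha1, total = hash_segments(paths)
    result = {
        "segments": len(paths),
        "missing": missing,
        "bytes": total,
        "md5": md5,
        "sha1": sha1,
        "md5_ok": md5 == expected_md5.lower(),
        "sha1_ok": sha1 == expected_sha1.lower(),
        "size_ok": expected_sectors is None or total == expected_sectors * SECTOR_SIZE,
    }
    result["verified"] = not missing and result["md5_ok"] and result["sha1_ok"] and result["size_ok"]
    return result


# Constructed fixture: a 7-sector "disk" split into 3-sector fragments, so the image has
# three parts and the last one is short, like the 1500 MB / 1500 MB / ~900 MB split in the video.
SAMPLE_DISK = bytes(range(256)) * 14          # 3584 bytes = 7 sectors of 512
FRAGMENT_SIZE = 3 * SECTOR_SIZE


def write_segments(data, directory, base, fragment_size=FRAGMENT_SIZE):
    """Write `data` as base.001, base.002, ... the way a split raw acquisition is stored."""
    paths = []
    for index, offset in enumerate(range(0, len(data), fragment_size), start=1):
        path = Path(directory) / f"{base}.{index:03d}"
        path.write_bytes(data[offset:offset + fragment_size])
        paths.append(path)
    return paths


def reference_hashes(data):
    """The MD5 and SHA-1 an acquisition log would record for this disk."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def demo():
    """Verify an intact 3-part image, then the same image with part .002 removed."""
    md5, sha1 = reference_hashes(SAMPLE_DISK)
    sectors = len(SAMPLE_DISK) // SECTOR_SIZE
    workdir = Path(tempfile.mkdtemp())
    try:
        segments = write_segments(SAMPLE_DISK, workdir, "001-2016")
        intact = verify_image(segments[0], md5, sha1, sectors)
        segments[1].unlink()                    # simulate a lost .002 part
        damaged = verify_image(segments[0], md5, sha1, sectors)
    finally:
        shutil.rmtree(workdir)
    return {"intact": intact, "missing_segment": damaged}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: verified={outcome['verified']} segments={outcome['segments']} "
              f"missing={outcome['missing']} bytes={outcome['bytes']}")
```

For a real acquisition, call `verify_image` with the path of the .001 file and the MD5, SHA-1 and sector count copied from the FTK Imager text log; the hashes are computed over the concatenated stream, never per segment, because the logged values cover the whole disk. Hash mismatches are reported alongside the size and gap checks so that a short or out-of-order part is not mistaken for data corruption.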
Info
Channel: DFIRScience
Views: 98,410
Rating: 4.9157896 out of 5
Keywords: Forensic Acquisition, FTK Imager, ftk imager tutorial, how to use ftk imager, how to use ftk, using ftk imager, ftk image, ftk imaging, ftk tutorial, accessdata ftk imager, access data ftk imager, ftk toolkit tutorial, ftk imager lite, ftk forensics, ftk forensic toolkit tutorial, ftk forensic, forensic image, Forensically Sound Acquisition, forensic toolkit, Digital Forensics, Digital Forensic Tools, DFIR, introduction to computer forensics, computer forensics
Id: TkG4JqUcx_U
Length: 29min 3sec (1743 seconds)
Published: Mon Oct 03 2016