Friday, August 31, 2012

Lab & Lesson: Collecting Forensic Evidence using FTK Imager

Before you start investigating a suspect drive, you need to make an exact copy of it. Such a copy is called a forensic image of the drive. When you create a forensic image, it is important to make sure that you do not alter the data on the source drive. Hardware write-blocking devices are available for this purpose. Note that FTK Imager itself does not block writes, and Windows may write to a volume as soon as it is mounted, so in real casework a write blocker sits between the suspect drive and the examination machine. We will not discuss hardware write blockers further here.

To create forensic images we will use a program called FTK Imager. FTK Imager is included with the FTK installation, or you can install it as a standalone program. To prevent accidental or intentional manipulation of the original evidence, FTK Imager makes a bit-for-bit duplicate image of the media: the image contains exactly the same bytes as the original, including deleted files and unallocated space. This lets you store the original media safely away while the investigation proceeds on the image.

After you create an image of the data, you can then use AccessData Forensic Toolkit (FTK) to perform a complete and thorough forensic examination and create a report of your findings.

With FTK Imager, you can create forensic images of local hard drives, floppy diskettes, Zip disks, CDs, and DVDs, entire folders, or individual files from various places within the media.

FTK Imager comes with several other useful features. We will examine some of them later in these notes.

1. Starting FTK Imager
Use a USB flash drive with a small capacity. Imaging time depends on the size of the drive, not on how much data is stored on it, so a large flash drive takes a very long time to image. Select a small flash drive (say 128 MB). FTK Imager is available to you in two ways: (1) built into FTK and (2) as a standalone program. You can start either one; they are the same program.

Let us use the standalone version. After installing it, double-click the FTK Imager icon on your desktop.

There are four items on the menu bar: File, View, Mode and Help. Become familiar with these menus by clicking each. Just below the menu bar you will see the toolbar, which contains several buttons. Again, click each one and become familiar with it. Most of them become active only once an evidence item is loaded, which we will see soon.

2. Creating a flash drive forensic image

I suggest that you do all these steps hands-on. As mentioned earlier, use a small sized flash drive for this.

Prepare your flash drive. To start afresh, format it. Now save some files on it: create a zip file containing a few files from your computer (include at least two JPEG images, since we will recover deleted JPEGs later), unzip it, and copy all the files to the flash drive. Look at the contents of the flash drive. Then delete some of these files (four, for example) from the flash drive and look at the listing again: the deleted files are no longer shown. They are still on the drive, however; only their directory entries have been marked as deleted, and the forensic image will capture them.

We will now create a forensic image of the flash drive. Start FTK Imager and click the Create Disk Image button on the toolbar (also available as File > Create Disk Image):

On the next Select Source dialog window,

Select Physical Drive and click Next. In the next dialog window,

Use the pull-down menu and select the flash drive. Check the model and size shown next to each entry so that you do not image your own system disk by mistake. Click Finish. Next you will see the Create Image dialog window:

Click the Add… button.

You have four options here: Raw (dd), SMART, E01 and AFF (explained in section 3). Let us select E01. Click Next. In the next screen, fill in the evidence item information:

I completed it  (the numbers are just arbitrary):

In the next dialog window, you need to identify a place for the forensic image to be saved and a file name for the image.

I have selected Desktop to save the image and FirstExampleImage as the name of the file. Click

You will see the Create Image dialog window again. Click the Start button. FTK Imager starts working and shows its progress:

When FTK Imager is done creating the image, you will see the final screen:

The forensic image is saved in the location specified earlier. FTK Imager also creates a text file alongside it that contains the properties of the evidence and the verification information (the hashes of the source and of the image). Keep this file with the image; it is your record that the image matched the source at acquisition time.

3. Explanation of some of the steps in detail

Select Source dialog window

There are five options here. You can create a forensic image from any of these source types.

Physical Drive: one of the storage devices attached to your computer, such as the internal hard disk, a floppy drive or a flash drive. Imaging the physical drive captures the whole device, including the partition table and any space outside the partitions.

Logical drive: a physical drive can be partitioned into several independent units. Once that is done, each partition functions as a separate drive with its own letter (F:, G:, and so on). Each of these units is called a logical drive, and you can create a forensic image of each one; the image then covers only that partition.

Image File: the source can be an existing forensic image (E01, raw dd, and so on). This is how you convert an image from one format to another.

Contents of a Folder: you can create an image of a folder. This is a logical copy only: it will not capture deleted files, unallocated space, slack space and so on.

Fernico Device: the Fernico Forensic Archive and Acquisition (FAR) line of products are CD/DVD imaging robots that image CD and DVD media in batches. FTK Imager supports Fernico devices. For more information on Fernico devices, see

Create Image dialog window:

By clicking the Add button you specify the type of image to be created. The dialog box also has the following options:

Verify images after they are created:
First a brief explanation of hash values. A hash value is a number (generally expressed in hexadecimal) obtained by applying a hashing algorithm to a string of text, a file or the entire contents of a hard drive. The length of a hash is always the same for a given algorithm, however large the input. Two of the most commonly used hashing algorithms are MD5 (Message-Digest) and SHA1 (Secure Hash Algorithm): MD5 hashes are always 32 hexadecimal characters (128 bits) and SHA1 hashes are always 40 (160 bits), whether the input is a single character in a text file or an entire hard drive. Hash values are used in many places. For example, when you download a file, how do you know you have the original file published by the author and not one that has somehow been modified, perhaps infected with malware? To check, you compute the hash (say MD5) of the downloaded file and compare it to the hash published by the author. If they are identical, you have a good copy of the file, provided the published hash itself came from a source you trust. Two caveats a practitioner should know: a hash only detects that something changed, not what changed; and MD5 and SHA1 are no longer considered collision resistant against a deliberate attacker, which is why FTK Imager records both and why newer tools add SHA-256. For confirming that an image you just made matches its source, a matching MD5 and SHA1 pair remains adequate.

By default, FTK Imager does not compare the hash values of the newly created image and the original drive. If you select this option, Verify images after they are created, FTK Imager will hash the source and the finished image with MD5 and SHA1 and compare them. The hash values and the verification result are displayed when imaging finishes and are written to the accompanying text file. Always leave this option on: an image whose hash does not match its source is not evidence of anything. An E01 image also stores the acquisition hash inside the image, so the check can be repeated later with File > Verify Drive/Image.
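To make the verification step concrete, here is an added example (not code from the original page or from AccessData) that computes MD5 and SHA1 the way an imaging tool does, reading the input in fixed-size chunks so that a multi-gigabyte image never has to fit in memory, and then compares an image against its source and against a published reference hash. The sample bytes are constructed inline; a real run would pass a file path or a device node to hash_file.

```python
"""Chunked MD5/SHA1 verification of a forensic image.
Added example, not code from the original page or from AccessData."""
import hashlib
import io


def hash_stream(stream, algorithms=("md5", "sha1"), chunk_size=1024 * 1024):
    """Return {algorithm: hex digest} over everything readable from `stream`,
    one chunk at a time, so a multi-gigabyte image or device is never loaded whole."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, **kwargs):
    """Same, for an in-memory sample (used for the constructed inputs below)."""
    return hash_stream(io.BytesIO(data), **kwargs)


def hash_file(path, **kwargs):
    """Same, for a raw image on disk or a device node such as /dev/sdb (needs read rights)."""
    with open(path, "rb") as f:
        return hash_stream(f, **kwargs)


def verify_copy(source_hashes, image_hashes):
    """True only when every algorithm agrees: the copy is bit-for-bit identical."""
    return len(source_hashes) > 0 and source_hashes == image_hashes


def matches_reference(hashes, expected_md5):
    """Compare against a published MD5, tolerating case and surrounding whitespace."""
    return hashes["md5"].lower() == expected_md5.strip().lower()


if __name__ == "__main__":
    source = b"abc"                       # constructed 'drive' contents
    print(hash_bytes(source))             # md5 900150983cd24fb0d6963f7d28e17f72
    print("good copy verifies:", verify_copy(hash_bytes(source), hash_bytes(b"abc")))
    print("one byte changed:", verify_copy(hash_bytes(source), hash_bytes(b"abd")))
```

The digest does not depend on the chunk size, so hashing a device node directly and hashing the image file afterwards give comparable results; changing a single byte of the copy changes both digests entirely, which is what the verification step relies on.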

Precalculate Progress Statistics:
If you check this option, FTK Imager shows an "Estimated time left" figure in the Creating Image dialog window. By default this estimate is not shown.

Create directory listings of all files in the image after they are created:
If you check this option, FTK Imager creates a CSV file (which opens in Excel) listing the files in the image with file name, size, dates and so on. By default this listing is not created.

Select Image Type dialog window:

Raw (dd):
The Raw format is just a data dump of the source, with no header or metadata; the name comes from dd, the Unix utility traditionally used to produce such dumps. The raw image type is not compressed, so if you select Raw (dd), be sure to have at least as much free space as the size of the source drive. Because it is just a data dump, it is faster to create than SMART or E01, and any tool can read it. Since the hashes are not stored inside a raw image, keep the text file FTK Imager writes alongside it.

SMART is the image file format of SMART, a commercial forensics software package distributed by ASR Data.

EnCase is a family of all-in-one computer forensics suites sold by Guidance Software. E01 is the EnCase evidence file format; it supports compression and stores the case information you entered, together with the acquisition hash, inside the image.

AFF (Advanced Forensic Format) is an open and extensible file format for storing disk images and their associated metadata. It is not a proprietary format, so you are not limited to any particular vendor's tools for analysis and can use whichever tools are convenient to you.

Select Image Destination dialog window

This is where you specify the location to save the image file and the file name.
In the Image Fragment Size field, specify the maximum size (in MB) of each segment of the image file; large images are split into numbered segments of this size. Enter 0 to keep the image in a single file. FTK Imager places a default value (1500) here, which keeps each segment small enough for a FAT32-formatted destination drive or a DVD.

In the Compression field, select the desired level of compression: 0 = none, 1 = fastest, up to 9 = smallest. The Raw format does not permit compression. The higher the compression level, the smaller the image but the longer it takes to create. AccessData suggests level 6 (the default).

Checking the AD Encryption box lets you encrypt the data while it is written to the image. Skip it for now.

4. Examining the evidence

Once a forensic image is created, we can examine the evidence in FTK Imager itself. For much deeper analysis, we need FTK (not FTK Imager). We will use FTK in later weeks.

Let us examine the image, FirstExampleImage.E01 (the image we created just now).
Start FTK Imager. Click File and then select Add Evidence Item…

In the next Select Source dialog box,

Select Image file and click Next. In the next dialog window,

Click Browse and select the image file we created earlier (FirstExampleImage.E01).
Click Finish.

Our image file is now loaded into FTK Imager and we are ready to examine the evidence.
The FTK Imager interface has four panes: Evidence Tree Pane, File List Pane, Properties Pane and Viewer Pane:

Record the following observations:

Highlight FirstExampleImage.E01 in the Evidence Tree Pane. Write down the following (from the Properties Pane):
Bytes per sector
Sector Count
Acquire Date
MD5 Verification Hash

Highlight KINGSTON [FAT16] in the Evidence Tree Pane. Write down the following (from the Properties Pane):
Cluster Size
Cluster Count
Volume Label

Highlight [root] in the Evidence Tree Pane. From the File List, write down the list of deleted files (notice the X marked on the icons of deleted entries):

Notice the three viewer-mode icons on the toolbar (Automatic, Text and Hex, also available from the Mode menu). Click each one and see how the contents of the Viewer Pane change.
Write down the first line of each of the following deleted files:

Retrieve two deleted JPG files: right-click each one in the File List, choose Export Files…, and open the exported copies to confirm they are intact. A recovered file is only complete if its clusters have not been reused since it was deleted.
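The properties you are asked to record above come from the FAT16 boot sector, and the deleted files are listed because deleting a file on FAT only overwrites the first byte of its directory entry. The following added example (not code from the original page or from AccessData) builds a small constructed FAT16 volume in memory with the label KINGSTON and two deleted JPEGs, derives bytes per sector, cluster size, cluster count and volume label from the BIOS Parameter Block, and lists the root directory including the deleted entries. The volume geometry and file names are assumptions chosen to mirror the lab; only the boot sector, FATs and root directory are generated, because nothing here reads the data area.

```python
"""Constructed FAT16 volume and the properties FTK Imager derives from it.
Added example, not code from the original page or from AccessData."""
import struct

DELETED_MARK = 0xE5        # first byte of a directory entry after its file is deleted
ATTR_VOLUME_LABEL = 0x08
ATTR_LONG_NAME = 0x0F      # VFAT long-name entries describe no file of their own
ENTRY_SIZE = 32
BPB_FORMAT = "<HBHBHHBHHHII"   # BPB fields from offset 11, little-endian, per the FAT spec


def build_volume(entries, bytes_per_sector=512, sectors_per_cluster=4, reserved=1,
                 num_fats=2, root_entries=512, fat_sectors=8, total_sectors=8192,
                 label=b"KINGSTON"):
    """Boot sector + FATs + root directory of a FAT16 volume (data area omitted)."""
    boot = bytearray(bytes_per_sector)
    boot[0:3], boot[3:11] = b"\xEB\x3C\x90", b"MSWIN4.1"
    struct.pack_into(BPB_FORMAT, boot, 11, bytes_per_sector, sectors_per_cluster,
                     reserved, num_fats, root_entries, total_sectors, 0xF8,
                     fat_sectors, 63, 255, 0, 0)
    boot[38] = 0x29                        # extended boot signature: label and type follow
    boot[43:54] = label.ljust(11)
    boot[54:62] = b"FAT16   "
    boot[510:512] = b"\x55\xAA"
    root_dir = bytearray(root_entries * ENTRY_SIZE)
    for i, (name, attr, first_cluster, size, deleted) in enumerate(entries):
        raw = bytearray(ENTRY_SIZE)
        raw[0:11], raw[11] = name, attr
        struct.pack_into("<HI", raw, 26, first_cluster, size)
        if deleted:
            raw[0] = DELETED_MARK          # all that DEL changes; the data clusters stay
        root_dir[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE] = raw
    return bytes(boot + bytearray(num_fats * fat_sectors * bytes_per_sector) + root_dir)


def volume_properties(image):
    """The figures the Properties Pane shows for a FAT16 volume, computed from the BPB."""
    (bps, spc, reserved, nfats, root_entries, total16, _media, fat_sectors,
     _spt, _heads, _hidden, total32) = struct.unpack_from(BPB_FORMAT, image, 11)
    total = total16 or total32             # 16-bit count is 0 on volumes over 32 MB
    root_dir_sectors = (root_entries * ENTRY_SIZE + bps - 1) // bps
    root_dir_start = reserved + nfats * fat_sectors
    data_start = root_dir_start + root_dir_sectors
    return {
        "bytes_per_sector": bps,
        "sector_count": total,
        "cluster_size": bps * spc,
        "cluster_count": (total - data_start) // spc,
        "volume_label": image[43:54].decode("ascii").rstrip(),
        "root_dir_offset": root_dir_start * bps,
        "root_dir_entries": root_entries,
    }


def list_root(image):
    """Root-directory files, flagging deleted ones the way the File List pane does."""
    props = volume_properties(image)
    offset, files = props["root_dir_offset"], []
    for _ in range(props["root_dir_entries"]):
        raw = image[offset:offset + ENTRY_SIZE]
        offset += ENTRY_SIZE
        if raw[0] == 0x00:                 # no entries follow
            break
        if raw[11] == ATTR_LONG_NAME or raw[11] & ATTR_VOLUME_LABEL:
            continue
        deleted = raw[0] == DELETED_MARK
        base = (b"?" if deleted else raw[0:1]) + raw[1:8]   # first character is lost
        ext = raw[8:11].decode("ascii").rstrip()
        files.append({
            "name": base.decode("ascii").rstrip() + ("." + ext if ext else ""),
            "deleted": deleted,
            "first_cluster": struct.unpack_from("<H", raw, 26)[0],
            "size": struct.unpack_from("<I", raw, 28)[0],
        })
    return files


# Constructed root directory: the label, one live file, two files deleted from Explorer.
SAMPLE_ENTRIES = [
    (b"KINGSTON   ", ATTR_VOLUME_LABEL, 0, 0, False),
    (b"NOTES   TXT", 0x20, 3, 1200, False),
    (b"PHOTO1  JPG", 0x20, 4, 84210, True),
    (b"PHOTO2  JPG", 0x20, 25, 91337, True),
]
SAMPLE_IMAGE = build_volume(SAMPLE_ENTRIES)

if __name__ == "__main__":
    print(volume_properties(SAMPLE_IMAGE))
    for f in list_root(SAMPLE_IMAGE):
        print(("x " if f["deleted"] else "  ") + f["name"], f["size"], f["first_cluster"])
```

Because the size and first cluster of a deleted entry survive, a tool can walk from the first cluster and read the file back, which is what Export Files… does for you; the lost first character of the name is why recovered FAT files often appear with a placeholder in front.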
