In this video, we are going to create a live forensic image of a suspect's hard disk drive using AccessData's FTK Imager. The tool version I am using in this lab is one that I have pre-installed on my machine. In a real-life scenario, and assuming that the suspect's machine won't have FTK Imager installed, you can use the portable version found in the reference section of the module 2 slides. All you need to do is copy the portable version to a USB drive. You can then run the tool from that drive and perform the acquisition. Don't forget to add an external disk too, so that you can save your forensic image to it.

Before we create our forensic image, let's start FTK Imager. As you can see, it is divided into four panes: the Evidence Tree pane, the File List pane, the Display pane, and the Custom Content Sources pane at the bottom left.

If we go to the File menu, we can see the available features that we can use. We have the following options: Add Evidence Item, to add evidence; Add All Attached Devices, to add all the devices attached to the system to the tool; and Image Mounting, which is for mounting forensic images. You can also see that other features are disabled, like Remove Evidence Item, because we don't have any evidence added to the tool.
We'll address this in a later video, so don't worry. Moving on, we see the Create Disk Image option, which we will be using shortly. Here's the Capture Memory feature, which allows us to take a forensic capture of the memory of the running system. Finally, we have Obtain Protected Files. This is used to take a forensic image of files that are related to the operating system. These files are protected from being accessed or copied while the system is running, like the system registry and the files related to the SAM database, which stores user credentials on a system.

Before we use the Create Disk Image option, let's review the disks available and how to do basic checks from within the system. Let's go to My Computer and right-click on it, then select Manage to bring up the Computer Management console. Now, let's navigate to the Disk Management section of the Computer Management console, which displays all drives on the machine. As you can see, we have a pane that contains details about each volume seen by the system, and just below that, there's a pane showing the volumes grouped by disk. We have Disk 0, which is disk number 1, although the counting here starts with 0.
We then have Disk 1, which is the second, and Disk 2, which is the third disk found on this computer. The first disk is divided, or partitioned, into two partitions. The first is the System Reserved partition, which Microsoft uses to store parts of the operating system. As you can see, it has a size of 350 megabytes and an NTFS file system. Additionally, this partition is a system partition, as well as an active primary partition. The second partition is attached to the C drive and has 99.66 gigabytes of capacity, as well as an NTFS file system. When selecting the partition, we can see the same details displayed in column form in the pane above.

Now, if we go to the second disk, Disk 1, we can see that the disk has five partitions and the rest is free space, with a capacity of 523 megabytes. If we select the first partition on the disk, we can see it has a 100 megabyte capacity, a FAT32 file system, it is a primary partition, has the name FAT32PTA, and is mounted and attached to the drive letter X. As you can see, the rest of the partitions are all the same size, but the difference between them and the first is that they are all logical drives, not primary. The first logical partition is a FAT32 partition with 100 megabytes of capacity and a label of FAT32PTB.
The second, third, and fourth logical drives have 100 megabyte capacity, an NTFS file system, and are named NTFS PTA, NTFS PTB, and NTFS PTC respectively. NTFS PTA, the second logical drive, is the only one that is mounted and attached to a drive letter, which is Y. Looking at the third disk, we can see that it has 992 megabytes of disk space, but it is completely unallocated, or at least, that is what the Disk Management utility says. As an investigator, you shouldn't rely only on that; do further checks to ensure that it is not being used to hide data in some unknown file system. Please remember this point.

Let's go back to FTK Imager and start the acquisition process by going to File, then Create Disk Image. On the Select Source window, let me first explain the most commonly used options. First is the Physical Drive option, which allows you to create a forensic image from a physical disk drive. This option takes a full copy of the physical drive with all the partitions, unallocated space, etc. Second is the Logical Drive option, which allows you to reach down to a specific partition and take a forensic image of it. Here, we are dealing with logical drives.
In other words, partitions. This is very useful when you don't want to take a full image, especially when you know the exact partition you are interested in. Third is the Image File option, which allows you to take a forensic copy of a forensic copy. It's just like making duplicates of the forensic copy, or you can convert a forensic image from one format type to another, for example from Raw (dd) to Advanced Forensic Format (AFF). Lastly is the Contents of a Folder option, which allows you to make a forensic image of a specific directory. You would select this choice when you want to take a forensic copy of a specific directory, or when you don't have disk space available for the whole disk and you're positively sure that a specific directory is all you need.

Let's first take a forensic image of a physical drive. Let's select the first option, and then click Next. We can now see the Select Drive window. From here we can select the drive we want to take a forensic copy of. Make sure you know which drive you're interested in, because you never know if you'll get a second chance. Let's go back to the Disk Management utility to make sure which disk we want to forensically image.
Here, we'll check the drive names against the disk drives found in the Disk Management utility. We can see that \\.\PHYSICALDRIVE1 - VBOX HARDDISK 1 GB IDE is Disk 1, and \\.\PHYSICALDRIVE2 - VBOX HARDDISK 1 GB IDE is actually Disk 2. Take note that here we can see the word VBOX in the name of the physical drive, and the reason for that is that we're doing this video using a VirtualBox virtual machine. Realistically, we might get a different manufacturer name. Again, just be careful.

Now, since I'm interested in Disk 1, I will go ahead and select the drive \\.\PHYSICALDRIVE1 - VBOX HARDDISK 1 GB IDE, and then click Finish. In the Create Image window, \\.\PHYSICALDRIVE1 is selected in the Image Source field, just like we wanted. Let's click Add to select the image destination. In the Select Image Type window, we'll select the Raw (dd) image type, which is the default here, and then click Next. The Evidence Item Information window can be used to add information to the evidence we are acquiring.
We can add information like the Case Number, the Evidence Number, a Unique Description for our evidence, the name of the person who did the examination, and any other notes that could be helpful later. Let's go ahead and fill in the information here. For the case, we'll use Case 001, since it's the first. 001 is the evidence number, because we're assuming this is the first piece of evidence. We'll also give the forensic image a unique description. Let's use Disk Image Number 1, because this is the first disk image we're doing. In the Examiner field, I'll add my name, so later on we know who made the acquisition for this evidence. In the Notes section, let's add that this is a raw image for the first disk, disk number 1, and then click the Next button.

In the Select Image Destination window, we need to specify where to store the forensic image we will be creating. For this video, it will be on the same machine, but in a real-life scenario you will usually be copying it to an external drive or location. Let's click the Browse button to proceed. All images for the course are on the desktop within a directory named Cases. Inside the Cases directory, let's create another directory for this specific case, naming it Case 001.
Also, within the Case 001 directory, we'll create another directory for this evidence, which we'll name Disk 01, because it's the first disk we're going to acquire for evidence gathering. Within that directory, let's create another directory called Images. This structure depends on you and how you want to categorize your evidence; this is only one way to sort and categorize the evidence for a specific case. Now, let's click OK to proceed.

In the Image Filename (Excluding Extension) field, let's name the forensic image we're going to acquire Disk01_Image01, because this image belongs to the first disk, and it is the first image taken. We can now see a field for Image Fragment Size (MB), which can be used in case the drive you want to acquire could not fit on the destination you have. As an example, you may not have a disk drive that could hold the whole image, and you may want to take a forensic image of a disk drive and then copy the fragments to DVDs. Let's make this zero, which means do not fragment the image. It will leave the forensic image exactly as it is, with no slicing. The Use AD Encryption option can be used to add a password to the forensic image.
With this selected, you will be asked to add a password for the image, and whenever an investigator wants to mount the forensic image and access its content, he or she will have to enter the password to open it. It's a way to secure your evidence with a password and is very useful. Now, let's click Finish.

We're now back at the Create Image window. Let's unselect the Create directory listings of all files in the image after they are created option. Don't worry, I'll explain why later. Let's click on the Start button to start the acquisition process. The Create Image window now shows the source of the image, the destination where it will be stored, the status showing that FTK Imager is creating the image, a progress bar showing how much progress has been made, the Elapsed Time field to give us an idea of how much time the tool has taken up until now, and, finally, the estimated time left to complete the forensic image. You may be wondering why the copy was extremely fast. Just remember that this depends on different factors, but one of the most important ones here is the size: the size of the disk we are acquiring is not too big.
In the Status field, we can see that it now says Image created successfully, and immediately after that the Verifying window appears and starts doing calculations. Now that the imaging process is finished, FTK Imager performs two hashing operations to verify that the acquisition was successful. In the Drive/Image Verify Results window, we can see the name of the forensic image that we chose, and the number of sectors in the disk. Under the MD5 Hash section, we see the Computed hash, the Reported hash, and the Verify result, showing that the computed and reported hashes truly match. Under the SHA1 Hash section, we can also see the Computed hash and the Reported hash, and the Verify result shows that the computed and reported hashes also truly match. Finally, we see the Bad Sector List section, which shows that there are no bad sectors. Let's go ahead and close this window, and the Create Image window too.

Let's go to the Cases directory and look inside to check that it was done successfully. We can see that all the directories we created are there, and inside the Images directory we see two files. The first file is the actual raw image of the disk we just forensically imaged. The second file contains information recorded when the image was created, including the info we added.
On the first line, we can see the tool and tool version used to create this image. Below that, we see the Case Number and Evidence Number; if you recall, we chose 001 as it was the first piece of evidence. We also see the Unique Description we used, my name on the Examiner line, and the notes we added too. Further below, in the Drive Geometry section, we see the number of cylinders in the drive, the sectors per track, and the bytes per sector, which is extremely important: even though most disks use 512 bytes, there are other, advanced types. We also see the number of sectors on the Sector Count line. In the Computed Hashes section, we see that the checksums for both MD5 and SHA1 were calculated. In the Image Verification Results section, we can see when the verification started and finished, as well as the MD5 and SHA1 checksums. Both show as verified. Before we move on, let's look at this: it shows the location where we have stored our forensic image and its name. Let's go ahead and close this now.

Let's now do another forensic image, but this time, instead of creating a forensic image of type Raw (dd), we will do one of type AFF.
Like before, we'll go to File, then Create Disk Image, and before we select the drive, let's again double-check which drive or partition we are interested in. Let's select the second disk again, Disk 1, and click Finish. Now, let's choose where we want to store this image by clicking on the Add button. Since we are making a forensic image of type AFF, let's select the last option and press Next. Again, like before, we need to add some information to the evidence we are acquiring. Let's add this to Case 001, but since this is the second piece of evidence, I wrote 002. Let's use Disk Image Number 2 for the unique description. I'll use my name for the examiner. In the Notes section, let's put AFF image for Disk number 1. Now that we're all done, let's click Next.

Here, we'll select the destination to store the forensic image. Let's do that by clicking Browse, going to the directory we created, and selecting it. Now, let's specify the name for the forensic image. Let's add the name Disk1_Image02 in the Image Filename field. Now let's specify that we don't want to fragment the forensic image, which is why the Image Fragment Size was changed to 0. Next, we'll add a password to this evidence. So let's select Use AFF Encryption and then click Finish.
Now we have a small window for the AFF Encryption. I'll add my password twice and click OK. We're not done yet; I still want to show you another feature here. Let's select the Create directory listings of all files in the image after they are created option. Everything is good, so let's start. We now see the Creating Image window, which shows the details that were explained earlier. Also, this won't take too much time, because the disk we're imaging is small. Let's check the results of the verification and make sure all was done properly. We can see the sector count and the hashes. They all match and there are no bad sectors, which is good for us. Let's close the Creating Directory Listing window and the Create Image window and continue.

Again, let's check the files that were created. We have three files. The first file is the forensic image of type AFF. Take note of the file size: it's only around 20 megabytes, compared to the raw image, which is more than 1 gigabyte. The reason for the size difference is that AFF supports compression, while raw does not compress the image. Before we check the Excel sheet, let's check the text file.
As you can see, it's the same as before. The first line shows what tool and version were used to create this forensic image, while the rest of the lines show the specific details we added during our forensic image creation. In the Drive Geometry section, we have the drive details: cylinders, tracks, sector size, number of sectors, etc. Here we can see the name of the forensic image and the storage location. Below, near the end of the file, are the computed and reported hashes, which are verified. You can check that yourself by comparing the MD5 checksum here with the one in the Computed Hashes section. Okay, let's move on.

Let's now open the Excel sheet and check it out. Let's expand these columns to see what's there. First, we have the file name and then the full path to the file on the disk drive. Some entries show no file name, only numbers. Don't worry about these entries; we'll discuss them in the next module. Take note that the file contains a directory listing for each partition within the whole disk. Here we have the directory listing for the FAT32 partition. Let's continue expanding the columns until we see the size of the file and the timestamps.
As you can see here, we have the directory listing for the NTFS partition. Again, don't worry about these unusual names and what they are; we'll discuss this at a later time. Let's close the Excel sheet and continue.

We have done a forensic image for the full disk drive, but what if we're interested in only a partition? Let's see how to do that. Again, let's go to File, then Create Disk Image, but this time, let's select the Logical Drive option and then click Next. In the Select Drive window, the drop-down list does not show physical drives, but this time shows logical partitions. We're taking a forensic image of the X partition, which has a FAT32 file system. Now, click Finish. In the Create Image window, notice in the Image Source that the partition we're imaging is X. Let's go ahead and add a destination by clicking the Add button. Let's make a Raw (dd) image this time and click Next. Now, in the Evidence Item Information window, let's add all the details we need for this case. We're still working on Case 1, so this is Case 001. This is our third piece of evidence though, so let's use 003, and Disk 1 Partition Number 1 will be the unique description.
I'll add my name to the Examiner field and make the final note Raw Image for Disk 1 Partition Number 1. Now that that's complete, let's click Next to proceed. We need to select where to store the forensic image. Let's click Browse, then navigate to the location I want and click OK. Now let's give this image a name: Disk 1 Partition 1_FAT32. Let's change the fragment size to 0 so that FTK Imager does not fragment the forensic image. Now, let's click Finish to proceed. This time we don't want to create a directory listing for the forensic image; that is, we don't want to create the Excel sheet, and we can continue by pressing Start.

Since this is only an image of a single small partition, it will finish extremely fast. Even the verification won't take too much time to calculate. Let's check the verification results. As you can see, the computed MD5 hashes match. The computed SHA1 hashes also match, and there are no bad sectors. We seem to be lucky, right? Before we close this window, we can see the number of sectors found here. If you multiply this number by 512, which is the number of bytes per sector, you get 104,857,600 bytes, and by dividing that by 1,024 we get 102,400 kilobytes.
If we divide it again by 1,024, we get 100 megabytes, which is the exact size of the partition. We'll be doing lots of calculations later on, so it's good to get used to it early. Let's close all open windows.

Let's now make sure the directory listing was done successfully, as well as the image. Let's check the directory where we stored the forensic image. As you can see, we have three files. One file is the image, which is 100 megabytes. Another file is the Excel sheet for the directory listing, and another is the text file that holds the metadata about our forensic image and how it was created. If we bring back the Disk Management window, we can see that the partition we acquired is attached to the drive letter X. The partition has a FAT32 file system and a capacity of 100 megabytes. Let's open the text file and double-check it. As you can see, the forensic image was created using AccessData FTK Imager, and the version number is on the first line. All the rest of the image information we added during the acquisition is here too. If we scroll down, we can see the image name and its location.
In the Image Verification Results section, we can see when the verification started and ended, as well as the calculated checksums for both MD5 and SHA1, which were verified successfully. In the Physical Drive Information section, we'll find the source data size reported as 100 megabytes, just like what we calculated earlier. The sector count is also 204,800. Great. One final note to mention here: when looking at the source type, you see that it is a logical drive, which is not what we get when we select to image the full physical disk drive. Let's open the text file for the disk image we created and double-check this. As you can see, the source type for the disk is physical, while it shows logical for the partition we just acquired. Before closing the text file for the partition, let's look at the Image Information section. We can see the date and time when the acquisition started and ended. Okay, that's it here. Let's close this file.

Now, let's open the Excel sheet. Again, let's expand the columns just to see what's there. As you can see, we have a column for the file name, the full path, the size in bytes, the creation, modification and access timestamps, and finally, the Deleted column.
Let's close this. In this video, we went through creating a forensic image of a full disk, which was Disk 1, as well as how to create a forensic image of a partition. We also showed how to make a Raw (dd) image and an AFF image, and briefly explained the benefits of using AFF over the dd type. By watching this video, you should now know how to identify disks and partitions from the Disk Management utility. And this concludes our training video on creating a forensic image using AccessData's FTK Imager. Thank you for joining us.