WEBVTT

0:00:03.020000 --> 0:00:07.080000
In this video, you will learn how to add evidence to FTK Imager.

0:00:07.080000 --> 0:00:09.860000
We will also explore the tool a bit so you can see how the evidence is

0:00:09.860000 --> 0:00:13.800000
presented as well as give you an idea of what you may want to collect.

0:00:13.800000 --> 0:00:16.920000
We can use FTK Imager to add items to it.

0:00:16.920000 --> 0:00:20.320000
We can also preserve any action, as messing with evidence, whether it

0:00:20.320000 --> 0:00:24.920000
was done on purpose or by mistake, could tamper with our evidence.

0:00:24.920000 --> 0:00:27.620000
Let's say you just want to take a preview of the available evidence without

0:00:27.620000 --> 0:00:29.860000
modifying or corrupting it.

0:00:29.860000 --> 0:00:31.860000
Think of it like window shopping.

0:00:31.860000 --> 0:00:35.480000
You can walk up to the glass and look at an item without touching it.

0:00:35.480000 --> 0:00:37.120000
This is the same with the evidence.

0:00:37.120000 --> 0:00:38.960000
We can see it without touching it.

0:00:38.960000 --> 0:00:43.440000
Let's get an idea of what we have, and navigate to Manage, and then go

0:00:43.440000 --> 0:00:45.400000
to Disk Management.

0:00:45.400000 --> 0:00:51.700000
Here we see disk 0, which has two partitions.

0:00:51.700000 --> 0:00:57.300000
We also see a disk 1, which has three partitions and some empty space.

0:00:57.300000 --> 0:01:00.740000
Let's see how we can browse this evidence using FTK Imager.

0:01:00.740000 --> 0:01:03.440000
Let's go to File.

0:01:03.440000 --> 0:01:05.620000
The first option is to add evidence.

0:01:05.620000 --> 0:01:07.640000
Let's go ahead and select that.

0:01:07.640000 --> 0:01:13.520000
We have four different options: physical drive, logical drive, image,

0:01:13.520000 --> 0:01:17.120000
and directory. Let me briefly explain each.

0:01:17.120000 --> 0:01:20.280000
If you select physical drive, you will be selecting based on the physical

0:01:20.280000 --> 0:01:23.240000
layer, which means that you will be dealing with disks.

0:01:23.240000 --> 0:01:26.480000
If you select logical drive, then you will be dealing with partitions

0:01:26.480000 --> 0:01:28.420000
at the logical layer.

0:01:28.420000 --> 0:01:34.380000
If you choose image, this is where you will have a forensic image and

0:01:34.380000 --> 0:01:37.360000
you want to attach it, so you can look at it.

0:01:37.360000 --> 0:01:40.720000
Lastly, you may have a directory and simply want to see what files are

0:01:40.720000 --> 0:01:43.540000
in it. Perhaps there's a case that has photos.

0:01:43.540000 --> 0:01:45.660000
It could be pornography or child abuse.

0:01:45.660000 --> 0:01:49.700000
You can use the content as a folder to navigate through the data.

0:01:49.700000 --> 0:01:53.460000
Let's have the physical drive and click Next.

0:01:53.460000 --> 0:01:56.800000
We now see two drives.

0:01:56.800000 --> 0:02:02.260000
Drive zero is this one and drive one is this one here.

0:02:02.260000 --> 0:02:06.240000
Let's go ahead and select drive one and click Finish.

0:02:06.240000 --> 0:02:08.260000
Let's maximize this.

0:02:08.260000 --> 0:02:11.940000
As you can see, we have attached all three partitions.

0:02:11.940000 --> 0:02:19.420000
We have one NTFS, one FAT32, and another NTFS.

0:02:19.420000 --> 0:02:23.360000
And here they are in Disk Management.

0:02:23.360000 --> 0:02:27.260000
And here we see another unallocated space, which is this one.

0:02:27.260000 --> 0:02:32.840000
So, as you can see here, we have attached the physical drive and all partitions

0:02:32.840000 --> 0:02:38.700000
are beneath it. We can expand this and click on root to see this drive.

0:02:38.700000 --> 0:02:41.660000
Let's do the same for another two partitions so we can see what's in their

0:02:41.660000 --> 0:02:48.400000
drives. We are also unable to modify, which is good.

0:02:48.400000 --> 0:02:51.820000
This allows us to look at the evidence without tampering with it.

0:02:51.820000 --> 0:02:55.740000
Let's go ahead and add another, a logical drive.

0:02:55.740000 --> 0:02:59.580000
And this time we are dealing with the logical layer, which means we are

0:02:59.580000 --> 0:03:01.340000
dealing with partitions.

0:03:01.340000 --> 0:03:05.700000
Let's select C, which is the main file system that is running the operating

0:03:05.700000 --> 0:03:11.280000
system itself. So, here we can see that the partition is attached as a

0:03:11.280000 --> 0:03:15.460000
logical layer. We can also see all of its files too.

0:03:15.460000 --> 0:03:21.100000
Let's go back to attach and choose image, which allows us to select an

0:03:21.100000 --> 0:03:24.440000
image by browsing and then clicking Open.

0:03:24.440000 --> 0:03:33.320000
When the image is attached, we are able to navigate the image itself.

0:03:33.320000 --> 0:03:37.200000
As you can see here, when you go to the partition, it gives you the details

0:03:37.200000 --> 0:03:38.620000
of the partition.

0:03:38.620000 --> 0:03:43.940000
We will be going through all these files, FAT1, FAT2, etc., when we reach

0:03:43.940000 --> 0:03:46.100000
the file system module.

0:03:46.100000 --> 0:03:49.660000
The final option is contents of a folder.

0:03:49.660000 --> 0:03:57.160000
This option will give us an idea of what's in this drive or, say, this drive.

0:03:57.160000 --> 0:04:02.520000
Let's go ahead and select it and click Finish.

0:04:02.520000 --> 0:04:04.780000
Here we have the content of the directory.

0:04:04.780000 --> 0:04:07.800000
The benefit of this option is that it allows us to navigate through the

0:04:07.800000 --> 0:04:10.720000
data without modifying or tampering with the content.

0:04:10.720000 --> 0:04:14.880000
We have a few more ways we can remove content.

0:04:14.880000 --> 0:04:18.280000
We can select content and click on the Remove a Single Evidence button,

0:04:18.280000 --> 0:04:22.740000
or we can remove all evidence by clicking on the Remove All Evidence button.

0:04:22.740000 --> 0:04:26.160000
We also have the same options by going to File and selecting to remove

0:04:26.160000 --> 0:04:28.800000
either a single piece of evidence or all of them.

0:04:28.800000 --> 0:04:32.520000
Let's go ahead and select the Remove All Evidence option.

0:04:32.520000 --> 0:04:34.440000
Let me show you another great feature.

0:04:34.440000 --> 0:04:36.900000
You can press this button here to attach all.

0:04:36.900000 --> 0:04:42.000000
Or you can go to File and select Add All Attached Devices.

0:04:42.000000 --> 0:04:45.240000
This option scans the system and checks for all drives and partitions

0:04:45.240000 --> 0:04:47.160000
that are found on the system.

0:04:47.160000 --> 0:04:49.080000
It will then attach them to FTK Imager.

0:04:49.080000 --> 0:04:53.300000
Let's browse the content in this drive by selecting root.

0:04:53.300000 --> 0:05:02.020000
Let's then select wallpaper here.

0:05:02.020000 --> 0:05:04.960000
We are presented with several different files.

0:05:04.960000 --> 0:05:09.560000
Now, if we go here, which is also under the first drive, let's expand

0:05:09.560000 --> 0:05:12.000000
root and also go to wallpaper.

0:05:12.000000 --> 0:05:14.980000
We are now presented with the exact same files.

0:05:14.980000 --> 0:05:18.700000
Why? Because it's attached here as a physical layer and attached here

0:05:18.700000 --> 0:05:20.660000
as a logical layer.

0:05:20.660000 --> 0:05:24.340000
The same thing goes for all these partitions that FTK managed to add.

0:05:24.340000 --> 0:05:28.540000
As mentioned earlier, we can remove all evidence by clicking on the Remove

0:05:28.540000 --> 0:05:29.780000
All Evidence button.

0:05:29.780000 --> 0:05:32.320000
Let's go ahead and do that now.

0:05:32.320000 --> 0:05:34.080000
And this button here.

0:05:34.080000 --> 0:05:37.840000
The Add All Attached Evidence option is very useful as it attaches everything,

0:05:37.840000 --> 0:05:40.600000
and then you can selectively start removing whatever evidence you are

0:05:40.600000 --> 0:05:42.200000
not interested in.

0:05:42.200000 --> 0:05:44.340000
One final note is a recap.

0:05:44.340000 --> 0:05:47.420000
When attaching all these drives, we may want to simply preview the evidence

0:05:47.420000 --> 0:05:49.720000
to get an idea of what's here.

0:05:49.720000 --> 0:05:53.400000
Once you decide what to do, you can then export the disk image, mount

0:05:53.400000 --> 0:05:56.220000
the image, or export a directory listing.

0:05:56.220000 --> 0:06:01.540000
Let's go ahead and select Export Directory Listing and call it list files.

0:06:01.540000 --> 0:06:08.260000
Now, if we open or edit it, it went ahead and extracted all the files

0:06:08.260000 --> 0:06:10.240000
that I found in this drive.

0:06:10.240000 --> 0:06:15.720000
So as you can see here, using FTK Imager and adding evidence, especially

0:06:15.720000 --> 0:06:20.580000
before really taking the evidence, the forensic image, is really useful.

0:06:20.580000 --> 0:06:21.980000
It's a good practice.

0:06:21.980000 --> 0:06:24.720000
I highly recommend you do it.

0:06:24.720000 --> 0:06:29.700000
This concludes this video lesson on adding evidence to FTK Imager.

0:06:29.700000 --> 0:06:30.540000
Thank you for joining us.