WEBVTT

0:00:03.080000 --> 0:00:06.700000
In this video, we are going to create a forensic image of a suspect's

0:00:06.700000 --> 0:00:10.180000
USB drive using AccessData's FTK Imager.

0:00:10.180000 --> 0:00:13.900000
When performing a true investigation, you should use a write blocker and

0:00:13.900000 --> 0:00:17.260000
attach the USB to it before performing this task.

0:00:17.260000 --> 0:00:20.720000
In this video, we will explain the process, but will not be attaching

0:00:20.720000 --> 0:00:23.180000
the USB drive to a write blocker.

0:00:23.180000 --> 0:00:26.300000
Before we start creating our forensic image, let me show you the disk

0:00:26.300000 --> 0:00:30.340000
of interest. We can see that by going to the Computer Management Console

0:00:30.340000 --> 0:00:33.260000
and then clicking the Disk Management utility.

0:00:33.260000 --> 0:00:44.420000
Scrolling down, we see that the suspect USB drive is mounted and attached

0:00:44.420000 --> 0:00:48.440000
to the drive letter Z, and it has a FAT32 file system.

0:00:48.440000 --> 0:00:53.500000
Additionally, the size of the USB is 7.31 GB.

0:00:53.500000 --> 0:00:58.600000
To begin the acquisition process, let's start AccessData's FTK Imager.

0:00:58.600000 --> 0:01:04.000000
Now, let's go to File, then Create Disk Image.

0:01:04.000000 --> 0:01:07.040000
Here's the Select Source window, where we can select the source evidence

0:01:07.040000 --> 0:01:08.800000
type we'll be dealing with.

0:01:08.800000 --> 0:01:13.240000
For this scenario, let's choose Physical Drive and select Next.

0:01:13.240000 --> 0:01:17.320000
From the drop-down menu, let's select the exact USB drive we want to forensically

0:01:17.320000 --> 0:01:21.280000
image. Scrolling to the end, let's choose the backslash backslash

0:01:21.280000 --> 0:01:25.380000
dot backslash physical drive 3, dash Lexar JumpDrive

0:01:25.380000 --> 0:01:30.500000
USB device 7 GB USB, and then click Finish.

0:01:30.500000 --> 0:01:34.420000
At the Create Image window, let's click the Add button to select the location

0:01:34.420000 --> 0:01:36.760000
where we want to store the forensic image.

0:01:36.760000 --> 0:01:40.000000
Here's the Select Image Type window, where we need to select the type

0:01:40.000000 --> 0:01:41.920000
of image we'll be using.

0:01:41.920000 --> 0:01:45.280000
Let's select the AFF type and click Next.

0:01:45.280000 --> 0:01:49.380000
Now, we want to add some information to go with the evidence we are creating.

0:01:49.380000 --> 0:01:52.120000
Let's fill out the evidence information we see.

0:01:52.120000 --> 0:01:55.180000
When entering the evidence information, you can add your own information

0:01:55.180000 --> 0:01:58.480000
and prefixes that you are more comfortable with, and that are easy to

0:01:58.480000 --> 0:02:00.660000
explain to your team.

0:02:00.660000 --> 0:02:13.000000
Now that all the information has been input, let's click the Next button.

0:02:13.000000 --> 0:02:15.660000
Here we have Select Image Destination.

0:02:15.660000 --> 0:02:18.480000
Let's click Browse to navigate to the location for storing the evidence

0:02:18.480000 --> 0:02:21.180000
we are taking and select that location.

0:02:21.180000 --> 0:02:26.000000
Let's select a new directory within our Cases directory, Case 002.

0:02:26.000000 --> 0:02:29.100000
Next, let's create a directory for the USB.

0:02:29.100000 --> 0:02:33.080000
We'll name it USB 01, assuming that it's the first USB that will be acquired

0:02:33.080000 --> 0:02:35.840000
and is related to this case.

0:02:35.840000 --> 0:02:39.260000
Let's create another directory inside the USB directory called Images.

0:02:39.260000 --> 0:02:43.400000
This is where we'll store the forensic images for this USB drive.

0:02:43.400000 --> 0:02:47.160000
After finishing and clicking OK, let's go back to the Select Image Type

0:02:47.160000 --> 0:02:51.840000
window. In the image file name (excluding extension) field, let's name

0:02:51.840000 --> 0:02:56.480000
this forensic image USB 01 underscore image 01, which should clearly indicate

0:02:56.480000 --> 0:03:00.620000
that this is for the first USB evidence and the first image for it.

0:03:00.620000 --> 0:03:04.960000
In the image fragment size (megabytes), let's change it to zero, as we don't

0:03:04.960000 --> 0:03:06.400000
want to fragment this image.

0:03:06.400000 --> 0:03:09.280000
In other words, we're not interested in dividing this image into smaller

0:03:09.280000 --> 0:03:14.480000
parts. Now let's select the Use AFF Encryption option and then click on

0:03:14.480000 --> 0:03:19.060000
Finish. This immediately displays the AFF Encryption window, which I will

0:03:19.060000 --> 0:03:21.560000
use to add my password for this image.

0:03:21.560000 --> 0:03:26.460000
As you can see, I'm going to leave these two options selected.

0:03:26.460000 --> 0:03:29.620000
We already know that the first option is for verifying the images after

0:03:29.620000 --> 0:03:34.380000
creation. In other words, checking whether the hashes match or not.

0:03:34.380000 --> 0:03:38.300000
The other option is to create an Excel sheet of all the directories and

0:03:38.300000 --> 0:03:40.940000
files that are currently in the drive we are imaging.

0:03:40.940000 --> 0:03:44.200000
These are very useful options, so let's leave them selected and click

0:03:44.200000 --> 0:03:48.540000
Start. As you can see, the imaging process has started now and we can see

0:03:48.540000 --> 0:03:49.940000
the time elapsed,

0:03:49.940000 --> 0:03:53.480000
an estimation of the time remaining, the image source, the destination

0:03:53.480000 --> 0:03:56.860000
where we are storing this forensic image, and the status of the tool we

0:03:56.860000 --> 0:04:01.240000
are using. The video will be paused here as it will take a few minutes

0:04:01.240000 --> 0:04:04.480000
to process. It won't take too much time since we are only forensically

0:04:04.480000 --> 0:04:07.740000
imaging a 7GB drive.

0:04:07.740000 --> 0:04:15.500000
The imaging is finished and FTK Imager will start the verification process.

0:04:15.500000 --> 0:04:19.300000
This is done by calculating the hash values of the original disk and the

0:04:19.300000 --> 0:04:21.460000
forensically created image.

0:04:21.460000 --> 0:04:25.220000
We can see the percentage of megabytes verified, the elapsed time, and

0:04:25.220000 --> 0:04:29.040000
the estimated time remaining to finish.

0:04:29.040000 --> 0:04:33.000000
After the verification process is finished, we have a window showing the

0:04:33.000000 --> 0:04:36.220000
name of the forensic image, the number of sectors, and the computed

0:04:36.220000 --> 0:04:39.640000
and reported hashes for both MD5 and SHA1.

0:04:39.640000 --> 0:04:43.280000
Let's maximize the window so we see the details.

0:04:43.280000 --> 0:04:47.280000
We can also see that the computed and reported hashes match for both hash

0:04:47.280000 --> 0:04:52.640000
functions used. There were also no bad sectors found during our acquisition.

0:04:52.640000 --> 0:04:56.080000
Let's close this window and the Creating Directory Listing window, which

0:04:56.080000 --> 0:05:00.140000
shows that FTK Imager managed to create a directory listing successfully.

0:05:00.140000 --> 0:05:05.800000
Now let's check what files have been created under Cases, then Case 002,

0:05:05.800000 --> 0:05:09.700000
then USB 01, and finally, the Images directory.

0:05:09.700000 --> 0:05:11.780000
As you can see, there are three files.

0:05:11.780000 --> 0:05:14.540000
The first one, which has the biggest size, is the true forensic image

0:05:14.540000 --> 0:05:16.220000
of the USB drive.

0:05:16.220000 --> 0:05:19.180000
The second one is the content of the directory listing, and the

0:05:19.180000 --> 0:05:22.280000
final file is a simple text file with the details of the acquisition

0:05:22.280000 --> 0:05:25.040000
performed using FTK Imager.

0:05:25.040000 --> 0:05:27.960000
Let's open it and see what's written there.

0:05:27.960000 --> 0:05:31.200000
On the first line, we can see the name of the tool and its version that

0:05:31.200000 --> 0:05:33.140000
was used to create the forensic image.

0:05:33.140000 --> 0:05:35.640000
We can also see my name on the examiner's line.

0:05:35.640000 --> 0:05:38.640000
Additionally, the details that were entered during the acquisition can

0:05:38.640000 --> 0:05:43.060000
be read here. Further down, we can see more information.

0:05:43.060000 --> 0:05:46.840000
Under the computed hashes section, here are the hash values for both the

0:05:46.840000 --> 0:05:50.660000
MD5 checksum and the SHA1 checksum.

0:05:50.660000 --> 0:05:54.120000
Under image verification results, we can see when the verification process

0:05:54.120000 --> 0:05:58.120000
started, when it finished, and whether the hashes computed are verified or

0:05:58.120000 --> 0:06:01.820000
not, which, as you can see, are verified.

0:06:01.820000 --> 0:06:05.840000
Also, on this line, you can see the name of the forensic image that was

0:06:05.840000 --> 0:06:10.700000
used. Here, we can see the number of cylinders and bytes per sector that

0:06:10.700000 --> 0:06:14.200000
have been found on the drive we acquired, and finally the sector count,

0:06:14.200000 --> 0:06:17.280000
which gives us the exact number of sectors that were copied.

0:06:17.280000 --> 0:06:19.280000
Let's close this window.

0:06:19.280000 --> 0:06:23.000000
Now, let's open the Excel sheet and have a look at what's there.

0:06:23.000000 --> 0:06:26.420000
Let's expand the columns in this document so we can see what sort of information

0:06:26.420000 --> 0:06:28.540000
FTK Imager has stored.

0:06:28.540000 --> 0:06:39.640000
So, we see a column for the name of the file on the disk drive.

0:06:39.640000 --> 0:06:43.300000
We also have the full path to this file, or in other words, its location

0:06:43.300000 --> 0:06:47.420000
on the disk. We have the size of the file, the creation date, and the date

0:06:47.420000 --> 0:06:49.280000
when it was modified.

0:06:49.280000 --> 0:06:52.740000
There are also two additional things, the access column and a column indicating

0:06:52.740000 --> 0:06:55.120000
whether the file is deleted or not.

0:06:55.120000 --> 0:06:58.100000
Don't worry about this information now, we'll come back to this later

0:06:58.100000 --> 0:07:00.660000
when we go into the file system module.

0:07:00.660000 --> 0:07:02.800000
Let's go ahead and close this for now.

0:07:02.800000 --> 0:07:09.960000
You may notice the size of the disk we just acquired.

0:07:09.960000 --> 0:07:16.540000
If you recall, the USB disk size was 7GB, and this one is only 336MB.

0:07:16.540000 --> 0:07:19.300000
If you're wondering why, the answer is easy.

0:07:19.300000 --> 0:07:23.160000
We're using an AFF forensic image format, and this type of image has compression

0:07:23.160000 --> 0:07:27.660000
capabilities. Before I finish this video, I'm assuming the suspect had

0:07:27.660000 --> 0:07:31.620000
a directory on the drive with child pornography within one of the directories.

0:07:31.620000 --> 0:07:34.780000
Let's also assume you don't have the time or even space to take a full

0:07:34.780000 --> 0:07:37.000000
image of the disk drive.

0:07:37.000000 --> 0:07:40.520000
We can use FTK Imager to create a forensically sound image of a

0:07:40.520000 --> 0:07:45.460000
directory. Let's do that by going to File, then Create Disk Image.

0:07:45.460000 --> 0:07:49.380000
On the Select Source window, let's choose the fourth option, Contents

0:07:49.380000 --> 0:07:52.540000
of a Folder, and then click Next.

0:07:52.540000 --> 0:07:55.440000
Please read this message carefully so you're aware of the type of image

0:07:55.440000 --> 0:07:59.160000
you are creating and what type of evidence it will hold.

0:07:59.160000 --> 0:08:02.420000
I'll explain all of these in the next module when we talk about file systems,

0:08:02.420000 --> 0:08:06.000000
so don't worry. For now, we need to understand that there are some limitations

0:08:06.000000 --> 0:08:08.960000
when considering this type of forensic image.

0:08:08.960000 --> 0:08:13.300000
Finally, before clicking Yes, we can see the message also explains which

0:08:13.300000 --> 0:08:16.860000
versions are supported as well as the version of FTK Imager.

0:08:16.860000 --> 0:08:20.840000
We're now presented with a new window that is asking us to enter the evidence

0:08:20.840000 --> 0:08:24.980000
source path. Let's browse to the USB, and then select the PIX directory

0:08:24.980000 --> 0:08:38.780000
and click Finish.

0:08:38.780000 --> 0:08:41.920000
Now, we need to select the location where we'll be storing our forensic

0:08:41.920000 --> 0:08:46.820000
image. Let's click Add, and then fill in all the evidence item information.

0:08:46.820000 --> 0:08:52.000000
Since this is part of our second case, I chose Case 002, but as this is

0:08:52.000000 --> 0:08:55.420000
the second evidence, we'll choose 002 for the number.

0:08:55.420000 --> 0:08:57.480000
The rest you can fill in as you find suitable.

0:08:57.480000 --> 0:09:15.880000
One important thing, though, is not to forget to add your name.

0:09:15.880000 --> 0:09:19.760000
Let's now add the exact location for storage by clicking the Browse button,

0:09:19.760000 --> 0:09:23.300000
then navigating to the location of interest and selecting it.

0:09:23.300000 --> 0:09:26.900000
This time, since it isn't an image for the whole disk drive, we're not

0:09:26.900000 --> 0:09:29.980000
going to store it in the Images directory, but straight beneath the USB

0:09:29.980000 --> 0:09:35.460000
01 directory. Let's add the name for the forensic image, USB 1, underscore,

0:09:35.460000 --> 0:09:40.860000
PIX-DIR, underscore, Image 01, which means that this is the first image

0:09:40.860000 --> 0:09:43.940000
of the PIX directory found in the first USB.

0:09:43.940000 --> 0:09:46.100000
Where you store it all is up to you.

0:09:46.100000 --> 0:09:48.220000
This is not something you must stick to.

0:09:48.220000 --> 0:09:52.080000
We also don't want to fragment the image, so let's make sure that the

0:09:52.080000 --> 0:09:55.780000
image fragment size (megabytes) is set to 0.

0:09:55.780000 --> 0:09:59.320000
Let's also leave the compression ratio as it is, 6.

0:09:59.320000 --> 0:10:04.620000
Now, if we select the Use AD Encryption option and click Finish, we see

0:10:04.620000 --> 0:10:07.540000
an error message saying that we can't use an image fragment for this type

0:10:07.540000 --> 0:10:11.240000
of image to be 0, where 0 means no fragment.

0:10:11.240000 --> 0:10:13.780000
We need to choose something greater.

0:10:13.780000 --> 0:10:17.500000
So, let's use a different number here and then press Finish.

0:10:17.500000 --> 0:10:23.840000
Now let's enter the password for the forensic image twice and click OK,

0:10:23.840000 --> 0:10:28.780000
and then press Start on this window to proceed.

0:10:28.780000 --> 0:10:33.600000
This concludes our video lesson on Imaging a Suspect's USB Drive using

0:10:33.600000 --> 0:10:36.580000
AccessData's FTK Imager.

0:10:36.580000 --> 0:10:37.460000
Thank you for joining us.