WEBVTT

00:00:03.080 --> 00:00:06.780
In this video, we are going to create a forensic image for a specific

00:00:06.780 --> 00:00:08.800
directory of interest.

00:00:08.800 --> 00:00:13.460
The first thing we will do is go to the main menu and then select File.

00:00:13.460 --> 00:00:17.920
After that, select Create Disk Image, which will bring up the Select Source

00:00:17.920 --> 00:00:23.000
menu. From this menu, we want to choose the fourth option, Contents of

00:00:23.000 --> 00:00:25.580
a folder, and then click Next.

00:00:25.580 --> 00:00:30.160
At this point, an information message box will appear, explaining that

00:00:30.160 --> 00:00:33.960
the image we are about to create will only contain logical files.

00:00:33.960 --> 00:00:38.020
That means the image will not include file system metadata, deleted files,

00:00:38.020 --> 00:00:42.420
or any unallocated space, unlike a full forensic image.

00:00:42.420 --> 00:00:46.660
Also, the message informs us that the only supported forensic images are

00:00:46.660 --> 00:00:49.200
in the AD1 image format.

00:00:49.200 --> 00:00:53.900
Let's go ahead and click the Yes button to proceed.

00:00:53.900 --> 00:00:57.420
Now, we need to select which directory we want to create a forensic image

00:00:57.420 --> 00:01:02.180
for. Let's click the Browse button and proceed to the location of interest.

00:01:02.180 --> 00:01:08.340
For this video, let's choose the Z:\PIX directory.

00:01:08.340 --> 00:01:12.080
Now that we have selected the directory, we can click the Finish button.

00:01:12.080 --> 00:01:17.680
Now, we need to choose where we will be storing our forensic image.

00:01:17.680 --> 00:01:21.280
Let's click Add and enter the details for the case we are working on.

00:01:21.280 --> 00:01:28.080
For this example, let's use case 002 for the case number.

00:01:28.080 --> 00:01:31.460
And Evidence Number 002.

00:01:31.460 --> 00:01:35.640
And "Images for PIX directory" for the evidence description, since this is

00:01:35.640 --> 00:01:48.040
an image for a directory.

00:01:48.040 --> 00:01:50.200
Let's add the examiner's name.

00:01:50.200 --> 00:01:51.720
I'll use mine here.

00:01:51.720 --> 00:01:55.620
Now, if you want to add any other note to this evidence, then you can

00:01:55.620 --> 00:01:57.400
do it in the Notes field.

00:01:57.400 --> 00:02:06.180
Once done, click the Next button to continue.

00:02:06.180 --> 00:02:09.440
Here we have the Select Image Destination window.

00:02:09.440 --> 00:02:12.600
Let's browse to the place where we will be storing the image.

00:02:12.600 --> 00:02:16.420
Click the Browse button and select the location for your forensic image.

00:02:16.420 --> 00:02:23.620
Let's select the case 002 directory, then the USB 01, and click OK.

00:02:23.620 --> 00:02:26.120
Now, we need to specify the image file name.

00:02:26.120 --> 00:02:31.100
So, in the image file name, add the name with the prefix you are using.

00:02:31.100 --> 00:02:35.400
Since this image will contain sensitive data (images), let's make sure

00:02:35.400 --> 00:02:39.240
we have a tick on the Use AD Encryption checkbox to add a password to

00:02:39.240 --> 00:02:40.960
the evidence we are collecting.

00:02:40.960 --> 00:02:43.660
After that, click Finish.

00:02:43.660 --> 00:02:48.680
Now, add the password you want to both fields, Password and Re-enter,

00:02:48.680 --> 00:02:55.120
and click OK. As you can see, we are now back to the Create Image window.

00:02:55.120 --> 00:02:59.000
Since the tool is configured based on our needs, all we need to do now

00:02:59.000 --> 00:03:01.980
is click the Start button.

00:03:01.980 --> 00:03:05.540
As you can see, the imaging didn't really take too long because the size

00:03:05.540 --> 00:03:08.880
of the data we are imaging is not very large.

00:03:08.880 --> 00:03:13.120
Here the Drive Image Verify results are displayed, where we can check the

00:03:13.120 --> 00:03:17.680
content of the hashes for MD5 and SHA1, where they are both computed

00:03:17.680 --> 00:03:22.500
and reported. You will find that they all match, which means our imaging

00:03:22.500 --> 00:03:24.380
finished successfully.

00:03:24.380 --> 00:03:26.880
Let's go ahead and close this window.

00:03:26.880 --> 00:03:30.820
Since we left the Create Directory Listing option selected, the imaging

00:03:30.820 --> 00:03:33.980
process created a directory listing of the content of the PIX directory

00:03:33.980 --> 00:03:39.300
we imaged. We can now see that it was created successfully here too.

00:03:39.300 --> 00:03:43.380
Let's go ahead and close this window, and this window too, which shows

00:03:43.380 --> 00:03:46.680
us the imaging process was successful.

00:03:46.680 --> 00:03:51.340
Now, if we go to the location where we have stored our forensic image,

00:03:51.340 --> 00:03:57.980
we can see the USB1_PIX_DIR1.ad1 image file, the Excel sheet

00:03:57.980 --> 00:03:59.780
file, and the text file.

00:03:59.780 --> 00:04:03.380
Let's open the text file to check its content.

00:04:03.380 --> 00:04:07.760
Here we see the details of the forensic image we just created.

00:04:07.760 --> 00:04:12.620
It shows us the case number, the evidence number, unique description,

00:04:12.620 --> 00:04:15.760
the examiner's name, as well as the hashes calculated,

00:04:15.760 --> 00:04:20.940
MD5 and SHA1. Let's close this, and go back to our evidence.

00:04:20.940 --> 00:04:23.280
Now let's check the Excel sheet file.

00:04:23.280 --> 00:04:27.440
Let's expand the columns so we can see the content of each column properly.

00:04:27.440 --> 00:04:29.180
Here we have the file name.

00:04:29.180 --> 00:04:32.700
The location of this file on the disk, and the size and

00:04:32.700 --> 00:04:34.800
the timestamps for the file.

00:04:34.800 --> 00:04:38.180
You may also notice the listing will tell us if this is a deleted file

00:04:38.180 --> 00:04:43.460
or not. Plus, we have the hashes for the file calculated by both MD5 and

00:04:43.460 --> 00:04:48.120
SHA1. We will come back to these details later in the File System Forensic

00:04:48.120 --> 00:04:53.000
Module. Let's go ahead and close everything.

00:04:53.000 --> 00:04:59.040
This concludes this video lesson on creating a forensic image from a directory.

00:04:59.040 --> 00:04:59.800
Thanks for joining us.