FTK-Imager-and-Forensic-Imaging-Analysis-using-FTK-Imager

Activity 1: Adding some evidence:

  1. Open a USB Drive
  2. From an online source of your own choice, download 5 images (file types such as jpg, gif, bmp, or png) that represent an interest or hobby you have, and save them to your USB drive.
  3. Create a text document, add some text and save it to your USB drive.
  4. Now, delete all of the content that you created, using your mouse (i.e. right click, delete).
  5. Remove the USB drive from your workstation.

Activity 2: Creating a forensic image:

  1. Login to your workstation in the cyber lab.
  2. Double click the AccessData FTK Imager icon. FTK Imager requires administrator privileges to run. When you open the executable, the following screen will appear.
  3. Click File and then “Create Disk Image”. This opens a window where you can select the media source.
  4. For this lab, select Physical Drive so that the entire drive (not just a partition or logical volume) is captured for further analysis, then click Next.
  5. In the next window, select the drive that will be imaged. Make sure you select the correct device: pay attention to the drive numbers, since in this case drive 2 is the suspect drive. Then press Finish.
  6. Once the suspect drive has been selected, set the destination by clicking Add… A new window will open where you can select the image type.
  7. Select the type of image file you want to create. Choose E01 and click Next.
  8. In the next window, enter the information specific to the image (case and evidence details) and click Next.
  9. In the next window, set the image destination folder (e.g. Desktop or OneDrive) and the image filename (use E_01_Physical_Image_yourname). In addition, set the Image Fragment Size to 0 so that the entire disk image is contained within a single file rather than split into segments. Once you have entered the relevant information, click Finish.
  10. The Create Image window will now open. This is the final stage. Here, enable the option for FTK Imager to verify the image after it has been created: FTK Imager re-reads the image and confirms that its hash matches the hash computed during acquisition, so the image file is complete and without errors and no changes have been made. Also enable the option “Create directory listings of all files in the image after they are created”; this list of every file on the image is useful later, as the investigation can use it to determine whether a given file is present on the system. Finally, click Start.
  11. Now FTK Imager will begin the process of imaging the drive.
  12. Once FTK Imager has completed the imaging process, a window will open providing detailed information, including the hashes. Do the hashes match? If they do, no changes have been made to the evidence. Take a note of the MD5 and SHA1 values.
  13. FTK Imager also provides a text file with detailed information about the image.
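The hash check in steps 12 and 13 compares FTK Imager's acquisition hash against its own verification pass. As an added example (not part of the lab or of FTK Imager itself), the script below parses a constructed summary text in the style of the FTK Imager .txt report, confirms the two recorded hash sets agree, and then re-hashes the acquired drive contents independently. Note that the reported hashes cover the drive's raw contents, not the E01 container file, so they are compared against a raw (dd-style) read of the evidence; the summary layout and all values are assumptions for this example.

```python
import hashlib
import re

# Constructed sample of an FTK Imager acquisition summary. The section names
# mirror the usual summary layout, but every value here is made up.
SAMPLE_SUMMARY = """Created By AccessData FTK Imager
[Computed Hashes]
 MD5 checksum:    9e107d9d372bb6826bd81d3542a419d6
 SHA1 checksum:   2fd4e1c67a2d28fced849ee1bb76e7391b93eb12

Image Verification Results:
 MD5 checksum:    9e107d9d372bb6826bd81d3542a419d6 : verified
 SHA1 checksum:   2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 : verified
"""

# Constructed stand-in for the raw bytes of the acquired drive.
SAMPLE_EVIDENCE = b"The quick brown fox jumps over the lazy dog"

HASH_LINE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9a-fA-F]{32,40})")


def parse_summary(text):
    """Return (acquisition hashes, verification hashes) found in the summary."""
    acquired, verified, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith("[Computed Hashes]"):
            section = acquired
        elif line.startswith("Image Verification Results"):
            section = verified
        m = HASH_LINE.match(line)
        if m and section is not None:
            section[m.group(1)] = m.group(2).lower()
    return acquired, verified


def hash_stream(chunks):
    """MD5 and SHA1 over the drive contents, read as an iterable of byte chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return {"MD5": md5.hexdigest(), "SHA1": sha1.hexdigest()}


def check_image(summary_text, evidence_chunks):
    """True only if FTK's recorded hashes agree AND an independent re-hash matches."""
    acquired, verified = parse_summary(summary_text)
    if not acquired or acquired != verified:
        return False
    return hash_stream(evidence_chunks) == acquired
```

For a real raw image, pass `hash_stream(iter(lambda: f.read(1 << 20), b""))` with the image opened in binary mode so the whole file is never loaded into memory.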