Forensic Acquisition in Windows - FTK Imager

DFIRScience
3 Oct 2016 · 29:03

Summary

TL;DR: This video tutorial covers the process of acquiring a disk image using FTK Imager. It walks through the steps of creating a disk image, explaining how the image is split into multiple parts due to file size limits. The tutorial highlights important metadata, including the software version, case information, disk details, and crucial checksums (MD5 and SHA1) to verify the integrity of the image. The video also discusses how to recombine the image parts to validate the disk's data and sets the stage for similar procedures in different operating systems.

Takeaways

  • 😀 FTK Imager is used for acquiring a disk image, which involves creating a copy of the entire disk to ensure data integrity and security.
  • 😀 A disk image can be split into multiple parts when its size exceeds storage capacity, ensuring manageable file sizes for handling.
  • 😀 The image file names are usually formatted with sequential numbering (e.g., .001, .002, .003), corresponding to the segments of the disk image.
  • 😀 Each disk image segment is typically around 1,500 MB, except for the last segment, which may be smaller depending on the disk's size.
  • 😀 FTK Imager generates a text document containing essential case and disk information, including software version, disk model, serial number, and acquisition details.
  • 😀 The document also includes MD5 and SHA-1 checksum values, which are critical for later verifying the image's integrity.
  • 😀 The checksums (MD5 and SHA-1) should always match the original disk to ensure that the data has not been altered or corrupted.
  • 😀 The disk image creation process over USB 2.0 typically takes several minutes to complete, depending on the size of the disk being imaged.
  • 😀 The segment list in the text file provides the full paths to each of the disk image parts, which are necessary for recombining the image.
  • 😀 Once the image segments are recombined, the MD5 or SHA-1 checksum can be recalculated for the entire disk image to verify data integrity.
  • 😀 The case number, evidence number, and examiner's notes in the text file help to document and identify the disk image for forensic purposes.

Q & A

  • What is the first step in creating a disk image using FTK Imager?

    -The first step is launching FTK Imager and selecting 'Create Disk Image' to begin the imaging process. The user needs to select the source drive and configure the settings for the disk image.

  • How does FTK Imager split the disk image into parts?

    -FTK Imager splits the disk image into multiple parts if the total size exceeds the file size limit. In this case, the disk image was split into three parts, each with a .001, .002, and .003 extension. The first two parts are about 1.5 GB, while the third part is smaller because it didn’t fill the disk space entirely.

  • What is the significance of the MD5 and SHA1 checksums in the disk imaging process?

    -The MD5 and SHA1 checksums are used to verify the integrity of the disk image. They provide unique hash values that should remain the same every time the image is checked. This ensures the data has not been altered or corrupted.

  • Why is it important to use checksums like MD5 and SHA1 in forensic imaging?

    -In forensic imaging, checksums are crucial for maintaining data integrity and proving that the image is a true and unaltered copy of the original disk. If the checksums match in subsequent checks, it confirms that no data has been modified.

  • What details are included in the text document accompanying the disk image?

    -The text document contains critical metadata such as the FTK Imager version used, case number, evidence number, examiner's notes, disk model and serial number, drive type, source data size, sector count, and the MD5 and SHA1 checksums for the disk image.

  • How long did the disk acquisition process take?

    -The disk acquisition process took approximately 10 minutes to complete, during which 4 GB of data was imaged over a USB 2.0 connection.

  • What does the segment list in the text document indicate?

    -The segment list in the text document provides the full path and name of each part of the disk image, including the file extensions (.001, .002, .003) to help users locate and manage the split parts of the image.

  • What would happen if the disk image was not split into parts?

    -If the disk image wasn't split, it could exceed the file system's file size limit (e.g., FAT32's 4 GB limit), making it impossible to store the entire image in a single file. Splitting ensures that the image can be properly stored and managed.

  • What role do the 'acquisition started' and 'acquisition finished' timestamps play in the imaging process?

    -These timestamps are important for documenting the exact time the disk image was created. They provide a timeline for forensic investigators to establish when the imaging process took place, which can be important for the chain of custody and legal purposes.

  • Why is it important for the disk image to include the serial number and model of the source disk?

    -Including the serial number and model of the source disk helps in verifying the authenticity of the image. It ensures that the image is indeed from the correct source disk and is essential for identifying the device in forensic investigations.
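The recombine-and-verify step described above, as an added example that is not from the video or from FTK Imager itself: this Python script reads the MD5/SHA1 and the segment list out of an FTK Imager summary text file, hashes the segments in order as one continuous stream (so no recombined copy has to be written to disk), and compares the result with the recorded values. The summary fragment built in `demo()` is constructed and modeled on the FTK Imager text file; its field labels are an assumption, and the hashes are those of the three constructed one-byte segments.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def parse_ftk_summary(text):
    """Extract the computed MD5/SHA1 and the ordered segment list from an FTK Imager summary .txt."""
    md5 = re.search(r"MD5 checksum:\s*([0-9a-f]{32})", text, re.I).group(1).lower()
    sha1 = re.search(r"SHA1 checksum:\s*([0-9a-f]{40})", text, re.I).group(1).lower()
    # The segment list is an indented block of paths that ends at the first blank line.
    segments = []
    for line in text.split("Segment list:", 1)[1].splitlines()[1:]:
        if not line.strip():
            break
        segments.append(line.strip())
    return md5, sha1, segments

def hash_segments(paths, chunk_size=1 << 20):
    """Hash the segments in list order as one continuous stream, i.e. the recombined raw image."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in paths:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(chunk_size), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def verify_image(summary_text):
    """Return (md5_matches, sha1_matches) for the image the summary describes."""
    exp_md5, exp_sha1, segments = parse_ftk_summary(summary_text)
    got_md5, got_sha1 = hash_segments(segments)  # keep FTK's own .001, .002, ... order
    return got_md5 == exp_md5, got_sha1 == exp_sha1

def demo(tamper=False):
    """Constructed case: a 3-byte 'disk' split into three 1-byte segments; tamper=True corrupts one."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = [str(Path(tmp) / f"evidence.{i:03d}") for i in (1, 2, 3)]
        for path, byte in zip(paths, b"abc"):
            Path(path).write_bytes(bytes([byte]))
        if tamper:
            Path(paths[-1]).write_bytes(b"x")  # simulate a corrupted last segment
        # Field labels mimic the FTK Imager summary file (assumption); hashes are those of b"abc".
        summary = ("[Computed Hashes]\n"
                   " MD5 checksum:    900150983cd24fb0d6963f7d28e17f72\n"
                   " SHA1 checksum:   a9993e364706816aba3e25717850c26c9cd0d89d\n"
                   "\nImage Information:\n Segment list:\n" + "".join(f"  {p}\n" for p in paths))
        return verify_image(summary)

if __name__ == "__main__":
    print("intact:", demo(), "tampered:", demo(tamper=True))
```

On a real acquisition, pass the contents of the FTK Imager .txt file to `verify_image()`; the segment paths it lists must still be valid on the machine running the check.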
