
Experiment-1 Digital Forensics AIM-Using FTK Imager DATE: 21-01-2021

FTK Imager is used to create a forensic image of a USB drive. The document describes imaging a 7GB SanDisk USB drive using FTK Imager. It details the steps to add the drive as evidence, select the image destination, start the imaging process, and verify the image using MD5 and SHA1 hashes. The report generated provides information on the physical drive, imaging details like time and path, and verification results showing the hashes matched.

Uploaded by

TANISHA PATHAK

EXPERIMENT-1

DIGITAL FORENSICS
AIM- Using FTK Imager
DATE: 21-01-2021
_______________________________________________
FTK Imager is a tool for creating disk images. It was developed by the AccessData Group. It
lets the examiner preview data on a drive and create an image of it.

TASK 1-(HASHING)
Step 1- Download and install the FTK imager on your machine.
Step 2- Select File on the navigation bar and then select Add Evidence Item.

Step 3- Then select Image File and add the image.


Step 4- Below Evidence Tree, right click your image and select Verify Drive/Image.
Step 5- Compare the calculated hash value to the known hash value.

_______________________________________________________________________________________

TASK 2- (IMAGING)
Step 1- Select the FTK Imager application, then right click on it and run it as an
Administrator.
Step 2- The application opens as shown below.

Then click on the icon shown in the image below to create an image.
Note: In this experiment we have used a SanDisk USB device of 7 GB to create an
image.
Step 3- After clicking on the icon, the following page opens-

Step 4- Select the device type and then click on the Next button to proceed. The following page
opens.

Select the drive of which you want to create an image, as shown below-
Step 5- Click on the Add button as shown above to add the destination location where the image
will be saved-

Step 6- After clicking on the Add button, the page opens as shown above. Select the
image type you want to create and click on the Next button as shown below.

Step 7- After clicking on the Next button, the following page is displayed.

Fill in the evidence item information and click on the Next button as shown above.
Step 8- Fill in the image destination folder and the image file name, then
click on the Finish button.

Step 9- After clicking on the Finish button, all the details are added as shown below.

Click on the Start button as shown above to start the imaging process. This can be observed
in the image below.
Step 10- After completion of imaging, the hash value of the image is calculated using the MD5
and SHA1 algorithms and displayed as shown below.
Step 11- If you require a detailed report of the pen drive, such as drive model, serial number,
number of sectors, cylinders, etc., click on Image Summary as shown below.

REPORT
Created By AccessData® FTK® Imager 3.4.3.3

Case Information:
Acquired using: ADI3.4.3.3
Case Number: 1
Evidence Number: 1
Unique description: SanDisk USB 7GB data Image
Examiner: NPA
Notes: Imaging of 7GB SanDisk USB data

--------------------------------------------------------------

Information for C:\Users\tanis\Desktop\FTK_Imager\SanDisk7gbUSB:

Physical Evidentiary Item (Source) Information:


[Device Info]
Source Type: Physical
[Drive Geometry]
Cylinders: 948
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 15,232,000
[Physical Drive Information]
Drive Model: SanDisk Cruzer Blade USB Device
Drive Serial Number: 4C530001310928109293
Drive Interface Type: USB
Removable drive: True
Source data size: 7437 MB
Sector count: 15232000
[Computed Hashes]
MD5 checksum: 6afe34c55bc22fcc31e7f9983c6406f3
SHA1 checksum: 2ef25b3f1f2ba684fe0f3655e1fc2e7507bd5439

Image Information:
Acquisition started: Thu Jan 21 18:53:20 2021
Acquisition finished: Thu Jan 21 19:03:10 2021
Segment list:
C:\Users\tanis\Desktop\FTK_Imager\SanDisk7gbUSB.001
C:\Users\tanis\Desktop\FTK_Imager\SanDisk7gbUSB.002
C:\Users\tanis\Desktop\FTK_Imager\SanDisk7gbUSB.003
C:\Users\tanis\Desktop\FTK_Imager\SanDisk7gbUSB.004
C:\Users\tanis\Desktop\FTK_Imager\SanDisk7gbUSB.005

Image Verification Results:


Verification started: Thu Jan 21 19:03:16 2021
Verification finished: Thu Jan 21 19:05:33 2021
MD5 checksum: 6afe34c55bc22fcc31e7f9983c6406f3 : verified
SHA1 checksum: 2ef25b3f1f2ba684fe0f3655e1fc2e7507bd5439 : verified
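
The hash comparison in Task 1, Step 5 and the verification results above can be repeated outside FTK Imager; the following is an added example, not part of the original experiment or of AccessData's tooling. It reads the [Computed Hashes] and Segment list sections of a summary like the one above, re-hashes the segments in order, and reports a mismatch or a missing segment. Assumptions: the image type is Raw (dd), which the .001 to .005 segment names suggest but the page does not state, so the acquisition hash covers the concatenated segment bytes; the function names and the demo data are constructed for illustration.

```python
import hashlib, itertools, ntpath, os, re, tempfile

def parse_report(text):
    """Return (expected hashes, ordered segment paths) from an FTK Imager summary."""
    computed = text.split("[Computed Hashes]", 1)[1]
    expected = {name: re.search(rf"{name} checksum:\s*([0-9a-f]+)", computed, re.I).group(1).lower()
                for name in ("md5", "sha1")}
    lines = text.split("Segment list:", 1)[1].splitlines()[1:]
    # A blank line ends the segment list.
    return expected, [l.strip() for l in itertools.takewhile(str.strip, lines)]

def hash_segments(paths, chunk=1 << 20):
    """Stream segments in numeric order (.001, .002, ...) through MD5 and SHA1."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in sorted(paths, key=lambda p: int(p.rsplit(".", 1)[1])):
        with open(path, "rb") as fh:
            while block := fh.read(chunk):
                md5.update(block)
                sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify(report_text, segment_dir):
    """Re-hash the segments found in segment_dir and compare with the report."""
    expected, listed = parse_report(report_text)
    # The report holds Windows paths from the imaging machine; keep only file names.
    paths = [os.path.join(segment_dir, ntpath.basename(p)) for p in listed]
    missing = [p for p in paths if not os.path.isfile(p)]
    if missing:  # an incomplete set can never reproduce the acquisition hash
        return {"ok": False, "missing": [os.path.basename(p) for p in missing]}
    return {"ok": hash_segments(paths) == expected, "missing": []}

def demo():
    """Constructed data: three small segments plus a report built to match them."""
    with tempfile.TemporaryDirectory() as d:
        parts = [b"A" * 4096, b"B" * 4096, b"C" * 100]
        for i, data in enumerate(parts, 1):
            with open(os.path.join(d, f"usb.{i:03d}"), "wb") as fh:
                fh.write(data)
        whole = b"".join(parts)
        report = ("[Computed Hashes]\n MD5 checksum: %s\n SHA1 checksum: %s\n\n"
                  "Segment list:\n C:\\case\\usb.001\n C:\\case\\usb.002\n C:\\case\\usb.003\n\n"
                  % (hashlib.md5(whole).hexdigest(), hashlib.sha1(whole).hexdigest()))
        intact = verify(report, d)
        with open(os.path.join(d, "usb.002"), "r+b") as fh:
            fh.write(b"X")  # single-byte change in the middle segment
        altered = verify(report, d)
        os.remove(os.path.join(d, "usb.003"))
        return intact, altered, verify(report, d)

if __name__ == "__main__":
    print(demo())
```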
