FTK Image
Fa-2020-BS DFCS-049
Before creating the image, we need to change the registry so that when we insert a removable drive, no changes are made to it. We do this to maintain integrity. Below I show each step with a screenshot.
1. Open Run, type the command "gpedit.msc" and hit Enter.
2. After hitting Enter we will see the following interface (Local Group Policy Editor):
3. Then select "Administrative Templates".
4. Then "System".
5. Then select "Removable Storage Access".
6. Now select "Removable Disks: Deny write access", right-click it and select "Edit".
7. After step 6 we will get the following window. Its default setting is "Not Configured"; change it to "Enabled", then click Apply and OK.
8. After all these steps, restart your system. After the restart, insert your removable drive and delete a file from it or copy something from your system to the removable drive. You will see the following prompt, which means that you cannot make changes to the removable drive, ensuring its integrity:
9. Now it is time to make a forensic image of the removable drive (in our case a USB). Different tools can be used for this; many free and paid tools are available. I am using AccessData FTK Imager. Open FTK Imager. First I am going to do the pre-hash verification. For this select File > Add Evidence Item.
10. After this select Physical Drive.
11. In the second window we will see the different drives that we could image. Select the one we are going to image (the USB) and hit Finish.
12. After clicking Finish, select the physical drive and right-click > Verify Drive/Image.
13. After step 12 the verification process will start. It will take time depending on the size of the removable drive.
14. After step 13 completes, we get the hashes of the removable drive:
15. Now it is time to create the image. For this, select File > Create Disk Image.
16. Select Physical Drive.
17. Select the drive we are going to image (in my case the USB).
18. After this click Finish. After clicking Finish you will get the following prompt, in which we click Add.
19. Now it is time to set the image destination. After clicking "Add" we get several prompts in which we have to select the image format, the evidence information and the destination where we want to save the image file.
20. After this click Finish and then Start. FTK Imager will then start its work, which is creating the image:
21. After completion it will verify the hashes and then show the completion prompt:
22. We will get the following files.
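As an added example (not part of this report and not FTK Imager's own code), the following Python script repeats the check FTK Imager performs in step 21: it recomputes the MD5 and SHA1 of the raw image written in step 20 and compares them with the digests recorded alongside it, so the image can be re-verified later, for example before it is opened in another tool. The summary file layout, the file names (usb.001, usb.001.txt) and the 3-byte sample content are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream the image 1 MiB at a time; forensic images rarely fit in RAM
# The summary layout is an assumption: only an algorithm name followed by a
# 32- or 40-character hex digest on the same line is required.
HASH_LINE = re.compile(r"^\s*(MD5|SHA1)\b.*?([0-9a-f]{32,40})\s*$", re.I | re.M)

def hash_file(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for the file, reading it in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def parse_summary(text):
    """Extract the first MD5 and first SHA1 digest recorded in a summary text."""
    found = {}
    for name, digest in HASH_LINE.findall(text):
        found.setdefault(name.lower(), digest.lower())
    return found

def verify_image(image_path, summary_path):
    """Recompute the image hashes and compare them with the recorded ones; returns
    (ok, {algorithm: (recorded, recomputed)}), ok False on any mismatch or no digest."""
    recorded = parse_summary(Path(summary_path).read_text(errors="replace"))
    actual = hash_file(image_path, tuple(recorded) or ("md5", "sha1"))
    details = {alg: (recorded.get(alg), actual[alg]) for alg in actual}
    return bool(recorded) and all(r == a for r, a in details.values()), details

def demo():
    """Constructed sample: a 3-byte 'image' and a summary holding its known hashes,
    verified once intact and once after a byte is appended (simulated tampering)."""
    summary = ("[Computed Hashes]\n"
               " MD5 checksum:   900150983cd24fb0d6963f7d28e17f72\n"
               " SHA1 checksum:  a9993e364706816aba3e25717850c26c9cd0d89d\n")
    with tempfile.TemporaryDirectory() as tmp:
        image, report = Path(tmp, "usb.001"), Path(tmp, "usb.001.txt")
        image.write_bytes(b"abc")
        report.write_text(summary)
        intact, _ = verify_image(image, report)
        with open(image, "ab") as fh:
            fh.write(b"\x00")  # a single changed byte must break both digests
        tampered, details = verify_image(image, report)
    return intact, tampered, details
```

Run `demo()` to see the constructed sample; on a real acquisition call `verify_image` with the image file and the summary file FTK Imager wrote next to it.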
Now it is time to create an image of a logical drive or of a folder on a logical drive. The process is the same as for a physical drive, but instead of choosing Physical Drive we choose Logical Drive and then select a folder. The whole process is shown in the screenshots below.