Assignment 2

The document discusses the forensic duplication process and forensic backup procedure. It explains that imaging is the process of taking an exact copy of a storage device like a hard drive. It details how each sector is copied over individually. The document also provides requirements for forensic acquisition software and describes how to create an image of a storage device using FTK Imager.

Uploaded by

aashish
Copyright
© © All Rights Reserved

Assignment 2

AIM : Forensic Duplication Process – Forensic Backup Procedure

Imaging is the process of taking an exact copy of a flash drive and is the very foundation of digital
forensics, data recovery and electronic discovery processing. It takes every single 0 and 1 on one
hard drive and puts it on another.

The imaging process, for most tools, takes an exact copy of each sector, starting at the first sector,
Sector 0, then continues until the last sector.

Once a sector is read by the imaging tool, it is written out again onto another medium.
The storage pattern of the data depends on the tool, the settings, and the user's requirements.
It is an easy and convenient-to-use sector-by-sector data carver for phone dumps or cell phone
image files.

Different Image Formats

• Hex
• DD
• Bin
• RAW
• DMG
• XRY

Forensic Acquisition
System Requirements :
Hardware:
• Processor: Pentium 4 and above, 1.5 GHz and above.
• RAM: 512 MB RAM.
• Hard Disk: At least 10 GB HDD.
• Monitor: Any size from 15” or above.
• Keyboard And Mouse: Any keyboard and OS-supported pointing device.
Software:
• Operating System: Microsoft Windows XP and above, Macintosh.
• Software: AccessData FTK Imager ( 3.4.X ), AccessData FTK Imager Lite.
Forensic Imaging :

FTK Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to
determine if further analysis with a forensic tool such as AccessData Forensic Toolkit (FTK) is
warranted. FTK Imager can also create perfect copies (forensic images) of computer data without
making changes to the original evidence. With FTK Imager, you can:

• Create forensic images of local hard drives, floppy diskettes, Zip disks, CDs, and DVDs, entire
  folders, or individual files from various places within the media.
• Preview files and folders on local hard drives, network drives, floppy diskettes, Zip disks, CDs,
  and DVDs.
• Preview the contents of forensic images stored on the local machine or on a network drive.
• Mount an image for a read-only view that leverages Windows Explorer to see the content of the
  image exactly as the user saw it on the original drive.
• Export files and folders from forensic images.
• See and recover files that have been deleted from the Recycle Bin, but have not yet been
  overwritten on the drive.
• Create hashes of files using either of the two hash functions available in FTK Imager: Message
  Digest 5 (MD5) and Secure Hash Algorithm (SHA-1).

FTK Imager / Imager Lite

FTK Imager is a Windows acquisition tool included in various forensics toolkits. It is freeware,
downloaded directly from the AccessData web site (FTK Imager version 3.1.5.0).

Run FTK Imager.exe to start the tool.


From the File menu, select Create a Disk Image and choose the source of your image. In the interest
of a quick demo, I am going to select a 512MB SD card, but you can select any attached
drive. NOTE: FTK Imager does not guarantee data is not written to the drive, so it is important to use
a write blocker like the Tableau T35es.

Click Add... to add the image destination. Check Verify images after they are created so FTK Imager
will calculate MD5 and SHA1 hashes of the acquired image.

Next, select the image type. The type you choose will usually depend on what tools you plan to use
on the image. The dd format will work with more open source tools, but choose E01 if you will
primarily be working with EnCase.

If your version of FTK requests evidence information, you can provide it. If you select raw (dd)
format, the image metadata will not be stored in the image file itself.

Select the Image Destination folder and file name. You can also set the maximum fragment size of
image split files. Click Finish to complete the wizard.

Click Start to begin the acquisition.

A progress window will appear. Once the acquisition is complete, you can view an image summary and
the drive will appear in the evidence list on the left-hand side of the main FTK Imager window. You
can right-click on the drive name to Verify the Image.

FTK Imager also creates a log of the acquisition process and places it in the same directory as the
image, image-name.txt. This file lists the evidence information, details of the drive, checksums,
and the times the image acquisition started and finished.
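
The sector-by-sector copy and the post-acquisition verification described above, as an added Python example (not FTK Imager's code and not part of the original assignment). It assumes 512-byte sectors and split raw (dd) segments named `.001`, `.002`, and so on; `acquire`, `segments` and `verify` are hypothetical names.

```python
import hashlib
import re
from pathlib import Path

SECTOR = 512  # bytes per sector (assumption; some drives use 4096)

def acquire(source, dest_base, segment_sectors):
    """Copy `source` sector by sector into dest_base.001, .002, ...
    and return (md5, sha1) of the bytes read from the source."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    seg_no, written, out = 0, 0, None
    with open(source, "rb") as src:  # read-only: the evidence is never written
        while True:
            sector = src.read(SECTOR)  # starts at sector 0, ends at the last one
            if not sector:
                break
            if out is None or written == segment_sectors:
                if out:
                    out.close()
                seg_no, written = seg_no + 1, 0
                out = open(f"{dest_base}.{seg_no:03d}", "wb")
            out.write(sector)
            written += 1
            md5.update(sector)
            sha1.update(sector)
    if out:
        out.close()
    return md5.hexdigest(), sha1.hexdigest()

def segments(dest_base):
    """Return the split files of an image, ordered by numeric suffix."""
    base = Path(dest_base)
    found = [p for p in base.parent.glob(base.name + ".*")
             if re.fullmatch(r"\d{3,}", p.suffix[1:])]
    return sorted(found, key=lambda p: int(p.suffix[1:]))

def verify(dest_base, expected_md5, expected_sha1):
    """Re-hash the segments in order and compare with the acquisition hashes."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for seg in segments(dest_base):
        with open(seg, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return (md5.hexdigest() == expected_md5.lower()
            and sha1.hexdigest() == expected_sha1.lower())
```

A single changed byte in any segment, or segments hashed out of order, makes `verify` return False, which is the condition the Verify step is meant to catch.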
