FORENSICS V2 LAB SERIES

Lab 01: Creating a Forensic Image

Document Version: 2021-01-11

Copyright © 2021 Network Development Group, Inc.

www.netdevgroup.com

NETLAB+ is a registered trademark of Network Development Group, Inc.

Microsoft® and Windows® are registered trademarks of Microsoft Corporation in the United States and other countries. Google is a
registered trademark of Google, LLC. Amazon is a registered trademark of Amazon in the United States and other countries.
Lab 01: Creating a Forensic Image

Contents
Introduction ........................................................................................................................ 3
Objectives............................................................................................................................ 3
Lab Topology....................................................................................................................... 4
Lab Settings ......................................................................................................................... 5
Getting Familiar with FTK Imager ............................................................................... 6
Create a Physical Forensic Image.............................................................................. 10
Create a Logical Forensic Image................................................................................ 20
Verify the Image Contents by Reviewing the Image Report..................................... 27
Verify the Image Contents by Opening the Image in FTK Imager ............................ 30

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 2

Lab 01: Creating a Forensic Image

Introduction

One of the goals of a digital forensic examination is to maintain the integrity of the
evidence. This can be done through a series of methods such as documentation,
imaging, and hashing. The exercises outlined in this lab will cover the imaging portion of
the digital forensic process. It will teach a user how to use free digital forensic tools to
create a court-admissible forensic image and how to review this imaged data. Let us get
started!!

Objectives

● Getting familiar with FTK Imager

● Creating a forensic image in a windows environment
● Verifying the content of the image to ensure that the capture was successful

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 3

Lab 01: Creating a Forensic Image

Lab Topology

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 4

Lab 01: Creating a Forensic Image

Lab Settings

The information in the table below will be needed to complete the lab. The task sections
below provide details on the use of this information.

IP Address / Account Password

Virtual Machine
Subnet Mask (if needed) (if needed)

Caine 172.16.16.30 caine Train1ng$

CSI-Linux 172.16.16.40 csi csi

DEFT 172.16.16.20 deft Train1ng$

WinOS 172.16.16.10 Administrator Train1ng$

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 5

Lab 01: Creating a Forensic Image

Getting Familiar with FTK Imager

The first thing we will do is get you familiar with the graphical user interface of FTK
Imager.

1. To begin, launch the WinOS virtual machine to access the graphical login screen.
a. Select Send CTRL+ALT+DEL from the dropdown menu to be prompted with the
login screen.

b. Log in as Administrator using the password: Train1ng$

2. Once you are logged into the VM, launch the FTK Imager program from the Windows
menu by navigating to Start Menu > AccessData > FTK Imager as seen in items 1, 2,
and 3 below. Alternatively, you can open it by clicking the icon from the desktop, as
seen in item 4.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 6

Lab 01: Creating a Forensic Image

3. The following window will appear. Look at the sections highlighted in red. These are
the different areas of the interface.

1 Evidence Displays evidence item(s) in a tree format

Tree

2 File list Displays the list of files that are selected in the evidence tree pane

3 Properties Contains various details about items selected in either the evidence tree or
the file list panes

4 View pane This is the box located in the bottom right corner of the FTK Imager window
and displays the contents of files selected in the File list pane

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 7

Lab 01: Creating a Forensic Image

4. Now let us look at the menus to see some important options. We will start with the
File menu. To access this, select the File button at the top-left corner of the GUI,
seen in item 1 below, which will reveal the menu as seen below.

Allows the user to add a single evidence Item

Allows the user to add all storage devices attached to the

computer (Beware as this option only adds live volumes)

Allows the user to mount an evidence item so that it can be

viewed as an attached storage device

Allows a user to remove a single evidence item

Allows a user to remove all evidence items that are currently

loaded

Allows a user to create a forensic image of a storage device

Allows a user to create a disk image from a storage device

that is already loaded in FTK Imager

Allows a user to perform a hash comparison of a forensic

image

Allows a user to capture an image of the RAM for the host that
FTK Imager is running on

The table on the right outlines the most common options highlighted
in red on the menu. Please refer to the user manual located in the
help tab highlighted in item 2 for definitions on the remainder.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 8

Lab 01: Creating a Forensic Image

5. Let us look at another important menu. This is the option called Mode. To get to it,
select the Mode button at the top-left corner of the GUI, seen in item 1 below, to
reveal the menu, as seen below.

Expand Toggles the option to expand compound files such as Zip, tar, etc.
Compound
Files
Automatic Allows the software to choose how to display a file in the view pane
(using IE, Text view, or Hex view)

Text
Switches the view pane to only show selected files in raw text

Hex The Hex option switches the view pane to only show selected files in
Hexadecimal

6. The remaining menus are equally as important, but we will not cover them in this lab.
Now let us move on to the good stuff, creating a forensic image!

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 9

Lab 01: Creating a Forensic Image

Create a Physical Forensic Image

A forensic image of original evidence is required to avoid changing valuable data and risk
making the evidence found inadmissible in court. In this task, we will walk through the
steps for creating a forensic image of a physical drive on the lab machine. The best image
for forensic analysis is always a physical image as it contains the most data. There are
cases when a logical image is necessary as well, and we will cover this later in the lab. Let
us get started!

1. FTK Imager should already be open. If not, reopen it and navigate to File > Create
Disk Image as seen in items 1 and 2 below. This will open the Select Source window
that will allow you to choose what type of volume you intend to replicate.

A hardware or software write-blocker must be used when imaging the

original evidence.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 10

Lab 01: Creating a Forensic Image

2. Once you see the Select Source window, select the Physical Drive radio button, and
then click Next seen in items 1 and 2 below. This will take you to the Select Drive
window.

FTK Imager may hang right here, please be patient and do NOT click
Next again.

3. The select drive window will allow you to choose which volume you intend to
replicate. Once you are in the Select Drive window, select the drive labeled
PHYSICALDRIVE1 from the dropdown menu and then select Finish as seen in items
1, 2, and 3 below. This will take you to the Create Image window.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 11

Lab 01: Creating a Forensic Image

4. The Create Image window will give you the option to choose an image destination. It
will also show the image source you selected, as seen in item 1. It also has several
other useful options, such as:

 Verifying your images after they are created, performs a comparison of the
hashes before and after imaging to ensure nothing changed.
 Precalculate Progress Statistics allows you to do a check to see a time estimate
and determine if you have enough storage space for the image.
 Create a directory listing of all files after the image is created, allows you to output
a file containing a tree-style list of directories contained in the image.
 Add Overflow Location, gives you an option to store the image if the destination
is full.

5. For this exercise, only check the Verify images after they are created checkbox, as
seen in item 2 below.
6. In the Create Image window, add the image destination. This can be achieved by
clicking the Add button, seen in item 3, which will open the Select Image Type
window.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 12

Lab 01: Creating a Forensic Image

7. This Select Image Type window allows you to choose from four (4) types of forensic
image formats:

 Raw (dd) - This is a full image dump that uses no compression and does not store
information about the image within it.
 SMART - This format is used mainly for the SMART tool for Linux. It supports
compression and segmentation but is not widely used anymore.
 Advanced Forensic Format (AFF) - This format creates a raw image and stores the
image metadata in a separate file. It supports compression and segmentation.
 Expert Witness Format (E01) - This format is the most common forensic image
type and supports compression and segmentation. It also stores data within the
image container that can be used to help verify the image.

8. Let us use the E01 format for this exercise. To choose it, select the radio button
beside E01 and then click Next, as seen in items 1 and 2, to go to the Evidence Item
Information window.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 13

Lab 01: Creating a Forensic Image

9. The Evidence Item Information window is where you will fill in the information that
will be permanently associated with the image. Ensure you fill it out accurately. Let
us put some information in these fields. Use the information highlighted in item 1
below to fill in the fields. Click Next seen in item 2 when you are done. Note, the
Examiner field should contain your name.

10. Now you should be at the Select Image Destination window. This window allows you
to:

 set the storage location for the image.

 create a filename for the image.
 set the size of each image segment in megabytes (MB).
 adjust the level of compression. In this field, zero (0) means no compression
while nine (9) means the highest compression possible; and
 choose whether to use AD Encryption to protect your image.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 14

Lab 01: Creating a Forensic Image

11. First, let us focus on setting the storage location for the image. To do this, select the
Browse button seen in item 1 below. This will open the Browse for Folder window,
which allows you to choose a location to store the image.

12. Once you are in the Browse for Folder window, navigate to ThisPC and select the disk
drive labeled Evidence Repository (E:) and then click the Make New Folder option
seen in items 1, 2, and 3 below. This will create a new folder in the Evidence Repository
drive.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 15

Lab 01: Creating a Forensic Image

13. Let us give the folder a name to help us keep track of its content. Name the folder
FOR_LAB_001 and then select OK, as seen in items 1 and 2 below, to go back to the
Select Image Destination window.

Check that the image destination path, highlighted in item 1 below, is

correct. It is common for the path to remain as New Folder, even
after you rename it.

14. Once you are back in the Select Image Destination window, create a name for the
image. An example is highlighted in item 2 below. Remember to check that the image
destination path in item 1 is correct.

15. Leave the other settings at their default state and select Finish, seen in item 3
above, to go back to the Create Image window.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 16

Lab 01: Creating a Forensic Image

16. Now that you are back at the Create Image window, you need to verify that all the
correct paths were selected. This is extremely important. Errors made at this phase
can destroy the very data you aim to replicate. Before moving to the next step:

 Verify that the source is the one you intended to image as highlighted in item 1.
 Ensure that the destination path is the same as the one outlined in item 2.
 Ensure that the Verify images after they are created checkbox is checked as
seen in item 3.

The Add Overflow Location is used ONLY if the image source is

suspected to be greater than the destination. However, forensics
best practices dictate that you ensure the destination has enough
capacity for the source.

If Overflow location is selected, the verify images after they are

created option should be unchecked as FTK imager cannot verify
image segments stored in multiple locations. However, the image
created can be verified later using the Verify Drive/Image option.

17. If you are here, it means that you have done all the verification checks and now you
are good to go. To start the image, click the Start button highlighted in item 4 above.
This will commence the imaging process.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 17

Lab 01: Creating a Forensic Image

18. Once the imaging is done, you will see the Drive/Image Verify Results window
appear. This window only appears if you selected Verify Images after they are
created before creating the image. It lists the image name seen in item 1, the MD5
and SHA1 verification hashes seen in items 2 and 3, and any detected bad blocks
seen in item 4. Once you are done reviewing this data, click the Close button seen in
item 5.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 18

Lab 01: Creating a Forensic Image

19. The window behind the Drive/Image Verify Results window should appear as below
and will display a message that says Image created successfully. This means that you
have completed the first and most important step of the forensic examination
process. Click Close seen in item 1 below to close the dialogue box.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 19

Lab 01: Creating a Forensic Image

Create a Logical Forensic Image

In the previous task, we mentioned that there were times when a logical image is all that
is necessary or all that you can get. In this task, you will learn to create a logical image.

1. Let us go back to the FTK Imager interface and select the options File > Create Disk
Image, as seen in items 1 and 2 below, to open the Select Source window.

2. Once you get to the Select Source window, click the Logical Drive radio button seen
in item 1. The logical drive option will allow you to choose a partition instead of the
entire disk drive. Now click Next, as seen in item 2, to proceed to the Select Drive
window.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 20

Lab 01: Creating a Forensic Image

3. When you get to the Select Drive window, select G:\ USB 001 [NTFS] from the
dropdown menu and then click Finish, as seen in items 1, 2, and 3 below, to the
Create Image window like you did before.

4. When you get to the Create Image window, verify that the correct drive letter was
selected. The drive letter should match the one seen in item 1 below. Next, select
the Add button, seen in item 2, to open the Select Image Type window.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 21

Lab 01: Creating a Forensic Image

5. Let us use the E01 format for this exercise as well. To choose it, select the radio
button beside E01 and then click Next, as seen in items 1 and 2, to go to the
Evidence Item Information window.

6. You are back to the Evidence Item Information window, fill in the information as
seen in the fields below, and then click Next as seen in items 1 and 2. Remember,
the Examiner field should contain your name.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 22

Lab 01: Creating a Forensic Image

7. Wow! You entered all that information already; that was quick. Then, you should
now be seeing the Select Image Destination window. Here, select Browse, seen in
item 1 below, to open the Browse for Folder window, which allows you to choose a
location to store the image.

8. Like you did before, browse to ThisPC > (E:) Evidence Repository and then select the
Make New Folder option as seen in items 1, 2, and 3.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 23

Lab 01: Creating a Forensic Image

9. Name the new folder FOR-LAB-001A and then select OK, as seen in items 1 and 2, to
go back to the Select Image Destination window.

10. Once you are back in the Select Image Destination window, create a name for the
image. An example is highlighted in item 2 below. Remember to check that the
image destination path in item 1 is correct. Next, click Finish, as seen in item 3.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 24

Lab 01: Creating a Forensic Image

11. The Create Image window is your last chance to verify that you have all the correct
paths selected. Remember, errors made at this phase can destroy the very data you
aim to replicate.
12. Before proceeding:

 Verify that the source is the one you intended to image, as highlighted in item 1
below.
 Ensure that the destination path is the same as the one outlined in item 2 below.
 Ensure that the Verify images after they are created checkbox is checked as seen
in item 3.

13. If you are sure that all the correct options were selected, you can click the Start
button highlighted in item 4 below. This will commence the imaging process.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 25

Lab 01: Creating a Forensic Image

14. Now the logical image is complete, and you should see the Drive/Image Verify
Results window appear as seen below. After reviewing the results of the verification,
click Close to close the window.

15. Next, verify that the message Image created successfully is displayed in the Creating
Image window and then click Close as seen in item 1 below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 26

Lab 01: Creating a Forensic Image

Verify the Image Contents by Reviewing the Image Report

Once you have created an image, there are two main things you need to check before
packaging for storage. You need to:

 Verify the image process had no errors by reviewing the image report; and
 Ensure that the content you captured is accessible.
Let us begin by reviewing the image report and checking for errors.
1. Open windows explorer and browse to Evidence Repository (E:) > FOR-LAB-001 as
seen in items 1 and 2 below.

2. The folder will contain file(s) with the extension E01. Double-click the file named
1GB_Seagate_SN954321.E01.txt to open it in notepad. This is FTK Imager’s image
report file.

Ordinarily you would see several fragments of the imaged hard drive.
This is determined by the defined Image fragment size, currently the
default is 1500MB which is greater than the total capacity of the hard
drive. So, one fragment was created.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 27

Lab 01: Creating a Forensic Image

3. The image report will look like the text box in the snapshots below.

The case information highlighted below is where you can see the
information you typed about the image and verify whether the
information was accurate.

The Image information category highlighted below is where you can

determine how much data was imaged and review the Drive Model
and Serial Number as well as the disk geometry information.

The Acquisition start and end times highlighted contain the times and
the segment list to know the names and paths of all the segments
created during the imaging process.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 28

Lab 01: Creating a Forensic Image

The Computed Hashes information and the image verification results

highlighted allow you to Compare the hashes from the computed
hashes data with the verification results to determine if they match.

4. Once you have verified that the report seems accurate, proceed to the image report
for the logical image labeled FOR-LAB-001A located at E:\FOR-LAB-001A and
perform the same review.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 29

Lab 01: Creating a Forensic Image

Verify the Image Contents by Opening the Image in FTK Imager

Great, you are here! Since you can verify that the reports look good, let us try to open
each image and see if the file systems are recognized. Let us start with the physical
image.

1. Let us go back to FTK Imager and select the options File > Add Evidence Item, as
seen in items 1 and 2, to open the Select Source window.

2. This time, select the Image File radio button and then select Next, as seen in items 1
and 2, to proceed to the Select File window.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 30

Lab 01: Creating a Forensic Image

3. The Select File window will allow you to choose the image you want to open. Click
the Browse button highlighted below. This will open the File Selection window,
which will allow you to browse to the appropriate image file.

4. In the Select File window, browse to Evidence Repository (E:) > FOR-LAB-001 and
select the image file called 1GB_Seagate_SN954321.E01 as seen in items 1, 2, and 3
below. Once the image is selected, click Open as seen in item 4 below.

If multiple image fragments were created during the imaging process,

FTK Imager will automatically add the remaining files when loading.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 31

Lab 01: Creating a Forensic Image

5. Once you are back to the Select File window, verify that the path of the selected file
matches the one highlighted in item 1 below. Once you have verified, click the Finish
button highlighted in item 2. This will take you to the main GUI, where the image will
be loaded in the Evidence Tree Pane.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 32

Lab 01: Creating a Forensic Image

6. In the Evidence Tree pane, click the + signs beside 1GB_Seagate_SN954321.E01, as

seen in item 1 below. This will expand and reveal the partitions of the drive. Next,
click the + sign beside Basic data partition (2) as highlighted in item 2 below. This will
expand and reveal the file system and the volume name, Data. Now click the + sign
beside Data, as seen in item 3, to reveal the root, orphan, and unallocated
directories. The root directory is the main directory on the partition, and all other
directories and files on the volume will appear under root. The orphan folder
contains deleted orphaned files, and the unallocated space folder contains
unallocated space represented as files. The folder we are currently interested in is
root. Click the folder called root, as seen in item 4, to expand it and see the files that
are on the volume in the File List pane seen in item 5.

The hard drive imaged in this lab will not contain any user created files
but feel free to browse the file structure.

7. If you can open the root directory and view its contents, then it means the image was
successfully created and can be opened without issues. Repeat these steps to view
the contents of the logical image stored in the folder named FOR-LAB-001A.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 33

Lab 01: Creating a Forensic Image

8. You have now successfully created and verified two digital forensic images and are
ready to move on to the next phase on the chain-of-custody.
9. The lab is now complete. Please close all open programs by clicking the X at the top-
right corner of the windows, as highlighted below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 34