
Digital Forensics DA 3

The document outlines a laboratory exercise for digital forensics using FTK Imager and ProDiscover Basic. It details the steps to create a RAW image from a USB drive, analyze it for multimedia files, and generate a comprehensive forensic report. The exercise aims to capture unaltered data, identify hidden or deleted files, and interpret findings to support investigative hypotheses.

Uploaded by

Aaditya

School of Computer Science and Engineering

BCSE322P Digital Forensics Laboratory

Exercise No: 3

FTK Images | Forensic Analysis using ProDiscover Basic

Register Number: 21BCI0383

Name: Yashita Mittal

Submission Date: 19 Sept, 2024

FALL SEMESTER 2024-25

Lab Slot: L51+L52

Venue: SJT 317

Problem Statement

You are asked to install both FTK Imager and ProDiscover Basic for carrying out this
exercise.
Create RAW images (Logical | Drives | USB) using FTK Imager and utilize the created RAW image
in the ProDiscover Basic for the Investigative Analysis.
Create the RAW image (minimum of 100MB of multimedia files) to work with ProDiscover Basic.
Analyze the respective data and generate a detailed report and its interpretation.

Aim
To capture and examine a RAW image of a logical drive or USB using FTK Imager, focusing on
multimedia files. This image will be imported into ProDiscover Basic for further investigation.
The goal is to explore the image's contents, extract important data, and produce a
comprehensive report interpreting the findings through forensic techniques.

Procedure / Steps
1. Insert the USB Drive:
• Attach the USB drive to your computer via a write blocker to safeguard the data from being
modified during the process. A write blocker ensures the device is accessed in read-only
mode, preventing any unintentional or deliberate alterations to the drive's contents.
2. Launch FTK Imager:
• Open FTK Imager, a forensic software used to capture images of storage devices.
• Click on “File” > “Create Disk Image”.

3. Select Source:
• In the dialog box, choose “Physical Drive” if you are imaging the entire USB drive or “Logical
Drive” for specific partitions.
4. Choose Image Type:
• FTK Imager will ask you to choose the image format. Select from options like Raw (dd),
SMART, E01, or AFF, depending on the analysis software you'll be using. Various forensic
tools support different formats, whether standard or proprietary.

5. Configure Destination for Image Storage:
• Choose a folder on your hard drive to save the image file.
• Optionally, add case metadata, including examiner name and case number.

6. Capture the Image:
• Start the imaging process and wait for FTK Imager to finish creating the RAW image. This
process may take some time depending on the size of the USB drive.

7. Verify the Image:
• After the image is created, FTK Imager will calculate and display a hash value (MD5 or SHA1)
to verify the integrity of the captured image later when analyzing.
9. Launch ProDiscover Basic:
• Open ProDiscover Basic and create a new project by clicking “File” > “New Project”.
• Enter the project details, such as name, investigator name, and case number.

10. Add the RAW Image:
• Click “Action” > “Add Image File” and select the RAW image file created by FTK Imager.
• The image will be added to the project and mounted for analysis.
11. Investigate the Image:
• Use ProDiscover Basic’s file tree view to explore the contents of the image.
• Focus on the multimedia files (e.g., images, videos) and other data types to identify any
relevant evidence.

12. Generate the Report:
• After analyzing the image, generate a detailed forensic report by clicking “Report” in the
sidebar.
• The report should include a high-level overview of the whole image.
13. Interpretation:
• Based on the analyzed data, interpret the findings. For example, identify hidden files, deleted
data, or metadata that provides insights into the creation or modification of files.
• Write a detailed interpretation of the findings based on the analysis, explaining how the
evidence supports or contradicts the investigative hypothesis.
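
The hash recorded in step 7 is only useful if it is re-checked before and after analysis. The following is an added example, not part of the original lab report: it re-hashes a RAW image and compares the result with the hashes written down at acquisition. The summary line format (`MD5 checksum:` / `SHA1 checksum:`), the file name `usb_image.001` and the sample data are assumptions constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed layout of the acquisition summary: lines such as
# "MD5 checksum: <hex>" and "SHA1 checksum: <hex>".
HASH_LINE = re.compile(r"\b(MD5|SHA1)\s+checksum:\s*([0-9a-fA-F]+)")

def hash_image(path, chunk_size=1 << 20):
    """Stream the image once and return its MD5 and SHA1 hex digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:  # opened read-only; the image is never written
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"MD5": md5.hexdigest(), "SHA1": sha1.hexdigest()}

def recorded_hashes(summary_text):
    """Extract the hashes that were recorded at acquisition time."""
    return {alg.upper(): hx.lower() for alg, hx in HASH_LINE.findall(summary_text)}

def verify_image(path, summary_text):
    """Return per-algorithm True/False; a missing recorded hash counts as a failure."""
    actual = hash_image(path)
    recorded = recorded_hashes(summary_text)
    return {alg: recorded.get(alg) == digest for alg, digest in actual.items()}

def demo():
    """Constructed data: a small stand-in image and a matching summary."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "usb_image.001"  # hypothetical file name
        image.write_bytes(b"\x00" * 4096 + b"constructed sample sector data")
        good = hash_image(image)
        summary = f"MD5 checksum: {good['MD5']}\nSHA1 checksum: {good['SHA1']}\n"
        before = verify_image(image, summary)
        # Simulate a working copy that changed after acquisition (one bit flipped).
        data = bytearray(image.read_bytes())
        data[10] ^= 0x01
        image.write_bytes(bytes(data))
        after = verify_image(image, summary)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Any `False` in the result means the working copy no longer matches what was acquired and should not be used for analysis or reporting.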

Interpretation / Conclusion

The RAW image created from the USB drive with FTK Imager provided an unaltered copy of the data.
After importing it into ProDiscover Basic, analysis uncovered multimedia files and metadata.
Techniques like file carving and keyword search revealed hidden or deleted files, offering key
evidence.

Metadata analysis showed file creation and modification dates, helping trace activity on the drive.
Suspicious files, altered headers, and tampered timestamps were also identified.

The ProDiscover Basic report consolidates all extracted data, including file details and metadata,
offering a clear view of the USB's contents. This method ensured data integrity and provided valuable
insights for further investigation or legal action.
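
The file carving and altered-header findings mentioned above can be illustrated with a short script. This is an added example, not the report author's method or ProDiscover's implementation: it performs simple header/footer carving for JPEG and PNG over raw bytes and flags a file whose extension does not match its header. The sample buffer and file names are constructed, and the function names are hypothetical.

```python
# Header and footer byte signatures for two multimedia formats.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
EXTENSIONS = {"jpeg": (".jpg", ".jpeg"), "png": (".png",)}

def carve(image_bytes, max_size=20 * 1024 * 1024):
    """Return (type, offset, length) for each header/footer pair found.

    Simple carving: the first footer after a header ends the file, so
    fragmented files or embedded thumbnails need a format-aware parser.
    """
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image_bytes.find(header)
        while pos != -1:
            end = image_bytes.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                length = end + len(footer) - pos
                hits.append((kind, pos, length))
                pos = image_bytes.find(header, pos + length)
            else:
                pos = image_bytes.find(header, pos + 1)
    return sorted(hits, key=lambda h: h[1])

def header_mismatch(filename, content):
    """True when the extension claims a type whose header is not at offset 0."""
    name = filename.lower()
    for kind, exts in EXTENSIONS.items():
        if name.endswith(exts):
            return not content.startswith(SIGNATURES[kind][0])
    return False  # extension not covered by this check

def build_sample():
    """Constructed stand-in for unallocated space holding two deleted files."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 16 + b"IEND\xae\x42\x60\x82"
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + png + b"\x00" * 50

if __name__ == "__main__":
    sample = build_sample()
    for kind, offset, length in carve(sample):
        print(f"{kind} at offset {offset}, {length} bytes")
    print(header_mismatch("holiday.jpg", sample[638:670]))
```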
