Digital Forensics Tutorial [Part 1] - Basics & FTK IMAGER Lab

Image via kali linux os. (Screenshot of forensics tools list)

By : Bijay Acharya / studentvideotutorial

Hello and welcome to this new series of Student Video Tutorial. This series is basically related Digital Forensics. I’ll cover wide range of Digital Forensics.

Ok now, let’s get started. We’ll cover:
Digital Forensics: We’ll see some theories behind digital forensics. This will include what it does and what tools it involves. After covering theory part, we’ll do some lab and demonstration, using those forensic tools.
Digital Forensics with ‘Kali Linux’: Kali Linux is Operating System that’s widely used by Ethical Hackers and Penetration testers. It involves wide range of tools, which can be used for digital forensics. Most of us are already familiar with large collection of hacking tools available in Kali Linux, and now it’s a time for playing with forensic tools. I’ll give a complete tutorial on how to use those tools for Digital Forensics later in this tutorial series.
 Here are some of the examples that we’ll be seeing through out this series. They include:
  • Creating a Disk Image with Free open source tools known as FTK Imager.
  • Hashing a disk imager with FTK Imager and WinHex.
  • Write Blocking the Disk Image with WinHex & DiskExplore.
  • Viewing and analyzing the disk image contents.
Together, with these tools, we will be using the Kali Linux OS and its forensics toolkits. I’ll pick up some of the best tools from Kali Linux, and give a in-depth using process of those tools.

Digital Forensics:
  • “Digital forensics deals with determining who was responsible for a digital intrusion or other computer/cyber crime”
  • “A large part of digital forensics is working on cases to process and analyze digital evidence collected from crime scenes”
  • “The process of working on a digital forensics case include creating disk image (copies of the original suspect’s drive), hashing or verifying the integrity of the disk image, write blocking the disk image (setting it to read-only to verify disk image integrity), and analyzing the drive and its contents.”
Forensics Tools (Categories) in Kali Linux:
– Anti-Virus Forensics Tool, Digital Anti-Forensics, Digital Forensics, Forensics Analysis Tools, Forensics Carving Tools, Forensics Hashing Tools, Forensics Imaging Tools, Forensics Suites, Network Forensics, Password Forensics Tool, PDF Forensics Tool and RAM Forensics Tool.

Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER
  1. “Creating a disk image file of a target is the first step of any digital forensic investigation. In any investigation, analysis is not done on the original data storage device (target), but instead on the exact copy taken.”
  2. “A disk Image is defined as a computer file that contains the contents and structure of a data storage device such as a hard drive, CD drive, phone, tablet, RAM, or USB. The disk image consists of the actual contents of the data storage device, as well as the information necessary to replicate the structure and content layout of the device. This differs from a normal backup in that the integrity of the exact storage structure remains intact, which is pivotal in maintaining the integrity of a forensic investigation.”
  3. “An image may be taken locally or remotely. In the case that a disk image is taken locally, the data storage target is physically available, such as a USB key or hard drive on an acquired machine. In the case of remote acquisition, the target storage device is not present (i.e. a computer in a suspect’s office at their place of work).”
Now, we’ll be making an image of a local drive using FTK Imager. FTK Imager is a software created by the company AccessData for the purpose of creating both local and remote images. However, the free version only allows for local imaging. This software can acquire images of locally available storage devices, such as USB, hard drives, CD drives, or even individual files.
We’ll create an exact replica of a local drive (F: Cybrary) that will be used in the scope of a digital forensic investigation, later.
(Note: I’m incuding only an Article Format on process. If you want to follow the demo, then please refer to video link provided at the bottom of this article.

Assuming you have installed FTK imager, follow these steps 🙂
  1. Launch FTK Imager by clicking on the ‘AccessData FTK Imager’ icon.
  2. Click File and look over the various options for creating images. We’ll be using the ‘Create Disk Image’ option. It’s good to note that you can also capture from memory, and image individual items. 
  3. Click ‘Create Disk Image’. A window will appear. Select the correct drive type for the situation. In this case, we’re imaging a logical drive. Note: it’s possible to select individual folders and CD/DVD. Select logical drive and click Next. 
  4. Select the desired drive in the resulting ‘Select Drive’ window. In this case, the drive we wish to image is ‘F: Cybrary’. Click Finish. 
  5. The ‘Create Image’ window will appear. Note that the appropriate Image Source has been selected. Click Add to select the image type and choose the Image Destination. 
  6. Select the desired image format. We’ll be using dd. dd (disk dump) is the raw image file format. It’s used not only in Windows, but also in Linux. Select ‘Raw (dd)’ and click Next.
  7. In following window, give case info.
  8. Select the folder in which the image file will be placed (H: BJ). Also, give the image file a specific name if desired. Click Finish.
  9. Note that the image destination has been changed to H:. The disk image will be saved to the  BJ Drive. Note: the disk image will be created in raw/dd. Make sure that ‘Verify images after they are created’ is checked – this will automatically create a hash for the image. The hash is used to verify that no changes have been made to the image file. Click Start to create the image file.
  10. The image will be created. This may take some time depending on the file size.
  11. The following window will appear once the image has been completed. Note that both an MD5 and SHA1 hash have been created and verified. The hash is the fingerprint of the disk image. If the disk image is altered, the hash values will change. Keeping track of these hashes will allow you to continually verify the hash of the image file during your investigative process. Any other investigator should be able to replicate this hash; this maintains integrity in the eyes of the court. 
  12. Click on ‘Image Summary’ to view the following results pertaining to the image that has just been created. This information should verify what was entered in the creation process. It will also verify the created hashes. Also, for your reference, this information has been printed out into a text file in the location to which the image file was saved.
  13. Note that the image file (Thanks Cybrary.001) as well as the image summary file from above (Thanks Cybrary.001.txt) have been saved onto the ‘H: BJ Drive’. The .001 extension may be left as is, or can be changed to .dd. The .001 extension is used due to the fact that many times the file to be imaged is very large and must be split into multiple chunks. In that case, you would have Thanks Cybrary.001, Thanks Cybrary.002, etc.
At this point, the disk image has been created. This is essential for analyzing the contents without touching the original drive. In a following tutorials, we’ll cover viewing the contents of this disk image file.
The disk image is completely intact and untouched at this point. It’s imperative that the hashes be recorded and kept for reference, as they must be rechecked during the course of your investigation.
Additionally, it’s imperative that a form of write blocking be put in place to prevent changes to the disk image. Write blocking will be covered in a future tutorial.
I want to thank following 3 (references):
OTW null-byte wonder how to 

Video link of this part is here : )