NOTE: This exercise is to gain an understanding of what a forensic image is, and how they are created. We strongly recommend that you contact a certified forensic examiner to create images that will be introduced as evidence.
Not long ago, I was speaking with an attorney over a case which involved dates of creation and dates of access. They told me how concerned they were that when they copied these files to a flash drive, all of the creation dates changed to the day that they copied them! What could possibly be wrong?
A simple misunderstanding of how to acquire information was all that was at stake. Well, that and the case. For anyone needing to preserve the state of information of, say a hard drive, it is important to seek the assistance of a certified forensic examiner. They will be able to make an accurate bit-by-bit “image” of the data source, so that it can be referenced, viewed, extracted, etc., without the risk of altering the state of the data. Now some of you might wonder why I put the word Image in quotes. This is a term of art. Many attorneys refer to an image as a photograph, or a graphic. In the scope of forensic acquisition, it means a bit-by-bit duplicate of the media, created is such a way that it can be verified, and not altered.
Can anyone make a forensic image? Well, this part isn’t very difficult. But you do want to be certain that you document what you are doing, and can explain how you were able to authenticate that the image was correctly produced. At the very least, it is an EXCELLENT exercise for an attorney to do a forensic acquisition so that when you have to speak with an examiner, you will have more of an idea of what they are going to do for you and your case.
First, you will need forensic acquisition software. Not to fear, it is free from my friends at Access Data. The link for the Windows version that is current as of this writing is here: http://accessdata.com/product-download/digital-forensics/ftk-imager-version-3.4.3 . Once it is downloaded, go ahead and install it. It is quite small. I’ll wait.
The next thing we will need are two flash drives. Smaller is better for our example. One however should be slightly larger than the other. So a 1GB and a 2GB flash drive would be great. (It is important that you use different size flash drives – your destination should always be larger than your source) Format the larger of the two devices (your destination media) so that there is no data on it. (A forensic examiner would do a ‘wipe’ to make certain that the media is completely erased before beginning, but that is not necessary for this exercise). Take the 1GB flash drive (this will become our SOURCE media), and copy some files from your computer onto the drive. Browse the flash drive to make certain that your newly copied files made it safely to our source media. Next we start FTK imager. Once you start FTK, Your screen should look like this:
At the top of the screen, on the left side are two small green icons. The first one allows us to pick a single device that we want to image. When you click that, a screen will pop up to ask you what it is that you want to create a forensic image of. In this instance we want to take an image of a PHYSICAL DRIVE. Select that. Your screen should look like this:
You will now be presented with a drop down box asking you WHICH physical drive you want to image. Remember when I told you to use different sized drives? The drop down box identifies the devices that are currently attached to your computer. Since FTK doesn’t recognize drive letters here, you should pick the device that is the size of your source media. In this image you can see that I have two devices attached to my computer: my hard drive, and the 1GB flash drive:
When you click finish at the bottom of the screen, your source drive should be listed on the left hand side of the screen in FTK.
Now it is time to create our forensic image. While leaving the source drive plugged into your computer, now add your DESTINATION flash drive. PLEASE be careful at this juncture to select the correct drives – we don’t want you to overwrite something important.
Right click on the drive that is in the evidence tree. Using the above example, you would right-click on \\PHYSICAL DRIVE1. A small menu should pop up – please select EXPORT DISK IMAGE.
So far, so good. We aren’t done yet though …
When you click the EXPORT DISK IMAGE menu item, you will get a screen asking for the DESTINATION MEDIA information. It should look like this:
Please take care to tick the box at the bottom that says “VERIFY IMAGES AFTER THEY ARE CREATED”. This is of paramount importance. Then click the ADD button. You will be asked what type of image to create. These are different formats that are readable by different systems. The most universally accepted are DD and E01 images. You should not concern yourself with the other two types at this time. Just so we can all be on the same page, please select E01 and click NEXT. On this screen you can identify the information relevant to your case. None of this is mandatory, but it is all a really good idea. Go ahead and populate this information – you will see why in a few minutes. When you are ready click NEXT for the image destination screen.
First let’s click the BROWSE button, and find the DESTINATION flash drive that you plugged in. (Note, there shouldn’t be any files on it – if there ARE files, you either did not format the drive, or you have selected the WRONG drive. So, using my example, my destination flash drive is drive Y and the image filename I have chosen is “DemoImage”.
For the purposes of this exercise, we won’t go onto the other settings on this page. After you have these items properly populated, then click FINISH. Now you are returned to the CREATE IMAGE screen. Since we have no more source media to add, double-check that the box is ticked at the bottom that says “Verify images after they are created”, and click START. Since the source media is only 1GB in size, this will only take less than 5 minutes to create the image and to verify it. When the process is finished you will see “Image Created Successfully” in the STATUS field of the progress box. A new box should have popped up on your screen that says “Drive/Image Verify Results”
Mine looks like this:
This is a really important screen. When you see the word HASH, this is another term of art. It is a method of positively identifying a file, folder, or drive, so that it can be verified that it has not been altered. FTK Imager calculated two different types of HASH before it imaged your source drive. After it completed the process, it calculated those HASHES again, and they both matched. THAT means that you have authenticated your image and can be certain that it is an accurate representation of the source drive. If anyone were to alter anything it this image, even a comma, the HASH that would be calculated would NOT match.
So, you have successfully created your first forensic image of a drive. Congratulations!
Now …. What can you do with it?
Lets go ahead and close the FTK windows that are up. Let’s pretend that an attorney gave you this destination drive with the image on it for you to examine.
When you look at the drive itself, you will see lots of files that have the same filename, but a different extension. You can’t use Word or Excel, or notepad to read this. What can you use? FTK Imager. FTK Imager will not only CREATE images, it will also READ them.
Start FTK imager again. Click the little green icon on the left to Add Evidence Item. This time when it asks the source type, select IMAGE FILE. Click next and browse to the image that you created on your destination flash drive.
My screen looks like this:
Click on the DemoImage.E01 file. Hey! There are TWO of those. Well, not really. One it a TEXT file that will have the case information and the hash information of the image, and the other one is the E01 file that you created. Note the extension difference in the TYPE column. Select the E01 file named DemoImage.E01, then click OPEN, and FINISH.
You have NOW opened your forensic image of the source media that you created. In the column on the left, you will see the file DemoImage in the Evidence Window. If you click the + sign next to the items in the list, you will drill down to the files that are on your source device.
The next article will talk about all the things you can see in an image that you may not be able to see on the source media.