1
00:00:00,320 --> 00:00:02,190
In this demonstration you're going to learn

2
00:00:02,190 --> 00:00:04,635
how a disk image is created during an incident response

3
00:00:04,635 --> 00:00:07,060
or a forensic investigation.

4
00:00:07,060 --> 00:00:08,580
Now I'm going to show you how we can do this

5
00:00:08,580 --> 00:00:11,710
using the Forensic Toolkit Imager or FTK Imager,

6
00:00:11,710 --> 00:00:15,280
to take a disk image of a hard drive or a USB thumb drive.

7
00:00:15,280 --> 00:00:17,460
In my example, I'm going to take a disk image

8
00:00:17,460 --> 00:00:20,360
of a 2 GB thumb drive with a Windows machine

9
00:00:20,360 --> 00:00:23,110
and then I'm going to show you a very basic introduction

10
00:00:23,110 --> 00:00:25,690
to the Forensic Toolkit or FTK Tool

11
00:00:25,690 --> 00:00:28,220
that'll allow you to do a forensic investigation

12
00:00:28,220 --> 00:00:31,380
and find deleted files, hidden files and other things

13
00:00:31,380 --> 00:00:33,300
from the evidence drive that we collected

14
00:00:33,300 --> 00:00:34,930
as part of this incident response.

15
00:00:34,930 --> 00:00:36,540
So, let's get started.

16
00:00:36,540 --> 00:00:37,980
Now, the first thing you're going to do is

17
00:00:37,980 --> 00:00:39,890
download and install the FTK Imager.

18
00:00:39,890 --> 00:00:42,380
Once you have that done, you'll go ahead and open it.

19
00:00:42,380 --> 00:00:45,130
You will have to give it administrative permissions

20
00:00:45,130 --> 00:00:48,310
as I did just there and it will open up the program.

21
00:00:48,310 --> 00:00:50,330
Now FTK Imager does allow you to do

22
00:00:50,330 --> 00:00:53,160
a bit of looking through the files

23
00:00:53,160 --> 00:00:55,110
but in this case we're going to first look at

24
00:00:55,110 --> 00:00:57,800
collecting the image for a forensic image.

25
00:00:57,800 --> 00:00:59,560
So you're going to go to File,

26
00:00:59,560 --> 00:01:03,160
and then go down to Create Disk Image.
27
00:01:03,160 --> 00:01:05,180
Then you'll select whether it's a physical drive,

28
00:01:05,180 --> 00:01:09,160
a logical drive, an image file, the contents of a folder,

29
00:01:09,160 --> 00:01:11,620
or multiple CDs and DVDs.

30
00:01:11,620 --> 00:01:13,580
In my case it is a physical drive

31
00:01:13,580 --> 00:01:16,820
because it's a USB thumb drive, and I'll click Next.

32
00:01:16,820 --> 00:01:18,540
And then I'm going to select the drive,

33
00:01:18,540 --> 00:01:20,680
and in my case it's PHYSICALDRIVE1;

34
00:01:20,680 --> 00:01:23,500
it is a Memorex 2 GB USB thumb stick,

35
00:01:23,500 --> 00:01:25,350
and I'll hit Finish.

36
00:01:25,350 --> 00:01:27,650
At this point it'll ask where I want to save

37
00:01:27,650 --> 00:01:29,360
the file that I'm going to create.

38
00:01:29,360 --> 00:01:32,480
So, I'm going to go ahead and do it as a Raw (dd) image

39
00:01:32,480 --> 00:01:35,300
because any forensic tool can use that.

40
00:01:35,300 --> 00:01:38,120
Whereas E01 is reserved for EnCase,

41
00:01:38,120 --> 00:01:40,940
and AFF is reserved for FTK.

42
00:01:40,940 --> 00:01:44,230
Then select Next, you can give it the information you want;

43
00:01:44,230 --> 00:01:46,517
in my case I'm just going to call this Case01.

44
00:01:47,434 --> 00:01:50,270
Evidence number, we'll call that 01.

45
00:01:50,270 --> 00:01:54,790
Unique description, USB 2GB Drive.

46
00:01:54,790 --> 00:01:57,610
The examiner was my name, Jason Dion,

47
00:01:57,610 --> 00:01:59,180
and any notes you may have.

48
00:01:59,180 --> 00:02:02,890
Then click Next, select where you want it to be stored;

49
00:02:02,890 --> 00:02:05,390
in my case I'm just going to save it directly to my desktop

50
00:02:05,390 --> 00:02:06,920
so I can find it easily.

51
00:02:06,920 --> 00:02:08,860
And then what is the file name going to be called?

52
00:02:08,860 --> 00:02:13,530
I'm going to call it USB2GB.dd

53
00:02:13,530 --> 00:02:15,980
for the dd image.
54
00:02:15,980 --> 00:02:19,640
And then I will hit Finish and I will start.

55
00:02:19,640 --> 00:02:21,550
And when I'm done it's going to verify images

56
00:02:21,550 --> 00:02:24,359
after they're created, which will create the hash for me.

57
00:02:24,359 --> 00:02:26,590
And we will go ahead and hit Start,

58
00:02:26,590 --> 00:02:27,960
and off it will go.

59
00:02:27,960 --> 00:02:29,360
Now this will take a couple of minutes

60
00:02:29,360 --> 00:02:31,830
because it is a 2 GB thumb stick,

61
00:02:31,830 --> 00:02:34,420
and 2 GB is quite a bit of data to be imaging.

62
00:02:34,420 --> 00:02:37,710
So it will probably take us about five minutes.

63
00:02:37,710 --> 00:02:39,850
So I will speed up the video so you don't have to sit here

64
00:02:39,850 --> 00:02:41,310
and watch it count for five minutes.

65
00:02:41,310 --> 00:02:43,743
And then I'll come back, and we'll talk about it.

66
00:02:49,288 --> 00:02:51,700
So as you can see, it took about two minutes

67
00:02:51,700 --> 00:02:54,360
for it to copy the 2 GB drive.

68
00:02:54,360 --> 00:02:56,200
And now it's going through a verification,

69
00:02:56,200 --> 00:02:58,000
which is creating the hash.

70
00:02:58,000 --> 00:03:01,015
This is going to take us maybe about 20 seconds.

71
00:03:01,015 --> 00:03:04,240
And as soon as it's done, we get our drive results.

72
00:03:04,240 --> 00:03:05,980
So let's scroll up here and we can look at this.

73
00:03:05,980 --> 00:03:07,270
So you'll have the name of the drive,

74
00:03:07,270 --> 00:03:11,570
which in my case is USB2GB.dd.001,

75
00:03:11,570 --> 00:03:13,630
which is the first file.

76
00:03:13,630 --> 00:03:15,750
The sector count that's going to be involved,

77
00:03:15,750 --> 00:03:16,980
you'll see the hash,

78
00:03:16,980 --> 00:03:19,090
the reported hash, and the computed hash.

79
00:03:19,090 --> 00:03:20,680
And they both match, and they should

80
00:03:20,680 --> 00:03:22,410
because that's what we just did.
81
00:03:22,410 --> 00:03:24,450
And then it'll also give you a SHA1

82
00:03:24,450 --> 00:03:26,550
computed hash and reported hash.

83
00:03:26,550 --> 00:03:28,820
And there were no bad blocks in the image.

84
00:03:28,820 --> 00:03:30,560
So we can go ahead and hit Close

85
00:03:30,560 --> 00:03:33,100
and then we can hit Close again.

86
00:03:33,100 --> 00:03:34,470
Now let me minimize this

87
00:03:34,470 --> 00:03:36,810
and you'll be able to see the disk image.

88
00:03:36,810 --> 00:03:39,320
It is going to sit here inside the Jason Dion folder,

89
00:03:39,320 --> 00:03:41,950
which is my administrative account, and on the desktop.

90
00:03:41,950 --> 00:03:44,500
You'll see that there are a couple of files here.

91
00:03:44,500 --> 00:03:48,820
There is 001 and 002; now what is the difference?

92
00:03:48,820 --> 00:03:52,350
Well, if you'll notice, this is only a 1.5 GB image.

93
00:03:52,350 --> 00:03:54,310
That's where the software by default

94
00:03:54,310 --> 00:03:55,810
is going to break these into chunks.

95
00:03:55,810 --> 00:04:00,390
So if you have a 1 TB hard drive, every 1.5 GB or so,

96
00:04:00,390 --> 00:04:02,900
it's going to chunk that into a separate file.

97
00:04:02,900 --> 00:04:05,410
That's okay because it's going to be able to read that

98
00:04:05,410 --> 00:04:07,220
as I bring that back into the software.

99
00:04:07,220 --> 00:04:08,920
And then you'll see this text file,

100
00:04:08,920 --> 00:04:11,490
which is just going to have the summary contents for us.

101
00:04:11,490 --> 00:04:13,810
So it tells us it was created by FTK.

102
00:04:13,810 --> 00:04:15,810
And this is part of our chain of custody now.

103
00:04:15,810 --> 00:04:17,680
It's going to tell us what the drive looked like,

104
00:04:17,680 --> 00:04:19,460
it's going to tell us what the device looked like,

105
00:04:19,460 --> 00:04:20,720
and its serial number.
106
00:04:20,720 --> 00:04:22,660
And it's going to give us the computed hashes

107
00:04:22,660 --> 00:04:24,810
and the reported hashes that we did,

108
00:04:24,810 --> 00:04:26,850
as well as our verified hashes.

109
00:04:26,850 --> 00:04:29,470
So this was the hash before we took the image,

110
00:04:29,470 --> 00:04:32,530
and this is the hash after we copied the image.

111
00:04:32,530 --> 00:04:34,493
Now if you want to open this file,

112
00:04:34,493 --> 00:04:38,340
we're going to do that inside of FTK and we can analyze it.

113
00:04:38,340 --> 00:04:41,500
So we'll do File, we'll Add Evidence Item;

114
00:04:41,500 --> 00:04:43,560
it's going to be an image file this time

115
00:04:43,560 --> 00:04:45,150
because we just created the image.

116
00:04:45,150 --> 00:04:46,650
And then we're going to find it.

117
00:04:46,650 --> 00:04:48,530
And it is sitting inside

118
00:04:48,530 --> 00:04:50,940
my Jason Dion folder on the desktop.

119
00:04:50,940 --> 00:04:53,520
And you'll open up the first one, 001,

120
00:04:53,520 --> 00:04:56,690
and it'll open 001 and 002 for me.

121
00:04:56,690 --> 00:04:59,670
The drive shows up here in the Evidence Tree.

122
00:04:59,670 --> 00:05:02,560
Now, as you open it, you'll see the partitioned

123
00:05:02,560 --> 00:05:04,490
and the unpartitioned space.

124
00:05:04,490 --> 00:05:06,740
So any files that may have been hidden

125
00:05:06,740 --> 00:05:09,455
would show up in this unallocated space.

126
00:05:09,455 --> 00:05:13,140
Now if I open up the drive itself, it was FAT32.

127
00:05:13,140 --> 00:05:15,810
And I can look at the root of the drive.

128
00:05:15,810 --> 00:05:18,630
And you will see the different types of files on it.

129
00:05:18,630 --> 00:05:21,770
Notice the ones with the X's here, this .mpg.

130
00:05:21,770 --> 00:05:24,560
This is a deleted file, but I can see it

131
00:05:24,560 --> 00:05:26,970
because of these forensic techniques that we're using.
132
00:05:26,970 --> 00:05:28,730
And you can see all sorts of different music

133
00:05:28,730 --> 00:05:30,190
that I used to have on this thumb drive

134
00:05:30,190 --> 00:05:32,090
that has been deleted at some point.

135
00:05:32,090 --> 00:05:34,010
And some of these files can be restored

136
00:05:34,010 --> 00:05:36,330
using this forensic software.

137
00:05:36,330 --> 00:05:38,070
The other thing we're going to be looking for here

138
00:05:38,070 --> 00:05:41,270
is we can scroll down and see anything that's been deleted;

139
00:05:41,270 --> 00:05:43,080
you can see all of those files,

140
00:05:43,080 --> 00:05:45,260
and you'll be able to see the ones that are not deleted.

141
00:05:45,260 --> 00:05:47,010
So let's look at the date modified.

142
00:05:47,010 --> 00:05:50,570
What were the most recently touched things on the system?

143
00:05:50,570 --> 00:05:52,400
Well, this deleted folder was.

144
00:05:52,400 --> 00:05:55,680
So maybe the bad guy was trying to hide something from us.

145
00:05:55,680 --> 00:05:56,760
And so I can actually go in

146
00:05:56,760 --> 00:05:59,170
and restore that and look at that.

147
00:05:59,170 --> 00:06:01,630
Then you can see these other files that are sitting here.

148
00:06:01,630 --> 00:06:03,200
Again, these are in the slack space

149
00:06:03,200 --> 00:06:06,350
because they were deleted a long time ago.

150
00:06:06,350 --> 00:06:08,410
Now this again is not a forensics course,

151
00:06:08,410 --> 00:06:10,140
where I'm going to teach you everything about how to do this.

152
00:06:10,140 --> 00:06:11,980
I just want to show you some of the capabilities,

153
00:06:11,980 --> 00:06:14,880
that you can go back and pull some of this information.

154
00:06:14,880 --> 00:06:17,300
So if we open this we can see inside this folder.

155
00:06:17,300 --> 00:06:19,440
There were all of these different slides.

156
00:06:19,440 --> 00:06:21,540
And so maybe if I open this slide, oh look.
157
00:06:21,540 --> 00:06:24,810
We can find this deleted folder and see what it looked like.

158
00:06:24,810 --> 00:06:28,560
It looked like an in-brief for some sort of operation.

159
00:06:28,560 --> 00:06:29,870
Now what is this really?

160
00:06:29,870 --> 00:06:31,840
Well, this was something I did for my church.

161
00:06:31,840 --> 00:06:33,870
We did a spy night for the kids,

162
00:06:33,870 --> 00:06:35,180
and these are some old files

163
00:06:35,180 --> 00:06:37,930
from that spy night folder that we used.

164
00:06:37,930 --> 00:06:39,820
But that's the idea here, is that you can go back

165
00:06:39,820 --> 00:06:42,315
and restore some of these things

166
00:06:42,315 --> 00:06:45,110
and be able to see what the bad guy was trying to hide

167
00:06:45,110 --> 00:06:47,050
as you go through and do the analysis.

168
00:06:47,050 --> 00:06:48,300
That's the benefit of this.

169
00:06:48,300 --> 00:06:50,230
And we're doing this off the disk image,

170
00:06:50,230 --> 00:06:51,960
not the drive we originally collected,

171
00:06:51,960 --> 00:06:53,203
because that USB drive is not even

172
00:06:53,203 --> 00:06:55,160
plugged into the computer anymore,

173
00:06:55,160 --> 00:06:56,410
because we don't need it.