Step Action – Create a Forensic Image with a GUI Tool

1. Create a folder on your Desktop and name it “Forensic Image.”
2. Download the Assignment 2 Step Action Template from these assignment directions.
3. Download and install FTK Imager from https://accessdata.com/product-download/ftk-imager-version-4-3-0 . You will be asked some questions before the link to download is sent to your email address.
4. Take a USB (preferably one of smaller storage; 4 or 8 GB) of your choice and place the file you created for Written Assignment #1 in Week 3 (dog.docx) on it. Then, connect the USB to your computer’s USB port.
5. Launch FTK Imager.
6. From the main menu select “File” and then choose “Create Disk Image…”

Create a screenshot of this and paste it here.

7. To perform an acquisition, where all allocated and unallocated space is acquired, select “Physical Drive” (the one for the USB – it will be smaller in size apart from the main disk on your computer) in the “Select Source” window and then click the “Next” button.
8. Identify the source to be acquired (in this case, it is the USB drive) in the pull-down menu and click the “Finish” button.

Create a screenshot of this and paste it here.

9. After the source of the acquisition has been identified, the destination or target for the acquisition must be identified. Click the “Add…” button to provide the specifics for the destination.
10. Select the E01 format for the forensic image in the “Select Image Type” window and click the “Next” button.

Create a screenshot of this and paste it here.

11. In the “Evidence Item Information” window, enter descriptors for the evidence. This information is optional and you can just name it whatever you want. Click the “Next” button, when complete.
12. In the “Select Image Destination” window, identify the destination of the forensic image and the name for the image (where you are going to put this forensic image on your computer; in this case, put it in the folder named “Forensic Image” on the Desktop). By default, FTK Imager will split the forensic image across multiple files once the file size reaches 1,500 MB. This value can be changed. But do not change it for this exercise. Compression is applied to the forensic image by default.
13. If the forensic image will not fit on the target destination, click the “Add Overflow Location” to identify alternate locations for files, which do not fit on the destination media. By default, FTK Imager will hash the original media with the MD5 and SHA1 algorithms and then verify the forensic image with the same algorithms. Click the “Start” button to start the acquisition.

Create a screenshot of this and paste it here.

14. As the forensic image is created, a progress bar will display the results.
15. At the conclusion of the acquisition, FTK Imager will display the results of the verification of the forensic image and compare those results to the original. Note that the “Verify Result” for the MD5and SUA 1 hashes are listed as “Match.” This confirms that the forensic image is an exact copy of the original media.
16. At the conclusion of the acquisition, the time expended to complete the acquisition is displayed.

Create a screenshot of this and paste it here.

17. Within the same directory as the forensic image files will be a text file. This text file contains the details of the forensic image, information regarding the media, the file hashes, and details provided by the forensic examiner. Include the text file with your submission.
18. Download the Autopsy Once installed, follow the prompts to open a case (you can make this information up). Open the .E01 file of the USB with the Autopsy software (File and then Open). Once the image processes, you should be able to “examine” the dog.docx file you placed onto the USB. Use the search function to search for the file or text within the document. Explore the software and its capabilities. Have fun with it. Youtube is full of short tutorials on how to use Autopsy to search forensic images. Here is an example:

https://www.youtube.com/watch?v=v7ZO0AdK4tU