Welcome back to the Computer Forensics path, course 11. We're talking about creating a forensic disk image, and in module four we're going to talk about creating and validating our forensic disk image. So far we've covered sterile media. We've talked about how important it is to write our evidence files to media that is free of any other data. We've also talked about validating our tools. In this module, we're going to talk about how we actually create the forensic image itself and validate it.

Now, copying versus imaging. A full forensic copy, otherwise known as an image, will contain allocated files, file slack, deleted files, all of the unallocated space, unused space, and the HPA and the DCO if there is one. HPA stands for host protected area, and the DCO (device configuration overlay) is an area that is used to resize the drive; both are set up by the manufacturer of the drive. You want to make sure that your forensic tool is able to read those areas. All modern forensic software will cover the HPA and the DCO.

Now, if we just copy a file, like in Windows Explorer where we right-click and copy a file, all we're getting is the allocated file and the file slack. You're not getting any of the unallocated space, deleted files, or unused space on that disk, or any of the operating system. When you make a full forensic image, you are copying from physical byte zero all the way through to the end of that drive, everything.

Forensic copying versus cloning. The difference between making a forensic copy and cloning a drive: when you clone a drive it is a bit-by-bit copy of the original drive onto a drive of the same size or larger. So you're physically copying that drive; you're cloning that drive. You could put that drive in your computer and boot it. If the target drive is larger, the remaining space that is not taken up by the clone should be backfilled with zeros, and if you thoroughly wipe your media it will already be filled with zeros.
And this is creating a clone of the original drive, not creating a forensic copy.

Forensic evidence files also contain a bit-by-bit copy of the original evidence. Everything will still be there. But these are container files; they're actually files, so they may contain some extra data like a header or a checksum for error checking. This will not affect our hash value, because when we hash, it is only going to hash the data; it's not hashing the header and the checksums. You can have compression with these forensic image files. The E01 can be compressed, so we could put that on media that is smaller than the original evidence, and you may want to use that format to save space. But remember, these are forensic evidence files. They are container files, and it is really hard to alter them. You would actually have to go into a hex editor and physically alter them. Whereas when you're doing a forensic copy by cloning, it is very easy to damage the evidence on the clone. So you want to be very careful.

Types of evidence files. Well, we have the DD, which is actually the same; it will be the same size. There's no compression in a DD, so it will be the same size as the original evidence. Like I said before, the E01 is compressed, and so are the AFF and the SMART. And there are many more types of forensic evidence files.

Remember our target drive. We're going to use sterile media, and it must be at least the same size or larger than the original evidence drive if we're using a non-compressed image. For your target drive, you also have to think about the format. This becomes important when, say, you're taking a forensic image of a Mac computer and you're going to examine that on a Windows computer. You need a file system that can cross platforms, and that would be exFAT. exFAT will work in Mac or Windows or even Linux. So if you have a target drive formatted exFAT, you could use it on any of those operating systems.
So when you have your target drives, make sure you have them formatted in different file systems. You probably want one formatted for Windows, you probably want one exFAT, and you may want one APFS, depending on what you routinely examine and what your examination machine is. If you're examining a Mac computer, you want to use a Mac computer. You don't want to try to examine a Mac on a Windows machine, because you may miss some important data.

When we're creating our forensic evidence files, we're going to create an image of a drive, and this would be traditional dead-box forensics. We would remove the evidence drive from the computer. We would use our target drive that we've already prepared. We would have already validated our write blocker and validated our imaging software. We're going to connect our hardware write blocker to our evidence drive, and we're going to connect that to the computer.

This is showing you what a hardware write blocker looks like. You can see here the evidence drive is connected to it, and you can see it's an Intel solid state drive. The wire that is red, black and yellow is the power connector. The wire that is solid black, going from the write blocker to the evidence drive, is our SATA cable; this is a SATA drive. On the left-hand side we have a blue cord that is a USB cord, and that needs to be connected to our forensic station. The black cord above that is the power cord. You can see here I have my target drive, labeled "target drive", we have our write blocker, and over to the right we can see it is connected to our evidence, and that is connected to our computer. This is how the setup would look for a hardware write blocker. This one happens to be a Tableau, but there are many other brands out there on the market.

The imaging process. Once we've got our write blocker connected and we're ready to go, we're going to pre-hash: we're going to take a hash value with some type of imaging software, whichever you choose.
And we're going to pre-hash the original evidence. Then we're going to create a forensic image of the original evidence. Once the image is completed, we're going to validate the image: we're going to take a hash value of the image, and the hash value of the image file that we just created should match the hash value of the original evidence that we took before. Once we've done that, we're going to do a post-hash of the original evidence. We're going to hash that original evidence drive one more time, just to show we have not made any changes to the original evidence. Once you've done that, you're going to shut your write blocker off, disconnect your evidence drive, and put it away. We're not touching the original evidence again; we're going to work off of our image file.

We're going to do a walkthrough of imaging. The items we're going to need: our NTFS VHD and FTK Imager. We're going to make a forensic image of our NTFS VHD using FTK Imager.

In this walkthrough we're going to create a disk image using our NTFS VHD and FTK Imager. We're going to use Imager to create a forensic image of the VHD. Go to Disk Management and attach your VHD. Again, if you don't remember how to do that: Action, Attach VHD, browse to where the virtual hard drive is stored, select it, click Open, click OK, and the VHD will mount. Once your VHD is mounted, note the disk number, because we're going to be imaging the physical drive, the entire disk. Mine is Disk 11; yours will probably be different.

Now we're going to launch FTK Imager. Once Imager opens, we're going to go to File, Create Disk Image. It's going to be a physical drive, and we're going to click Next. Now we're going to use the drop-down arrow to select our drive. Mine was Drive 11; select it. Once you've done that, click Finish. First we select the type. I'm going to pick Raw (dd) because that is the quickest, but we could go with an E01, a SMART, or an AFF.
I'm going to click Next. Then you give it your case number and evidence item number, you describe it, you put your name in as the examiner, and you can add any notes if you'd like. Then hit Next. Now it's asking for the image destination folder. So I'm going to browse out to my desktop and I'm going to make a new folder, and I'm going to call it NTFS_VHD_image. I'm going to go ahead and select that folder and click OK. Now give it a file name, but don't put a file extension. I'm going to call it class image; you can call it whatever you want. You normally name it something like the case number. For fragment size I'm going to put none, and for compression, since I'm doing a raw dd, there is none. If I was doing an E01 or another type of image there would be some compression. I'm going to click Finish. I'm going to check Verify images after they are created. I'm not going to check any of these other boxes, but you could create a directory listing of all the files in the image after it is created, which may be helpful in some cases. We can talk about that throughout this path, but for now I'm going to hit Start. You can see that it's processing very quickly because it's small, and now it is verifying the image.

Now when Imager finishes, you're going to have information on the screen, so let's take a look at that. We have our sector count, we have the name of the image, and we have the MD5 and SHA1 hash values. What FTK Imager is doing is hashing the source and hashing the image: it's hashing my source, hashing the image it created, and it's telling me that they match and no bad sectors were found. Now you can go ahead and close this, because Imager does keep a record of it. If you click on Image Summary, we can see the record, and it has the case information that I added in. It tells you the name of the software that created it and the version, and it gives you some drive geometry: bytes per sector and the total sector count.
And it shows you the MD5 and SHA1 checksums. It also tells you the time you started your acquisition and the time you finished your acquisition. It also tells you the time the verification started, that is, the MD5 and SHA1 hashes being created, and when the verification finished. This is all saved out to a text file, so you can go ahead and close that.

Now let's go ahead and look at our image. I saved that out on my system in a folder called NTFS_VHD_image, and if we look there, we can see we have the one image file and we have the text file. If you look at the text file, it opens up in Notepad and it has all that information that we talked about. It shows the case number, the item number, and all the information that I put in. It tells you the source is physical. And again we see the hash values, and all the information we looked at in the image summary that was on the screen is saved to this nice text file for us, including when we started and when we finished with both the acquisition and the verification. So this is going to be important information that you want documented, and FTK does provide that documentation for you when you're creating an image. If you're just doing a hash value or verifying an image, it does not save a file, and that's when we need to save that information ourselves, either through a screenshot or a snip or however you want to document that.

Now I'm going to take a look at my image, so I'm going to go to File, Add Evidence Item. It is an image file. I'm going to browse to where I saved it, which was on my desktop in that folder. I'm going to select the .001 file and click Open, and then I'm going to click Finish, and we can see all our partitions laid out. We can see our file system is FAT32, we have another one that's NTFS, and we can see our extended partition also and the extended logical partitions within it.
You can drill down further, and we see some of the documents we've seen throughout this path; you can scroll through and look at the information. We see all the files and folders we have been working with throughout the path on our NTFS VHD. So we've successfully created our first forensic image. In the next module we're going to talk about using the Linux dd, dcfldd, and dc3dd commands to create a forensic image. End of walkthrough.
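The pre-hash, image, verify, post-hash workflow that FTK Imager carries out in the walkthrough above, together with the zero backfill a clone onto a larger target needs, as an added Python example that is not part of the course and not FTK Imager's code. It works on an ordinary file standing in for the evidence drive (a constructed 64-sector byte string, not a real disk) so it runs offline; on a real acquisition the source path would be the write-blocked physical device instead, and the .001 extension and the text log only mimic the naming Imager used in the walkthrough. The record it returns is what you would want in your own notes when a tool does not write a log for you.

```python
"""Added example (not FTK Imager's code): raw dd-style acquisition with
pre-hash, image, verify and post-hash, plus a clone with zero backfill.
The "evidence drive" is a constructed file so the script runs offline."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512                 # bytes per sector reported in the log
CHUNK = SECTOR * 2048        # read/write 1 MiB at a time


def now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def hash_file(path, algorithms=("md5", "sha1")):
    """Hash a file in chunks; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_raw_image(source, image_path, log_path):
    """Pre-hash the source, copy byte zero to the end into a raw image,
    hash the image, then post-hash the source. Returns the record that is
    also written to log_path; 'verified' is True only if all three match."""
    size = os.path.getsize(source)
    rec = {"source": source, "image": image_path, "bytes_per_sector": SECTOR,
           "sector_count": -(-size // SECTOR)}          # round up a partial sector
    rec["acquisition_started"] = now()
    rec["source_pre_hash"] = hash_file(source)          # 1. pre-hash the original
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)                            # 2. image every byte
    rec["acquisition_finished"] = now()
    rec["verification_started"] = now()
    rec["image_hash"] = hash_file(image_path)           # 3. hash the image
    rec["source_post_hash"] = hash_file(source)         # 4. post-hash the original
    rec["verification_finished"] = now()
    rec["verified"] = (rec["source_pre_hash"] == rec["image_hash"]
                       == rec["source_post_hash"])
    with open(log_path, "w") as log:                    # keep our own record
        for key, value in rec.items():
            log.write(f"{key}: {value}\n")
    return rec


def clone_to_target(source, target, target_size):
    """Bit-for-bit clone onto a target of the same size or larger; space
    past the end of the source is backfilled with zeros.
    Returns (bytes_copied, bytes_zeroed)."""
    size = os.path.getsize(source)
    if target_size < size:
        raise ValueError("target must be at least as large as the evidence")
    with open(source, "rb") as src, open(target, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
        remaining = target_size - size
        while remaining:
            n = min(remaining, CHUNK)
            dst.write(b"\x00" * n)
            remaining -= n
    return size, target_size - size


def build_constructed_evidence(path, sectors=64):
    """Write a constructed stand-in for an evidence drive: a sector with a
    boot signature, one 'allocated' file, one 'deleted' remnant, then zeros."""
    data = [b"\x00" * 510 + b"\x55\xaa",
            b"allocated file: case notes".ljust(SECTOR, b"\x00"),
            b"deleted file remnant in unallocated space".ljust(SECTOR, b"\x00")]
    data += [b"\x00" * SECTOR] * (sectors - len(data))
    with open(path, "wb") as f:
        f.write(b"".join(data))


def run_demo():
    """Acquire and clone the constructed evidence in a temp directory."""
    tmp = tempfile.mkdtemp(prefix="acq_")
    evidence = os.path.join(tmp, "evidence.bin")
    image = os.path.join(tmp, "case001.001")    # raw segment named like Imager's .001
    build_constructed_evidence(evidence)
    rec = acquire_raw_image(evidence, image, image + ".txt")
    clone = os.path.join(tmp, "clone.bin")
    copied, zeroed = clone_to_target(evidence, clone, target_size=128 * SECTOR)
    with open(clone, "rb") as f:
        head, tail = f.read(copied), f.read()
    return {"record": rec,
            "clone_head_sha1": hashlib.sha1(head).hexdigest(),
            "clone_tail_is_zero": tail == b"\x00" * zeroed}


if __name__ == "__main__":
    result = run_demo()
    print("verified:", result["record"]["verified"],
          "sectors:", result["record"]["sector_count"])
```

Three hashing passes over the source is the price of this workflow (pre-hash, verification of the image, post-hash), which is why imaging tools compute the hashes while they copy; MD5 and SHA1 are used here only because those are the values Imager displays in the walkthrough, and a larger hash can be added to the `algorithms` tuple without changing anything else.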