Hello and welcome back to the Windows forensics path. In this course, we're going to be talking about creating a disk image. Throughout this course, we're going to be talking about sterilizing our target media, making sure our target media is clean before we add our evidence files to it. We'll talk about validating our tools, making sure that the tools we're going to use are functioning properly. We'll talk about write blockers, how we use them, and why we use them. We're going to talk about creating and validating a forensic image: how we create the image, and how we go about validating it to show that no changes were made to the original evidence. We're going to talk about the dd and dcfldd commands, which are used to create a disk image. In module 1 of this course, we're going to talk about how we sterilize our target media. Why do we use sterile media for our evidence collection? Well, we want to ensure that there is no pre-existing data on the target drive. We want to make sure that the device we're copying our evidence to is completely free of any other data. We do this to avoid cross-contamination, to make sure that there's no other data on there that does not belong to our forensic disk image. When would we want to use sterile media? We always want to use sterile media when we're collecting evidence, that is, whenever you're copying your forensic image files to your evidence drives. Now we have to take a few things into consideration. One thing is that deleting a file, as we've seen throughout this path, does not necessarily remove data from the drive, so we can't just delete all the data on the drive; we have to actually forensically wipe the drive. Also, formatting a drive does not remove all the data from the drive. New drives that you buy at the store usually have some data on them: they're going to be formatted with a file system, and they also usually have some type of data from the manufacturer. Remember: never trust, always wipe.
If somebody gives you a drive and asks you to copy some data onto it for them, always tell them that you are going to wipe the drive before you copy the evidence files to it. Never trust, always wipe. When we're doing our forensic disk wiping, we want a consistent output and we want something that's reproducible. What we do is write the entire disk with all zeros. This gives us the same result every time, and we verify it with a Checksum-64; we're going to do that in our walkthrough. The tools we're going to need for our walkthrough: we're going to need Active@ KillDisk, we're going to need HxD, and we're going to need a small-capacity USB flash drive. Okay, we're going to do a sterile media walkthrough. We are going to forensically wipe our target media and then verify the wipe. The drive I'm going to wipe is this one I've labeled "target media". I highly recommend that you label your target drives something specific so you can be sure you're wiping the correct drive, because you don't want to wipe an evidence drive by mistake. Once we've opened up Active@ KillDisk, we're going to locate our drive. Mine is right here: target media, drive letter F, physical disk 10. Yours may be different, and probably will be, so make sure you're on the correct drive. Once you're there, you select it simply by clicking on it. Now it's going to describe it over here on the right-hand side: it'll tell you the size, the free space, the allocated space, and some of the drive geometry. So once you're sure you're wiping the correct drive with KillDisk, you're going to select it. You're going to select to wipe the entire drive, so you want to make sure the whole thing is yellow over here. The whole thing should be highlighted, the entire drive, and you're going to select "Erase disk". Now make sure you're selecting "Erase disk", not "Wipe disk".
"Wipe disk" does not wipe the entire drive; it only wipes the unused space on the partitions, so it just cleans up free space on your disk. You want to make sure you're selecting "Erase disk". Once you've done that, it's going to show you the drive you're wiping, and you're going to select all disk space. We can go with one pass of zeros. We're not going to verify the erasure with this program; we're going to use a separate one. We're not going to initialize the disk after erasure, because we want to confirm the disk has been completely erased before we initialize it. We're going to hit "Start". It's going to ask you to confirm by typing the phrase it shows (erase all data) in all caps. Once you've done that, you can click "Okay", and this is a very small drive, so it should wipe fairly quickly. Once the drive is wiped, you will get a message saying either success or that there were some errors. If there are errors, you need to check them: it does have a log, and it also has a results pane. Now that we've done that, we can go ahead and close this. Now what we're going to do is use HxD to verify that our drive has been wiped, and we're going to use a Checksum-64. If we wiped the disk with all zeros, our Checksum-64 should be all zeros. Once we've opened HxD, make sure you are running it as Administrator or you won't be able to open the disk, and we're going to select our drive. We want to select the physical disk. Mine is down here, removable disk 1; it shows the size, but the drive label is gone because we wiped the drive. Select your drive and click "Okay" and it will open up. Now what we want to do is perform our Checksum-64. So we're going to go to Analysis, Checksums, and we're going to select Checksum-64, and we're going to click "Okay". Because my target drive is small, it will run quickly; this will take a lot longer on a full-size drive. We can see the results: my Checksum-64 is all zeros, which is what I expected it to be. One caveat: Checksum-64 is an additive checksum, so a zero result is what a clean wipe must produce, but it is not proof on its own that every byte is zero, since non-zero words can wrap around and cancel to zero. For a stronger check, compute a cryptographic hash such as SHA-256 of the drive and compare it with the hash of a zero-filled file of the same size.
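The verification step above, as an added example that is not part of the course and not the author's tooling: a small Python script that streams once through a device or image file and computes an additive 64-bit checksum (modelled here as a sum of little-endian 64-bit words modulo 2^64, an assumption about how HxD's Checksum-64 works), the SHA-256 of the whole device compared against the SHA-256 of a same-size run of zeros, and the offset of the first non-zero byte if the wipe was incomplete. The device path (r"\\.\PhysicalDriveN" on Windows, /dev/sdX on Linux), the function and class names, and the constructed "clean" and "dirty" sample files in demo() are all this example's own choices. It also shows why the additive checksum alone is not enough: two obviously non-zero words sum to zero.

```python
"""Verify that a target device or image file has been wiped to all zeros.

Added example, not code from the course. Point verify_zeroed() at
r"\\.\PhysicalDriveN" (Windows, run as Administrator) or /dev/sdX (Linux,
as root), or at an image file. Raw-device reads must be sector aligned;
the 1 MiB chunk size below is.
"""
import hashlib
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import Optional

CHUNK = 1 << 20            # 1 MiB per read; a multiple of any sector size
MASK64 = (1 << 64) - 1


def checksum64(data: bytes, running: int = 0) -> int:
    """Additive checksum of little-endian 64-bit words, modulo 2**64.

    Assumption: this models HxD's Checksum-64. HxD's exact definition may
    differ, but every additive checksum shares the weakness shown by
    collision_sample().
    """
    pad = (-len(data)) % 8                      # zero-pad a trailing partial word
    if pad:
        data += b"\0" * pad
    words = struct.unpack(f"<{len(data) // 8}Q", data)
    return (running + sum(words)) & MASK64


def expected_zero_sha256(size: int) -> str:
    """SHA-256 of `size` zero bytes, streamed so a full disk never sits in RAM."""
    h = hashlib.sha256()
    zeros = bytes(CHUNK)
    while size > 0:
        n = min(size, CHUNK)
        h.update(zeros[:n])
        size -= n
    return h.hexdigest()


@dataclass
class WipeReport:
    size: int
    checksum64: int
    sha256: str
    first_nonzero: Optional[int]                # byte offset, or None if all zeros

    @property
    def is_zeroed(self) -> bool:
        """True only when the byte scan found nothing; never trust the checksum alone."""
        return self.first_nonzero is None

    @property
    def sha256_matches_zero_run(self) -> bool:
        return self.sha256 == expected_zero_sha256(self.size)


def verify_zeroed(path: str) -> WipeReport:
    """One sequential pass over the device computing all three checks."""
    h = hashlib.sha256()
    csum = 0
    offset = 0
    first_nonzero = None
    with open(path, "rb", buffering=0) as f:
        while True:
            data = f.read(CHUNK)
            if not data:
                break
            h.update(data)
            csum = checksum64(data, csum)
            if first_nonzero is None and data.count(0) != len(data):
                # Record where the wipe missed, for the log/screenshot.
                first_nonzero = offset + next(i for i, b in enumerate(data) if b)
            offset += len(data)
    return WipeReport(offset, csum, h.hexdigest(), first_nonzero)


def collision_sample() -> bytes:
    """Two words that are clearly not zero but sum to 0 modulo 2**64."""
    return struct.pack("<QQ", 1 << 63, 1 << 63)


def demo(size: int = 2 * CHUNK + 4096, stray_at: int = CHUNK + 7) -> dict:
    """Build two constructed sample 'drives' (plain files) and verify each.

    'clean' is all zeros; 'dirty' has a single 0xFF byte left at stray_at,
    like a sector the wipe missed. Both are temporary files made here.
    """
    reports = {}
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.img")
        dirty = os.path.join(d, "dirty.img")
        with open(clean, "wb") as f:
            f.write(bytes(size))
        with open(dirty, "wb") as f:
            f.write(bytes(size))
            f.seek(stray_at)
            f.write(b"\xff")
        reports["clean"] = verify_zeroed(clean)
        reports["dirty"] = verify_zeroed(dirty)
    reports["collision_checksum64"] = checksum64(collision_sample())
    return reports


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

Against a real target drive you would call verify_zeroed() on the device path, record the SHA-256 and first_nonzero (which should be None) alongside the HxD screenshot, and only then format and relabel the drive; formatting writes file system structures, so the all-zeros check is only meaningful before that step.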
Now I would want to copy that out or take a screenshot of my checksum results to show that I've wiped my target drive; I would want to document that somewhere. Once your target drive is wiped and the wipe is documented, you can go ahead and format it and relabel it with something you will recognize as your target drive when you plug it into the suspect's computer. That is the end of our walkthrough on how to sterilize our target media before use. In our next module, we are going to be talking about validating our forensic tools.