Presentation is loading. Please wait.

Presentation is loading. Please wait.

CHFI & Digital Forensics [Part.1] - Basics & FTK Imager

Published byAndra Terry Modified over 6 years ago

Similar presentations

Presentation on theme: "CHFI & Digital Forensics [Part.1] - Basics & FTK Imager"— Presentation transcript:

1 CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
Slides are available in description box

2 CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
What will we cover in this Series of “CHFI & Digital Forensics” ? Digital Forensic : ‘Theory + Tools & Lab Demo’ Digital Forensics with ‘Kali Linux’ (e.g. Creating Disk Image, Hashing a Disk Image, ‘Write Blocking’ a Disk Image e.t.c.) (e.g. FTK Imager, FTK Imager & WinHex, WinHex & DiskExplorer, FTK & ProDiscover) CHFI : ‘Theory + Tools & Lab Demo’ CHFI : ‘Exam Guide, Questions/ Answer Talk Section’

3 CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
“Digital forensics deals with determining who was responsible for a digital intrusion or other computer/cyber crime” “A large part of digital forensics is working on cases to process and analyze digital evidence collected from crime scenes” “The process of working on a digital forensics case include creating disk image (copies of the original suspect’s drive), hashing or verifying the integrity of the disk image, write blocking the disk image (setting it to read-only to verify disk image integrity), and analyzing the drive and its contents.”

4 CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
Kali Linux Forensic Tools : “Kali Linux has a built in tools for Forensics. There are number of tools, divided into categories, as shown in figure” “I will also cover some of the best tools of kali linux, in this tutorial series” Img src : kali linux os screenshot

5 CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
What can Digital Forensics do ? - Recovering deleted files, including s - Determine what computer, device, and/or software created the malicious file, software, and/or attack - Trail the source IP and/or MAC address of the attack - Track the source of malware by its signature and components - Determine the time, place, and device that took a picture - Track the location of a cell phone enabled device (with or without GPS enabled) - Determine the time a file was modified, accessed or created (MAC) - Crack passwords on encrypted hard drives, files, or communication - Determine which websites the attacker visited and what files he downloaded These are just FEW

6 CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
“Computer Hacking Forensic INVESTIGATOR” “INVESTIGATOR related with Digital Forensics” “Each and Every process involved in Digital Forensics is a key role of CHFI to follow, and solve the cases related to Digital/Computer/Cyber Crime”

7 CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER “Creating a disk image file of a target is the first step of any digital forensic investigation. In any investigation analysis is not done on the original data storage device (target), but instead on the exact copy taken” “A disk Image is defined as a computer file that contains the contents and structure of a data storage device such as a hard drive, CD drive, phone, tablet, RAM, or USB. The disk image consists of the actual contents of the data storage device, as well as the information necessary to replicate the structure and content layout of the device. This differs from a normal backup in that the integrity of the exact storage structure remains intact, which is pivotal in maintaining the integrity of a forensic investigation”

8 CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER “An image may be taken locally or remotely. In the case that a disk image is taken locally, the data storage target is physically available, such as a USB key or hard drive on an acquired machine. In the case of remote acquisition, the target storage device is not present (i.e. a computer in a suspect’s office at their place of work)” In this tutorial, we will be making an image of a local drive using FTK Imager. FTK Imager is a software created by the company AccessData for the purpose of creating both local and remote images. However, the free version only allows for local imaging. This software can acquire images of locally available storage devices, such as USB, hard drives, CD drives, or even individual files.” “In this tutorial, we will create an exact replica of a local drive (F:\ Cybrary) that will be used in the scope of a digital forensic investigation, later”

9 CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER Note the suspect’s drive that we will be imaging ‘F:\ Cybrary’ and the available investigator’s drive, ‘H:\ BJ’. Note : After Explaining this slide, I will provide Lab Demo on this practical

10 Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER
Launch FTK Imager by clicking on the ‘AccessData FTK Imager’ icon. The following screen will appear once the program has been launched.

11 Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER
Click File and look over the various options for creating images. We will be using the ‘Create Disk Image’ option. It is good to note that you can also capture from memory, and image individual items.

12 Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER
Click ‘Create Disk Image’. The following window will appear. Select the correct drive type for the situation. In this case, we are imaging a logical drive. Note that it is also possible to select individual folders and CD/DVD. Select logical drive and click Next.

13 Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER
Select the desired drive in the resulting ‘Select Drive’ window. In this case the drive we wish to image is ‘F:\ Cybrary’. Click Finish.

14 Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER
The following ‘Create Image’ window will appear. Note that the appropriate Image Source has been selected. Click Add to select the image type and choose the Image Destination.

15 Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER
Select the desired image format. We will be using dd. dd (disk dump) is the raw image file format. It is used not only in Windows, but also in Linux. Select ‘Raw (dd)’ and click Next. *Note that the E01 file format is for EnCase (an enterprise digital forensics program), AFF stores all data and metadata in a single file, and SMART stores the metadata in a separate text file where the contents can be easily viewed.

16 Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER
The following window will give you the opportunity to enter information about the case for the image. This is useful for organizational purposes. Since keeping track of everything and having detailed notes is pivotal, it is helpful to enter this information. Click Next.

17 Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER
Select the folder in which the image file will be placed (H:\ BJ). Also, give the image file a specific name if desired. Click Finish.

18 Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER
Note that the image destination has been changed to H:\. The disk image will be saved to the BJ Drive. Note also that the disk image will be created in raw/dd. Make sure that ‘Verify images after they are created’ is checked – this will automatically create a hash for the image. The hash is used to verify that no changes have been made to the image file. Click Start to create the image file.

19 Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER
The image will be created. This may take some time depending on the file size.

20 Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER
The following window will appear once the image has been completed. Note that both an MD5 and SHA1 hash have been created and verified. The hash is the fingerprint of the disk image – if the disk image is altered, the hash values will change. Keeping track of these hashes will allow you to continually verify the hash of the image file during your investigative process. Any other investigator should be able to replicate this hash; this maintains integrity in the eyes of the court.

21 Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER
Click on ‘Image Summary’ to view the following results pertaining to the image that has just been created. This information should verify what was entered in the creation process. It will also verify the created hashes. Also, for your reference, this information has been printed out into a text file in the location to which the image file was saved.

22 Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER
Note that the image file (Thanks Cybrary.001) as well as the image summary file from above (Thanks Cybrary.001.txt) have been saved onto the ‘H: BJ Drive’. The .001 extension may be left as is, or can be changed to .dd. The .001 extension is used due to the fact that many times the file to be imaged is very large and must be split into multiple chunks. In that case, you would have Thanks Cybrary.001, Thanks Cybrary.002, etc.

23 CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
Our First Part in Digital Forensics : Acquiring an Image with FTK IMAGER Conclusion At this point, the disk image has been created. This is essential for analyzing the contents without touching the original drive. In a following tutorial we will cover viewing the contents of this disk image file. The disk image is completely intact and untouched at this point. It is imperative that the hashes be recorded and kept for reference, as they must be rechecked during the course of your investigation. Additionally, it is imperative that a form of write blocking be put in place to prevent changes to the disk image. Write blocking will be covered in future tutorial.

Download ppt "CHFI & Digital Forensics [Part.1] - Basics & FTK Imager"

Similar presentations

 Use the Left and Right arrow keys or the Page Up and Page Down keys to move between the pages. You can also click on the pages to move forward.  To.

 Use the Left and Right arrow keys or the Page Up and Page Down keys to move between the pages. You can also click on the pages to move forward.  To.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
In the top right hand corner you will type in your package code in the box that says “Place Order.” Then you will click “Go.”

In the top right hand corner you will type in your package code in the box that says “Place Order.” Then you will click “Go.”
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Computer & Network Forensics

Computer & Network Forensics
Guide to Computer Forensics and Investigations Third Edition

Guide to Computer Forensics and Investigations Third Edition
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
COS/PSA 413 Day 5. Agenda Questions? Assignment 2 Redo –Due September 3:35 PM Assignment 3 posted –Due September 3:35 PM Quiz 1 on September.

COS/PSA 413 Day 5. Agenda Questions? Assignment 2 Redo –Due September 3:35 PM Assignment 3 posted –Due September 3:35 PM Quiz 1 on September.
Chapter Accreditation Online System Usage Tutorial Department of Member Relations & Grants National Children’s Alliance.

Chapter Accreditation Online System Usage Tutorial Department of Member Relations & Grants National Children’s Alliance.
Word Templates- Email Documents Directly from GP.

Word Templates- Documents Directly from GP.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Working with SharePoint Document Libraries. What are document libraries? Document libraries are collections of files that you can share with team members.

Working with SharePoint Document Libraries. What are document libraries? Document libraries are collections of files that you can share with team members.
Windows Tutorial 9 Maintaining Hardware and Software

Windows Tutorial 9 Maintaining Hardware and Software
Tutorial Introduction Fidelity NTSConnect is an innovative Web-based software solution designed for use by customers of Fidelity National Title Insurance.

Tutorial Introduction Fidelity NTSConnect is an innovative Web-based software solution designed for use by customers of Fidelity National Title Insurance.
Hands-on: Capturing an Image with AccessData FTK Imager

Hands-on: Capturing an Image with AccessData FTK Imager
Created by: Ian Osborn. Possibilities Of Movie Maker Windows Movie Maker allows users to organize and add effects to media clips that ordinarily would.

Created by: Ian Osborn. Possibilities Of Movie Maker Windows Movie Maker allows users to organize and add effects to media clips that ordinarily would.
Microsoft Office 2010 - Illustrated Fundamentals Unit B: Understanding File Management.

Microsoft Office Illustrated Fundamentals Unit B: Understanding File Management.
Data Deletion and Recovery. Data Deletion  What does data deletion mean in your own words?

Data Deletion and Recovery. Data Deletion  What does data deletion mean in your own words?

Similar presentations

Ads by Google