LAB 3 - FTK Imager

School: University of Cincinnati, Main Campus
Course: 3072C
Subject: Computer Science
Date: Feb 20, 2024
Uploaded by DoctorFlagCamel35
IT3072C LAB3 – FTK Imager

Instructions

Login to the Sandbox environment and access your VM.
1. If your VM is ON, power it OFF. Ensure your VM is powered down via the CECH Sandbox Console.
2. Select the “Actions” icon next to your VM and then “Mount CD-ROM”.
3. Configure the information by selecting “Datastore ISO File” and then “IT3072C-ImageFiles.iso”.
4. Click the “Submit” button. You will see the “Mount CD-ROM Request Has Been Submitted” message. Please be patient with your VM.

LAB 3 Page 1
Power ON your VM. After you login, access the sample image files.
1. Create a “C:\Images” directory on the root of your hard drive.
2. Click the “E:” drive to view the image files.
3. Copy all of the data to the C:\Images directory.

Now is a great time to check your “view file” settings in Windows File Explorer (Hint: View > Options > View). Make sure the following options are set, then click [APPLY]:
- Show hidden files, folders, and drives (check)
- Hide empty drives (un-check)
- Hide extensions for known file types (un-check)
FTK Imager

Exterro purchased AccessData in 2020. FTK Imager is the first forensic tool that we will use in the course. As the name implies, you can use FTK Imager to create forensic images. It can also be used to verify forensic images, export files and folders, create a hash set, create a custom content image, create a directory and file listing, capture RAM, obtain Windows Registry files, and even perform live searches. One important feature of FTK Imager is the ability to create and view image verification logs.

Launch FTK Imager

On your desktop, click the “AccessData FTK Imager” shortcut. This will open the FTK Imager interface, which has the following seven components: Menu Bar, Toolbar, Evidence Tree View, Properties / Hex Value / Custom Content tabs, Status Bar, File List Pane, and Viewer Pane. During this course, you will get proficient with this forensic tool!

Access the FTK User Guide

From the Menu Bar, click the [Help] button to access the FTK Imager User Guide.

[Figure: annotated FTK Imager window with the Menu Bar, Toolbar, Evidence Tree View, File List Pane, Viewer Pane, Properties / Hex Value / Custom Content tabs, and Status Bar labelled]
The File Menu

Notice that not all File Menu options are available at the start of the program. FTK Imager provides context-sensitive functionality.

The View Menu

The View Menu allows you to customize your view of FTK Imager. You can use the View Menu to ensure your data is displaying in the appropriate window. Notice the menu option [Reset Docked Windows]. This will return the displays to their default layout.
The Toolbar Menu

Notice that not all toolbar buttons are available at the start of the program. FTK Imager provides context-sensitive menu buttons. Hover your cursor over each toolbar button to get a text description of its function. The User Guide also explains each button's function. Take some time to get familiar with the Menus and the User Guide contents.

1. What is the file format of the FTK Imager User Guide? PDF
2. How many total pages are in the User Guide? 57
3. What is the file system path of the User Guide so you can access it outside of the tool? C:/Program %20Files/AcessData/FTK%20Imager/Help/ENU/FTKImager_UseGuide.pdf

Load a Forensic Image of a digital evidence item

From the Menu Bar, select File > Add Evidence Item > Image File. Select [Browse] and then traverse to your C:\Images directory. Select the forensic image named “Ext2 Image.e01”. Select [Finish].
The forensic image file “Ext2 Image.e01” is now loaded in FTK Imager. While selecting the forensic image file name, the PROPERTIES window will populate with information for the forensic image file. Note the Sector Count. Select the VOLUME NAME and [FILE SYSTEM] identifiers to see additional information and to provide additional menu options. In this example, the NONAME volume means the volume was not assigned a name.

Select File > Verify Drive/Image.
When you are finished viewing the information on the forensic image, click the [Close] button. From the Menu Bar, select File > Remove Evidence Item. It is good forensic practice to remove a forensic image before attempting to load another forensic image file.

Complete the chart for the following forensic image files.

Filename            | Sector Count | Volume Name | File System | MD5 Hash                         | SHA1 Hash
Ext2 Image.e01      |              | NoName      | EXT2        | 5357414d98936a63de38b9a82a56710  | 36e8ab5331b5d2122059273805e0f564cf490822
FAT32 Image.e01     | 256977 10    | Fat32 OLIme | Fat32       | E00098c9c6aa828523de48482d7a40f1 | E952f2a4a920e20268f3999f68f978696659d98a
nps-2013-canon1.e01 | 250880       | Partition   | Unallocated | 7e99923ca562ad5afd9e852621f29ca  | A48fce306d8e5655fc6fd67f836d1d6b44b32517

How many hexadecimal characters is the MD5 hash? 32
How many hexadecimal characters is the SHA1 hash? 40
Create a log file for one of the forensic images

In Windows Explorer, navigate to the C:\Images directory. Create a new “text document” with Notepad. Rename the “New Text Document.txt” file to “ntfs1-gen2.E01.txt”. Using FTK Imager, load the image file “ntfs1-gen2.E01”. Verify the image. Check the size of the file “ntfs1-gen2.E01.txt”. Review the contents of the file.

Notice the MD5 hash is “verified”, but the SHA1 hash is not. This is because *.E01 forensic images only have the embedded MD5 hash. If the forensic image has an associated log file (samefilename.E01.txt), you can view the MD5 hash values. If you verify the forensic image file twice with FTK Imager, it will generate and store both the MD5 and SHA1 values for verification.
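To make the behaviour behind the hash chart and the verification log concrete, here is an added Python example; it is not part of the lab and not FTK Imager's own code. It streams an image file once to compute MD5 and SHA1 (32 and 40 hexadecimal characters), compares them against whatever digests a sidecar log named image.E01.txt already stores, and then stores both digests so a second verification can confirm MD5 and SHA1. The first run mirrors the lab's observation: only an MD5 is available, so SHA1 is "not verified". The log format (one "ALGO: hex" line per digest), the sample image bytes and the function names are all constructed for this example; the script does not parse the E01 container itself.

```python
"""Added example (not FTK Imager code): hash an image, compare with a sidecar
verification log, and record both digests. Log layout is constructed here."""
import hashlib
import io
import os
import tempfile

# Hex length of each digest: 128 bits / 4 = 32 for MD5, 160 bits / 4 = 40 for SHA1.
EXPECTED_HEX_LEN = {"MD5": 32, "SHA1": 40}


def hash_stream(fileobj, chunk_size=1 << 20):
    """Read the file once, feeding both hashes (forensic images are large)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"MD5": md5.hexdigest(), "SHA1": sha1.hexdigest()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data))


def hex_length_ok(algo, digest):
    """Answer to the lab's question: is this digest the right width for its algorithm?"""
    return (len(digest) == EXPECTED_HEX_LEN[algo]
            and all(c in "0123456789abcdefABCDEF" for c in digest))


def read_log(log_path):
    """Parse 'ALGO: hex' lines (constructed format). No log means no stored hashes."""
    stored = {}
    if not os.path.exists(log_path):
        return stored
    with open(log_path, encoding="utf-8") as fh:
        for line in fh:
            if ":" in line:
                algo, _, digest = line.partition(":")
                stored[algo.strip().upper()] = digest.strip().lower()
    return stored


def verify_image(image_path, log_path=None):
    """Compare computed digests with the sidecar log (image.E01.txt by default).
    A digest the log lacks is 'not verified'; on any mismatch the log is left
    untouched so the original stored value is preserved as evidence."""
    log_path = log_path or image_path + ".txt"
    with open(image_path, "rb") as fh:
        computed = hash_stream(fh)
    stored = read_log(log_path)
    status = {}
    for algo, digest in computed.items():
        if algo not in stored:
            status[algo] = "not verified (no stored hash)"
        elif stored[algo] == digest:
            status[algo] = "verified"
        else:
            status[algo] = "MISMATCH"
    if "MISMATCH" not in status.values():
        with open(log_path, "w", encoding="utf-8") as fh:
            for algo, digest in computed.items():
                fh.write(f"{algo}: {digest}\n")
    return status


def run_demo():
    """Constructed scenario: an image whose log starts with only an MD5 (as for a
    fresh E01), verified twice, then verified again after one byte is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "sample.E01")
        data = bytes(range(256)) * 1024          # constructed image content
        with open(image, "wb") as fh:
            fh.write(data)
        with open(image + ".txt", "w", encoding="utf-8") as fh:
            fh.write(f"MD5: {hash_bytes(data)['MD5']}\n")
        first = verify_image(image)              # MD5 verified, SHA1 missing
        second = verify_image(image)             # both now stored and verified
        tampered = bytearray(data)
        tampered[100] ^= 0x01                    # flip one bit
        with open(image, "wb") as fh:
            fh.write(tampered)
        third = verify_image(image)              # both digests mismatch
    return first, second, third


if __name__ == "__main__":
    for label, result in zip(("first", "second", "tampered"), run_demo()):
        print(label, result)
```

Running the script prints the three verification results; the point to take from the tampered run is that a single flipped bit changes both digests, which is why the lab asks for the full hash value rather than a prefix.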
SUBMISSION: Create a lab submission document with the following name: username_Lab3.doc [or *.txt]. Create a numbered list from 1 to 20. Answer the questions. Submit your answers. Please make sure the entire hash value is visible in order to receive full credit for the answer. For this submission, only *.doc* or *.txt files will be accepted.

[End]