
Step 1: Create an Image in FTK Imager
One of the first steps in conducting digital forensic investigations involves creating a forensic image of the digital evidence disk or drive. Digital forensics evidence can be found in operating systems, disk drives, network traffic, emails, and in software applications. To help the detectives in your department to better understand the digital forensics investigation process, you have offered to show them how you create an image using FTK Imager. Media investigations of digital storage devices can include audio files, pictures, videos, words, portions of files, graphic files, and information about a file. Graphics files can be a rich source of forensic evidence.
Because you are pressed for time, you go to the virtual lab and decide to create an image of the “My Pictures” directory on your computer. This process is similar to making a full computer image, but it takes only a few minutes rather than several hours. You are preparing a report describing the steps that you follow so the detectives can refer to it later. You will include a screenshot and text file (DFC620_Lab1_Name.ad1) that document your imaging process with information such as hash values.
Submit your report for review and ungraded feedback from the detectives (your instructor). Incorporate any suggested changes; you will include your report in the Use of Access Data Tools paper that you submit in Step 4.
Now that you have demonstrated the imaging process and investigative techniques to detectives, you are ready to proceed to the next step in which you demonstrate the use of Registry Viewer.

Forensic Imaging Lab
Introduction
The first step in conducting a forensic investigation is to create images of the evidence. This involves capturing operating systems, network traffic, emails and software evidence, and other files. You are a special agent and forensic examiner for the University Bureau of Investigation (UBI) Cyber Division assigned to a cyber action team. Your supervisor has asked you to show others how to create an image using FTK Imager. This tool is used to analyze media such as audio, pictures, and video. These types of files can be a great source of evidence for forensic investigators.
Goal of the Lab
Show users how to create images of digital evidence. 
Lab Overview
You will need to access the virtual lab environment and start the CST 640 lab virtual machines (VMs). You will be using the WINFOR01 VM for this lab. You will create a digital image of the "My Pictures" directory on your computer. This is very similar to making a full image of the computer. The process should take only minutes instead of hours.
Task
You are to complete each of the following steps as part of the lab. The data collected and screenshots will be used in your project deliverables. Make sure you capture screenshots to help in supporting your answers to the questions.
Start the lab VM. 
1. Start the CST 640 lab, and then allocate and start WINFOR01 VM. Log in to the VM. 
2. Once in the WINFOR01 desktop, select Lab Resources, then Applications, and then AccessData FTK Imager to start FTK Imager.
3. In FTK Imager, select File, and then Create Disk Image to start creating an image.
4. Next, in the Select Source window, select "Contents of a Folder" and click Next.
5. Next, you get an FTK Imager window about creating an image of the folder’s contents. Click Yes to proceed.
6. Now, you need to select the source of where the evidence is located. For the evidence source selection, click Browse and navigate to: 
Libraries > Pictures > Public Pictures > Sample Pictures
The source path should show as C:\Users\Public\Pictures\Sample Pictures 
Then, click Finish.
7. Next, in the Create Image window, click Add.
8. Now, you need to enter information about the evidence. Enter the information as shown in the screenshot. The Case Number should follow [year][month][day]. Take a screenshot for your report.
9. Click the Next button.
10. Now, browse for the destination folder > Desktop. Click OK.
Note: You should also verify the image files. Choose “Verify Image Integrity” under the Tools menu. Just click the Verify button for each of the images you want to verify.
11. Then make sure the Image Filename is entered as CST640_Project4_first initial lastname.
12. Then, click Finish. 
13. After clicking Finish, you will see a Create Image window. Click Start to proceed.
14. Click Close.
15. In the Drive/Image Verify Results window that appears, click Close.
16. Going back to the File window, select Add Evidence Item.
17. This time, select "Image File" from the Select Source window and then click Next.
18. You should see the Select File window. Enter the Evidence Source Selection by clicking Browse and navigating to Desktop CST640_Project4_first initial lastname.ad1. Then, click Finish.
19. Click Add image.
20. Now expand the evidence tree by selecting the "Chrysanthemum.jpg" file. Take a screenshot of the VM window and include it in your report.
21. Close FTK Imager and open "CST640_Project4_[first initial lastname].ad1.txt." Take a screenshot of the VM window and include it in your report.
You have now completed all tasks in the lab.
Note: Be sure to collect information for your analysis. Add screenshots to your report.
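
The lab documents the image with hash values and then verifies it. The following Python code is an added example, not part of the lab handout or of FTK Imager: it applies the same integrity check at file level by recording MD5 and SHA-1 digests (the two digests FTK Imager reports) for every file in a source folder and later reporting what changed. The function names, the sample bytes, and the file names other than Chrysanthemum.jpg are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests of one file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its (md5, sha1) pair."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline, current):
    """Report files whose content changed, disappeared or appeared."""
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(k for k in common if baseline[k] != current[k]),
        "missing": sorted(baseline.keys() - current.keys()),
        "added": sorted(current.keys() - baseline.keys()),
    }


def demo():
    """Run the check on constructed sample files (not real evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "Sample Pictures"
        src.mkdir()
        (src / "Chrysanthemum.jpg").write_bytes(b"constructed image bytes A")
        (src / "constructed_2.jpg").write_bytes(b"constructed image bytes B")
        baseline = build_manifest(src)  # recorded at acquisition time
        # Simulate later changes: a one-byte edit, a deletion, a new file.
        (src / "Chrysanthemum.jpg").write_bytes(b"constructed image bytes a")
        (src / "constructed_2.jpg").unlink()
        (src / "constructed_3.jpg").write_bytes(b"constructed image bytes C")
        return baseline, compare_manifests(baseline, build_manifest(src))


if __name__ == "__main__":
    print(demo()[1])
```

A single changed byte is enough to alter both digests, which is why the hash values recorded at acquisition time belong in the report.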

Answered Same Day Mar 03, 2022

Solution

Aneshteja answered on Mar 03 2022
104 Votes
Forensic Imaging Lab 1
Summary:-
· In this forensic imaging lab, the main goal is to find the evidence of the users; it involves capturing operating systems (OS), network traffic, emails, software evidence, and other files. The forensic department uses an FTK tool to find and analyze audio, pictures, and video.
· When we create images of digital evidence using FTK, they will be useful for the forensic department. Before starting, you need to create a virtual machine, log in to it, start the CST 640 lab, and start the WINFOR01 VM.
· Once the session starts, go to the WINFOR01 desktop and select the...