Lab 1: Acquiring Disk Image with FTK Imager

Umesh Timalsina
Southern Illinois University Carbondale
Course: CS591-Digital Forensics
February 3, 2018

1 Process Description

In this lab, we obtain a forensic image of a USB drive using the FTK Imager command line utility from AccessData. A basic principle of every forensic investigation is to never work on the real evidence, which in our case is a USB drive and its contents, but on a copy of it. That copy, however, must be an exact replica of the original evidence, meaning we need a bit-by-bit copy. In practice the evidence drive is attached through a write blocker, or at least kept from being mounted read-write, so that the acquisition itself cannot alter it. The FTK Imager toolkit is available both as graphical software and as a command line utility. In this session we work with the command line utility, whose job is imaging (making a bit-by-bit copy of) the evidence we have.

1.1 Acquiring FTK Imager

The ftkimager command line utility can be downloaded from AccessData's web page. At the time of this writing, that link pointed to the latest version of the ftkimager command line utility. We are working on a 64-bit Ubuntu 16.04 (Xenial) desktop; the toolkit is available for Debian-based systems. Once downloaded, ftkimager comes as a tar.gz package that is extracted and placed in any directory on the system's PATH so that it can be used as a command. The steps are: download ftkimager from the link above, extract the tar.gz using either the archive manager or the tar command, and finally move the extracted binary to /usr/bin. Upon success, typing ftkimager in the terminal yields the output shown in Figure 1.

One important thing to note is that ftkimager should be run with root privileges, since reading a block device such as /dev/sdb directly requires them. To view a list of the storage drives attached to the system, use the following command:

    sudo ftkimager --list-drives

The command above lists the available storage drives connected to the system. Similarly, to see the details of a particular drive, use:

    sudo ftkimager --print-info /dev/sdb

This is shown in Figure 2 below. In the next section we dive into the details of creating a disk image in E01 format. For that we will use a 1GB USB drive (which I got from SIU). E01 is the de facto standard format for forensic disk images because, unlike a raw dd image, it stores case metadata and integrity hashes alongside the data and supports compression.

Figure 1: ftkimager command

Figure 2: Using Options of the ftk–imager command
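To make concrete what "supports metadata" means, the following Python is an added example (not part of this lab report or of FTK Imager) that walks the structure of one E01 segment file. Per the EWF format on which E01 is based, a segment starts with a 13-byte file header (an 8-byte signature and the segment number) followed by a chain of typed sections ("header2", "volume", "sectors", "table", "hash", "done", and others); each section begins with a 76-byte descriptor holding its type, the offset of the next section, its size, and an Adler-32 checksum over the descriptor, and the last section of a segment points at itself. The segment parsed here is constructed in code with an opaque payload; the walker only checks the chain and the descriptor checksums and does not decode section contents, but it can be pointed at the bytes of a real .E01 file.

```python
"""Walk the section chain of one E01 (EWF) segment and check each descriptor's Adler-32.

Added example; the segment parsed here is constructed in code, not the lab's image.
"""
import struct
import zlib

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"   # 8-byte signature at offset 0 of every E01 segment
FILE_HEADER = struct.Struct("<8sBHH")        # signature, fields start (1), segment number, fields end (0)
SECTION_DESC = struct.Struct("<16sQQ40sI")   # type, next section offset, section size, padding, Adler-32
CHECKSUMMED = SECTION_DESC.size - 4          # the checksum covers the first 72 bytes of the descriptor


def make_descriptor(kind, size, next_offset):
    """Build a 76-byte section descriptor with a valid Adler-32 over its first 72 bytes."""
    body = struct.pack("<16sQQ40s", kind, next_offset, size, b"\x00" * 40)
    return body + struct.pack("<I", zlib.adler32(body) & 0xFFFFFFFF)


def make_sample_segment(segment_number=1, payload=b"constructed header payload"):
    """Constructed minimal segment: file header, one 'header2' section carrying an
    opaque payload, then the 'done' section, whose next-offset points at itself."""
    header = FILE_HEADER.pack(EWF_SIGNATURE, 1, segment_number, 0)
    first_off = len(header)
    first_size = SECTION_DESC.size + len(payload)
    done_off = first_off + first_size
    first = make_descriptor(b"header2", first_size, done_off) + payload
    done = make_descriptor(b"done", SECTION_DESC.size, done_off)
    return header + first + done


def walk_sections(data):
    """Return (segment number, [(type, offset, size), ...]) or raise ValueError."""
    if len(data) < FILE_HEADER.size:
        raise ValueError("file shorter than an EWF file header")
    signature, start, segment, end = FILE_HEADER.unpack_from(data, 0)
    if signature != EWF_SIGNATURE or start != 1 or end != 0:
        raise ValueError("not an EWF/E01 segment file")
    sections, offset = [], FILE_HEADER.size
    while True:
        raw = data[offset:offset + SECTION_DESC.size]
        if len(raw) < SECTION_DESC.size:
            raise ValueError(f"truncated section descriptor at offset {offset}")
        kind, next_off, size, _padding, stored = SECTION_DESC.unpack(raw)
        # A flipped bit anywhere in the descriptor shows up here before we trust its offsets.
        if zlib.adler32(raw[:CHECKSUMMED]) & 0xFFFFFFFF != stored:
            raise ValueError(f"Adler-32 mismatch in section descriptor at offset {offset}")
        if offset + size > len(data):
            raise ValueError(f"section at offset {offset} runs past end of file")
        kind = kind.rstrip(b"\x00").decode("ascii", "replace")
        sections.append((kind, offset, size))
        if kind in ("done", "next") or next_off == offset:
            return segment, sections          # last section of this segment
        if next_off <= offset:
            raise ValueError(f"section chain does not advance at offset {offset}")
        offset = next_off


if __name__ == "__main__":
    number, secs = walk_sections(make_sample_segment())
    print(f"segment {number}:")
    for kind, off, size in secs:
        print(f"  {kind:<8} offset={off:<6} size={size}")
```

Reading a real image this way, rather than trusting its extension, is a cheap sanity check before handing an E01 to a tool: a truncated download or a bit flip in a descriptor fails the walk immediately.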


1.2 Diving In

As mentioned earlier, to keep the lab manageable we use a 1GB USB drive. From the output of the sudo ftkimager --list-drives and sudo ftkimager --print-info commands above, the USB drive connected to the system is /dev/sdb, so that is the device we image. To do so we used the following command:

    sudo ftkimager /dev/sdb \
        /home/umesh/courses-Spring2018/digital-forensics/labs/lab1/DiskImage \
        --e01 --compress 0 --case-number "001" --evidence-number "001" \
        --description "Practice Lab CS591" --examiner "Umesh Timalsina" \
        --notes "Lorem Ipsum" --outpass "lab123" --verify

Note that the image password given with --outpass is part of the command line, so it ends up in the shell history and is visible to other local users in the process list while ftkimager runs; a throwaway password is fine for a practice lab but not for a real case. The process is shown in the figure below:

Figure 3: Creating disk image

Every option used is listed and described below:
• Source: /dev/sdb is the device the image is created from.
• Destination: /home/umesh/courses-Spring2018/digital-forensics/labs/lab1/DiskImage is the destination; the file name is DiskImage and ftkimager appends the .E01 extension.
• Output format: --e01 creates the output in EnCase's E01 file format, which most forensic applications accept.
• Compression: --compress 0 means no compression; 9 is the best (and slowest) compression.
• Metadata: --case-number, --evidence-number, --description, --examiner and --notes add case information to the image.
• Password: --outpass sets a password on the output image.
• Verification: --verify makes ftkimager re-read the finished image, recompute its MD5 and SHA1 hashes and compare them with the hashes computed from the source during acquisition, so the log states whether the image is verified.

The process takes a while; how long depends on the size of the drive. For this 1GB drive the log in Listing 1 shows that the acquisition took about seven and a half minutes and the verification pass a further six seconds. The screenshot of the process upon completion is shown below. At the end, an ls of /home/umesh/courses-Spring2018/digital-forensics/labs/lab1/ shows that the image file DiskImage.E01 and the log file DiskImage.E01.txt have been created. The contents of DiskImage.E01.txt summarise the process.


Figure 4: Completion of the imaging process

Listing 1: Contents of the file DiskImage.E01.txt

    Case Information:
    Acquired using: ADI3
    Case Number: 001
    Evidence Number: 001
    Unique description: Practice Lab CS591
    Examiner: Umesh Timalsina
    Notes: Lorem Ipsum

    --------------------------------------------------------------

    Information for /home/umesh/courses-Spring2018/digital-forensics/labs/lab1/DiskImage:

    Physical Evidentiary Item (Source) Information:
    [Device Info]
     Source Type: Physical
    [Drive Geometry]
     Cylinders: 1024
     Heads: 31
     Sectors per Track: 62
     Bytes per Sector: 512
     Sector Count: 1968128
    Source data size: 961 MB
    Sector count:     1968128
    [Computed Hashes]
     MD5 checksum:    c3cef5ce8bfbaf4f6e1ac5e3621e1eae
     SHA1 checksum:   a992e831a12b84b555e7030ca0bca28f6962cd4d

    Image Information:
     Acquisition started:   Sat Feb  3 16:17:06 2018
     Acquisition finished:  Sat Feb  3 16:24:37 2018
     Segment list:
      /home/umesh/courses-Spring2018/digital-forensics/labs/lab1/DiskImage.E01

    Image Verification Results:
     Verification started:  Sat Feb  3 16:24:37 2018
     Verification finished: Sat Feb  3 16:24:43 2018
     MD5 checksum:    c3cef5ce8bfbaf4f6e1ac5e3621e1eae : verified
     SHA1 checksum:   a992e831a12b84b555e7030ca0bca28f6962cd4d : verified
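The log is the record that ties the image to the source, so it is worth checking rather than just reading. The Python below is an added example (not part of this lab or of FTK Imager) that parses a DiskImage.E01.txt-style log, confirms that the hashes recomputed over the finished image match the hashes taken from the source during acquisition, that each line carries the "verified" status, and that the drive geometry is self-consistent, and it re-hashes the source device or a raw image in chunks so the examiner can compare an independently computed MD5/SHA1 with what ftkimager recorded. The sample log embedded in the code is constructed from the fields of Listing 1; the functions assume the field names and layout shown there.

```python
"""Check an ftkimager acquisition log and re-hash the source independently.

Added example for this lab; the sample log is constructed from Listing 1.
"""
import hashlib
import io
import re

# Constructed sample: the relevant lines of DiskImage.E01.txt from Listing 1.
SAMPLE_LOG = """\
Case Information:
Acquired using: ADI3
Case Number: 001
Evidence Number: 001
Examiner: Umesh Timalsina

[Drive Geometry]
 Cylinders: 1024
 Heads: 31
 Sectors per Track: 62
 Bytes per Sector: 512
 Sector Count: 1968128
Source data size: 961 MB
[Computed Hashes]
 MD5 checksum:    c3cef5ce8bfbaf4f6e1ac5e3621e1eae
 SHA1 checksum:   a992e831a12b84b555e7030ca0bca28f6962cd4d

Image Verification Results:
 Verification started:  Sat Feb  3 16:24:37 2018
 Verification finished: Sat Feb  3 16:24:43 2018
 MD5 checksum:    c3cef5ce8bfbaf4f6e1ac5e3621e1eae : verified
 SHA1 checksum:   a992e831a12b84b555e7030ca0bca28f6962cd4d : verified
"""

# One hash line; the ": verified" suffix only appears in the verification block.
HASH_LINE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9a-fA-F]+)(?:\s*:\s*(\w+))?\s*$", re.M)
GEOMETRY_KEYS = ("Cylinders", "Heads", "Sectors per Track", "Bytes per Sector", "Sector Count")


def parse_log(text):
    """Split the log into the acquisition part (hashes of the source) and the
    verification part (hashes of the finished image) and pull out the fields."""
    acquisition, marker, verification = text.partition("Image Verification Results:")
    if not marker:
        raise ValueError("no 'Image Verification Results' block: was --verify used?")
    computed = {algo: digest.lower() for algo, digest, _ in HASH_LINE.findall(acquisition)}
    verified = {algo: (digest.lower(), status)
                for algo, digest, status in HASH_LINE.findall(verification)}
    geometry = {}
    for key in GEOMETRY_KEYS:
        m = re.search(r"^\s*" + re.escape(key) + r":\s*(\d+)\s*$", acquisition, re.M)
        if m:
            geometry[key] = int(m.group(1))
    return {"computed": computed, "verified": verified, "geometry": geometry}


def source_size_bytes(info):
    """Size of the acquired device from its sector count and sector size."""
    g = info["geometry"]
    return g["Sector Count"] * g["Bytes per Sector"]


def check_log(text):
    """Return a list of problems; an empty list means the log is internally consistent."""
    info = parse_log(text)
    problems = []
    for algo in ("MD5", "SHA1"):
        if algo not in info["computed"]:
            problems.append(f"{algo}: no source hash recorded")
            continue
        if algo not in info["verified"]:
            problems.append(f"{algo}: no verification line")
            continue
        digest, status = info["verified"][algo]
        if digest != info["computed"][algo]:
            problems.append(f"{algo}: image hash {digest} differs from source hash {info['computed'][algo]}")
        if status != "verified":
            problems.append(f"{algo}: verification status is {status!r}")
    g = info["geometry"]
    if all(k in g for k in GEOMETRY_KEYS):
        chs = g["Cylinders"] * g["Heads"] * g["Sectors per Track"]
        if chs != g["Sector Count"]:
            problems.append(f"CHS geometry gives {chs} sectors, log says {g['Sector Count']}")
    return problems


def hash_stream(stream, chunk_size=4 << 20):
    """MD5 and SHA1 of a byte stream, read in chunks so a whole device fits in memory."""
    hashes = {"MD5": hashlib.md5(), "SHA1": hashlib.sha1()}
    for block in iter(lambda: stream.read(chunk_size), b""):
        for h in hashes.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_source(path):
    """Independent re-hash of the source device or a raw image, e.g. /dev/sdb (needs root)."""
    with open(path, "rb") as f:
        return hash_stream(f)


def matches_log(digests, text):
    """True when independently computed digests equal the source hashes in the log."""
    computed = parse_log(text)["computed"]
    return all(digests.get(a, "").lower() == computed.get(a) for a in computed)


if __name__ == "__main__":
    print("problems:", check_log(SAMPLE_LOG) or "none")
    print("source size:", source_size_bytes(parse_log(SAMPLE_LOG)), "bytes")
```

For the lab's drive the geometry works out exactly: 1024 cylinders x 31 heads x 62 sectors per track is 1968128 sectors, and 1968128 x 512 bytes is 961 MiB, the "Source data size" in the log. Running hash_source("/dev/sdb") after acquisition and comparing with matches_log is the independent check that the source itself was not altered between imaging and verification.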

2 Conclusion

In this lab, we successfully imaged a USB drive in E01 file format using AccessData's ftkimager command line utility. Apart from the options used here, there are various other options that work in the same fashion: to obtain a different image format (raw dd, S01, etc.), to apply a password to the resulting image so that it is encrypted, and to fragment the output image into several parts. These options are also easy to follow.
