02 Forensic Image Extraction Demo


Before you begin

This lesson is slightly different from the others. While other lessons come with files or links to analyze, we can’t exactly give you a physical USB drive. So instead of giving you a prompt and challenging you to solve it, we’re going to solve it ourselves while you follow along.

Afterward, you can try it yourself: find a drive and image it. For your imaging tool, download AccessData FTK Imager.

Demo

Step 1: Go to File > Create Disk Image.


Step 2: Select Physical Drive, because the USB or hard drive you’re imaging is a physical device or drive.


Step 3: Select the drive you’re imaging. The 1000 GB entry is my computer’s hard drive; the 128 MB entry is the USB drive that I want to image.


Step 4: Add a new image destination.


Step 5: Select whichever image type you want. Choose Raw (dd) if you’re a beginner, since it’s the most common type.


Step 6: Fill in all the evidence information.


Step 7: Choose where you want to store it.


Step 8: The image destination has been added. Now you can start the image extraction.


Step 9: Wait for the image to be extracted.


Step 10: This is the completed extraction.


Step 11: Add the image you just created so that you can view it.


Step 12: This time, choose Image File, since that’s what you just created.


Step 13: Enter the path of the image you just created.


Step 14: View the image.

  1. Evidence tree
    Structure of the drive image
  2. File list
    List of all the files in the drive image folder
  3. Properties
    Properties of the file/folder being examined
  4. Hex viewer
    View of the drive/folders/files in hexadecimal


Step 15: To view files in the USB, go to Partition 1 > [USB name] > [root] in the Evidence Tree and look in the File List.


Step 16: Selecting fileA, fileB, fileC, or fileD gives us some properties of the files & a preview of each photo.


Step 17: Extract files of interest for further analysis by selecting them, right-clicking, and choosing Export Files.

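What the Evidence Tree in Steps 14 and 15 lists as Partition 1 comes from the partition table stored in the first sector of the image. The following is an added example (not part of the original lesson and not FTK Imager code) that parses that table from a Raw (dd) image, assuming the drive uses MBR partitioning with 512-byte sectors; the function names and the sample sector are constructed for illustration.

```python
import struct

SECTOR = 512  # assumed sector size; a raw (dd) image has no metadata header

# Common MBR partition type bytes (a small subset, used only for labelling)
TYPES = {0x01: "FAT12", 0x04: "FAT16 <32M", 0x06: "FAT16", 0x07: "NTFS/exFAT",
         0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)",
         0x83: "Linux", 0xEE: "GPT protective"}

def parse_mbr(sector0: bytes) -> list[dict]:
    """Return the non-empty primary partition entries from an MBR sector."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one full 512-byte sector")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature; the image may be a volume "
                         "image or not a raw (dd) image at all")
    parts = []
    for i in range(4):  # four 16-byte entries starting at offset 446
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or sectors == 0:
            continue  # unused slot
        parts.append({"number": i + 1, "bootable": status == 0x80,
                      "type": TYPES.get(ptype, f"0x{ptype:02x}"),
                      "offset": lba_start * SECTOR, "size": sectors * SECTOR})
    return parts

def partitions_in_image(path: str) -> list[dict]:
    """Open a raw image read-only and parse its first sector."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(SECTOR))

def sample_mbr() -> bytes:
    """Constructed sample: one FAT16 partition at LBA 63 on a 128 MB drive."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3xB3xII", 0x00, 0x06, 63, 262081)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    for p in parse_mbr(sample_mbr()):
        print(p)
```

To run it against your own image, call `partitions_in_image()` with the path you chose in Step 7; the byte offset it reports for partition 1 is where that partition's file system starts in the Hex viewer.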