Before you begin
This lesson is slightly different from the others. While other lessons come with files or links to analyze, we can’t exactly give you a physical USB drive. So instead of giving you a prompt and challenging you to solve it, we’re going to solve it ourselves while you follow along.
Afterward, you can try it yourself: find a drive and image it. For your imaging tool, download AccessData FTK Imager.
Step 1: Go to File > Create Disk Image.
Step 2: Select Physical Drive, because the USB or hard drive you’re imaging is a physical device or drive.
Step 3: Select the drive you’re imaging. The 1000 GB is my computer hard drive; the 128 MB is the USB that I want to image.
Step 4: Add a new image destination.
Step 5: Select whichever image type you want. Choose Raw (dd) if you’re a beginner, since it’s the most common type.
Step 6: Fill in all the evidence information.
Step 7: Choose where you want to store it.
Step 8: The image destination has been added. Now you can start the image extraction.
Step 9: Wait for the image to be extracted.
Step 10: This is the completed extraction.
Step 11: Add the image you just created so that you can view it.
Step 12: This time, choose image file, since that’s what you just created.
Step 13: Enter the path of the image you just created.
Step 14: View the image.
- Evidence tree: structure of the drive image
- File list: list of all the files in the drive image folder
- Properties: properties of the file/folder being examined
- Hex viewer: view of the drive/folders/files in hexadecimal
Step 15: To view files in the USB, go to
Step 16: Selecting fileA, fileB, fileC, or fileD gives us some properties of the files and a preview of each photo.
Step 17: Extract files of interest for further analysis by selecting, right-clicking and choosing Export Files.
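The steps above leave you with a Raw (dd) image. As an added example, not part of this lesson or of FTK Imager, here is a small Python script that reads sector 0 of such an image to list its partitions (the structure the evidence tree shows) and hashes the whole file, so the MD5 and SHA-1 can be compared with the values FTK Imager recorded at acquisition before you rely on what you see in Step 14. The sample image bytes, the 512-byte sector size and the "superfloppy" heuristic are assumptions of the example.

```python
"""Added example (not from the lesson or FTK Imager): inspect a Raw (dd) image
by parsing its MBR and hashing it. All image bytes below are constructed."""
import hashlib
import struct

SECTOR = 512  # assumed sector size; Raw (dd) is a sector-for-sector copy

def build_mbr(entries):
    """Build a sample MBR (constructed data) from (boot, type, start_lba, sectors) tuples."""
    mbr = bytearray(SECTOR)
    for i, (boot, ptype, start, count) in enumerate(entries):
        # 16-byte entry: boot flag, CHS start, type, CHS end, LBA start, sector count (CHS left zero)
        mbr[446 + 16 * i:446 + 16 * (i + 1)] = struct.pack("<B3xB3xII", boot, ptype, start, count)
    mbr[510:512] = b"\x55\xAA"  # boot signature
    return bytes(mbr)

def is_fat_boot_sector(sector0: bytes) -> bool:
    """Heuristic: many USB sticks have no MBR and carry a FAT boot sector at LBA 0."""
    if sector0[0] not in (0xEB, 0xE9):  # x86 jump opcode that opens a FAT boot sector
        return False
    return struct.unpack_from("<H", sector0, 11)[0] in (512, 1024, 2048, 4096)  # BPB bytes/sector

def parse_mbr(sector0: bytes, total_sectors: int) -> list:
    """Return the used partition entries; flag any that run past the end of the image."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA signature at offset 510: not an MBR, or the image is damaged")
    parts = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": boot == 0x80, "type": ptype, "start_lba": start,
                      "sectors": count, "truncated": start + count > total_sectors})
    return parts

def describe_image(data: bytes) -> dict:
    """Hash the whole image and report its layout: MBR partitions or a bare FAT volume."""
    total = len(data) // SECTOR
    info = {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
            "total_sectors": total}
    if is_fat_boot_sector(data[:SECTOR]):
        info["layout"], info["partitions"] = "superfloppy", []
    else:
        info["layout"], info["partitions"] = "MBR", parse_mbr(data[:SECTOR], total)
    return info

# Constructed sample: one bootable FAT32-LBA (type 0x0C) partition, LBA 1..7, in an 8-sector image
SAMPLE_IMAGE = build_mbr([(0x80, 0x0C, 1, 7)]) + bytes(SECTOR * 7)
print(describe_image(SAMPLE_IMAGE))
```

Run it against a real image by replacing SAMPLE_IMAGE with the bytes read from the .001 or .dd file; a "truncated" partition or a hash mismatch means the copy is not the one that was acquired.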