
Upload: buihanh

Post on 11-Apr-2018


Page 1: CYB610Project6Lab (1) · I. Digital Forensics Lab (Introduction to FTK Imager) a. ... Two of the machines run Linux OS, and two run Windows OS as follows: VM1= Linux = NIXATK01

1

CYB 610

Project 6 Workspace Exercise

I. Digital Forensics Lab (Introduction to FTK Imager)

a. Lab Rules:

● Each student has to do the lab individually. No content directly quoted from Internet or other sources is allowed.
● Include your results in your deliverables.

b. Lab Objectives:

• To familiarize the student with the use of forensic tools such as FTK imager in order to better understand the purpose and importance of this type of tool when performing forensic analysis.

c. Competencies: Forensic analysis, Systems thinking, hands-on

d. Lab Overview: The hands-on exercises for this lab will help you understand digital forensics concepts using tools such as the Forensic Tool Kit (FTK). Digital Forensics concepts are explained throughout the steps of Project 6 ELM classroom.

You will use the UMUC Digital Lab environment to access the tools for this project. The lab environment has 4 VMs (Virtual Machines) available, connected as depicted in the figure below. Two of the machines run Linux OS, and two run Windows OS as follows:

VM1 = Linux = NIXATK01
VM2 = Linux = NIXTGT01
VM3 = Windows = WINATK01 (Use this system to run the FTK Imager for this project)
VM4 = Windows = WINTGT01


e. Important Lab Information:

1) Appendix A contains all the detailed Lab Instructions. After reading all the information in this section, use Appendix A to perform the lab exercises.

2) Familiarize yourself with the resources provided in the Lab Resources section of this document. You will find helpful open source links that help you understand the FTK tool you will use in this lab.

3) Connect to the lab environment following the connect instructions provided in your classroom (let your instructor know if you cannot locate the connect instructions). Contact lab support if you need general technical support related to your virtual lab environment and associated lab exercises. After you have successfully connected to the lab environment, proceed to the next step in order to run the tools associated with this project.

4) FTK Imager (Forensics Tool Kit Imager):

• Use FTK Imager to create an “image” of a directory on your VM.
• Follow the instructions provided for FTK Imager in Appendix A.

5) Compile your findings and incorporate what you have learned in your deliverables for this project.


II. Lab Resources

Lab Credentials:

User: StudentFirst
Pass: Cyb3rl@b

Application websites

● Access Data: http://accessdata.com/
● EnCase: https://www.guidancesoftware.com/

Lab Reference Information

Application documentation

● Access Data FTK Imager: http://nest.unm.edu/files/5513/9251/4756/Tutorial_1_-_FTK_Imager_-_Imaging.pdf
● EnCase:
  o http://www.thecybercrimeinvestigator.com/crj455/EnCase%20Forensic%20Version%206.11%20User's%20Guide.pdf
  o http://www.cis.gsu.edu/rbaskerville/cis8630/labs/cis8630lab4-encase.pdf

Application videos online

● Access Data FTK Imager:
  o https://www.youtube.com/watch?v=TMuOCCvUnhw
  o https://www.youtube.com/watch?v=_lDDD645TbQ
● EnCase:
  o https://www.youtube.com/watch?v=g3gpPwdYAjc
  o https://www.youtube.com/watch?v=O4ce74q2zqM


APPENDIX A (Lab Instructions)

(Return to Important Lab Information)

FTK Imager (Forensic Tool Kit) – Imaging a directory on your VM

In this experiment, you will use FTK Imager to image a directory folder on your machine. Usually investigators will image (i.e. make a bit by bit copy) a whole drive to make a duplicate of it. In this case we only want to image a single directory folder and its contents due to time (faster) and disk space considerations. In the following example of doing imaging with FTK Imager, keep in mind that as a student, you will only select to image a disk directory, choose the directory in the tool interface options, and then select the output of that image. You could then mount the resulting image and explore its contents to verify that it was in fact a captured image of the directory you had specified.

Here are examples of the use of the imaging features of FTK in videos you can watch at the following Internet URLs:

FTK Imager Lite Tutorial and Example: https://www.youtube.com/watch?v=OUORBch0zaE
FTK Imager Example: https://www.youtube.com/watch?v=5Y_ZB0l9NgY
Creating an Image File: https://www.youtube.com/watch?v=TvRQGoT0PZk
Opening an Image File: https://www.youtube.com/watch?v=TMuOCCvUnhw

Step by step instructions:

1. On the desktop of the VM WINATK01 -> Lab Resources -> Applications -> locate and launch FTK Imager.

2. Once the program starts, select File -> Create Disk Image.


3. In the Select Source dialog, select ‘Contents of a Folder’. For this exercise, we are going to create a bit by bit image of a folder due to size and time constraints. Click Next.

4. Click ‘Yes’ to continue. Note the information provided in the message.


5. We are going to create an image of the Sample Pictures folder located in the Public Pictures folder as shown below. Click Finish.


6. Check the box that says ‘Create directory listings of all files in the image…’ and click ‘Add’ to indicate the location where the image will be stored.

7. Fill out the Evidence Item Information as you wish and click Next.


8. Select a destination location in the Select Image Destination dialog and click Finish. Then, click Start on the Create Image dialog. The image creation starts and a dialog will follow indicating the hashes that have been created. The hashes are the values that ensure the integrity of this image. Later on (possibly during litigation), these values can be used to prove that the image was not altered after the time of initial capture. Click Close.


9. View the Image Summary and note the information given. Click Close.


10. Your image should be found on the desktop of your VM.

11. Now, we are going to read the image back into FTK Imager to verify the image is stored. In a real investigation, the above steps are performed to capture the information of a system that is being investigated. The image is usually stored on a separate storage device such as a thumb drive or an external hard drive. The forensic investigator then takes the evidence and loads it into a separate system for analysis. To load your copy in FTK Imager, click File -> Add Evidence Item.


12. In the Select Source dialog, choose Contents of a Folder (i.e. where the “FTK image” was stored) and click Next.


13. Select the location where the FTK image was stored and click Finish.

14. As in the image below, you should see the files created by the imaging process using FTK Imager.


15. For a digital forensic investigator, the next step after obtaining a forensic image of the evidence is to analyze the evidence using other types of tools such as the main FTK tool or EnCase. This is outside the scope of this lab; however, you have learned the concepts associated with it.
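As an added illustration (not part of the lab handout or of FTK Imager itself), the Python script below reproduces in miniature what step 6 (the directory listing) and step 8 (the integrity hashes) record at acquisition, and what steps 11 to 14 check when the image is read back: it builds a listing of every file under an acquired folder with its size, MD5 and SHA1, then later compares the folder against that listing and reports files that are missing, added or altered. The folder name and file contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for one file, read in 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(folder):
    """Directory listing of every file under folder: relative path -> size and hashes."""
    folder = Path(folder)
    manifest = {}
    for path in sorted(p for p in folder.rglob("*") if p.is_file()):
        rel = path.relative_to(folder).as_posix()
        manifest[rel] = {"size": path.stat().st_size, **hash_file(path)}
    return manifest


def verify_manifest(folder, manifest):
    """Re-hash the folder and report files missing, added or altered since acquisition."""
    current = build_manifest(folder)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "added": sorted(set(current) - set(manifest)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
    }


def demo():
    """Constructed sample: acquire a folder, verify it, then alter one file and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        pics = Path(tmp) / "Sample Pictures"  # constructed stand-in for the lab's folder
        pics.mkdir()
        (pics / "Koala.jpg").write_bytes(b"\xff\xd8constructed sample\xff\xd9")
        (pics / "Desert.jpg").write_bytes(b"\xff\xd8another constructed sample\xff\xd9")
        manifest = build_manifest(pics)  # the listing and hashes taken at acquisition time
        clean = verify_manifest(pics, manifest)  # unchanged folder: nothing reported
        (pics / "Koala.jpg").write_bytes(b"\xff\xd8altered after capture\xff\xd9")
        tampered = verify_manifest(pics, manifest)  # the altered file is flagged
        return clean, tampered
```

Any change to a file's bytes, however small, changes its hash, which is why the recorded values can later show that the captured data was not altered.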