ComputerSecurityStudent (CSS) [Login] [Join Now]


|FORENSICS >> FTK >> FTK Imager >> Imager 3.1.x >> Current Page |Views: 22913

(FTK Imager: Lesson 3)

{ Create Disk Image after Deleting a Picture  }

Section 0. Background Information
  1. What is FTK Imager?
    • The FTK toolkit includes a standalone disk imaging program called FTK Imager. The FTK Imager has the ability to save an image of a hard disk in one file or in segments that may be later reconstructed.
    • It calculates MD5 hash values and confirms the integrity of the data before closing the files.
    • In addition to the FTK Imager tool can mount devices (e.g., drives) and recover deleted files.

  2. Pre-Requisite
    1. FTK Imager: Lesson 1: Install FTK Imager
    2. FTK Imager: Lesson 2: Create Virtual Hard Drive, Delete File, Recover File
      • Note: This lab is necessary, because you will need to create a Virtual Hard Drive.

  3. Lab Notes
    • In this lab we will do the following:
      1. Download a Picture to the Virtual Hard Drive
      2. Delete a Picture from the Virtual Hard Drive
      3. Delete the Picture from the Recycle Bin
      4. Create an image of the Virtual Hard Drive with FTK Imager

  4. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.

     

Section 1: Log into Damn Vulnerable WXP-SP2
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Start Up Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Edit virtual machine Settings
    • Note(FYI):
      • For those of you not part of my class, this is a Windows XP machine running SP2.

     

  3. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

     

  4. Play Virtual Machine
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Play virtual machine

     

  5. Logging into Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Click on Administrator
      2. Password: Supply Password
      3. Press <Enter> or Click the Arrow

     

  6. Open a Command Prompt
    • Instructions:
      1. Start --> All Programs --> Accessories --> Command Prompt

     

  7. Obtain Damn Vulnerable WXP-SP2's IP Address
    • Instructions:
      1. ipconfig
    • Note(FYI):
      • In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
      • This is the IP Address of the Victim Machine that will be attacked by Metasploit.
      • Record your Damn Vulnerable WXP-SP2's IP Address.
    • .

 

Section 2: Download Test Picture
  1. Start Firefox
    • Instructions:
      1. Click the Start Button
      2. All Programs --> Mozilla Firefox

     

  2. Start Test Picture Download
    • Instructions:
      1. Place the following URL in the Firefox Address Textbox
        • http://www.computersecuritystudent.com/FORENSICS/FTK/IMAGER/FTK_IMG_313/lesson3/whistle.jpg
      2. Right Click on the image
      3. Click on "Save Image As..."

     

  3. Save Test Picture Download
    • Instructions:
      1. Save in: Select the FTK (Z:) Drive
      2. Filename: whistle
      3. Save as type: JPEG Image
      4. Click the Save Button

     

  4. Open My Computer
    • Instructions:
      1. Click the Start Button
      2. All Programs --> My Computer

     

  5. Open your FTK(Z:) Drive
    • Instructions:
      1. Navigate to your FTK(Z:) Drive

     

  6. Delete the Test Image
    • Instructions:
      1. Right Click on whistle.jpg
      2. Click Delete
      3. Click the OK Button in the "Confirm Deletion" warning window.

     

  7. Open the Recycle Bin
    • Instructions:
      1. Double Click on the Recycle Bin

     

  8. Delete Test Picture From the Recycle Bin
    • Instructions:
      1. Right Click on whistle.jpg
      2. Click Delete
      3. Confirm File Delete Windows: Click the Yes Button.

 

Section 3: Forensics Directory
  1. Open a Command Prompt
    • Instructions:
      1. Start --> All Programs --> Accessories --> Command Prompt

     

  2. Create a Forensics Directory
    • Instructions:
      1. mkdir C:\FORENSICS
      2. dir C:\FORENSICS
    • Note(FYI):
      1. If you completed the previously lab you will receive an error that states "A subdirectory or file C:\FORENSICS already exists."
      2. In Addition, the directory listing might list remnant files (eg., horse.jpg) from the previous lab.

 

Section 4: Start FTK Imager
  1. Start FTK Imager
    • Instructions:
      1. Click on the Start Button
      2. All Programs --> AccessData --> FTK Imager --> FTK Imager
     
Section 5: FTK Imager: Create Disk Image...
  1. Add Evidence
    • Instructions:
      1. File --> Create Desk Image...

     

  2. Select Source
    • Instructions:
      1. Select the "Physical Drive" Radio Button
      2. Click the Next Button

     

  3. Select Drive
    • Instructions:
      1. Select \\PHYSICAL DRIVE1 ... (106MB SCSI)
      2. Click the Finish Button

     

  4. Create Image
    • Instructions:
      1. Check the "Verify images after they are created" checkbox
      2. Click the Add... Button

     

  5. Select Image Type
    • Instructions:
      1. Select the Raw(dd) Radio Button
      2. Click the Next Button

     

  6. Evidence Item Information
    • Instructions:
      1. Case Number: 00001
      2. Evidence Number: 001
      3. Unique Description: Practice Image
      4. Examiner: Your Name
        • For Proof of Lab purposes, replace the string "Your Name" with your actual name.
      5. Contains a delete Captain Crunch Whistle
      6. Click the Next Button

     

  7. Select Image Destination
    • Instructions:
      1. Image Destination Folder: C:\FORENSICS
      2. Image Filename (Excluding Extension): practice-01
      3. Image Fragment Size(MB): 1500
      4. Click the Finish Button

     

  8. Create Image
    • Instructions:
      1. Check "Verify images after they are created"
      2. Click the Start Button

     

  9. Drive/Image Verify Results
    • Instructions:
      1. View MD5 Matching Hashes
      2. View MD5 Matching Hashes
      3. Click the Close Button

     

  10. Image created successfully
    • Instructions:
      1. Click the Close Button

 

Section 6: Proof of Lab
  1. Proof of Lab
    • Instructions:
      1. cd C:\FORENSICS
      2. dir | findstr "practice"
      3. type practice-01.001.txt | findstr "Examiner"
      4. date /t
      5. echo "Your Name"
        • This should be your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle

 


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth