
Sunday, January 23, 2022

Making Image of A Laptop (Summary)

1.      Summary

A forensic image is an exact, bit-for-bit copy of a storage device. The objective is to capture every sector of the disk without changing a single byte of the source. Because it copies sectors rather than files, the image also contains deleted data: files and fragments left behind in the swap/page file, in unallocated space and in file slack.


There are two ways to image a suspect system.

1)    Cold copy: the suspect system is booted from a USB stick or DVD into a customized Linux environment and the imaging tool is run from there. The suspect operating system is never started.

2)    Hot copy (live acquisition): the imaging tool is run on the suspect system while it is up and running.


Cold copy is the recommended method: the fewer changes made to the suspect system, the better.

However, in some circumstances a cold copy is not possible (for example, a disk that is only readable while the running system holds the encryption key unlocked, or a machine that cannot be powered off), and a hot copy must be used instead. A hot copy also makes it possible to capture volatile memory (RAM) for analysis. Keep in mind that running a tool on the live system does modify it (new files, registry entries, memory contents), so record exactly what was run and when.


Three tools are covered below. The first two are used for a cold copy, the third for a hot copy.

1)    Paladin Edge 64 (https://andyinmatrix.blogspot.com/2021/03/making-image-of-laptop.html )

2)    Kali Linux (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-part-2.html )

3)    FTK Imager (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-part-3.html )

Making Image of A Laptop (Part 3)


1.      Making image with FTK Imager

1.1      Description

FTK Imager is a free Windows acquisition tool from AccessData that is widely used in forensics courses and toolkits. It can image physical drives, logical volumes and individual files, export the Windows page file, and capture volatile memory (RAM) for analysis.


1.2      Requirement

1)    USB external hard drive, 1 TB or larger recommended, to hold the image. A raw (dd) image is exactly as large as the source disk, so the destination must have more free space than the source; format it as NTFS or exFAT, since FAT32 cannot hold files larger than 4 GB.

2)    Download FTK Imager (https://accessdata.com/product-download)


1.3      Make an image of the suspect system

1)    Install FTK Imager and open it as Administrator (raw access to physical drives requires elevated rights). To keep changes to the suspect system to a minimum, prefer running the portable FTK Imager Lite from the external drive instead of installing anything on the suspect disk.

2)    Click Menu “File” > “Create Disk Image”

3)    Choose the source type “Physical Drive”, click “Next”, select the suspect drive from the list and click “Finish”.


4)    Click “Add”, select Image Type “Raw (dd)” and click “Next”. Raw is the most portable format and is read by every analysis tool; E01 adds compression and embeds the case metadata and hashes in the image itself.


5)    The “Evidence Information” fields (case number, evidence number, examiner, notes) can be left blank for a quick acquisition; click “Next”. Filling them in is good practice, because FTK Imager writes them into the text log it creates next to the image.


6)    Select the destination folder on the external drive and enter the image filename (without extension). Set “Image Fragment Size (MB)” to 0 so that the image is written as a single file; for the Raw, E01 and AFF formats a value of 0 means “do not fragment”. Any other value splits the image into numbered segments (.001, .002, ...).


7)    Leave “Verify images after they are created” checked and click “Start”, then wait until the progress bar finishes. FTK Imager hashes the source drive (MD5 and SHA1) during acquisition, re-hashes the finished image, and writes both sets of hashes to a .txt log beside the image. Confirm that the two match before the external drive leaves your hands.
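As an added example (not code from the original post or from AccessData), the script below repeats the verification of step 7 independently of FTK Imager: it reads the MD5/SHA1 that the summary .txt log records for the source under “[Computed Hashes]”, re-hashes the raw image segments (.001, .002, ...) in order as one continuous stream, and compares. The log layout, the .001.txt naming and the sample image bytes are reconstructed/constructed here so the script runs offline; check them against a real FTK Imager log before relying on the parser.

```python
"""Independently verify an FTK Imager raw (dd) image against its summary log.

Added example, not part of the original post or of FTK Imager itself.
The log layout below is reproduced from memory of FTK Imager's summary
.txt (an assumption); the sample image data is constructed so this runs
offline.
"""
import hashlib
import os
import re
import tempfile

# Constructed sample "disk", written as two segments to show that a
# fragmented image (fragment size > 0) must be hashed as one stream.
SEGMENT_DATA = [bytes(range(256)) * 4096, b"\xAA\x55" * (512 * 1024) + b"EOF"]

# Layout modelled on FTK Imager's summary log (values are constructed).
LOG_TEMPLATE = """Created By AccessData FTK Imager 4.7.1.2

Case Information:
Case Number:
Evidence Number:
Examiner:

--------------------------------------------------------------

Information for {base}:

Physical Evidentiary Item (Source) Information:
[Device Info]
 Source Type: Physical
[Computed Hashes]
 MD5 checksum:    {md5}
 SHA1 checksum:   {sha1}

Image Information:
 Segment list:
{segments}

Image Verification Results:
 MD5 checksum:    {md5} : verified
 SHA1 checksum:   {sha1} : verified
"""

HASH_RE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9a-fA-F]+)", re.M)


def parse_ftk_log(text):
    """Return {'MD5': hex, 'SHA1': hex} for the SOURCE drive.

    The first hashes after [Computed Hashes] are the source hashes; the
    later "Image Verification Results" repeat them, so keep first matches.
    """
    parts = text.split("[Computed Hashes]", 1)
    if len(parts) < 2:
        raise ValueError("no [Computed Hashes] section in log")
    found = {}
    for algo, digest in HASH_RE.findall(parts[1]):
        found.setdefault(algo, digest.lower())
    if set(found) != {"MD5", "SHA1"}:
        raise ValueError(f"incomplete hashes in log: {found}")
    return found


def find_segments(base):
    """Collect <base>.001, <base>.002, ... in numeric order."""
    directory, name = os.path.split(base)
    pattern = re.compile(re.escape(name) + r"\.(\d{3,})$")
    segs = []
    for fn in os.listdir(directory or "."):
        m = pattern.fullmatch(fn)
        if m:
            segs.append((int(m.group(1)), os.path.join(directory, fn)))
    if not segs:
        raise FileNotFoundError(f"no image segments for {base}")
    return [p for _, p in sorted(segs)]


def hash_segments(paths, chunk=1 << 20):
    """Hash all segments as one stream, the way the source disk was hashed."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for p in paths:
        with open(p, "rb") as f:
            for buf in iter(lambda: f.read(chunk), b""):
                md5.update(buf)
                sha1.update(buf)
    return {"MD5": md5.hexdigest(), "SHA1": sha1.hexdigest()}


def verify_image(base, log_path):
    """Return {'MD5': bool, 'SHA1': bool}: does the image match the log?"""
    with open(log_path, encoding="utf-8") as f:
        expected = parse_ftk_log(f.read())
    actual = hash_segments(find_segments(base))
    return {algo: expected[algo] == actual[algo] for algo in expected}


def build_sample(workdir):
    """Write the constructed segments and a matching log; return (base, log)."""
    base = os.path.join(workdir, "laptop")
    paths = []
    for i, data in enumerate(SEGMENT_DATA, start=1):
        p = f"{base}.{i:03d}"
        with open(p, "wb") as f:
            f.write(data)
        paths.append(p)
    h = hash_segments(paths)  # stands in for the hashes FTK took of the source
    log_path = f"{base}.001.txt"  # FTK names the log after the first segment
    with open(log_path, "w", encoding="utf-8") as f:
        f.write(LOG_TEMPLATE.format(base=base, md5=h["MD5"], sha1=h["SHA1"],
                                    segments="\n".join(f"  {p}" for p in paths)))
    return base, log_path


def demo():
    """Verify an intact copy, then the same copy with one byte altered."""
    with tempfile.TemporaryDirectory() as work:
        base, log = build_sample(work)
        intact = verify_image(base, log)
        last = find_segments(base)[-1]
        with open(last, "r+b") as f:  # flip the final byte of the last segment
            f.seek(-1, os.SEEK_END)
            b = f.read(1)[0]
            f.seek(-1, os.SEEK_END)
            f.write(bytes([b ^ 0xFF]))
        tampered = verify_image(base, log)
    return intact, tampered


if __name__ == "__main__":
    ok, bad = demo()
    print("intact image  :", ok)
    print("altered image :", bad)
```

On a real case, point `verify_image("E:\\images\\laptop", "E:\\images\\laptop.001.txt")` at the external drive; a single `.001` file (fragment size 0) and a split image are handled the same way. A mismatch on either hash means the image on the drive is not what FTK Imager read from the source, so re-acquire rather than analyse it.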


Also refer to:

1)    Making Image of a laptop – Summary (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-summary.html )

2)    Paladin Edge 64 (https://andyinmatrix.blogspot.com/2021/03/making-image-of-laptop.html )

3)    Kali Linux (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-part-2.html )

4)    FTK Imager (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-part-3.html )