Forensic disk images of a Windows system: my own workflow

Posted on by Andrea Fortuna

Every forensic analyst, during his experience, perfects his own workflow for the acquisition of forensic images.

Today I want to propose my own workflow for acquisition of physical disks on Microsoft Windows systems

Required tools

FTK Imager

The Forensic Toolkit Imager (FTK Imager) is a commercial forensic imaging software package distributed by AccessData.

It comes in 2 versions: GUI version, and Command-Line only.

GUI: http://accessdata.com/product-download/ftk-imager-lite-version-3.1.1

Command Line: http://accessdata.com/product-download/windows-32bit-3.1.1

CAINE (Computer Aided INvestigative Environment)

GNU/Linux live distribution that offers a complete forensic environment organized to integrate existing software tools as software modules and to provide a friendly graphical interface.

Download: http://www.caine-live.net/

Image acquisition on a running system

Using FTK Imager (on 64 bit Windows Systems)

  1. Login to via local admin account on the target system.
  2. Connect the external HDD into the target system.
  3. Take notes on the information about the affected system: computer name and system characteristics. This can be found at: Start -> Computer -> Properties.

    NOTE: Take a screenshot and put it on the external HDD.

  4. Identify and take notes on the volumes that are currently mounted on the system through the Computer Management console (Start -> right click on Computer -> Manage). Navigate into “Disk Management”.
NOTE: Take a screenshot and put it screenshot on the external HDD
  1. Open Windows Explorer and navigate to the FTK Imager Lite folder within the external HDD.
  2. Run FTK Imager.exe as an administrator (right click -> Run as administrator).

  3. In FTK’s main window, go to File and click on Create Disk Image.

  4. Select Physical Drive as the source evidence type. Click on Next.
  1. Select the actual physical drive from the drop down list and click on Finish.
  1. In the Create Image window click on Add (in the Image Destination(s) section).
  1. Select E01 as the destination image type and click on Next.
  1. Complete the Evidence Item Information and click Next. Here an example:
  1. In the Image Destination Folder browse for the external collection drive (if different from the response drive) and click OK.
  1. Provide a name for the image within the Image Filename box.
    Usually I use this naming convention: DATE_TIME_HOSTNAME. (Example: 08122016_1500_WEB001)
  1. Change the Image Fragment to 2048. Additionally, set the level of compression to 9 (smallest). Click on Finish.
  1. Check Precalculate Progress Statistics” to see how much time and storage space creating the custom image will require before you start.
  1. Click on Start and record the time in your notes.
    The progress of the imaging process will be displayed as well as the elapsed and remaining time.
  1. If the option “Verify images after they are created” was selected in step 16, the verification process starts immediately after the imaging process finishes.
    The verification process might take some time to complete, but do not cancel it as it is important to know if the image was successfully created.
  2. After the image is generated, a log file is created in the same location where the image is saved.

Using command line FTK Imager (for 32 bit Windows System)

If you are trying to image 32 bit Windows System, you will need to use FTK Imager Command Line:

  1. Login with a local admin account on the target system.
  2. Connect the external HDD into the target system that has FTK Imager Command Line folder residing on it.
  3. Take notes on the information about the affected system: computer name and system characteristics. This can be found at: Start -> Computer -> Properties.

    NOTE: Take a screenshot and put it screenshot on the external HDD.

  4. Identify and take notes on the volumes that are currently mounted on the system through the Computer Management console (Start -> right-click on Computer -> Manage). Navigate into ‘Disk Management’.
NOTE: Take a screenshot and put it screenshot on the external HDD
  1. Open a command prompt
  2. Navigate to the location of the FTK Imager Command Line Folder and then run the following command: 
    E:\>ftkimager.exe <HARD DRIVE THAT YOU WANT TO IMAGE> e:\<Destination path of output file with name NOT extension> --e01 –-frag 2G –compress 9 –verify

    Example: 

    E:\>ftkimager.exe \\.\PhysicalDrive0 e:\IMAGE_FOLDER\filename --e01 –-frag 2G –-compress 9 –-verify

    You should be seeing the following type of information:

Image acquisition on a powered off system

  1. Start the system with a Live linux distribution from CD or USB Stick: Ubuntu, Kali or (my suggestion) CAINE.
  2. Connect the external HDD into the target system.
  3. Mount the file system by creating a mount point and then mounting the external disk (ex. /dev/sdb1). 
    [email protected]:~# mkdir /mnt/target
[email protected]:~# mount /dev/sdb1 /mnt/target
  4. Create a cryptographic fingerprint of the original disk (ex. /dev/sda) using MD5. This will be used to verify the integrity of the duplicate. 
    [email protected]:~# md5sum /dev/sda > /mnt/target/08122016_1500_WEB001.md5
  5. Use dd with the input source being the /dev/sda and the output file with chosen name.
    (Example: 08122016_1500_WEB001)
    Other useful options is the conv=sync,noerror to avoid stopping the image creation when founding an unreadable sector.
    If such sector is found with this option, it will skip over the unreadable section (noerror) and pad the output (sync). 
    [email protected]:~#dd if=/dev/sda of=/mnt/target/08122016_1500_WEB001.img conv=sync,noerror bs=8k

19536363+0 records in

19536363+0 records out

160041885696 bytes (160 GB) copied, 5669.92 s, 28.2 MB/s
  6. Finally create the fingerprint of the image created and verify that both fingerprints match and unmount the drive. 
    [email protected]:~#md5sum /mnt/target/08122016_1500_WEB001.img > /mnt/target/08122016_1500_WEB001.img.md5
[email protected]:~# cat /mnt/target/*.md5

6a5346b9425925ed230e32c9a0b510f7  /mnt/target/08122016_1500_WEB001.img

6a5346b9425925ed230e32c9a0b510f7  /dev/sda

[email protected]:~# umount /mnt/target/

Further readings

Comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.