Live Imaging using FTK Imager on Windows OS Systems

-

While there are many different methods for disk imaging, one of them is performing this process on a running Windows operating system. During imaging on an active Windows system, there is a risk of unintentionally writing data to the disk. This can compromise the integrity of the data under investigation. Therefore, it is recommended that this method be avoided unless absolutely necessary.

Imaging with FTK Imager:

To perform imaging with the FTK Imager application, the application must be stored on a USB flash drive. After the computer to be imaged is powered on, the FTK Imager application on the USB drive is launched by double-clicking. The application interface that will then appear on the screen is as follows:


To image one of the disks on the computer where the application is running, click on the "File" tab in the top left corner, followed by "Add Evidence Item."


After clicking on the relevant section, the following screen will appear, where you decide whether the image will be taken physically or logically. Then, the disk to be imaged is selected.


Determining the Image Extension and Selecting the Destination for the Image:

Another important aspect of imaging is ensuring that the image is in a format suitable for analysis in EnCase after the process is complete. Therefore, it is crucial that the image has the E01 extension. After clicking the "Finish" button on the previous screen, you can make this selection on the screen that follows.


Similarly, the image details (such as the image number) and the destination where the image will be stored (target disk) are specified in this section.


Selecting the Compression Ratio:

Especially for images of very large disks, compression can reduce their size to some extent. This reduces the amount of space the image will occupy on the target disk, allowing more images to fit into the same target disk. The compression ratio is selected from the section below. However, it is important to note that a higher compression ratio may extend the imaging process.


After selecting the "Finish" option, the imaging process will begin as shown below.


Image Verification:

To ensure the accuracy of the obtained image, it is recommended to perform a verification process. In this context, the option "Verify images after they are created" should be checked on the create image screen, as shown below:


After the imaging process is complete, a screen will appear indicating that the image has been verified, as shown below. This confirms that the imaging process was successfully completed.


If the verify result does not show "match," the imaging process needs to be repeated.

Yorumlar

Yorum Gönder

Bu blogdaki popüler yayınlar

Setting up FTK Imager on Ubuntu OS installed USB Drive

-
One of the most suitable methods for disk imaging is using Linux distributions. For this process, the operating system must have FTK Imager software installed, which allows image capture with the E.01 extension. Among the Linux distributions, only the Deft Zero operating system comes with this application pre-installed. For other Linux distributions, the FTK Imager software needs to be installed within these systems to perform imaging. The Ubuntu operating system allows direct imaging on devices with the new generation (UEFI) boot system without switching to the Legacy Boot Option in the UEFI interface, unlike other Linux versions. Therefore, it is recommended to use Ubuntu on customer devices where the Legacy option does not appear in the Boot Option or where Boot settings cannot be changed. First, a folder is created within the Ubuntu USB with write and delete permissions: sudo mkdir /opt/ftk-imager sudo chmod 777 /opt/ftk-imager The FTK Imager.tar file, located on another USB, is...
Devamı

Extracting hash values from MS Office files using John The Ripper on Linux

-
Resim
Part of the series (1 of 2) cracking password protected MS Office files. When we encrypt a document such as xls, xlsx, docx etc., the password we use for encryption is usually kept (embedded) as a calculated hash inside source code of the file. Hence, the most important thing here is to define the correct approach which will be the most useful for detecting and extracting that hash file.  What is hash? Hash is a product of a information that is calculated using a hashing algorithm. Saying that, each hashing algorithm has different calculation methods, so that aspects and calculating times vary for each of them. I prefer to keep that section short, as we will take a detailed look into it in another post. MS Office hashing algorithm formats For protected office files, usually combined hashing algorithms are preferred. As they vary on the MS office version, a hashing file belonging to MS Office 2013 will usually look like the following format:  MS Office ⇐ 2003 MD5 + RC4, oldoffi...
Devamı

Cracking password protected MS Office files using Hashcat

-
Part of the series (2 of 2) cracking password protected MS Office files. Whether it is a forensic investigation or even in private life, we might need to open a password protected file which might contain a personal information or information that can change the direction of investigation. For those files, unlike common belief, depending on the length of password, it is actually possible to crack the file reach the data inside. But in order to that, we must have the correct tools and right approach.  In this article, I am going to show how to crack a password protected MS office file using Hashcat on Linux Ubuntu OS step by step. Extracting password hash from the file In our case, we are going to have example.xlsx file which is protected with password. The first thing to do here is to extract the hash of the password which can be done using John The Ripper. This step is explained in my previous article, which can be found here . Note that we are going to need the text file that is...
Devamı