The Imaging Process

OVERVIEW: This lab is part of a series of lab exercises intended to support courseware for Ethical Hacker training. Thedevelopment of this document is funded by the Department of Labor (DOL) Trade Adjustment AssistanceCommunity College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48.

In this lab, students will enumerate hosts on the network using various tools.

This lab includes the following tasks:

1 – Using FTK Imager

2 – Using HELIX to image a system

3 – Using Kali 2 to image a system

KeyTerm Description

FTKImager

FTK Imager is a GUI Program that will allow a user to create a disk image from within Windows.You can run into complications imaging a disk while in Windows because certain files are lockedby the OS. FTK Imager allows you to image a disk or a logical drive.

dd a Unix/Linux program that allows you to backup media. You can create a bit-by-bit copy of theoriginal media, one that is forensically equivalent to the original source.

dcfldd an improved version of the dd program that includes a hashing function

HELIXHELIX is a combination of a Live CD and an Incident Response CD. The free version, also knownas HELIX 3, is available from e-fense at http://www.e-fense.com/products.php. The newest versionis based off the Ubuntu CD. When you boot to the HELIX Live CD, it will not automatically mountdrives so disk contamination can be avoided.

MD5Message Digest 5 is a 128 bit hashing algorithm that aids forensic examiners by “proving” thatthe copy of the media they are working on is ‘equivalent’ to the original. Other hashes, such asSHA-160, which is 160 bits, are more accurate than the 128 bit MD5.

Reading AssignmentIntroductionIn this lab, students will image disks using various tools in Windows and Linux. Figure 1 shows the labtopology.

FIGURE 1 – LAB TOPOLOGY

This lab includes the following tasks:

Using Forensics Toolkit (FTK) Imager

Using dd to image a system

Using Kali 2 and the dd command to image a system

The Digital Forensic ProcessThe digital forensic process involves four steps: collection, examination, analysis, and reporting. Figure 2illustrates the process.

FIGURE 2 – DIGITAL FORENSIC PROCESS (SOURCE: LINK)

A critical first step in digital forensics is the chain of custody. It is essentially documenting the way wehandle digital evidence, so it is “trusted” in court. It requires the custodian of the digital evidence todocument when we secure, transport, and verify items digital forensic specialist secured for aninvestigation.

Digital evidence includes some of the following:

E-mails

User accounts

Digital videos, audio, and photos

Instant messages (IM)

Web browsing history

Files

An image of RAM

Registry

Backups

Logs

Video recordings

The process of digital forensics has four steps:

Collection1.

Identify, label, record, and acquire the data from relevant sources to be used by investigators.Care must be taken to preserve the integrity of the evidence for chain-of-custody reasons. Thedata custodian must document every step to preserve chain-of-custody.

Examination2.

Use forensically sound ways to collect data to help support the investigation. Again, preservingthe integrity of evidence is critical here.

Analysis3.

Analysis is the result of the investigation using legally justifiable methods and techniques. Thecomputer forensic examiner documents every step to preserve chain of custody.

Reporting4.

Reporting is the documentation of the examination and analysis of the investigation whichincludes explanation of the use of tools, description of the analysis of the different data sources,issues and vulnerabilities identified, and recommendations. The examiner will document everystep to preserve chain of custody.

The Imaging ProcessDigital forensic imaging is defined as a process for copying physical storage without modifying its contentsused in gathering evidence and conducting digital forensic investigation after an organization’s system hasbeen compromised. The examination could be related to a crime, network instruction, or other reason. Theimage is a complete bit-by-bit replica of the original. Hashing is used to make sure that images are exactcopies of the original and the copies are forensically equivalent.

Digital Forensic Imaging MethodsThere are different methods in which copies can be secured from a storage device.

Windows Copy and PasteWindows copy and paste is the process of copy and pasting copies of folders and files from one location toanother. This process does not allow for exact copies of storage devices and should not be used in creatingimages for digital forensic investigations.

Disk Cloning MethodDisk cloning is the process of creating an exact copy of the target drive including the operating system andfiles of the original. The disk cloning process allows for the exact copy to be used in case of a main drivefailure and will work just like the original. Disk Cloning Software is not typically used to make a forensiccopy because of the lack of built-in hashing functionality.

Disk Imaging MethodsDisk imaging is the process of copying a hard drive. It is stored as a single file unlike a cloned disk. But itcontains all the information on the disk, including free space and slack space (unlike a cloned drive). Youwould need the disk imaging software to be able to examine the image with forensic software such asEnCase or Autopsy.

Disk Forensic Imaging SoftwareThere are different disk imaging software available to digital forensic specialist. We will investigate threedifferent ways to create images.

FTK ImagerFTK Imager is a Graphical User Interface (GUI) Program that will allow a user to create or convert a diskimage from within Windows. You can run into complications imaging a disk while in Windows becausecertain files are locked by the operating system (OS). FTK Imager allows you to image a disk or a logicaldrive. Figure 3 shows the FTK Imager.

FIGURE 3 – FTK IMAGER

ddThe dd command is a Unix/Linux command-line program that allows you to back up media. You can createa bit-by-bit copy of the original media, one that is forensically equivalent to the original source. It worksboth in Windows and Kali Linux. In this lab, you will use Windows dd and also the dd command in Linux tomake bit-by-bit replicas of a storage system. Figures 4 and 5 show the output of the dd command inWindows and Kali Linux.

FIGURE 4 – DD COMMAND IN WINDOWS

FIGURE 5 – DD COMMAND IN LINUX

CONCLUSION: In this lab, you will use the FTK Imager application and the dd command to make images of storagedevices in both Windows and Linux.

Using FTK ImagerDisks are imaged, or copied, so that an examiner can work on a copy of the disk as opposed to analyzingthe actual drive. A disk can be imaged from within Windows using a Graphical User Interface (GUI)-basedtool such as FTK Imager. You can run into complications imaging a disk while in Windows because certainfiles are locked by the OS.

Imaging a Disk within WindowsClick the START button in the adjoining window.1.

INITIALIZING THE VIRTUAL ENVIRONMENT

Click the Windows 7 Machine from the topology.2.

WINDOWS 7 MACHINE

Logon as student with the password of password. Press Enter.3.

Note: The password of password will not be displayed when you type it for security purposes.

Double-click the Tools folder on the desktop.4.

THE TOOLS FOLDER

Double-click the flag2.txt file.5.

Challenge #Double-click the AccessData FTK Imager 3.1.3.exe file.5.

ACCESSDATA FTK IMAGER 3.1.3.EXE

Click Next at the Welcome to the InstallShield Wizard for AccessData FTK Imager.6.

INSTALLSHIELD

Click I accept the terms in the license agreement and click Next.7.

ACCEPTING THE TERMS

Accept the default Destination Folder and click Next.8.

DEFAULT FOLDER

Click Install to install AccessData FTK Imager.9.

CLICK INSTALL

Click Finish at the InstallShield Wizard Completed screen.10.

FINISHING THE INSTALLATION

Click the close button.11.

CLOSING THE TOOLS DIRECTORY

From the File Menu, select Create Disk Image.12.

CREATE A DISK IMAGE

At the Select the Source Evidence Type screen, select Logical Drive. If a disk is chosen, the entire13.disk will be copied. If logical drive is selected, a drive letter list will be available from a drop downbox where the user can choose a drive letter. Click Next.

LOGICAL DRIVE

Select the C:\ - [NTFS] drive and click Finish.14.

THE C: DRIVE (NTFS)

At the Create Image screen of FTK Imager, click the Add button.15.

SELECTING THE IMAGE SOURCE

Select Raw (dd) as the Destination Image Type. Click Next.16.

RAW FORMAT

Put the following values in for the Evidence Item Information field. Then click Next.17.

Case Number: Lab05Evidence Number: 01Unique Description:win7driveExaminer: studentNotes: leave blank

VIEWING THE EVENT LOGS

Put image.dd for the Image Filename and 0 for the Image Fragment Size. Click Browse.18.

VIEWING THE EVENT LOGS

Note: FAT32 has a file limitation of 4 GB files. When imaging disks larger than 4 GB, you will haveto change the Image Fragment Size if your destination disk is FAT32.

In the Browse For Folder, select Computer, NTFS (H:), Backup. Click OK.19.

BACKUP FOLDER

Click Finish to close the Select Image Destination screen.20.

CLICKING FINISH

Verify that the Image Destination path is set to H:\Backup\image.dd. Click the Start button to21.create the disk image of the logical drive.

START THE IMAGE PROCESS

Note: The disk image process will take about 20 minutes to complete. In the real world, logicaldrives can be several terabytes, and the imaging process can take several hours.

All hashes should match. Click Close to the Drive/Image Verify Results.22.

DRIVE/IMAGE VERIFY RESULTS

Click Close to close the Creating Image screen of Access Data’s FTK Imager.23.

CLOSING CREATING IMAGE

Select File from the menu bar and go down to Exit.24.

EXIT FTK IMAGER

Click on the Start button and select Computer from the menu bar.25.

SELECTING COMPUTER

Double-click on the NTFS (H:) drive where the destination image was sent.26.

THE H: DRIVE

Double-click the flag3.txt file on the NTFS (H:) drive.27.

Challenge #Double-click on Backup folder where the image file is stored.27.

THE BACKUP FOLDER

Challenge #View image.dd.001 and image.dd.001.txt. Notice the dd image file size.28.

DD IMAGE AND CORRESPONDING TEXT FILE

Double-click on image.dd.001.txt. View the summary of the image process. Close the file and29.close Windows explorer.

IMAGE PROCESS SUMMARY

CONCLUSION: FTK Imager is a GUI Program that will allow a user to create a disk image from within Windows. You canrun into complications imaging a disk while in Windows because certain files are locked by the OS. FTKImager allows you to image a disk or a logical drive.

DISCUSSION QUESTIONS: What company makes FTK Imager?1.

Why can issues arise when you image a disk within the Windows OS?2.

What is the largest file that can be stored on a disk with the FAT32 file system?3.

What needs to done if you image a large drive and the destination disk is FAT32?4.

Using dd to Image a SystemSometimes, you do not have time to install a program or run a slow GUI program. You need a quick image,and using the command line to perform certain tasks can be quick and efficient. dd is a native Unix/Linuxtool that has been ported for Windows systems. It is available for download from the following site:

http://www.chrysocome.net/downloads/dd-0.3.zip

Using ddDouble-click on the shortcut to the Command Prompt on the desktop.1.

COMMAND PROMPT SHORTCUT

Type the following command to see the disk partitions. Press Enter.2.

C:\>more flag5.txt

Challenge #Type the following command to see the disk partitions. Press Enter.2.

C:\>dd --list

DD TOOL

Type the following command to see the disk partitions. Press Enter.3.

C:\>dd if=\\.\e: of="h:\image.dd" --progress bs=1024

IMAGING

Click on the Start button and select Computer from the menu bar.4.

SELECTING COMPUTER

Double-click on the NTFS (H:) drive where the destination image was sent.5.

THE H: DRIVE

View the image.dd image. Notice the dd image file size.6.

DD IMAGE

CONCLUSION: dd is a native Unix/Linux tool that has been ported for Windows systems. It is available for download fromthe following site: http://www.chrysocome.net/downloads/dd-0.3.zip

Sometimes, you do not have time to install a program or run a slow GUI program. You need a quick image,and using the command line to perform certain tasks can be quick and efficient.

DISCUSSION QUESTIONS: The dd tool was designed for which two Operating Systems?1.

Where can you get the dd tool for Windows?2.

Why could it be disadvantageous to use a GUI tool?3.

What can be the benefit of using command line tools?4.

Using Kali to Image a SystemIn the first two exercises, we used a GUI and a command line tool to image a drive while Windows wasrunning. It does not always work well to image a disk while the operating system is up and runningbecause certain files are locked by the Windows operating system. However, if disk encryption is beingutilized, it is best to image the device while the operating system is up and running. In cases where diskencryption is not being utilized, it may be best to shut the system down completely and image thesystem’s disk.

Booting to the Live DVD Environment

Note: Perform the following steps on the Windows 7 Machine.

Click Start, click the arrow to the right of Shut down and click Restart.1.

RESTARTING THE SYSTEM

Press ESC to enter the virtual machine’s boot menu.2.

SETUP SCREEN

Use the arrow keys to scroll over to CD-ROM Drive and hit Enter.3.

BOOT MENU

Hit Enter for the first Kali Boot menu choice.4.

KALI

Click the black and white icon (second from the top) to launch the Linux terminal.5.

OPENING THE KALI 2 TERMINAL

Type the following command if you would like to increase the screen resolution. Press Enter.6.

root@kali:~# xrandr –s 1680x1050

THE XRANDR COMMAND

You can adjust the terminal’s resolution by selecting View from the menu bar and selecting Zoom7.In.

ZOOM IN

Type the following to display the disks and their corresponding partitions. Press Enter.8.

root@kali:~# fdisk –l | grep sd

DISKS AND PARTITIONS

Note: We need to mount our destination media so we can send images to it.

Type the following to make a directory called sda4 in the mnt directory. Press Enter.9.

root@kali:~# mkdir /mnt/sde1

MAKING A DIRECTORY

Note: Next, we will mount the sdd1 partition to the /mnt/sde1 directory we created.

Type the following command to mount the NTFS partition. Press Enter.10.

root@kali:~# ntfs-3g /dev/sde1 /mnt/sde1

MOUNTING THE DESTINATION DRIVE

Type the following command to view the newly mounted partition. Press Enter.11.

root@kali:~# mount | grep sde

VIEWING THE MOUNTED DISK

The Linux/Unix program dd will allow you to make a backup copy of media. Many network administratorsare familiar with the program Norton Ghost. This commercial product from Symantec, which is widely usedin the industry, is used to back up all of a drive’s data, including the operating system. The dd program isopen source and allows you to make an exact (bit-by-bit) copy of your original media. This will includeitems like all of the deleted files and folders, as well as any slack space that existed on this disk.

COMMERCIAL PRODUCT NORTON GHOST

Note: In the next step, we will make an image of the disk and send it to our destination drive, themounted NTFS data drive.

To make a copy of the third drive using dd, type the following and press Enter.12.

root@kali:~# dd if=/dev/sdc of=/mnt/sde1/satadrive2img.dd

USING THE DD COMMAND

Note: This time we make a forensic copy of the disk, not just the partition (logical drive).

The dcfldd command is an enhanced version of dd that provides status updates and allows the user tohave the hash value of the image calculated during imaging.

To make a copy of the third drive using dd, type the following and press Enter.13.

root@kali:~# dcfldd if=/dev/sdd of=/mnt/sde1/satadrive2img.dd

USING THE DCFLDD COMMAND

Type the Make Directory command below and press Enter to capture the last flag.14.

root@kali:~# mkdir /mnt/sda1 && mount /dev/sda1 /mnt/sda1 && cat /mnt/sda1/1

Challenge #Click the close button on the VM window.14.

CLOSING VM WINDOW

Note: Press the STOP button to complete the lab.

LAB COMPLETE

CONCLUSION: While imaging disk is possible within the Microsoft Windows operating system with a GUI tool such as FTKImager or HELIX, it is not always advised because certain operating system files are locked. However, if adisk is using encryption, you do not want to shut it down and take an image. If disk encryption is not inuse, you may want to shut the system down and image it with a Linux Live CD/DVD like Kali.

DISCUSSION QUESTIONS: What is a Live CD/DVD?1.

What is Norton Ghost?2.

What does the dd command allow you to do?3.

What is the difference between using dd and the dcfldd command?4.

References: HELIX 31.http://www.e-fense.com/products.php

FTK Imager2.http://www.accessdata.com/support/product-downloads

The dd command3.http://www.computerhope.com/unix/dd.htm

The dcfldd command4.http://dcfldd.sourceforge.net/

MD5 Hash Explained5.http://www.makeuseof.com/tag/md5-hash-stuff-means-technology-explained/

Organization: Moraine Valley Community College

Author: Jesse Varsalone

Copyright © National Information Security, Geospatial Technologies Consortium (NISGTC)

The development of this document is funded by the Department of Labor (DOL) Trade AdjustmentAssistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48. TheNational Information Security, Geospatial Technologies Consortium (NISGTC) is an entity of Collin Collegeof Texas, Bellevue College of Washington, Bunker Hill Community College of Massachusetts, Del MarCollege of Texas, Moraine Valley Community College of Illinois, Rio Salado College of Arizona, and Salt LakeCommunity College of Utah. This work is licensed under the Creative Commons Attribution 3.0 UnportedLicense. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or send a letter toCreative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.

© Infosec Learning, LLC. All rights reserved.