Hello everyone. Today we're going to be making a multi-part disk image with FTK Imager. I'm using FTK Imager 3.1.1.8, and I already have my 2 gigabyte USB stick plugged in and detected by the system. In a real case we would already have used a write blocker on our disk, either a software write blocker or a hardware write blocker. So I already have everything set up, and I already have FTK Imager open. Now we just need to add the disk and point FTK Imager at it.

One way to do that is to go to File and Create Disk Image. I have a few options here. In this case I want to select Physical Drive, and this will create a copy of the entire disk. This is normally what we want to create whenever we're doing digital forensics. With a physical drive image we get the entire contents of the disk, including some space that you might not get if you were just looking at, for example, partitions. The next option you can select is Logical Drive, and that is actually the partitions; in this case it might be a D drive or an E drive, something like that. If I go for logical drives, these are normally what we call partitions on the disk, and I'm potentially missing quite a bit of information. If I do Physical Drive, then I'm collecting all of the information from this disk. We also have the option to copy an Image File. If we select Image File here, then we are essentially just making a bit-for-bit copy of the image file that we point it at. We can also copy the Contents of a Folder, and multiple CD/DVD drives if you have that device. So, like I said, we almost always go for Physical Drive if we can. If possible, select Physical Drive, because you get a lot more information during later parts of your analysis.

So I'm going to click Next. Now that I'm in Select Drive, I'm going to scroll down to my physical drive 1. I know that this is my disk: it's the right size.
It also says flash disk USB device, two gigabytes. Make sure you're aware of, I mean you should know, how big your suspect disk is. In this case it's two gigabytes, so it's pretty easy to tell which is my suspect device, but sometimes it's rather confusing. If I had a suspect device that was 64 gigabytes, then I might have a hard time differentiating between drive zero and drive one. Normally drive zero is the drive that's actually built into your forensic workstation, but your forensic workstation might have multiple drives in it, so just make sure you are very well aware which device is the flash disk. If you don't know, the easiest way is to open up FTK Imager before you plug in the suspect device and see how many physical drives you actually have connected. I would only see one. Once I plug in the suspect disk, I would see this physical drive 1 show up, so now I'm listing two devices and I can see the size. So make sure you are aware which device is actually the suspect device.

Then I click Finish, and it's asking me for image destinations. We could get into a long discussion about how to manage your images and how to manage all of the case documents that you could create. I think I'll talk about that in another video, but right now we need to select where we actually want to save the image that we are creating of the physical disk. Whenever we click Add, the first option that we get is the image type that we're interested in. The most common type right now, the most common that I see, is actually E01. This is what most investigators are using, because most investigators tend to use EnCase, at least the ones that I work with. I quite like raw dd images, because I use a lot of tools that can't process E01s directly. With raw images you can use a lot of other tools to do some very fast processing, write your own scripts, and things like that.
Some of that can be done with E01, but it's a little bit more complicated. AFF is also a very interesting format, not used as much as I would expect. And then SMART, I think, is not really used much anymore unless you have just been using it for a long time. Basically everyone now is using E01, potentially raw, and then sometimes AFF. So for now I'm going to select Raw, then Next, and then Case Number.

Now, with raw disk images, none of this metadata is stored within the image itself. Only the data from the disk is stored inside the disk image. If we select E01, this metadata is stored in the header of the E01 image file; the E01 image file has a different data structure than the raw image format. So since we've selected a raw disk image, this metadata will actually be saved in a different file than the disk image file. For Case Number we'll just say this is E001. Evidence Number, 001. So this is essentially what case, and potentially what disk in what computer. If we have multiple computers, how we are going to treat each disk inside each computer needs to be thought out beforehand. Again, case management. Unique Description, let's say "USB blue", any serial numbers or any other information you see on it, "red LED", something like that. Examiner, I'll just put Joshua, and then any other Notes. You should fill this out, especially in a real case, as well as possible. Even if you are running a consulting company or something like that, make sure you do have case numbers. That way you can keep everything straight, and the evidence number really comes in handy whenever you're going back and trying to figure out what cases are what. The unique description is also not only for you but for other people that might be looking at your case notes.
They might not know which USB this particular one is, and if you say "USB blue with a red LED", well, that potentially helps in identification. The Examiner is basically who we should go back to, and then any other notes. So I normally fill these all out quite thoroughly whenever I'm doing this for a real case.

So, Next. Now we select where we actually want to save the disk image, so I'm going to click Browse. I have normally set up a cases folder on a separate disk; just for this tutorial I'm going to put it on the desktop, inside the "test image" folder, just for convenience. I would never do this in a real case at all. I normally have a separate drive specifically for case images, and I would definitely never put it on my desktop. And then the name. Normally I use the exhibit, whatever the exhibit is. So, for example, if this is the first computer and I'm getting a hard drive out of the first computer, the exhibit number might be 001, and if it's the first hard drive out of that computer it might be 01. So the name would be, for example, 00101: 001 is the exhibit, the computer that I have, and 01 is the first storage device in it. That lets me know, okay, I'm looking at this exhibit, whatever that is, I know that there's some sort of storage device in there, and this is the first one. As long as you're consistent with your naming, basically we're just looking for some consistency. There are a few different standards out there that are quite nice; some involve dates and things like that, but for this tutorial I'm just looking at exhibit and disk number.
The Image Fragment Size is where we specify how big we want each fragment to be. My disk right now is two gigabytes, so if I set this at 1500 megabytes, that's almost my entire disk: I'll get one quite large part and one very small part. So I'm going to go ahead and move this down to 500. For a real case I would probably either keep it the same or move it up. Normally whenever we're doing fragmentation, or splitting up the disk image, we're doing it to store it someplace else, like a DVD for example. Fragment size specifies how big each part of the disk image should be.

Then we click Finish, and we see that we've selected the image type, the name, and the location. We can add another location, or another format if we want. Sometimes that's very useful, for example saving to your local disk as well as a copy to a server, or if you want to make raw plus E01 formats, things like that. We use it sometimes. Then we select "Verify images after they are created", and I'm going to leave those others unselected. Then we click Start.

So now our disk image has been created, and one of the most important things to look at are these computed hashes at the end. Because we clicked Verify, FTK is going to make MD5 and SHA-1 hashes of our disk image and make sure that they're actually matching. In this case the computed hash starts with CA02435, and the reported hash CA02435, so okay, they match. That's very good. If we see something that doesn't match, somehow the data has been corrupted or changed while you were imaging. If there's a difference here, then you need to check your setup, see how that possibly could have changed, and most likely create a new image, because those need to match. Then we click Close. We can also click Image Summary, but I'm just going to close. It was created successfully, and it shows how long it took, a little bit longer than I expected. In this case, for 2 gigabytes, if it took 15 minutes I would probably be looking for a different way to connect the device to try to speed it up a little bit.

So we close, and now if I go into the "test image" folder, you see this multi-part image, and we can see that they're about 500 megabytes each. If we go into Properties, it's 500 megabytes for each image, and it is a multi-part image, so we have the extension .001, then .002, then .003, .004, etc. For normal disks, depending on what size you chose to split them, you might have many different images in here. This text document we have here, with the same name as the first part, is the actual report. If we double click on that, you see our unique description, so the description of the physical device, the examiner who imaged it, evidence number, case number, the version of FTK Imager that was used (sometimes very important), and information about the disk itself: it's a flash disk USB device, and the device serial number. The device serial number is not printed on the outside of this particular USB stick, so detecting that automatically is very nice. And again, probably the most important part of this report are the checksums, the MD5 hash and the SHA-1 hash. Now that we have a copy of those hashes, we should be documenting them somewhere else to make sure that we have copies of them and that those hashes do not change from now until the time that we go to court, so the judge or prosecutors are able to verify our disk image. The time that I imaged it, again, is important for our documentation that's going to court, as is where we stored the image, how many parts there were, and what the file names were. All of that is very important for prosecutors to know: how are you actually dealing with the suspect data? Can we trust this suspect data? Everything is about establishing trust in your process here. In this case they would probably question why you put this on the desktop. That's why I say I would never copy this to the desktop, because I'm most likely going to have to move it from the desktop to some legitimate place. I normally have it on an external D drive that I use specifically for the case that I'm working on at the time, so it's kind of cleared off.

Right, so now we have a multi-part disk image, and we have hashes or checksums for the overall disk image, which means all of this data combined: if we were to hash all of the data combined, we should get this hash value. So what we want to do now: we have all of these disk image parts, and we do have a report that has the hashes for the data overall, where if we combined all the data again we should get these hash values. But what I'm interested in now is actually the hash values of each of these parts as well. That way, if one of the parts gets modified in some way, then I can know which one has been changed, and I can potentially use the rest of the data even if only one part has been modified. You don't necessarily have to do this, but I tend to make sure that I know the hashes of all of these. One way to do that with FTK Imager is to go to File and Add Evidence Item, then select Contents of a Folder, then Browse and select "test image", and click Finish. Now we've added all of the images from the "test image" folder, and we see all of our parts here. So I'm going to select each of these parts, and if you right click on those, then we can Export File Hash List. I'm going to export the file hash list to the desktop "test image" folder, and I'm going to call it "part hashes", as a CSV file. So, Save, and now it's creating the hashes of each of those parts. Now I have these part hashes. If I click on it, let's say Open With Notepad, then I get the MD5 hash value, the SHA-1 hash value, and the file name for each of these parts. So now not only do I have the overall hash value for the entire disk image, but I also have MD5 and SHA-1 hashes for each of the separate parts.

This is useful for a number of reasons, but the main reason that I do this is, imagine for example that this hash value for the first part got changed. If I didn't have the hash value of each of these pieces, then the overall hash value for the disk image would be incorrect, I wouldn't be able to verify the disk image anymore, and I wouldn't know where the error was. In this case I know what the hash value of each of the parts is, so if I see that one of the hash values changes, then I can still potentially use the rest: for example, if I know that these four hash values are still valid, then I can potentially still use parts two, three, four and five of the disk image and still do some analysis. Obviously I would still have to find out what caused the first part to change, but at least I would have an idea of where my data changed. At the end of the day this all comes back to how much we can trust the data. The more hashes, the more verification you do on your data, the more the court is likely to trust and accept what you're submitting.

So that's it. In this lesson we created a multi-part disk image with reporting and verification. We got the hash value of the overall disk image and verified that it was correct. The verification report is down at the bottom, and if you go back and do another verification, it will keep adding verification reports to the bottom of this report. So we have a multi-part disk image; if we combine these back together we would get the overall disk image with the same hash value, and we also have the hashes of each part, each section, of the disk image that we created, and that lets us verify each part is correct, not only the overall disk image. Thank you very much, I hope you enjoyed it. Thanks for watching, and if you liked the video, subscribe for more.
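The two checks the video performs by hand in FTK Imager, verifying the overall image hash and recording a hash per fragment so that a later mismatch can be pinned to one part, can also be scripted. The block below is an added example, not part of the video or of FTK Imager; it assumes a raw (dd) image whose overall hash is the hash of the fragments concatenated in .001, .002, ... order, as the video states, and it does not parse FTK Imager's own CSV layout, so the reported and recorded hashes are passed in as plain hex strings. The sample fragments are constructed in memory for the demonstration.

```python
"""Verify a multi-part raw (dd) image: overall hash of the fragments in order,
plus a per-fragment hash list that localizes any later change to one part.
Added example; not FTK Imager code."""
import hashlib
from pathlib import Path
from typing import Dict, Iterable, Iterator, List, Union

CHUNK_SIZE = 4 * 1024 * 1024  # hash in 4 MiB pieces so a 500 MB part never has to fit in memory
Part = Union[bytes, bytearray, str, Path]  # a fragment is either in-memory bytes (demo) or a file path


def iter_chunks(part: Part) -> Iterator[bytes]:
    """Yield a fragment's contents in CHUNK_SIZE pieces, from bytes or from a file."""
    if isinstance(part, (bytes, bytearray)):
        for i in range(0, len(part), CHUNK_SIZE):
            yield bytes(part[i:i + CHUNK_SIZE])
    else:
        with open(part, "rb") as fh:
            while chunk := fh.read(CHUNK_SIZE):
                yield chunk


def hash_stream(chunks: Iterable[bytes]) -> Dict[str, str]:
    """MD5 and SHA-1 (the two hashes FTK Imager reports) of a byte stream.
    Chunk boundaries do not affect the result, so parts can be fed back to back."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_whole_image(parts: List[Part]) -> Dict[str, str]:
    """Overall image hash: all fragments concatenated in order (.001, .002, ...)."""
    return hash_stream(chunk for part in parts for chunk in iter_chunks(part))


def hash_each_part(parts: List[Part]) -> List[Dict[str, str]]:
    """One hash pair per fragment, the equivalent of 'Export File Hash List'."""
    return [hash_stream(iter_chunks(part)) for part in parts]


def verify_image(parts: List[Part], reported: Dict[str, str]) -> bool:
    """True only when both computed hashes equal the hashes in the imaging report.
    Case-insensitive, because FTK Imager prints upper-case hex and hashlib lower-case."""
    computed = hash_whole_image(parts)
    return all(computed[alg] == reported[alg].lower() for alg in ("md5", "sha1"))


def locate_changed_parts(recorded: List[Dict[str, str]], parts: List[Part]) -> List[int]:
    """0-based indices of fragments whose current hash differs from the recorded list.
    A missing or extra fragment is reported as changed rather than silently skipped."""
    current = hash_each_part(parts)
    count = max(len(recorded), len(current))
    return [i for i in range(count)
            if i >= len(recorded) or i >= len(current) or recorded[i] != current[i]]


def list_parts(folder: Union[str, Path], base_name: str) -> List[Path]:
    """Fragment files <base_name>.001, .002, ... in numeric order (assumed naming)."""
    files = Path(folder).glob(f"{base_name}.[0-9][0-9][0-9]")
    return sorted(files, key=lambda p: int(p.suffix[1:]))


# Constructed sample: five small "fragments" standing in for the 500 MB parts.
SAMPLE_PARTS: List[bytes] = [bytes([0x41 + i]) * 1000 for i in range(5)]


def demo() -> Dict[str, object]:
    """Image once, record hashes, then simulate corruption of the first fragment."""
    reported = hash_whole_image(SAMPLE_PARTS)      # what the imaging report would show
    recorded = hash_each_part(SAMPLE_PARTS)        # the exported part hash list
    tampered = list(SAMPLE_PARTS)
    tampered[0] = b"\xff" + tampered[0][1:]        # one byte changed in part .001
    return {
        "clean_verifies": verify_image(SAMPLE_PARTS, reported),
        "tampered_verifies": verify_image(tampered, reported),
        "changed_parts": locate_changed_parts(recorded, tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On real evidence you would build the part list with `list_parts(folder, "00101")`, pass the MD5 and SHA-1 from the report file to `verify_image`, and keep the output of `hash_each_part` alongside the report; the overall check still fails when any part changes, but `locate_changed_parts` tells you which fragment to investigate while the others remain usable.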