Hello, everyone. We are continuing our discussion about data acquisition and acquiring data in a forensically sound manner. Right now I am in my Windows 10 forensic workstation, the workstation that the investigator would normally be using to do their acquisition and analysis. To this forensic workstation I'm going to connect the suspect disk that I want to acquire. The suspect disk that I have is a relatively small USB disk; it's just USB 2.0. Whenever we're connecting disks, we want to think about what the fastest connection is that I can get between the suspect disk and my forensic workstation. That connection, as well as the speed of the disk itself, will determine how fast I can actually transfer data to my computer while I'm acquiring. So I have this USB 2.0 disk, and I know that even if I had a faster bus than USB 2.0, the suspect disk itself would not be able to go faster than that. So that's my bottleneck here, or I want that to be my bottleneck: I don't want any connection in between that is slower than that. I have my suspect USB 2.0 disk connected to a Tableau write blocker, and then I have the write blocker connected via USB 3.0 to my forensic workstation. So I know that the bottleneck, or the limiting factor, is going to be the suspect disk, and I can go as fast as that disk can go whenever I'm transferring data.

Whenever I connect the suspect disk to my workstation, in this case Windows 10, if a partition exists on the suspect disk and Windows 10 understands the file system on that partition, then it will attempt to mount that partition, just like a normal USB stick, for example. So here, this is my test USB disk.
So this is my test USB. This partition is mounted on the E: drive, and I can now see all of the data on this suspect disk, and it is currently write protected. If I right-click on this test USB and go to Properties, I can see how big the disk is, or at least this gives me a general view of how big it is. For this partition, I can see that there's a FAT32 file system on this partition, the E: drive. The partition itself has a capacity of 3.77 gigabytes, and it's mostly unused. So this is what we would normally expect: whenever I connect a drive via a write blocker, it will still show up like a normal disk. In this case, because it was FAT32, Windows recognizes it, so it automatically mounted it. If it was something like an ext3 or ext4 file system, Windows would not mount or even show the partition if we just view it using Explorer.

Now, Windows has another tool. If we type MMC in Windows, we should get this management console, the Microsoft Management Console. It's not in every version of Windows; there are a couple, like home versions, that might not have this, but you should be able to get it in most versions. In Windows 10 it's there. So if we click File, go to Add/Remove Snap-in, and scroll down, we can find Disk Management. We click Add, for this computer, and click Finish. MMC is actually a very powerful way to do local and remote management of computers, but I just wanted to show you this because it gives you a better overview of the actual disks that we have in the system. So for example, if I pull this out a little bit, here we have disk 0, and this is the main disk in my forensic workstation. And then I have disk 1; we see this test USB, E: drive, simple, basic, FAT32, healthy, etc. So it gives me the capacity of the partition, and I can see the overall physical disk here: disk 1, 3.7 gigabytes, online.
It tells me a little bit more, or at least it gives me, in my opinion, a little bit better view of the actual disk rather than just the partition information; it gives me a little bit of everything, but I can't access the files directly from here. So we can use the Microsoft Management Console to see the disks in Windows from our forensic workstation. I'm going to go ahead and close that. These are the files that are inside; I can see that they're mostly JPEG images. There's also a Python script and what looks like emails. So that's pretty much all the data that's on the disk.

To acquire this disk, we are going to use AccessData's FTK Imager. I double-click on FTK Imager and click Yes to give it administrative privileges. On Windows at least, if I'm acquiring data on Windows systems, I tend to use AccessData's FTK Imager. On my forensic workstation, I will install FTK Imager. If I'm doing live acquisition, then there's a version of FTK Imager that you can put on a USB stick, and you do not need to install it on the suspect system. So if we're doing live investigations or live forensics, then I would probably use AccessData FTK Imager on a USB stick, basically just because it's extremely easy to use, and I've never really had any problems with it.

Once we start up AccessData's FTK Imager, if we want to acquire the disk, first we go to File, then Create Disk Image. There are a couple of other options we could use, but I'm going to focus on creating a disk image right now. So, Create Disk Image. Now we have a few options: physical drive, logical drive, image file, contents of a folder, and basically DVDs or CDs, multiple DVDs if we have that device. Most of the time, especially if you're just starting out, you should normally go for physical drive, because you will be able to recover more information than if you go for logical drive. Remember, a logical drive is like a partition, basically.
There could be some hidden information that we miss with a logical drive. We might also not be able to carve out as much data if we collect only the partition information, or the logical drive. With physical drive, we're copying all of the data for the entire disk; even parts of the disk that are not used by the partition, we will still copy. So we tend to, or you should try to, go for physical drive if you can, if you have the space to go for physical drive. Logical drive we tend to use more whenever the disks are either way too big, or, well, there are a couple of different situations we might talk about later.

Image file: we can also use FTK Imager to make forensic copies of image files. Remember, we should never work with the original copy that we make. So once we acquire data, we have this image file containing all of the suspect data, and we do not want to work with this original file; we want to make copies of it. Well, FTK Imager can make a copy, a forensic copy, of your image file, so you can work with the copy instead of the original.

Contents of a folder can be used for a lot of different things. For example, if you're acquiring data from, I don't know, a cloud, and the disk in the cloud is just way too big, you'll never be able to copy everything, so you might want to copy only the contents of a folder. This will copy all of the data in that folder into basically a forensic disk image type of file. So rather than just copying files out, you're putting the files into a container that is then treated like a forensic disk image. Contents of a folder: sometimes we're also restricted in what we can copy. Maybe on a disk there are many directories that have a bunch of different users' information in them, so a lot of different people have data on this computer, and we can legally only collect the data from one person.
In that case, we might need to go with contents of a folder instead of a logical drive or a physical drive, because if we copied the physical drive or logical drive, we might be copying the private information of many different people, and we only have the authority to collect data on one person. So contents of a folder might be useful in some cases like that.

Okay. In this case, because I know I have enough space to hold my disk image, I'm going to choose physical drive and click Next. Then it lists all of the physical drives that we currently see in the system. I know my physical drive is basically this 4 gigabyte USB, and it's not this 68 gigabyte IDE. So IDE is the type of connector on that one, and USB is the type of connector on mine; I know that this 4 gigabyte disk is my disk. And we see this \\.\PHYSICALDRIVE1. This is how Windows identifies physical disks in your system: \\.\PHYSICALDRIVE and then a number. So I click on my USB drive and click Finish. Now we've selected it as the image source, and we know that this is the drive that we wanted. It's saying "image destinations", so we need to click Add.

Now it's asking us for the destination image type. There are a few different image types that are used. Raw (dd) is just an exact copy of the disk. SMART, actually, I don't think is used too much anymore, so we won't really cover that; I've never seen anyone who's actively using this in the field. E01 is the Expert Witness Format, and this is basically the EnCase standard, let's say. It has all of the raw data from the suspect system, and it also has checksums within the raw data, as well as a file header and footer, and it also has some support for encryption and things like that.
Basically, E01 has all of the raw data and also some extra features built in for checking to make sure the data is okay. AFF has a lot of different features as well, but I don't really see a lot of tools supporting it, and I heard for a while that this file format was no longer supported even by the developers. So we won't really talk about this one. The two main ones are raw, which just copies the data bit for bit to make an exact copy of the data, and E01, which is the de facto standard that a lot of different organizations tend to use; it copies all of the original data plus has some extra features like error checking built into the file type. So I'm going to go ahead and choose Raw (dd), just for example.

Then it's going to ask me for a case number. If you're already at this stage, you probably already have a case number assigned from your organization. Then we need to assign an evidence number. Now, this evidence number, if it hasn't already been assigned by the time it comes to you, you need to give it an evidence number that's relevant and orderly to the case. So in this case, let's assume that this is the first hard drive, or the first artifact, that I've received from the suspect. So I might also call this something like 001. And then a unique description. Here it is a gold USB with black case and red LED, something like that, something that is descriptive and describes the device that you're looking at. Even this is probably too general, because there might be another USB stick like that. If there are any markings on the disk that are somewhat unique, you want to make sure that you actually describe them. This will help you determine which one is which later. If there's a serial number on the disk, definitely put that in there. Then the examiner: basically, just put your own name, or whoever is examining or collecting this. And then notes: put any relevant notes.
This information will be saved, or created, with your disk image. So you want to make sure that all of this information is provided at the time that you're imaging. That way, whoever looks at the image knows who created this image, why it was created, what the evidence number is, what the case number is, and you have all of this documented. At the same time, you should also be keeping case notes with all of this information in them, so you can refer back to your case notes if anyone asks you in the future.

So we click Next, and then it's going to ask me for the image destination folder. Now, I'm currently working in a virtual machine. Before I get into that, one thing you definitely need to be aware of: I have this test USB drive right here. We never want to save the suspect data back onto the disk that we're trying to copy from. You never want to copy data back onto the disk that we're trying to copy from. So we do not save any data to this suspect disk. Make sure you know what your suspect disk is called, make sure you know what drive letter it's been assigned; all of this should be in your case notes. And we do not want to try to save anything back.

So I would go to This PC. I'm currently working in a VirtualBox guest VM, so I only have one disk. I would go to Users. I would normally have a separate disk specifically for working with or doing acquisitions, and I would have a separate space specifically for my cases. So I would have a case; in this case, let's say that our case number is 001. Let's say under Desktop. Never put anything on the desktop, but we'll do this just for an example. I would make a new folder called "cases". Normally this cases folder would be on a separate disk, like a D: drive or something like that.
Then inside the cases folder, I would make a new folder with the case name or the case number, and then possibly the date, but at least some unique case number. So let's browse to that: Desktop, cases, case number. Then I also want to create a new folder called "images". So in the case folder, for example in case 001, I would probably have a folder called images, I would probably have another folder called docs, and I would probably have another folder called, let's see, temp, like a temporary working space for whenever I'm trying to do my analysis. So there are a couple of different folders I would just create in my case folder by default. Those would at least be docs, which would be documentation; an images folder for all of the image files that I would acquire; and then a temporary working space to do different types of extraction and analysis.

So in the images folder, now I want to create another folder, which is the exhibit number. Right now this is my first disk that I am working with, so I'm going to put 001. This is where I want to save an image of the disk, or exhibit number 001. So I click OK. Now we're in C:\Users\test\Desktop\cases\001 (this is the case number), images, 001. So I'm making an image of exhibit number 001. Again, instead of C:\Users\test\Desktop, this would normally be something like D:\cases\001, and that D: drive would be specifically and only for this case data.

Now for this disk, I would put, for example, the exhibit number. If the USB had a serial number, or if the exhibit has a serial number, I would also put the serial number. I might also put, for example, the date. So I'll just put 2016 here. And then it says "insert file name excluding extension", so we don't need to give it an extension here.
In this case I'll just use the exhibit number and a date to make it a little bit more unique, but I don't have to put them. Image fragment size: what this is going to do is, if we have a disk, in this case over 1500 megabytes, then it will split it into 1500 megabyte chunks, and we will get separate pieces. That's usually used so we can save different pieces of the data onto DVD, or maybe a disk that is formatted with an older version of FAT32, which has a 4 gigabyte limit on the files that can be saved on there. So we can use this to split up the data and make it a little bit more manageable. Imagine that we had a one terabyte hard drive; we probably don't want to create a one terabyte file, because it will be difficult to move that file around or work with it. So I'm going to leave image fragmentation on. If we set it to zero, then it will not be fragmented. In this case my USB stick is only 4 gigabytes, so I don't need to fragment it, but I will, just to show you. And then use encryption: we can create an encrypted disk image, but honestly, I never really use this. So Next, Finish.

Now we come back to this image destinations screen. It shows where I'm going to save the image and what type of image it is. It also lets me add, if I want to, another location or a different format. So we can use this feature to write the image to, let's say, multiple hard drives, or maybe a local disk and a centralized server. So think about redundancy here; save yourself some time, basically, and think about all the places where you want to make a copy of the data. Remember, we want to make at least a couple of copies of the data, that way we don't have to access the original disk basically ever again.

Okay, so some other features: verify images after they are created.
While it's copying, this will create SHA-1 and MD5 hashes, and it will use those hashes to verify the image once it's done. This makes the whole process take a little bit longer, but that's okay for us. Pre-calculate progress statistics also makes it take a little bit longer; I don't usually do this. And create directory listing of all the files: again, this is kind of pre-processing, and we won't worry about that for now. So I click Start.

Now we can see the image source, physical drive 1, and the destination, the one that I set, 001-2016, and it's creating the image. I can see on my write blocker that the write blocker is flashing with activity now, and the USB stick too is also flashing with activity. Okay, so while that's running, let's go into our cases folder. Just to show you: because we did not pre-calculate, the estimated time left will not show here. Basically, for 4 gigabytes over USB 2.0, you're looking at probably 10 minutes or so, I think. So we'll let that run.

If I go into my cases folder, case 001, into the images folder and then exhibit 001, now I see this, what's called a .001 file. If you choose a raw or dd image, then the file extension will be .001. If you choose an E01 file, then the extension will be .E01. And then if you have multiple parts, you'll have .001; once it gets to 1500 megabytes, then we will have 001-2016.002, and that will be the second part. So it's actually really, really important that you keep the extensions for multi-part files, because you'll have basically .001, that's the first part, .002, that's the second part, .003, that's the third part. And if you're missing any of those parts, then you basically can't reconstruct the entire image again. For E01 files, it's basically .E01, .E02, .E03, and so on.
It's the same idea: you won't be able to reconstruct the entire image if you're missing certain parts. Okay, so I'm going to let this run, speed it up, and come back to you whenever it is done.

Okay, so now we have our disk image, so I'm going to close FTK Imager. You see that we have this three-part disk image, where the file extension is .001, .002, .003, and it basically just says "001 file", "002 file", "003 file". You notice that it's basically 1500 meg for one and two, and then about 900 meg for the third part. These are split up into 1500 megabyte chunks, and then number three just couldn't fill out the last of it, because the disk essentially ran out of space; we couldn't copy more because we found the end of the disk. So here we have a three-part image.

And then we also have this text document here. If we open up the text document, then this tells us some interesting information about our entire imaging process. So we have "Created by AccessData FTK Imager 3.4.2.6". Now, this version number for FTK Imager is going to be very important for us. Case information: acquired using AccessData FTK Imager 3.4.2.6; case number, like we put in earlier, 001; evidence number 001; some sort of description, a unique description, and this is what I typed in earlier; examiner; and notes. So this is all of the information that I typed in earlier identifying our suspect disk, plus the version of the software that we used. Then there is information for the image that I created, and it gives the full path where I saved the image. Then this is giving us information about the disk itself, including the model; the serial number, which I did not see on the disk, but there is an identifier inside; drive interface, USB; removable drive, true; source data size, which is very important; and sector count, also very important.
Probably the most important on this are the MD5 and SHA-1 checksums. This is the information that I need to be able to verify my disk later. Once I create these numbers, every time I check the data again from now on, these numbers should always be the same; the data should always produce the same number. Every time I calculate an MD5 checksum or a SHA-1 checksum, these numbers should always be the same. Image information: specifically, acquisition started at 9:55, acquisition finished at 10:04. So you see it took about 10 minutes for 4 gigabytes over USB 2.0. And then the segment list basically gives the full path plus the name and extension of each of the parts of the image.

Now, this MD5 and SHA-1 checksum is the hash value for the entire disk. So that means that all of these three parts have to be recombined if I want to calculate the hash of the entire disk again, and there are a few ways to do that; we'll show you that later. So this is the acquisition part of this lesson. We've done acquisition in Windows using FTK Imager. Next, we'll show you acquisition in other operating systems. Thank you very much.
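As an added example (not part of the lecture, and not AccessData's code), here is a Python script that does the re-verification the lecture describes for a split raw image: it streams the .001, .002, .003 parts in order as one byte stream, recomputes MD5 and SHA-1, refuses to proceed if a part is missing, and compares the result with the hashes recorded in the acquisition summary text. The "MD5 checksum:" / "SHA1 checksum:" labels are an assumption about the summary layout, and the three-part image in `demo` is constructed sample data, not a real acquisition.

```python
import hashlib
import os
import re
import tempfile


def find_segments(first_segment):
    """Ordered list image.001, image.002, ...; raises if a part is missing before a later one."""
    base, ext = os.path.splitext(first_segment)
    if ext != ".001":
        raise ValueError("start from the first segment, e.g. exhibit.001")
    segments, n = [], 1
    while os.path.exists(f"{base}.{n:03d}"):
        segments.append(f"{base}.{n:03d}")
        n += 1
    # A part numbered past the first gap means the image cannot be rebuilt.
    prefix = os.path.basename(base) + "."
    for name in os.listdir(os.path.dirname(base) or "."):
        tail = name[len(prefix):]
        if name.startswith(prefix) and tail.isdigit() and int(tail) >= n:
            raise ValueError(f"segment {n:03d} is missing but {name} exists")
    return segments


def hash_segments(segments, chunk_size=1 << 20):
    """Stream every segment, in order, through MD5 and SHA-1 as one byte stream."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    for path in segments:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk_size), b""):
                md5.update(block)
                sha1.update(block)
                total += len(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "bytes": total}


def parse_acquisition_log(text):
    """Extract MD5/SHA-1 from the summary text (the 'checksum:' labels are an assumed layout)."""
    md5 = re.search(r"MD5 checksum:\s*([0-9a-fA-F]{32})", text)
    sha1 = re.search(r"SHA1 checksum:\s*([0-9a-fA-F]{40})", text)
    if not (md5 and sha1):
        raise ValueError("hashes not found in acquisition log")
    return {"md5": md5.group(1).lower(), "sha1": sha1.group(1).lower()}


def verify_image(first_segment, log_text):
    """True if the reassembled parts hash to the values recorded at acquisition time."""
    recorded = parse_acquisition_log(log_text)
    computed = hash_segments(find_segments(first_segment))
    return computed["md5"] == recorded["md5"] and computed["sha1"] == recorded["sha1"]


def demo(scenario="clean"):
    """Constructed three-part image in a temp dir; returns 'ok', 'mismatch' or 'error: ...'."""
    parts = [b"A" * 1500, b"B" * 1500, b"C" * 900]  # constructed sample, not a real image
    with tempfile.TemporaryDirectory() as d:
        base = os.path.join(d, "001-2016")
        for i, data in enumerate(parts, 1):
            with open(f"{base}.{i:03d}", "wb") as fh:
                fh.write(data)
        whole = b"".join(parts)
        log = (f"[Computed Hashes]\n MD5 checksum:  {hashlib.md5(whole).hexdigest()}\n"
               f" SHA1 checksum: {hashlib.sha1(whole).hexdigest()}\n")
        if scenario == "tamper":
            with open(f"{base}.002", "r+b") as fh:
                fh.write(b"X")  # change one byte in the middle part
        elif scenario == "gap":
            os.remove(f"{base}.002")  # simulate a lost middle part
        try:
            return "ok" if verify_image(f"{base}.001", log) else "mismatch"
        except ValueError as exc:
            return f"error: {exc}"
```

Run `demo()` for the clean case, `demo("tamper")` to see a hash mismatch, and `demo("gap")` to see the missing-part check refuse to hash an incomplete image.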