Scribd Logo
Upload

Welcome to Scribd!

  • Lab 2 - Forensic Imaging

    Uploaded by

    Carlos Alberto Mendes Betinho
    34 views2 pages
    This document provides instructions for a computer forensics lab involving acquiring memory and disk images using forensic tools. The objectives are to capture memory using DumpIt, create a forensic disk image of a USB drive using FTK Imager, and examine files within the disk image. Specific steps include using DumpIt to capture volatile memory, installing and using FTK Imager to create a disk image of a USB drive, recording metadata about the image, and exploring the image file structure to find previously copied files.

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides instructions for a computer forensics lab involving acquiring memory and disk images using forensic tools. The objectives are to capture memory using DumpIt, create a forensic disk image of a USB drive using FTK Imager, and examine files within the disk image. Specific steps include using DumpIt to capture volatile memory, installing and using FTK Imager to create a disk image of a USB drive, recording metadata about the image, and exploring the image file structure to find previously copied files.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    34 views2 pages

    Lab 2 - Forensic Imaging

    Uploaded by

    Carlos Alberto Mendes Betinho
    This document provides instructions for a computer forensics lab involving acquiring memory and disk images using forensic tools. The objectives are to capture memory using DumpIt, create a forensic disk image of a USB drive using FTK Imager, and examine files within the disk image. Specific steps include using DumpIt to capture volatile memory, installing and using FTK Imager to create a disk image of a USB drive, recording metadata about the image, and exploring the image file structure to find previously copied files.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 2

    IFCI – Cybercrime Investigator Computer Forensics Course

    Lab #2 – Forensic Acquisitions

    Objectives:
     Use DumpIt.exe to capture memory from a live system
     Use FTK Imager to make a live forensic image of a USB drive
     Practice navigating and exporting files from a forensic image using FTK Imager.

    1. Put the executable DumpIt in a directory that will serve as the storage location for the volatile
    memory evidence. *Note: This location would normally be an external device because you
    never want to write to your own evidence drive. However, for the purposes of this lab, feel free
    to store the volatile memory on the host system.

    2. Double click DumpIt and respond to the program’s question.


    3. Install FTK Imager 3.01
    4. Take a small USB drive (Preferably less than 1GB) and insert it into your computer.
    5. Copy a folder containing some files of your choice onto the USB drive.
    6. Open FTK imager.
    7. Select File > Create Disk Image, choose Physical Image and click next.
    8. Select the Physical Device that represents your USB device. (Likely \\.\PHYSICALDRIVE1). Click
    Finish.
    9. Under the Image Destination(s) box, click the Add… button.
    10. Choose Raw (dd) and click Next.
    11. Add case information of your own choosing.
    12. Choose a Destination folder to save your forensic image in and give the image a file name.
    13. Click Finish.
    14. Remove the checkmark from Verify images after they are created. This will run a second hash of
    your image file. In the real world, this is a good idea but it would increase the time it takes to do
    this lab in class, so we will not verify the image.
    15. Once your forensic image is completed, click the image summary box. Record the following
    information:
    MD5 Hash:
    Source Data Size:
    Sector Count:

    w w w. c y b e r c r i m e i n v e s t i g a t o r s . c o m
    1
    IFCI – Cybercrime Investigator Computer Forensics Course
    Lab #2 – Forensic Acquisitions

    16. Select File > Add Evidence Item.


    17. Check Image File and select Next.
    18. Browse to your forensic image file. If it is multi‐segmented, then only select the first one (.001)
    19. Explore the folder structure of the image, note the files that you saved there previously.

    w w w. c y b e r c r i m e i n v e s t i g a t o r s . c o m
    2

    You might also like