
Csol590-Module 2 - Assignment - Forensic Imaging

The document provides instructions for imaging a flash drive using FTK Imager software. It details steps to take screenshots, copy files to the flash drive, create folders, download a file, and take the drive offline before creating forensic images with specific case details. It then has questions about the imaging process, including acquisition and verification times, number of file fragments, whether hash values matched between images, and if total fragment sizes equaled the flash drive size.

Uploaded by

api-694098467

Forensic Imaging

Quincey Jackson

CSOL-560-03-SP23: Secure Software Design Development

Professor Erik Schmidt

May 22, 2023


1. Download and install FTK Imager (https://www.exterro.com/ftk-imager)
2. Connect the flash drive to your computer
3. From the start menu, run the command “diskmgr”
a. This is the disk management console for Windows
4. Take a screenshot of the Disk Management window that shows your connected flash drive.

5. Save the screenshot to your flash drive and name it “DiskManagement”

6. Make note of the disk number for your flash drive

a. If you have no other disks connected besides your C: drive it will likely be Disk 1
7. Copy or create at least 10 but no more than 20 other files to the flash drive.

a. These files should all be greater than 1KB in size and not exceed 2MB in size
b. This will help keep the size of your image to a minimum yet still provide good data to examine
8. Create a folder on the flash drive named “CSOL590”

9. Download and save the syllabus for this course in the “CSOL590” folder you have created on the flash drive.
10. Go back to the Disk Management console and take your flash drive offline. This will effectively write-block it.
● I did not have the option to take my flash drive offline!
a. In the bottom half of the window, you will see your flash drive designated as “Disk 1” or
another larger number, on the left side of the window.
b. Right-click on that area to get a drop down list
c. Select “Offline”
d. If your computer does not allow you to do this step, it is OK, just make a note of it

11. Create these folders on your TARGET drive, this may be your computer or another external disk

a. \CSOL590\
b. \CSOL590\CSOL590-01\
c. \CSOL590\CSOL590-02\
d. This is where you will save your images

12. Open FTK Imager and follow the instructions to export an image with the following specifications:
a. Image Type: E01
b. Case Number: CSOL590M2
c. Evidence Number: CSOL590-01
d. Unique Description: Make and Model of your flash drive
e. Examiner: First and Last Name
f. Notes: Mod2 Ex2
g. Image destination: Wherever you created your “CSOL590-01” folder in step 11 above
h. Image Filename: Mod2_YourName-01
i. Fragment size: 50 MB
i. Note that with large disks the fragment size is usually 2GB or 4GB
ii. We are keeping this small to ensure you have several fragments
j. Compression: 7
13. Once the image is complete and verified, go back to your flash drive and delete the syllabus file from the CSOL590 folder

14. Repeat the imaging process of your flash drive with the following changes:
a. Evidence Number: CSOL590-01-A
b. Image destination: Wherever you created your “CSOL590-02” folder in step 11 above
c. Image Filename: Mod2_YourName-02

15. Once the imaging process is complete, review the reports for each of the images and answer the following questions in a Word document to be submitted on Blackboard:

a. How long did it take for the image acquisition process to complete:
i. Image 1: 8 Minutes, 57 seconds
ii. Image 2: 7 Minutes, 10 seconds
b. How long did the verification process take to complete:
i. Image 1: 1 minute, 56 seconds
ii. Image 2: 50 seconds

c. How many file fragments did FTK produce?


i. Image 1: 15728640
ii. Image 2: 15728640
d. Were the hash values the same for both images?
i. Why or why not? - The hashes were not the same for both images since one image had the CSOL590 Syllabus saved to it and the other image had one less file stored on it.

Image 1:

Image 2:

e. Does the total size of all the image fragments add up to the size of your flash drive?
i. Image 1:

ii. Image 2:
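
Question 15(d) turns on the fact that an image hash covers every sector of the source device, so deleting one file changes the digest even though almost all of the drive is untouched. The sketch below is an added example, not part of the original assignment or of FTK Imager: it hashes two constructed in-memory "images" and lists which sectors differ. The 8-sector layout, the FAT-style directory entry and the function names are assumptions made for illustration.

```python
import hashlib

SECTOR = 512  # bytes per sector, the unit the two images are compared in


def image_hashes(image: bytes, chunk: int = 4096) -> dict:
    """Stream the whole image through MD5 and SHA-1, chunk by chunk."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for off in range(0, len(image), chunk):
        block = image[off:off + chunk]
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def changed_sectors(a: bytes, b: bytes) -> list:
    """Return the sector numbers whose contents differ between two same-size images."""
    if len(a) != len(b):
        raise ValueError("images must be the same size to compare sector by sector")
    return [i // SECTOR for i in range(0, len(a), SECTOR)
            if a[i:i + SECTOR] != b[i:i + SECTOR]]


def build_sample_images():
    """Constructed 8-sector 'drive' (assumed layout): sector 2 holds a
    FAT-style directory entry, sector 5 holds the file's data."""
    first = bytearray(8 * SECTOR)
    first[2 * SECTOR:2 * SECTOR + 11] = b"SYLLABUSPDF"        # 8.3 short name
    first[5 * SECTOR:5 * SECTOR + 16] = b"syllabus content"   # file data
    second = bytearray(first)
    # FAT marks a deleted entry by overwriting the first name byte with 0xE5;
    # the file's data sector is left in place (simplified: FAT chain not modelled).
    second[2 * SECTOR] = 0xE5
    return bytes(first), bytes(second)


if __name__ == "__main__":
    img1, img2 = build_sample_images()
    h1, h2 = image_hashes(img1), image_hashes(img2)
    print("image 1:", h1)
    print("image 2:", h2)
    print("hashes match:", h1 == h2)
    print("sectors that differ:", changed_sectors(img1, img2))
```

On a real case the same comparison would be run over raw exports of the two acquisitions, since compressed E01 segment files are containers and cannot be compared byte for byte.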
