The Imaging Process

GIAC Certified Forensic Examiner Objectives:

Fundamental Digital Forensics

  • The candidate will demonstrate an understanding of forensic methodology, key forensic concepts, and identifying types of evidence on current Windows operating systems and be familiar with the structure and composition of modern Windows file systems.

Foundations of Digital Forensics Acquisitions

  • The candidate will demonstrate an understanding of the methodologies and tools used to collect and process digital forensic evidence.

Overview

This lab is part of a series of lab exercises intended to support courseware for ethical hacker training. The development of this document is funded by the Department of Labor's (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48.

Digital forensic imaging is the process of copying physical storage without modifying its contents. It is used to gather evidence and conduct a digital forensic investigation after an organization's system has been compromised; the examination could be related to a crime, a network intrusion, or other reasons. The image is a complete bit-by-bit replica of the original. Hashing is used to confirm that an image is an exact copy of the original, so that the copy is forensically equivalent to it. In this lab, students will image disks using various tools in Windows and Linux.

Outcomes:

In this lab, you will learn to:

  • Use FTK Imager.
  • Use HELIX to image a system.
  • Use Kali 2 to image a system.

Key terms and descriptions

FTK Imager
FTK Imager is a GUI program that allows a user to create a disk image from within Windows. Imaging a disk from within Windows can run into complications because certain files are locked by the OS. FTK Imager can image either a physical disk or a logical drive.
dd
A Unix/Linux program that allows you to back up media. It can create a bit-by-bit copy of the original media, one that is forensically equivalent to the original source.
dcfldd
An improved version of the dd program that includes a hashing function.
HELIX
HELIX is a combination of a Live CD and an Incident Response CD. The free version, also known as HELIX 3, is available from e-fense at http://www.e-fense.com/products.php. The newest version is based on the Ubuntu CD. When you boot to the HELIX Live CD, it does not automatically mount drives, so disk contamination can be avoided.
MD5
Message Digest 5 (MD5) is a 128-bit hashing algorithm that aids forensic examiners by “proving” that the copy of the media they are working on is "equivalent" to the original.
Other hashes, such as SHA-1, which produces a 160-bit digest, are stronger than the 128-bit MD5 because their larger output makes collisions harder to produce.
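The dd, dcfldd and MD5 entries above describe the same workflow: copy bit for bit, then hash source and image to show they are equivalent. The script below is an added example, not part of the lab or of any of the tools named here; it uses plain dd with coreutils md5sum/sha1sum rather than dcfldd's built-in hashing, and the source and image paths are whatever the caller passes (a real acquisition would read a write-blocked block device such as /dev/sdb, which is an assumed placeholder).

```shell
#!/bin/sh
# Added example: image a source with dd, then prove the copy is forensically
# equivalent by hashing source and image with MD5 and SHA-1.
# Assumes POSIX sh with coreutils (dd, md5sum, sha1sum). SOURCE would be a
# block device behind a write blocker in practice; here it is whatever path
# the caller passes (the accompanying check uses a constructed file).

# hash_file FILE -> prints "<md5> <sha1>" for FILE
hash_file() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" \
                     "$(sha1sum "$1" | cut -d' ' -f1)"
}

# verify_image SOURCE IMAGE -> exit status 0 if both hashes match, 1 otherwise
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# acquire_image SOURCE IMAGE LOGFILE
# Copies SOURCE to IMAGE bit for bit, hashes both, and records the outcome.
# Returns 0 only when the image verifies; 1 on mismatch; 2 if dd failed.
acquire_image() {
    src=$1; img=$2; log=$3
    # conv=noerror,sync: keep reading past unreadable blocks and pad them
    # with zeros so every later byte keeps its original offset. Caveat: sync
    # also pads the final block, so bs must divide the source size exactly
    # (512 always does for a block device; larger values are faster but
    # can silently append padding and break the hash comparison).
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 2
    {
        echo "source: $src  md5/sha1: $(hash_file "$src")"
        echo "image:  $img  md5/sha1: $(hash_file "$img")"
    } >>"$log"
    if verify_image "$src" "$img"; then
        echo "VERIFIED: image is forensically equivalent to source" >>"$log"
        return 0
    fi
    echo "HASH MISMATCH: do not rely on this image" >>"$log"
    return 1
}
```

Record the hashes printed to the log in your chain-of-custody notes; re-running verify_image later on the stored image confirms it has not changed since acquisition.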