In this article, by Oleg Skulkin and Scar de Courcier, authors of Windows Forensics Cookbook, we will cover drive acquisition in E01 format with FTK Imager, drive acquisition in RAW Format with DC3DD, and mounting forensic images with Arsenal Image Mounter.
Before you can begin analysing evidence from a source, it first needs to be imaged. Imaging is the forensic process in which an exact copy of a drive is taken. This is an important step, especially if evidence needs to be taken to court, because forensic investigators must be able to demonstrate that they have not altered the evidence in any way.
The term forensic image can refer to either a physical or a logical image. Physical images are precise replicas of the drive they are referencing, whereas a logical image is a copy of a certain volume within that drive. In general, logical images show what the machine’s user will have seen and dealt with, whereas physical images give a more comprehensive overview of how the device works at a higher level.
A hash value is generated to verify the authenticity of the acquired image. Hash values are essentially cryptographic digital fingerprints which show whether a particular item is an exact copy of another. Altering even the smallest bit of data will generate a completely new hash value, thus demonstrating that the two items are not the same. When a forensic investigator images a drive, they should generate a hash value for both the original drive and the acquired image. Some pieces of forensic software will do this for you.
There are a number of tools available for imaging hard drives, some of which are free and open source. However, the most popular way for forensic analysts to image hard drives is by using one of the more well-known forensic software vendors' solutions. This is because it is imperative to be able to explain how the image was acquired and to demonstrate its integrity, especially if you are working on a case that will be taken to court.
Once you have your image, you will then be able to analyse the digital evidence from a device without directly interfering with the device itself.
In this chapter, we will be looking at various tools that can help you to image a Windows drive, and taking you through the process of acquisition.
Drive acquisition in E01 format with FTK Imager
FTK Imager is an imaging and data preview tool by AccessData, which allows an examiner not only to create forensic images in different formats, including RAW, SMART, E01 and AFF, but also to preview data sources in a forensically sound manner. In the first recipe of this article, we will show you how to create a forensic image of a hard drive from a Windows system in E01 format.
E01, or EnCase's Evidence File, is a standard format for forensic images in law enforcement. Such an image consists of a header with case info (including acquisition date and time, examiner's name, acquisition notes, and an optional password), a bit-by-bit copy of the acquired drive (stored as data blocks, each verified with its own CRC, or Cyclic Redundancy Check), and a footer with an MD5 hash of the bitstream.
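To make the two layers of integrity checking concrete, here is an added example (not code from the book, AccessData or Guidance Software, and not a parser for the real EWF container) that models the layout just described: the bitstream is split into blocks that each carry a CRC32, and a single MD5 covers the whole stream. The 64 KiB block size and the sample drive contents are assumptions made for the demonstration. The point it shows is that the footer MD5 tells you the image no longer matches, while the per-block CRCs tell you which block was damaged.

```python
import hashlib
import zlib

# Constructed pseudo-drive contents: 200 KiB of repeating byte values.
SAMPLE_IMAGE = bytes(range(256)) * 800

# Block size for the model; the real E01 chunk size is not assumed here.
BLOCK_SIZE = 64 * 1024


def build_segments(data, block_size=BLOCK_SIZE):
    """Split a bitstream into blocks, each stored with its own CRC32, and
    compute the MD5 of the whole bitstream (the 'footer' hash).

    Returns (blocks, stream_md5_hex), where blocks is a list of
    (chunk_bytes, crc32) tuples.
    """
    blocks = []
    for offset in range(0, len(data), block_size):
        chunk = data[offset:offset + block_size]
        blocks.append((chunk, zlib.crc32(chunk) & 0xFFFFFFFF))
    return blocks, hashlib.md5(data).hexdigest()


def verify_segments(blocks, expected_md5):
    """Re-check every block CRC and the stream MD5.

    Returns (md5_matches, bad_block_indexes). A single flipped byte makes
    the MD5 fail, but only the CRCs tell you which block was damaged.
    """
    bad = []
    md5 = hashlib.md5()
    for index, (chunk, stored_crc) in enumerate(blocks):
        if (zlib.crc32(chunk) & 0xFFFFFFFF) != stored_crc:
            bad.append(index)
        md5.update(chunk)
    return md5.hexdigest() == expected_md5, bad


def corrupt_block(blocks, index, byte_offset=0):
    """Return a copy of blocks with one byte flipped in block `index`,
    leaving the stored CRC untouched (simulates damage after acquisition)."""
    chunk, stored_crc = blocks[index]
    patched = (chunk[:byte_offset]
               + bytes([chunk[byte_offset] ^ 0xFF])
               + chunk[byte_offset + 1:])
    copy = list(blocks)
    copy[index] = (patched, stored_crc)
    return copy


if __name__ == "__main__":
    blocks, footer_md5 = build_segments(SAMPLE_IMAGE)
    print("blocks:", len(blocks), "intact:", verify_segments(blocks, footer_md5))
    damaged = corrupt_block(blocks, 2, 17)
    print("after corruption:", verify_segments(damaged, footer_md5))
```

Running the script reports the intact image as verified with no bad blocks, and the damaged copy as an MD5 mismatch with block 2 flagged.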
First of all, let's download FTK Imager from the AccessData website. To do this, go to the SOLUTIONS tab, then to Product Downloads. Now choose DIGITAL FORENSICS, then FTK Imager. At the time of this writing, the most up-to-date version is 3.4.3, so click the green DOWNLOAD PAGE button on the right. You should now be at the download page. Click the DOWNLOAD NOW button and fill in the form; after this you'll get the download link in the email you provided.
The installation process is quite straightforward: all you need to do is click Next a few times, so we won't cover it in this recipe.
How to do it…
There are two ways of initiating the drive imaging process:
- Use the Create Disk Image button from the Toolbar, as shown in the following figure:
- Use the Create Disk Image option from the File menu, as shown in the following figure:
You can choose any option you like.
The first window you see is Select Source. Here you have five options:
- Physical Drive: This allows you to choose a physical drive as the source, with all partitions and unallocated space
- Logical Drive: This allows you to choose a logical drive as the source, for example, E: drive
- Image File: This allows you to choose an image file as the source, for example, if you need to convert your forensic image from one format to another
- Contents of a Folder: This allows you to choose a folder as the source; of course, no deleted files, and so on, will be included
- Fernico Device: This allows you to restore images from multiple CDs/DVDs
Of course, we want to image the whole drive to be able to work with deleted data and unallocated space, so:
- Let’s choose Physical Drive option.
The evidence source mustn't be altered in any way, so make sure you are using a hardware write blocker (you can use the one from Tableau, for example). These devices allow acquisition of the drive contents without creating the possibility of modifying the data.
- Click Next and you'll see the next window – Select Drive.
- Now you should choose the source drive from the drop-down menu; in our case it's \\.\PHYSICALDRIVE2.
- Ok, the source drive is chosen, click Finish.
- Next window – Create Image. We’ll get back to this window soon, but for now, just click Add…
- It’s time to choose the destination image type. As we decided to create our image in EnCase’s Evidence File format, let’s choose E01.
- Click Next and you’ll see Evidence Item Information window.
Here we have five fields to fill in: Case Number, Evidence Number, Unique Description, Examiner and Notes. All fields are optional.
- Whether you filled in the fields or not, click Next.
- Now choose the image destination. You can use the Browse button for this.
- Also, you should fill in the image filename.
If you want your forensic image to be split, choose a fragment size (in megabytes). The E01 format supports compression, so if you want to reduce the image size, you can use this feature; as you can see in the following figure, we have chosen 6. And if you want the data in the image to be secured, use the AD Encryption feature.
AD Encryption is a whole image encryption, so not only is the raw data encrypted, but also any metadata. Each segment or file of the image is encrypted with a randomly generated image key using AES-256.
Ok, we are almost done.
- Click Finish and you’ll see Create Image window again.
- Now, look at three options at the bottom of the window.
The verification process is very important, so make sure the Verify images after they are created option is ticked: it lets you confirm that the source and the image are identical. The Precalculate Progress Statistics option is also very useful: it shows you the estimated time of arrival (completion) during the imaging process. The last option creates directory listings of all files in the image for you, but of course this takes time, so use it only if you need it.
- All you need to do now is to click Start.
Great, the imaging process has been started! When the image is created, the verification process starts.
- Finally, you’ll get Drive/Image Verify Results window, like the one in the following figure:
As you can see, in our case the source and the image are identical: both hashes matched. In the folder with the image, you will also find an info file with valuable information such as drive model, serial number, source data size, sector count, MD5 and SHA1 checksums, and so on.
How it works…
FTK Imager uses the physical drive of your choice as the source and creates a bit-by-bit image of it in EnCase’s Evidence File format. During the verification process, MD5 and SHA1 hashes of the image and the source are being compared.
Drive acquisition in RAW format with DC3DD
DC3DD is a patched (by Jesse Kornblum) version of the classic GNU DD utility with some computer forensics features: for example, on-the-fly hashing with a number of algorithms, such as MD5, SHA-1, SHA-256, and SHA-512, showing the progress of the acquisition process, and so on.
You can find a compiled standalone 64-bit version of DC3DD for Windows at SourceForge. Just download the ZIP or 7z archive, unpack it, and you are ready to go.
How to do it…
- Open Windows Command Prompt and change directory (you can use cd command to do it) to the one with dc3dd.exe, and type the following command:
dc3dd.exe if=\\.\PHYSICALDRIVE2 of=X:\147-2017.dd hash=sha256 log=X:\147-2017.log
- Press Enter and the acquisition process will start.
Of course, your command will be a bit different, so let’s find out what each part of it means:
- if: It stands for input file. Yes, originally DD is a Linux utility and, if you don't know, everything is a file in Linux. As you can see in our command, we put physical drive 2 here (this is the drive we wanted to image, but in your case it may be another drive, depending on the number of drives connected to your workstation).
- of: It stands for output file. Here you should type the destination of your image, which, as you remember, is in RAW format; in our case it's the X: drive and the 147-2017.dd file.
- hash: As has already been said, DC3DD supports four hashing algorithms: MD5, SHA-1, SHA-256, and SHA-512. We chose SHA-256, but you can choose the one you like.
- log: Here you should type the destination for the log. After the acquisition is completed, you will find the tool version, image hash, and so on in this file.
How it works…
DC3DD creates a bit-by-bit image of the source drive in RAW format, so the size of the image will be the same as the source, and calculates the image hash using the algorithm of the examiner's choice, in our case SHA-256.
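The hash recorded in the DC3DD log is only useful if you later recompute it over the image file and compare, which is the verification step described at the start of this article. The following added example (not part of the book and not DC3DD's own code) does that for a RAW image: it pulls the digest, algorithm and sector counts out of a log, streams the image file through hashlib in 1 MiB chunks, and also checks that the file size equals sectors out times the sector size. The log text is a constructed sample written to look like the one produced by the command above; only the digest line and the sector-count lines are parsed, and the exact wording of real DC3DD logs is an assumption.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed 4 KiB sample "drive": 8 sectors of 512 bytes.
SAMPLE_IMAGE = bytes(range(256)) * 16

# Constructed sample of a dc3dd log (shape assumed, not copied from a real run).
LOG_TEMPLATE = r"""dc3dd 7.2.646 started at 2017-03-10 12:00:01 +0300
command line: dc3dd.exe if=\\.\PHYSICALDRIVE2 of=X:\147-2017.dd hash=sha256 log=X:\147-2017.log
sector size: 512 bytes (probed)

input results for device `\\.\PHYSICALDRIVE2':
   8 sectors in
   0 bad sectors replaced by zeros
   {digest} (sha256)

output results for file `X:\147-2017.dd':
   8 sectors out

dc3dd completed at 2017-03-10 12:00:02 +0300
"""
SAMPLE_LOG = LOG_TEMPLATE.format(digest=hashlib.sha256(SAMPLE_IMAGE).hexdigest())

# A hex digest followed by the algorithm name in parentheses, on its own line.
DIGEST_RE = re.compile(r"^\s*([0-9a-fA-F]{32,128})\s+\((md5|sha1|sha256|sha512)\)\s*$", re.M)


def parse_dc3dd_log(text):
    """Extract the recorded digest, its algorithm and the sector counts."""
    m = DIGEST_RE.search(text)
    if not m:
        raise ValueError("no digest line found in log")

    def count(label):
        found = re.search(r"(\d+)\s+" + label, text)
        return int(found.group(1)) if found else None

    return {
        "digest": m.group(1).lower(),
        "algorithm": m.group(2),
        "sectors_in": count("sectors in"),
        "sectors_out": count("sectors out"),
        "bad_sectors": count("bad sectors"),
    }


def hash_file(path, algorithm, chunk_size=1 << 20):
    """Stream the file through hashlib so images of hundreds of GB fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path, log_text, sector_size=512):
    """Compare the image on disk with what the log says was written."""
    info = parse_dc3dd_log(log_text)
    info["actual_digest"] = hash_file(image_path, info["algorithm"])
    info["digest_match"] = info["actual_digest"] == info["digest"]
    size = Path(image_path).stat().st_size
    info["size_match"] = size == info["sectors_out"] * sector_size
    info["match"] = info["digest_match"] and info["size_match"]
    return info


def verify_sample(tamper=False):
    """Write the constructed image to a temp file (optionally with one byte
    altered, as if the copy had been damaged) and verify it against the log."""
    data = bytearray(SAMPLE_IMAGE)
    if tamper:
        data[1000] ^= 0x01
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "147-2017.dd"
        path.write_bytes(data)
        return verify_image(path, SAMPLE_LOG)


if __name__ == "__main__":
    print("intact copy matches log:", verify_sample()["match"])
    print("tampered copy matches log:", verify_sample(tamper=True)["match"])
```

For a real acquisition you would call verify_image with the path of the .dd file and the contents of the .log file, and keep the result with the case notes; the size check catches a truncated copy even before the hash is finished.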
Mounting forensic images with Arsenal Image Mounter
Arsenal Image Mounter is an open source tool developed by Arsenal Recon. It can help a digital forensic examiner to mount a forensic image or virtual machine disk in Windows. It supports both E01 (and Ex01) and RAW forensic images, so you can use it with any of the images we created in the previous recipes.
It's very important to note that Arsenal Image Mounter mounts the contents of disk images as complete disks. The tool supports all file systems you can find on Windows drives: NTFS, ReFS, FAT32 and exFAT. Also, it has temporary write support for images, which is a very useful feature, for example, if you want to boot a system from the image you are examining.
Go to Arsenal Image Mounter web page at Arsenal Recon website and click on Download button to download the ZIP archive. At the time of this writing the latest version of the tool is 2.0.010, so in our case, the archive has the name Arsenal_Image_Mounter_v2.0.010.0_x64.zip. Extract it to a location of your choice and you are ready to go, no installation is needed.
How to do it…
There are two ways to choose an image for mounting in Arsenal Image Mounter:
- You can use the File menu and choose Mount image.
- Use the Mount image button, as shown in the following figure:
- When you choose the Mount image option from the File menu or click on the Mount image button, an Open window will pop up – here you should choose an image for mounting.
- The next window you will see is Mount options, like the one in the following figure:
- As you can see, there are a few options here:
Read only: If you choose this option, the image is mounted in read-only mode, so no write operations are allowed (Do you still remember that you mustn't alter the evidence in any way? Of course, it's already an image, not the original drive, but nevertheless).
Fake disk signatures: If an all-zero disk signature is found on the image, Arsenal Image Mounter reports a random disk signature to Windows, so it's mounted properly.
Write temporary: If you choose this option, the image is mounted in read-write mode, but all modifications are written not to the original image file, but to a temporary differential file.
Write original: Again, this option mounts the image in read-write mode, but this time the original image file will be modified.
Sector size: This option allows you to choose the sector size.
Create "removable" disk device: This option emulates the attachment of a USB thumb drive.
- Choose the options you think you need and click OK.
We decided to mount our image as read only. Now you can see a hard drive icon in the main window of the tool – the image is mounted.
If you mounted only one image and want to unmount it, select the image and click on the Remove selected button. If you have a few mounted images and want to unmount all of them, click on the Remove all button.
How it works…
Arsenal Image Mounter mounts forensic images or virtual machine disks as complete disks in read-only or read-write mode. Later, a digital forensics examiner can access their contents even with Windows Explorer.
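The evidentiary difference between the three write modes is easiest to see in code. The following added example (a model written for this article, not Arsenal Image Mounter's driver or any of its code) presents an image as 512-byte sectors and implements read-only, write temporary and write original as the text describes them: read-only rejects writes, write temporary diverts them to an in-memory differential store so the reader sees the change while the image file's hash stays the same, and write original changes the image bytes themselves. The sector size and the sample image contents are assumptions.

```python
import hashlib

SECTOR = 512
MODES = ("read-only", "write-temporary", "write-original")


class MountedImage:
    """Sector-level view of an image under one of the three mount modes."""

    def __init__(self, image_bytes, mode="read-only"):
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.base = bytearray(image_bytes)  # the image file's contents
        self.mode = mode
        self.diff = {}                      # sector index -> replacement bytes

    def read_sector(self, n):
        # A write-temporary overlay shadows the base sector; otherwise read base.
        if n in self.diff:
            return self.diff[n]
        return bytes(self.base[n * SECTOR:(n + 1) * SECTOR])

    def write_sector(self, n, data):
        if len(data) != SECTOR:
            raise ValueError("writes must be exactly one sector")
        if self.mode == "read-only":
            raise PermissionError("image mounted read-only")
        if self.mode == "write-temporary":
            self.diff[n] = bytes(data)      # differential store, base untouched
        else:
            self.base[n * SECTOR:(n + 1) * SECTOR] = data  # original modified

    def image_hash(self):
        """Hash of the image file itself, ignoring any temporary overlay."""
        return hashlib.sha256(self.base).hexdigest()


def demo(image_bytes):
    """Exercise each mode on the same image and report what changed."""
    original = hashlib.sha256(image_bytes).hexdigest()
    results = {}

    ro = MountedImage(image_bytes, "read-only")
    try:
        ro.write_sector(0, bytes(SECTOR))
        results["read_only_rejected"] = False
    except PermissionError:
        results["read_only_rejected"] = True

    tmp = MountedImage(image_bytes, "write-temporary")
    tmp.write_sector(3, b"\xAA" * SECTOR)
    results["temp_view_changed"] = tmp.read_sector(3) == b"\xAA" * SECTOR
    results["temp_image_intact"] = tmp.image_hash() == original

    orig = MountedImage(image_bytes, "write-original")
    orig.write_sector(3, b"\xAA" * SECTOR)
    results["original_image_intact"] = orig.image_hash() == original
    return results


# Constructed 2 KiB sample image: 4 sectors.
SAMPLE_IMAGE = bytes(range(256)) * 8

if __name__ == "__main__":
    for key, value in demo(SAMPLE_IMAGE).items():
        print(f"{key}: {value}")
```

The last result is the one that matters for evidence handling: after a write original mount the image no longer hashes to the value recorded at acquisition, so the verification described in the first two recipes would fail.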
In this article, the authors have explained the process and importance of drive acquisition using imaging software available from well-known forensic software vendors, such as FTK Imager and DC3DD. Drive acquisition, being the first step in the analysis of digital evidence, needs to be carried out with the utmost care, which in turn will make the analysis process smooth.