This tutorial covers the process of imaging a hard drive that has already been removed from a system, using FTK Imager and a write blocker. FTK Imager comes in two versions: one that is installed on a PC and one that can be run from a thumb drive during incident response. We will be using the installed version for this tutorial, but both look and function the same. I will cover the following key steps in the process:
- Attaching the drive with a write blocker
- The acquisition process
- Verification of the image’s integrity
Connecting the Write Blocker
The image acquisition process should ensure the original drive remains completely unaltered, and to guarantee that, a hardware device called a write blocker is normally used. Several companies make them, the most popular being Tableau and WiebeTech, with prices ranging from several hundred to several thousand dollars. You can also just mount the disk in read-only mode and image it that way, but I do not recommend it. I will cover an inexpensive setup that is easy to use and will handle most devices you may run into. A WiebeTech USB Writeblocker can be purchased from Amazon for around two hundred dollars and is the main component of the system. Additionally, you will need a few adapters to connect the drives to the write blocker. I recommend the Thermaltake dual hard drive docking station for attaching 2.5 and 3.5 inch SATA drives and SSDs to the write blocker; it can be had for about 50 dollars on Amazon. Attaching the drive is straightforward:
- connect the USB cable from the write blocker to the imaging machine
- now connect the USB cable from the dock to the write blocker
- plug the power cable into the dock
- insert the drive into the dock
- turn on the dock drive bay
Acquiring the Image with FTK Imager
Once the drive is attached to the imaging machine, launch FTK Imager. When the application has opened, select the File menu and click Create Disk Image. A dialog box will open allowing you to select the source type; in this example select Physical Drive and click Next. The next dialog box will ask you to select the drive you want to image; select the appropriate drive from the drop-down and click Finish.
Next the application lets you select the destination; click Add. The next dialog box asks for the image type; select E01 and click Next. Now we will add some pertinent information about the case we are working. Enter the case number or a unique identifier; example-case-001 is a good choice for this lesson. Next add the evidence number; this is important if you are working a big case with multiple machines that need to be imaged. Enter HD-001 in this field since this is the first piece of evidence. In the unique description field enter a description of the evidence; in this case we will enter “subject 1 hard drive from workstation”. The examiner field should name who is examining this case or evidence item; insert your name here. Enter any notes if you need to; in this example we will leave it blank. Click Next.
An image destination dialog box will open. Select the destination folder and make sure you have enough space there; images are large. Enter the file name of the image; here we will use example-case-001. Image fragment size indicates how large each piece of the image will be and is used to ease file copying and transfer; leave it at the default size of 1500. Compression is used to make the image smaller. A raw disk image without compression will be exactly the same size as the hard drive you are imaging: a 500GB hard drive produces a 500GB image file. Compression can make this significantly smaller at the expense of speed, because compression takes time. If the destination location is larger than the drive being imaged, set compression to zero and it will be done much quicker; otherwise the default setting of 6 is a good compromise between speed and size. Click Finish. Now that you have the destination set, it’s time to start the image acquisition. Make sure the “verify images after they are created” check box IS checked and click Start. Now make some popcorn, sit back and wait. A long time later, in this case 5 hours and 20 minutes, the image was done.
Verifying the Image
Now FTK Imager will automatically start the verification process by computing an MD5 hash of the image and checking that it matches the hash the imaging process recorded. Let’s manually check ourselves so we understand the process a little better. Open the destination folder for the image and notice there are a lot of files called example-case-001.Exx, where xx is replaced by a number 01, 02, 03, etc. Notice there is also an example-case-001.txt; this is the report. Open the report and see what it contains. Inside are all of the case details, when the image acquisition started and finished, all the drive details and the computed hash. The integrity of the image, i.e. whether we made an identical copy, can be verified by checking the report’s computed hash against the computed hash of the finished image. If anything at all is different, the hashes will be completely different and will not match.
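Repeating that check outside FTK Imager, as an added example that is not part of the original tutorial: the script below streams an image through MD5 and SHA1 and compares the results with the hashes recorded in the report, then shows that changing a single byte of the image breaks the match. It assumes a raw (dd-style) image, because the report's hashes cover the decoded disk contents rather than the .E01 container files, so an E01 set must first be decoded by an EWF-aware tool (FTK Imager's own verify, or libewf's ewfverify); the report text, its "[Computed Hashes]" layout, and the "source drive" bytes are all constructed for this example.

```python
import hashlib
import hmac
import pathlib
import re
import tempfile
# Constructed report stand-in; the [Computed Hashes] layout imitates FTK Imager's (assumed).
SAMPLE_REPORT = """\
Case Number: example-case-001
[Computed Hashes]
 MD5 checksum:    {md5}
 SHA1 checksum:   {sha1}
"""

def parse_report_hashes(report_text):
    # Pull the computed MD5 and SHA1 values out of the report text.
    hashes = {}
    for algo in ("MD5", "SHA1"):
        m = re.search(algo + r" checksum:\s*([0-9a-fA-F]+)", report_text)
        if m:
            hashes[algo.lower()] = m.group(1).lower()
    return hashes

def hash_image(path, chunk_size=1024 * 1024):
    # Stream the image through MD5 and SHA1 without loading it all into RAM.
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_image(path, report_text):
    # True only if every hash recorded in the report matches the image file.
    expected = parse_report_hashes(report_text)
    actual = hash_image(path)
    return bool(expected) and all(
        hmac.compare_digest(actual[a], expected[a]) for a in expected)

def demo():
    # Hash a constructed "source drive", write its image, verify, then alter one byte.
    source = bytes(range(256)) * 4096        # 1 MiB of constructed sector data
    report = SAMPLE_REPORT.format(md5=hashlib.md5(source).hexdigest(),
                                  sha1=hashlib.sha1(source).hexdigest())
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d) / "example-case-001.dd"
        path.write_bytes(source)             # the acquired image
        intact = verify_image(path, report)
        path.write_bytes(source[:512] + b"\xff" + source[513:])   # one byte changed
        tampered = verify_image(path, report)
    return intact, tampered                  # (True, False)
```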
Browsing the Image
The image can now be processed in various forensic suites such as FTK, Autopsy, EnCase, Hexways or Belkasoft. We can even add it to FTK Imager and browse the disk’s filesystem. To add the evidence to FTK Imager, click the File menu and select Add Evidence Item. When the dialog box opens, select Image File and click Next. Browse to the image, click on the first E01 file, click Open, then Finish. The image is now available in FTK Imager to examine. The top left area is the Evidence Tree; there should be an entry for your image file with a “+” to the left of it. Click the plus sign to expand the image and browse the file system. When done, click File and then Remove All Evidence Items.
That is all there is to creating a forensic image from a hard drive. In future videos I’ll cover memory images and live disk images acquired during incident response scenarios.