Live Image Imaging with FTK Imager and Data Recovery with Autopsy

1. Provide a brief summary of the lab. What did you do in the lab? How did it work? What did you look for/find?

In this lab I was tasked with the investigation of a Windows 8 drive. I created an image of the suspect drive using FTK Imager, then compared the hash value of the image with that of the original drive. For this, the Autopsy tool came in handy. The next step entailed using Autopsy to ingest the created image, then selecting and extracting the user's files. From the captured information I established that the hash values matched.
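As an added example (not part of the lab report), the hash check described above done by hand: the image bytes are hashed in chunks, the MD5/SHA1 recorded in an FTK Imager-style summary text are parsed out, and each recorded hash is compared with the computed one. The image bytes and the summary text are constructed here, and the summary's key names ("MD5 checksum:", "SHA1 checksum:") are an assumption about the format rather than a copy of real FTK Imager output.

```python
import hashlib
import re

# Constructed stand-in for the bytes of a drive image (a real image is read from disk).
SAMPLE_IMAGE = b"NTFS    " + bytes(range(256)) * 4

# Constructed text in the style of the summary file FTK Imager writes next to an image.
# The key names are an assumption about the format, not copied from a real output.
SAMPLE_SUMMARY = """\
Created By FTK Imager (constructed example summary)
[Computed Hashes]
 MD5 checksum:    {md5}
 SHA1 checksum:   {sha1}
"""


def compute_hashes(data: bytes, chunk_size: int = 1 << 16) -> dict:
    """Hash the image in chunks, as one would with a multi-gigabyte file."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for i in range(0, len(data), chunk_size):
        block = data[i:i + chunk_size]
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def parse_summary(text: str) -> dict:
    """Pull the recorded MD5/SHA1 values out of the summary text (case-insensitive)."""
    found = {}
    for algo in ("md5", "sha1"):
        m = re.search(rf"{algo}\s+checksum:\s*([0-9a-fA-F]+)", text, re.IGNORECASE)
        if m:
            found[algo] = m.group(1).lower()
    return found


def verify_image(data: bytes, summary_text: str) -> dict:
    """Return {algo: True/False} per recorded hash; an algorithm missing from the
    summary is reported as None so a malformed summary never passes silently."""
    computed = compute_hashes(data)
    recorded = parse_summary(summary_text)
    return {algo: (recorded[algo] == computed[algo]) if algo in recorded else None
            for algo in computed}


def build_summary(data: bytes) -> str:
    """Produce a summary text for the given image (constructed, for the demo)."""
    h = compute_hashes(data)
    return SAMPLE_SUMMARY.format(md5=h["md5"], sha1=h["sha1"])


if __name__ == "__main__":
    good = build_summary(SAMPLE_IMAGE)
    print(verify_image(SAMPLE_IMAGE, good))            # {'md5': True, 'sha1': True}
    print(verify_image(SAMPLE_IMAGE + b"\x00", good))  # both False: image was altered
```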

2. Briefly describe the specific practices or resources that were most important in supporting the investigation and maintaining evidentiary integrity in this lab. For example:

a) Chain of custody practices

To ensure the integrity of the evidence collected, it is essential to observe the chain of custody. Proper documentation of the steps used in collecting and analyzing the evidence will help ensure its validity in a court of law. Since a serious crime had been committed, and the outcome of my investigation would have a great impact, I documented all the physical devices obtained and the tools used to analyze them. Additionally, I captured each step taken with the various tools in a screenshot.

b) Digital forensic tools

To analyze the suspect drive I used both FTK Imager and the Autopsy tool to create and analyze the drive's image.

Screenshots captured at each step:

· MD5 file creation with FTK Imager
· Generated text file details
· Creating a new case with Autopsy
· Adding a source
· Ingesting the created image
· Opening the user's directory
· Extracting the user's files
· Exported content

c) Incident response tactics

To ensure no hiccups were experienced, it was important to establish a series of procedures that would be followed in the event of an unexpected incident. It is essential that the investigation be completed within the given time and that the evidence obtained remains valid.

3. Briefly describe best practices or resources necessary in terms of next steps in this lab scenario.

Before the actual investigation begins, it is important to establish the investigation objectives. A plan for how to achieve these objectives is also important. Since we are dealing with a case of data theft, I will be analyzing the suspect data to establish whether the allegations being made are true. In this case, FTK Imager and the Autopsy tool will be the necessary tools to achieve this.

