Scribd Logo
Încărcați

Bine ați venit la Scribd!

  • FTK Worksheet

    Încărcat de

    Jake McIntyre
    160 vizualizări5 pagini
    trr

    Titlu original

    Ftk Worksheet

    Drepturi de autor

    © © All Rights Reserved

    Formate disponibile

    DOCX, PDF, TXT sau citiți online pe Scribd

    Vi se pare util acest document?

    Este necorespunzător acest conținut?

    Raportați acest document
    trr

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca DOCX, PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    160 vizualizări5 pagini

    FTK Worksheet

    Încărcat de

    Jake McIntyre
    trr

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca DOCX, PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    din 5

    FTK IMAGER ASSIGNMENT

    OBJECTIVE

    1.
    2.
    3.
    4.
    5.
    6.

    Become familiar with the operation and functionality of a FTK Imager.


    Image a USB device that you attach.
    Mount an image file to a drive letter.
    Recover data from an image.
    Mount an image and observe files on that image.
    Documentation of methodology used.

    RESOURCES

    1. PowerPoint slides from lecture.


    2. FTK Imager Walk thru.
    3. Sample Imaging Report.
    TOOLS
    1.

    FTK Imager.

    ASSIGNMENT FILES

    1. Files for assignment


    a. Ftk_Floppy_Copy.001
    b. Ftk_Floppy_Copy.E01
    c. Ftk_Floppy_Copy2.001
    d. FTK_Mount_Drive.ad1
    BACKGROUND
    FTK Imager is a very versatile tool that can do many things. In the assignment you will perform
    several tasks using FTK Imager that a typical forensic analyst will have to do. This assignment
    will provide you with the basic usage of FTK Imager.
    SCENARIO 1 IMAGING A USB DRIVE

    Copyright 2015 Mark McKinnon

    FTK IMAGER ASSIGNMENT


    Use any portable USB device that you have. Connect it to your computer and image it using
    FTK Imager. Fill out the case information for the image. Create both an E01 and a Raw DD
    image. Document what you did and include portions of your log files in your report describing
    what you imaged and any hash values. Be sure to describe the device you are imaging, if there
    are any distinguishing marks, color, size, make, model, etc.. You do not need to include the
    images created but you do need to include the log files.
    SCENARIO 2 CONVERTING IMAGES
    1. Image the file Ftk_Floppy_Copy.001 and convert it to an E01 file (name it whatever you
    want to). Fill out the case information and use a compression ratio of 6. Verify that the
    file is an exact duplicate of the file. Get a directory listing of the image.
    a. What is the SHA1 Hash?
    b. 7418c7af4f2bd9599b5f12fb0ced291c538e1bc5
    c. What is the MD5 Hash?
    d. 288f3010c93817698d9f82595954b823
    e. Did you create an exact duplicate of the original image? How do you know you
    did? Yes. Once you image the file it tells you if its a match or not
    f. What is the size of the E01 File?
    g. 2kb
    h. How many files are there on the disk?
    i. 19
    j. How many files are deleted?
    k. 12
    l. How many files are not deleted?
    m. 7
    2. Image the File FTK_Floppy_Image.E01 and convert it to an DD file (name it whatever
    you want to). Fill out the case information. Verify that the file is an exact duplicate of
    the file. Get a directory listing of the image.
    a. What is the SHA1 Hash?
    b. 7418c7af4f2bd9599b5f12fb0ced291c538e1bc5
    c. What is the MD5 Hash?
    d. 288f3010c93817698d9f82595954b823
    e. Did you create an exact duplicate of the original image? How do you know you
    did? Yes. The verify files are a match
    f. What is the size of the 001 File?
    g. 1440 kb
    h. How many bytes per sector are there in this image file?
    i. 2880
    j. How big is the image file?
    k. 368KB
    Copyright 2015 Mark McKinnon

    FTK IMAGER ASSIGNMENT


    l. How many sectors are in the image file?
    m. 2880

    Copyright 2015 Mark McKinnon

    FTK IMAGER ASSIGNMENT


    SCENARIO 3 VALIDATING AN IMAGE
    1. Image the file Ftk_Floppy_Copy2.001 and convert to an E01 file (name it whatever you
    want to). Fill out the case information and use a compression ratio of 9. Verify that the
    file is an exact duplicate of the file. Get a directory listing of the image.
    a. What is the SHA1 Hash?
    b. b14e56d95b161b1d67c17d3a3d73d8402d8d9216
    c. What is the MD5 Hash?
    d. d9250180d41680673f8a29dabc013cb9
    e. Did you create an exact duplicate of the original image? How do you know you
    did? Yes. The very results are a match
    f. What is the size of the E01 File?
    g. 388 kb
    h. How many files are there on the disk?
    i. 19
    j. How many files are deleted?
    k. 11
    l. How many files are not deleted?
    m. 8

    SCENARIO 4 RECOVERING DATA


    1.

    Open up the file FTK_Floppy_Image.E01 in FTK Imager and recover all the deleted
    files on the image including directories. Zip up the files in the directory and submit them
    with your assignment.

    SCENARIO 5 MOUNT AN IMAGE


    1. Using FTK Imager mount the image file FTK_Mount_Drive.ad1. Look at the file on the
    mounted drive. Answer the following questions about the file.
    a. Line Count.
    b. Word Count.
    c. Character Count.
    d. Paragraph Count.
    e. Pages.

    Copyright 2015 Mark McKinnon

    FTK IMAGER ASSIGNMENT


    RESULTS
    1. Do all 5 scenarios, answer any questions asked in the scenario.
    2. Provide a report of the following, do not include screenshots in your report.
    a. Answers to each scenario.
    b. The methodology used for each scenario.
    3. Include all files created in the scenarios except the image files, compress the files into 1
    file.
    4. Submit your compressed file and report to Black Board

    Copyright 2015 Mark McKinnon

    S-ar putea să vă placă și