Running head: DIGITAL FORENSICS
(Title)
Student's Name
Academic Institution

Introduction

Digital forensics is the branch of forensic science concerned with the investigation and recovery of material found on digital devices, particularly in cases of computer crime. This experiment concentrates on different methods of creating disk images for forensic purposes. Its purpose is to demonstrate how the dd command and the FTK Imager tool are used to create "forensically sound" disk images on a Windows 7 x86 platform, and how a hex editor is used to analyze differences between the resulting images. "Forensically sound" here means that the source device is write-protected before it is touched, that the image is a complete bit-for-bit copy of the device, and that cryptographic hashes (MD5 and SHA1) are computed during acquisition so the copy can later be verified against the original. Several imaging tools are used and the images they produce are compared; the comparison is done with the HxD hex editor so that any differing offsets are brought out.

Materials / Tools Used

1. Computer with Windows 7 x86 platform.
2. Helix bootable CD (Version 2009 R1).
3. FTK Imager ver. 2.9.0.
4. The dd.exe program from the Forensic Acquisition Utilities (FAU).
5. USB thumb drive.
6. Hex editor HxD.

METHODOLOGY

Part I: Using the Helix CD FTK Imager to image a USB thumb drive

a. The registry fix disableUSBwrite was run so as to write-protect the device. This is a software write block, so it must be applied before the device is inserted (as was done here); a hardware write blocker is preferred where one is available.
b. The Windows 7 x86 platform was then started and the USB thumb drive was inserted.
c. The Helix CD was inserted and the "live" Windows system was started.
d. Under Quick Launch, FTK Imager was chosen.
e. Under the File menu, I chose "Create Disk Image" and selected Physical Drive as the evidence source, since the evidence was a USB thumb drive. The appropriate USB thumb drive was then selected and I clicked Finish.
f. Under Image Destination, I clicked Add, chose the Raw (dd) format, entered the case number 001 and evidence number 001, set the destination folder to C:\Digital Forensics, gave the file name "forensics", and started image creation.
g. After image creation was complete, an image file named "Forensics1.001" and a text file named Forensics.txt containing the MD5 and SHA1 hash values were present.

Part II: Using FTK Imager ver. 2.9.0 to image a USB thumb drive

a. FTK Imager ver. 2.9.0 was installed.
b. Under the File menu, I chose "Create Disk Image" and selected Physical Drive as the evidence source, since the evidence was a USB thumb drive. The appropriate USB thumb drive was then selected and I clicked Finish.
c. Under Image Destination, I clicked Add, chose the Raw (dd) format, entered the case number 001 and evidence number 001, set the destination folder to C:\Digital Forensics, gave the file name "forensics", and started image creation.
d. After image creation was complete, an image file named "Forensics2.001" and a text file named Forensics.txt containing the MD5 and SHA1 hash values were present.

Part III: Using the Forensic Acquisition Utilities (FAU) to image a USB thumb drive

a. The latest version of the Forensic Acquisition Utilities (FAU), FAU-1.3.0.2390a, was installed.
b. The folder C:\CGS5131HW1 was created on the computer and the downloaded FAU archive was uncompressed and saved there. This created a series of subfolders: C:\CGS5131HW1\fau-1.3.0.2390a\fau\FAU.
c. A command-line window was opened by navigating to C:\Windows\system32, right-clicking cmd.exe and selecting "Run as administrator", as shown in the screenshot. Administrator rights are needed because dd.exe opens the raw physical device.
d. The following commands were entered to navigate to the directory where dd.exe and volume_dump.exe are located: cd C:\CGS5131HW1\fau-1.3.0.2390a\fau\FAU.x86 (followed by the Enter key), then the dir command (followed by the Enter key).
e. Note: "cd" means "change directory" and "dir" lists the files in the current directory. The FAU.x86 folder was chosen because the PC was running the x86 (32-bit) build of Windows 7.
f. The command volume_dump.exe was run by typing volume_dump.exe (followed by the Enter key). This enumerates the attached disks so that the correct physical drive number can be identified before imaging. The following output was recorded:

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\Administrator>cd C:\CGS5131HW1\fau-1.3.0.2390a\fau\FAU.x86

    C:\CGS5131HW1\fau-1.3.0.2390a\fau\FAU.x86>volume_dump.exe
    C:\CGS5131HW1\fau-1.3.0.2390a\fau\FAU.x86\volume_dump.exe
    Forensic Acquisition Utilities, 1, 3, 1, 2390
    Volume Dump Utility, 1, 3, 1, 2390
    Copyright (C) 2002-2009 GMG Systems, Inc.

    Command Line: volume_dump.exe
    Windows 7 Ultimate 6.1.7600 Multiprocessor Free(, 7600.win7_gdr.100618-1621)
    9/11/2010 7:18:11 AM (UTC)
    9/11/2010 10:18:11 AM (local time)
    Current User: Edgar-PC\Administrator
    Current Locale: English_United States.437
    User Default Locale Language: 0x0409

    Disk0: ST9160823AS (S/N 4e35304b44444343202020202020202020202020)
    HWDetect: \\?\ide#diskst9160823as_____________________________3.bhd___#5&7373962&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
    Geometry:
      Cylinders: 20673
      Tracks per Cylinder: 240
      Sectors per Track: 63
      Bytes per Sector: 512
      Total Size: 160041885696
      DCO Size: 160041885696
    Media Type: Fixed hard disk media
    48-bit LBA enabled

    Disk1: USB2.0 Flash Disk (S/N ?)
    HWDetect: \\?\usbstor#disk&ven_usb2.0&prod_flash_disk&rev_2.60#1000000000008997&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
    Geometry:
      Cylinders: 257
      Tracks per Cylinder: 255
      Sectors per Track: 63
      Bytes per Sector: 512
      Total Size: 2118123520
    Media Type: Removable media other than floppy

    9/11/2010 7:18:12 AM (UTC)
    9/11/2010 10:18:12 AM (local time)

Disk1 is the thumb drive: it reports as removable media of 2118123520 bytes (4136960 sectors of 512 bytes). Disk0 is the internal hard drive and must not be imaged by mistake.

g. The dd.exe command was then used to make a forensic copy of the USB thumb drive. With the thumb drive still write-protected, dd.exe /? (or dd.exe --help) was run to display the help text. The output describing the options if, of, conv, bs, count, skip, --localwrt and --cryptsum was recorded as follows:

    bs=[BYTES]          Set 'ibs' and 'obs' equal to BYTES.
    conv=[KEYWORDS]     Convert the input as per the comma separated keyword list.
                        The following are valid keywords:
                          noerror  Continue reading after errors.
                          comp     Compress the output.
                          decomp   Decompress the output.
                          swab     Swap each pair of bytes.
                          notrunc  Don't truncate the output file.
                          resume   Resume a broken copy operation (Enterprise level only).
    count=[BLOCKS]      Copy only the specified number of input blocks.
    if=[SOURCE]         Specifies the source for input; the default is stdin.
    of=[DESTINATION]    Specifies the destination for output; the default is stdout.
    --cryptsum [ALGORITHM]
                        Includes one or more cryptographic checksums in the output.
                        "md2", "md4", "md5" and "sha" or "sha1" are supported on all platforms.
                        "sha_256", "sha_384" and "sha_512" are supported on Windows Server 2003 and later.
    --localwrt          Enables writing output to a local fixed drive.
    --count [BYTES]     Stop after acquiring the specified number of bytes.

h. The USB thumb drive's device name is \\.\PhysicalDrive1 (Disk1 in the volume_dump.exe output). The dd.exe command below was used to image the thumb drive to the hard drive while computing the MD5 and SHA1 hashes concurrently:

    dd.exe --localwrt if=\\.\PhysicalDrive1 of="C:\Digital Forensics\forensics.dd" conv=noerror --cryptsum MD5 --cryptsum SHA1 --

Two details of this command matter. The option names take two ASCII hyphens (--localwrt, --cryptsum); the dashes in the original typescript had been converted to typographic dashes, which dd.exe does not accept. The of= argument must name an output file rather than the folder alone, and must be quoted because the folder name contains a space; the file name forensics.dd is an assumption here, following the base name used in Parts I and II. --localwrt is required because FAU otherwise refuses to write the image onto a local fixed drive. conv=noerror keeps the acquisition going past unreadable sectors; if any are reported, the image hash then covers the substituted data, not the device, so the error log must be kept with the hashes. Since the help text shows sha_256 is supported on Windows Server 2003 and later (which includes Windows 7), adding --cryptsum SHA_256 is advisable, as MD5 alone is no longer considered collision resistant.

For all of the above software and methods used to create an image, the image log results in Part I, Part II and Part III were identical in terms of the MD5 and SHA1 hash values. This is the expected outcome: three independent acquisitions of a write-blocked device yielding the same hashes is the evidence that each image is a bit-for-bit copy of the same device contents.

Part IV

a. Write protection was removed by enabling USB writes with the "enableUSBwrite" registry fix. A text file named CGS5131HW1Q4.txt was created and saved in the USB thumb drive's root directory. The date/time stamps were reported as follows (see figure).
b. FTK Imager ver. 2.9.0 from Part II was used to create a dd image, using the procedure in Part II, while the drive was not write-protected. The image log file results containing the MD5 and SHA1 hashes were as follows (see figure).
c. The created text file CGS5131HW1Q4.txt was opened without being modified, moved, renamed or re-saved. The date/time stamps were recorded as follows (see figure).
d. There were no changes in the date/time stamps reported in (c) compared with those in step (a). This is consistent with Windows 7 behaviour: last-access time updates are disabled by default on NTFS (NtfsDisableLastAccessUpdate), and on FAT-formatted media the last-access field holds only a date. I therefore opened the saved text file on the USB thumb drive and saved it back to itself without modifying its contents. The date and time stamps were then recorded as follows (see figure).
e. FTK Imager was used as in Part II to create another image, and the image log file results were as follows (see figure).
f. The HxD hex editor was used to identify the differences between the two images from (b) and (d). This was done by selecting Analysis > File-Compare > Compare and then selecting the two images to be compared. Only one byte differed between the images, as shown in the figure: at offset 000400D0, column 06, the value was 52 in the image from step (d) and A5 in the image from step (b). Re-saving the file without changing its contents altered only the file's metadata, which is why the two images differ in a single byte rather than in the file's data region. Because the images differ at all, their MD5 and SHA1 values also differ, so the hashes recorded in the image logs of (b) and (e) cannot match; a one-byte change is enough to change every hash.

Hash values recorded (MD5, SHA1):

    5005565bf399668d45a7708ba0304e6a
    736784f289d0fafb5b936efcc45b156790ac4dc0
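The two technical steps of this report, acquiring an image while hashing it (Part III, dd.exe --cryptsum with conv=noerror) and then comparing two images byte by byte to locate the differing offset (Part IV, HxD File-Compare), can be reproduced in a few lines. The following is an added example written for this page; it is not code from the report, from FAU, FTK Imager or HxD. It runs against a constructed in-memory "thumb drive", so no device is touched. The function names (acquire, verify_image, compare_images, hxd_position), the FaultyDrive class, the 320 KiB device size and the sample bytes are this example's own assumptions; the only values taken from the report are the differing offset (000400D0, column 06, read here as byte offset 0x400D6) and the two byte values A5 and 52.

```python
"""dd-style acquisition with concurrent hashing, independent verification,
and HxD-style image comparison.  Added example, not part of the report."""
import hashlib
import io
import random

DRIVE_SIZE = 0x50000          # 320 KiB constructed device = 640 sectors of 512 bytes
_rng = random.Random(1)       # deterministic "drive contents" for the demo

# Constructed sample data: the drive as imaged in step (b) ...
_buf = bytearray(_rng.getrandbits(DRIVE_SIZE * 8).to_bytes(DRIVE_SIZE, "little"))
_buf[0x400D6] = 0xA5
ORIGINAL = bytes(_buf)
# ... and the same drive after the file was re-saved in step (d): one byte changed.
_buf[0x400D6] = 0x52
RESAVED = bytes(_buf)


class FaultyDrive:
    """Stand-in for \\\\.\\PhysicalDrive1.  Optionally raises OSError once, when the
    block starting at `bad_offset` is read, to exercise the conv=noerror path."""

    def __init__(self, data, bad_offset=None):
        self._data, self._pos, self._bad = data, 0, bad_offset

    def read(self, n):
        if self._bad is not None and self._pos == self._bad:
            self._bad = None
            self._pos += n            # the device skips past the unreadable block
            raise OSError("I/O error")
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk


def hash_bytes(data, algos=("md5", "sha1", "sha256")):
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def acquire(src, dst, bs=512, noerror=True, algos=("md5", "sha1", "sha256")):
    """Copy src to dst block by block, hashing the bytes as they are written
    (what dd.exe --cryptsum does).  With noerror, an unreadable block is
    replaced by zeros and its offset is logged instead of aborting."""
    hashes = {a: hashlib.new(a) for a in algos}
    offset, bad_blocks = 0, []
    while True:
        try:
            block = src.read(bs)
        except OSError:
            if not noerror:
                raise
            bad_blocks.append(offset)
            block = b"\x00" * bs
        if not block:
            break
        dst.write(block)
        for h in hashes.values():
            h.update(block)
        offset += len(block)
    return {"bytes": offset, "bad_blocks": bad_blocks,
            "hashes": {a: h.hexdigest() for a, h in hashes.items()}}


def verify_image(image, expected):
    """Post-acquisition check: rehash the written image and compare with the log."""
    return hash_bytes(image, tuple(expected)) == expected


def compare_images(img_a, img_b, chunk=65536):
    """Byte-for-byte comparison (the HxD File-Compare step).  Returns
    [(offset, byte_in_a, byte_in_b), ...]; a length mismatch is reported as a
    difference at the first offset beyond the shorter image, with None."""
    diffs, n = [], min(len(img_a), len(img_b))
    for start in range(0, n, chunk):
        a, b = img_a[start:start + chunk], img_b[start:start + chunk]
        if a != b:                      # only walk bytes inside a differing chunk
            diffs.extend((start + i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y)
    if len(img_a) != len(img_b):
        diffs.append((n, img_a[n] if n < len(img_a) else None,
                         img_b[n] if n < len(img_b) else None))
    return diffs


def hxd_position(offset):
    """Render an offset the way HxD labels it: 16-byte row address and column."""
    return f"{offset & ~0xF:08X}", f"{offset & 0xF:02X}"


def run_demo():
    img_b, img_d, img_err = io.BytesIO(), io.BytesIO(), io.BytesIO()
    log_b = acquire(FaultyDrive(ORIGINAL), img_b)                       # step (b)
    log_d = acquire(FaultyDrive(RESAVED), img_d)                        # step (e)
    log_err = acquire(FaultyDrive(ORIGINAL, bad_offset=100 * 512), img_err)  # noerror case
    return {"b": log_b, "d": log_d, "err": log_err,
            "diffs": compare_images(img_b.getvalue(), img_d.getvalue()),
            "verified_b": verify_image(img_b.getvalue(), log_b["hashes"]),
            "verified_err": verify_image(img_err.getvalue(), log_err["hashes"])}


if __name__ == "__main__":
    r = run_demo()
    for off, x, y in r["diffs"]:
        row, col = hxd_position(off)
        print(f"Offset {row} - {col}: {x:02X} in (b), {y:02X} in (d)")
    print("bad blocks in noerror run:", r["err"]["bad_blocks"])
```

The third acquisition makes the conv=noerror caveat concrete: the recorded hashes verify against the image that was written (verify_image returns True), yet they differ from the hashes of the clean acquisition, because a zero-filled block stands in for the unreadable sector. The bad-block list is therefore part of the evidence record, not an optional diagnostic.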