Hard Drive Image Acquisition
HARD DRIVE IMAGE ACQUISITION
One hard-drive was removed from the desktop computer that was brought to the Colorado Technical University Computer Forensic Lab. The drive was a Fujitsu MPA3035ATU model and had a storage capacity of 3.2 Gigabytes. I connected the drive to a computer running Windows 8 Professional 64bit using a Kingwin EZ-connect USI-2535 (IDE/SATA-300-ATA storage controller). This is a USB to IDE/SATA storage controller with SATA and IDE connectors. The software used to create a bit-stream image was AccessData's Forensic Toolkit Imager version 3.1.2.0 (FTK Imager). This tool was chosen because it is one of the tools that has been tested and reviewed by the National Institute of Standards and Technology (NIST), and is a court accepted digital investigations platform. Below are the steps that were performed to acquire the image of the hard-drive;
Step 1. I Installed FTK Imager after downloading the free version from AccessData's website here http://www.accessdata.com/support/product-downloads. I then started the application after the installation was over and below is a screen shot.
Step 2. Next I went to File → Create Disk Image, a menu prompting the user to select a source drive popped up and I selected Physical Drive as shown below.
The Fujitsu Hard-drive was selected in the next step,
After selecting the source hard-drive to be imaged the next step is to choose a destination where the image will be stored. The next window also has check boxes that allow the user to verify the image after it is created and there is also an option to create directory listings of all files in the image.
The window shown above is where you choose what format you want to save the image in, you have a choice of Raw (dd), SMART, E01, or AFF. For this case Raw (dd) image format was chosen because this format is supported by most forensic analysis tools including EnCase, and FTK.
The next screen prompts the user to enter information about
One hard-drive was removed from the desktop computer that was brought to the Colorado Technical University Computer Forensic Lab. The drive was a Fujitsu MPA3035ATU model and had a storage capacity of 3.2 Gigabytes. I connected the drive to a computer running Windows 8 Professional 64bit using a Kingwin EZ-connect USI-2535 (IDE/SATA-300-ATA storage controller). This is a USB to IDE/SATA storage controller with SATA and IDE connectors. The software used to create a bit-stream image was AccessData's Forensic Toolkit Imager version 3.1.2.0 (FTK Imager). This tool was chosen because it is one of the tools that has been tested and reviewed by the National Institute of Standards and Technology (NIST), and is a court accepted digital investigations platform. Below are the steps that were performed to acquire the image of the hard-drive;
Step 1. I Installed FTK Imager after downloading the free version from AccessData's website here http://www.accessdata.com/support/product-downloads. I then started the application after the installation was over and below is a screen shot.
Step 2. Next I went to File → Create Disk Image, a menu prompting the user to select a source drive popped up and I selected Physical Drive as shown below.
The Fujitsu Hard-drive was selected in the next step,
After selecting the source hard-drive to be imaged the next step is to choose a destination where the image will be stored. The next window also has check boxes that allow the user to verify the image after it is created and there is also an option to create directory listings of all files in the image.
The window shown above is where you choose what format you want to save the image in, you have a choice of Raw (dd), SMART, E01, or AFF. For this case Raw (dd) image format was chosen because this format is supported by most forensic analysis tools including EnCase, and FTK.
The next screen prompts the user to enter information about