![accessdata ftk imager device model accessdata ftk imager device model](https://eforensicsmag.com/wp-content/uploads/2014/04/m1.png)
- #Accessdata ftk imager device model how to
- #Accessdata ftk imager device model windows 10
- #Accessdata ftk imager device model verification
What is the difference between physical and logical acquisitions? The contents of Document 10.rtf are displayed in the lower right window.įigure 9 reflects the contents of the original file Document 10.rtf. In figure 8 below, FTK Imager was able to retrieve file artifacts for all ten files after they have been deleted as referenced by the red X. SHA1 checksum: 83da2d1b0b75478fe6e56af89e8213303558c5f3 : verifiedįigure 6 below is the hashed output of all ten files resident on the USB drive.įigure 7 below shows a snapshot of what the files look like using FTK Imager.
#Accessdata ftk imager device model verification
Verification finished: Sat Apr 08 12:15:51 2017 Information for C:\Users\mbigueur\Desktop\USB Drive Image 2: It should be noted that both of the MD5 and SHA-1 hash values have changed subsequent to the addition of the aforementioned ten files.īelow is the output from the Image Summary screen from FTK Imager revealing more details of the drives metadata. The new hash values for the USB drive after adding the ten files are seen below in figure 5.
![accessdata ftk imager device model accessdata ftk imager device model](https://www.researchgate.net/profile/Mehnaz-Tabassum/publication/323771450/figure/fig1/AS:631593597157378@1527595056135/Steps-of-the-working-procedure_Q640.jpg)
I then created ten test files as seen below in figure 4 and copied them to the USB drive. Verification finished: Sat Apr 08 12:05:10 2017
![accessdata ftk imager device model accessdata ftk imager device model](https://online.anyflip.com/upza/zeox/files/mobile/2.jpg)
Physical Evidentiary Item (Source) Information: Information for C:\Users\mbigueur\Desktop\USB Drive Image: NOTE: MD5 and SHA-1 Hashes were performed simultaneously providing two hash values adding an extra layer of integrity checking.īelow is the Image Summary output from FTK Imager, which is a more detailed data output.Ĭreated By AccessData® FTK® Imager 3.4.3.3 The hash and details of the forensic image acquisition is displayed as well in figure 3. Next, I performed physical acquisition using FTK Imager as seen in figure 3 below. Step two is to ensure that we have a forensically sound environment by enabling USB write block, which I had performed using a quick registry hack as seen below in figure 2. For the sake of time, I decided to wipe the USB drive using the one pass zero option, which basically write a pattern of zeroes across the entire drive’s files system ensuring that no remnants of any prior data remains.
![accessdata ftk imager device model accessdata ftk imager device model](https://www.researchgate.net/profile/Gary-Kessler/publication/254591932/figure/fig4/AS:297875654365185@1448030498087/FTK-Imager-Drive-Selection-screen.png)
After a short search, I decided to use a freeware program called “Disk Wipe v1.7”. The first step is to wipe the hard drive clean in order to achieve uncontaminated results during our experiment.
#Accessdata ftk imager device model windows 10
This assignment was performed using Windows 10 running as a virtual machine inside of VMware Fusion 8 hypervisor on macOS Sierra as the host operating system.
#Accessdata ftk imager device model how to
This assignment will walk through the basic forensic examination process of how to examine USB drive artifacts. This is why having the ability to examine USB device history and files are critical to digital forensic investigations. The proliferation of USB devices not only is an added convenience to users but also a hindrance to network and information security and as a result can be used for nefarious purposes.