Digital Forensics Examinations: What NOT to do with Digital Evidence

Gary Thomas
AccessData Certified Examiner (ACE)
AccessData Certified Mobile Examiner (AME)
McAfee Institute Board Certified Cyber Intelligence Investigator (CCII)
NC Licensed Private Investigator #4061

08/14/2013

© Thomas Computer Forensics LLC

Upload: bryce-robbins

Post on 25-Dec-2015


TRANSCRIPT

Page 1

Page 2

TCFLLC Disclaimer:

ANY INFORMATION AND/OR OPINIONS CONTAINED IN THIS PRESENTATION SHOULD NOT BE CONSIDERED AS LEGAL ADVICE.

AS ALWAYS, CONSULT WITH AN ATTORNEY AT LAW FOR LEGAL ADVICE.

Page 3

Topics

1. Digital Forensics Terminology
2. What is digital evidence?
3. Client contact – Interviews
4. Things NOT to do when gathering digital evidence
5. Basic questions at crime scenes
6. Best practices when handling digital evidence
7. Following digital forensics protocol
8. Logical vs. physical capture
9. Performing a digital forensics exam

Page 4

Digital Forensics Terminology

Page 5

Geometry of a Hard Drive (figure: Sector, Track)

Sector

Cluster – Group of Sectors

Allocated Unit sizes (per sector):

• 512 bytes
• 1024 bytes
• 2048 bytes
• 4096 bytes
• 8192 bytes
• 16 Kilobytes
• 32 Kilobytes
• 64 Kilobytes

Page 6

Allocated Space

Allocated space is composed of “clusters” (the Allocated Unit Size); they may be full or partially filled with digital media that are tracked by the file system.

When data is loaded onto a hard drive, it is loaded into clusters. Once the cluster is full, the data is then loaded into another cluster until all of the data is loaded onto the hard drive.

Note that when the last block of data is loaded into a cluster, if the cluster is not filled (which is almost always the case), then the remaining space in that cluster is empty and will NOT be available for data to be loaded into that remaining space.

The empty space at the end of the cluster becomes the “Slack Space.”

Page 7

Unallocated Space (Free Space)

• All clusters on a drive or media that are NOT currently assigned, and not in use by the file system, are referred to as unallocated (Free Space).

• NOTE: These items are part of the “Physical Exam” but NOT part of a “Logical Exam.”

• Clusters that are not assigned will contain files and file fragments (remnants) from previously occupying files.

Page 8

Slack Space

Files are created in varying lengths depending on their content. Rarely do file sizes exactly match the size of a single cluster.

“The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called Slack Space.”

When a file is written to the cluster, the data overflows into the next cluster (NOT necessarily in sequence).

The file system chains these clusters together to form the file.
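The cluster arithmetic behind Pages 6 and 8, worked through in code. This is an added example, not material from the slide deck: it computes how many clusters a file of a given size occupies for each allocation-unit size listed on Page 5, how much slack is left in the last cluster, and, on a constructed 4096-byte cluster that was previously used by another file, what a physical read of the slack region returns that a logical (file-system) read never would. The byte patterns and the 1500-byte file size are constructed for the example.

```python
# Added example (not from the slide deck): cluster allocation and slack-space
# arithmetic for the allocation-unit sizes listed on the Page 5 slide.
SECTOR_BYTES = 512
# Cluster sizes from the slide, in bytes (512 bytes up to 64 KiB).
CLUSTER_SIZES = [512 * 2 ** i for i in range(8)]


def allocation(file_size, cluster_size):
    """Return how a file of `file_size` bytes is laid out on a volume whose
    allocation unit (cluster) is `cluster_size` bytes: the number of clusters
    the file system must assign, the bytes actually used in the last cluster,
    and the slack (the unused tail of the last cluster, which the file system
    will not hand to another file but which a physical exam still reads)."""
    if cluster_size <= 0 or cluster_size % SECTOR_BYTES:
        raise ValueError("cluster size must be a positive multiple of 512")
    if file_size < 0:
        raise ValueError("file size cannot be negative")
    clusters = -(-file_size // cluster_size)  # ceiling division; 0-byte file -> 0 clusters
    allocated = clusters * cluster_size
    used_in_last = file_size - (clusters - 1) * cluster_size if clusters else 0
    return {
        "clusters": clusters,
        "allocated_bytes": allocated,
        "used_in_last_cluster": used_in_last,
        "slack_bytes": allocated - file_size,
    }


def slack_table(file_size):
    """Slack bytes for one file size across every cluster size on the slide."""
    return {cs: allocation(file_size, cs)["slack_bytes"] for cs in CLUSTER_SIZES}


def extract_slack(cluster_chain, file_size):
    """Given the raw bytes of the clusters assigned to a file, concatenated in
    chain order (a physical read, not a file-system read), return the slack
    region: everything after the file's logical end of file."""
    if file_size > len(cluster_chain):
        raise ValueError("file size exceeds the cluster chain")
    return cluster_chain[file_size:]


def demo_reused_cluster():
    """Constructed scenario: a 4096-byte cluster once held an older file and
    is reassigned to a new 1500-byte file. A logical exam sees 1500 bytes; a
    physical exam also sees the old file's remnant sitting in the slack."""
    old_file = (b"OLD SECRET DATA " * 256)[:4096]   # constructed previous occupant
    new_file = b"N" * 1500                           # constructed new file content
    cluster = new_file + old_file[len(new_file):]    # the cluster after the new write
    return extract_slack(cluster, len(new_file))


if __name__ == "__main__":
    print(allocation(1500, 4096))
    print(slack_table(1500))
    print(demo_reused_cluster()[:32])
```

Note that `allocation(1500, 4096)` reports 2596 slack bytes: on a 4 KiB-cluster volume the file system records 1500 bytes, but the remaining 2596 bytes of that cluster still hold whatever was written there before, which is exactly why the deck treats slack as part of the physical exam only.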

Page 9

Metadata (meta-data)

• Data about data… (Properties)

• For forensic purposes, documentation inside of the document which may include items such as:
  • Time stamps: create date, modified date and time
  • Author of the document
  • User ID, computer name, printer information
  • Other unique user information valuable to forensics
  • Owner Security ID (SID) info
  • .exif information from a camera (GPS, type of camera)

Page 10

Data Carving (“Carving”)

Data carving is a process of locating files and artifacts that have been deleted or that are embedded in other files.

If the artifact has a valid file header and footer, custom carvers can be built to perform the analysis on those specific artifacts.

Examples of custom carvers would be items associated with social media, Facebook, Gmail, Yahoo, web mail artifacts, and other artifacts that may be located in allocated, unallocated, and slack space.
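A minimal header/footer carver of the kind the slide describes, written as an added example (it is not the deck's code or a commercial carver). It scans a raw byte buffer for objects that start with a known header and end with the matching footer, records each hit's offsets and MD5 so it can be documented, and skips a header with no footer in range so a truncated object is not reported as complete. The signatures are the standard magic bytes for JPEG, PNG and PDF; the buffer is constructed for the example and stands in for an extract of unallocated or slack space.

```python
import hashlib

# Added example (not the deck's code): a minimal header/footer carver.
# Signatures are the standard magic bytes for these formats.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(buffer, max_size=10 * 1024 * 1024):
    """Scan a raw byte buffer (an unallocated-space extract, a slack region or
    a whole image) for objects that begin with a known header and end with
    the matching footer. Returns (kind, start, end, data, md5) tuples in
    offset order. A header with no footer within `max_size` bytes is
    skipped, so a truncated object is not carved as a false hit."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = buffer.find(header, pos)
            if start == -1:
                break
            end_marker = buffer.find(footer, start + len(header), start + max_size)
            if end_marker == -1:
                pos = start + 1          # no footer in range: move past this header
                continue
            end = end_marker + len(footer)
            data = buffer[start:end]
            found.append((kind, start, end, data, hashlib.md5(data).hexdigest()))
            pos = end                    # resume after the carved object
    return sorted(found, key=lambda hit: hit[1])


# Constructed sample "unallocated space": a complete JPEG, a complete PNG and
# a JPEG header whose footer is missing (e.g. partly overwritten).
SAMPLE_BUFFER = (
    b"\x00" * 10
    + b"\xFF\xD8\xFF\xE0" + b"jpegdata" + b"\xFF\xD9"
    + b"\x00" * 5
    + b"\x89PNG\r\n\x1a\n" + b"pngdata" + b"IEND\xaeB`\x82"
    + b"\xFF\xD8\xFF" + b"truncated-no-footer"
)


def carve_sample():
    """Offsets of every complete object in the constructed buffer."""
    return [(kind, start, end) for kind, start, end, _, _ in carve(SAMPLE_BUFFER)]


if __name__ == "__main__":
    for kind, start, end, _, md5 in carve(SAMPLE_BUFFER):
        print(f"{kind} @ {start}-{end} md5={md5}")
```

Two caveats a practitioner will hit immediately: a two-byte footer such as `FF D9` also occurs in random data and inside JPEGs that embed an EXIF thumbnail (which has its own `FF D8 … FF D9`), so a first-footer carve can stop early; production carvers parse the file structure rather than relying on signatures alone, and every carved object should be validated before it is reported.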

Page 11

Types of acquisitions

• Logical acquisition
  • Does NOT contain deleted files
  • Does NOT contain “Unallocated” or “Slack” space items
  • View of items from a “file system” perspective
  • Only contains items in “Allocated Space”

• Physical acquisition
  • Contents of Allocated Space (file system)
  • Contents of previously deleted files and ambient data
  • Contents of Unallocated and Slack Space are present
  • Most comprehensive type of acquisition

• Volatile Memory acquisition
  • The acquisition of the “contents in memory” of a “running / live” computer

Page 12

What is Digital Evidence?

Digital evidence is any information stored or transmitted in a digital form that could be a party to any litigation effort and that may be used by either the prosecution or the defense at trial.

Page 13

Before accepting digital evidence to be used at trial, “The Court” must determine:

• Is it authentic?
• Is it hearsay?
• Is a copy acceptable and/or admissible?
• Is the original required?
• How was the digital evidence acquired?

Page 14

Let’s examine some of the issues PIs face with digital evidence.

Domestic situation…

Initial Client Contact

Page 15

Client reveals the following:

“I believe my spouse has been cheating on me!”

“I found some emails on my computer about meeting someone … falling in love with them… and talking about having sex with them.”

Page 16

Client reveals the following:

“I found a list of my spouse’s user names and passwords… I logged into their Internet e-mail account and saw they were having a relationship.”

Page 17

Client reveals the following:

“I know my spouse is cheating on me…”

“I installed key logger spyware on their computer and cell phone to find out what they were doing…”

Page 18

Client reveals the following:

“I have been looking through the files on the computer for weeks trying to find any evidence of their affair.”

Page 19

Issues with the previous client’s statements?

• Will any of the artifacts be admissible in a court of law?

• Different jurisdictions / courts (judges) may approach these issues differently.
  o What is their interpretation (case law)?
  o Judicial arguments (attorneys)
  o Quash (SUPPRESS) exam efforts

• Is it legal to log into your spouse’s email account using their credentials? (case law … all over the map)

• Was the email account password protected, or was the password posted in the open?

• Did the person have authorization to log in to the spouse’s account?

Page 20

Stored Communications Act

Under 18 U.S.C. § 2701, an offense is committed by anyone who: “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided;” or “(2) intentionally exceeds an authorization to access that facility; and thereby obtains...[an] electronic communication while it is in electronic storage in such system.” 18 U.S.C. § 2701(a)(1)-(2). However, it does not apply to an "electronic communication [that] is readily accessible to the general public." 18 U.S.C. § 2511(2)(g). See, e.g., Orin S. Kerr, A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It, 72 GEO. WASH. L. REV. 1208, 1220 (2004).

Page 21

The argument for the attorneys will be…

Was there a “reasonable expectation of privacy?”

Page 22

In North Carolina

Is it legal to install spyware (capture-ware) / key loggers on another person’s computer or cell phone?

Page 23

• North Carolina Statute
• Chapter 15A Criminal Procedure Act
  Subchapter II Law-Enforcement and Investigative Procedures
  Article 16 Electronic Surveillance
  Current through 2009 Legislative Session

§ 15A-288. Manufacture, distribution, possession, and advertising of wire, oral, or electronic communication intercepting devices prohibited.

This NC statute states “a person is guilty of a Class H felony”.

Page 24

• North Carolina Statutes
• Chapter 15A Criminal Procedure Act
  Subchapter II Law-Enforcement and Investigative Procedures
  Article 16 Electronic Surveillance
  Current through 2009 Legislative Session

§ 15A-288. Manufacture, distribution, possession, and advertising of wire, oral, or electronic communication intercepting devices prohibited.

(a) Except as otherwise specifically provided in this Article, a person is guilty of a Class H felony if the person:

  (1) Manufactures, assembles, possesses, purchases, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of the device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications; or

  (2) Places in any newspaper, magazine, handbill, or other publication, any advertisement of:
    a. Any electronic, mechanical, or other device knowing or having reason to know that the design of the device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications; or
    b. Any other electronic, mechanical, or other device where the advertisement promotes the use of the device for the purpose of the surreptitious interception of wire, oral, or electronic communications.

(b) It is not unlawful under this section for the following persons to manufacture, assemble, possess, purchase, or sell any electronic, mechanical, or other device, knowing or having reason to know that the design of the device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications:

  (1) A communications common carrier or an officer, agent, or employee of, or a person under contract with, a communications common carrier, acting in the normal course of the communications common carrier's business, or

  (2) An officer, agent, or employee of, or a person under contract with, the State, acting in the course of the activities of the State, and with the written authorization of the Attorney General.

(c) An officer, agent, or employee of, or a person whose normal and customary business is to design, manufacture, assemble, advertise and sell electronic, mechanical and other devices primarily useful for the purpose of the surreptitious interceptions of wire, oral, or electronic communications, exclusively for and restricted to State and federal investigative or law enforcement agencies and departments. (1995, c. 407, s. 1.)

Page 25

http://www.nccourts.org/Courts/CRS/Councils/spac/Documents/citizenguide2012.pdf

A CITIZEN’S GUIDE TO STRUCTURED SENTENCING (Revised 2012)

Page 26

Class “H” Felony for using spyware / capture-ware

Page 27

Things NOT to do when gathering digital evidence (and why)…

You receive a computer as evidence, or you are asked to look at data on the computer to see if there is anything of value on it.

THINGS YOU SHOULD NOT DO…

Page 28

Do NOT boot up and start the OS (power up the computer).

• If you did start up the system, you changed important registry keys that could have tied the last start-up to a specific person.

Check the time stamps for the “folders” in C:\Windows\System32\config\:
  • SAM
  • SECURITY
  • SOFTWARE
  • SYSTEM

These will reflect the last start-up / last written time.

Besides these files, you changed time stamps in start-up files, DLLs, and hundreds of other OS file system and application files.

Page 29

Registry keys reveal (subset):

• Start-up locations at boot-up
• Last person (profile) who signed onto the device
• Automatically launched programs at start-up
• System-launched DLLs at start-up
• Processes that were used at start-up
• LINK (.lnk) file data

All of these (and more) contain “time stamps”.

Page 30 (screenshot)

Page 31

Do NOT start looking through the file system...

If you did, you may have changed important metadata and time stamps that could have been of value to the case.

Depending upon the operating system, some files’ last access time will change just by looking at the file. Other “last written” times will change just by booting up the system.

If any of the time stamps were changed “after” the time the examiner took possession of the device, then it can be argued that the digital evidence has been tainted.

The reasonable argument could be that “the examiner” changed the items and they may “NOT” be in their “original” state…

Page 32

Forensic Tool Kit File List pane (screenshot)

Page 33

Keep in mind that at some point, the person may become aware that they are being watched.

They may start using “counter measures” to avoid getting caught, such as installing an “automatic-wiping” utility.

If you boot the computer and it has an “auto-start-up” (auto-start) utility to wipe programs, you would have destroyed important artifacts.

The next slide shows some examples of auto-wiping utilities.

Page 34

Examples of auto-wiping utilities (screenshot)

Page 35

If there was NOT an auto-wiping utility set to run at start-up, there could have been an auto-wiping utility set for shut-down.

(example of a registry key edit)

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0]
    "Script"="C:\\script.bat"
    "Parameters"=""
    "ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

The utility could have deleted or wiped valuable information from important files, unallocated space, Internet system cache, Internet cache, page files, and numerous other locations.

The next slide reveals a popular wiping program that is set to run at “start-up” automatically.
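Triaging an exported registry fragment like the one above is something an examiner does on the image, never on the live system. The following added example (my code, not the deck's) parses a `.reg` export, decodes the string, `dword` and `hex`/`hex(b)` value types (including values continued across lines with a trailing backslash), and then runs two checks drawn from this deck: listing any Group Policy logon/logoff/startup/shutdown script keys that name a script, and reading the `DynamicDaylightTimeDisabled` value under `TimeZoneInformation` that Page 53 points to. The sample export is constructed; the logoff key reproduces the slide's example, and the `Sample` value exists only to exercise the continuation-line handling.

```python
import re

# Added example (not the deck's code): parse a .reg export and triage it
# for shutdown/logoff scripts and the clock/DST setting from Page 53.


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_hex(data):
    """'00,01,ff' -> b'\\x00\\x01\\xff' for hex and hex(b) values."""
    return bytes.fromhex(data.replace(",", "").replace(" ", ""))


NAME_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg export text.
    Strings become str, dword becomes int, hex/hex(b) become bytes."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                      # continuation of a hex value
            name, parts = pending
            parts.append(line.rstrip("\\"))
            if not line.endswith("\\"):
                keys[current][name] = _decode_hex("".join(parts))
                pending = None
            continue
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = NAME_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        value = m.group(2)
        if value.startswith('"'):
            keys[current][name] = _unescape(value[1:-1])
        elif value.startswith("dword:"):
            keys[current][name] = int(value[6:], 16)
        elif value.startswith("hex"):
            data = value.partition(":")[2]
            if data.endswith("\\"):
                pending = (name, [data.rstrip("\\")])
            else:
                keys[current][name] = _decode_hex(data)
        else:
            keys[current][name] = value
    return keys


SCRIPT_EVENTS = ("Logon", "Logoff", "Startup", "Shutdown")


def find_script_policies(keys):
    """(event, script, parameters) for each ...\\Scripts\\<event>\\... key that
    names a script; these run without the user launching anything."""
    hits = []
    for key, values in keys.items():
        parts = key.split("\\")
        if "Scripts" in parts and "Script" in values:
            event = next((p for p in parts if p in SCRIPT_EVENTS), "unknown")
            hits.append((event, values["Script"], values.get("Parameters", "")))
    return hits


def dynamic_dst_disabled(keys):
    """True/False from DynamicDaylightTimeDisabled under ...\\Control\\TimeZoneInformation,
    None when the export does not contain it."""
    for key, values in keys.items():
        if key.upper().endswith("\\CONTROL\\TIMEZONEINFORMATION"):
            if "DynamicDaylightTimeDisabled" in values:
                return values["DynamicDaylightTimeDisabled"] == 1
    return None


# Constructed sample export; the logoff key reproduces the slide's example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0]
"Script"="C:\\script.bat"
"Parameters"=""
"ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation]
"DynamicDaylightTimeDisabled"=dword:00000001
"Sample"=hex:01,02,\
  03,04
"""

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print(find_script_policies(parsed))
    print("DST auto-adjust disabled:", dynamic_dst_disabled(parsed))
```

Run against an export taken from a mounted image (or from hive files loaded in an offline registry tool), the script list tells the examiner whether booting the machine would have triggered anything, which is the deck's argument for imaging first.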

Page 36

(screenshot) Notice the number of options that are available to set upon start-up.

Page 37

(screenshot) This program executed at Windows start-up. Note the number of items that were NOT checked in this screenshot.

Page 38

Let’s take a look at ‘Time Stamps’

Page 39

Viewing digital artifacts on “original media” can cause valuable metadata and time stamps to be changed.

The matrix below shows what time stamp elements are changed and under what circumstances.

File Rename or Moved – Metadata changed
File Copy – Accessed, Created, Metadata changed
File Accessed – Accessed time changed (Win XP)
File Creation – Modified, Accessed, Created, Metadata changed
File Deletion – Metadata changed (Info2 record)

Page 40

Note the embedded time stamp on this photo: 11/28/2011 17:14

Page 41

Metadata after the 1/24/2013 copy from the USB flash drive:

Name: IMG_0001.JPG  Ext: jpg  MD5: 402558E5FCB9E96B393464C7BB160C29
Created Date – 1/24/2013 4:09:45 PM (2013-01-24 21:09:45 UTC)
Accessed Date – 1/24/2013 4:09:45 PM (2013-01-24 21:09:45 UTC)
Modified Date – 11/28/2011 5:14:01 PM (2011-11-28 10:14:02 UTC)

Metadata after viewing the same object with a graphic viewer:

Name: IMG_0001.JPG  Ext: jpg  MD5: 402558E5FCB9E96B393464C7BB160C29
Created Date – 1/26/2013 11:13:51 AM (2013-01-26 16:13:51 UTC)
Accessed Date – 1/26/2013 11:13:51 AM (2013-01-26 16:13:51 UTC)
Modified Date – 11/28/2011 5:14:01 PM (2011-11-28 10:14:02 UTC)

The photo’s original Create/Accessed/Modified time is 11/28/2011 at 5:14:02 PM.

On 1/24/2013 at 04:09:45 PM the image was copied from a USB flash drive to the computer HD. The copy function caused the Create Date and the Accessed Date to be changed. The “physical” photo was NOT altered.

On 1/26/2013 at 11:13:51 AM, the image was viewed using a graphics application. The graphic application caused the Create Date and the Accessed Date to be changed. The “physical” photo was NOT altered.
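The slide's point is that the file-system metadata moved while the content hash did not. The added example below (my code, not the deck's) makes that check mechanical: it hashes content in chunks the way an imaging tool does, diffs the two records transcribed from the slide to report exactly which fields changed, and, as a constructed end-to-end check, writes a file to a temporary directory, copies it, and confirms the copy's MD5/SHA-1/SHA-256 match the original even though the copy has its own creation time.

```python
import hashlib
import os
import shutil
import tempfile

# Added example (not the deck's code): content hashes vs. file-system metadata.


def hash_bytes(data):
    """MD5/SHA1/SHA256 of an in-memory object, upper-case hex as FTK shows it."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA256": hashlib.sha256(data).hexdigest().upper(),
    }


def hash_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-GB image never sits in memory."""
    digests = {"MD5": hashlib.md5(), "SHA1": hashlib.sha1(), "SHA256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest().upper() for name, d in digests.items()}


# The two records from the slide, UTC columns as given there.
AFTER_COPY = {
    "Name": "IMG_0001.JPG", "Ext": "jpg",
    "MD5": "402558E5FCB9E96B393464C7BB160C29",
    "Created Date": "2013-01-24 21:09:45 UTC",
    "Accessed Date": "2013-01-24 21:09:45 UTC",
    "Modified Date": "2011-11-28 10:14:02 UTC",
}
AFTER_VIEWING = {
    "Name": "IMG_0001.JPG", "Ext": "jpg",
    "MD5": "402558E5FCB9E96B393464C7BB160C29",
    "Created Date": "2013-01-26 16:13:51 UTC",
    "Accessed Date": "2013-01-26 16:13:51 UTC",
    "Modified Date": "2011-11-28 10:14:02 UTC",
}


def compare_records(before, after):
    """Which fields moved between two examinations of the same object, and
    whether the content itself (by hash) is still identical."""
    changed = sorted(k for k in before if before[k] != after.get(k))
    return {"content_unchanged": before["MD5"] == after["MD5"],
            "changed_fields": changed}


def copy_and_verify(content):
    """Constructed check: write `content`, copy it as a user would, and
    confirm the content hashes of source and copy are identical."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "IMG_0001.JPG")
        dst = os.path.join(tmp, "copy", "IMG_0001.JPG")
        os.makedirs(os.path.dirname(dst))
        with open(src, "wb") as fh:
            fh.write(content)
        shutil.copy(src, dst)                 # new Created/Accessed on the copy
        return hash_file(src) == hash_file(dst)


if __name__ == "__main__":
    print(compare_records(AFTER_COPY, AFTER_VIEWING))
    print(copy_and_verify(b"\xFF\xD8\xFF" + b"x" * 1000 + b"\xFF\xD9"))
```

In practice the examiner records the image hash at acquisition and re-hashes before testifying; the `compare_records` output is the kind of field-by-field statement that answers "what changed, and did the content change" on the stand.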

Page 42

On the stand… ‘if you booted up the original hard drive and reviewed the files on the hard drive’

• Attorney: Mr. Thomas, when you booted up the computer and started looking at the files, did you change any time stamps or original digital data on this computer?

• Mr. Thomas: Yes, I did.

• Attorney: Mr. Thomas, when performing a digital examination, is it correct protocol to perform the exam on the “original hard drive” without first imaging it?

• Mr. Thomas: No, the correct protocol is to image the media first.

• Attorney: Mr. Thomas, do you realize that you changed information on this hard drive, thus making any of the information on this hard drive “questionable” to the court?

Page 43

Do NOT mount the “original” target hard drive into an external drive enclosure and start looking through the files.

If you MUST look at the files, or boot up the operating system, the options are:

• Using a “write-blocker device”:
  • CLONE the original
  • Build a Data Dump (DD) or .e01 image
• Install the clone into the device and boot up
• Mount the DD/.e01 into an external hard drive enclosure
• Use FTK Imager to review the files
• Using FTK Imager, mount the DD
• Review the files with Windows File Manager
• If it was NOT write protected, you will change

Page 44

Yes! You tainted digital evidence!

Page 45

Answering these “BASIC” questions from any crime scene…

When did the crime take place?
Who did the crime?
What evidence do you have?
Were there any fingerprints?

Page 46

Crime Scene Questions

The “same questions” are asked when applied to digital evidence:

• When did the crime take place? (time & date, IP address, GPS tags, .exif, ISP authentication records, mail & social media authentication records, metadata artifacts (properties))
• Who did the crime? (SID, profile, email, message post, social post, authentication records)
• What evidence do you have? (deleted, allocated, unallocated, slack)
• Were there any fingerprints? (hash values MD5/SHA1/SHA256, GPS location data, authentication records)

Page 47

TIME

Page 48

How critical are time stamps?

Page 49

“WHAT IF” your exam evidence hinged on a “specific time frame”?

Page 50

“WHAT IF” the opposing attorney was able to show the times in the digital examination were not in sync with actual events because the time stamps in the exam were not correct?

Page 51

Credibility issue?

Page 52

You may step down!

Page 53

When did the crime take place?

One of the first things to do as an examiner is to check the target clock settings in the Registry.

#1 How was the PC clock set? Time zone? AM vs. PM?

Ref registry key: Automatic Time Zone Adjustment

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\DynamicDaylightTimeDisabled

Value Data (in hex) – how is the value set?
0 = Default – ON <auto sync with internet>
1 = Disabled <turned off, manually set>

Page 54

Changing the PC Clock

To change the time, click on the clock at the bottom right.

Select “change date and time settings” (three tabs are displayed):

• Date and Time <change time or time zone selections button>
• Additional clocks <ability to display two clocks when clicked>
• Internet Time options <Checked – synchronized with Internet time server; Unchecked – will NOT sync with the time server>

NOTE: The default for Internet time is CHECKED.

Page 55

Where is a good place to look for clock changes?

• Event Viewer items (Start → Run → EventVWR) → Windows Logs → System
  • Event ID = 1
  • Source = Kernel-General
  • “The system time has changed…”

Review web logs, temporary Internet files and e-mail file headers, and see if the (embedded) time in the artifacts is equal to the time in the Accessed, Created, and Modified time metadata.
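Detection logic for the clock-change event the slide names, as an added example (my code, not the deck's). It filters event records for Event ID 1 from the Kernel-General source, pulls the old and new times out of the message text, and flags any jump larger than a threshold: sub-second corrections are what the time service applies routinely, while a jump of hours, days or years is the manual reset an examiner must reconcile with file-system and embedded time stamps. The message wording is modelled on the real Kernel-General event text (Event Viewer inserts invisible U+200E marks into its timestamps, which the parser strips); the records themselves and their times are constructed, and the record dictionary layout is this example's own, not an Event Viewer export format.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example (not the deck's code): find system-clock changes in event
# records and separate routine drift corrections from large manual jumps.
KERNEL_GENERAL = "Microsoft-Windows-Kernel-General"
TIME_RE = re.compile(r"changed to (\S+) from (\S+)")
ISO_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?Z?")


def parse_iso_utc(text):
    """Parse the ISO-style UTC timestamp used in the event text. Left-to-right
    marks (U+200E) that Event Viewer embeds are stripped first; fractional
    seconds beyond microseconds are truncated."""
    m = ISO_RE.search(text.replace("\u200e", ""))
    if m is None:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    y, mo, d, h, mi, s, frac = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro,
                    tzinfo=timezone.utc)


def find_clock_changes(records, threshold=timedelta(minutes=5)):
    """Return one dict per Kernel-General Event ID 1 record with the old and
    new clock values, the signed delta in seconds, and a `suspicious` flag
    when the jump exceeds `threshold` (assumed cut-off for 'not just drift')."""
    hits = []
    for rec in records:
        if rec.get("EventID") != 1 or rec.get("Source") != KERNEL_GENERAL:
            continue
        m = TIME_RE.search(rec.get("Message", ""))
        if m is None:
            continue
        new_t, old_t = parse_iso_utc(m.group(1)), parse_iso_utc(m.group(2))
        delta = new_t - old_t
        hits.append({
            "logged_at": rec.get("TimeCreated"),
            "old": old_t, "new": new_t,
            "delta_seconds": delta.total_seconds(),
            "suspicious": abs(delta) > threshold,
        })
    return hits


# Constructed records: a 0.5 s drift correction, an unrelated Kernel-General
# event, a clock set back more than a year, and an Event ID 1 from another source.
SAMPLE_EVENTS = [
    {"TimeCreated": "2013-01-24T21:09:45Z", "EventID": 1, "Source": KERNEL_GENERAL,
     "Message": "The system time has changed to \u200e2013\u200e-\u200e01\u200e-\u200e24T21:09:45.000000000Z "
                "from \u200e2013\u200e-\u200e01\u200e-\u200e24T21:09:44.500000000Z."},
    {"TimeCreated": "2013-01-24T21:10:02Z", "EventID": 12, "Source": KERNEL_GENERAL,
     "Message": "The operating system started at system time 2013-01-24T21:09:40.000000000Z."},
    {"TimeCreated": "2013-01-26T16:13:51Z", "EventID": 1, "Source": KERNEL_GENERAL,
     "Message": "The system time has changed to 2011-11-28T22:14:01.000000000Z "
                "from 2013-01-26T16:13:51.000000000Z."},
    {"TimeCreated": "2013-01-26T16:14:00Z", "EventID": 1, "Source": "Service Control Manager",
     "Message": "Unrelated event that happens to share the ID."},
]

if __name__ == "__main__":
    for hit in find_clock_changes(SAMPLE_EVENTS):
        print(hit)
```

The `logged_at` field matters as much as the delta: the event is written with the clock as it was at that moment, so a record whose `TimeCreated` is later than its `new` value is itself evidence that the clock was set backwards.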

Page 56

When did the crime take place?

Time Stamps – Date and Time Metadata

• Actual files “will contain time stamps”

* (IMPORTANT) Carved items, file slack items and unallocated space items WILL NOT ALWAYS contain time stamps (most of the time they do not). This depends upon whether the artifact was carved from a deleted file or was embedded.

The challenge with these items is to find embedded time stamps within the block of data or the artifact.

More times than not, the “smoking gun” will be found in unallocated space, slack space, or carved items.

Page 57

Time Stamp Rules

• Date Created – the event that created the file at its current location
• Date Modified – the event that caused the metadata or the file to be changed (edit metadata or content)
• Date Accessed – the event that caused the file to be read, copied, or modified
• Date Last Written – the event that caused the content of the file to change (Registry keys)

Page 58

Registry hive elements that will contain internal and external time elements:

• Most recent documents / saved / visited
• IE history / manually entered searches
• ICQ history / users / login / passwords
• IM history / users / login / passwords
• Network / POP3 / passwords / temp Internet files
• Yahoo! / messaging / passwords / messages
• Security / logon info / passwords / SIDs
• Software install dates / times
• OS info / settings / configurations
• Mounted devices / USB / flash drives (Registry)
• Event logs and settings

Page 59

Who did the crime?

Page 60

Desktop icons can be valuable during the digital exam. How?

Page 61

Profiles … and SIDs

Windows profiles are associated with specific users.

The profile name is assigned by the system administrator, or during initial system setup.

Profiles are tied to the user’s security access. They are assigned a unique and specific Security Identifier (SID) by the system.

There is a naming convention used by the Windows operating system when SIDs are created.

Forensically, the SID becomes an invaluable identifier when tracking what a user did and where they went during their login.

SIDs are also associated with the desktop login icons.

Page 62

Security Identifier (SID)

Example: the following SIDs show up in the metadata of a document.

S-1-5-21-2777932499-928484944-2849932064-1006
S-1-5-21-2777932499-928484944-2849932064-1000

The components of the SID are:

Component – Description
S – A SID always begins with the letter ‘S’
1 – Revision level of the SID structure, in this case ‘revision 1’
5 – The authority that issued the SID; ‘5’ is the NT Authority
21 – The string of numbers up to 500 is the domain identifier
2777932499 – The relative identifier which is the account or group
928484944-2849932064-1006 – The last four characters are the ‘specific’ user in the SAM file, i.e. 1006
2849932064-1000 – Another specific user on this same computer, i.e. 1000

Now… why is this important in an investigation?


Page 63

SID – Security Identifier – SAM File

Page 67

This is a screen shot of a Digital Forensic application (FTK) File List Pane.

Notice the “Owner SID” is appended to each record. Using the SID and Time Stamps, the forensics examiner can build a road map of what was done during a specific time.

Page 68

What evidence do you have?

Page 69

This is a “filtered” view of all graphics associated with the SID ending in 1006, which is the SID for the user “Brother’s Stuff”. There were a total of 652 graphics associated with this SID.
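An added example (not code from the presentation) that decomposes a SID into the components of the slide's table and then groups a file list by its "Owner SID" column, the way the filtered FTK view above does. The two SIDs are the ones quoted on the slide; the file list is constructed sample data.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Added example, not from the presentation. The SIDs below are the two quoted on the
# slide; SAMPLE_FILE_LIST is constructed to look like an FTK "Owner SID" column.
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int     # the "1" in S-1-5-...
    authority: int    # "5" = NT Authority
    domain: tuple     # 21-2777932499-928484944-2849932064: the machine/domain part
    rid: int          # last component: the specific account in the SAM, e.g. 1006


def parse_sid(text: str) -> Sid:
    """Split 'S-R-A-X-...-RID' into its components; reject anything else."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = [int(p) for p in m.group(3).split("-")[1:]]
    return Sid(int(m.group(1)), int(m.group(2)), tuple(subs[:-1]), subs[-1])


def same_machine(a: Sid, b: Sid) -> bool:
    """Two SIDs name accounts on the same machine/domain when only the RID differs."""
    return (a.revision, a.authority, a.domain) == (b.revision, b.authority, b.domain)


# Constructed file list: (file name, owner SID). S-1-5-18 is the well-known
# LocalSystem SID, which has no machine/domain part at all.
SAMPLE_FILE_LIST = [
    ("IMG_0001.jpg", "S-1-5-21-2777932499-928484944-2849932064-1006"),
    ("IMG_0002.jpg", "S-1-5-21-2777932499-928484944-2849932064-1006"),
    ("notes.docx",   "S-1-5-21-2777932499-928484944-2849932064-1000"),
    ("cat.png",      "S-1-5-21-2777932499-928484944-2849932064-1006"),
    ("setup.log",    "S-1-5-18"),
]

GRAPHIC_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff")


def graphics_per_rid(file_list) -> Counter:
    """Count graphics files per owner RID, mirroring the slide's filtered view."""
    counts = Counter()
    for name, sid_text in file_list:
        if name.lower().endswith(GRAPHIC_EXTENSIONS):
            counts[parse_sid(sid_text).rid] += 1
    return counts


if __name__ == "__main__":
    print(graphics_per_rid(SAMPLE_FILE_LIST))  # Counter({1006: 3})
```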

Page 70

Digital Fingerprints

Authenticity & Hash values

Were there any fingerprints?

Page 71

Hash Values

A hash value is a fixed-length value calculated mathematically from the entire content of the artifact.

FTK and other forensic software tools ‘automatically calculate’ the hash values.

Here are the most common hash algorithms (though there are more):

MD-5 (Message Digest 5 – 32 hexadecimal characters)
SHA-1 (Secure Hash Algorithm – 40 hexadecimal characters)
SHA-256 (Secure Hash Algorithm – 64 hexadecimal characters)

NIST Approved Hash algorithms - SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256

Page 72

(.TIFF days? – Tagged Image File Format – a computer file format used to store images)

Until now, the “legal” explanation of two items being similar has been…

“Are they reasonable representations of one another?”

Page 73

Today, Artifacts can be compared using these HASH values.

The Questions are:

If two (or more) documents, graphics, (artifacts) look similar when viewed, but when hashed their HASH values are different, then are they identical?

They are “within a shadow of a doubt” different.

The National Institute Of Standards and Technology (NIST) says they are different.

But will the courts “still say” they are “ A reasonable representation of each other?”

HASH Value Dilemma!

Page 74

In this screen shot are examples of five hashed text messages:

•Text1 is the simple “the quick brown fox jumped over the lazy dogs back”
•Text2 – same text in “UPPER CASE”
•Text3 – same text with extra “spaces” at the end of the text
•Text4 – same text with the first letter of the first word in “Upper Case”
•Text4 renamed – same text as Text4, but the “file name” is changed
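An added example (not the presentation's own screen shot or code) that reproduces the five hashed text messages above: each variant is written to a file and hashed with MD5, SHA-1 and SHA-256. The file names and temporary folder are constructed for the example; only the renamed copy of Text4 hashes the same as its original, because the file name is not part of the content.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not from the presentation. The text variants follow the slide;
# file names and the temporary folder are constructed here.
BASE = "the quick brown fox jumped over the lazy dogs back"
VARIANTS = {
    "Text1": BASE,
    "Text2": BASE.upper(),                 # same words, upper case
    "Text3": BASE + "   ",                 # trailing spaces, invisible on paper
    "Text4": BASE[0].upper() + BASE[1:],   # only the first letter changed
}

ALGORITHMS = ("md5", "sha1", "sha256")     # hex digests of 32, 40 and 64 characters


def hash_bytes(data: bytes) -> dict:
    """Hash one artifact with every algorithm; returns {algorithm: hex digest}."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so a large evidence item need not fit in memory."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def forensically_identical(a: dict, b: dict) -> bool:
    """Identical only when every algorithm agrees; one mismatch means different content."""
    return all(a[alg] == b[alg] for alg in ALGORITHMS)


def hash_slide_variants() -> dict:
    """Write Text1..Text4 plus a renamed copy of Text4 to a temp folder and hash each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        for name, text in VARIANTS.items():
            p = folder / f"{name}.txt"
            p.write_bytes(text.encode("utf-8"))
            results[name] = hash_file(p)
        renamed = folder / "Text4_renamed.txt"
        renamed.write_bytes((folder / "Text4.txt").read_bytes())  # same bytes, new name
        results["Text4 renamed"] = hash_file(renamed)
    return results


if __name__ == "__main__":
    for name, digests in hash_slide_variants().items():
        print(f"{name:14s} md5={digests['md5']}")
```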

Page 75

HASH values

• Can be used to up-hold Authenticity of the Digital Artifacts.

“If the HASH values are different… should it be argued that one or more are NOT AUTHENTIC?”

If proven to be unauthentic, then should they be admissible?

Even if they appear to be the same on paper, they are forensically different.

Was one of the items “photo-shopped?”

Page 76

Now that we’ve talked about what NOT to do with digital evidence, let’s look at what should be done when approaching a digital exam.

Page 77

Show of hands… How many people know what the following files are?

•What are Shadow Copy Files?

•What is Pagefile.sys?

•What is Hiberfil.sys?

•What are System Volume Information Files?

•What is Unallocated Space?

•What is Slack Space?

•Are documents always (physically) in one big “cluster” on a hard drive (all the data grouped together)?

Page 78

•What are System Volume Information Files?

(Screen shot) When attempting to open and view the contents of the System Volume Information folder from Windows File Manager – logical view.

(Screen shot) When attempting to open the pagefile.sys file from Windows File Manager – logical view.

Page 79

The point is …

Many of the keyword “hits” resulting from the digital exam are NOT in common files such as Word documents, spreadsheets, Adobe PDF files, and e-mail files.

Most are in Internet Cache, unallocated space, slack space, and carved items.

Page 80

Page 81

TIME CHECK …….

What time is it… How much time do we have left?

Page 82

What is a Digital Forensics Examination?

“A set of established, investigative protocols and techniques used to analyze digital media.”

Page 83

Seizure and preservation can make the difference in the digital evidence being admissible or inadmissible in court.

[Diagram: Digital Forensics Process (high level). Stage headings: Data Acquisition & Imaging; Analyze Data; Report. Boxes: Ensure Personal Safety; Interviews; Seizure & Preservation of all Digital Evidence; Indexing Case Data; Forensics; Document the Evidence found; Reporting & Testimony; Electronic Discovery.]

Page 84

Why Perform a Digital Investigation?

Page 85

•A digital forensic investigation may be initiated for many reasons. In respect to civil or criminal investigations, digital forensics investigations may be of value in a wide range of situations.

•Ability to “re-trace” digital foot prints, such as when, where, how and why individuals (suspects) do what they do.

•With the advent of social web sites and people’s ability to share information, it is not uncommon for people to divulge private information to others electronically, including via cell phones.

•Digital forensics may reveal people’s emotions, reactions, or motives.

•They may also be able to provide “time lines” (time stamped) to reveal a person’s innocence, guilt, or participation associated with specific events.

Page 86

Evidence found during the digital forensics investigation can provide the interviewer with valuable information when confronting the suspect.

Page 87

The Forensic Imaging Process

Page 88

What is the actual process?

#1 Document information associated with the media (device type / serial # / size, etc.)

#2 Complete an evidence inventory document.

#3 Maintain the chain-of-custody document.

#4 Start the imaging/cloning process.

#5 Digital forensics examination (FTK/EnCase/Nuix).

Page 89

How many hard drives do we need to perform a Digital Forensics Exam?


Page 90

•HD0 – Original HD – Sealed after imaging (original evidence)

•HD1 (required) – Data Dump (DD) image of HD0

•HD2 (optional) – Cloned copy of HD0

•HD3 (required) – Case Data, Case Index, Evidence and Reports

Page 91

Mounting and Viewing the Imaged Data

http://www.accessdata.com/support/product-downloads

On the Internet, go to the URL above, then select the item FTK Imager. At the drop-down, select the most current version. Download, save and install the AccessData FTK Imager utility. (It is free.)

With the FTK Imager software and a “write blocker device” you may MOUNT the digital image (DD) on a computer and view the files as they would be seen in Windows File Manager.

NOTE: Don’t forget to use a write-blocker device or software write-blocker when connecting the DD image to a computer. There is a “BLOCK – Read Only” option in Imager, but the write-blocker is just another safeguard for keeping the image safe.

Page 92

•After FTK Imager is installed
•Select “File”
•Select “Image Mounting”
•On the screen to the right, select the file path to the first file xxx.001
•Make sure the Mount Method box is set to Block Device / Read Only
•Click the “Mount” button
•The image will be mounted (example: H drive)
•Go to Windows File Manager
•View the files in the H: drive (whatever your mount drive letter is)
•When you are finished, go back to FTK Imager and UNMOUNT the drive by clicking on the UNMOUNT button.

Page 93

Now you are ready for a digital forensics examiner to start processing the image.

Questions ?

Page 94

TCFLLC Contact Information

For a free consultation or to discuss your specific issues, contact:

Gary Thomas ACE AME CCII
NC Private Investigator #4061

704-668-9671 (cell)
Email: gary@thomasforensics.com
www.thomasforensics.com