Windows Drive Acquisition
by Oleg Skulkin & Scar de Courcier
The term forensic image can refer to either a physical or a logical image. Physical images are precise replicas of the drives they reference, whereas a logical image is a copy of a certain volume within that drive. In general, logical images show what the machine’s user will have seen and dealt with, whereas physical images give a more comprehensive overview of how the device works at a higher level.
A hash value is generated to verify the authenticity of the acquired image. Hash values are essentially cryptographic digital fingerprints which show whether a particular item is an exact copy of another. Altering even the smallest bit of data will generate a completely new hash value, thus demonstrating that the two items are not the same. When a forensic investigator images a drive, they should generate a hash value for both the original drive and the acquired image. Some pieces of forensic software will do this for you.
There are a number of tools available for imaging hard drives, some of which are free and open source. However, the most popular way for forensic analysts to image hard drives is by using one of the more well-known forensic software vendors’ solutions. This is because it is imperative to be able to explain how the image was acquired and its integrity, especially if you are working on a case that will be taken to court.
Once you have your image, you will then be able to analyse the digital evidence from a device without directly interfering with the device itself.
In this article, we will be looking at various tools that can help you to image a Windows drive, and taking you through the process of acquisition.
Drive acquisition in E01 format with FTK Imager
FTK Imager is an imaging and data preview tool by AccessData which allows an examiner not only to create forensic images in different formats, including RAW, SMART, E01, and AFF, but also to preview data sources in a forensically sound manner. In the first recipe of this chapter, we will show you how to create a forensic image of a hard drive from a Windows system in E01 format.
First of all, let’s download FTK Imager from AccessData’s website. To do this, go to the SOLUTIONS tab, and after that, to Product Downloads. Now choose DIGITAL FORENSICS, and then FTK Imager. At the time of writing, the most up-to-date version is 3.4.3, so click the green DOWNLOAD PAGE button on the right. Now, you should be able to see the download page. Click on DOWNLOAD NOW and fill in the form. After this, the download link will be sent to the email address that you provided.
The installation process is quite straightforward; all you need to do is just click Next a few times, so we won’t cover it in the recipe.
How to do it
There are two ways of initiating the drive imaging process:
- Using the Create Disk Image button from the toolbar (Figure 3.1)
2. Using the Create Disk Image… option from the File menu (Figure 3.2)
You can choose whichever option you prefer.
The first window you see is Select Source. Here, you have five options:
- Physical Drive:This allows you to choose a physical drive as the source, with all partitions and unallocated space.
- Logical Drive:This allows you to choose a logical drive as the source, for example E:\ drive.
- Image File:This allows you to choose an image file as the source, for example if you need to convert your forensic image from one format to another.
- Contents of a Folder:This allows you to choose a folder as the source. Of course, no deleted files will be included.
- Fernico Device:This allows you to restore images from multiple CD/DVDs.
Of course we want to image the whole drive to be able to work with deleted data and unallocated space, so:
1. Let’s choose the Physical Drive option.
2. Click Next and you’ll see the next window – Select Drive.
3. Now you should choose the source drive from the drop-down menu, in our case it’s \\.\PHYSICALDRIVE2.
4. Now that the source drive has been chosen, click Finish.
5. The next window is Create Image. We’ll get back to this window soon, but for now, just click Add…
6. It’s time to choose the destination image type. As we decided to create our image in EnCase’s Evidence File format, let’s choose E01.
7. Click Next and you’ll see the Evidence Item Information window.
Here, we have five fields to fill in: Case Number, Evidence Number, Unique Description, Examiner, and Notes. All fields are optional.
8. Fill in the fields, or skip them if you prefer, then click Next.
9. Now choose the image destination. You can use the Browse button for this.
10. Also, you should fill in the image filename.
If you want your forensic image to be split, choose a fragment size (in megabytes). E01 format supports compression, so if you want to reduce the image size, you can use this feature. As you can see in figure 3.7, we have chosen 6. And if you want the data in the image to be secured, use the AD Encryption feature.
AD Encryption is a whole image encryption, so not only is the raw data encrypted, but also any metadata. Each segment or file of the image is encrypted with a randomly generated image key using AES-256.
We are almost done.
11. Click Finish and you’ll see the Create Image window again.
12. Now look at the three options at the bottom of the window.
The verification process is very important, so make sure the ‘Verify images after they are created’ option is ticked; it helps you to be sure that the source and the image are equal. The Precalculate Progress Statistics option is also very useful: it will show you the estimated time of arrival during the imaging process. The last option will create directory listings of all files in the image for you, but of course, it takes time, so use it only if you need to.
13. All you need to do now is click Start.
Great, the imaging process has been started! Once the image has been created, the verification process starts.
14. Finally, you’ll get a Drive/Image Verify Results window, like the one shown in figure 3.9.
As you can see, in our case the source and the image are identical: both hashes matched. In the folder with the image, you will also find an info file with valuable information such as the drive model, serial number, source data size, sector count, MD5 and SHA1 checksums, and so on.
How it works
FTK Imager uses the physical drive of your choice as the source and creates a bit-by-bit image of it in EnCase’s Evidence File format. During the verification process, MD5 and SHA1 hashes of the image and the source are compared.
Drive acquisition in RAW format with dc3dd
DC3DD (by Jesse Kornblum) is a patched version of the classic GNU dd utility with some computer forensics features. For example, the fly hashing with a number of algorithms, such as MD5, SHA-1, SHA-256, and SHA-512, showing the progress of the acquisition process, and so on.
You can find a compiled standalone version of DC3DD for Windows at SourceForge. Just download the ZIP or 7z archive, unpack it, and you are ready to go.
How to do it
1. Open Windows Command Prompt, change directory (you can use cd command to do it) to the one with dc3dd.exe, and type the following command:
2. Press Enter and the acquisition process will start.
Of course, your command will be a bit different, so let’s find out what each part of it means:
if– stands for input file. Originally, dd was a Linux utility, and in case you didn’t know, everything is a file in Linux. As you can see in our command, we put the physical drive 2 here (this is the drive we wanted to image, but in your case it may be another drive, depending on the number of drives connected to your workstation).
of– stands for output file. Here, you should type the destination of your image in RAW format. In our case, it’s X:\ drive and 147-2017.dd file.
hash– as has already been said, DC3DD supports four hashing algorithms: MD5, SHA-1, SHA-256, and SHA-512. We chose SHA-256, but you can choose whichever one you like.
log– here, you should type the destination for the logs. You will find the image version, image hash, and so on in this file once acquisition is completed.
How it works
DC3DD creates a bit-by-bit image of the source drive in RAW format, so the size of the image will be the same as the source, and it calculates the image hash using an algorithm of the examiner’s choice, in our case SHA-256.
Mounting forensic images with Arsenal Image Mounter
Arsenal Image Mounter is an open source tool developed by Arsenal Recon. It can help a digital forensic examiner to mount a forensic image or virtual machine disk in Windows. It supports both E01 (and EX01) and RAW forensic images, so you can use it with any of the images we created in the previous recipes.
It’s very important to note that Arsenal Image Mounter mounts the contents of disk images as complete disks. The tool supports all file systems you can find on Windows drives: NTFS, ReFS, FAT32, and exFAT. Also, it has temporary write support for images, which is a very useful feature, for example, if you want to boot the system from the image you are examining.
Go to the Arsenal Image Mounter web page on the Arsenal Recon website and click on the download button to download the ZIP archive. At the time of writing, the latest version of the tool is 2.0.010, so in our case, the archive has the name Arsenal_Image_Mounter_v2.0.010.0_x64.zip. Extract it to a location of your choice and you are ready to go, no installation is required.
How to do it
There two ways to choose an image for mounting in Arsenal Image Mounter.
- You can use the File menu (and choose Mount image…) or
- The Mount image button, as shown in figure 3.10
1. When you choose the Mount image… option from the File menu or click on the Mount image button, the Open window will pop up – here you should choose an image for mounting.
2. The next window you will see is Mount options, like the one in figure 3.11.
As you can see, there are a few options here:
Read only– if you choose this option, the image is mounted in read-only mode, so no write operations are allowed. (Do you still remember that you mustn’t alter the evidence in any way? Of course, it’s already an image, not the original drive, but nevertheless.)
Fake disk signature– if an all-zero disk signature is found on the image, Arsenal Image Mounter reports a random disk signature to Windows, so it’s mounted properly.
Write temporary– if you choose this option, the image is mounted in read-write mode, but all modifications are written not in the original image file, but to a temporary differential file instead.
Write original– again, this option mounts the image in read-write mode, but this time the original image file will be modified.
Sector size– this option allows you to choose the sector size.
Create “removable” disk device– this option emulates the attachment of a USB thumb drive.
3. Choose the options you think you need and click OK.
We decided to mount our image as Read Only. Now you can see a hard drive icon on the main window of the tool – the image is mounted.
If you mounted only one image and want to unmount it, select the image and click on Remove selected. If you have a few mounted images and want to unmount all of them, click on the Remove All button.
How it works
Arsenal Image Mounter mounts forensic images or virtual machine disks as complete disks in read-only or read-write mode. Later, a digital forensics examiner can access their contents with Windows Explorer.
This article is a sample chapter from Windows Forensics Cookbook by Oleg Skulkin & Scar de Courcier, published by Packt. You can find out more and buy a copy of the book here.
About the authors
Oleg Skulkin is a digital forensic enthusional (enthusiast and professional) from Sochi, Russia. Having more than 5 years of experience, he solves lots of different cases involving digital evidence for the Ministry of Internal Affairs of Russia. Also, you can find his articles both in Russian and foreign magazines. Finally, Oleg is a very active blogger, and he updates Cyber Forensicator’s blog daily.
Scar de Courcier is Senior Editor at Forensic Focus. She also works as an independent consultant on online and offline child protection projects. In her spare time she enjoys swimming, pretending she lives on the USS Voyager, and hanging out with her cat.