
Forensic Imaging and Data Acquisition Guide

Uploaded by

Omkar Kamtekar
Copyright
© All Rights Reserved

PRACTICAL NO:01

Aim: Creating a forensic image using FTK imager.

Step1: Open AccessData FTK Imager → File → Create Disk Image.

Step2: Select Logical Drive and then click Next.

Step3: Click on D:\-New Volume[NTFS] to select the source drive from which the data is to be copied.

Step4: Select the image type as Raw (dd) and then click Next.


Step5: Fill in the information details → select the image destination where the data will be stored. Then set the image fragment size to 0 and finish the process.

Step6: The image source information has now been given. Click Add → tick the checkboxes below and click Next; record the progress.

Step7: After the progress completes successfully, go to File → select Add Evidence Item.

Step8: Select the source evidence type as Image File.

Step9:

PRACTICAL NO:02

Aim: To perform Data Acquisition using


i) USB write blocker(Pen-drive).
ii)

Step1: Insert the external drive (pen drive).

Step2: Press Windows+R to open the Run window → type regedit (Registry Editor).

Step3: HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Control → right-click → New → Key.

Step4: Rename New Key #1 to StorageDevicePolicies → right-click → New → DWORD (32-bit) Value.

Step5: Name it WriteProtect → double-click (Modify) → set the value to 1.

Step6: Eject the external drive and re-insert it.

Step7: Copy a file from another folder to the external drive.

Step8: To make the drive accessible again → Modify WriteProtect and change the value back so that write protection is off. You will then be able to insert and delete the files.
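
The registry steps above (Steps 3 to 5 and Step 8), scripted in PowerShell as an added example; it is not part of the original lab manual. The function names and the drive letter are assumptions made for illustration, and the value 0 for switching protection off is the standard meaning of WriteProtect rather than a value taken from this page.

```powershell
# Added example (not from the lab manual): software USB write-blocking through
# the StorageDevicePolicies key. Run from an elevated PowerShell session.
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    # $true only when WriteProtect is 1; a missing key or value counts as off.
    $item = Get-ItemProperty -Path $PolicyKey -Name WriteProtect -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.WriteProtect -eq 1)
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory)][bool]$Enabled)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Writing under HKLM requires an elevated session.'
    }
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null   # Steps 3-4: create the key
    }
    # Step 5 / Step 8: DWORD WriteProtect, 1 = block writes, 0 = allow writes.
    New-ItemProperty -Path $PolicyKey -Name WriteProtect -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    if ((Get-UsbWriteProtect) -ne $Enabled) {
        throw 'WriteProtect did not take the requested value.'
    }
}

function Test-UsbWriteBlocked {
    # Step 7 as a check: try to create a file and report whether it was refused.
    # Use a scratch drive, never evidence: an unprotected drive accepts the write.
    param([Parameter(Mandatory)][string]$DriveRoot)   # e.g. 'E:\' (assumed letter)
    $probe = Join-Path $DriveRoot ('wp_probe_{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -Path $probe -Force
        return $false    # write succeeded: the drive is not protected
    } catch {
        return $true     # write refused
    }
}

# Typical sequence (Step 6 sits between the first two calls):
#   Set-UsbWriteProtect -Enabled $true     # then eject and re-insert the drive
#   Test-UsbWriteBlocked -DriveRoot 'E:\'  # probe a scratch drive
#   Set-UsbWriteProtect -Enabled $false    # restore normal access
```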

B)
Step1: File → Create Disk Image → select Contents of a Folder → Yes → select the path of the external drive (pen drive).

Step2: Fill in the Evidence Item Information → set the destination as D:/ → enter the image file name → set the compression value to 3.

Step3: deselect

PRACTICAL NO:03

Aim: Solve the case study(document file) provided in the lab using Autopsy.

Step1: Open the Autopsy software → right-click and Run as administrator.

Step2: Create a new folder (cyber) on the C drive → select New Case → fill in the case name and browse to the folder that you created to select it as the base directory → Next.

Step3: Fill in the optional information → click Finish; the progress will be recorded.

Step4: For the host, select "Generate new host name based on data source name".

Step5: Select the data source type as Local Disk.

Step6: Now select the disk as the New Volume disk.

Step7: In Configure Ingest, select 2-3 options and click Next → finish the process once all the tasks are selected.

Step8: When the process finishes, double-click the D: drive.

Step9: From File Views → select any one file from any one folder on the D: drive.

Step10: Select Deleted Files → All.

Step11: Select any file that is to be recovered.

Step12: Right-click the selected file → Extract File, then save the file.

Step14: Click the Save button.

Step15: To analyze the test, check File Explorer → select the location where you created the file → view Export.

Step16: Click Tools → Generate Report → select HTML Report and perform the further steps.

Step17: Once report generation is complete, click the link and analyze the reports.

Step19: Click Web Download (2) → then click Recycle Bin (1).
