Oct 21, 2021 by Georgi Nikolov | 4888 views
In the process of analyzing a suspicious machine, the first thing we need to do is to actually image the machine we want to investigate. There are different tools available to do this, but the one I most often use is FTK Imager by AccessData. The FTK Imager tool is easy to use and more importantly, there is a free version.
First of all we need a flash drive on which we can set up the FTK Imager tool and a Windows machine where we can initially install the imagining tool. Once we have all the devices we need, we can follow the set-up procedure:
C:Program FilesAccessDataFTK Imageror
C:Program Files (x86)AccessDataFTK Imager) to the usb device.
mfc140*files found in the
After we have set up our flash device with FTK Imager, we can insert it into the system we would want to image. An important thing we need to keep in mind is that anything we do on a machine, brings changes to the system we want to image. In the case of a Windows OS, any programs we install or run, multiple places will be updated with information about our actions on the machine. Examples of places where the OS will save information about our actions are:
This means that we need to be very careful about how we image a suspicious machine, so we don't bring too many changes to it and maybe pollute or change the available evidences. It is of vital importance to document extensively everything with do, starting with at what time we insert the flash drive, what exactly we run from the flash drive and when we remove the external device.
Inserting our newly configured flash drive in the machine to be imagined, we can navigate to the folder where we copied the tool and run it. We are welcomed by the FTK Imager window and we can start our imaging.
From here we have multiple options to what we can capture. In most cases, we should follow the order of volatility, first and foremost target the data that will be removed on system shutdown. FTK Imager gives us the option to capture the memory of a running system and choose where to store it.
Once we have finished capturing the memory, we can focus on imaging the hard disk of the machine.
When imaging the hard disk, we have different options present on exactly what we want to image:
After the imaging is finished, the FTK Imager tool will present you with the verification results, used in checking that the image was made without any errors.
Now we have a flash drive, which we can use to image any machine we need to analyze. We also need a device to save the image itself, so it is recommended to use a flash drive with enough space not only for copying the FTK Imager folder, but also to store the Memory dump and the Hard Disk image of the machine we have imaged.