What is a Forensic Image in digital forensics?

A forensic image or a forensic copy is a bit-by-bit direct copy of a physical storage device (hard disk, USB, etc.). It includes:

  • Files and folders
  • Unallocated space, free space, slack space
  • Deleted files and files left in the slack and free space

USB devices are often related to the most common security incidents such as data theft and malware propagation. The main goal of forensic image analysis is to help forensic investigators reconstruct the attack scenario.
This article walks through the steps of analyzing the image of a USB drive using AccessData FTK Imager: https://accessdata.com/product-download/ftk-imager-version-4-2-1.

Forensic image analysis tutorial with FTK

Step 1: Add the evidence to FTK Imager

Go to "File" > "Add Evidence Item".

Step 2: Select the source evidence type

Select "Image file".

Step 3: Enter the path of the source evidence

Step 4: Verify image integrity

If integrity check information was provided with the image of the USB device, you can check in FTK Imager whether the image was changed or modified before you received it.
Go to the image name, right click and select "Verify Drive/Image".

[Figure: tampered image. The MD5 and SHA1 hashes provided with the image, next to the MD5 and SHA1 hashes shown in FTK Imager.]

Step 5: Export files to the system

Go to the file name, right click and select "Export Files". Then choose a destination path to store the files.

Analyzing a USB Drive image: Some Tips

When exploring the image content, it is important to analyze all data in all formats. Thus, you need to prepare the recommended tools for analyzing each format:

  • Archive files (ZIP, TGZ)
  • Image file formats (PNG, JPG, GIF, BMP)
  • PDF
  • Video (MP4) or Audio (WAV, MP3)
  • Microsoft's Office formats (RTF, OLE, OOXML)

Here are some tips that may help you during your investigation:
- Check the image file's metadata fields: comments, copyright strings, GPS location, etc. Example of a tool: ExifTool
- Check if there is a barcode in the form of a QR code. Generally, it is a PNG file that contains a URL or a password. To read barcodes, use the zbarimg command line. Example of a tool: zbar
- Display the structure of the PDF to check if there are scripting languages like JavaScript. Example of a tool: PDF Stream Dumper
- Always unzip OOXML documents (DOCX, XLSX, PPTX) and ODT documents. They actually contain objects and hide statistic data. Also, search for VBA macros and extract them with a tool. On Windows, a typical macro downloads a PowerShell script to %TEMP% and executes it. Example of tools: oletools, OfficeDissector, 7-Zip. Command line: unzip.
- A KDBX file is an encrypted file containing passwords. Try to open it using KeePass.exe. The password may be stored in another location on the USB device (QR code, text file, etc.) or can be cracked using a wordlist (rockyou.txt) and the libkeepass tool.
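
The OOXML tip above, as an added example that is not part of the original article: a Python triage that reads a DOCX/XLSX/PPTX as a ZIP container in memory and lists the parts worth analyzing (VBA project, embedded objects). It goes slightly beyond the tip by also flagging relationship parts that point outside the document; the function names are assumptions and the sample document is constructed with placeholder contents.

```python
import io
import zipfile

# Part-name fragments (lowercase) that mark content worth manual analysis.
SUSPICIOUS = {
    "vba_macro": ("vbaproject.bin",),               # VBA project: extract with oletools
    "embedded_object": ("/embeddings/", "oleobject"),
}

def triage_ooxml(data: bytes) -> dict:
    """Return {category: [part names]} for an OOXML file given as bytes."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a ZIP container; legacy OLE files need an OLE parser")
    findings = {"vba_macro": [], "embedded_object": [], "external_relationship": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            for category, needles in SUSPICIOUS.items():
                if any(n in name for n in needles):
                    findings[category].append(info.filename)
            # .rels parts may reference resources outside the document. Ordinary
            # hyperlinks are external too, so review each target by hand.
            if name.endswith(".rels") and info.file_size < 1_000_000:
                if b'TargetMode="External"' in zf.read(info):
                    findings["external_relationship"].append(info.filename)
    return {k: v for k, v in findings.items() if v}

def build_sample(with_macro: bool = True) -> bytes:
    """Constructed stand-in for an exported DOCX; parts hold placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder")
            zf.writestr("word/embeddings/oleObject1.bin", b"placeholder")
            zf.writestr("word/_rels/settings.xml.rels",
                        '<Relationship Target="https://example.invalid/t.dotm" '
                        'TargetMode="External"/>')
    return buf.getvalue()

if __name__ == "__main__":
    for category, parts in triage_ooxml(build_sample()).items():
        print(f"{category}: {parts}")
```

Reading the container in memory keeps the exported evidence file untouched and avoids writing embedded objects to the analysis workstation's disk.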