What is a Forensic Image in digital forensics?
A forensic image (or forensic copy) is a bit-by-bit copy of a physical storage device (hard disk, USB drive, etc.). It includes:
- Files and folders
- Unallocated space, free space, slack space
- Deleted files and files left in the slack and free space
USB devices are frequently involved in the most common security incidents, such as data theft and malware propagation. The main goal of forensic image analysis is to help forensic investigators reconstruct the attack scenario.
In this article we discuss the steps for analyzing the image of a USB drive using AccessData FTK Imager: https://accessdata.com/product-download/ftk-imager-version-4-2-1.
Forensic image analysis tutorial with FTK
Step 1: Add the evidence to FTK Imager
Go to ''File'' > ''Add Evidence Item''.
Step 2: Select the source evidence type
Select ''Image file''.
Step 3: Enter the path of the source evidence
Step 4: Verify image integrity
If integrity check information (hashes) was provided with the image of the USB device, you can check in FTK Imager whether the image was changed or modified before you received it.
Tampered image: the MD5 and SHA1 hashes provided with the image ≠ the MD5 and SHA1 hashes computed by FTK Imager.
Go to the image name, right-click and select ''Verify Drive/Image''.
Step 5: Export files to the system
Go to the file name, right-click and select ''Export Files''. Then choose a destination path in which to store the files.
Analyzing a USB Drive image: Some Tips
When exploring the image content, it is important to analyze all data in all formats. You therefore need to prepare the recommended tools for analyzing each format:
- Archive files (ZIP, TGZ)
- Image file formats (PNG, JPG, GIF, BMP)
- Video (MP4) or Audio (WAV, MP3)
- Microsoft's Office formats (RTF, OLE, OOXML)
Here are some tips that may help you during your investigation:
- Check the image file’s metadata fields: comments, copyright strings, GPS location, etc. Example of a tool: exiftool
- Check whether there is a barcode in the form of a QR code. Generally, it is a PNG file that contains a URL or a password. To read barcodes, use the zbarimg command-line tool. Example of a tool: zbar
- Always unzip OOXML documents (DOCX, XLSX, PPTX) and ODT documents: they are ZIP containers that hold embedded objects and hidden document statistics. Also search for VBA macros and extract them with a tool. On Windows, a typical malicious macro downloads a PowerShell script to %TEMP% and executes it. Example of tools: oletools, OfficeDissector, 7-Zip. Command line: unzip.
- A .kdbx file is an encrypted KeePass database containing passwords. Try to open it with KeePass.exe. The master password may be stored in another location on the USB device (QR code, text file, etc.) or can be cracked using a wordlist (rockyou.txt) and the libkeepass tool.
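As an added example (not from the original article or from AccessData's tooling), the script below does in Python what Step 4 and the tips above describe by hand: it recomputes the MD5/SHA1 of an image and compares them with the hashes delivered alongside it, classifies exported files by their leading bytes rather than their extension (ZIP/OOXML, PNG, KeePass .kdbx), and unzips an OOXML container in memory to flag a VBA macro part. The function names, the file signatures table and the constructed sample document are assumptions of this example.

```python
import hashlib
import io
import zipfile
# Well-known file signatures for formats the tips above mention (the extension can lie).
SIGNATURES = {
    b"PK\x03\x04": "zip-container",   # ZIP, OOXML (DOCX/XLSX/PPTX), ODT
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x03\xd9\xa2\x9a": "kdbx",      # KeePass 2.x database header
}

def hashes(data: bytes) -> dict:
    """MD5 and SHA1 of in-memory data, the two values FTK Imager reports."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}

def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Streamed version of hashes() so a multi-GB image never has to fit in RAM."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def image_untampered(computed: dict, provided_md5: str, provided_sha1: str) -> bool:
    """Step 4: trust the image only if BOTH hashes delivered with it match ours."""
    return (computed["md5"] == provided_md5.strip().lower()
            and computed["sha1"] == provided_sha1.strip().lower())

def identify(data: bytes) -> str:
    """Classify an exported file by its leading bytes rather than its name."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def inspect_container(data: bytes) -> dict:
    """Unzip an OOXML/ODT container in memory and flag a VBA macro part."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    macro = any(n.lower().endswith("vbaproject.bin") for n in names)
    return {"entries": names, "has_vba_macro": macro}

def build_sample_docm() -> bytes:
    """Constructed sample: a minimal macro-enabled Word container, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"placeholder VBA project stream")
    return buf.getvalue()
```

Run `hash_file()` on the image you received and feed the result to `image_untampered()` together with the hashes from the evidence handover; then run `identify()` over each file exported in Step 5 to decide which of the tools listed above to apply.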