Setup

Install the provided forensic imaging program FTK Imager

$($in the tools folder$)$ on your Windows computer.

Copy the Target $1$ folder onto your thumb drive.

a$.$ The thumb drive need not be brand new or empty for

this exercise.

b$.$ Copy the folder onto the root of your thumb drive.

Eject the thumb drive $-$ this is now your evidence.

Creating Forensic Images

Before we proceed with the imaging, we need to do some

documentation of our evidence. Provide the following

information, if available.

a$.$ Make, Model, serial number, and size of the thumb

drive as printed or marked on the device. $($Note$,$ serial

number is not always printed on the thumb drive$)$

Q$1$ Click or tap here to enter text.

b$.$ Digital photographs of the thumb drive should be

recorded. Photographs should include all visible

markings on the thumb drive, front and back.

Install and activate a write blocker.

a$.$ I have provided a simple software USB write blocking

program called thumbscrew $($in the tools folder$).$

b$.$ See the tool guide for tips and tricks on using

thumbscrew properly.

Run the program FTK Imager

Run the program FTK Imager

Make sure the write block is activated and insert the

evidence thumb drive.

Review the tool guide for FTK Imager

Create a forensic image with the following parameters:

a$.$ E$01$ format

b$.$ No fragmentation $($set to $0)$

c$.$ No compression $($set to $0)$

d$.$ File name: USB$1$

Answer the following questions about the imaging process:

a$.$ How many sectors are on the device?

Q$3$ Click or tap here to enter text.

b$.$ What is the MD$5$ hash value of the device?

Q$4$ Click or tap here to enter text.

c$.$ How long did the acquisition take?

Q$5$ Click or tap here to enter text.

d$.$ How big is the image file that was created?

Q$6$ Click or tap here to enter text.

Create another forensic image of the same device with the

following parameters:

a$.$ E$01$ format

b$.$ No fragmentation $($set to $0)$

c$.$ Max compression $($set to $9)$

d$.$ File name: USB$2$

Answer the following questions about the imaging process:

a$.$ How many sectors are on the device?

Q$7$ Click or tap here to enter text.

b$.$ What is the MD$5$ hash value of the device?

Q$8$ Click or tap here to enter text.

c$.$ How long did the acquisition take?

Q$9$ Click or tap here to enter text.

d$.$ How big is the image file that was created?

Q$10$ Click or tap here to enter text.

What effect does compression have on the MD$5$ hash

value of the data contained in the forensic image?

Q$11$ Click or tap here to enter text.

What is the size difference between the image files created

with no compression and max compression? $($USB$1.$E$01$

versus USB$2.$E$01)$

Q$12$ Click or tap here to enter text.

Examine Physical Drives with FTK Imager

Close FTK Imager, eject the thumb drive and disable the

write blocker.

Re$-$insert the thumb drive and deleted the Target $1$ folder.

Start FTK Imager again and add the thumb drive as an

evidence item.

Using the Tree pane, navigate to the root of the thumb

drive.

$$ AccessData FTK Imager $3\mathrm{.}4\mathrm{.}0\mathrm{.}1$

What do you notice about the "deleted" folders$/$files$?$

Using the Tree pane, navigate to the root of the thumb

drive.

What do you notice about the "deleted" folders$/$files$?$

Q$13$ Click or tap here to enter text.

Creating Forensic Images $-$ Part $2$

Copy the Target $2$ folder onto your thumb drive.

a$.$ The thumb drive need not be brand new or empty for

this exercise.

b$.$ Copy the folder onto the root of your thumb drive.

Eject the thumb drive $-$ this is now your evidence.

Activate write blocker.

Create a forensic image with the following parameters:

a$.$ E$01$ format

b$.$ No fragmentation $($set to $0)$

c$.$ Compression $($set to $6)$

d$.$ File name: USB$3$

Answer the following questions about the imaging process:

a$.$ How many sectors are on the device?

Q$14$ Click or tap here to enter text.

b$.$ What is the MD$5$ hash value of the device?

Q$15$ Click or tap here to enter text.

c$.$ How long did the acquisition take?

Q$16$ Click or tap here to enter text.

d$.$ How big is the image file that was created?

Q$17$ Click or tap here to enter text.

Mounting Forensic Images

Remove all evidence items from FTK Imager.

Using the Image Mounting feature in FTK Imager, mount

the forensic image as an emulated drive.

a$.$ What drive letter was your virtual$/$emulated drive

assigned?

Q$18$ Click or tap here to enter text.

Using whichever anti$-$virus program you have installed, run

a virus scan on the mounted drive.

a$.$ Which file was identified as malware?

Q$19$ Click or tap here to enter text.

Capturing RAM

Unmount any mounted images and remove any evidence

items from within FTK Imager.

Locate and open the file HenryV.txt and leave it open. It

should open in notepad, or a similar program.

Use the capture memory function in FTK Imager to create a

RAM dump into a folder on your desktop.

a$.$ Keep in mind, the size of this file will be the size of

your entire RAM, make sure you have enough room.

b$.$ The default file extension is $".$mem"

Once complete, open the file as though it were an Image

file.

Using the Find command $($ctrl$-$F or right click on the Data

pane and select Find$),$ search for the term "Swill'd"

$($obviously witho