TINAELLIS\Cybersecurity

Creating Forensic Images

Memory Forensics

Memory forensics is the process of capturing the running memory of a device and then analyzing that memory for evidence. It is valuable during incident response, when evidence of malicious code can still be found in the computer's RAM. A memory dump is a snapshot of memory that can be used to identify the processes that were running when the capture was taken.

Capture a Memory Dump

Source Evidence Type:

Volatile Memory, anything stored in RAM.

AccessData FTK Imager

  • Open AccessData FTK Imager
  • File > Capture Memory
  • Select the location where you want to save the output
  • Select 'Capture Memory'

Storage Forensics

A forensic image created with FTK Imager is an identical copy of a hard drive. This includes all of the data stored in sectors, partitions, files, folders, deleted files, unallocated space and the master boot record.

Create a Forensics Image - FTK Imager

Source Evidence Type:

Hard drives, Partitioned Drives (C: D: E:), Removable Storage, Folders, Files, CDs, and DVDs.

Steps for Creating a Forensics Image:

From FTK Imager:
  • Open AccessData FTK Imager. (FTK Imager can be run from a thumb drive or a CD to create a disk image, or to image selected folders of a live system.)
  • Create Disk Image
  • Select Source (see notes below)
  • Select Finish
  • Image Destination > Select Add..
  • Select Raw (dd) (see notes below)
  • Input Case Information
  • Select the Save Destination Folder
  • Input Filename
  • Select Finish

When FTK Imager finishes, a summary screen will appear that includes the hash digest information. After your analysis is completed, you can create a second hash digest to determine if the drive or file was changed during your forensics investigation.
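The re-hashing step described above can be scripted. The following is an added example (not code from this blog or from FTK Imager): it recomputes the MD5 and SHA1 of a raw (dd) image in one pass and compares them with the digests recorded on the acquisition summary. It assumes the image is either a single file or numbered segments passed in order, and it runs against a constructed sample image rather than real evidence.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep memory flat for multi-GB images


def hash_image(segments: List[str]) -> Dict[str, str]:
    """Hash a raw (dd) image in one pass, treating the segments as one stream.

    A raw image may be one file or numbered segments (.001, .002, ...); the
    acquisition digests cover the concatenated data, so every segment is fed
    in order into the same hash objects.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in segments:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                md5.update(block)
                sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(segments: List[str], recorded: Dict[str, str]) -> Dict[str, bool]:
    """Compare recomputed digests with those recorded at acquisition.

    `recorded` maps 'md5' and/or 'sha1' to the summary-screen values; the
    comparison is case-insensitive, and only algorithms present are checked.
    """
    actual = hash_image(segments)
    return {alg: actual[alg] == value.strip().lower() for alg, value in recorded.items()}


def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed sample: image data b'abc' written as two segments."""
    with tempfile.TemporaryDirectory() as tmp:
        segs = [os.path.join(tmp, f"evidence.{i:03d}") for i in (1, 2)]
        for path, data in zip(segs, (b"ab", b"c")):
            with open(path, "wb") as fh:
                fh.write(data)
        # Well-known digests of b"abc", standing in for the acquisition summary.
        recorded = {"md5": "900150983CD24FB0D6963F7D28E17F72",
                    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d"}
        intact = verify_image(segs, recorded)
        # Simulate a post-acquisition change to one byte in the last segment.
        with open(segs[-1], "wb") as fh:
            fh.write(b"d")
        tampered = verify_image(segs, recorded)
    return {"intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Any `False` in the result means the image no longer matches what was acquired, so the analysis should be treated as having worked on altered data.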

Image Source Options

  • Physical Drive: physical hard drives
  • Logical Drive: logical drives (partitions)
  • Image File
  • Contents of Folder
  • Fernico Device: CDs/DVDs

Image Type Explanation

  • Raw (dd): The image format most commonly used by modern analysis tools. The raw file is not compressed, and the format preserves data integrity.
  • SMART: A format designed for Linux file systems. Keeps the disk image as a pure bitstream, with optional compression.
  • E01: A format proprietary to EnCase. Compresses the image and adds a header containing case information.
  • AFF: An open format that does not lock the user into a proprietary format which might otherwise prevent analysis.

Create a Forensics Image - NotMyFault

Source Evidence Type:

Encrypted volumes such as BitLocker drives. Can also be used with hard drives, partitioned drives (C: D: E:), removable storage, folders, files, CDs, and DVDs.

Download NotMyFault from Microsoft

Steps for Creating a Forensics Image:

From System Settings

Configure where your system failure files are saved:

  • System Settings > Advanced > Startup and Recovery > Settings
  • Under System Failure, select "Complete Memory Dump" or "Kernel Memory Dump"
  • Check "Automatically Restart"

From NotMyFault:

  • Go to the folder where NotMyFault is downloaded > x64 > NotMyFault
  • Select Crash

This will crash your system and restart your computer. A memory image will be created and saved to the location specified in the settings above. This method is useful when performing digital forensics on encrypted BitLocker drives. To decrypt a BitLocker drive, open the image file with a software tool such as Elcomsoft Forensic Disk Decryptor.

NotMyFault is a tool that can be downloaded directly from Microsoft. To create a memory dump with NotMyFault, you will need to tailor these instructions to the Windows version you have installed. Here are the instructions for creating a Windows 7 memory dump.