Multiple Ways to Create Image file for Forensics Investigation

In this article, we will learn how to capture a forensic image of a victim's hard drives and systems to assist in an investigation. There are multiple ways to do this, and the tools below will help us a lot during an investigation, so let's get started.

Table of Contents

  • Introduction
  • What is a Forensic image?
  • FTK Imager
  • Belkasoft Acquisition Tool
  • Encase Imager
  • Forensic Imager

Introduction

In today's digital era, the use of devices is growing constantly, and with it cybercrime is also on the rise. When such a crime occurs, the hard drive becomes an important part of the case as it is crucial evidence. Therefore, during an investigation one cannot work directly on the hard drive, as it would then be considered tampered with. One can also lose data by mistake while performing tasks on it. Hence the necessity of a disk image. Now that we have understood the importance and use of a disk image, let us understand what exactly a forensic image is.

What is a Forensic image?

A forensic image is an exact copy of a hard drive. This image is created using various third-party tools which can capture the image of a hard drive bit by bit without changing even a shred of data. Forensic software copies data by creating a bitstream which is an exact duplicate. The best thing about creating a forensic image is that it also copies deleted data, including files that are left behind in swap and free space. Now that we have understood forensic imaging, let us focus on the practical side of it. We will learn how to create such an image using the following tools:

  1. FTK Imager
  2. Belkasoft acquisition tool
  3. Encase imager
  4. Forensic imager

FTK Imager

FTK Imager can create an image and paging file for Windows, and can also capture volatile memory for analysis.

We can download FTK Imager from here.

After installing FTK Imager we can start by creating an image. To do so, go to the File menu and, from the drop-down, select the Create Disk Image option.

After selecting Create Disk Image it will ask you for the evidence type, i.e. physical drive, logical drive, etc. Once you have selected the evidence type, press the Next button to move further in the process.

Now it will ask for the drive of which you want to create the image. Select that drive and click on the Finish button.

Now we need to provide the image destination, i.e. where we want our image to be saved. To give the destination path, click on the Add button.

Then select the type you want your image to be, i.e. Raw, E01, etc., and click on the Next button.

Next it will ask you to provide details for the image such as the case number, evidence number, unique description, examiner, and notes about the evidence or investigation. Click on the Next button after providing all the details.

After this, it will ask you for the destination folder, i.e. where you want your image to be saved, along with its name and the fragment size (the image is split into files of this size). Once you have filled in all the details, click on the Finish button.

Now the process of creating the image will start, and it will show you the elapsed time, estimated time left, image source, destination and status as it runs.

Once the progress bar completes and the status shows "Image created successfully", our forensic image has been created.

After the image has been created, you can go to the destination folder and verify the image, as shown in the picture below:

Belkasoft Acquisition

Belkasoft Acquisition Tool, abbreviated BAT, can create images of hard drives, removable drives, mobile devices, computer RAM and cloud data. The acquired image can be analyzed with any third-party tool.

We can download the Belkasoft Acquisition Tool from here.

Once the dialog box opens, click on the Drive option.

Now it will show you all the available drives. Select the drive whose image you want to create and then click on the Next button.

After selecting the drive, we need to provide the destination path along with the image format and the hash algorithm for the checksum. We can also choose whether or not to split the image. Then click on the Next button.

The process of creating the image will start, as you can see in the picture below:

Once the process is complete and the image is created, click on the Exit button.

To verify the image, go to the destination folder and access it, as shown in the picture below:
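Both FTK Imager (fragment size) and the Belkasoft Acquisition Tool (hash algorithm, split image) do the same underlying work: a bit-for-bit copy written out in fixed-size fragments, with a hash recorded so the copy can be verified later. The following Python script is an added example, not code from the article or from either vendor; it acquires a constructed sample "drive" (an ordinary file standing in for a block device, so it runs without root) into numbered raw fragments, records a SHA-256 for the whole stream and for each fragment, and then verifies the fragments the way the "verify image" step of those tools does. The file names and the manifest layout are this example's own assumptions.

```python
import hashlib
import os
import tempfile

SECTOR = 512


def build_sample_device(path, size_bytes=8192):
    """Constructed sample evidence drive: a deterministic byte pattern with a
    planted string, so the copy can be checked byte for byte."""
    data = bytearray((i * 7) & 0xFF for i in range(size_bytes))
    data[2048:2048 + 13] = b"CASE-001-DOCS"
    with open(path, "wb") as f:
        f.write(data)
    return path


def acquire_raw(source, dest_prefix, fragment_size, algo="sha256"):
    """Bit-for-bit copy of `source` into raw fragments <dest_prefix>.001, .002, ...
    (the 'fragment size' / 'split image' option). The source stream is hashed
    as it is read, and every fragment gets its own hash as well."""
    source_hash = hashlib.new(algo)
    fragments, fragment_hashes = [], []
    with open(source, "rb") as src:
        index = 1
        while True:
            chunk = src.read(fragment_size)
            if not chunk:
                break
            source_hash.update(chunk)
            frag_path = f"{dest_prefix}.{index:03d}"
            with open(frag_path, "wb") as dst:
                dst.write(chunk)
            fragments.append(frag_path)
            fragment_hashes.append(hashlib.new(algo, chunk).hexdigest())
            index += 1
    # The manifest is what an imaging tool writes into its log / info file.
    return {"algo": algo, "source_hash": source_hash.hexdigest(),
            "fragments": fragments, "fragment_hashes": fragment_hashes}


def verify_image(manifest):
    """Re-read the fragments in order, check each fragment hash, then check the
    hash of the reassembled stream against the one recorded at acquisition."""
    whole = hashlib.new(manifest["algo"])
    for frag_path, expected in zip(manifest["fragments"], manifest["fragment_hashes"]):
        with open(frag_path, "rb") as f:
            data = f.read()
        if hashlib.new(manifest["algo"], data).hexdigest() != expected:
            return False  # this fragment was altered or corrupted
        whole.update(data)
    return whole.hexdigest() == manifest["source_hash"]


def demo():
    """Acquire the constructed drive in 3-sector fragments, verify it, then
    flip one byte in the second fragment to show that verification fails."""
    workdir = tempfile.mkdtemp()
    device = build_sample_device(os.path.join(workdir, "evidence.bin"))
    manifest = acquire_raw(device, os.path.join(workdir, "evidence.raw"),
                           fragment_size=3 * SECTOR)
    clean_ok = verify_image(manifest)
    with open(manifest["fragments"][1], "r+b") as f:
        f.seek(0)
        f.write(b"X")  # simulated post-acquisition tampering
    tampered_ok = verify_image(manifest)
    return manifest, clean_ok, tampered_ok


if __name__ == "__main__":
    m, ok, bad = demo()
    print(f"{len(m['fragments'])} fragments, {m['algo']} {m['source_hash']}")
    print("verify (clean):", ok, " verify (tampered):", bad)
```

The same idea applies to the real tools: the hash they print at the end of acquisition is only useful if you recompute it over the stored image later and compare, which is what verify_image does here.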

Encase Imager

Another way to capture an image is by using the EnCase tool. We can download EnCase Imager from here.

To start the process, we first need to give all the details about the case, then click on the Finish button.

After that, we need to choose the hard drive whose image we want to create. Once you have selected the drive, click on the Next button.

Now select the specific drive whose image you want to create, as shown in the picture below, and click on the Next button.

After all the selections are made, it asks us to review the details we have given. Once the review is done, click on the Finish button.

After that, right-click on the chosen drive and select the Acquire option from the drop-down menu.

Next, select the Add to Case option and click on the Next button.

Then give the name, number and other details for your image, and click the Finish button.

After clicking on the Finish button, you can observe that the lower section on the right-hand side of the EnCase window shows the status of the process.


After everything is done, it will show you all the details: status, start time, name, process ID, destination path, the total time taken to acquire the image, and the image hashes. Finally, click on OK.


Once the image is created, you can see that EnCase uses the E01 format and splits the image into multiple parts, as shown in the picture below:

Forensic Imager

Another way to capture an image is by using Forensic Imager. We can download Forensic Imager from here.

To start the process, click on the Acquire button as shown in the image.

Next, it will ask you for the source from which to acquire the image.

Once you have given the source, it will ask for the destination details, i.e. the path, format, checksum and other evidence-related details. When you have filled these in, click on the Start button.

After clicking on Start, you can observe that the process has begun, as shown in the picture below:

When the process completes, it shows a pop-up message saying "acquisition completed", which means our forensic image has been created. To confirm, we check the destination path and verify the image.

Checking the destination, our image has been created successfully and is ready to be analyzed as a piece of evidence in the forensic investigation.

So, these were the ways to capture a forensic image of a hard drive. One should always know the various ways to create an image, as different situations call for different measures.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

Multiple ways to Capture Memory for Analysis

In this article we are going to learn how to capture RAM for analysis. There are various ways to do it, so let us take some time and learn all of them, since different circumstances call for different measures.

What is RAM?

RAM is short for Random Access Memory. It is referred to as the main memory of a computer, which makes it essential for a computer to run. RAM allows the system to temporarily store data that is in use or about to be used. But as RAM is volatile, all the data stored in it is lost as soon as the power goes out. RAM is both readable and writable, which makes it fast to access. The importance of RAM is that it makes your system faster, as reading from and writing to the hard drive takes much longer and puts a load on the system. RAM is also used to save and retrieve data for running programs. All in all, RAM helps to improve the performance of your device.

Benefits of capturing the memory

Capturing RAM is an important task. Over time, investigators have realized that many types of facts can be recovered from volatile memory, and this evidence can be beneficial in an investigation, allowing an investigator to understand which applications were being used by a suspect or at the time of an attack. It is also possible that remote attackers keep data and tools only in RAM rather than on disk.

Some tools that can do this work:

Dumpit

MoonSols DumpIt combines the Windows 32-bit and Windows 64-bit versions in one executable; no questions are asked of the user.

We can download the DumpIt software from here.

It is a compact tool that makes it easy to save the contents of your system's RAM. It is a console utility, but there is no need to open a command line or master a host of command-line switches. A double click on the executable is enough to generate a copy of the physical memory in the current directory.

As we can see in the above image, the tool already shows us the destination of the image that this process is going to create, and asks whether we want to continue.

If we want to continue, we press "y".

Once the process has started and completed, it shows the message "success" if the capture succeeded.

Now we can check the path given by the software to see whether we were able to capture the RAM.

Now we can see that our captured memory, known as the RAM image, has been created successfully.

Magnet Forensics

Magnet RAM Capture, from Magnet Forensics, is a free RAM capturing or memory imaging tool used to capture the physical memory of a suspect's system, allowing investigators to analyse and recover valuable facts that are only found in the memory of the system.

We can download the software from here.

Magnet RAM Capture has a small memory footprint, which means an investigator can run the tool while minimizing the data that is overwritten in memory. We can capture memory in raw (.DMP/.RAW/.BIN) format and easily analyse it.

This image can be used as evidence in the forensic investigation. Evidence that can be found in RAM includes processes and programs running on the system, network connections, evidence of malware intrusion, registry hives, usernames and passwords, decrypted files and keys, etc.

Now we can start the RAM capturing process simply by executing the software.

As we can see in the above image, we have to provide the name of the memory image and the format in which we want to capture it.

After providing the above details, the capture process starts. How long it takes depends on the size of the memory.

When the process completes, it shows a pop-up message indicating success and giving the location of the captured memory, which is the path we provided earlier.

Now we can check that path to see whether our memory image was generated. As we can see in the above image, the image has been created successfully, and we can now analyse it.

AccessData FTK Imager

FTK Imager can create a live memory image and paging file for both 32-bit and 64-bit Windows systems. We can download FTK Imager from here and install it on our system. The main purpose of FTK Imager is to process and index data up front and eliminate wasted time waiting for searches to execute. No matter how many different kinds of data we are dealing with or how much data we have to go through, FTK gets us there quicker and better than anything else.

Now start the AccessData FTK Imager software.

To start, we need to click on the File menu as shown in the above image.

After clicking on the File menu our screen looks like this. Now we need to find the Capture Memory button and click on it to start the memory capture process.

Next we need to provide some information about the image: the destination path of the memory image, its file name, and whether or not we want to include the page file and create an AD1 file.

After providing that information, it shows that the process has started, along with the continuously updated status of the process and the final destination path where our image is going to be saved.

When it completes, it shows us the message "Memory capture finished successfully" and the location of our memory image.

Now we check that location to see whether our image has been saved. As we can see in the above image, we were able to capture the memory image successfully.

Belkasoft Live RAM Capturer

It is a free forensic tool to reliably extract the entire contents of the system's volatile memory, even if it is protected by an active anti-debugging system. Separate 32-bit and 64-bit builds are available to keep the tool's footprint as small as possible.

Memory dumps captured with Belkasoft Live RAM Capturer can be analyzed with any RAM analysis software.

First, we need to download Belkasoft Live RAM Capturer from here and install it on our system.

Then open the software, select the path where we want to save our memory image, and click on the Capture button.

After providing the details, it loads its drivers to start capturing the memory image and shows the live progress of the task.

When the overall process completes, the progress bar reaches the right-hand end, the tool shows a preview of the captured memory, and it suggests Belkasoft's own image analyser, with a link to download it.

Now we need to check whether our memory was captured. As we can see in the image given below, the process succeeded.

These are some of the ways and tools to capture a live memory image so it can be analysed for evidence that helps an investigator with a case.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

Digital Forensics Investigation through OS Forensics (Part 3)

In Part 2 of this article, we covered Recent Activity, Deleted File Search, Mismatch File Search, Memory Viewer and Prefetch Viewer. This article covers some more features of OSForensics.

To read Part 2 of this article, click here.

Raw Disk Viewer

On a drive, data is generally stored as files and directories in a file system, but forensics needs a deeper inspection of the drive: there may be evidence within the raw sectors of the drive or image. These sectors are not accessible through the operating system, but we can access them through OSForensics' Raw Disk Viewer.

Raw Disk Viewer includes text/hex searching, highlighting of relevant disk offsets, and decoding of known disk structures (such as MBR and GPT).

Source: https://www.osforensics.com

To start, open OSF and click on Raw Disk Viewer.

From the Disk drop-down, select the evidence we want to investigate.

Click on the Config button and make the required changes. We can specify a sector range limit, highlight file types in different colours, and include or exclude file system objects.

To look for a particular file, sector or offset, click on the Jump To button; a screen appears where we can select a particular file or offset.

To get the details of a particular file, choose File and browse to the file.

Click on Open and then OK; the file opens in hex view for investigation.

Click on the Decode button to get the details of the file. This provides the cluster number and sector of the file.

Right-click on the file to see all the options available for the file, offset or cluster.

Click on the Search button; a screen appears where we can search for hex or text. This searches for the given text or hex within the raw sectors and displays the result.

Click on the Bookmark button on the main screen of Raw Disk Viewer; we can create bookmarks for the relevant evidence.

Create a new bookmark by specifying its start and end offsets. We can distinguish bookmarks by their colour.

The saved bookmark is listed.

If we click on the bookmark, the offset range is highlighted on the main screen and the start of the range is marked with a flag in the bookmark's colour.

This concludes the Raw Disk Viewer.
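The three things Raw Disk Viewer does in this section (text/hex search across raw sectors, reporting the sector and cluster for a hit, and decoding the MBR) are simple to reproduce on a raw image, which also makes it clear what the tool's numbers mean. The script below is an added example and is not OSForensics code; it builds a constructed 64-sector image with a hand-written MBR and a planted string, decodes the partition table, searches for a text and a hex pattern, and translates a hit's absolute offset into a sector number and a partition-relative sector. The 512-byte sector size and the single partition entry are this example's assumptions.

```python
import struct

SECTOR = 512
MBR_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_image():
    """Constructed 64-sector raw image: MBR in sector 0 with one NTFS-type
    partition starting at LBA 8, and a filename string planted in sector 20."""
    img = bytearray(64 * SECTOR)
    entry = struct.pack(MBR_ENTRY, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 8, 56)
    img[446:462] = entry            # first of the four partition entries
    img[510:512] = b"\x55\xAA"      # MBR boot signature
    planted = b"CONFIDENTIAL.txt"
    img[20 * SECTOR + 100:20 * SECTOR + 100 + len(planted)] = planted
    return bytes(img)


def decode_mbr(img):
    """Decode the MBR partition table (what the Decode button does for an MBR).
    Returns None if the boot signature is missing, else a list of partitions."""
    if img[510:512] != b"\x55\xAA":
        return None
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(MBR_ENTRY, img[off:off + 16])
        if ptype == 0:
            continue  # empty entry
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "start_lba": lba_start, "sectors": count,
                      "byte_offset": lba_start * SECTOR})
    return parts


def search_raw(img, needle, sector_size=SECTOR):
    """Text or hex search over the raw bytes, like Raw Disk Viewer's Search.
    Pass bytes for text (b'CONFIDENTIAL') or bytes.fromhex('55aa') for hex.
    Each hit carries the absolute offset, the sector it falls in, and the
    offset inside that sector."""
    hits = []
    pos = img.find(needle)
    while pos != -1:
        hits.append({"offset": pos, "sector": pos // sector_size,
                     "in_sector": pos % sector_size})
        pos = img.find(needle, pos + 1)
    return hits


def locate_in_partition(hit, parts):
    """Map a hit to the partition that contains it and to the sector number
    relative to that partition's start (the basis of a cluster number once the
    file system's cluster size is known)."""
    for p in parts:
        start = p["byte_offset"]
        end = start + p["sectors"] * SECTOR
        if start <= hit["offset"] < end:
            return p["index"], (hit["offset"] - start) // SECTOR
    return None, None


if __name__ == "__main__":
    image = build_sample_image()
    parts = decode_mbr(image)
    print("partitions:", parts)
    for hit in search_raw(image, b"CONFIDENTIAL"):
        print("text hit:", hit, "-> partition/relative sector:", locate_in_partition(hit, parts))
    print("hex hit 55AA:", search_raw(image, bytes.fromhex("55aa")))
```

Reading the output against the GUI: the "sector" field is what the tool shows as the absolute disk sector, and the partition-relative sector is what it shows after you select a volume rather than the physical disk.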

Registry Viewer

Registry Viewer enables us to examine the registry hives of the evidence.

To start, open Registry Viewer and select the drive or evidence we want to work on. All the registry files on that drive or evidence are listed on the right-hand side.

Double-click on any file and we can navigate through the registry keys and get all the details.

This concludes Registry Viewer.

File System Browser

File System Browser enables us to navigate through the drive or evidence.

We can navigate through all the files and directories and perform multiple activities. File System Browser also offers other OSF options such as File Search, Mismatch Search, Create Index and Create Signature. Some of these features we have already discussed, and some we will discuss in coming articles.

We can enable the "Show Deleted Files" option by clicking on Tools > Options > Show Deleted Files.

Deleted files and directories (if any) are then listed as well, marked with a red cross.

This concludes the File System Browser.

Passwords

The Passwords feature enables us to retrieve password-related information from the evidence. These could be passwords stored within a browser or Windows login passwords. We can also create a rainbow table from multiple combinations of passwords and retrieve passwords using that table. Under OSF Passwords there is also an option to decrypt an encrypted file.

To start, open OSF and select Passwords.

The first tab is Find Passwords & Keys, which recovers stored passwords from browsers, Outlook, Windows auto-logon, etc. We can either do a live acquisition of the current machine or choose Scan Drive and select a drive or evidence.

Click on the Config button and check the passwords you want to recover. Select the decryption settings as required: we can include our own dictionary file or use the automatic dictionary. If the Windows login credentials are known, we can provide them. Then click OK.

Click on the Acquire Passwords button to start the process.

All the passwords and product keys are listed.

The image below shows password acquisition on the current machine, for better understanding, because the evidence we were working on doesn't have any stored wireless network.

Select Windows Login Password, select the drive or evidence, and click Acquire Passwords.

All the information is listed. If there is any saved password it is listed too, and we can also get information about it, including the NT hash and LM hash of the password, from which the password can be recovered.

We have an option to generate a rainbow table. This creates a list of passwords with different combinations and permutations. We can choose from the different options and combinations in the drop-down. The larger and more complex the inputs, the longer it takes.

Browse to the path where we want to save the table and, if required, modify the parameters. Click on the Create Rainbow Table button to start the process.

The process then runs; how long it takes depends on the complexity.

Recovering a password through a rainbow table: if the password is within the rainbow table we have created and we have the NT hash and LM hash, we can recover the password (however this ). To achieve this we add the folder of the rainbow table under "Select Rainbow Table" and either enter the raw hash or browse to a file containing the hash; if the password is present in the rainbow table, we get the password.

In the image we are browsing to the file "hash.txt", which we saved from Windows Login Password (shown above), and the rainbow table we created.

Click on the Recover Password/s button to start the process; if the hash in hash.txt is found in the rainbow table, we get the result.

In the above, the password was not found, as it must not be present in the table. These tables also have certain limitations and a success rate of approximately 95%. There are other methods of password recovery as well, which we will discuss in other articles.

This concludes Passwords.

For more on OSForensics wait for the next article.

Author: Ankit Gupta, the author, and co-founder of this website, an ethical hacker, forensics investigator, penetration testing researcher and telecom expert. He has found his deepest passion to be around the world of telecom, cyber security and digital forensics. Contact Here

Convert Virtual Machine to Raw Images for Forensics (Qemu-Img)

This is a very handy little application developed by the QEMU team. It is very useful when dealing with virtualization, and qemu-img is available for both Windows and Linux. Its function is to convert a given virtual disk file into most of the popular virtual disk formats used across platforms. Say you are using VirtualBox on Windows and want to migrate the virtual disk to a Mac running Parallels: you can use this simple program to achieve that with minimum effort.

Our purpose in writing about it today is slightly different from qemu-img's mainstream usage: we want to focus on how we can use it to convert a virtual disk image, whole or split, into a .raw file that can be used with most of the popular forensic frameworks.

Let's start qemu-img on our Linux machine.

At the terminal prompt type "qemu-img -h"

This shows all the options that can be used with qemu-img.

Right at the end of the output of the command above, we can see all the formats supported by this application.

Here is the list of all the formats that are compatible with qemu-img.

Now let’s see how this application comes in handy for use in forensics.

Where a virtual disk is part of the acquisition and further dedicated analysis is required, the virtual disk can be converted into the .raw format.

Let’s begin.

Since our goal is to analyze the virtual disk, we are using the disk file of a Windows 7 installation on VMware. The file in question is in .vmdk format.

Just a heads-up: when you convert a virtual disk file to a .raw file, the converted file can be quite big, so make sure you have enough space.

Here is our .vmdk file.

For ease of use, we have placed the .vmdk file in a folder named Qmeu on the desktop, and the terminal is opened from within that folder.

At the terminal prompt type “qemu-img convert -f vmdk -O raw Windows\ 7.vmdk win7.raw”

A breakdown of the command that we just gave:

qemu-img convert invokes the convert function of qemu-img.

-f is the format of the input file, which in this case is vmdk.

-O is the format of the output file that we want, raw.

Windows\ 7.vmdk is the name of the input file in our folder (the backslash escapes the space in the name).

win7.raw is the name we have given the output file, with its file extension.

Give it a few minutes and check the folder; you will find the converted file.

As you can see, the size of the .raw file is 10.7 GB while the .vmdk file was 6.0 GB: quite a jump in size, because a raw image stores every sector of the virtual disk, whereas the .vmdk only stores the sectors that have been written.

We can now use Foremost to carve the .raw file to see what’s inside.

At the terminal type "foremost -t jpeg,png -i win7.raw -o output"

With this command we are carving the .raw file for .jpeg and .png files, which are collected in a folder named output. If you have any doubts about foremost, you can refer to this article.

As you can see, our .raw file has been successfully carved; the results are visible below.
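Foremost works on a raw image exactly because the image is a flat sequence of bytes with no file system to interpret: it scans for known header signatures and then uses the format's own structure (or a footer) to decide where each file ends. The script below is an added example, not foremost's code or the article's; it builds a constructed raw image containing a minimal valid PNG and a minimal JPEG-shaped blob surrounded by filler, and carves both the way foremost -t jpeg,png does, walking PNG chunks to the IEND chunk and scanning a JPEG to its EOI marker. The sample files and the filler bytes are constructed for this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"   # start of image, followed by a marker byte
JPEG_EOI = b"\xff\xd9"       # end of image


def make_png(width=1, height=1):
    """Constructed minimal valid PNG (8-bit greyscale) used to seed the image."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    scanlines = (b"\x00" + b"\x80" * width) * height  # filter byte + pixels per row
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b"")


def make_jpeg_stub():
    """Constructed minimal JPEG-shaped blob: SOI, a 16-byte APP0/JFIF segment, EOI."""
    app0 = b"\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8\xff\xe0" + app0 + JPEG_EOI


def carve_png(data, start):
    """Walk PNG chunks from the signature until IEND. Returns the exact object
    length, or None if the image is truncated (no IEND inside the data)."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4              # header + data + CRC
        if pos > len(data):
            break
        if ctype == b"IEND":
            return pos - start
    return None


def carve_jpeg(data, start):
    """JPEG has no length field up front, so scan forward to the next EOI marker
    (foremost's footer approach). Returns None if no footer is found."""
    end = data.find(JPEG_EOI, start + 2)
    return None if end == -1 else end + 2 - start


def carve(data):
    """Signature-based carving of PNG and JPEG objects from a raw byte blob.
    Returns a list of {type, offset, data} sorted by offset."""
    found = []
    for ftype, sig, measure in (("png", PNG_SIG, carve_png), ("jpeg", JPEG_SOI, carve_jpeg)):
        pos = data.find(sig)
        while pos != -1:
            length = measure(data, pos)
            if length:
                found.append({"type": ftype, "offset": pos, "data": data[pos:pos + length]})
            pos = data.find(sig, pos + 1)
    return sorted(found, key=lambda f: f["offset"])


def build_sample_raw():
    """Constructed raw image: filler, PNG, filler, JPEG stub, filler."""
    filler = bytes(range(256)) * 4  # 1024 bytes; contains neither signature
    return filler + make_png() + filler[:300] + make_jpeg_stub() + filler


if __name__ == "__main__":
    for obj in carve(build_sample_raw()):
        print(f"{obj['type']:4s} at offset {obj['offset']:6d}, {len(obj['data'])} bytes")
```

Two points the example makes concrete: a carver finds files that no longer have a directory entry, which is why it works on unallocated space, and a carved JPEG is only as reliable as its footer search, so a fragmented or truncated file yields either nothing or an over-long object.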

We have successfully carved a .raw file made from a virtual disk; now let's mount the .raw file to view its contents. We will be using a Windows machine for this operation.

We will mount the .raw file using FTK Imager to see its contents. The Image Mounting option can be found under the File menu. Navigate to the .raw file from within the mounting dialog.

Select Mount, leave the other options as they are, and the file appears in the Mapped Image List.

Next, we navigate to My Computer and can see that the .raw file has been mounted as a partition.

The Windows file system can be seen within it and explored for content.

qemu-img is a very simple application with high potential. It can be a valuable tool in your forensic toolkit thanks to its long list of compatible formats. It makes sure that the format of the acquired image does not keep you from using your forensic tool of choice to run your investigation or carve out data.

We hope you enjoy using this tool.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here