(FTK Imager: Lesson 4)

{ Mount Image File, Recover Deleted File  }

1. What is FTK Imager?
   • The FTK toolkit includes a standalone disk imaging program called FTK Imager. The FTK Imager has the ability to save an image of a hard disk in one file or in segments that may be later reconstructed.
   • It calculates MD5 hash values and confirms the integrity of the data before closing the files.
   • In addition to the FTK Imager tool can mount devices (e.g., drives) and recover deleted files.
   
   
2. Pre-Requisite
   1. FTK Imager: Lesson 1: Install FTK Imager
   2. FTK Imager: Lesson 2: Create Virtual Hard Drive, Delete File, Recover File
      • Note: This lab is necessary, because you will need to create a Virtual Hard Drive.
   3. FTK Imager: Lesson 3: Create Disk Image after Deleting a Picture
      • Note: This lab is necessary, because you will need to create an image after deleting a file.
   
   
3. Lab Notes
   • In this lab we will do the following:
     1. Mount the Image File.
     2. View the deleted file.
     3. Recover the deleted file.
     4. Compare the MD5 sum of the image after work has been completed to its' original MD5 sum.
     
     
4. Legal Disclaimer
   • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
   • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
   • In addition, this is a teaching website that does not condone malicious behavior of any kind.
   • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
   • © 2012 No content replication of any kind is allowed without express written permission.

    

1. Start VMware Player
   • Instructions
     1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
     2. For Windows XP
        • Starts --> Programs --> VMware Player
   • 

    

2. Start Up Damn Vulnerable WXP-SP2.
   • Instructions:
     1. Click on Damn Vulnerable WXP-SP2
     2. Click on Edit virtual machine Settings
   • Note(FYI):
     • For those of you not part of my class, this is a Windows XP machine running SP2.
   • 

    

3. Edit Virtual Machine Settings
   • Instructions:
     1. Click on Network Adapter
     2. Click on the Bridged Radio button
     3. Click on the OK Button
   • 

    

4. Play Virtual Machine
   • Instructions:
     1. Click on Damn Vulnerable WXP-SP2
     2. Click on Play virtual machine
   • 

    

5. Logging into Damn Vulnerable WXP-SP2.
   • Instructions:
     1. Click on Administrator
     2. Password: Supply Password
     3. Press <Enter> or Click the Arrow
   • 

    

6. Open a Command Prompt
   • Instructions:
     1. Start --> All Programs --> Accessories --> Command Prompt
   • 

    

7. Obtain Damn Vulnerable WXP-SP2's IP Address
   • Instructions:
     1. ipconfig
   • Note(FYI):
     • In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
     • This is the IP Address of the Victim Machine that will be attacked by Metasploit.
     • Record your Damn Vulnerable WXP-SP2's IP Address.
   • .

    

1. Start FTK Imager
   • Instructions:
     1. Click on the Start Button
     2. All Programs --> AccessData --> FTK Imager --> FTK Imager
   • 
    

1. Add Evidence
   • Instructions:
     1. File --> Add Evidence Item...
   • 

    

2. Select Source
   • Instructions:
     1. Click on the Image File radio button
     2. Click the Next Button
   • 

    

3. Select File
   • Instructions:
     1. Click the Browse Button
     2. Navigate to C:\FORENSICS
     3. Select practice-01.001
     4. Click the Open Button
     5. Click the Finish Button
   • 

1. View Deleted File(s) in the Recycler  
   • Instructions:
     1. Navigate to practice-01-001 --> Partition 1 --> FTK[NTFS] --> [root] --> RECYCLER --> RECYCLER SUBDIR
        • The RECYCLER SUBDIR Directory name varies
     2. Click on the jpg file if it exists.
        • The naming convention of existing jpg's also varies.
   • 

    

2. View Deleted File(s) in [unallocated space]  
   • Instructions:
     1. Navigate to practice-01-001 --> Partition 1 --> FTK [NTFS] --> [root] --> [unallocated space]
     2. Scroll through all the files until you see the Captain Crunch Picture
   • 

    

1. Export File
   • Instructions:
     1. Right Click on the file that contains the picture
     2. Select Export Files...
   • 

    

2. Select the destination folder
   • Instructions:
     1. Navigate to C:\FORENSICS
     2. Click the OK Button
   • 

    

3. Export Results
   • Instructions:
     1. Click the OK Button
   • 

1. Open My Computer
   • Instructions:
     1. Click the Start Button
     2. Click on My Computer
   • 

    

2. Rename File
   • Instructions:
     1. Navigate to C:\FORENSICS
     2. Right Click on the filename that contain all numbers
        • In my case the filename is 103415.  In your case, it will probably be named differently.
     3. Click Rename
   • 

    

3. Name File
   • Instructions:
     1. Rename file to "captain.jpg"
   • 

    

4. Open File
   • Instructions:
     1. Right Click "captain.jpg"
     2. Open With --> Windows Picture and Fax Viewer
   • 

    

5. View File
   • Note(FYI):
     1. CAP'N Crunch was a h4x0r.... nice whistle.
   • 

1. Verify Image
   • Instructions:
     1. Right Click practice-01-001
     2. Click on Verify Drive/Image
   • 

    

2. Drive/Image Verify Results
   • Instructions:
     1. Copy the last 4 characters of your MD5 Hash
        • In my case, it is 6e9c.
     2. Do Not Click the Close Button
   •