In this project, we need to conduct an internal digital investigations and forensics examinations on a USB drive belonging to Terry, this USB might contain company’s M57 patent information. Hands-on Project 4–3, Examining M57 Patent Case For instance, in this image acquisition process, we used standard 1500 MB volume segments to acquire the image and store it on the forensic workstation.
We learned image acquisition through the following activities on the suspect’s drive, how to conduct the investigation on the drive by creating a disk to image copies and store the image on the destination folder with a single volume or split volumes. Step 1: First, Open the “FTK Imager Lite tool” Home screen window on your PC. For this activity, you use your work folder (C:\Work\Chap03\Chapter), but in real life, you’d use a folder name such as C:\Evidence. Create a storage folder on the target drive. Connect the suspect drive to the USB or FireWire write-blocker device.ĥ.
(Note: This step doesn’t apply to SATA or USB drives.)Ĥ. For IDE drives, configure the suspect drive’s jumpers as needed. Remove the drive from the suspect’s computer.ģ. Document the chain of evidence for the drive you plan to acquire.Ģ. In this section, we need to examine its contents and carry out the following activities on the drive using the FTK image viewer lite tool. Our main investigational focus is to examine a drive.
To conduct a digital investigations and forensics examinations on the suspect’s drive. Investigation and Development Procedures: How to capture your Disk Image for Forensic Investigations? Capture your Disk Image for Forensic Investigations.