Episode 03: Triage Image creation

Hey there, fellow digital detectives! Mohaimin is here to spill the beans on triage imaging using our secret weapon: FTK Imager. Buckle up and get ready to level up your forensic investigations in this blog series!

When it comes to live system triage imaging, there is an important factor to keep in mind. That is order of volatility!

Volatile data: It’s like a ticking time bomb, so we need to grab it before it’s gone!

  • RAM/Memory: The juicy bits are in the RAM. It’s super volatile, but it holds evidence like passwords, encryption keys, and running processes. We need to make a memory dump to save this treasure trove.
  • Network Connections: Let’s check out what’s happening in the network world. Think active connections, open ports, and all things networking.
  • Processes and Services: We need to get the lowdown on running processes and services. Find out what they’re up to, their network connections, and their metadata.
  • Open Files: Oh, and don’t forget to keep an eye out for any files currently open by active processes. They might hold the key to cracking the case!
  • System Information: We should grab the deets about the system itself, like hardware specs, operating system info, user accounts, and installed software. It’ll help us see the big picture.

Now, I will show you a demo of live system triage imaging using FTK Imager. We’ll cover two essential steps: dumping memory and creating a custom content image. To begin, make sure you have FTK Imager downloaded and installed on your forensics workstation from here https://www.exterro.com/ftk-product-downloads/ftk-imager-version-4-7-1 . When dealing with a live system, we typically use a USB drive containing FTK Imager. This portable toolkit ensures the integrity of the live system while allowing us to connect and perform imaging. But for this demo, I installed FTK in the machine it self.

Okay, now let’s open FTK Imager and dump the memory as it is the most volatile thing.

Click on the above mentioned option and it will give you a prompt to dump the memory. In real life, you’ll be dumping the memory in a USB drive that is sanitized to keep integrity. But for this demo, I’m out of resources so, I will dump it in my desktop :3.

After dumping the memory, we will promptly verify the presence of disk encryption. To accomplish this, we can utilize the EDD.exe tool, a free forensic tool provided by Magnet Forensics.

Now, let’s move forward and start with creating our custom content image, as if we want to create full image, I will get old!

Start by clicking on the Add evidence item from the very top-left. Then choose the physical drive. Then it will load data into the left pane. Now let’s click and add the most important Artifacts in our custom image.

  1. Start with NTFS Metadata Files:
    • Grab the $Extend folder, which contains crucial metadata files.
  2. Add $Recycle Bin:
    • Right-click and add the $Recycle Bin directory to the custom image.
  3. Include Users Directory:
    • Add the Users directory to capture user-related data.
  4. Capture $Logfile (Filesystem Transaction Journal):
    • Include the $Logfile to gather information from the filesystem transaction journal.
  5. Add $MFT, hiberfil.sys, pagefile.sys, and swap.sys:
    • Include these important system files in the custom image.
  6. Include Program Data > Microsoft > Search > Applications > Windows > Windows.edb:
    • Capture the Windows-related search history file.
  7. Add Windows > appcompat > Programs:
    • Include this directory to gather compatibility information about installed programs.
  8. Include Windows > INF > setupapi.dev.log:
    • Capture the setupapi.dev.log file, which contains device installation information.
  9. Collect Registry Hives from Windows > System32 > Config:
    • Capture the five major registry hives and don’t forget to collect the regback folder.
  10. Include Windows > System32 > Logfiles Directory:
    • Capture files within the Logfiles directory for additional system information.
  11. Include Windows > System32 > sru Directory:
    • Capture files within the sru directory to gather system resource utilization data.
  12. To further enhance our custom content image, we’ll add additional files of interest. Follow these steps to include NTUser, Usrclass.dat, $I30, *.evtx, *.pf, and *.lnk files:
    • Click new to add a new artefacts. It will create * sign in the left-bottom.
    • Then choose that and click on edit, it will give you a prompt.
    • Fill-up the prompt like this

Add all the artefacts and click on create image. It will look like this

Give it a name and save it in external disk. For the demo I’m doing it in my pc. Depending on case to case, it might take near an hour!

Once it is ready, you’ll have a file with a .ad extension. Now we can mount this image using the FTK Imager itself. From the top-left menu, click on mount an image

It gave me E: drive, now if I go to my PC and access this drive, I can see all the juicy stuffs!

One thought on “Episode 03: Triage Image creation

Leave a Reply

Your email address will not be published. Required fields are marked *