Cloning a Disk Without Tampering With It Using FTK Imager

This post shows how to clone a disk, flash drive or other storage device without altering its contents, so that the integrity of the evidence is preserved. The tool used is FTK Imager, which is widely used in forensic acquisition because it is free, simple to operate and records hashes of everything it reads. Strictly speaking what FTK Imager produces is a forensic image (one or more files holding a bit-for-bit copy of the source), not a second bootable disk; the image is what you analyse afterwards, while the original stays untouched. One caveat before starting: FTK Imager only reads the source, but it does nothing to stop the operating system from writing to it (Windows, for example, may touch a freshly plugged-in USB stick on its own). In a real acquisition the source is attached through a hardware or software write blocker, and the hashes in the acquisition log are what demonstrate that the image matches what was read.



What is FTK IMAGER:

Forensic Toolkit, or FTK, is computer forensics software made by AccessData. It scans a drive for information of evidentiary value; it can, for example, locate deleted emails, or extract the text strings on a disk to use as a password dictionary for cracking encrypted files.

The toolkit also includes a standalone disk imaging program called FTK Imager. FTK Imager is a simple but capable tool: it saves an image of a disk either as one file or as segments that are reassembled later, computes MD5 and SHA-1 hashes of the source as it reads it, and verifies the finished image against those hashes before it closes the files. The image can be written in several formats, including E01 and raw (dd).

Requirements:

  1)   FTK Imager -- Download
  2)   USB Flash Drive / Hard Disk / Any Drive (the source to be imaged)
  3)   Destination drive (another drive on which the image files will be written; in forensic practice this is a sterile, i.e. freshly wiped, drive)
Note: for this tutorial I will use my system hard disk as the destination; you can use whatever drive you want.
Note: the destination needs free space at least equal to the capacity of the drive you are imaging. A compressed E01 is usually smaller than the source, but a raw (dd) image is exactly the size of the source, and you want headroom for the log and for any later re-verification.


How to Clone any Disk without tampering it using FTK Imager


  1)   Open FTK Imager and click on "File"




   2)   Click on "Create Disk Image"




   3)   Choose the source evidence type that applies to you. Since I am going to image my flash drive, I selected "Physical Drive" (this captures the whole device, including partition table and unallocated space; "Logical Drive" would capture a single volume only)


   4)   Select Your Drive and click "Finish"



   5)   In the "Create Image" dialog, click on "Add" to add an image destination



   6)   Select "E01" as the image type. Any of the listed formats will work; E01 is the usual choice because it carries the case details and the hashes inside the image itself.

E01: EnCase's Evidence File (.E01) format contains a physical bitstream of an acquired disk, prefixed with a "Case Info" header, interlaced with checksums (Adler-32) for every block of 64 sectors (32 KB), and followed by a footer containing an MD5 hash for the entire bitstream. Contained in the header are the date and time of acquisition, an examiner's name, notes on the acquisition, and an optional password; the header concludes with its own checksum.
Though some have reverse-engineered the format for compatibility's sake, Guidance Software's extensions to the format remain closed.

Raw Image Format

This format is a raw bit-by-bit copy of the original, with nothing added. Because the file itself carries no hashes or case details, it is usually accompanied by metadata stored separately (for FTK Imager, the .txt log written next to the image).

SMART's Formats

SMART, a software utility for Linux designed by the original authors of Expert Witness (now sold under the name EnCase), can store disk images as pure bitstreams (compressed or uncompressed) and also in ASR Data's Expert Witness Compression Format. Images stored in the latter format can be stored as a single file or in multiple segment files, each of which consists of a standard 13-byte header followed by a series of sections, each of type "header", "volume", "table", "next", or "done". Each section includes its type string, a 64-bit offset to the next section, its 64-bit size, padding, and a CRC, in addition to actual data or comments, if applicable. Although the format's "header" section supports free-form notes, an image can have only one such section (in its first segment file only).

AFF: The Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata.
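The E01 description above names two integrity layers: an Adler-32 checksum after every 64-sector (32 KiB) chunk, and an MD5 over the whole bitstream in the footer. The script below is an added example, not FTK Imager or EnCase code, and it does not reproduce the real Evidence File layout (no Case Info header, section table or compression); it only models those two layers, using a constructed sample bitstream, to show what each one buys you: the per-chunk checksums tell you which 32 KiB block is damaged, while the footer hash only tells you that something, somewhere, no longer matches.

```python
"""Model of E01-style per-chunk checksums plus a whole-image hash.

Added example, not FTK Imager or EnCase code. It does NOT implement the real
EnCase Evidence File format; it only mirrors the integrity layout the text
describes: [chunk][Adler-32] repeated, then an MD5 footer over the bitstream.
"""
import hashlib
import struct
import zlib

SECTOR = 512
CHUNK = 64 * SECTOR   # 32 KiB, the E01 chunk size named in the text
FOOTER = 16           # size of the MD5 digest stored after the last chunk


def pack_image(bitstream: bytes) -> bytes:
    """Serialise as [chunk][adler32 BE u32] ... [md5 of the whole bitstream]."""
    out = bytearray()
    for off in range(0, len(bitstream), CHUNK):
        chunk = bitstream[off:off + CHUNK]
        out += chunk
        out += struct.pack(">I", zlib.adler32(chunk) & 0xFFFFFFFF)
    out += hashlib.md5(bitstream).digest()
    return bytes(out)


def verify_image(packed: bytes) -> dict:
    """Re-check every chunk checksum and the footer hash.

    Returns {'md5_ok': bool, 'bad_chunks': [chunk indices], 'data': bytes}.
    """
    body, footer = packed[:-FOOTER], packed[-FOOTER:]
    data = bytearray()
    bad_chunks = []
    pos, idx = 0, 0
    while pos < len(body):
        remaining = len(body) - pos
        if remaining < 4:
            raise ValueError("truncated image: record shorter than a checksum")
        # every record is chunk + 4-byte checksum; only the final chunk may be short
        chunk_len = min(CHUNK, remaining - 4)
        chunk = body[pos:pos + chunk_len]
        (stored,) = struct.unpack(">I", body[pos + chunk_len:pos + chunk_len + 4])
        if (zlib.adler32(chunk) & 0xFFFFFFFF) != stored:
            bad_chunks.append(idx)       # localises the damage to this 32 KiB block
        data += chunk
        pos += chunk_len + 4
        idx += 1
    md5_ok = hashlib.md5(data).digest() == footer
    return {"md5_ok": md5_ok, "bad_chunks": bad_chunks, "data": bytes(data)}


def corrupt(packed: bytes, offset: int) -> bytes:
    """Flip one bit at a byte offset of the packed image (simulated media damage)."""
    buf = bytearray(packed)
    buf[offset] ^= 0x80
    return bytes(buf)


if __name__ == "__main__":
    # constructed sample bitstream: two full chunks plus a short tail (76,800 bytes)
    sample = bytes(range(256)) * 300
    image = pack_image(sample)
    print("intact:", verify_image(image)["bad_chunks"], verify_image(image)["md5_ok"])
    damaged = corrupt(image, CHUNK + 4 + 100)   # inside chunk 1
    r = verify_image(damaged)
    print("damaged chunk:", r["bad_chunks"], r["md5_ok"])
    r = verify_image(corrupt(image, len(image) - 1))   # damage the footer instead
    print("damaged footer:", r["bad_chunks"], r["md5_ok"])
```

Adler-32 is a non-cryptographic checksum: it catches accidental media or transfer damage, not deliberate modification. Guarding against the latter is the job of the hash, and of keeping a copy of that hash outside the image (FTK Imager's .txt log) so the image cannot simply be rewritten together with its footer.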




   7)   Enter the description for your Evidence and click "Next"



   8)   Choose the destination folder on the output drive and provide a file name for the image; the image will be written as name.E01





   9)   Set "Image Fragment Size (MB)" to 0 so the image is written as a single file instead of being split into .E01, .E02, ... segments (the default is 1500 MB), set "Compression" to 9 (smallest) and click on "Finish". A single-file image needs a destination file system that allows large files: FAT32 cannot hold a file larger than 4 GB, so either write to NTFS or exFAT or keep a fragment size.




   10)   Back in the "Create Image" dialog, make sure "Verify images after they are created" is ticked. FTK Imager hashes the source as it reads it and records that hash; with verification enabled it then re-reads the finished image, hashes it again and compares the two. If anything on the source changes while it is being read, or the image is damaged while being written, the hashes will not match and the image cannot be relied on. So do not write to, unplug or otherwise touch the source while the process is running. Then click on "Start".



   11)   The imaging process has started; wait for some time.




   12)    "Image Created Successfully", now the verification process starts 




   13)   Wait for the verification process to be completed.



   14)   Verification Completed Successfully. 



   15)   Two files are created: Clone.E01 (the image) and Clone.E01.txt (the acquisition and verification log)


   16)   Now open Clone.E01.txt to check the integrity of the image.
        Under "Image Verification Results" the MD5 and SHA1 lines should end with "verified", as in the screenshot. Keep this log together with the image: the hashes in it are what you compare against if the image is ever copied elsewhere or re-verified later with another tool.
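Step 16 relies on FTK Imager's own "verified" line. A practitioner will usually also re-check the recorded hash with an independent tool later (for E01 images, for example, ewfverify from libewf). The script below is an added example, not FTK Imager code, for the simpler raw (dd) case: it parses the digests recorded under "[Computed Hashes]" in a log laid out like FTK Imager's .txt file, streams the image file once to recompute MD5 and SHA-1, and reports per algorithm whether they match. The log text, the image contents and the file name clone.001 are all constructed for the example; the digests in the constructed log are those of the sample image, standing in for the values the tool would have recorded at acquisition time.

```python
"""Re-check an acquisition log against an independently computed hash of a raw image.

Added example, not FTK Imager code. The log layout below is CONSTRUCTED to mirror
the <image>.txt file FTK Imager writes; only the [Computed Hashes] block is parsed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed stand-in for a small drive acquired as a raw (dd) image:
# 4096 sectors of a repeating pattern, 2 MiB in total. Not data from any real device.
SECTOR = b"FTK-IMAGER-SAMPLE-SECTOR".ljust(512, b"\x00")
SAMPLE_IMAGE = SECTOR * 4096

HASH_LINE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9a-fA-F]{32,40})", re.M)


def parse_acquisition_hashes(log_text: str) -> dict:
    """Return {'md5': hex, 'sha1': hex} recorded under [Computed Hashes].

    The same digests are repeated under 'Image Verification Results' with a
    ': verified' suffix; the acquisition-time block is read deliberately, because
    those are the values computed while the source itself was being read.
    """
    if "[Computed Hashes]" not in log_text:
        raise ValueError("log has no [Computed Hashes] block")
    section = log_text.split("[Computed Hashes]", 1)[1]
    section = section.split("Image Information:", 1)[0]
    return {algo.lower(): value.lower() for algo, value in HASH_LINE.findall(section)}


def hash_file(path: Path, algos=("md5", "sha1"), block=1 << 20) -> dict:
    """Stream the image once, feeding every requested digest in parallel."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def check_acquisition(log_text: str, image_path: Path) -> dict:
    """Compare recorded vs recomputed digests: {algo: (expected, actual, ok)}."""
    expected = parse_acquisition_hashes(log_text)
    actual = hash_file(image_path, algos=tuple(expected))
    return {a: (expected[a], actual[a], expected[a] == actual[a]) for a in expected}


def build_sample_log(image: bytes, image_path: str) -> str:
    """CONSTRUCTED log in the layout of FTK Imager's <image>.txt (not a real log)."""
    md5 = hashlib.md5(image).hexdigest()
    sha1 = hashlib.sha1(image).hexdigest()
    return f"""Created By AccessData(R) FTK(R) Imager (constructed sample log)

Case Information:
Unique description: sample flash drive (constructed)
Examiner: example

--------------------------------------------------------------

Information for {image_path}:

Physical Evidentiary Item (Source) Information:
[Device Info]
 Source Type: Physical
[Computed Hashes]
 MD5 checksum:    {md5}
 SHA1 checksum:   {sha1}

Image Information:
 Segment list:
  {image_path}

Image Verification Results:
 MD5 checksum:    {md5} : verified
 SHA1 checksum:   {sha1} : verified
"""


def demo(tamper: bool = False) -> dict:
    """Write the sample image (optionally with one flipped bit) and check it against the log."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "clone.001"          # assumed raw-image file name
        data = bytearray(SAMPLE_IMAGE)
        if tamper:
            data[1024] ^= 0x01                  # one bit in the third sector
        path.write_bytes(data)
        log = build_sample_log(SAMPLE_IMAGE, str(path))
        return check_acquisition(log, path)


if __name__ == "__main__":
    for tamper in (False, True):
        for algo, (exp, got, ok) in demo(tamper).items():
            print(f"tamper={tamper} {algo}: recorded {exp[:12]}.. recomputed {got[:12]}.. "
                  f"{'OK' if ok else 'MISMATCH'}")
```

Checking both digests matters in practice: a single flipped bit changes both, and an image that matches the recorded MD5 but not the recorded SHA-1 (or vice versa) points at a transcription error in the log rather than at the image.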


  
     That is how hard disks, flash drives and other media are imaged bit for bit, with the hashes proving that nothing was lost or changed. This is the technique used by forensic acquisition teams. If you face any issue or problem while imaging your drive, let me know in the comments so that I can help you solve it.

Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.
