This preview shows page 1. Sign up to view the full content.
Unformatted text preview: s contents. An ‘image’ thus includes all the unused space of the drive.
c. One of the first things that a forensic expert would do is to acquire the image of the
hard drive and calculate is Hash, in order to protect its integrity during the
investigation process. INFOSYS 727 DEPARTMENT OF INFORMATION SYSTEMS
AND OPERATIONS MANAGEMENT Advanced Information
Security 2. Analysis
Once the Image is acquired it is analyzed using special tools such as FTK. The software
indexes contents (used + unused space) of the image in a flexible and easy to access manner.
The Forensic expert looks for specific evidence as informed by the stakeholders in the case.
After the analysis is done, the forensics expert formulates the report and sends it for judicial
In this lab you will only deal with Step 2 – “Analysis” process using FTK toolkit.
1. Download the image “Precious Encase.01” from CECIL and save it to your Desktop.
2. To present the case in the court, you need to calculate the hash of the image before starting...
View Full Document
- Spring '14