compares the two data streams using an algorithm to ensure they are the same. Once the image process is complete, FTK runs both an MD5 and a SHA1 hash algorithm to compare the source drive and the resulting image of the source drive. These hashes serve two purposes: first, they verify that the original source drive was not altered in any way; and second, they verify that the resulting image is identical to the source drive. Both of these types of hashes are large numbers obtained by running an algorithm against the data stream of the drives. These numbers uniquely describe the contents of a file or drive and are essentially a “digital fingerprint” of a file or an entire disk. The odds that two files or disks with different contents will have the same hash value are roughly 1 × 10 to the 38th power (a 1 followed by 38 zeros). By using two different hash algorithms we increase those odds exponentially. The point to be understood from this is that if the hash values of two files or drives match, you can be assured that the file or disk contents match as well.
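
The verification step described above, as an added example that is not part of the original text and is not FTK's own code: it streams a source and its image through MD5 and SHA1 in a single pass and compares the digests. The file names and sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit in memory


def dual_hash(path):
    """Return (md5_hex, sha1_hex) of a file, computed in one streamed pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(source_path, image_path):
    """Compare source and image digests; both algorithms must agree."""
    src, img = dual_hash(source_path), dual_hash(image_path)
    return {
        "source": src,
        "image": img,
        "md5_match": src[0] == img[0],
        "sha1_match": src[1] == img[1],
        "verified": src == img,
    }


def demo():
    """Constructed sample: a stand-in 'drive', an exact copy, and a copy with one bit flipped."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.dd")
        good = os.path.join(tmp, "image_good.dd")
        bad = os.path.join(tmp, "image_bad.dd")
        data = bytes(range(256)) * 8192  # 2 MiB of constructed data
        altered = bytearray(data)
        altered[1_500_000] ^= 0x01  # single-bit change inside the second chunk
        for path, content in ((source, data), (good, data), (bad, bytes(altered))):
            with open(path, "wb") as fh:
                fh.write(content)
        return verify_image(source, good), verify_image(source, bad)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Recording both digests at acquisition and recomputing them before analysis gives a documented check that the working copy still matches what was acquired.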

Once the technician obtained the image of the hard drive, he stored it on his computer and shared the folder out to me, so that I could begin the analysis. Sharing a folder means that he set the permissions on that folder so that I could log into his computer and have read rights to the data on that folder.

I began my analysis by beginning a new case using Forensics Toolkit (FTK) version 1.61a. FTK goes through all of the data on the image and indexes and organizes it for easier analysis. This process can take a considerable amount of time depending on the amount of data.

I first browsed through all of the graphics files. I found a substantial amount of files in some folders labeled . . . . . . , that did not seem to be organization business related. I then analyzed the metadata of the photos to gather more information. Metadata are part of the file in a graphic image. When a graphic image is opened in a text or hex editor, you are able to identify metadata that can show if the graphic came from a