Detailed Plan for Forensic Acquisition of SD Card with FTK Imager

Verified

Added on 2022/10/02

AI Summary

This assignment provides a comprehensive plan for the forensic acquisition of data from an SD card, formatted with a FAT32 file system, using the FTK Imager tool. The plan begins with establishing the scope and identifying key players, followed by the use of FTK Imager to create a forensically sound image of the SD card. The process includes selecting the SD card as the source, choosing the image format, and entering case details. The assignment also describes the tools used for data recovery, such as MjM Free Photo Recovery Software and Inspector Smart Recovery, and provides insights into the file system structure, including the NTFS segment and the MFT record. The student's methodology ensures the reliability and admissibility of the evidence, emphasizing the importance of a structured report understandable to both technical and non-technical readers. The assignment also references relevant academic papers to support the methodology and tools used, demonstrating a strong understanding of digital forensic principles and practices.

1
Forensic Analysis
Student’s Name:
Institution Affiliation:

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

2
Plan of a digital forensic collection of data from a specific device
Step 1: Distinguishing proof is a critical initial phase in the scientific assessment process. It
legitimately impacts endeavors to build up a strategy and, eventually, the achievement of the
venture. It additionally enables the client to control costs.
Step 2: Before any computerized measurable assessment starts, the extent of activities must be
recognized. Who are the key players and overseers? What are the best wellsprings of potential
electronic proof that should be gotten to for gathering?
Step 3: Leading meetings is a significant early advance in a fruitful computerized scientific
assessment. When deciding important gadgets from which to gather information for a case
Step 4: Take a gander at the scope of factors and figure out what variables are affecting
everything for the situation.
Step 5: Archive what you have gathered.
Step 6: On the off chance that it is resolved that extra electronic proof (excluded in the first
arrangement) should be assembled, it's critical to decide whether there is a requirement for a
legitimate warrant, corrected assent structure, or some other changes to the first extent of work.

3
Computerized proof should be altogether evaluated concerning the extent of the case. The extent
of a criminological assessment ca exclude "everything." At least, not except if there is boundless
time and spending plan included.
Forensic acquisition of the SD card
Experiment procedure
In carrying out our experiment, we used a 256 MB SD card, which has photos, word, pdf,
and other file formats. Our system for testing the SD card is running a Windows
operating system. We first formatted our SD card using our Windows machine(Kebande,
and Ray, 2016).
Tools used
Forensic Tool Kit (FTK) Imager software
It is an information preview and imaging device used to obtain information (proof) in a
forensically stable way by making duplicates of information without making changes to
the first proof. Here is our FTK tool(Shrivastava, 2017).
Click on the source for our case is SD card

4
Selecting drive and click finish

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

5
We then select the image format
Our next step is to enter case details.

6
We choose destination folder in our PC

7
Evidence found in SD card using FTK
MjM Free Photo Recovery Software
The apparatus naturally finds the memory card once it's been connected to the card
peruser and is at that point prepared to examine. It shows what is contained on the card as
thumbnail pictures. It can see photographs in full size or recuperate them all(Kouwen et
al., 2018).
Tool functionality

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

8
The instrument utilizes a drop-down menu to choose the size of the record with the most
extreme and least document size by Default most extreme (2048k) and least (128k). The
instrument bolsters profound sweep usefulness where the client ticks the container will
show a back rub setting saying "profound can just be utilized on the off chance that your
photographs don't show utilizing default settings, utilizing an ordinary sweep or if the
memory document framework is degenerate."
Evidence from SD card

9
Inspector Smart Recovery
It is an examination based program to take a gander at removable media, for example,
securely computerized. Furthermore, mixed media cards. This device has been promoted
to work with any removable media from computerized cameras and recoup any
documents that have been erased.

10
The interface of the instrument is primary. It comprises of two drop-down menus and a
program bar to choose the goal of the recovered pictures. The first drop-down menu is to
choose the removable drive expected for review and recovery. The gadget determination
subtleties the gadget, for example, the size of media drive and on the off chance that it is
fixed or removable. While a subsequent drop-down menu offers, a determination of the
arrangement of the records means to be recovered as appeared in Figure 4. Since this
paper will look into the adequacy of the device in recovering pictures from an SD card,
the device was set to recoup the JPG photograph position. In choosing the JPG group,
additional help ends up accessible, called upgraded alternatives to show with or without
thumbnail pictures. The instrument bolsters diverse picture design anyway with the end
goal of this examination, and the device recouped JPG records as it were(Valjarevic, and
Venter, 2015).
Evidence from SD card

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

12
File system
An NTFS segment itself has a straightforward structure. Toward the start is the single
NTFS boot division. Some places in the sector are the two reflections of the Master File
Table. The Master File Table (MFT) has large passages. Without a doubt, numerous little
records are wholly put away inside the MFT. Ordinarily, the MFT is distributed about
12.5% of the segment size. However, this worth can be changed to accommodate a record
framework with untypically numerous huge or untypically little documents. If necessary,
some portion of this assignment is utilized to provide different materials. The rest of a
few vast records are put away in the File System Data zone, which makes up the more
significant part of the parcel. From this design, we can see that NTFS is a substantial
takeoff from FAT, adjusted to the monstrous (by principles of 10 years prior) circle sizes
and volume of information. A duplicate of the ace record table stores the initial four
framework passages (or of the MFT to fix the document framework if a plate square turns
terrible.
$MFT FILE Record