DIGITAL FORENSICS: HOW TO CREATE A FORENSIC IMAGE IN WINHEX

Digital Forensics: How to Create a Forensic Image in WinHex

การสำเนาหลักฐานดิจิทัลโดยใช้โปรแกรม WinHex

Hex Editor & Disk Editor

WinHex: Computer Forensics & Data Recovery Software,

Hex Editor & Disk Editor

WinHex is in its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery,

List Tools

- 

- USB dataTraveler G4 16GB (digital evidence)

- WinHex V.19

- FTK Imager 3.4.0.1

- write Blocker Tools (Write Blocking a Disk Image File Using WinHex) Or Hardware write Blocker 

1. Open WinHex. 

Write Blocking a Disk Image File Using WinHex

**Best practices in digital forensics demand the use of write-blockers when creating forensic.

2. From the “Tools” menu select “Open Disk...”

Open Disk

3. In the following dialog, select the physical disk that you would like to image. In this example, a  USB drive is being used.

NOTE: It is important that you select the Physical Media, to ensure you are taking an image of the entire disk. If you select a Logical Drive Letter, you are only going to get an image of a single partition.

3.1 Compute hash md5 before Create Disk Image.

Compute hash MD5= 9F132B55502368A6064186A74614032B

4. Once the disk has been opened in WinHex, select “Create Disk Image...” from the File menu.

Create Disk Image 

5. You will then get the following dialog box:

Create Disk Image 

 You will need to make sure to select “Raw image (dd)” for the image file format, choose a location to save it too by clicking the three dot button in the Path and filename box, Also, check off “Compute hash” in the right hand box and leave everything else as default. Click OK.

หมายเหตุ: ต้องเป็น winhex license activated  จะสามารถใช้คำสั่ง Raw Image ได้

Path and Filename

6. Once you click OK, you will need to select the type of hash you want to do, select MD5 from the drop-down menu. Your disk will begin to image.

7. When the image is finished, you will get a dialog that gives the hash value that was computed.

MD5= 9F132B55502368A6064186A74614032B

8. Your image is complete. NOTE: Your destination folder will now contain the dd image file and a txt file that contains the hash value that was computed as a part of the applications task.

dd image file and a txt file

9. Check image file  by FTK Imager > To mount an image file, click on Image Mounting option.

10. Select virtual drive image. CF-DFE-winhex_01.001

11. Select Mount Type, Drive Letter and Mount Method and click on mount option.

12. Image is Ok

ที่มา:

https://www.x-ways.net/winhex/

หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น

* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย  รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud