You are given a PC and you are faced with this scenario: you don’t know the password to the PC, which means you can’t log in, so you can use a forensic tool like FTK Imager to capture the hard drive as a bit-for-bit forensic image, AND/OR:
1. The hard drive is either soldered onto the motherboard (there are some new hard drives like this!) or cannot be removed because the screws are stripped (this has happened to me);
2. Even if you figured out the password or got an admin password, the PC may have its USB ports blocked via a GPO policy (this is very common in corporations now);
3. Even if you can get the GPO policy overridden, you may have some concerns about putting it on the network (which is true especially if you are dealing with malware).
So what can you do? The best solution is to boot the PC into a forensically sound environment that lets you bypass the password, the GPO policy, etc., and take a bit-for-bit image. One piece of software that has done the job very well for me is Paladin.
How to get points
If you can send me a screenshot showing that you have downloaded the Paladin ISO and made your USB device bootable with Paladin using Rufus, then you get 10 points.
If you can send me a screenshot showing that you had a chance to boot your computer into Paladin, then you will earn an extra 10 points. It is not necessary for you to take a forensic image of your PC, but I have included generic instructions here.
1. You have downloaded Rufus on your computer.
2. You have downloaded Paladin on your computer.
1. Make sure you have at least one USB drive.
2. If not done already, download Rufus from https://rufus.ie/.
3. If not done already, download the Paladin ISO image from this website: https://sumuri.com/product/paladin-64-bit-version-7/ which is free. Its suggested price is $25.00, but you can adjust the price to $0 and then order. To be clear – do not pay anything.
4. Insert the USB device in your computer.
5. Run Rufus to write the Paladin ISO file to the USB device and make it bootable. Now I could provide you step-by-step instructions, but this is a Masters class, so I want you to explore a bit and figure this out. One good video is this: https://www.youtube.com/watch?v=V6JehM0WDTI.
6. After you are done using Rufus, where you have written the Paladin ISO to the USB device and made it bootable, make sure the USB device is in the PC.
7. Restart your PC. Press F9 (HP laptop) or F12 (Dell laptop) so you are taken into the BIOS boot menu.
8. This is where things get a bit tricky, e.g. your computer may be configured differently, so that you have to adjust your BIOS settings. If you do not feel comfortable doing this, then stop here. I do not want you to mess up your computer. You have already earned ten extra points!
9. If you still proceed, you will see a list of bootable devices. Pick the device that most closely resembles your USB device. Select it so you can boot into your Paladin USB device.
10. If you see an error message that says “Operating System Not Found” then go back to Sumuri and download Paladin Edge which is free.
11. From there, you will then see a series of options. Select the first mode which is Forensic Mode. See sample screenshot.
12. After that, you are NOW in PALADIN. See sample screenshot.
13. Click and start the Paladin Toolbox. See sample screenshot.
14. If you have a LARGE USB device that is larger than your computer’s hard drive (e.g. 1 TB), then insert that drive into your computer. See sample screenshot.
15. Click “Disk Manager” in PALADIN TOOLBOX and you should see that second drive show up. Be sure to mount it as Mounted-RW, since the destination drive must be writable to receive the image. See sample screenshot.
16. Now go back to Imager and then click on the source and be sure to select your computer’s hard drive as the source.
17. For the Image Type, it is recommended to select “DD/Raw”. See sample screenshot.
18. Now for the Destination field, be sure to select the USB device that will hold the image.
19. Check “Verify the files after creation”, so that the image is hashed and compared against the source once the copy finishes.
20. Write the name of the image file as “Hard Drive” or whatever name you want to give it.
21. Click “Start”.
22. Copying the image takes at least 30 minutes, depending on how much space the drive has.
23. Verification takes about as long as the copy.
24. Then, for proof, send me a screenshot showing that you have created the image.
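As an added example (not part of the assignment and not Paladin’s own code), the script below does by hand what steps 17 through 23 do in the Paladin Toolbox: a raw dd copy followed by a size and SHA-256 comparison of source and image. It assumes a constructed 1 MiB file stands in for the evidence drive; on a real acquisition SRC would be a block device, and the image would be written to the mounted destination USB drive.

```shell
#!/bin/sh
# Added example: DD/Raw acquisition plus "verify after creation" on the command line.
# SRC is a constructed stand-in for the hard drive (not a real device).
set -eu

WORK=$(mktemp -d)
SRC="$WORK/source.bin"       # constructed "hard drive": 1 MiB of random bytes
IMG="$WORK/HardDrive.dd"     # the raw image, named as in step 20

# Build the constructed source drive.
dd if=/dev/urandom of="$SRC" bs=1024 count=1024 2>/dev/null

# Acquire: bit-for-bit copy. conv=noerror,sync keeps going past a bad sector
# and pads it with zeros instead of aborting, so the image stays sector-aligned.
acquire() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Verify: image must be the same size as the source and hash to the same
# SHA-256. On success the hash is recorded beside the image for the case notes.
# Returns 0 on match, 1 on any mismatch.
verify() {
    src_size=$(wc -c < "$1" | tr -d ' ')
    img_size=$(wc -c < "$2" | tr -d ' ')
    if [ "$src_size" -ne "$img_size" ]; then
        echo "size mismatch: source=$src_size image=$img_size"
        return 1
    fi
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source=$src_hash image=$img_hash"
        return 1
    fi
    echo "$img_hash  $2" > "$2.sha256"
    echo "verified: $img_hash"
    return 0
}

acquire "$SRC" "$IMG"
verify "$SRC" "$IMG"
```

A single appended or altered byte in the image is enough to make verify fail, which is exactly the property the verification step in Paladin is there to give you.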