A county detective asks you, a Forensics Investigator, to help him catch a serial arsonist, who has set fire to multiple Walmart and Lumbermill stores in the county. The detective has obtained a suspect’s USB drive that might be clues to solving the case. The detective wants you to perform a preliminary investigation of the USB drive because he needs a search warrant (subpoena) to seize further evidence in the suspect’s home and workplace. The law prohibits searching a suspect’s home or workplace without specific evidence. After a preliminary investigation, you conclude that you might have found the arsonist, who documented his crimes on his computer. During your analysis of the files, you recovered images of fires in a folder named “Pleasure.” You also found folders named “Walmart” and “Lumbermill.” You submit the results of the preliminary investigation to the detective, and he obtains a subpoena from the County Judge.

Frist, by using a FTK Imager, you create the image by going to “File” and “Create Disk Image” and from Select Source, select Logical Drive. From the Source Drive Selection, choose D (USB) and click “Add…” from the Create Image. From the Select Image Type, choose “E01” and follow the Evidence Item Information.