ftk imager 2.6.1

Post on 19-Dec-2015

FTK Imager 2.6.1

http://www.accessdata.com/downloads.html

FTK Imager Interface

Viewer

File List

Evidence Tree View

Properties

Status Bar

Tool Bar

Menu Bar

Native Viewer

Properties: General

Properties: DOS Attribs & NTFS Info

Properties: Access Control Entry

Interpreters: Values

Interpreters: Dates

Hex Interpreter

Hex View

Hex Interpreter

Hex Viewer

Right-Click Menu options

Export Files...

Choose where. Go for it!

Export Hash List ...

Hash value of each file in directory

Add to Custom Content Image(AD1)

More on this later

Drive Free Space

Unallocated Space

Unpartitioned Space

FTK Imager: Image a Device

Choose the Device

Where to put it. What to call it

E01 Permits Compression

Single Source - Multiple Images

Multiple Images – Multiple Sources

Once one is started you can start another.

Progress Success

FTK Creates a Couple of Files

.csv – Listing of files found

.txt – Properties of Device

Details from FTK Imager

Information for C:\Documents and Settings\Admin\My Documents\Courses\Forensics\Case\Case-USB\08-0001\Image\08-0001.dd:

Physical Evidentiary Item (Source) Information:
[Drive Geometry]
 Cylinders: 31
 Tracks per Cylinder: 255
 Sectors per Track: 63
 Bytes per Sector: 512
 Sector Count: 499,712
[Physical Drive Information]
 Drive Model: Kingston DataTraveler 2.0 USB Device
 Drive Interface Type: USB
 Source data size: 244 MB
 Sector count: 499712
[Computed Hashes]
 MD5 checksum: c78f258d9661b2086bb37658527290f6
 SHA1 checksum: ee8f4315cdc0911f0467dfdb5ea8a5148ab415e8

Image Information:
 Segment list:
  C:\Documents and Settings\Admin\My Documents\Courses\Forensics\Case\Case-USB\08-0001\08-0001.dd.001

Thu Oct 02 11:40:12 2008 - Image Verification Results:
 MD5 checksum: c78f258d9661b2086bb37658527290f6 : verified
 SHA1 checksum: ee8f4315cdc0911f0467dfdb5ea8a5148ab415e8 : verified

List of Undeleted Files

Using FTK Imager: Triage

Choose Source

Find the Image

Image Added to FTK Imager

Explore the Image

Converting from One Format to Another

Open image file
Select it
File->Export Disk Image
Create image dialog

Add
Provide the requested info

Image Verification

dd Image

EnCase E01 Image

Custom Content Image (AD1)

• Logical images that contain all sorts of content
• Portions of a file system
• Entire file systems
• Individual files or folders
• Portions of free space

• Contains content from diverse forensic images
• “Case in a file”

Add Content to the Custom Content Image

Create Custom Content Image

Review the Content

Create Image

Creates a .csv file of the contents of the AD1 file.

Name and Place

CCI.txt

The Custom Content Image was made from the following list:
--------------------------------------------------
USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\[root]\Comp_Sec-II\CS_457.2010.doc

MD5,SHA1,Filename
"d41d8cd98f00b204e9800998ecf8427e","da39a3ee5e6b4b0d3255bfef95601890afd80709","USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\[root]\Comp_Sec-II\CS_457.2010.doc\CS_457.2010.doc"

USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\unallocated space\00412

MD5,SHA1,Filename
"9da2a3b792a0d032fd7fd0363886e910","a6dbd978d9512abfba6a170598acf9b78c825120","USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\unallocated space\00412\00412"
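Added example, not part of the original slides: Python that parses the MD5,SHA1,Filename rows of the hash list above and flags any entry whose two digests are those of zero bytes of input, which is the case for the CS_457.2010.doc row. The function names, and the assumption that each row sits on its own line, are the example's own.

```python
import csv
import hashlib
import io
import re

# Digests of zero bytes of input, computed rather than hard-coded.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()

# Constructed sample: the two hash-list rows shown above, one row per line.
SAMPLE = r'''MD5,SHA1,Filename
"d41d8cd98f00b204e9800998ecf8427e","da39a3ee5e6b4b0d3255bfef95601890afd80709","USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\[root]\Comp_Sec-II\CS_457.2010.doc\CS_457.2010.doc"
MD5,SHA1,Filename
"9da2a3b792a0d032fd7fd0363886e910","a6dbd978d9512abfba6a170598acf9b78c825120","USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\unallocated space\00412\00412"
'''

HEX = re.compile(r"[0-9a-f]+")

def parse_hash_list(text):
    """Return one dict per data row; header and non-CSV lines are skipped."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3 or row[0].strip().upper() == "MD5":
            continue  # repeated header, source-path line, or blank line
        md5, sha1, name = (field.strip() for field in row)
        md5, sha1 = md5.lower(), sha1.lower()
        well_formed = (len(md5) == 32 and len(sha1) == 40
                       and HEX.fullmatch(md5) and HEX.fullmatch(sha1))
        entries.append({
            "name": name,
            "md5": md5,
            "sha1": sha1,
            "well_formed": bool(well_formed),
            # Both digests equal the empty-input values: zero bytes were hashed.
            "empty_content": md5 == EMPTY_MD5 and sha1 == EMPTY_SHA1,
        })
    return entries

def review(entries):
    """Names of entries to examine before relying on the hash list."""
    return [e["name"] for e in entries
            if e["empty_content"] or not e["well_formed"]]

if __name__ == "__main__":
    for e in parse_hash_list(SAMPLE):
        flag = "EMPTY CONTENT" if e["empty_content"] else "ok"
        print(f'{flag:13} {e["md5"]} {e["name"]}')
```

An entry flagged this way has valid hashes but no file content behind them, so it should be checked against the source image before it is cited in a report.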

FTK Imager

• Acquisition Tools
• Image Formats
• FTK Imager Interface
• FTK Functionality

Lab

• Sanitize your thumb drive
• Make case folder
• Seize the thumb drive (Red)
• Image the evidence thumb drive (Red)
• Write an Imaging Report
