
FTK Imager

2.6.1
http://www.accessdata.com/downloads.html

FTK Imager Interface


Menu Bar

Tool Bar

Evidence Tree View

File List

Native Viewer

Properties
Status

Viewer

Properties General

Properties DOS Attribs & NTFS Info

Properties Access Control Entry

Interpreters Values

Interpreters Dates

Hex Interpreter

Hex Viewer

Hex Interpreter

Hex View

Right-Click Menu options

Export Files...

Choose where. Go for it!

Export Hash List ...

Hash value of each file in directory

Add to Custom Content Image (AD1)

More on this later

Drive Free Space


Unallocated Space

Unpartitioned Space

FTK Imager
Image a Device

Choose the Device

Where to put it. What to call it

E01 Permits Compression

Single Source - Multiple Images

Multiple Images Multiple Sources

Once one is started you can start another.

Progress

Success

FTK Creates a Couple of Files

.csv Listing of files found

.txt Properties of Device

Details from FTK Imager


Information for C:\Documents and Settings\Admin\My Documents\Courses\Forensics\Case\Case-USB\08-0001\Image\08-0001.dd:
Physical Evidentiary Item (Source) Information:
[Drive Geometry]
Cylinders: 31
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 499,712
[Physical Drive Information]
Drive Model: Kingston DataTraveler 2.0 USB Device
Drive Interface Type: USB
Source data size: 244 MB
Sector count: 499712
[Computed Hashes]
MD5 checksum: c78f258d9661b2086bb37658527290f6
SHA1 checksum: ee8f4315cdc0911f0467dfdb5ea8a5148ab415e8
Image Information:
Segment list:
C:\Documents and Settings\Admin\My Documents\Courses\Forensics\Case\Case-USB\08-0001\08-0001.dd.001
Thu Oct 02 11:40:12 2008 - Image Verification Results:
MD5 checksum: c78f258d9661b2086bb37658527290f6 : verified
SHA1 checksum: ee8f4315cdc0911f0467dfdb5ea8a5148ab415e8 : verified
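
An added example (not part of the original slides and not FTK Imager's own code): re-checking a segmented dd image against the MD5 and SHA1 values recorded in a summary file like the one above. The function names and the `sample.dd` segment files are constructed for illustration; segment naming is assumed to follow the `.001` pattern shown in the segment list.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Summary lines read "MD5 checksum: <hex>", optionally followed by " : verified".
HASH_LINE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9a-fA-F]+)", re.M)

def recorded_hashes(summary_text):
    found = {}  # first value seen per algorithm, lower-cased
    for algo, digest in HASH_LINE.findall(summary_text):
        found.setdefault(algo.lower(), digest.lower())
    return found

def find_segments(image_dir, base_name):
    """Return base_name.001, base_name.002, ... in numeric order."""
    pattern = re.compile(re.escape(base_name) + r"\.\d+")
    hits = [p for p in Path(image_dir).iterdir() if pattern.fullmatch(p.name)]
    return sorted(hits, key=lambda p: int(p.suffix[1:]))

def hash_segments(paths, chunk_size=1 << 20):
    """Hash every segment, in order, as one continuous byte stream."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in paths:
        with open(path, "rb") as fh:
            while chunk := fh.read(chunk_size):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_image(summary_text, image_dir, base_name):
    """Map each recorded algorithm to True (match) or False (mismatch)."""
    expected = recorded_hashes(summary_text)
    segments = find_segments(image_dir, base_name)
    if not expected or not segments:
        raise ValueError("no checksum lines in summary, or no segments found")
    actual = hash_segments(segments)
    return {algo: actual[algo] == digest for algo, digest in expected.items()}

def demo():
    data = bytes(range(256)) * 8  # constructed stand-in for device contents
    summary = (f"[Computed Hashes]\nMD5 checksum: {hashlib.md5(data).hexdigest()}\n"
               f"SHA1 checksum: {hashlib.sha1(data).hexdigest()}\n")
    with tempfile.TemporaryDirectory() as d:
        Path(d, "sample.dd.001").write_bytes(data[:1024])
        Path(d, "sample.dd.002").write_bytes(data[1024:])
        clean = verify_image(summary, d, "sample.dd")
        Path(d, "sample.dd.002").write_bytes(data[1024:-1] + b"\x00")  # alter one byte
        return clean, verify_image(summary, d, "sample.dd")
```

Run the check against a working copy of the image, and record the result alongside the original summary in the case folder.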

List of Undeleted Files

Using FTK Imager


Triage

Choose Source

Find the Image

Image Added to FTK Imager

Explore the Image

Converting from One Format to Another
Open image file
Select it
File->Export Disk Image
Create image dialog
Add
Provide the requested info

Image Verification
dd Image

EnCase E01 Image

Custom Content Image (AD1)

Logical images that contain all sorts of content

Portions of a file system
Entire file systems
Individual files or folders
Portions of free space

Contains content from diverse forensic images
Case in a file

Add Content to the Custom Content Image

Create Custom Content Image

Review the Content

Create Image

Create Image

Creates a .csv file of the contents of the AD1 file.

Name and Place

CCI.txt
The Custom Content Image was made from the following list:
-------------------------------------------------
USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\[root]\Comp_SecII\CS_457.2010.doc
MD5,SHA1,Filename
"d41d8cd98f00b204e9800998ecf8427e","da39a3ee5e6b4b0d3255bfef95601890afd80709","USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\[root]\Comp_Sec-II\CS_457.2010.doc\CS_457.2010.doc"
USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\unallocated space\00412
MD5,SHA1,Filename
"9da2a3b792a0d032fd7fd0363886e910","a6dbd978d9512abfba6a170598acf9b78c825120","USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\unallocated space\00412\00412"

FTK Imager

Acquisition Tools
Image Formats
FTK Imager Interface
FTK Functionality

Lab

Sanitize your thumb drive
Make case folder
Seize the thumb drive (Red)
Image the evidence thumb drive (Red)
Write an Imaging Report
