How to Create a Forensic Image with FTK Imager

damenhotel
5 min read · Dec 12, 2018


Photo Credit: Tyler Helwig — https://helwig.io

This is a very simple guide on how to create a forensic image of a physical hard drive that you have connected to your Windows Computer:

What's Needed:

Who would want to do this?

A forensic image is most often needed so that the integrity of the image can be verified after a hard drive has been acquired. This is usually performed by law enforcement for court because, after a forensic image has been created, its integrity can be checked to verify that it has not been tampered with. Further, a forensic image can be backed up and/or tested on without damaging the original copy or evidence.

Further, you can create a forensic image from a running or dead machine. I guess the best way to explain the forensic image to someone who does not know about computers is that it is a literal snapshot in time that has integrity checking.

There are many ways to create a forensic image. However, the easiest ways I have found are FTK Imager for Windows and Guymager for Linux. On Windows, it is a simple install. On Linux, you would use your package manager to download it. Example: apt install guymager.

Guide:

Step 1: For a dead acquisition, you will need to connect the hard drive, using an HDD dock or other means, to a laptop that has FTK Imager installed.

Step 2: Open FTK Imager by clicking on the “FTK Imager” icon. A screenshot of the icon can be seen below. Once it is open, you should be greeted with the FTK Imager dashboard.

Step 3: In the top left of the dashboard, you will see a toolbar. One of the icons on the toolbar will allow you to add an evidence file. It will be the left-most option and can be seen highlighted below, or above if you are reading this in Australia:

Step 4: When you click on that icon, you should be prompted with the “Select Source” window. If you have connected a physical hard drive to the laptop/computer you are using to make the forensic image, then you will select the “Physical Drive” radio button.

Then click Next.

Then select the physical drive that you would like to use. This option will most likely not be PhysicalDrive0, because this is usually the internal OS drive of the computer that you are using. If you only have two hard drives connected to the computer, then the physical drive you want is probably PhysicalDrive1.

Please make sure that you are selecting the right drive, or you will waste your time exporting a forensic image of your own OS drive.

Step 5: Exporting the forensic images is simple. First ‘right-click’ the PhysicalDrive that you would like to export in the FTK Imager window. This will provide you with the options seen below.

Once you have selected Export Disk Image, you will be prompted with a couple of additional steps. First, ‘click’ the Add button for the Image Destination. I would suggest exporting to another external HDD (like a WD Passport) instead of the internal computer HDD, unless you have the space.

Select the type of forensic image you would like to export. I almost always choose .E01 because of its hash verification and its ability to be used with multiple other programs. You can Bing the other forensic image types. See what I did there…? I added Bing instead of Google. Yeah, you’re prolly one of the two readers reading this post. Now we have made this connection. Hello Brother. Select .E01 and click Next.

Once you click Next, you will need to add information pertaining to the case. Do not add any sarcastic information in these boxes. Either leave them blank or keep it general. No one wants to hear “Forensic Evidence number 007, Examiner ‘Mister Fister’” in court. It’s a tad unprofessional.

Next, you will need to choose the destination where you would like to export the forensic image and give the image a name. Again, be professional.

Lastly, you will need to wait for the forensic image to be created and then verified. Once both have occurred, you can process the image with Autopsy or boot the .E01 in a virtual machine with VMware for even more fun. This will most likely be the next blog post.

Once the verification has finished, you will be greeted with a window like this. The speed of creating the forensic image will vary based on your hardware.
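The integrity check described above can be repeated later without FTK Imager. The following is an added example, not part of the original post: Python that recomputes MD5 and SHA-1 over a split raw (dd) image and compares them with the hashes recorded at acquisition. It assumes segments named evidence.001, evidence.002, and so on; the file names and sample bytes are constructed, and it does not apply to .E01 files, whose container adds metadata so the file hash differs from the acquisition hash.

```python
import hashlib
import os
import re
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB images

def find_segments(first_segment):
    """Return name.001, name.002, ... in numeric order (assumed raw/dd split naming)."""
    folder, name = os.path.split(os.path.abspath(first_segment))
    stem = name.rsplit(".", 1)[0]
    pattern = re.compile(re.escape(stem) + r"\.(\d{3,})$")
    found = [(int(m.group(1)), os.path.join(folder, n))
             for n in os.listdir(folder) if (m := pattern.match(n))]
    return [path for _, path in sorted(found)]

def hash_segments(paths):
    """MD5 and SHA-1 over the concatenated segments, i.e. the original disk stream."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in paths:
        with open(path, "rb") as fh:
            while block := fh.read(CHUNK):
                md5.update(block)
                sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def verify(first_segment, recorded_md5, recorded_sha1):
    """True only if both recomputed digests equal the values recorded at acquisition."""
    md5, sha1 = hash_segments(find_segments(first_segment))
    return (md5 == recorded_md5.strip().lower()
            and sha1 == recorded_sha1.strip().lower())

def demo():
    """Constructed sample: a 3-segment image of random bytes, then one flipped bit."""
    data = os.urandom(3000)
    with tempfile.TemporaryDirectory() as d:
        for i in range(3):
            with open(os.path.join(d, f"evidence.{i + 1:03d}"), "wb") as fh:
                fh.write(data[i * 1000:(i + 1) * 1000])
        first = os.path.join(d, "evidence.001")
        recorded = (hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest())
        before = verify(first, *recorded)          # untouched image
        with open(os.path.join(d, "evidence.002"), "r+b") as fh:
            fh.seek(10)
            fh.write(bytes([data[1010] ^ 0x01]))   # change a single bit
        after = verify(first, *recorded)           # altered image
    return before, after

if __name__ == "__main__":
    print(demo())
```

Run it against the working copy of the image rather than the original evidence, and keep the recorded hashes somewhere other than the drive that holds the image.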
