FTK Imager

7 min readJan 26, 2022

--

FTK Imager is an open-source software by AccessData that is used for creating accurate copies of the original evidence without actually making any changes to it. The Image of the original evidence is remaining the same and allows us to copy data at a much faster rate, which can be soon be preserved and can be analyzed further. The FTK imager also provides you with the inbuilt integrity checking function which generates a hash report which helps in matching the hash of the evidence before and after creating the image of the original Evidence.

Introduction To Images And FTK Imager

The data acquisition of a Hard Drive is known as an image, a forensic image perhaps when performed in an investigation. Creating a forensics image is one of the most crucial steps involved in digital forensic investigation. However, this imaged disk needs to be applied to the hard drive to work. One cannot restore a hard drive by placing the disk image files on it as it needs to be opened and installed on the drive using an imaging program. A single hard drive can store many disk images on it. Disk images can also be stored on flash drives with a larger capacity.

How to Create a Forensic Image with FTK Imager

Menu Bar
Use the Menu Bar to access all the features of FTK Imager. The Menu Bar is always visible and accessible.
There are four items on the Menu Bar. They are discussed in detail in this section.

Toolbar

Creating A Forensics Image

Open FTK Imager by AccessData after installing it, and you will see the window pop-up which is the first page to which this tool opens.

Now, to create a Disk Image. Click on File > Create Disk Image.

Now you can choose the source based on the drive you have. It can be a physical or a logical Drive depending on your evidence.

A Physical Drive is the primary storage hardware or the component within a device, which is used to store, retrieve, and organize data.

A Logical Drive is generally a drive space that is created over a physical hard disk. A logical drive has its parameters and functions because it operates independently.

Now choose the source of your drive that you want to create an image copy of.

Add the Destination path of the image that is going to be created. From the forensic perspective, It should be copied in a separate hard drive and multiple copies of the original evidence should be created to prevent loss of evidence.

Select the format of the image that you want to create. The different formats for creating the image are:

Raw(dd): It is a bit-by-bit copy of the original evidence which is created without any additions and or deletions. They do not contain any metadata.

SMART: It is an image format that was used for Linux which is not popularly used anymore.

E01: It stands for EnCase Evidence File, which is a commonly used format for imaging and is similar to

AFF: It stands for Advanced Forensic Format that is an open-source format type.

A Now, add the details of the image to proceed.

Now finally add the destination of the image file, name the image file and then click on Finish.

Once you have added the destination path, you can now start with the Imaging and also click on the verify option to generate a hash.

Now let us wait for a few minutes for the image to be created.

After the image is created, a Hash result is generated which verifies the MD5 Hash, SHA1 Hash, and the presence of any bad sector.

The Image Summary also includes the data you entered in the Evidence Item Information dialog.

Use FTK Imager to preview evidence prior to creating the image file(s). You can then choose to image the entire evidence object, or choose specific items to add to a Custom Content (AD1,001,ETC) image

CAPTURING MEMORY

It is the method of capturing and dumping the contents of a volatile content into a non-volatile storage device to preserve it for further investigation. A ram analysis can only be successfully conducted when the acquisition has been performed accurately without corrupting the image of the volatile memory. In this phase, the investigator has to be careful about his decisions to collect the volatile data as it won’t exist after the system undergoes a reboot.

Now, let us begin with capturing the memory. To capture the memory,

click on File > Capture Memory

Choose the destination path and the destination file name, and click on capture memory.

Now let us wait for a few minutes till the ram is being captured

You can get lucky with RAM captures at time as they contain: — Passwords — Credentials — Unsaved documents

Analyzing Image Dump

I Now let us analyze the Dump RAW Image once it has been acquired using FTK imager. To start with analysis,

Now select the source of the dump file that you have already created, so here you have to select the image file option and click on Next.

Choose the path of the image dump that you have captured by clicking on Browse.

Once the image dump is attached to the analysis part, you will see an evidence tree which has the contents of the files of the image dump. This could have deleted as well as overwritten data.