This document provides an overview of using FTK Imager for computer forensics. It discusses data storage media types, acquisition tools, image formats, and the key functions of FTK Imager including previewing/triage, acquiring disk images, converting/verifying images, creating custom content images, mounting images, and acquiring memory. The objectives are to understand data storage, how to use FTK Imager's interface and functionality to acquire forensically-sound disk images from various sources in different standard formats.

1. Computer Forensics – Mobile Forensics – Incident Response – Litigation Support

2. Module Objectives
• Data Storage Media
• Acquisition Tools
− Software
− Hardware
• Image Formats
• FTK Imager Interface
− File System Support
− File Properties and Interpreters
− Right-click Menu Options
• FTK Imager Functionality
− Previewing and Triage
− Acquisition
− Conversion / Verification
− Custom Content Images
− Mounting Images
− Acquire Memory

3. Data Storage Media
Magnetic
• Floppy Disk
• Hard Drives
• USB, PC Card, etc.
• Zip & Tape Drives
Optical
• CD
• DVD
Alternative Media
• MP3 Players
• Tablets
• Smartphones
• Who Knows What …

4. Using FTK Imager
Hardware
Write Protect
Device
Preview
Triage
Image
Export
Hash
Convert

5. File System Support
• FAT (12,16,32)
• exFAT
• NTFS
• HFS (Macintosh)
• Ext (Linux)
• Reiser3
• CD/DVD
• VXFS (Veritas)
FTK Imager supports the following file systems:

6. Encrypted Disks
• Below is a lists of AccessData Imager-identified
and analyzed Whole Disk Encryption (WDE)
decryption products (these all require the
examiner to enter the password, AccessData
forensic products don’t “crack "these):
• Recognized and Analyzed Whole Disk Encryption
Formats
• PGP®
• Utimaco
• Credant
• Guardian Edge
• SafeBoot
• EFS
• JFS
• LVM
• Vmware
• LVM2
• UFS1
• UFS2

7. The Interface
Menu Bar
Viewer
File List
Status Bar
Properties /
Hex Value
Interpreter
Evidence
Tree View
Toolbar

8. Properties
FAT and NTFS• Varies by file system
• Also shows image
information
Evidence Info

9. Properties
MAC/HFS
Varies by file system
Linux/EXT

10. Hex Value Interpreter

11. Custom Content Sources

12. Right Click Menu Options

13. Unallocated Space

14. Imaging
A-Card
Airlite Forensic
Workstation
Tableau
Write-Blocker

15. Software Acquisition Process
Hashing and Verification
The goal is
to make an
Identical
Bit-by-Bit
Image
The goal is
to make an
Identical
Bit-by-Bit
Image
=

16. Image Formats
• Raw-DD (.001)
• SMART (.s01)
• Encase (.e01)
• AFF (.aff)
• AD1 (.ad1)
• ISO/CUE
(.iso/.cue)
Imager Can Read
These Formats
Imager Can
Create These
Formats

17. SelectView Source
Verify the source to be acquired, then Export Disk Image.

18. Acquisition

19. Acquisition
Image Verification Text File

20. Single Source – Multi Image
Create multiple
image formats
from a single
source at once

21. Multi Source – Multi Image
Create multiple
images from
multiple sources
at once !!

22. CD / DVD Images
Use the .CUE file to map
sessions
.CUE files
.ISO files

23. Converting a Disk Image

24. Image Verification
Encase / DD ??
Verified based on
image format

25. Custom Content Sources

26. Custom Content Images
• Can be from multiple
sources
• Can include Unallocated
Space
• Results in an .ad1 format
image
• Can include specific SID(s)

27. Custom Content Images

28. Custom Content Images

29. Export Files
Select the file
Select the
destination

30. Export Folders

31. Export File Hash List

32. Detecting EFS Encryption

33. Capture Active Memory

34. Image Mounting

35. Module Review
• Data Storage Media
• Acquisition Tools
− Software
− Hardware
• Image Formats
• FTK Imager Interface
− File System Support
− File Properties and Interpreters
− Right-click Menu Options
• FTK Imager Functionality
− Previewing and Triage
− Acquisition
− Conversion / Verification
− Custom Content Images
− Mounting Images
− Acquire Memory