Cyber Forensics

Comprehensive Guide on FTK Imager

AccessData offers FTK Imager, an open-source software that creates accurate copies of the original evidence without making any changes to it. The original evidence remains untouched, and the tool copies data at a much faster rate, so the image can be preserved and analyzed further.

FTK Imager also provides a built-in integrity-checking function that generates a hash report, which lets you match the hash of the evidence before and after creating the image of the original evidence.

Table of Contents

  • Creating a Forensic Image
  • Capturing Memory
  • Analyzing Image dump
  • Mounting Image to Drive
  • Custom Content Image using AD encryption
  • Decrypt AD Encryption
  • Obtain Protected Files
  • Detect EFS Encryption
  • Export Files

Let us begin by creating an image copy of the original evidence.

Creating a Forensic Image

Forensic imaging is one of the most crucial steps in a digital forensic investigation. It is the process of making an archival or backup copy of the entire hard drive. The resulting disk image is a storage file that contains all the information needed to boot the operating system. However, to use it you need to apply this image to a hard drive: you cannot restore a drive simply by placing the disk image files on it; they must be opened and written to the drive with an imaging program. A single hard drive can store many disk images, and you can also store disk images on flash drives with a larger capacity.

Launching FTK Imager and Creating a Disk Image

Open FTK Imager by AccessData after installing it; the window that pops up is the first page the tool opens to.


Now, to create a disk image, click on File > Create Disk Image.

Now choose the source according to the drive you have. It can be a physical or a logical drive, depending on your evidence.

Understanding Physical and Logical Drives

A physical drive is the primary storage hardware component that a device uses to store, retrieve, and organize data.

A logical drive is a drive space that is generally created on a physical hard disk. A logical drive has its own parameters and functions because it operates independently.


Now choose the source of your drive that you want to create an image copy of.

Add the destination path of the image that is going to be created. From a forensic perspective, it should be copied to a separate hard drive, and multiple copies of the original evidence should be created to prevent loss of evidence.

Selecting the Image Format

Select the format of the image that you want to create. The different formats for creating the image are:

  • Raw (dd): A bit-by-bit copy of the original evidence is created without any additions or deletions. It does not contain any metadata.
  • SMART: An image format that was used for Linux and has fallen out of popularity.
  • E01: EnCase Evidence File, the format commonly used for imaging; it is similar to
  • AFF: Stands for Advanced Forensic Format, an open-source format type.


Now, add the details of the image to proceed.

Now finally add the destination of the image file, name the image file, and then click on Finish.

Once you have added the destination path, you can start the imaging; also tick the Verify option to generate a hash.


Now let us wait for a few minutes for the image to be created.

After the image is created, a hash result is generated that reports the MD5 hash, the SHA1 hash, and the presence of any bad sectors.
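The hash report only proves anything if it is re-checked whenever the image is moved to another drive or handed to another examiner, which is the situation the guide's advice about multiple copies creates. The following script is an added example, not part of FTK Imager or of the original guide: it streams a raw (dd) image once to compute MD5 and SHA1 together, reads the recorded digests from a text summary, and reports whether the copy still matches. The summary layout ("MD5 checksum: <hex>" / "SHA1 checksum: <hex>") is assumed from the .txt file FTK Imager writes next to the image; the evidence content, file names and the single flipped byte in the demo are constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile

CHUNK_SIZE = 1024 * 1024  # stream the image in 1 MiB pieces; evidence images do not fit in memory


def hash_image(path):
    """Read the image once and compute MD5 and SHA1 together (the two digests the verify step reports)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def parse_hash_report(text):
    """Pull the recorded digests out of a summary file. Assumed layout: lines of the form
    'MD5 checksum: <hex>' and 'SHA1 checksum: <hex>', matched case-insensitively."""
    expected = {}
    for algo in ("md5", "sha1"):
        match = re.search(r"%s checksum:\s*([0-9a-fA-F]+)" % algo, text, re.IGNORECASE)
        if match:
            expected[algo] = match.group(1).lower()
    return expected


def verify_image(path, expected):
    """Recompute the digests and compare each to its recorded value; returns {algo: True/False}.
    compare_digest is used so the comparison does not short-circuit on the first differing character."""
    actual = hash_image(path)
    return {algo: hmac.compare_digest(actual[algo], exp.lower()) for algo, exp in expected.items()}


def known_answer_check():
    """Hash a file containing the standard test vector b'abc' to confirm the streaming code is correct."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"abc")
    return hash_image(path)


def demo():
    """Constructed walk-through: 'acquire' a fake disk, record its hashes in a summary, then verify an
    intact copy and a copy with one flipped byte (the corruption the verify step exists to catch)."""
    tmp = tempfile.mkdtemp()
    original = os.path.join(tmp, "evidence.001")
    with open(original, "wb") as fh:
        fh.write(bytes(range(256)) * 4096)  # 1 MiB of constructed disk content
    digests = hash_image(original)
    summary = "[Computed Hashes]\n MD5 checksum:  %s\n SHA1 checksum: %s\n" % (digests["md5"], digests["sha1"])
    expected = parse_hash_report(summary)

    with open(original, "rb") as fh:
        data = bytearray(fh.read())
    intact = os.path.join(tmp, "copy_ok.001")
    with open(intact, "wb") as fh:
        fh.write(bytes(data))
    data[12345] ^= 0xFF  # a single damaged byte in the second copy
    altered = os.path.join(tmp, "copy_bad.001")
    with open(altered, "wb") as fh:
        fh.write(bytes(data))
    return verify_image(intact, expected), verify_image(altered, expected)


if __name__ == "__main__":
    ok, bad = demo()
    print("intact copy:", ok)    # both digests True
    print("altered copy:", bad)  # both digests False
```

Both digests are kept because the report lists both: a copy that matches MD5 but not SHA1 (or vice versa) indicates a corrupted report or a transcription mistake rather than a good image, and a mismatch of either should stop the analysis until a fresh copy is taken from the original evidence.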

Capturing Memory

Memory capture is the method of capturing and dumping the contents of volatile memory into non-volatile storage to preserve it for further investigation. RAM analysis can only be conducted successfully when the acquisition has been performed accurately, without corrupting the image of the volatile memory. In this phase, the investigator has to be careful in deciding how to collect the volatile data, as it will not exist after the system reboots.

Now, let us begin with capturing the memory.

To capture the memory, click on File > Capture Memory.


Choose the destination path and the destination file name, and click on Capture Memory.

Now wait a few minutes while the RAM is captured.

Analyzing Image Dump

Now let us analyze the raw memory dump once it has been acquired using FTK Imager. To start the analysis, click on File > Add Evidence Item.


Now select the source of the dump file that you have already created; here you have to select the Image File option and click on Next.

Choose the path of the image dump that you have captured by clicking on Browse.

Once you attach the image dump for analysis, you will see an evidence tree that contains the files of the image dump. This may include deleted as well as overwritten data.


To analyze other things further, we will now remove this evidence item by right-clicking on the case and clicking on Remove Evidence Item.

Mounting Image to Drive

To mount the image as a drive in your system, click on File > Image Mounting.


Once the Mount Image to Drive window appears, you can add the path to the image file that you want to mount and click on Mount.

You can now see that the image file has been mounted as a drive.

Custom Content Image with AD Encryption

FTK Imager has a feature that lets the examiner encrypt files of a particular type according to their requirements. Click on the files that you want to add to the custom content image along with AD encryption.


All the selected files will be displayed in a new window; then click on Create Image to proceed.

Fill in the required details to create the evidence.

Now specify the destination of the image file you want to create, name the image file, check the box with AD encryption, and then click on Finish.

A new window will pop up to encrypt the image. Now enter and re-enter the password that you want to set for your image.


Now, to see the encrypted files, click on File > Add Evidence Item.

The window to decrypt the encrypted files will appear once you add the file source. Enter the password and click OK.


On entering the valid password, you will now see the two encrypted files.

Decrypt AD1 Image

To decrypt the custom content image, click on File > Decrypt AD1 Image.


Now you need to enter the password for the image file that was encrypted and click on OK.

Now, wait for a few minutes till the decrypted image is created.

To view the decrypted custom content image, add the path of the decrypted file and click on Finish.


You will now be able to see the files that were decrypted with the correct password.

Obtain Protected Files

Certain files are protected from recovery. To obtain those files, click on File > Obtain Protected Files.


A new window will pop up. Click on Browse to add the destination for the protected files, then select the option that says Password recovery and all registry files, and finally click on OK.

Now you will see all the protected files in one place.


Detect EFS Encryption

When a folder or a file has been encrypted, we can detect it using this feature of FTK Imager.

Here, a user has encrypted a file in a folder to secure its content.

To detect the EFS encryption, click on File > Detect EFS Encryption.

You can see that the encryption is detected.
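What the Detect EFS Encryption feature looks for is the FILE_ATTRIBUTE_ENCRYPTED bit (0x4000) that NTFS sets on every EFS-encrypted file or folder. The script below is an added example, not part of FTK Imager or of the original guide: it decodes that attribute bitmask, filters a directory listing down to the EFS-encrypted entries, and can walk a mounted image on a Windows host (where Python exposes the attributes as st_file_attributes) to produce such a listing. The sample listing with its drive letter, paths and attribute values is constructed for the demonstration.

```python
import os
import stat

# Win32 FILE_ATTRIBUTE_* bits as exposed by Python's stat module.
# FILE_ATTRIBUTE_ENCRYPTED (0x4000) is the bit EFS sets on an encrypted file or folder.
EFS_FLAG = stat.FILE_ATTRIBUTE_ENCRYPTED

# Attribute bits worth showing in a triage listing, in a fixed display order.
ATTRIBUTE_NAMES = (
    ("READONLY", stat.FILE_ATTRIBUTE_READONLY),
    ("HIDDEN", stat.FILE_ATTRIBUTE_HIDDEN),
    ("SYSTEM", stat.FILE_ATTRIBUTE_SYSTEM),
    ("DIRECTORY", stat.FILE_ATTRIBUTE_DIRECTORY),
    ("ARCHIVE", stat.FILE_ATTRIBUTE_ARCHIVE),
    ("COMPRESSED", stat.FILE_ATTRIBUTE_COMPRESSED),
    ("ENCRYPTED", stat.FILE_ATTRIBUTE_ENCRYPTED),
)


def is_efs_encrypted(attributes):
    """True when the file-attribute bitmask has the EFS bit set."""
    return bool(attributes & EFS_FLAG)


def describe_attributes(attributes):
    """Decode a bitmask into the attribute names that are set, in ATTRIBUTE_NAMES order."""
    return [name for name, bit in ATTRIBUTE_NAMES if attributes & bit]


def find_encrypted(listing):
    """listing maps path -> attribute bitmask; returns the EFS-encrypted paths, sorted."""
    return sorted(path for path, attrs in listing.items() if is_efs_encrypted(attrs))


def scan_mounted_image(root):
    """Walk a mounted image (a drive letter or folder) and return its EFS-encrypted entries.
    st_file_attributes exists only on Windows, so on other hosts the scan returns an empty list."""
    listing = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                attrs = getattr(os.lstat(path), "st_file_attributes", None)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the whole scan
            if attrs is not None:
                listing[path] = attrs
    return find_encrypted(listing)


# Constructed sample listing standing in for a real scan; attribute values chosen to illustrate the bits.
SAMPLE_LISTING = {
    r"E:\Users\alice\Documents": 0x0010,              # DIRECTORY
    r"E:\Users\alice\Documents\notes.txt": 0x0020,    # ARCHIVE
    r"E:\Users\alice\Secret": 0x4010,                 # DIRECTORY | ENCRYPTED
    r"E:\Users\alice\Secret\plan.docx": 0x4020,       # ARCHIVE | ENCRYPTED
    r"E:\pagefile.sys": 0x0026,                       # HIDDEN | SYSTEM | ARCHIVE
}


if __name__ == "__main__":
    for path in find_encrypted(SAMPLE_LISTING):
        print(path, describe_attributes(SAMPLE_LISTING[path]))
```

An encrypted folder is reported as well as the files inside it because EFS marks the folder so that new files created there are encrypted automatically; knowing this before exporting files tells the examiner which items will need the user's EFS key or a recovery agent certificate, rather than discovering unreadable ciphertext later.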

Export Files

To export the files and folders from the imaged file to your folder, you can click File > Export Files.


You can now see the results of the export showing the number of files and folders that the system has copied.

To learn more about Cyber Forensics, follow this link.

Author: Jeenali Kothari is a Digital Forensics enthusiast and enjoys technical content writing. You can reach her here.