ftk imager 2.6.1
DESCRIPTION
FTK Imager 2.6.1. http://www.accessdata.com/downloads.html. FTK Imager Interface. Menu Bar. Tool Bar. Evidence Tree View. File List. Native Viewer. Viewer. Properties. Status Bar. Properties General. Properties DOS Attribs & NTFS Info. Properties Access Conrol Entry. - PowerPoint PPT PresentationTRANSCRIPT
FTK Imager2.6.1
http://www.accessdata.com/downloads.html
FTK Imager Interface
Viewer
File List
Evidence Tree View
Properties
Status Bar
Tool Bar
Menu Bar
Native Viewer
PropertiesGeneral
PropertiesDOS
Attribs&
NTFS Info
PropertiesAccess Conrol Entry
InterpretersValues
InterpretersDates
Hex Interpreter
Hex ViewHex Interpreter
Hex Viewer
Right-Click Menu options
Export Files...
Choose where. Go for it!
Export Hash List ...Hash value of each file in directory
Add to Custom Content Image(AD1)
Drive Free SpaceUnallocated Space
Unpartitioned Space
FTK ImagerImage a Device
Choose the Device
Where to put it. What to call it
E01 Permits Compression
Single Source - Multiple Images
Multiple Images – Multiple Sources
Once one is started youCan start another.
Progress Success
FTK Creates a Couple of Files
.csv – Listing of files found
.txt – Properties of Device
Details from FTK ImagerInformation for C:\Documents and Settings\Admin\My Documents\Courses\Forensics\Case\Case-USB\
08-0001\Image\08-0001.dd:
Physical Evidentiary Item (Source) Information:[Drive Geometry] Cylinders: 31 Tracks per Cylinder: 255 Sectors per Track: 63 Bytes per Sector: 512 Sector Count: 499,712[Physical Drive Information] Drive Model: Kingston DataTraveler 2.0 USB Device Drive Interface Type: USB Source data size: 244 MB Sector count: 499712[Computed Hashes] MD5 checksum: c78f258d9661b2086bb37658527290f6 SHA1 checksum: ee8f4315cdc0911f0467dfdb5ea8a5148ab415e8
Image Information: Segment list: C:\Documents and Settings\Admin\My Documents\Courses\Forensics\Case\Case-USB\08-0001\08-0001.dd.001
Thu Oct 02 11:40:12 2008 - Image Verification Results: MD5 checksum: c78f258d9661b2086bb37658527290f6 : verified SHA1 checksum: ee8f4315cdc0911f0467dfdb5ea8a5148ab415e8 : verified
List of Undeleted Files
Using FTK ImagerTriage
Choose Source
Find the Image
Image Added to FTK Imager
Explore the Image
Converting from One Format to Another
Open image fileSelect itFile->Export Disk ImageCreate image dialog
AddProvide the requested info
Image Verification
dd Image
EnCase E01 Image
Custom Content Image (AD1)
• Logical images that contain all sorts of content• Portions of a file system• Entire file systems• Individual files or folders• Portions of free space
• Contains content from diverse forensic images• “Case in a file”
Add Content to the Custom Content Image
Create Custom Content Image
Review the Content
Create Image
Create Image
Creates a .csv file of the contents of the AD1 file.
Name and Place
CCI.txtThe Custom Content Image was made from the following list:--------------------------------------------------USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\[root]\Comp_Sec-II\CS_457.2010.docMD5,SHA1,Filename
"d41d8cd98f00b204e9800998ecf8427e","da39a3ee5e6b4b0d3255bfef95601890afd80709","USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\[root]\Comp_Sec-II\CS_457.2010.doc\CS_457.2010.doc"
USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\unallocated space\00412MD5,SHA1,Filename
"9da2a3b792a0d032fd7fd0363886e910","a6dbd978d9512abfba6a170598acf9b78c825120","USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\unallocated space\00412\00412"
FTK Imager
• Acquisition Tools• Image Formats• FTK Imager Interface• FTK Functionality
Lab
• Sanitize your thumb drive• Make case folder• Seize the thumb drive (Red)• Image the evidence thumb drive (Red)• Write a Imaging Report