What is the Use FTK Imager Forensics Tool?
There is a plethora of software currently in use in the law/legal line of work. One of the most important types of software is computer forensics software. Among forensics apps, the FTK Imager is probably the most popular.
Today, we’ll be taking a close look at the FTK Imager forensics tool, what it’s used for, and how to use it.
- Use of FTK Imager in Forensic Tool
- Enumeration Ethical Hacking
- Footprinting in Ethical Hacking
- What is FTK Imager
- Use FTK Imager Create Image
What is FTK Imager?
The FTK Imager is a forensics software developed by AccessData, and it is very useful in gathering digital data from a storage drive. This software can scan for and retrieve various information from a hard disk.
It can also retrieve files that have already been deleted from the recycle bin, crack passwords, and decrypt files.
FTK Imager not only works on hard drives. It can create forensic images and process a wide range of data types from many sources, including mobile devices.
Using the FTK Imager tool, you can create an image of an entire drive and send it to another computer.
AccessData claims that, since v4.3, FTK Imager has cut imaging time in half. The company showed this in a test run of v4.3. See quoted details of the test below:
The imaged computer was in another building with a 10Gbps link between the imaged machine and the server. Below are the details:
System 1 where the image was taken from a physical drive
HP® EliteDesk® 800Windows® 10 Pro
Intel® Core™ i7-8700 CPU @3.20GHz
32 Gig RAM
477 GB SSD drive
System 2 where the image was stored:
Dell Poweredge® R720
Windows Server 2016 Standard
Intel Xeon® CPU E5-2620 0 @2.00GHz
32 Gig RAM
4TB Dell PERC H710 SCSI Disk Device (RAID 0, 4 – 1TB 7200 HD)
The results are as follows:
FTK Imager version 4.2.x and earlier:
Compressed images: 2:21:00
Non-compressed images: 4:16:23
FTK Imager version 4.3.x and newer:
Compressed images: 1:03:41
Non-compressed images: 1:29:25
What are the use of FTK Imager?
Although they revolve around data retrieval and processing, there are several things you can do with the FTK Imager forensics tool. They include:
- You can use FTK Imager to create forensic images from several sources, including hard drives, floppy disks, flash drives, mobile, etc.
- You can use it as a kind of file manager to preview files and folders in an image.
- It can be used to mount a data image for read-only permission that allows the data to be viewed exactly the same way as the original.
- It can scan for and retrieve files that have been deleted from the recycle bin but have not yet been overwritten on the drive.
- It can export files from forensic images.
- It can create hashes of files in MD5 and SHA-1.
- It can generate hash reports that can be used to verify the integrity of the forensic image.
Use of FTK Imager create an image file.
- Download FTK Imager from the AccessData website.
- Install FTK Imager on an accessible computer, not the one you want to image.
- Insert a flash drive formatted with FAT32 or NTSF file system (i.e a bootable flash drive) into the computer.
- Copy the entire “FTK Imager” installation folder (usually found at “C:\Program Files\AccessData\FTK Imager” or “C:\Program Files(x86)\AccessData\FTK Imager“) to your flash drive.
- After successful copying, insert the flash drive into the computer you want to image.
- Open the “FTK Imager” folder on the flash drive and run FTK Imager.exe as an administrator.
- From the file menu, select “Create Disk Image
- To image an entire drive, select “Physical Drive”.
- To image an image file, select “Image File”.
- To image a folder, select “Contents of a Folder”; etc.
Continuing with “physical drive”, select the drive you want to image. If you have over one drive plugged into the computer, double-check you selected the right one.
On the “Create Image” prompt, add a destination path for the image file that will be created. We recommend this path should be on a different drive than the one being imaged. Also, always choose “verify images after they’re created.
On the “Select Image Type” prompt, choose the image file type you want. Raw(dd) is an uncompressed duplicate of the original, while the others are designed to work with specific forensics programs.
On the “Evidence Item Information” prompt, enter key information about the image you’re about to create.
On the “Select Image Destination” prompt, choose a destination folder and input the file name.
Click “Finish” to begin the imaging process.
On the next prompt, tick “verify images after they’re created” and click on the start
Wait till your image file is created