1 / 40

FTK Imager 2.6.1

FTK Imager 2.6.1. http://www.accessdata.com/downloads.html. FTK Imager Interface. Menu Bar. Tool Bar. Evidence Tree View. File List. Native Viewer. Viewer. Properties. Status Bar. Properties General. Properties DOS Attribs & NTFS Info. Properties Access Conrol Entry.

esben
Download Presentation

FTK Imager 2.6.1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. FTK Imager2.6.1 http://www.accessdata.com/downloads.html

  2. FTK Imager Interface Menu Bar Tool Bar Evidence Tree View File List Native Viewer Viewer Properties Status Bar

  3. PropertiesGeneral

  4. PropertiesDOS Attribs&NTFS Info

  5. PropertiesAccess Conrol Entry

  6. InterpretersValues

  7. InterpretersDates

  8. Hex Interpreter Hex Viewer Hex View Hex Interpreter

  9. Right-Click Menu options

  10. Export Files... Choose where. Go for it!

  11. Export Hash List ...Hash value of each file in directory

  12. Add to Custom Content Image(AD1) More on this later

  13. Drive Free SpaceUnallocated Space

  14. Unpartitioned Space

  15. FTK ImagerImage a Device

  16. Choose the Device

  17. Where to put it. What to call it

  18. E01 Permits Compression

  19. Single Source - Multiple Images

  20. Multiple Images – Multiple Sources Once one is started you Can start another.

  21. Progress Success

  22. FTK Creates a Couple of Files .csv – Listing of files found .txt – Properties of Device

  23. Details from FTK Imager Information for C:\Documents and Settings\Admin\My Documents\Courses\Forensics\Case\Case-USB\ 08-0001\Image\08-0001.dd: Physical Evidentiary Item (Source) Information: [Drive Geometry] Cylinders: 31 Tracks per Cylinder: 255 Sectors per Track: 63 Bytes per Sector: 512 Sector Count: 499,712 [Physical Drive Information] Drive Model: Kingston DataTraveler 2.0 USB Device Drive Interface Type: USB Source data size: 244 MB Sector count: 499712 [Computed Hashes] MD5 checksum: c78f258d9661b2086bb37658527290f6 SHA1 checksum: ee8f4315cdc0911f0467dfdb5ea8a5148ab415e8 Image Information: Segment list: C:\Documents and Settings\Admin\My Documents\Courses\Forensics\Case\Case-USB\08-0001\08-0001.dd.001 Thu Oct 02 11:40:12 2008 - Image Verification Results: MD5 checksum: c78f258d9661b2086bb37658527290f6 : verified SHA1 checksum: ee8f4315cdc0911f0467dfdb5ea8a5148ab415e8 : verified

  24. List of Undeleted Files

  25. Using FTK ImagerTriage

  26. Choose Source

  27. Find the Image

  28. Image Added to FTK Imager

  29. Explore the Image

  30. Converting from One Format to Another Open image file Select it File->Export Disk Image Create image dialog Add Provide the requested info

  31. Image Verification dd Image EnCase E01 Image

  32. Custom Content Image (AD1) • Logical images that contain all sorts of content • Portions of a file system • Entire file systems • Individual files or folders • Portions of free space • Contains content from diverse forensic images • “Case in a file”

  33. Add Content to the Custom Content Image

  34. Create Custom Content Image

  35. Review the Content Create Image

  36. Create Image Creates a .csv file of the contents of the AD1 file.

  37. Name and Place

  38. CCI.txt The Custom Content Image was made from the following list: -------------------------------------------------- USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\[root]\Comp_Sec-II\CS_457.2010.doc MD5,SHA1,Filename "d41d8cd98f00b204e9800998ecf8427e","da39a3ee5e6b4b0d3255bfef95601890afd80709","USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\[root]\Comp_Sec-II\CS_457.2010.doc\CS_457.2010.doc" USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\unallocated space\00412 MD5,SHA1,Filename "9da2a3b792a0d032fd7fd0363886e910","a6dbd978d9512abfba6a170598acf9b78c825120","USB.E01\Partition 1 [243MB]\KINGSTON [FAT16]\unallocated space\00412\00412"

  39. FTK Imager • Acquisition Tools • Image Formats • FTK Imager Interface • FTK Functionality

  40. Lab • Sanitize your thumb drive • Make case folder • Seize the thumb drive (Red) • Image the evidence thumb drive (Red) • Write a Imaging Report

More Related