How To Use FTK Imager To Recover Data

by Sunny Hoi

In this tutorial, we will show how to use FTK Imager to recover data from files that may be difficult to find or have been deleted by a suspect under investigation by digital forensic professionals.

Our previous tutorial illustrated how to use FTK Imager to find file artifacts in the Master File Table ($MFT). We consider the other tutorial and the current tutorial as complementary.

1. With The Magic Marker “FILE0” Selected, Press “CTRL” + “F” And Type “80 00 00 00” In The Find Window To Jump To The $DATA Section Of The Particular $MFT Record

The $DATA section is an attribute of the Master File Table ($MFT) record. It begins with the attribute type code “80 00 00 00” (0x80 written out as four bytes).

Refer back to the magic marker FILE0 (as taught in our other tutorial). The FILE0 line lies a few lines above the line that the search will land on.

With the magic marker FILE0 selected, press the shortcut keys “CTRL” + “F” and run a “Binary (hex)” search for “80 00 00 00”. This highlights precisely the $DATA section of that Master File Table record.

2. Check $DATA Section’s Length

After the “Binary (hex)” search of “80 00 00 00” from the previous step, we will be taken directly to the $DATA section of the particular Master File Table record.

The $DATA section’s length field, the four bytes immediately after the type code, reads “48 00 00 00” (0x48).

The “Hex Value Interpreter” in FTK Imager indicates 72 decimal.

3. Examine Binary (Hex) Code Next To “48 00 00 00” To Determine State Of File/Folder

We can see that the binary (hex) code next to “48 00 00 00” is “01 00” (0x01 0x00).

The image we are interested in recovering has not been removed from the inspected hard drive.

  • “01 00” indicates an existing file.
  • “00 00” indicates a deleted file.
  • “03 00” indicates an existing folder.
  • “04 00” indicates a deleted folder.

4. Select (Highlight) Entire Row Of “80 00 00 00” And Subsequent Row

Information regarding the image’s true location on the hard drive is held in the data runs. Byte offset 32 of the $DATA section tells us where, within the section, those data runs begin.

Ensure that the entire row of “80 00 00 00” and the subsequent row “00 00 00 00” (in our tutorial) are selected (highlighted). Note that each row holds 16 bytes.

Byte offset 32 of the $DATA section is therefore “40” (0x40).

The “Hex Value Interpreter” indicates 64 decimal.

5. Select (Highlight) Entire Row Of “80 00 00 00” And Subsequent Three Rows

Go back to the Binary (hex) code “80 00 00 00” at the outset of the $DATA section.

We will locate the data run that tells us the image data’s first cluster.

Ensure that the entire row of “80 00 00 00” is selected (highlighted). Remember that each row holds 16 bytes.

Proceed by selecting the next three rows. After selecting all four rows, we will have selected a total of 64 bytes (16 x 4 = 64). This refers back to step four, where the $DATA section’s byte offset 32 was “40” (0x40), which the “Hex Value Interpreter” shows as 64 decimal. The data runs begin at that 64-byte mark.

It is common to see that the data run begins with “31” (0x31) and that the run list ends with a “00” terminator byte. However, this does not occur every time.

In our tutorial, we see that the data run begins with “31” (0x31).

6. Determining Quantity Of Clusters

The binary (hex) code that follows “31” (“0D” in our tutorial) gives the number of clusters occupied by the image data.

The “Hex Value Interpreter” indicates 13 decimal. This signifies that the image data occupies 13 clusters.

The next three bytes, “1D 6C 04”, give the starting cluster number. The “Hex Value Interpreter” shows 289821 decimal.

Go to the Evidence Tree Pane in FTK Imager and proceed by clicking on the volume “Windows 10 [NTFS]”. Go and click on the “Properties” tab at the bottom left which is next to the “Hex Value Interpreter”.

The “Properties” tab will display a cluster’s size which is 4096 bytes.

7. Calculating The Image’s Size From The Number Of Clusters And The Cluster Size

We will multiply the number of clusters (13) by a cluster’s size (4096).

13 x 4096 = 53248

Therefore, the image’s size is 53248 bytes.
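The hand-decoding of steps 4 to 7 can be automated. The following is an added example (not code from the tutorial or from FTK Imager) that builds a constructed copy of the $DATA attribute shown above, decodes its data runs and derives the same numbers; it also goes beyond the single-run case and handles multiple runs, whose offsets are signed and relative to the previous run, and sparse runs. The field layout used for the header is assumed to be the standard NTFS non-resident attribute header.

```python
import struct

# Constructed stand-in for the $DATA attribute this tutorial walks through:
# type 0x80, length 0x48 (72), non-resident, data runs at offset 0x40 (64),
# then the single run "31 0D 1D 6C 04" and the 0x00 terminator.
def build_sample_data_attribute() -> bytes:
    hdr = struct.pack("<IIBBHHH", 0x80, 0x48, 1, 0, 0, 0, 0)           # 16-byte common header
    hdr += struct.pack("<QQHHIQQQ", 0, 12, 0x40, 0, 0,                  # VCNs, run offset, pad
                       53248, 53248, 53248)                             # allocated / real / init size
    runs = bytes.fromhex("310D1D6C0400")
    return hdr + runs + b"\x00" * (0x48 - len(hdr) - len(runs))

def decode_data_runs(raw: bytes, pos: int = 0):
    """Decode an NTFS data run list into [(start_cluster, cluster_count)].

    Header byte nibbles: low = size of the length field, high = size of the
    offset field. Offsets are signed and relative to the previous run's start;
    an offset size of 0 marks a sparse run with no clusters on disk."""
    runs, lcn = [], 0
    while pos < len(raw) and raw[pos] != 0:          # 0x00 terminates the list
        len_size, off_size = raw[pos] & 0x0F, raw[pos] >> 4
        pos += 1
        count = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, count))
            continue
        lcn += int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
        pos += off_size
        runs.append((lcn, count))
    return runs

def parse_data_attribute(attr: bytes, cluster_size: int) -> dict:
    """Read the fields the tutorial inspects by hand and locate the content on disk."""
    atype, alen = struct.unpack_from("<II", attr, 0)     # "80 00 00 00", "48 00 00 00"
    if atype != 0x80:
        raise ValueError("not a $DATA attribute")
    if attr[8] != 1:   # byte 8 is the non-resident flag; 0 means the content sits in the MFT record
        raise ValueError("resident $DATA: there are no data runs to follow")
    run_offset = struct.unpack_from("<H", attr, 32)[0]   # 0x40 in the tutorial
    real_size = struct.unpack_from("<Q", attr, 48)[0]    # exact byte count of the content
    runs = decode_data_runs(attr[:alen], run_offset)
    return {
        "attr_length": alen,
        "runs": runs,
        "allocated_size": sum(n for _, n in runs) * cluster_size,   # the 13 x 4096 figure
        "real_size": real_size,
        "first_byte_offset": runs[0][0] * cluster_size,             # where "Go to cluster" lands
    }
```

The allocated size is the cluster count multiplied by the cluster size, as in step 7; the real size field gives the exact length to use in “Set Selection Length” when a file does not fill its last cluster.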

8. Click On Volume “Windows 10 [NTFS]” In Evidence Tree Pane, Right Click Viewer Pane, Click On “Go To Sector/Cluster” And Enter Our Starting Cluster In “Go To Sector/Cluster” Window

Proceed by clicking on the volume “Windows 10 [NTFS]” in the Evidence Tree Pane of FTK Imager, right-click the Viewer Pane on the bottom right, click on “Go to sector/cluster” and enter our starting cluster in the “Go To Sector/Cluster” window.

Our starting cluster is 289821.

9. Select Image File Header In Viewer Pane

As a result of the preceding step, we will have landed precisely at the image’s file header (ÿØÿà..JFIF) in the Viewer Pane of FTK Imager.

Ensure that you have selected the bytes of the image file header in the Viewer Pane.

Keep in mind that our image is formatted as a JPEG file.

10. Right-Click Viewer Pane, Click On “Set Selection Length”, And Enter Image’s Size In “Selection Size”

Right-click the Viewer Pane, click on “Set Selection Length”, and continue by entering the image’s size in “Selection Size”.

The image’s size is 53248 bytes.

11. Right-Click Selection And Click On “Save Selection”

We can see that our image data has been selected (Highlighted) in the Viewer Pane.

Right-click the image data and click “Save Selection”. This will permit us to save the image data as a file that we can view.

We can save the image as SunnyHoi.jpg in the Pictures folder.

To view the image, go to the Pictures folder.

Conclusion

This tutorial has illustrated how to use FTK Imager to recover a suspect’s data successfully.

Recovering data is essential in every digital forensic investigation.

Without data, there would be no evidence to support the digital forensic investigation.

We have also created a tutorial on how to use FTK Imager to create a disk image of a local hard drive.
