FTK Imager lets a digital forensic examiner create a bit-for-bit image of a hard drive.
AccessData's FTK Imager supports both local and remote acquisition.
A local acquisition means the storage device (for example, a hard drive) is physically attached to the examiner's system.
When the device is not physically present, remote acquisition is the alternative.
This tutorial shows how to create an exact copy of a suspect's local hard drive (mounted here as "F:\ Suspect Drive"), a copy that examiners can then analyze without touching the original evidence.
1. Download & Install Latest Version Of FTK Imager From AccessData’s Official Website
The first step is to download and install the latest free FTK Imager software from AccessData’s official site.
Keep in mind that the free edition of FTK Imager solely permits local imaging.
2. Launch FTK Imager From Your Windows Desktop
After installation of FTK Imager, go to your Windows desktop and double-click on the shortcut icon labelled “AccessData FTK Imager”.
The software will immediately launch.
3. Click On “File” > “Create Disk Image”
In the FTK Imager program, click "File". The menu offers several image-creation options; select "Create Disk Image".
4. Select "Logical Drive" In "Select Source" Window, Then Choose The Drive In "Select Drive" Window
The correct source type depends on the circumstances of the case: "Physical Drive" captures the whole device including the partition table and any space outside the partitions, while "Logical Drive" captures a single volume.
In this tutorial we choose "Logical Drive" and click "Next".
In the "Select Drive" window, choose the drive you want to image.
In our case that is "F:\ Suspect Drive". Click "Finish".
5. Choose Suitable Image Source In “Create Image” Window
A "Create Image" window appears showing the selected "Image Source", which in our case is "F:\".
6. In “Create Image” Window And Under “Image Destination(s)”, Click On “Add” To Select Image Type
In the "Create Image" window, under "Image Destination(s)", click "Add" to choose the image type.
Choose the destination image type that suits your case. For this guide we use "Raw (dd)", the uncompressed bit-for-bit format produced by the Unix dd utility, which practically every forensic tool can read.
Select "Raw (dd)" and click "Next".
7. In “Evidence Item Information” Window, Enter Important Information Such As Case Number/Evidence Number & Examiner’s Full Name
In the "Evidence Item Information" window, enter the case number, evidence number, examiner name and any notes. This information is written into the image summary and lets the examiner tell cases and evidence items apart later.
8. In “Select Image Destination” Window, Ensure Proper Folder Is Chosen To Put Image File In, Enter A Filename for Image, & Enter Size of Megabytes Under “Image Fragment Size”
In the "Select Image Destination" window, choose the folder the image file will be written to and enter a filename for the image. For instance, we'll choose "H:\ Sunny Hoi".
Under "Image Fragment Size", enter a size in megabytes; the image is split into segment files no larger than that. This is handy when the image is large or must be archived on CDs/DVDs, or stored on a FAT32 volume with its 4 GB file size limit. A value of 0 means do not fragment.
If the fragment size is larger than the image data, only one file is created, and its size is simply the size of the data.
With an "Image Fragment Size" of 1500 (MB) and a drive of only 1 gigabyte, the program therefore creates a single 1-gigabyte file.
Compression is also offered, but raw dd images cannot be compressed (the option applies to E01 and AFF), so we leave the compression value unchanged.
When you are done, proceed by clicking “Finish”.
The image destination is now listed in the "Create Image" window. Ours is "H:\ Sunny Hoi", so FTK Imager shows "H:\Suspect Drive Image [raw/dd]".
Before clicking "Start", make sure "Verify images after they are created" is checked. FTK Imager then re-reads the finished image, hashes it, and compares the result with the hash computed from the source during acquisition.
To begin the process of creating our image file, go ahead and click “Start”.
9. Wait For Our Image To Be Made
This can take a while, depending on the size of the source drive and the speed of the interface it is attached through.
Patience is vital in digital forensics and cyber investigations.
Do not click “Cancel” if creating the image is taking a long time.
Just wait for the process to finish.
10. Verify Results
A window illustrating the results will indicate two hashes that were made and verified: MD5 and SHA1.
The hashes are the disk image's fingerprint: if even one bit of the image changes, the values will differ.
Record both values, not MD5 alone, since MD5 is no longer collision resistant; the examiner will recompute the image's hash repeatedly during the investigation to demonstrate that it has not changed.
To maintain integrity and chain of custody, any other forensic examiner must be able to reproduce the same hashes from the same image.
11. Proceed By Clicking On “Image Summary”
Proceed by clicking on “Image Summary” to see the subsequent results related to our newly created image.
The information provided in the window will allow us to verify the hashes and any information essential to the digital forensics process.
For convenience, all of the information is available as a text file where the image has been saved.
In our example, the image file "Suspect Drive Image.001" and the image summary "Suspect Drive Image.txt" were saved to "H:\ Sunny Hoi".
The .001 extension marks the first segment of a raw image: when the image is larger than the fragment size, it is split into further segments.
In that case you'll see files such as Suspect Drive Image.001, Suspect Drive Image.002 and Suspect Drive Image.003, which must be read in order to reconstruct the image.
The .001 extension can be renamed to .dd for tools that expect it; renaming changes neither the contents nor the hash.
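The fragment-size rule from step 8 and the hash checks from steps 10 and 11 can be reproduced outside the GUI. The following script is an added example, not code from the original tutorial or from AccessData: it writes a constructed "suspect drive" as a split raw image using the same .001/.002/... naming FTK Imager uses, recomputes the MD5 and SHA1 over the concatenated segments with streaming reads (so a multi-gigabyte image never has to fit in memory), and compares them with the values recorded in a summary text. The summary snippet and its "MD5 checksum:"/"SHA1 checksum:" line layout are constructed for this example and are an assumption about the .txt format; check them against your own summary file before relying on the parser.

```python
"""Verify a split raw (dd) image against the hashes recorded at acquisition time.

Added example, not part of the original tutorial. Assumptions:
- segments are named <base>.001, <base>.002, ... (FTK Imager's raw image naming);
- the summary text carries lines like "MD5 checksum: <hex>" and "SHA1 checksum: <hex>"
  (the sample summary in demo() is constructed for this example).
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time; the image never has to fit in memory
HASH_LINE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9a-fA-F]+)\s*$",
                       re.IGNORECASE | re.MULTILINE)


def segment_paths(image_base):
    """Return the segments of a split raw image in order: base.001, base.002, ...

    Stops at the first missing number, so a gap ends the sequence; raises if .001 is absent.
    """
    paths, n = [], 1
    while True:
        p = Path(f"{image_base}.{n:03d}")
        if not p.is_file():
            break
        paths.append(p)
        n += 1
    if not paths:
        raise FileNotFoundError(f"no segments found for {image_base}")
    return paths


def hash_image(image_base):
    """Hash the logical image (all segments concatenated) with MD5 and SHA1, streaming."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    for p in segment_paths(image_base):
        with open(p, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                md5.update(block)
                sha1.update(block)
                size += len(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "size": size}


def parse_summary(text):
    """Pull the recorded MD5/SHA1 values out of a summary text (assumed line layout)."""
    return {algo.lower(): hexval.lower() for algo, hexval in HASH_LINE.findall(text)}


def verify_image(image_base, summary_text):
    """Recompute the hashes and compare them with the ones recorded in the summary."""
    computed = hash_image(image_base)
    recorded = parse_summary(summary_text)
    ok = all(computed[a] == recorded.get(a) for a in ("md5", "sha1"))
    return ok, computed, recorded


def split_raw_image(dest_base, source, fragment_bytes):
    """Write `source` as a split raw image, mimicking the "Image Fragment Size" setting.

    FTK Imager takes the size in MB (fragment_bytes = MB * 1024 * 1024). If the fragment
    size exceeds the data size, exactly one segment (.001) is written, sized to the data.
    """
    segments = []
    for n, off in enumerate(range(0, len(source), fragment_bytes), start=1):
        p = Path(f"{dest_base}.{n:03d}")
        p.write_bytes(source[off:off + fragment_bytes])
        segments.append(p)
    return segments


def demo():
    """Image a constructed 'suspect drive' in a temp dir, verify it, then tamper with it."""
    source = bytes(range(256)) * 40  # 10,240 bytes of constructed sample data
    with tempfile.TemporaryDirectory() as d:
        base = os.path.join(d, "Suspect Drive Image")
        segments = split_raw_image(base, source, fragment_bytes=4096)  # 4096 + 4096 + 2048
        # Constructed summary recording the true hashes of the source, as the GUI would
        summary = ("[Computed Hashes]\n"
                   f" MD5 checksum:    {hashlib.md5(source).hexdigest()}\n"
                   f" SHA1 checksum:   {hashlib.sha1(source).hexdigest()}\n")
        ok_before, computed, _ = verify_image(base, summary)
        # Flip one byte in the last segment: any change must break verification
        last = segments[-1]
        buf = bytearray(last.read_bytes())
        buf[0] ^= 0xFF
        last.write_bytes(bytes(buf))
        ok_after, _, _ = verify_image(base, summary)
        # A fragment size larger than the data (1500 MB here) yields a single .001
        single = split_raw_image(os.path.join(d, "Single"), source, 1500 * 1024 * 1024)
        return {"segments": len(segments),
                "size_matches": computed["size"] == len(source),
                "verified_before_tamper": ok_before,
                "verified_after_tamper": ok_after,
                "single_segment": len(single) == 1 and single[0].stat().st_size == len(source)}


if __name__ == "__main__":
    print(demo())
```

Run it as-is to see the three outcomes (verification passes, a one-byte change is detected, a large fragment size produces a single file), or point `verify_image()` at your own `H:\Suspect Drive Image` base name and the text of its summary file. Because `hash_image()` hashes the segments as one stream, a renamed `.dd` copy or a missing `.002` shows up immediately as a hash mismatch.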
This tutorial has shown how to successfully create a disk image of a suspect’s hard drive.
Creating a disk image is crucial: it is usually the first step in a digital forensic investigation, and all analysis is then performed on the copy rather than the original.
A write blocker must sit between the suspect drive and the examination workstation so that nothing, not even Windows automatically mounting the volume, can write to the original evidence while it is being imaged; the image file itself is protected by its recorded hashes, not by the blocker.
Always record the hashes and keep them for reference, and recheck them during the investigation.
Our other tutorials show how to use FTK Imager in other ways that are essential in digital forensic investigations, such as finding file artifacts in the Master File Table ($MFT) and recovering data from files.