Disk Imaging – FTK Imager for Windows
Evidence Acquisition
What is a Forensic Image?
A forensic image is an exact copy of a hard drive. It is created with third-party tools that
capture the drive bit by bit without changing any of the data. Forensic software copies the data
as a bitstream, which is an exact duplicate. The main advantage of a forensic image is that it
also copies deleted data, including files left behind in swap and free space. Many open-source
and proprietary tools are available for acquiring drive images, such as:
▪ AccessData FTK Imager
▪ EnCase Imager
▪ Forensic Imager
▪ Belkasoft Acquisition Tool
FTK Imager
The Forensic Toolkit Imager (FTK Imager) is a forensic imaging software package distributed by
AccessData. FTK Imager, available for free from AccessData, can capture a live memory dump
and the page file (pagefile.sys), which Windows uses as virtual memory storage, or capture
static memory such as a hard disk.
1. Download FTK Imager from the link below:
https://www.exterro.com/ftk-product-downloads/ftk-imager-version-4-7-1
2. Fill in the registration form.
3. A download link will be sent to your email address.
4. Install FTK Imager.
Evidence Acquisition using AccessData FTK Imager
FTK Imager can create a disk image and capture the paging file on Windows, along with capturing
volatile memory for analysis purposes. For this walkthrough I'm using a USB flash drive.
1. To create an image, open the File menu and select the Create Disk Image option from the
drop-down menu.
2. FTK Imager then asks for the evidence type, i.e. physical drive, logical drive, etc. Select the
evidence type and click the Next button to continue.
3. Next, it asks which drive you want to image. Select that drive and click the Finish button.
4. Now provide the image destination, i.e. where the image will be saved. To give the path for
the destination, click the Add button.
5. Select the image type, i.e. raw, E01, etc., then click the Next button.
6. Provide the details for the image: case number, evidence number, unique description,
examiner, and notes about the evidence or investigation. Click the Next button after providing
all the details.
HAZWAN JAAFAR
7. After this, it asks for the destination folder, i.e. where the image will be saved, along with
the image file name and fragment size. Once you have filled in all the details, click the Finish
button.
8. The imaging process now starts and reports the elapsed time, estimated time left, image
source, destination and status as it runs.
9. When the progress bar completes and the status shows "Image created successfully", the
forensic image has been created.
10. After the image is created, go to the destination folder and verify the image.
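
One way to carry out the verification in step 10 independently of the imaging tool, as an added example that is not part of the original guide: for a raw image split by fragment size, hash the fragments in order as one bitstream and compare the result with the MD5 and SHA-1 values recorded at acquisition. The <name>.001, <name>.002, ... fragment naming, the function names and the sample data are assumptions; E01 images use their own container format and are not covered.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: raw fragments are named <name>.001, <name>.002, ... in one folder.
SEGMENT_RE = re.compile(r"^(?P<stem>.+)\.(?P<num>\d{3,})$")

def find_segments(first_segment):
    """Return all fragments in order; raise ValueError if the numbering has a gap."""
    first = Path(first_segment)
    head = SEGMENT_RE.match(first.name)
    if head is None:
        raise ValueError(f"{first.name} is not a numbered fragment")
    found = {}
    for path in first.parent.iterdir():
        m = SEGMENT_RE.match(path.name)  # side files such as <name>.001.txt do not match
        if m and m["stem"] == head["stem"]:
            found[int(m["num"])] = path
    numbers = sorted(found)
    if numbers != list(range(1, len(numbers) + 1)):
        raise ValueError(f"fragment numbering has a gap: {numbers}")
    return [found[n] for n in numbers]

def hash_image(segments, chunk_size=1 << 20):
    """Stream every fragment through MD5 and SHA-1 as one continuous bitstream."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for segment in segments:
        with open(segment, "rb") as fh:
            while chunk := fh.read(chunk_size):
                md5.update(chunk)
                sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def verify_image(first_segment, expected_md5, expected_sha1):
    """True only if both digests match the values recorded at acquisition."""
    md5, sha1 = hash_image(find_segments(first_segment))
    return (md5, sha1) == (expected_md5.lower(), expected_sha1.lower())

def demo():
    """Constructed sample: a 10 KiB 'drive' split into 4 KiB fragments."""
    data = bytes(range(256)) * 40
    with tempfile.TemporaryDirectory() as tmp:
        for i in range(0, len(data), 4096):
            Path(tmp, f"usb.{i // 4096 + 1:03d}").write_bytes(data[i:i + 4096])
        good = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
        return verify_image(Path(tmp, "usb.001"), *good)
```

A missing final fragment leaves no gap in the numbering, so it is caught by the digest comparison rather than by find_segments.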