FTK Imager - Introduction

March 05, 2023

Forensic Toolkit, or FTK, is a computer forensics open-source software made by AccessData. It searches a hard drive for different types of data. For instance, it might be able to find deleted emails and search a disc for text strings to use as a dictionary of passwords to break encryption.

FTK Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as AccessData Forensic Toolkit (FTK) is necessary. 

A bit-by-bit duplicate image of the media is created by FTK Imager to prevent accidental or intentional modification of the original evidence. The file slack, unallocated space, and drive-free space in the forensic image are all exactly the same as they were in the original. By using the image for the investigation, you are able to save the original media somewhere safe.

AccessData Forensic Toolkit (FTK) is a program that may be used to analyze data once you have created an image of it.

KEY FEATURES

  • Create forensic images of entire folders or single files from different locations on local hard drives, floppy discs, Zip discs, CDs, and DVDs.
  • You can preview files and directories on local hard drives, network drives, floppy discs, Zip discs, CDs, and DVDs.
  • Preview the contents of forensic images stored on the local machine or on a network drive
  • The content of an image can be seen in a read-only view by mounting it and using Windows Explorer to see the file just as the user saw it on the original drive.
  • Export files and folders from forensic images.
  • See deleted files that have not yet been overwritten on the device in the Recycle Bin and retrieve them.
  • Create hashes of files using either of the hash functions available in FTK Imager: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1).
  • The FTK imager additionally offers you a built-in integrity testing feature that creates a hash report that aids in comparing the evidence's hash before and after the image of the original Evidence was created. 
  • Create hash reports for shared files and disc images (together with any files contained inside those images) that you can later use as a standard to demonstrate the integrity of your case's supporting documentation. When a whole drive is imaged, a hash produced by FTK Imager can be used to confirm that the image hasn't changed while being acquired and that the image and the drive's hashes match after the image is made.
Make sure you are utilizing a hardware-based write-blocker while using FTK Imager to create a forensic image of a hard drive or other electronic devices. This makes sure that when you connect the original source drive to your computer, your operating system won't change it.

We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.
, ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)