FTK Imager Tutorial: Part I

FTK Imager is a forensic data imaging and preview tool widely used by professionals to acquire and analyze electronic evidence. It allows users to create forensic images of hard drives, USB devices, CDs, and more, without altering the original data. It can also be used by regular users who have accidentally deleted files or folders and want to retrieve them.

The best part of FTK Imager is the price. It is FREE!!! FTK Imager was part of AccessData’s suite when I started my career in digital forensics. When I looked it up today, it seems like it’s now owned by Exterro. The link to download the tool is: https://www.exterro.com/digital-forensics-software/ftk-imager

This tutorial will likely run to three parts, as FTK Imager offers a lot of features. Let’s start with running the application:

Click on File and it shows you four different options. You will likely use only the first and third options, i.e. ‘Physical Drive’ and ‘Image File’. The second option, ‘Logical Drive’ shows the contents of a drive like you see it within Windows Explorer. The fourth option, ‘Contents of a Folder’, is exactly as it says.

Physical Drive:

Selecting this option and clicking on ‘Next’ will load all the ‘Physical Drives’ that are connected to the computer (Caution: It might take a few seconds to load the next screen, depending on the drives that are connected).

What is a Physical Drive???

It is the hardware drive connected to your computer: an HDD, SSD, USB drive or SD card.

Once the drive is loaded in the next screen, you will see the screen divided into four parts. The top left displays the partitions/folders in a tree structure and is called Evidence Tree. It displays all the partitions on the drive, including any unpartitioned space.

The top right reflects the files/folders within a selected partition (for an NTFS file system, FTK reads the Master File Table and loads the folders on the right) or the sub-menu within the partition. It is called File List. The bottom left displays the properties of the partition/folders, or of the drive itself, selected on the top left and is called Properties.

For example, when the drive is selected, the following is displayed:

When a partition is selected, the following is displayed:

The bottom right displays the content of what you selected in the top right, in Hex and Text. It doesn't have a name that I see.

The most important folder on the left navigation column is ‘Root’. Selecting it will load all the folders and files within the partition on the right column. In the example below, it shows the C: drive, which includes the operating system and the Recycle Bin.

The partition also displays ‘unallocated space’, the portion of the storage medium that has not been assigned to any existing file. Although it appears empty, it may still contain information. You can export that data and run file carving tools over it to extract what is there (this topic will be covered in a future part).
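As an added illustration of what the Evidence Tree is reading when it lists partitions and the space between them, here is a small parser for a classic MBR partition table. It is my own example, not code from the tutorial or from FTK Imager, and it assumes 512-byte sectors and an MBR-style disk (GPT is not handled). It reports the same ‘Starting Sector’ and ‘Sector Count’ values that the Properties pane shows for a partition and computes the unpartitioned gaps on the disk. Note that these disk-level gaps are different from the file-system-level unallocated clusters inside a partition; finding those requires parsing the file system’s allocation bitmap. The sample MBR is constructed inline.

```python
"""Parse an MBR partition table and list the unpartitioned gaps on a disk.

Added example (not part of the original tutorial or of FTK Imager).
Assumes 512-byte sectors and a classic MBR; GPT disks are not handled.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR_SIZE = 512          # assumption: matches "Bytes per Sector" on most drives
MBR_TABLE_OFFSET = 446     # the four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xaa"


@dataclass
class Partition:
    slot: int           # entry number 0-3 in the table
    bootable: bool      # boot indicator byte == 0x80
    type_id: int        # partition type byte (0x07 NTFS, 0x0C FAT32 LBA, ...)
    start_sector: int   # "Starting Sector" as shown in the Properties pane
    sector_count: int   # "Sector Count"

    @property
    def end_sector(self) -> int:
        return self.start_sector + self.sector_count - 1


def parse_mbr(sector0: bytes) -> list[Partition]:
    """Return the non-empty primary partition entries, sorted by start sector."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need the full first sector")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("0x55AA boot signature missing: not an MBR")
    parts = []
    for slot in range(4):
        off = MBR_TABLE_OFFSET + 16 * slot
        # boot(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4 LE) count(4 LE)
        boot, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype == 0 or count == 0:
            continue                      # unused slot
        parts.append(Partition(slot, boot == 0x80, ptype, lba_start, count))
    return sorted(parts, key=lambda p: p.start_sector)


def unpartitioned_ranges(parts: list[Partition], total_sectors: int) -> list[tuple[int, int]]:
    """Sector ranges (first, last) covered by no partition; sector 0 (the MBR) is excluded."""
    gaps = []
    cursor = 1
    for p in parts:
        if p.start_sector > cursor:
            gaps.append((cursor, p.start_sector - 1))
        cursor = max(cursor, p.end_sector + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed sample MBR: NTFS + FAT32 with a deliberate gap between them."""
    sector = bytearray(SECTOR_SIZE)

    def entry(boot: int, ptype: int, start: int, count: int) -> bytes:
        return struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", start, count)

    sector[446:462] = entry(0x80, 0x07, 2048, 409600)    # bootable NTFS
    sector[462:478] = entry(0x00, 0x0C, 413696, 409600)  # FAT32 (LBA)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


SAMPLE_TOTAL_SECTORS = 1_048_576   # constructed 512 MiB disk

if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"slot {p.slot}: type 0x{p.type_id:02X} start {p.start_sector} count {p.sector_count}")
    for first, last in unpartitioned_ranges(parts, SAMPLE_TOTAL_SECTORS):
        print(f"unpartitioned: sectors {first}-{last} ({(last - first + 1) * SECTOR_SIZE} bytes)")
```

On a real disk you would feed `parse_mbr` the first 512 bytes of the physical drive (or of a raw image) and take `total_sectors` from the drive’s sector count; the gap list then tells you which sector ranges to export separately if you want to carve them.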

Properties:

This section provides a wealth of information. It has three tabs at the bottom.

Properties reflects information about what you selected in the 'Evidence Tree' section. For example, clicking on 'Physical Drive 0' displays hardware information about the drive, such as Drive Model and Serial, Cylinders, Sectors, Bytes per Sector, etc.

Clicking on the partition gives you partition information like 'Starting Sector', 'Sector Count', etc.

Clicking on a Directory or File gives you information like MFT Record Number, Created, Modified and Accessed dates.

Hex Value Interpreter: This interprets the bytes you have selected in the bottom-right (Hex) pane. You can choose between 'Big Endian' and 'Little Endian' byte order.
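To show what such an interpreter does with a byte run, and why the Big Endian / Little Endian choice matters, here is an added example of my own; it is not FTK Imager’s code and the tutorial does not list which conversions the real pane offers, so the integer, Unix-time and FILETIME rows are my selection. The FILETIME conversion is included because NTFS stores the Created, Modified and Accessed timestamps mentioned above in that format. The sample timestamp bytes are constructed inline.

```python
"""Interpret a selected byte run the way a hex value interpreter does.

Added example (not from the original tutorial and not FTK Imager's code).
Assumes the selection is decoded from its first byte; which conversions
FTK's pane offers beyond byte order is not stated in the tutorial, so the
integer, Unix-time and FILETIME rows here are my choice.
"""
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
# NTFS stores Created/Modified/Accessed timestamps in this format.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """Convert a 64-bit FILETIME to an aware datetime, or None if out of range."""
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    except (OverflowError, ValueError):
        return None


def unix_to_datetime(secs: int):
    """Convert 32-bit Unix time (seconds since 1970-01-01 UTC), or None if out of range."""
    try:
        return datetime.fromtimestamp(secs, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        return None


def interpret(selection: bytes, big_endian: bool = False) -> dict:
    """Decode the leading 1/2/4/8 bytes of `selection` in the chosen byte order."""
    order = ">" if big_endian else "<"
    out = {}
    for bits, code in ((8, "B"), (16, "H"), (32, "I"), (64, "Q")):
        width = bits // 8
        if len(selection) < width:
            break                                  # not enough bytes selected
        chunk = selection[:width]
        out[f"uint{bits}"] = struct.unpack(order + code, chunk)[0]          # unsigned
        out[f"int{bits}"] = struct.unpack(order + code.lower(), chunk)[0]   # two's complement
    if "uint32" in out:
        out["unix_time"] = unix_to_datetime(out["uint32"])
    if "uint64" in out:
        out["filetime"] = filetime_to_datetime(out["uint64"])
    return out


# Constructed sample: the FILETIME for 2024-01-01 00:00:00 UTC, stored
# little-endian as NTFS writes it on disk.
SAMPLE_FILETIME = 133_485_408_000_000_000
SAMPLE_FILETIME_BYTES = struct.pack("<Q", SAMPLE_FILETIME)

if __name__ == "__main__":
    for be in (False, True):
        label = "Big Endian" if be else "Little Endian"
        print(label, interpret(SAMPLE_FILETIME_BYTES, big_endian=be))
```

Reading the same eight bytes as Big Endian yields a completely different number and date, which is why the byte order has to match the structure you are looking at; on-disk NTFS fields are little-endian, so that is the setting that gives the real timestamp here.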

That's it for Part I. Stay tuned for Part II.