How to Use FTK Imager: A Step-by-Step Guide

The tool and its features were introduced in a previous post. If you want to read about it, click here: "FTK Imager".

1. Create Disk Image along with Hash Report Generation

  1. First click on ‘File’, then ‘Create Disk Image’.

  2. Select the appropriate source type.

  3. Select the evidence source path.

  4. Click on:

    (1) "Add" - To add the destination path for the created image.

    (2) "Verify images after they are created" - To verify the integrity of the image generated with the source.

  5. Fill out the details as needed (Optional).

  6. Select the "Image Destination Folder" and the "Image Filename" and Click on "Finish".

  7. Click on "Start" to start the Image Creation process.

  8. Once the image is created, you can check its integrity by clicking on "Image Summary".

The image has been created and is present at the destination location specified during the process. The image summary is also present at the destination location, along with the hash report.

In conclusion, the ability to create disk images along with hash report generation is vital in digital forensics. FTK Imager streamlines this process with its intuitive interface and robust functionality. By ensuring the integrity of the evidence through hash verification, investigators can confidently analyze digital data while maintaining the integrity of the original evidence.
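An independent re-check of the hash report from step 8, as an added example that is not from the original post or from FTK Imager itself: it recomputes MD5 and SHA1 over a raw (dd) image, including split segments, and compares them with the values recorded in the summary text file. The `MD5 checksum:` / `SHA1 checksum:` line layout, the file names and the sample data are assumptions constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed layout of the hash lines in the summary text file (not shown on the page).
HASH_LINE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9a-fA-F]{32,40})\b", re.M)


def parse_summary(text):
    """Return {'md5': ..., 'sha1': ...} from the first occurrence of each hash line."""
    found = {}
    for algo, digest in HASH_LINE.findall(text):
        found.setdefault(algo.lower(), digest.lower())
    return found


def hash_segments(segments, chunk_size=1 << 20):
    """Hash the image segments in order as one stream, reading in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for seg in segments:
        with open(seg, "rb") as fh:
            while chunk := fh.read(chunk_size):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify(segments, summary_text):
    """Compare recomputed digests with the recorded ones; fail closed if none are recorded."""
    recorded = parse_summary(summary_text)
    if not recorded:
        raise ValueError("no hash lines found in summary")
    computed = hash_segments(segments)
    return {algo: computed[algo] == value for algo, value in recorded.items()}


def demo():
    """Constructed data: a two-segment 'image' and a summary built to match it."""
    with tempfile.TemporaryDirectory() as d:
        parts = [Path(d, "case.001"), Path(d, "case.002")]
        parts[0].write_bytes(b"constructed sector data " * 64)
        parts[1].write_bytes(b"second segment " * 32)
        good = hash_segments(parts)
        summary = (f"[Computed Hashes]\n MD5 checksum:    {good['md5']}\n"
                   f" SHA1 checksum:   {good['sha1']}\n")
        ok = verify(parts, summary)
        parts[1].write_bytes(b"second segment " * 31 + b"second segmenT ")  # one changed byte
        return ok, verify(parts, summary)
```

On a real case, pass the segment paths in order and the summary file's text to `verify()`. This applies to raw images only: container formats such as E01 store the acquisition hash inside the file, so hashing the file itself will not reproduce it.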


2. Add Evidence Item

  1. Click on "Add Evidence Item".

  2. Select the "Source Evidence Type" and click on "Next".

  3. Select the corresponding file to be added as Evidence Item.

  4. Once the source evidence file is selected, you can click on "Finish".

  5. On the left hand side, under "Evidence Tree" you can see the "Source Evidence File".

  6. You can see the directories and files present within the "Evidence File".

Adding evidence items in FTK Imager provides investigators with the flexibility to incorporate various sources of digital evidence into their investigations. Whether it's a file, a directory, or an entire disk image, FTK Imager simplifies the process of adding evidence items, which allows investigators to thoroughly examine digital data for forensic analysis.


3. Forensic Image Mounting

  1. Open "File" and click on "Image Mounting".

  2. Add the Image file by browsing and selecting the appropriate file.

  3. From (1), you can see the different settings present:

    a. Mount Type

    b. Drive Letter

    c. Mount Method

    After this, you can click on "Mount" (2) to mount the image to the drive.

  4. You can see the mounted image on the same Window as well as in File Explorer.

  5. The image can be unmounted by selecting it and then clicking on "Unmount".

Forensic image mounting is a key feature in digital forensics which allows investigators to access and analyze disk images without altering the original evidence. FTK Imager makes this process easier and simpler with its intuitive interface and customizable mounting options. By mounting images, investigators can conduct thorough examinations of digital evidence while preserving the integrity of the original data.

Conclusion

FTK Imager equips forensic investigators with the tool they need to uncover truth in the digital world, paving the way for successful and secure investigations.

🔍💻 Happy hunting! 🕵️‍♂️🔒


Written by

Herschel Menezes