Custom Image Using FTK and Mounting Image for Analysis

Forensic Acquisition and Analysis Using FTK Imager

FTK Imager is an essential tool for targeted forensic data acquisition and efficient analysis. Below is a detailed guide on how to use it for creating and analyzing custom images.


1. Custom Image Creation Using FTK Imager

Step 1: Launch FTK Imager as Administrator

  • Why? Ensures access to all system files, including protected or locked files.

  • How? Right-click the FTK Imager icon and select Run as Administrator.


Step 2: Add Evidence Item

  • Navigate to File > Add Evidence Item.

  • Choose the source type based on your investigation:

    • Physical Drive: Acquires the entire disk, including unallocated space.

    • Logical Drive: Captures only allocated space (e.g., active files).

    • Image File: Load previously captured forensic images.

    • Contents of a Folder: Focus on specific folders for targeted acquisition.


Step 3: Select Evidence Source

  • Select the desired drive or folder:

    • Example: Choose C: for logical drive acquisition on Windows systems.


Step 4: Navigate and Add Files/Folders

  • Expand the evidence tree, such as NONAME [NTFS] > root.

  • Right-click critical items and select Add to Custom Content Image:

    • Documents, Downloads, Desktop.

    • Event logs: %SYSTEMROOT%\System32\winevt\Logs\

    • Registry hives: %SYSTEMROOT%\System32\config\

    • PowerShell scripts or other specific files.


Step 5: Create Custom Image

  1. Click Create Image.

  2. Set:

    • Destination Path: Where the image will be saved.

    • Image Filename: A descriptive name for easy identification.

  3. Enable:

    • Verify images after they are created.

    • Create directory listings for report generation.

  4. Click Start to begin the imaging process.


Step 6: Verify Completion

  • FTK Imager calculates and displays hash values to verify data integrity.

  • The custom image is now ready for analysis.
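The hash check in Step 6 and the Data Integrity consideration below both come down to the same routine: re-hash the image file and compare the result against what FTK Imager recorded when the image was created. The script below is an added example for this page, not part of FTK Imager or its documentation. It streams the file in blocks so multi-gigabyte images need not fit in memory, parses "MD5 checksum: <hex>" style lines from a verification text (the report layout is an assumption here; adapt the regular expression if your report differs), and reports per-algorithm match or mismatch. The demo builds a constructed 3-byte "image" and a report whose SHA256 line has been altered, so one of the two checks fails on purpose.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Stream in 4 MiB blocks so multi-GB images do not have to fit in RAM.
CHUNK_SIZE = 4 * 1024 * 1024

# Matches lines such as " MD5 checksum:  <hex> : verified".
# Assumed layout of the verification text written next to an image;
# adjust the pattern if your report looks different.
HASH_LINE = re.compile(
    r"^\s*(MD5|SHA1|SHA256)\s+checksum:\s*([0-9a-fA-F]+)",
    re.IGNORECASE | re.MULTILINE,
)


def _digest_blocks(blocks):
    """Feed every block to MD5, SHA1 and SHA256 at once; return lowercase hex digests."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for block in blocks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Hash an in-memory byte string (handy for tests and small files)."""
    return _digest_blocks([data])


def hash_file(path):
    """Hash a file on disk without loading it whole."""
    with open(path, "rb") as fh:
        return _digest_blocks(iter(lambda: fh.read(CHUNK_SIZE), b""))


def parse_hash_report(text):
    """Extract {algorithm: hex digest} from the verification report text."""
    return {alg.lower(): digest.lower() for alg, digest in HASH_LINE.findall(text)}


def verify_image(path, report_text):
    """Compare each recorded hash with a fresh computation; True means the image is unchanged."""
    computed = hash_file(path)
    recorded = parse_hash_report(report_text)
    return {alg: computed[alg] == digest for alg, digest in recorded.items() if alg in computed}


def demo():
    """Constructed demo: a 3-byte 'image' plus a report whose SHA256 line was tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "custom.ad1"  # constructed sample, not a real image
        image.write_bytes(b"abc")
        report = (
            "[Computed Hashes]\n"
            " MD5 checksum:    900150983cd24fb0d6963f7d28e17f72 : verified\n"
            # last hex digit changed from 'd' to 'c' to simulate a modified image
            " SHA256 checksum: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ac : verified\n"
        )
        return verify_image(image, report)


if __name__ == "__main__":
    for alg, ok in demo().items():
        print(f"{alg}: {'MATCH' if ok else 'MISMATCH'}")
```

Run it against a real acquisition by calling verify_image() with the image path and the contents of its verification text; any False value means the copy you are about to analyze is not the one that was hashed at acquisition time.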


Benefits of Mounting Images

  1. Interactive Analysis:

    • View and analyze the data in a user-friendly manner.

    • Directly access critical forensic artifacts without altering the original image.

  2. Triage Investigations:

    • Quickly locate and analyze key files such as event logs and registry entries.

  3. Efficient Workflow:

    • Reduces time spent on acquisition and allows focused investigations.
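The directory listing enabled in Step 5 is a quick way to do the triage described above before opening the image itself. The script below is an added example written for this page, not an FTK Imager feature. It reads a listing as CSV and flags the kinds of items Step 4 singles out: script files, event logs under winevt\Logs, registry hives under System32\config, executables sitting in user folders, double extensions, and deleted entries. The sample rows and the column names (Filename, Full Path, Size, Created, Modified, Accessed, Is Deleted) are constructed and assumed; check them against the header of your own listing.

```python
import csv
import io
from pathlib import PureWindowsPath

SCRIPT_EXTS = {".ps1", ".psm1", ".bat", ".cmd", ".vbs", ".js", ".hta"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}
HIVE_NAMES = {"SAM", "SECURITY", "SOFTWARE", "SYSTEM", "DEFAULT"}
USER_FOLDERS = {"downloads", "desktop", "documents"}

# Constructed sample listing. Column names are an assumption about the CSV
# produced by "Create directory listings"; adapt them to your own export.
SAMPLE_LISTING = r"""Filename,Full Path,Size,Created,Modified,Accessed,Is Deleted
update.ps1,NONAME [NTFS]\root\Users\jdoe\Downloads\update.ps1,2048,2024-03-01 09:12:00,2024-03-01 09:12:00,2024-03-01 09:13:00,no
Security.evtx,NONAME [NTFS]\root\Windows\System32\winevt\Logs\Security.evtx,20971520,2023-11-20 08:00:00,2024-03-01 10:00:00,2024-03-01 10:00:00,no
SYSTEM,NONAME [NTFS]\root\Windows\System32\config\SYSTEM,16777216,2023-11-20 08:00:00,2024-03-01 10:00:00,2024-03-01 10:00:00,no
report.docx,NONAME [NTFS]\root\Users\jdoe\Documents\report.docx,34567,2024-02-10 14:00:00,2024-02-11 09:30:00,2024-02-11 09:30:00,no
invoice.pdf.exe,NONAME [NTFS]\root\Users\jdoe\Downloads\invoice.pdf.exe,512000,2024-03-01 09:10:00,2024-03-01 09:10:00,2024-03-01 09:11:00,yes
"""


def classify(full_path, is_deleted):
    """Return the reasons a listing entry deserves a first look (empty list = nothing notable)."""
    p = PureWindowsPath(full_path)
    ext = p.suffix.lower()
    parts_lower = {part.lower() for part in p.parts}
    parent = p.parent
    reasons = []
    if ext in SCRIPT_EXTS:
        reasons.append("script file")
    if ext == ".evtx" and parent.name.lower() == "logs" and parent.parent.name.lower() == "winevt":
        reasons.append("event log")
    if p.name.upper() in HIVE_NAMES and parent.name.lower() == "config":
        reasons.append("registry hive")
    if ext in EXEC_EXTS and USER_FOLDERS & parts_lower:
        reasons.append("executable in user folder")
    if len(p.suffixes) > 1 and ext in EXEC_EXTS:
        reasons.append("double extension")
    if is_deleted.strip().lower() == "yes":
        reasons.append("deleted")
    return reasons


def triage_listing(csv_text):
    """Parse a directory-listing CSV and return flagged entries sorted by path."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = classify(row["Full Path"], row.get("Is Deleted", "no"))
        if reasons:
            flagged.append({"path": row["Full Path"], "size": int(row["Size"]), "reasons": reasons})
    return sorted(flagged, key=lambda e: e["path"].lower())


if __name__ == "__main__":
    for entry in triage_listing(SAMPLE_LISTING):
        print(f"{entry['path']}  ({entry['size']} bytes): {', '.join(entry['reasons'])}")
```

Point triage_listing() at the text of a real listing (open the CSV and pass its contents) to get a short worklist of artifacts to pull from the mounted image first; report.docx in the sample is left out because nothing about it stands out.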


Key Considerations

  1. Data Integrity:

    • Re-hash the image after acquisition (MD5 or SHA-256) and compare the result with the values FTK Imager recorded at creation to confirm no data was altered.

  2. Storage Requirements:

    • Ensure sufficient space for storing images, as even custom images can be large depending on the selected files.

  3. Evidence Isolation:

    • Always perform analysis on a dedicated forensic workstation to avoid evidence tampering.


Key Points

FTK Imager provides a powerful and flexible method for forensic acquisition and analysis. By creating custom images and mounting them for interactive review, investigators can efficiently gather and analyze evidence, ensuring both thoroughness and speed during incident response.
