AccessData produces a commercial forensic examination program called the Forensic Toolkit, or FTK. While the FTK examination program costs thousands of dollars, AccessData also offers a no-cost companion program called FTK Imager. FTK Imager is more flexible than dd in that it allows the user to create images of physical disks, logical drives, CD/DVD drives, and even folders. It can also save the images in multiple formats, including the proprietary EnCase (.E01) and SMART formats, and the old standby raw .dd.
Before starting the imaging process, first be sure that some sort of write protection is in place so that simply attaching the evidence drive to the Windows workstation cannot alter it; see Write-Blocking Using the Windows Registry if you don’t have a hardware write blocker handy. For this example I imaged a 1 GB USB flash drive.
Launch FTK Imager (on Vista, right-click the shortcut and choose “Run as administrator”; without an elevated token FTK Imager will not be able to see the physical disks) and select File > Create Disk Image. A dialog box will appear like Figure 1 at the bottom of the post; for this example ‘Physical Drive’ should be selected.
Next, the drive to be imaged should be selected from the drop down box. In this example, the examination workstation has three drives attached. PHYSICALDRIVE0 is a RAID array that has been detected as a 499GB SCSI device, PHYSICALDRIVE1 is the 1GB USB flash drive, and PHYSICALDRIVE6 is a 500GB USB external hard drive. For this scenario, PHYSICALDRIVE1 should be selected.
The next screen confirms that the image source chosen was PHYSICALDRIVE1, and then prompts the user to select where the image file should be saved. Just like dcfldd, FTK Imager can write the image to multiple destinations concurrently; this is useful if the investigator wants to keep a local copy of the image and send a second copy over the network to a file server (when saving several gigabytes of data across a LAN/WAN, be aware of the available bandwidth, since the imaging will run no faster than the slowest destination). At the bottom of the screen several check boxes are present. The ‘Verify images after they are created’ option is checked by default and should be left checked in all but exceptional cases; without verification there is no evidence that the image actually matches the source. The ‘Create directory listings…’ option, when checked, generates a .csv file listing all the files present in the image, including deleted ones. To add an image destination, click the ‘Add…’ button.
Select ‘Raw (dd)’ as the image type and click ‘Next >’. At this screen some optional fields allow the investigator to enter information about the investigation, including case and evidence numbers, description, examiner name, and notes. These can be filled in if desired, then click ‘Next >’.
This screen prompts the user to select both the image destination folder and filename. At the bottom are two options. The first is ‘Image Fragment Size (MB)’. This field specifies the number of megabytes per chunk into which FTK Imager should split the image file; this can be helpful if the image is very large or will be transported or archived on CDs or DVDs. If the value entered is larger than the size of the data to be imaged, only one file will be created and it will be the size of the data (entering 0 also produces a single unsplit file). For our example, if the default value of 1500 MB is left, FTK Imager will create one 1GB file since the USB drive is only 1GB. The second option deals with compression; raw dd images cannot be compressed, but some proprietary formats, like .E01, can. Once the image destination folder and filename have been entered, the ‘Finish’ button becomes available and returns the user to the previous screen when pressed. At this point more image destinations can be added, or the ‘Start’ button can be pressed to begin the imaging process.
Once ‘Start’ is pressed, a box will appear with the elapsed time and the estimated time remaining. Once the imaging finishes, FTK Imager will begin verifying the image by hashing both the source device and the generated image with both the MD5 and SHA-1 algorithms.
Once the image has been created and verified, a window with the results of the imaging and the verification will appear; it lists the hash values of the source and destination and whether they match, the name of the generated image file, the number of sectors imaged, and whether any bad sectors were found. Another window will also appear showing the progress of the directory listing, if that option was checked. Once these two boxes have been closed, the box that showed the progress of the image creation will be visible again, this time with an ‘Image Summary…’ button. This button opens a text file, created in the same directory as the image, that records the important details of the imaging process: the optional case and examiner information entered earlier, the physical geometry of the imaged disk, model and serial numbers if available, when the acquisition and verification started and completed, and the hash values. Keep this file with the image; it is what lets a second examiner, or a court, check later that the image they are handed still hashes to the values recorded at acquisition time. Figure 9 shows the Image Summary information for the created test image.
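The verification FTK Imager performs happens once, on the examiner’s workstation, right after acquisition. Whenever the image is copied, archived or handed to someone else, the hashes in the Image Summary are the only thing that ties those bytes back to the original drive, so a practitioner wants a way to re-check them independently. The script below is an added example, not part of the original post and not AccessData’s code: it gathers the raw (dd) fragments FTK Imager writes (image.001, image.002, …) in numeric order, refuses to proceed if a fragment is missing, streams the whole sequence through MD5 and SHA-1 as one logical image, and compares the results with the ‘MD5 checksum:’ and ‘SHA1 checksum:’ lines of the summary text. The exact layout of the summary file and the fragment naming are assumptions drawn from the post, and the fragments and summary the demo builds are constructed sample data, not a real acquisition.

```python
import hashlib
import os
import re
import tempfile

# Assumed FTK Imager raw-fragment naming: <name>.001, <name>.002, ...
FRAGMENT_EXT = re.compile(r"\.(\d{3,})$")
# Assumed summary lines: " MD5 checksum:  <32 hex>" / " SHA1 checksum: <40 hex>"
HASH_LINE = re.compile(
    r"(MD5|SHA1)\s*checksum\s*:\s*([0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE
)


def fragment_paths(directory, base_name):
    """Return the fragments of base_name in numeric order, or raise if the
    sequence has a gap (a missing fragment silently shifts all later data)."""
    found = []
    for name in os.listdir(directory):
        if name.startswith(base_name + "."):
            m = FRAGMENT_EXT.search(name[len(base_name):])
            if m:
                found.append((int(m.group(1)), os.path.join(directory, name)))
    found.sort()
    numbers = [n for n, _ in found]
    if numbers != list(range(1, len(found) + 1)):
        raise ValueError("fragment sequence has gaps: %r" % numbers)
    return [p for _, p in found]


def hash_fragments(paths, chunk_size=1 << 20):
    """Stream every fragment, in order, through MD5 and SHA-1 as one image.
    Returns (md5_hex, sha1_hex, total_bytes); reading in chunks keeps memory
    flat no matter how large the image is."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    for path in paths:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk_size), b""):
                md5.update(block)
                sha1.update(block)
                total += len(block)
    return md5.hexdigest(), sha1.hexdigest(), total


def parse_summary_hashes(summary_text):
    """Extract the recorded MD5 and SHA1 values from an Image Summary text.
    The summary repeats the hashes in its verification section; the first
    occurrence of each algorithm is kept."""
    hashes = {}
    for algo, value in HASH_LINE.findall(summary_text):
        hashes.setdefault(algo.upper(), value.lower())
    return hashes


def verify_image(directory, base_name, summary_text):
    """Recompute the image hashes and compare them with the summary."""
    paths = fragment_paths(directory, base_name)
    md5, sha1, total = hash_fragments(paths)
    recorded = parse_summary_hashes(summary_text)
    return {
        "fragments": len(paths),
        "bytes": total,
        "md5_match": recorded.get("MD5") == md5,
        "sha1_match": recorded.get("SHA1") == sha1,
    }


def build_demo(directory, fragment_size=3000):
    """Constructed sample: a 6915-byte pseudo-image split into 3000-byte
    fragments, plus a summary text in the style of FTK Imager's Image Summary
    (only the checksum lines matter to the parser). Returns the summary."""
    data = bytes(range(256)) * 27 + b"END"
    for i in range(0, len(data), fragment_size):
        with open(os.path.join(directory, "image.%03d" % (i // fragment_size + 1)), "wb") as f:
            f.write(data[i:i + fragment_size])
    md5, sha1 = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
    return (
        "Created By AccessData FTK Imager (constructed sample, not real output)\n"
        "[Computed Hashes]\n MD5 checksum:    %s\n SHA1 checksum:   %s\n\n"
        "Image Verification Results:\n MD5 checksum:    %s : verified\n"
        " SHA1 checksum:   %s : verified\n" % (md5, sha1, md5, sha1)
    )


def run_demo(tamper=False, drop_fragment=False):
    """Build the sample in a temp directory and verify it. tamper flips one
    byte of the last fragment (a corrupted copy); drop_fragment deletes the
    middle one (an incomplete copy)."""
    with tempfile.TemporaryDirectory() as d:
        summary = build_demo(d)
        if tamper:
            with open(os.path.join(d, "image.003"), "r+b") as f:
                f.seek(10)
                b = f.read(1)[0]
                f.seek(10)
                f.write(bytes([b ^ 0x01]))
        if drop_fragment:
            os.remove(os.path.join(d, "image.002"))
        try:
            return verify_image(d, "image", summary)
        except ValueError as e:
            return {"error": str(e)}


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(tamper=True))
    print(run_demo(drop_fragment=True))
```

Point the script at the real image by calling verify_image with the destination folder, the filename entered in FTK Imager, and the contents of the summary .txt; a mismatch means the copy in hand is not the image that was verified at acquisition, and the question becomes where in the chain of custody it changed.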
Now the investigator has a dd image of the USB drive suitable for examination by a wide range of forensic software, together with a log file of the important acquisition details. The dd image format has the benefit of being supported by virtually every forensic program, but it does not offer features like compression or embedded case metadata, which can be useful. From here a variety of tools, both proprietary and open-source, can be used to analyze this image. Some of these tools and analysis methods will be examined in later posts.