07.Disk Acquisition FTK imager windows
π Quick Introduction
-
Disk Acquisition refers to creating a bit-by-bit copy of a storage disk or partition for the purpose of digital forensic analysis without affecting the original.
-
On Windows, we donβt use the well-known
ddtool from Linux. Instead, we use a free tool called FTK Imager.
π₯ Downloading FTK Imager
-
The tool is free and released by Exterro (owner of AccessData).
-
It can be downloaded from the official website:
-
Search:
FTK Imager download Exterro -
You may be asked to enter information such as an email address before downloading.
-
Alternatively: You can download it from third-party sites, but those are often outdated versions.
π§ Overview of FTK Imager
The tool is not only for image acquisition, but also allows you to:
-
Browse files inside disks.
-
Preview protected files.
-
Acquire RAM images.
ποΈ Key Interface Functions
-
File β Create Disk Image: To create a full disk image.
-
Mount Image to Drive: To mount and read an image as if it were a real disk.
-
Add Evidence Item: To add files or evidence for analysis.
-
Export Files: To export selected files.
π οΈ Starting the Disk Acquisition Process
1. From the main screen:
Select: File > Create Disk Image
2. Choose the source type:
-
Physical Drive: If you want to image an entire disk.
-
Logical Drive / Partition: If you want to image a specific partition.
-
Image File: To clone from an existing image.
π You can also perform a Partial Acquisition (for specific files or folders) instead of the entire disk.
π₯οΈ Selecting the Hard Drive or Partition to Image
-
A list of connected disks will appear.
-
Select the desired disk (e.g., USB drive or small test disk).
πΎ Setting Image Parameters
-
Choose the save location for the image.
-
Choose the format:
-
Raw (dd): A single file with no metadata.
-
E01: Includes metadata, encryption, and segmentation capabilities.
-
SMART / AFF: Less commonly used.
Then:
-
Fill in the required data:
-
Case Number: (use the current date)
-
Evidence Number: (evidence number)
-
Unique Description: (a unique description)
-
Examiner Name: (your name)
-
Notes (if any)
𧱠Additional Options
-
Compression: Compress the image to save space.
-
Split Image: Split the image into smaller files (e.g., every 1500 MB).
-
Verify Image after Creation β Very important: To verify image integrity by checking the hash.
Click Finish
βΆοΈ Start Acquisition
Click:
Start
The imaging process will begin. Once completed:
-
It will display the Hash Value (e.g., SHA1 or MD5) of the image, which must be documented in the forensic report.
-
The data is saved in a folder containing:
-
The image file itself (e.g.,
.dd) -
Metadata file (if using Raw format)
Image Summary:
π Mounting the Image
After acquisition, you may want to read the image contents:
- From the menu, select:
File > Image Mounting
- Select the image you created.
-
Assign a drive letter (e.g., D or E).
-
Choose the mount mode:
-
Read-Only (highly recommended)
-
Read/Write (not recommended for investigations)
π Important Note:\ It is not recommended to change the image type or convert it (e.g., from dd to VHD), as this may result in data loss or alter the hash, invalidating the image as court-admissible evidence.
π‘ Extra Feature: Extracting Protected System Files
FTK Imager allows you to extract sensitive files such as:
-
SAM File: Contains user password hashes.
-
SYSTEM File: Contains registry keys.
-
User Profile Files: Such as desktop and document folders for each user.
β Verifying Image Integrity
After completion, the software displays an image summary including:
-
Path
-
Hash
-
Verification status β
π Opening and Reviewing the Image
On Windows:
-
Use Windows Explorer or other tools to review the image if it was mounted.
-
If it's in E01 format, you can use FTK Imager or tools like Autopsy.
π§Ύ Important Tips
-
Always save the hash value of the image in your report.
-
Never analyze the original media directly.
-
Always work with Read-Only images.
-
Organize case files neatly in clearly labeled folders.