Now is a good time to refill that coffee cup! Once the acquisiton is complete, you can view an image summary and the drive will appear in the evidence list in the left hand side of the main FTK Imager window. Click Finish to complete the wizard.Ī progress window will appear. You can also set the maximum fragment size of image split files. Select the Image Destination folder and file name. If you select raw (dd) format, the image meta data will not be stored in the image file itself. If your version of FTK requests evidence information, you can provide it. The dd format will work with more open source tools, but you might want SMART or E01 if you will primarily be working with ASR Expert Witness or EnCase, respectively. The type you choose will usually depend on what tools you plan to use on the image. Check Verify images after they are created so FTK Imager will calculate MD5 and SHA1 hashes of the acquired image. NOTE: FTK Imager does not guarantee data is not written to the drive, so it is important to use a write blocker like the Tableau T35es.Ĭlick Add. In the interest of a quick demo, I am going to select a 512MB SD card, but you can select any attached drive. The version used for this posting was downloaded directly from the AccessData web site (FTK Imager version 2.6.0).įrom the File menu, select Create a Disk Image and choose the source of your image. The rest of this article will walk the reader through the process of taking a drive image using AccessData's FTK Imager tool.įTK Imager is a Windows acquisition tool included in various forensics toolkits, such as Helix and the SANS SIFT Workstation. The truth is: there are plenty of good tools that provide a high level of automation and assurance. I maintained my snobbish attachment to plain old dd for a long time, until I finally got tired of restarting acquisitions, forgetting checksums, and making countless other errors. There are many utilities for acquiring drive images.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |