Blog: SANS Digital Forensics and Incident Response Blog


Forensics 101: Acquiring an Image with FTK Imager

There are many utilities for acquiring drive images. I maintained my snobbish attachment to plain old dd for a long time, until I finally got tired of restarting acquisitions, forgetting checksums, and making countless other errors. The truth is: there are plenty of good tools that provide a high level of automation and assurance. The rest of this article will walk the reader through the process of taking a drive image using AccessData's FTK Imager tool.


FTK Imager is a Windows acquisition tool included in various forensics toolkits, such as Helix and the SANS SIFT Workstation. The version used for this posting was downloaded directly from the AccessData web site (FTK Imager version 2.6.0).


Run FTK Imager.exe to start the tool.


FTK Imager GUI


From the File menu, select Create a Disk Image and choose the source of your image. In the interest of a quick demo, I am going to select a 512MB SD card, but you can select any attached drive. NOTE: FTK Imager does not guarantee data is not written to the drive, so it is important to use a write blocker like the Tableau T35es.


Select Image Source Select Device


Click Add... to add the image destination. Check Verify images after they are created so FTK Imager will calculate MD5 and SHA1 hashes of the acquired image.


Add Destination


Next, select the image type. The type you choose will usually depend on what tools you plan to use on the image. The dd format will work with more open source tools, but you might want SMART or E01 if you will primarily be working with ASR Expert Witness or EnCase, respectively.


Select Image Type


If your version of FTK Imager requests evidence information, you can provide it. If you select the raw (dd) format, the image metadata will not be stored in the image file itself; it only appears in the accompanying log.


Evidence Information


Select the Image Destination folder and file name. You can also set the maximum fragment size of image split files. Click Finish to complete the wizard.


Select Destination


Click Start to begin the acquisition:


Create Image


A progress window will appear. Now is a good time to refill that coffee cup! Once the acquisition is complete, you can view an image summary, and the drive will appear in the evidence list on the left-hand side of the main FTK Imager window. You can right-click on the drive name to Verify the Image:


Verify Image


FTK Imager also creates a log of the acquisition process and places it in the same directory as the image, as image-name.txt. This file lists the evidence information, details of the drive, the checksums, and the times the image acquisition started and finished:

Created By AccessData® FTK® Imager 2.6.0.49 090505

Case Information:
Case Number: Case-20090611-001
Evidence Number: 1
Unique description: John Doe SD Card 1
Examiner: John Jarocki
Notes:

--------------------------------------------------------------

Information for E:\Case-20090611-001\sdcard1.dd:

Physical Evidentiary Item (Source) Information:
[Drive Geometry]
Cylinders: 61
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 990,976
[Physical Drive Information]
Drive Model: SanDisk Cruzer USB Device
Drive Interface Type: USB
Source data size: 483 MB
Sector count: 990976
[Computed Hashes]
MD5 checksum: d116ed8d064ea3939ba650d6beca6efd
SHA1 checksum: 6951e57e929d48973df627cc4b39c7d950749a70

Image Information:
Acquisition started: Fri Jun 12 07:39:02 2009
Acquisition finished: Fri Jun 12 07:49:55 2009
Segment list:
E:\Case-20090611-001\sdcard1.dd.001

Image Verification Results:
Verification started: Fri Jun 12 07:49:56 2009
Verification finished: Fri Jun 12 07:50:00 2009
MD5 checksum: d116ed8d064ea3939ba650d6beca6efd : verified
SHA1 checksum: 6951e57e929d48973df627cc4b39c7d950749a70 : verified
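The log records the hashes FTK Imager computed, but an independent recomputation (on another machine, with another tool) is what later lets you show that the image you analysed is the image you acquired. The following Python script is an added example, not part of the original post and not AccessData's code: it parses the [Computed Hashes] and Segment list sections of an image-name.txt like the one above, re-hashes the split segments (.001, .002, ...) as one continuous stream, and reports whether each algorithm matches. The fixture it runs on (a 2 KB stand-in for the SD card plus a minimal FTK-style log) is constructed here, and the script assumes the segments sit next to the log and are found by file name, because the E:\ path written at acquisition time means nothing once the evidence has been moved.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so a full drive image never has to fit in memory


def parse_ftk_log(text):
    """Pull the recorded MD5/SHA1 and the segment list out of an FTK Imager image-name.txt."""
    hashes, segments, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[Computed Hashes]":
            section = "hashes"
        elif line == "Segment list:":
            section = "segments"
        elif section == "hashes":
            # Only the bare "ALG checksum: hex" lines; the later ": verified" lines do not match.
            m = re.match(r"(MD5|SHA1) checksum:\s*([0-9a-f]{32,40})$", line, re.I)
            if m:
                hashes[m.group(1).lower()] = m.group(2).lower()
            else:
                section = None  # a blank line or the next heading ends the block
        elif section == "segments":
            if line:
                segments.append(line)
            else:
                section = None
    return hashes, segments


def hash_segments(paths):
    """Hash the segments in order as one continuous stream, which is how the image is hashed."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in paths:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(log_path):
    """Re-hash the segments named in the log and compare with what FTK Imager recorded.

    Returns {alg: (recorded, recomputed, match)}. Segments are looked up by file name in
    the log's own directory (assumption: evidence moved together with its log). Assumes
    an ASCII/UTF-8 log file.
    """
    log_path = Path(log_path)
    recorded, segments = parse_ftk_log(log_path.read_text(encoding="utf-8", errors="replace"))
    local = [log_path.parent / seg.replace("\\", "/").rsplit("/", 1)[-1] for seg in segments]
    actual = hash_segments(local)
    return {alg: (recorded.get(alg), actual[alg], recorded.get(alg) == actual[alg])
            for alg in ("md5", "sha1")}


def build_fixture(root, tamper=False):
    """Constructed test data: a two-segment 'image' plus a minimal FTK-style log matching it."""
    root = Path(root)
    data = bytes(range(256)) * 8  # 2048 constructed bytes standing in for drive sectors
    segments = [root / "sdcard1.dd.001", root / "sdcard1.dd.002"]
    segments[0].write_bytes(data[:1024])
    segments[1].write_bytes(data[1024:])
    recorded = hash_segments(segments)  # hashes as they would be recorded at acquisition
    if tamper:
        # Alter one byte after the fact; data[1024] is 0x00, so 0xFF is a real change.
        segments[1].write_bytes(b"\xff" + data[1025:])
    log_text = (
        "Created By AccessData FTK Imager (constructed sample log)\n\n"
        "[Computed Hashes]\n"
        f"MD5 checksum: {recorded['md5']}\n"
        f"SHA1 checksum: {recorded['sha1']}\n\n"
        "Image Information:\n"
        "Segment list:\n"
        "E:\\CONSTRUCTED\\sdcard1.dd.001\n"
        "E:\\CONSTRUCTED\\sdcard1.dd.002\n\n"
    )
    log_path = root / "sdcard1.dd.txt"
    log_path.write_text(log_text, encoding="utf-8")
    return log_path


def run_demo(tamper=False):
    """Build the fixture in a temporary directory and verify it; returns verify_image's result."""
    with tempfile.TemporaryDirectory() as tmp:
        return verify_image(build_fixture(tmp, tamper=tamper))


if __name__ == "__main__":
    for label, tamper in (("intact image", False), ("altered segment", True)):
        print(label)
        for alg, (recorded, recomputed, ok) in run_demo(tamper).items():
            print(f"  {alg.upper()}: {'verified' if ok else 'MISMATCH'} ({recomputed})")
```

Run against a real acquisition by calling verify_image() with the path to the .txt log; hashing the segments as one stream matters because hashing each .001/.002 file separately would never reproduce the whole-image value FTK Imager wrote to the log.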



That's all there is to it!


John Jarocki, GCFA Silver #2161, is an Information Security Analyst specializing in intrusion detection, forensics, and malware analysis. He also holds GCIA, GCIH, GCFW and GSEC certifications and is the Treasurer of NM InfraGard.

9 Comments

Posted June 21, 2011 at 11:00 PM

Elirqv76

Hello, has anybody tested this using WinVista? I need to create an image but I am using WinVista and need to make sure FTK will work. Thanks!

Posted December 05, 2012 at 1:29 AM

Anderson

I have tested on WinVista and it works fine.
If you need to make sure, you can install it on a Virtual Machine and run on it.

Best Regards

Posted December 18, 2012 at 8:48 PM

Michael Winslow

I used FTKImager to make an Image of a Failed raid drive, how can I restore this data to a good Drive so I can rebuild the raid???

Posted December 24, 2012 at 7:27 AM

Dale Rowe

Michael - It's not a simple process but there's a good writeup here: http://pyflag.sourceforge.net/Documentation/articles/raid/reconstruction.html - this will let you rebuild the volumes from several images.

If all you want to do is recreate a single drive and add it back into the array, then that should (in theory) be easier albeit riskier (as you are adding a manually cloned drive into a live writable array). Here are the basic steps:
1. Take a RAW image using FTK of the drive you want to replace.
2. Use the DD (http://en.wikipedia.org/wiki/Dd_(Unix)) tool to write the image back to new media (CAUTION: New media should be the same model/brand as the one it replaces. If this isn't possible it should be LARGER and FASTER - there is a danger that a non-matching model on a cheap controller such as Intel Matrix RAID can cause corruption when writing large amounts of data if the new drive is too slow).
3. Re-add the new media to the array. (CAUTION: This is VERY controller dependent. Most controllers won't recognize the drive as being part of the array. The steps to fix this vary DRAMATICALLY - usually if there isn't an option it involves deleting the array and recreating it in the exact same drive order/blocksize etc WITHOUT initialization but this is VERY risky - I've done this and the suspense is killer!).

Safest option, image all drives in the array, use the first link to rebuild your data to new storage, then build a new array. At least that way if it breaks, you can try again as you're working from images.

Sorry for the long answer - hope it helps!

Posted February 13, 2013 at 10:03 PM

Rich Tietjens

In what way is this superior to using Clonezilla to clone a drive to an image or disk?

Posted February 20, 2013 at 11:56 PM

tino edu

so after doing everything... how can i find the authentication information??

Posted April 17, 2013 at 12:49 PM

Timothy Small

On my network, users have their own personal storage in addition to Shared data. The personal storage is NTFS and often has Alternate Data Streams, but I can't get FTK Imager to obtain that data when pulling from their specific folder. I can't do the entire disk image because it is several Petabytes in size. Any suggestions?

Posted June 19, 2013 at 8:33 AM

Mac

Hello guys, I have an E01 image that I need to analyse using Scalpel in order to do data carving. However, Scalpel does not read E01. Can I use FTK Imager to revert the image to a Scalpel-readable format? How? Please advise.

Posted September 18, 2013 at 8:12 AM

santy

Hi everyone.

In such an imaged disk, a file's timestamp (MACE) values are as given below (dd/mm/yyyy; time not given here):

File access date: 06/09/2013
File created date: 27/05/2013
Entry modified date: 02/01/2005
last written date: 30/05/2013

How can entry modified be 2005?
If this is a scenario, what are the possibilities?
Kindly help.

And if there are possibilities of tampering using timestomp or others, what is the way to prove it?
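As an added illustration (not part of santy's question or of any reply), the following Python triage check encodes the ordering problem raised above over constructed records in the same dd/mm/yyyy form; the first record reproduces the dates quoted in the question, the other two are made up for contrast. The rule it applies: a file's MFT entry-modified time cannot legitimately precede its own creation time, because creating the file updated the record, and changing the M/A/C times through the normal file APIs updates it again. Such a finding is a reason to go to the $FILE_NAME timestamps and the file system journals for corroboration, not proof on its own.

```python
from datetime import datetime

# Constructed records (dd/mm/yyyy, no times, as in the comment above). The first reproduces
# the dates quoted there; "copied_report.docx" and "notes.txt" are made up for contrast.
SAMPLE_RECORDS = [
    {"name": "file_from_comment", "accessed": "06/09/2013", "created": "27/05/2013",
     "entry_modified": "02/01/2005", "modified": "30/05/2013"},
    {"name": "copied_report.docx", "accessed": "10/06/2013", "created": "10/06/2013",
     "entry_modified": "10/06/2013", "modified": "01/03/2013"},
    {"name": "notes.txt", "accessed": "06/01/2013", "created": "01/01/2013",
     "entry_modified": "05/01/2013", "modified": "05/01/2013"},
]

FIELDS = ("modified", "accessed", "created", "entry_modified")  # M, A, C, E


def parse_record(rec):
    """Turn the dd/mm/yyyy strings of one record into datetimes."""
    return {f: datetime.strptime(rec[f], "%d/%m/%Y") for f in FIELDS}


def timestamp_findings(rec):
    """Return (severity, explanation) pairs for orderings that need an analyst's attention."""
    ts = parse_record(rec)
    findings = []
    if ts["entry_modified"] < ts["created"]:
        findings.append(("high",
            "MFT entry modified predates creation: creating the file updated its record, and "
            "changing M/A/C times through the normal file APIs updates it again, so this "
            "ordering points to a clock set in the past or to edits made outside those APIs"))
    if ts["modified"] < ts["created"]:
        findings.append(("info",
            "last written predates creation: normal for a copied or downloaded file, whose "
            "content keeps its original modified time while creation is the copy time"))
    if ts["accessed"] < ts["created"]:
        findings.append(("low",
            "last access predates creation: some copy tools carry the source access time "
            "over, so check how the file arrived"))
    return findings


def triage(records):
    """Map each record's name to its list of findings (empty list means nothing unusual)."""
    return {rec["name"]: timestamp_findings(rec) for rec in records}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_RECORDS).items():
        print(name, "-> no anomalies" if not findings else "")
        for severity, why in findings:
            print(f"  [{severity}] {why}")
```

The check works on dates only because that is all the question gives; with full timestamps the same structure extends to finer rules (for example, a cluster of values with zeroed sub-second fields) without changing how findings are reported.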
