SANS Digital Forensics and Incident Response Blog: Tag - Add new tag

Forensics 101: Acquiring an Image with FTK Imager

There are many utilities for acquiring drive images. I maintained my snobbish attachment to plain old dd for a long time, until I finally got tired of restarting acquisitions, forgetting checksums, and making countless other errors. The truth is: there are plenty of good tools that provide a high level of automation and assurance. The rest of this article will walk the reader through the process of taking a drive image using AccessData's FTK Imager tool.

FTK Imager is a Windows acquisition tool included in various forensics toolkits, such as Helix and the SANS SIFT Workstation. The version used for this posting was downloaded directly from the AccessData web site (

Hex Dumping Flash From a Mobile

Most mobile phone manufacturers sell or provide tools for managing the data on their devices, with some exceptions among the very low-cost devices. The problem is that few of these tools are forensically sound. Hence the need for an alternative: hex dumps from a flasher.

Model: UN-0412100 Flasher by Twister

A hex dump of the device is a physical acquisition of the device's memory. For the majority of devices available, this will necessitate the use of a "flasher" or "twister" device. These are specialist support tools designed for the repair and servicing of mobile devices. The benefit to the