
Drive Imaging With FTK Imager

The purpose of this document is to show how a forensic image can be easily acquired using the AccessData FTK Imager software. Before any operation involving the original evidence is undertaken it is imperative that the evidence is protected. Hardware and software should be tested often to ensure that it is functioning as expected. Testing should be incorporated by the forensic computer examiner as a standard part of the acquisition and examination process. Only after the examiner is certain that the evidence will be protected should the process begin.

For this acquisition demonstration, as shown in the photo above, the evidence drive is connected to a properly functioning write blocker. The write blocker is connected to the acquisition machine via USB 3.0. Should a drive be attached to a Windows machine without a write blocker to protect it, Windows will write to the drive as soon as it mounts it, and the information on the drive will be altered.

Robert Leigh, CCE - February 2012

The FTK Imager software is launched and, from the File menu item, Add Evidence Item is selected.

The Physical Drive radio button is selected and the Next button is clicked, opening the drive selection form.

From the drop-down box on the drive selection form, we select the physical drive connected to the USB port via the write blocker and click the Finish button.


We are now ready to verify the drive. The verification process will create hash values that act as unique fingerprints of the drive. We can compare these hash values to the final image to ensure that the image is a complete representation of the original media.

The evidence drive is then displayed in the Evidence Tree pane of FTK Imager. Right-clicking the drive name displays a drop-down menu, from which Verify Drive/Image is selected.

FTK Imager will run the verification process, as shown above. When verification is complete, a box containing the drive name, sector count, MD5 hash, SHA1 hash and bad sector list is displayed. We will compare these hash values to those of the image once it has been acquired to confirm that they match.


To begin the acquisition process, from the file menu in FTK Imager, select Create Disk Image as shown below.

In the Select Source form, shown above, the Physical Drive radio button is selected and the Next button clicked.


In the subsequent form, shown above, the evidence drive is selected from the drop down box and the Finish button clicked, producing the following form.

The Add button in the above form opens the following:

For this demonstration, a Raw (dd) image will be created by clicking the Next button in the form above.

Next, information about the evidence is entered into the preceding Evidence Item Information form.

The Browse button can be used to open the location where the image is to be created. In this demonstration case, the image will be created on the c:\ drive of the acquisition machine. Note the other options available. For this demo, the image will not be fragmented or encrypted. Clicking the Finish button after the information is entered opens the following form.


The Verify images after they are created box is checked. This will create hash values of the drive and the image to ensure they match. The hash values produced can also be compared to those produced at the beginning of the process to show that the evidence has not been altered. Clicking the Start button begins the imaging and opens the following form indicating the imaging progress.

When the imaging process is complete, verification will begin automatically and the following form will pop up:


Once the image has been verified, the following form will be displayed showing the results of the process. Note that the hash values of the drive and of the image match. These hash values are then compared to the hash values computed before acquisition, proving that the evidence has not been altered.

FTK Imager also creates a summary with details of the drive, the image and the process itself. The following is the text of the summary:
Image Summary:

Created By AccessData FTK Imager 3.1.0.1514

Case Information:
Acquired using: ADI3.1.0.1514
Case Number: NH001-02122012
Evidence Number: HD001
Unique description: NH001-02122012-DriveImage
Examiner: Robert_Leigh
Notes: Image Demonstration

--------------------------------------------------------------

Information for C:\Images\NH001-01122012:

Physical Evidentiary Item (Source) Information:
[Drive Geometry]
 Cylinders: 9,729
 Tracks per Cylinder: 255
 Sectors per Track: 63
 Bytes per Sector: 512
 Sector Count: 156,301,488
[Physical Drive Information]
 Drive Model: Jmicron Corp. USB Device
 Drive Serial Number: #
 Drive Interface Type: USB
 Source data size: 76319 MB
 Sector count: 156301488
[Computed Hashes]
 MD5 checksum: 7783f6015754c09485250cc021eb5935
 SHA1 checksum: afd9e7b8721246d5758ed6f69f8f2c8d1dcf1ffe

Image Information:
 Acquisition started: Sun Feb 12 18:34:26 2012
 Acquisition finished: Sun Feb 12 19:08:11 2012
 Segment list:
  C:\Images\NH001-01122012.001

Image Verification Results:
 Verification started: Sun Feb 12 19:08:14 2012
 Verification finished: Sun Feb 12 19:28:17 2012
 MD5 checksum: 7783f6015754c09485250cc021eb5935 : verified
 SHA1 checksum: afd9e7b8721246d5758ed6f69f8f2c8d1dcf1ffe : verified
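
The walkthrough rests on three hash comparisons: the Verify Drive/Image result taken before acquisition, the [Computed Hashes] and Image Verification Results that FTK Imager writes into the summary, and, ideally, a recomputation over the image segments with a tool other than the one that produced them. The following Python example is added here and is neither part of the original document nor AccessData's code. It parses a summary text in the layout above, recomputes MD5 and SHA1 over image segments in chunks so that a multi-gigabyte raw image never has to fit in memory, and reports the three comparisons. The summary text embedded in it is constructed from the demonstration values above, the PRE_ACQUISITION values stand in for what the examiner recorded from the Verify Drive/Image box, and the byte strings hashed in the demo are constructed sample data, so the recomputation check is expected to report a mismatch against the real drive's hashes.

```python
import hashlib
import io
import re

# Constructed summary text in the layout FTK Imager writes; the case number,
# segment path and hash values are the demonstration values from the document.
FTK_SUMMARY = r"""Created By AccessData FTK Imager 3.1.0.1514

Case Information:
Acquired using: ADI3.1.0.1514
Case Number: NH001-02122012
Evidence Number: HD001

--------------------------------------------------------------

Information for C:\Images\NH001-01122012:

Physical Evidentiary Item (Source) Information:
[Computed Hashes]
 MD5 checksum:   7783f6015754c09485250cc021eb5935
 SHA1 checksum:  afd9e7b8721246d5758ed6f69f8f2c8d1dcf1ffe

Image Information:
 Segment list:
  C:\Images\NH001-01122012.001

Image Verification Results:
 MD5 checksum:   7783f6015754c09485250cc021eb5935 : verified
 SHA1 checksum:  afd9e7b8721246d5758ed6f69f8f2c8d1dcf1ffe : verified
"""

# Values the examiner recorded from the Verify Drive/Image box before acquisition
# (assumed here to be the same demonstration values as in the summary).
PRE_ACQUISITION = {
    "md5": "7783f6015754c09485250cc021eb5935",
    "sha1": "afd9e7b8721246d5758ed6f69f8f2c8d1dcf1ffe",
}

HASH_RE = re.compile(r"(MD5|SHA1) checksum:\s*([0-9a-fA-F]+)")
# The segment list is the run of indented lines that follows "Segment list:".
SEGMENT_RE = re.compile(r"Segment list:[ \t]*\n((?:[ \t]+\S[^\n]*\n)+)")


def parse_ftk_summary(text):
    """Return source hashes, verification hashes and segment paths from a summary.

    [Computed Hashes] precedes Image Verification Results in the file, so the
    first MD5/SHA1 pair belongs to the source drive and the second to the image.
    """
    pairs = [(algo.lower(), digest.lower()) for algo, digest in HASH_RE.findall(text)]
    match = SEGMENT_RE.search(text)
    segments = [line.strip() for line in match.group(1).splitlines()] if match else []
    return {"source": dict(pairs[:2]), "verification": dict(pairs[2:4]), "segments": segments}


def hash_segments(streams, chunk_size=1024 * 1024):
    """MD5 and SHA1 over the concatenation of several byte streams, read in chunks.

    A split raw image (.001, .002, ...) hashes the same as the whole drive only
    when its segments are fed through one hash state in order, as done here.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for stream in streams:
        for chunk in iter(lambda: stream.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_bytes(*parts, chunk_size=1024 * 1024):
    """Hash in-memory byte strings as consecutive segments (used for the demo)."""
    return hash_segments([io.BytesIO(part) for part in parts], chunk_size)


def _open_all(paths):
    # Yield each segment file in turn; the consumer drains it before the next opens.
    for path in paths:
        with open(path, "rb") as handle:
            yield handle


def hash_files(paths, chunk_size=1024 * 1024):
    """Hash image segment files on disk in the order the summary lists them."""
    return hash_segments(_open_all(paths), chunk_size)


def check_acquisition(summary_text, pre_acquisition, image_hashes):
    """Three checks an examiner wants before relying on an image:
    the tool's own verification, agreement with the pre-acquisition drive
    hashes, and an independent recomputation over the image segments."""
    summary = parse_ftk_summary(summary_text)
    return {
        "tool_verified": summary["source"] == summary["verification"],
        "matches_pre_acquisition": summary["source"] == pre_acquisition,
        "matches_recomputed_image": summary["source"] == image_hashes,
    }


if __name__ == "__main__":
    # Constructed stand-in for the image; a real run would instead call
    # hash_files(parse_ftk_summary(FTK_SUMMARY)["segments"]).
    sample_image = bytes(range(256)) * 64
    for name, ok in check_acquisition(FTK_SUMMARY, PRE_ACQUISITION, hash_bytes(sample_image)).items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

Recomputing the hashes with a second tool is what makes the chain independent of FTK Imager's own verification: the summary alone can only show that the tool agrees with itself, while the pre-acquisition hashes and an outside recomputation tie the image back to the drive as it was before any acquisition software touched it.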

With FTK Imager, AccessData has created an easy-to-use tool that is a great aid to any examiner tasked with data acquisition. No software can protect the examiner from himself. Every effort must be made to ensure that the integrity of the original evidence is protected. Along with properly functioning hardware, FTK Imager should be part of every forensic computer examiner's toolbox.

