Image acquisition in FTK Imager



What is mounting and verifying?
Mounting is making the image accessible.
Verification is simply proving that the image is what it is supposed to be.

Step 1) Run FTK Imager

Step 2) Click Add Evidence Item

Step 3) Create a disk image

Step 4) Select the type (I will be doing an image file) and then find the file

Step 5) Click Finish and you will be taken to a screen similar to the one below. By ticking the verification option, FTK Imager will calculate MD5 and SHA1 hashes of the image.

Step 6) Click Add under Image Destination and you will need to pick the type
Note: raw (dd) works for most, but if using EnCase you will probably want to pick SMART or E01

Clicking Next will then give the following available descriptions. THESE ARE VERY USEFUL FOR DOCUMENTATION
Note: it is vital to make use of these, as you do not want to risk mixing your data up!
I have put one simply as this is a practice; however, in a real event you may benefit more by adding the date

Step 7) Clicking Next gives you the following options. Remember that your path should be different from where the data was originally found.

Note the fragment sizes? This means that you have the option to set the maximum fragment size of the split image files.
Clicking Finish will start the acquisition. This is the best time to get a snack!

Once finished, you will find a report similar to the one below

On top of this, FTK also produces a log of the process, which is in the same directory as the image.

Opening it shows the following information

Now that's done, it's time to explore!
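An added example, not part of the original post or of FTK Imager: one way to re-verify a raw (dd) acquisition independently, by streaming MD5 and SHA1 over the split fragments in order and comparing the result with the hashes recorded at acquisition. It assumes the fragments are named `<name>.001`, `<name>.002`, and so on; the function names and the sample files are illustrative, and it applies to raw (dd) output only, because those files hold nothing but the source bytes.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream 1 MiB at a time; images are too large to load whole
SEGMENT = re.compile(r"\.\d{3}")  # assumed split naming: image.001, image.002, ...


def ordered_segments(first_segment):
    """List the raw (dd) segments in order, refusing a sequence with a gap."""
    first = Path(first_segment)
    if not SEGMENT.fullmatch(first.suffix):
        return [first]  # unsplit image: a single file
    found = sorted(p for p in first.parent.glob(first.stem + ".*")
                   if SEGMENT.fullmatch(p.suffix))
    numbers = [int(p.suffix[1:]) for p in found]
    if numbers != list(range(1, len(found) + 1)):
        raise ValueError(f"segment sequence has a gap: {numbers}")
    return found


def hash_image(first_segment):
    """MD5 and SHA1 over the segments' bytes, as if they were one file."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for segment in ordered_segments(first_segment):
        with open(segment, "rb") as fh:
            while chunk := fh.read(CHUNK):
                md5.update(chunk)
                sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(first_segment, expected_md5, expected_sha1):
    """Compare recomputed digests with the ones recorded at acquisition."""
    md5, sha1 = hash_image(first_segment)
    return {"md5": hmac.compare_digest(md5, expected_md5.strip().lower()),
            "sha1": hmac.compare_digest(sha1, expected_sha1.strip().lower())}


if __name__ == "__main__":
    # Constructed sample: a tiny two-segment "image" in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "practice.001").write_bytes(b"A" * 512)
        Path(tmp, "practice.002").write_bytes(b"B" * 100)
        whole = b"A" * 512 + b"B" * 100
        print(verify_image(Path(tmp, "practice.001"),
                           hashlib.md5(whole).hexdigest(),
                           hashlib.sha1(whole).hexdigest()))
```

A missing fragment raises an error instead of producing a hash, so an incomplete copy cannot be mistaken for a simple mismatch.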















