• ftk 4.0 manual

    Use License Manager to view your current registration information, to check for product updates and to download the latest product versions, where they are available for download. You can also visit our web site, www.accessdata.com, anytime to find the latest releases of our products. For more information, see Managing Licenses in your product manual or on the AccessData website.

    AccessData Contact Information: Your AccessData Sales Representative is your main contact with AccessData. Their collective experience in working with both government and commercial entities, as well as in providing expert testimony, enables them to provide a full range of computer forensic and eDiscovery services. At this time, Professional Services provides support for sales, installation, training, and utilization of Summation, FTK, FTK Pro, Enterprise, eDiscovery, Lab and the entire Resolution One platform. They can help you resolve any questions or problems you may have regarding these solutions.

    Decrypting AD1 Images... Verifying Drives and Images.

    FTK Imager can also create perfect copies (forensic images) of computer data without making changes to the original evidence. When a full drive is imaged, a hash generated by FTK Imager can be used to verify that the image hash and the drive hash match after the image is created, and that the image has remained unchanged since acquisition.

    Important: When using FTK Imager to create a forensic image of a hard drive or other electronic device, be sure you are using a hardware-based write-blocker. This ensures that your operating system does not alter the original source drive when you attach it to your computer.

    To prevent accidental or intentional manipulation of the original evidence, FTK Imager makes a bit-for-bit duplicate image of the media. The forensic image is identical in every way to the original, including file slack and unallocated space or drive free space.
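    The acquire-then-verify workflow described above, as an added example in Python (not code from the manual or from AccessData): the source is hashed with MD5 and SHA1 while it is read, written out as a raw (dd-style) image, and the finished image is re-hashed and compared with the acquisition digests. The "drive" is a file constructed in a temporary directory; on a real acquisition the source would be a block device behind a hardware write-blocker.

```python
"""Bit-for-bit acquisition with dual hashing and post-imaging verification.

Added example, not code from the FTK Imager manual or from AccessData. It
reproduces the workflow the text describes: hash the source while it is read,
write a raw (dd-style) image, re-hash the finished image and compare. The
"drive" is an ordinary file constructed here; on a real acquisition the source
would be a block device behind a hardware write-blocker.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat however large the source is


def hash_bytes(data):
    """MD5 and SHA1 hex digests of an in-memory byte string (spot checks)."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def acquire_raw(source_path, image_path, chunk=CHUNK):
    """Copy source_path to image_path byte for byte.

    Returns (md5, sha1, size) computed over the source stream as it is read,
    which is the acquisition hash an imaging tool records in its log."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            dst.write(block)
            size += len(block)
    return md5.hexdigest(), sha1.hexdigest(), size


def hash_file(path, chunk=CHUNK):
    """Re-read a stored image and return (md5, sha1)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(image_path, expected_md5, expected_sha1):
    """True only if both digests of the image on disk match the acquisition
    digests; this is the 'Verify images after they are created' check."""
    md5, sha1 = hash_file(image_path)
    return md5 == expected_md5 and sha1 == expected_sha1


def demo():
    """Constructed sample: a pseudo-drive of 3 MiB + 17 bytes (deliberately not
    chunk-aligned), imaged and verified, then one byte of the image is flipped
    to show verification failing. Returns (ok_before, ok_after, size)."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "evidence.bin")
    img = os.path.join(tmp, "evidence.001")
    with open(src, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 17))
    md5, sha1, size = acquire_raw(src, img)
    ok_before = verify_image(img, md5, sha1)
    with open(img, "r+b") as fh:  # simulate post-acquisition tampering
        fh.seek(size // 2)
        original = fh.read(1)
        fh.seek(size // 2)
        fh.write(bytes([original[0] ^ 0x01]))
    ok_after = verify_image(img, md5, sha1)
    return ok_before, ok_after, size


if __name__ == "__main__":
    before, after, size = demo()
    print(f"imaged {size} bytes: verify before tamper={before}, after tamper={after}")
```

    Note that verification compares the image against the digest taken from the source as it was read; it cannot tell you the source was pristine, only that the image is an exact copy of what the tool saw through the write-blocker.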

    No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. AccessData Group, Inc. Further, AccessData Group, Inc. You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

    AccessData Group, Inc.
    588 West 400 South, Suite 350
    Lindon, UT 84042 USA

    AccessData Trademarks and Copyright Information: The following are either registered trademarks or trademarks of AccessData Group, Inc. All other trademarks are the property of their respective owners. Third-party trademarks and copyrights are the property of the trademark and copyright holders. AccessData claims no responsibility for the function or performance of third-party products. All rights reserved.

    Documentation Conventions: In AccessData documentation, a number of text variations are used to indicate meanings or actions. Steps that require the user to click on a button or icon are indicated by Bolded text. This Italic font indicates a label or non-interactive item in the user interface.

    Registration: The AccessData product registration is done at AccessData after a purchase is made, and before the product is shipped. The licenses are bound to either a USB security device, or a Virtual CmStick, according to your purchase.

    Subscriptions: AccessData provides a one-year licensing subscription with all new product purchases. The subscription allows you to access technical support, and to download and install the latest releases for your licensed products during the active license period. Following the initial licensing period, a subscription renewal is required annually for continued support and for updating your products. You can renew your subscriptions through your AccessData Sales Representative.

    Note: On MS Windows Server 2008R2 running User Account Control (UAC), marking the Launch box does nothing. You must manually run FTK Imager after installation.
    13. Click Finish to complete the installation and close the wizard.

    Installing To a Portable Device: There are two ways to use Imager on a portable device:
    • Copy the FTK Imager Lite files directly to the device, avoiding installing to a local computer first. Unzip the downloaded files to the portable drive and execute the file from there. The FTK Imager Lite program has fewer files (only the essentials) and does not require a separate installation, although you must unzip the downloaded file to extract its contents into a folder before use.
    With either method, you will need to make a target drive available for saving the imaged data, and a reliable write-blocker must still be used.

    To run FTK Imager using the Command Line Options:
    1. Close FTK Imager, then from the Windows Start Menu, click Run.
    2. In the Run text box, browse to the path and folder containing FTK Imager.exe, then click Open.
    3. At the end of the resulting text line:
    3a. Add one space before the option you wish to use.
    3b.

    The FTK Imager UI: The FTK Imager User Interface is divided into several panes; each is dockable. The Evidence Tree, File List, Properties, Hex Value Interpreter, Custom Content Sources panes, Menu, and Toolbar can all be undocked and resized to best fit your needs. Each can be re-docked individually, or you can reset the entire view for the next investigation.
    • To undock a pane or toolbar: select it and click and drag its title bar to the desired location.
    • To re-dock a pane or toolbar: drag the pane inside the FTK Imager window until an outline shape snaps into place in the desired position, then release the pane.

    Menu Bar: Use the Menu Bar to access all the features of FTK Imager. The Menu Bar is always visible and accessible. There are four items on the Menu Bar. They are discussed in detail in this section.

    This allows you to store the original media away, safe from harm, while the investigation proceeds using the image. After you create an image of the data, you can then use AccessData Forensic Toolkit (FTK) to perform a complete and thorough forensic examination and create a report of your findings.

    Older versions of AccessData products cannot recognize the new v4 format. As a result, two versions of Imager are available to download and use:
    • Imager 3.4.0
    • Imager 3.4.2 (and later)
    Use the following table to understand which products can use which AD1 format. These products can read either AD1v3 or AD1v4 image files. Imager 3.4.0 can read either AD1v3 or AD1v4 files but creates only AD1v3 files; use this version when working with AD1 files for 5.x versions of FTK, Summation, or eDiscovery. You can use this version to open an AD1v4 file and save it as an AD1v3 file (see below). These products can read only AD1v3 files. These products can create only AD1v3 files. However, you can open a v4 file in Imager 3.4.0 (only) and save it as a v3 file. Starting with version 3.4.2, Imager is a 64-bit application.

    Installing Locally: Install FTK Imager to a local hard drive when you intend to attach evidence hardware to that computer for previewing and imaging evidence.

    To install FTK Imager:
    1. Browse to the FTK Imager setup file, either from an installation disc, or from the saved file downloaded from the AccessData web site (Imager Downloads). The following is an example of what you will find on the web site; however, the version number and its MD5 hash will change.
    2. Under Utilities, look for FTK Imager. Click Download to download the latest released version.
    3. Click Save File.
    4. Browse to the location where you wish to save the install file, and click Save.
    5. When the download is complete, browse to the location where it was saved.
    6. Execute the setup file by double-clicking it.

    The Properties Tab: Properties include information such as object type, size, location on the storage media, flags, and time stamps.

    The Hex Value Interpreter Tab: To convert hexadecimal values, highlight one to eight adjacent bytes of hexadecimal code in the Viewer. A variety of possible interpretations of the selected code are automatically displayed in the Hex Value Interpreter. This feature is most useful if you are familiar with the internal code structure of different file types and know exactly where to look for specific data patterns or time and date information.

    Custom Content Sources: Each time you add an item to be included in a Custom Content image, it is listed here. In the Custom Content Sources Tab you can add, edit, and remove one or all sources, and create the image from here. Click Edit to open the Wild Card Options dialog box.

    Viewer: The Viewer shows the content of the currently selected file, based on the Preview Mode selected: Natural, Text, or Hex. See Preview Modes (page 22) for more information. The content can be scrolled through so you can see the entire file content. In addition, with Hex Mode selected, and the Combo Pane Hex Value Interpreter open, the hex interpretation of text selected in the Viewer pane can be viewed simultaneously.

    You can then choose to image the entire evidence object, or choose specific items to add to a Custom Content (AD1) image. This chapter discusses working with evidence and using FTK Imager to accomplish the creation of forensic images that meet your exact needs.

    Previewing Evidence: Evidence items can be previewed prior to deciding what should be included in an image. Beginning with FTK Imager 3.0, support is included for VXFS, exFAT, and Ext4 file systems.

    WARNING: If the machine running FTK Imager has an active Internet connection and you are using Imager to preview HTML content from the system's cache, there is a potential risk associated with Microsoft Security Bulletin MS09-054. Automatic (Natural) mode renders such content in an embedded Internet Explorer, so a crafted page sitting in the evidence cache is parsed by the examination workstation's own browser engine.

    File Menu: The File menu provides access to all the features you can use from the Toolbar.

    View Menu: The View menu allows you to customize the appearance of FTK Imager, including showing or hiding panes and control bars.

    Mode Menu: Each of the viewing modes is discussed in more detail in Chapter 3. See Preview Modes (page 22).

    Help Menu: The Help menu provides access to the FTK Imager User Guide, and to information about the program version and so forth.

    Toolbar: The Toolbar contains all the tools, functions, or features that can be accessed from the File menu, except Exit. The following table provides basic information on each feature. FTK Imager Toolbar Components (Button / Description): Add Evidence Item; Add All Attached Devices; Image Mounting (opens the Map Image to Drive dialog).

    View Panes: There are several basic view panes in FTK Imager. They are described in this section.

    At the root of the tree are the selected evidence sources. Listed below each source are the folders and files it contains. Click the plus sign next to a source or folder to expand the view to display its sub folders; click the minus sign to collapse it. When you select an object in the Evidence Tree, its contents are displayed in the File List. The properties of the selected object, such as object type, location on the storage media, and size, are displayed in the Properties pane. Any data contained in the selected object is displayed in the Viewer pane.

    File List Pane: The File List pane shows the files and folders contained in whichever item is currently selected in the Evidence Tree. It changes as your selection changes.

    Combination Pane: FTK Imager's lower-left pane has three tabs: Properties, Hex Value Interpreter, and Custom Content Sources. Each is described here.

    Properties: The Properties tab displays a variety of information about the object currently selected in either the Evidence Tree or the File List.

    • Click the first, then Shift-click the last to select a block of contiguous mappings.
    • Click a mapping in the list, then Ctrl-click individual mappings to select multiple non-contiguous mappings.
    • Click and drag to select multiple Mounted Images.
    2. Click Done to close the Mount Image to Drive dialog and return to FTK Imager.

    Both methods are discussed in this section.

    Removing a Single Evidence Item: You can remove evidence items individually, or start over again by removing all evidence at once.
    To remove an evidence item:
    1. In the Evidence Tree, select the evidence item you want to remove.
    The evidence item is removed from the Evidence Tree. When removing all evidence, all evidence items are removed from the Evidence Tree.

    Without FTK Imager, users have had to image their hard drive and then extract the Registry files, or boot their computer from a boot disk and copy the Registry files from the inactive operating system on the drive. FTK Imager provides a much easier solution. It circumvents the Windows operating system and its file locks, thus allowing you to copy the live Registry files.

    Acquiring Protected Registry Files on a Local Machine: You can acquire the Protected Registry Files using FTK Imager running on the machine whose Registry files you need.
    Note: These steps will not acquire Protected Files from a drive image; only from the live system running Imager. See the directions below to acquire Protected Files from a drive image.

    The use of encrypted images is discussed below.

    Detecting EFS Encryption: You can check for encrypted data on a physical drive or an image with FTK Imager. The program scans the evidence and notifies you if encrypted files are located. As illustrated in the figure above, EFS Encrypted files are indicated by a key icon in the Evidence Tree.

    This feature is known as AD Encryption.
    AD Encryption Credentials Options: Certificates use public keys for encryption and corresponding private keys for decryption.

    • To encrypt with a password, mark Password, then type and re-type the password to use.
    • To encrypt with a certificate, mark Certificate, then browse to the certificate to use.

    AFF Encryption: New beginning in FTK Imager 3.0 is the ability to create images using AFF Encryption. When you create an AFF encrypted image, a password is required. If you wish to open that encrypted image later, you will need to supply the password that was used when it was created.

    In addition, drive content and hash lists can be exported. This chapter discusses the available options.

    Creating Forensic Images: FTK Imager allows you to write an image file to a single destination or to simultaneously write multiple image files to multiple destinations using the same source data or drive.

    Imaging Complete Drives or Partitions. Important: The following important information should be reviewed and understood prior to imaging complete drives or complete partitions on drives:
    • When using FTK Imager to create a forensic image of a hard drive, be sure you are using a hardware-based write-blocking device. This ensures that your operating system does not alter the hard drive when you attach it to your imaging computer.
    • When exporting data to an image from an encrypted drive, create the image physically, not logically. A physical image is often required for decrypting full disk encryption.

    2. In the Select Source dialog box, select the source you want to make an image of. Imager will automatically increment the case numbers with each image, and if something interrupts the process, you may assign the case number manually.
    5. Select the drive or browse to the source of the image you want, and then click Finish.
    6. In the Create Image dialog, click Add.
    • Compare the stored hashes of your image content by checking the Verify images after they are created box. If a file doesn't have a hash, this option will generate one.

    AccessData recommends that, wherever possible, users not have an active internet connection while Imager is running.

    Preview Modes: FTK Imager offers three modes for previewing electronic data: Automatic mode, Text mode, and Hex mode. These modes are selectable from the Mode menu, or from the Toolbar, as introduced in Chapter 2. Each is described in more detail here.

    Automatic Mode: Automatic mode automatically chooses the best method for previewing a file's contents, according to the file type. For example:
    • Web pages, Web-related graphics (JPEGs and GIFs), and any other media types for which Internet Explorer plug-ins have been installed are displayed by an embedded version of Internet Explorer in the Viewer.
    • Text files are displayed in the Viewer as ASCII or Unicode characters.
    • File types that cannot be viewed in Internet Explorer are displayed outside of FTK Imager in their native application, provided those applications are installed locally and the appropriate file associations have been configured in Windows. This hands untrusted evidence content to a local application on the examination workstation, so the same caution that applies to previewing cached HTML applies here.
    • File types that cannot be viewed in Internet Explorer and that do not have a known native viewer are displayed by default in Hexadecimal Mode in the Viewer.

    Text Mode: This mode can be useful for viewing text and binary data that is not visible when a file is viewed in its native application.

    Hex Mode: Hex mode allows you to view every byte of data in a file as hexadecimal code. You can use the Hex Value Interpreter to interpret hexadecimal values as decimal integers and possible time and date values.
    Note: Preview modes apply only when displaying file data. The data contained in folders or other non-file objects is always displayed in hexadecimal format.

    These procedures are explained in this section. The Add All Attached Devices function, also known as auto-mount, scans all connected physical and logical devices for media. If no media is present in an attached device such as a CD- or DVD-ROM or a DVD-RW, the device is skipped.
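    The Hex Value Interpreter described above and in the Combination Pane section, as an added example in Python (not code from the manual or from AccessData): given 1 to 8 bytes selected in the Viewer, it produces the kind of candidate readings the pane shows, namely integers of the selection's width in both byte orders and, for 4- and 8-byte selections, the usual timestamp encodings. Which readings the real pane lists is an assumption; the FILETIME and DOS date/time layouts are Microsoft's documented formats, and the sample selections are constructed.

```python
"""Hex Value Interpreter in code.

Added example, not from the FTK Imager manual: for a selection of 1..8 bytes,
produce candidate readings (signed/unsigned integers in both byte orders, and
for 4- and 8-byte selections the common timestamp encodings). Which readings
the real pane shows is an assumption; FILETIME and DOS date/time follow the
documented Microsoft layouts.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME: count of 100-ns intervals since 1601-01-01 UTC.
    Raises OverflowError for values past year 9999 (not plausible timestamps)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dos_datetime(time_word, date_word):
    """FAT directory-entry timestamp: a 16-bit time word (2-second resolution)
    followed by a 16-bit date word (years since 1980). Raises ValueError when
    the bit fields do not form a calendar date."""
    second = (time_word & 0x1F) * 2
    minute = (time_word >> 5) & 0x3F
    hour = time_word >> 11
    day = date_word & 0x1F
    month = (date_word >> 5) & 0x0F
    year = 1980 + (date_word >> 9)
    return datetime(year, month, day, hour, minute, second)


def interpret(selection):
    """Return {label: value} for 1..8 selected bytes, as the pane would list."""
    n = len(selection)
    if not 1 <= n <= 8:
        raise ValueError("select between 1 and 8 bytes")
    bits = 8 * n
    out = {
        f"int{bits} LE": int.from_bytes(selection, "little", signed=True),
        f"int{bits} BE": int.from_bytes(selection, "big", signed=True),
        f"uint{bits} LE": int.from_bytes(selection, "little"),
        f"uint{bits} BE": int.from_bytes(selection, "big"),
    }
    if n == 4:
        out["Unix time LE"] = UNIX_EPOCH + timedelta(seconds=out["uint32 LE"])
        try:
            out["DOS date/time LE"] = dos_datetime(*struct.unpack("<HH", selection))
        except ValueError:
            pass  # not every 32-bit value decodes to a valid date
    if n == 8:
        try:
            out["FILETIME LE"] = filetime_to_datetime(out["uint64 LE"])
        except OverflowError:
            pass  # beyond year 9999: the bytes are not a FILETIME
    return out


if __name__ == "__main__":
    # Constructed selection: the FILETIME of the Unix epoch, little-endian.
    for label, value in interpret(bytes.fromhex("00803ed5deb19d01")).items():
        print(f"{label:18} {value}")
```

    The little-endian readings are the ones that matter on NTFS and FAT evidence; the big-endian ones are listed because the pane is also used on network captures and on file formats that store big-endian fields.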

    Image Mounting: New beginning in version 3.0 of FTK Imager, Image Mounting allows forensic images to be mounted as a drive or physical device, for read-only viewing. This action opens the image as a drive and allows you to browse the content in Windows and other applications. Partitions contained within full disk images, as well as Custom Content Images of AD1 and L01 formats, can be mounted Logically. The differences are explained in this section.
    Note: AD encrypted images can now be mounted as either a drive or a physical device. Other types of encrypted images are not supported for mounting as either a drive or physical device.

    Thus, these images do not have the option of being mounted Physically. However, when you open the "drive" from there, the folders and files contained within the mounted image do display correctly.

    Characteristics of a Physically Mounted Image: When you mount an image physically, while it cannot be viewed by Windows Explorer, it can be viewed outside of Imager using any Windows application that performs Physical Name Querying. A physical disk image can be mounted Physically, and its disk image partition(s) can be mounted Logically.

    Type in the path and filename, or click Browse to populate the Source box with the path and filename of the image to be mounted. After selecting an image, the Mount Type will default to the supported mapping based on the image type selected. Click the drop-down to display other available Mount Types.
    4. Select the Mount Type to use for mounting. If selected, provide path information for the cache file in the Write Cache Folder field. All the related mount information will be displayed in the Mapped Image List. You can continue to mount images as needed, until you run out of evidence to add, or mount points to use. Mounted images remain available until unmounted, or until Imager is closed.
    10. Click Close to return to FTK Imager.

    To unmount multiple mappings:
    1. Choose one of the following:

    List the entire contents of your images with path, creation dates, whether files were deleted, and other metadata. The list is saved in tab-separated value (.TSV) format.
    7. Select the type of image you want to create. Hashes are not generated for CD and DVD images, so they will not be verified either. If you select the Raw (dd) type, be sure to have adequate available drive space for the resulting image.
    7a. If you are creating an AFF image type, choose AFF. The Image Destination Folder dialog box you see will be different than that seen when selecting any other image type.
    7b.
    8. Click Next. Specify Evidence Item Information: all Evidence Item Information is optional, but it is helpful to have the information easily accessible in case it is called into question at any time after creation.
    9. Complete the fields in the Evidence Item Information dialog.
    Note: If the destination folder you select is on a drive that does not have sufficient free space to store the entire image file, FTK Imager prompts for a new destination folder when all available space has been used in the first location.
    14a. To encrypt the new image with AD Encryption, mark the Use AD Encryption box.
    14b. To encrypt the new image with AFF Encryption, mark the Use AFF Encryption box.
    Click Finish. For more information, see Detecting EFS Encryption (page 32).
    16. When AD Encryption is selected, you can choose between encrypting with a password, or encrypting with a certificate. If you use a password, you must type, then retype that password to confirm.
    • Click Show Password to display the password in plain text as you type it the first time, to verify you are typing it correctly.
    • Uncheck Show Password to replace the characters with asterisks.
    16a. When AFF Encryption is selected, type the password, and retype the password to confirm.
    16b.

    Click Show Password to see that you have typed it correctly the first time.
    17. When encryption selections are made, click OK to save selections and return to the Create Image dialog.
    Click it to open the Image Summary window as shown below. The Image Summary also includes the data you entered in the Evidence Item Information dialog.
    22. Click OK to close the Image Summary.
    23. Click OK to return to the Creating Image dialog.
    24. Click Close to exit back to Imager.

    With the Custom Content Image feature, you can select specific files from a live file system or an existing image to make a smaller, more specific image. You can also search an existing image using a wild-card character to create a custom image having only those files that fit your exact criteria. Custom Images serve investigators who must acquire evidence quickly, or who need only particular items of information to create evidence. Images can also be customized to fit on a thumb-drive or other portable media.
    Note: When exporting the contents of a folder to a Custom Content Image (AD1), or Logical Image (AD1), if a file in the folder being exported is locked (in use by another process or program), an error message pops up showing the problem and the name of the file that is in use.

    Select Add to Custom Content Image (AD1). The item is listed in the Custom Content Sources pane.
    Note: The Custom Content Sources pane is dockable; that is, you can move it to any corner of the Imager window, or you can even undock it from the Imager window entirely, and drag it to a second monitor screen.
    3. Continue adding content by repeating this step until you've specified or selected all the evidence you want to add to this Custom Content image. You can change the items in your custom image list. Use the New and Remove buttons to include or exclude items, and the Edit button to open the Wild Card Options dialog.

    It eliminates the need to right-click each node in the evidence tree and select Add to Custom Content Image (AD1) one by one. For example, if you wanted to collect all files ending in .doc that reside in all folders named My Documents, FTK Imager would search all the added evidence for each occurrence of My Documents, and then collect all .doc files under that directory. Unchecking Include Subdirectories causes Imager to find only the files in the root of the My Documents folder.
    4. When all Custom Content Sources have been identified and added, click Create Image.

    All evidence item information is optional, but it is helpful to have the information easily accessible in case it is called into question at any time after creation. For more information, see Step 9 under "Creating Forensic Images" beginning on page 35.
    9f. Choose whether to Filter by File Owner. For more information, see Exporting By SID (page 47).
    10. Click Finish in the Select Image Destination dialog to save these settings and return to the Create Image dialog.
    11. To add another image destination (i.e., a different, additional saved location), click Add and repeat steps 5 through 8.
    12. To change an image destination, select the destination to change and click Edit.
    13. To delete an image destination, select the destination and click Remove.
    14. Mark the additional options as desired:
    • Check Verify Images after they are created to check the image hash signature. This detects whether the content written to the image differs from the hash computed over the source as it was read during acquisition.
    • Check Create directory listings of all files in the image to record the file names and paths of the image contents. This record will be saved in Microsoft Excel format, and often functions as evidence.
    • Check Precalculate Progress Statistics to see approximately how much time and storage space creating the custom image will require before you start, and as the imaging proceeds.
    15. Click Start to begin the export process.
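    The wildcard collection described above (every .doc under every folder named My Documents, with Include Subdirectories on or off) together with the directory listing option, as an added example in Python; this is not the manual's code or AccessData's. The evidence tree is constructed in a temporary directory, the listing columns are an assumption rather than FTK Imager's exact format, and matching is case-insensitive as it would be on a Windows volume.

```python
"""Wild Card Options in code: collect every file matching a pattern under every
folder of a given name, with and without "Include Subdirectories", and emit a
tab-separated directory listing of what was collected.

Added example, not the manual's code. The evidence tree is constructed in a
temporary directory; the listing columns are an assumption, not FTK Imager's
exact format. Matching is case-insensitive, as on Windows volumes.
"""
import fnmatch
import os
import tempfile
from datetime import datetime, timezone


def find_custom_content(root, folder_name, pattern, include_subdirs=True):
    """Relative paths (forward slashes, sorted) of files whose name matches
    `pattern` and that live under a folder named `folder_name`. With
    include_subdirs=False only the folder's immediate files qualify."""
    hits = []
    target = folder_name.lower()
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = [] if rel_dir == os.curdir else rel_dir.lower().split(os.sep)
        if target not in parts:
            continue
        if not include_subdirs and parts[-1] != target:
            continue
        for name in filenames:
            if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def directory_listing(root, rel_paths):
    """Tab-separated listing: path, size in bytes, last-modified time (UTC)."""
    rows = ["Path\tSize\tModified"]
    for rel in rel_paths:
        st = os.stat(os.path.join(root, *rel.split("/")))
        mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
        rows.append(f"{rel}\t{st.st_size}\t{mtime}")
    return "\n".join(rows)


def build_sample_tree():
    """Constructed evidence layout (not real data): two users, one .doc nested
    in a subfolder, one stray .doc outside any My Documents folder."""
    root = tempfile.mkdtemp()
    layout = {
        "Users/alice/My Documents/report.doc": b"alice report",
        "Users/alice/My Documents/archive/old.doc": b"old",
        "Users/alice/My Documents/notes.txt": b"not a doc",
        "Users/bob/My Documents/budget.DOC": b"bob budget",
        "Users/bob/Desktop/stray.doc": b"outside target folder",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    with_subdirs = find_custom_content(root, "My Documents", "*.doc")
    top_only = find_custom_content(root, "My Documents", "*.doc", include_subdirs=False)
    print(directory_listing(root, with_subdirs))
    print("top-level only:", top_only)
```

    Note that the folder-name test walks every ancestor of a file, so a My Documents folder nested anywhere in the tree is found, which is what the manual describes for "each occurrence of My Documents".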

    A progress dialog appears showing the following:
    • The source image file that is being exported
    • The location where the new image is being saved
    • The status of the export process
    • A graphical progress bar
    • The amount of data in MB that has been copied and the total amount to be copied
    • Elapsed time since the export process began
    • Estimated time left until the process is complete
    16. By default, when the image creation is complete, a status box opens to display a window showing the files and the hashes (MD5 and SHA1) of your custom image.
    16a. Click Close when you are done viewing the hash information.
    16b. Click Close again to return to the Creating Image dialog. At this point, the Status window will say Image Created Successfully.
    17. Click Image Summary to open the Image Summary window that displays the Image Creation Log and the Evidence Item Information you entered at the beginning.
    18. Click OK to return to the Creating Image dialog.
    19. Click Close to exit back to Imager.

    Each is discussed below.

    Exporting Forensic Images: Convert an existing image file to a different format by exporting it, and choosing a different image format from the original. Export whole image files to convert them from one format type to another. Export selected contents of a drive or image to create a Custom Content Image (AD1).

    Exporting Files: Exporting or copying files from an evidence item allows you to print, e-mail, salvage files, or organize files as needed, without altering the original evidence.
    Note: This feature comes in handy if your OS fails, but the drive is still operational. Image your drive and export your data, photos, etc.
    The folder's contents are displayed in the File List.
    2. In the File List, select the files you want to export.
    3.
    • Click the first, then Shift-click the last to select a block of contiguous files.
    • Click a file, then Ctrl-click individual files to select multiple non-contiguous files.

    Exporting By SID: Windows assigns unique identifiers to each process, user, machine, and so forth within its system. A security identifier (SID) is unique to the system, and most often applies to users. The Export to Logical Image (AD1) and Add to Custom Content Image (AD1) features now allow the user to select and export files owned by particular SID(s), or add them to the image. This will take you to the same screen you would see if you had directly selected Export Logical Image.
    5. In the Create Image dialog box, click Add to specify an image destination.
    6. Specify Evidence Item Information.
    15. In the Choose File Owners dialog box, mark the names of the Users and their SIDs whose files you want to export.
    15a. If the desired SID does not appear on the list, click Add to manually enter one. Copy and paste the SID from another location, or type it in manually. This allows a user to create an image containing files owned by the SID of a domain account.

    This value can then be used to prove that a copy of a file has not been altered in any way from the original file. It is computationally infeasible for an altered file to generate the same hash number as the original version of that file. The Export File Hash List feature in FTK Imager uses the MD5 and SHA1 hash algorithms to generate hash numbers for files. Note that this holds for altering an existing file to match a recorded hash (a second-preimage attack, still infeasible for both algorithms); it does not hold for an adversary who prepares two different files with the same digest in advance, since collisions are practical for MD5 and have been demonstrated for SHA1. Record both digests and, where the workflow allows, a SHA-256 digest as well.

    To generate and export hash values to a list:
    1. In the Evidence Tree, select the folder that contains the objects you want to hash. The object's contents are displayed in the File List.
    2. In the File List, select the folders or files you want to hash. If you select a folder, all the files contained in the folder and its sub folders are hashed.
    Note: Click the first, then Shift-click the last to select a block of contiguous files.

    Evidence Item Information: When creating or exporting a forensic image, you can enter information and notes about the evidence contained in the image you are creating.
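    Owner-SID filtering and the file hash list, as an added example in Python that is not code from the manual or from AccessData. It decodes the binary SID layout Windows stores in security descriptors (a revision byte, a sub-authority count, a 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities), converts between that and the S-1-5-... text form you would paste into the Choose File Owners dialog, filters a constructed file set by owner, and emits per-file MD5 and SHA1 digests. The owner-to-path mapping and the sample SID values are constructed; on a real volume the owners come from the NTFS security descriptors the imaging tool parses. The "MD5,SHA1,FileNames" header is an assumption about the exported list's format.

```python
"""Owner-SID filtering and an MD5/SHA1 file hash list.

Added example, not from the FTK Imager manual or AccessData. Decodes the binary
SID layout from Windows security descriptors, filters a constructed file set by
owner SID, and emits per-file MD5 and SHA1 digests. The owner mapping and the
sample SIDs are constructed; the CSV header is an assumption.
"""
import hashlib
import os
import struct
import tempfile

ALICE_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"  # constructed value
SYSTEM_SID = "S-1-5-18"                                        # well-known LocalSystem


def sid_to_string(raw):
    """Binary SID -> 'S-1-<authority>-<sub>-<sub>...'."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("not a revision 1 SID")
    count = raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def string_to_sid(text):
    """'S-1-...' -> binary SID (inverse of sid_to_string)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID string")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def is_account_sid(text):
    """True for S-1-5-21-<d1>-<d2>-<d3>-<RID>, the shape of a domain or
    local-machine account SID, as opposed to a well-known SID like S-1-5-18."""
    return text.startswith("S-1-5-21-") and len(text.split("-")) == 8


def hash_list_for_owner(owners, root, owner_sid):
    """CSV rows (MD5,SHA1,FileNames) for every file in `owners` whose owner is
    `owner_sid`. Files are read whole here; stream in chunks for large sets."""
    rows = ["MD5,SHA1,FileNames"]
    for rel, owner in sorted(owners.items()):
        if owner != owner_sid:
            continue
        with open(os.path.join(root, *rel.split("/")), "rb") as fh:
            data = fh.read()
        rows.append("%s,%s,%s" % (hashlib.md5(data).hexdigest(),
                                  hashlib.sha1(data).hexdigest(), rel))
    return rows


def build_sample():
    """Constructed file set with owner SIDs; returns (root, {path: owner})."""
    root = tempfile.mkdtemp()
    files = {
        "Users/alice/secret.txt": (ALICE_SID, b"abc"),
        "Users/alice/todo.txt": (ALICE_SID, b"buy milk"),
        "Windows/System32/config/SAM": (SYSTEM_SID, b"registry hive"),
    }
    owners = {}
    for rel, (sid, data) in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        owners[rel] = sid
    return root, owners


if __name__ == "__main__":
    root, owners = build_sample()
    print("\n".join(hash_list_for_owner(owners, root, ALICE_SID)))
```

    A domain account's SID only appears in the Choose File Owners list when the examination machine can resolve it, which is why the dialog lets you paste one in; the parser above is what you need to turn a raw owner field from a security descriptor into that pasteable string.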
