
Viewing Content of Forensic Image Using AccessData FTK Imager Tool


Lab: Viewing Content of Forensic Image Using AccessData FTK Imager Tool

Lab Objective:

All system-related data is stored on the system's hard disk. When an incident occurs, the system may have been shut down, and switching it on would change the evidence present on it. Even if the system is on, investigators should not apply forensic techniques to it directly, as doing so may tamper with the evidence and render it useless at trial. Therefore, an investigator should always create a duplicate of the storage, and this lab will help you to create an image of the file you need to investigate. The objective of this lab is to help students learn how to use AccessData FTK Imager for creating forensic images.

Lab Description:

FTK® Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as AccessData® Forensic Toolkit® (FTK) is warranted.

Lab Scenario:

As part of an investigation into an information theft case, the senior investigator Alex has decided to scan all the systems using the AccessData FTK Imager tool to find out whether the deleted files on the systems contain any desired information. The tool has not only saved the investigator's time but also spared the hectic process of recovering every deleted file from the system. To be an expert forensic investigator, you must understand how to analyze file systems and collect the data from those file systems.

Lab Task:

  • Log on to your Windows 10 Virtual Machine.
  • Navigate to https://accessdata.com/product-download/ftk-imager-version-4-5 and download the latest version of FTK Imager.
  • Double-click AccessData_FTK_Imager.exe to launch the setup, and follow the wizard-driven installation instructions.
  • The system will launch AccessData FTK Imager automatically after installation. The AccessData FTK Imager main window appears.
  • Click File -> Add Evidence Item to add evidence, or click the Add Evidence Item button on the toolbar.
  • Select the Image File option from the Select Source wizard and then click Next.
  • Click the Browse button to specify the path of the image file you created in the previous two hands-on assignments, and then click Finish.
  • The evidence appears in a tree.
  • Select any file or folder from the Evidence Tree to view the file list in the Right pane under File List.
  • To view the Hex value of that particular file, select the file from the File List and click the Hex icon on the toolbar.
  • The hex values of the selected file are displayed in the bottom-right pane.
  • Click the Properties tab in the lower-left pane to view properties of the selected file such as file class, size, date, start cluster, etc.
  • Click the Hex Value Interpreter tab in the lower-left pane to view interpretations of the selected file's bytes such as signed integer, DOS date, etc.
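
To cross-check what the Hex Value Interpreter shows for a selection, the Python sketch below decodes the same bytes by hand. It is an added example, not part of the original lab and not AccessData code; the function names and sample bytes are constructed for illustration, and the FILETIME reading goes beyond the signed integer and DOS date interpretations the step names.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def signed_int(sel, width):
    """Little-endian signed integer from the first `width` bytes; None if too short."""
    if len(sel) < width:
        return None
    return int.from_bytes(sel[:width], "little", signed=True)

def dos_datetime(sel):
    """FAT-style stamp: 16-bit time word, then 16-bit date word (local time, 2 s steps)."""
    if len(sel) < 4:
        return None
    time_word, date_word = struct.unpack("<HH", sel[:4])
    try:
        return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F,
                        date_word & 0x1F, time_word >> 11,
                        (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)
    except ValueError:  # e.g. month 0 or seconds 60+: the bytes are not a DOS stamp
        return None

def filetime(sel):
    """Windows FILETIME: 64-bit count of 100 ns ticks since 1601-01-01 UTC."""
    if len(sel) < 8:
        return None
    ticks = int.from_bytes(sel[:8], "little")
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:  # beyond year 9999: not a plausible timestamp
        return None

def interpret(sel):
    """Every reading of the selected bytes; None where a reading does not apply."""
    out = {f"int{w * 8}": signed_int(sel, w) for w in (1, 2, 4, 8)}
    out["dos_datetime"] = dos_datetime(sel)
    out["filetime_utc"] = filetime(sel)
    return out

if __name__ == "__main__":
    # Constructed sample: DOS time word 0x73C5 + date word 0x526F, as stored on disk.
    sample = bytes.fromhex("c5736f52")
    for name, value in interpret(sample).items():
        print(f"{name:>13}: {value}")
```

A decoded value that does not match the timestamp shown in the Properties tab usually means the selection starts at the wrong offset or the field uses a different encoding.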
