FTKImagerUG Imager 2.9.0 User Guide
2014-07-03
Page Count: 52
- AccessData FTK Imager
- Table of Contents
- Chapter 1 Introduction and Installation of FTK Imager
- FTK Imager
- Installing FTK Imager
- Installing Locally
- 1. Browse to the FTK Imager setup file, either from an installation disc, or from the saved file downloaded from http://www.accessdata.com/downloads.html.
- 2. Under Utilities, look for FTK Imager. Click Download to download the latest released version.
- 3. Click Save File.
- 4. Browse to the location where you wish to save the install file, and click Save.
- 5. When the download is complete, browse to the location where it was saved.
- 6. Execute the setup file by double-clicking it.
- 7. Click Run.
- 8. Click Next to continue the installation.
- 9. Read and accept the License Agreement, then click Next.
- 10. Accept the default installation location, or browse to a different location, then click Next.
- 11. Mark Run the FTK Imager box to force Imager to run immediately after the install is complete.
- 12. Click Finish to complete the installation and close the wizard.
- Installing to a portable device
- Running FTK Imager
- Chapter 2 Using FTK Imager
- FTK Imager Interface
- Previewing Evidence
- Adding Evidence Items
- Removing An Evidence Item
- 1. In the Evidence Tree, select the evidence item you want to remove.
- 2. Click File > Remove Evidence Item,
- Removing All Evidence Items
- Obtaining Protected Registry Files
- Accessing Protected Registry Files on a local machine
- 1. Launch FTK Imager.
- 2. Click File > Obtain Protected Files,
- 3. Designate a destination directory and specify file options.
- 4. Select the option that suits your needs:
- 5. Click OK.
- 6. Add the files to the case.
- 7. To open the Registry files, click File, and then Registry Viewer, or right-click a Registry file in the file list, and then select Registry Viewer.
- Accessing Registry files from a drive image
- Detecting EFS Encryption
- AD Encryption
- Export By SID
- Figure 2-3 Select Image Destination
- Figure 2-4
- Creating Forensic Images
- 1. Click File > Create Disk Image,
- 2. Select the source you want to make an image of and click Next.
- 3. Select the drive or browse to the source of the image you want, and then click Finish.
- 4. In the Create Image dialog, click Add.
- 5. Select the type of image you want to create, then click Next.
- 6. In the Image Destination Folder field, type the location path where you want to save the image file, or click Browse to find and select the desired location.
- 7. In the Image Filename field, specify a name for the image file but do not specify a file extension.
- 8. In the Image Fragment Size field, specify the maximum size in MB for each fragment of the image file.
- 9. To encrypt the new image with AD Encryption, mark the Use AD Encryption box. For more information, see “AD Encryption” on page 16.
- 10. To add another image destination (i.e., a different saved location or image file type), click Add, and repeat steps 5-10.
- 11. Click Start to begin the imaging process. A progress dialog appears that shows the following:
- 12. After the images are successfully created, click Image Summary to view detailed file information, including MD5 and SHA1 checksums
- 13. When finished, click Close.
- Creating Custom Content Images
- 1. Add a drive or folder to Imager as an evidence item, and review the contents for the information you want to add to a custom image.
- 2. Click File > Add to Custom Content Image,
- 3. Continue adding content by repeating this step until you’ve specified or selected all the evidence you want to add to this Custom Content image.
- TABLE 2-2 Wild Card Naming Examples
- 4. When all Custom Content Sources have been identified and added, click Create Image. The Create Image dialog opens and allows you to specify options for this AD1 image
- 5. Click Add to specify the location for the saved image file.
- 6. Enter optional Evidence Item Information such as Case Number, Evidence Number, Unique Description, Examiner, and Notes.
- 7. Click Next to continue.
- 8. The Select Image Destination dialog opens.
- 9. Specify or click Browse to locate the destination folder for the new image.
- 10. Specify a filename for the new image, with no extension.
- 11. Specify the fragment size for the image. Default is 1500 MB. To save image segments that can be burned to a CD, specify 650 MB. To save image segments that can be burned to a DVD, specify 4GB. RAW and E01 format images can be set to 0 to produce ...
- 12. Select the compression level to use. Selecting 0 (zero) produces the largest file, with no compression. Selecting 9 (nine) produces the smallest file with the greatest compression, however it is the slowest image to produce. Compression level 1 (...
- 13. Choose whether to Use AD Encryption. For more information, see Step 9 under “Creating Forensic Images” on page 18.
- 14. Choose whether to Filter by File Owner. For more information, see “Export By SID” on page 17.
- 15. Click Start when you are ready to create the custom image, or Cancel to abandon the process.
- Exporting Forensic Images
- Exporting Files
- 1. In the Evidence Tree, select the folder that contains the files you want to export. The folder’s contents are displayed in the File List.
- 2. In the File List, select the files you want to export.
- 3. Click File > Export Files,
- 4. In the Browse for Folder dialog, browse to the location where you want to save the exported files.
- 5. Click OK. The files are copied to the specified location.
- Exporting File Hash Lists
- 1. In the Evidence Tree, select the folder that contains the objects you want to hash. The object’s contents are displayed in the File List.
- 2. In the File List, select the folders or files you want to hash. If you select a folder, all the files contained in the folder and its subfolders are hashed.
- 3. Click File > Export File Hash List,
- 4. In the Save As dialog, type a name for the file hash list in the File Name field.
- 5. Click Save.
- Evidence Item Information
- 1. In the Evidence Tree, select the content you want to export as a logical image.
- 2. Click File > Export AD1 Logical Image.
- 3. In the Create Image dialog, click Add.
- 4. In the Image Destination Folder field, type the path and filename for the new image file,
- 5. In the Image Filename field, specify a name for the new image file, but do not specify an extension.
- 6. In the Image Fragment Size field, specify the maximum size in MB for each fragment of the new image file. Image Fragment Size has no maximum size limit, except available drive space.
- 7. Click Finish to return to the Create Image dialog.
- 8. Click Add to specify a destination for your custom image.
- 9. Click Start to begin the export process. A progress dialog appears that shows the following:
- 10. When the Status field reads “Image created successfully,” you can choose to do the following:
- Exporting Directory Listings
- Verifying Drives and Images
- Importing Sets of Files
- 1. List the files and folders to include with the Create Custom Content Image dialog.
- 2. Click Export to save the folders and files to a drive.
- 3. Start an image on a new device.
- 4. Open the Create Custom Content Image dialog, and click Import.
- 5. Navigate to the folders and files you exported.
- 6. Select the files you want to include in the new image, then click Add.
- 7. On the Create Custom Content Image dialog, click Create Image.
- Chapter 3 Using a Logicube Device
- Integrating a Logicube Forensic MD5
- 1. Connect the Logicube Forensic MD5 to your computer’s parallel port and turn on the device.
- 2. Start FTK Imager. The Tools menu opens only if the Logicube Forensic MD5 is connected to your computer and turned on before you start FTK Imager.
- 3. From the menu, select Tools, and then Logicube Forensic MD5.
- 4. In the Logicube MD5 dialog, you can perform the following functions:
- 5. To exit the Logicube MD5 dialog, click OK.
- Creating an Image File with the Logicube Forensic MD5
- 1. In the Logicube MD5 dialog, click Image Source Drive. The Image Parameters dialog appears.
- 2. In the File Size drop-down list, select the maximum size for each fragment of the image file.
- 3. In the Filename field, type a name for the image file, but do not specify a file extension. Filenames must be eight characters or fewer, and alphanumeric characters only.
- 4. From the Verify Mode drop-down list, select the type of data checking you want to use.
- 5. From the Speed drop-down list, select the data transfer speed.
- 6. Click OK to begin the imaging process. Progress information is displayed in the Image Parameters dialog and includes the following:
- Formatting the Logicube Forensic MD5 Internal Hard Drive
- Using the Logicube Forensic MD5 Internal Drive as a USB Drive
- 1. In the Logicube MD5 dialog, click USB Internal Drive. The Logicube Forensic MD5 switches to USB mode.
- 2. Connect the USB cable from the Logicube Forensic MD5’s dock to your USB port. Windows assigns a drive letter to the Forensic MD5’s internal drive, allowing you to access it as a logical drive.
- 3. When finished, use Windows' Safely Remove Hardware feature to disconnect the drive.
- 4. In the FTK Imager dialog, click OK to switch the Logicube Forensic MD5 out of USB mode.
- Accessing the Logicube Forensic MD5 Compact Flash Drive as a USB Drive
- 1. In the Logicube MD5 dialog, click USB Compact Flash. The Logicube Forensic MD5 switches to USB mode.
- 2. Connect the USB cable from the Logicube Forensic MD5’s dock to your USB port. Windows assigns a drive letter to the Forensic MD5’s compact flash drive, allowing you to access it as a logical drive.
- 3. When finished, use Windows' Safely Remove Hardware feature to disconnect the drive.
- 4. In the FTK Imager dialog, click OK to switch the Logicube Forensic MD5 out of USB mode.
- Viewing the Logicube Forensic MD5 Hardware Information
- Chapter 4 Using a Fernico Device
- Integrating a Fernico FAR System
- Accessing the Fernico FAR System from Imager
- 1. Select the Fernico Device (multiple CD/DVD), and then click Next. The Fernico Device dialog opens.
- 2. In the Num of Discs field, type the number of discs loaded into the device.
- 3. In the Num of Copies field, type the number of copies to be placed on the discs.
- 4. The Fernico device will image all subfolders by default. Select the No radio button if you don’t want subfolders imaged.
- 5. Type a destination for the image in the Image Folder Path field, or use the Browse button.
- 6. Type a name for the image folder in the Image File Folder Name field.
- 7. Click Finish. A DOS window will open showing the imaging progress.
- Appendix A Recognized Image Formats