This file lists the evidence information, details of the drive, check sums, and times the image acquisition started and finished: Created By AccessData® FTK® Imager 2.6.0.49 090505 You can right-click on the drive name to Verify the Image:įTK Imager also creates a log of the acquisition process and places it in the same directory as the image, image-name.txt. Now is a good time to refill that coffee cup! Once the acquisiton is complete, you can view an image summary and the drive will appear in the evidence list in the left hand side of the main FTK Imager window. Click Finish to complete the wizard.Ī progress window will appear. You can also set the maximum fragment size of image split files. Select the Image Destination folder and file name. If you select raw (dd) format, the image meta data will not be stored in the image file itself. If your version of FTK requests evidence information, you can provide it. The dd format will work with more open source tools, but you might want SMART or E01 if you will primarily be working with ASR Expert Witness or EnCase, respectively. The type you choose will usually depend on what tools you plan to use on the image. Check Verify images after they are created so FTK Imager will calculate MD5 and SHA1 hashes of the acquired image. NOTE: FTK Imager does not guarantee data is not written to the drive, so it is important to use a write blocker like the Tableau T35es.Ĭlick Add.
In the interest of a quick demo, I am going to select a 512MB SD card, but you can select any attached drive. The version used for this posting was downloaded directly from the AccessData web site (FTK Imager version 2.6.0).įrom the File menu, select Create a Disk Image and choose the source of your image.
#Image system ram using accessdata ftk imager lite windows
The rest of this article will walk the reader through the process of taking a drive image using AccessData's FTK Imager tool.įTK Imager is a Windows acquisition tool included in various forensics toolkits, such as Helix and the SANS SIFT Workstation. The truth is: there are plenty of good tools that provide a high level of automation and assurance.
I maintained my snobbish attachment to plain old dd for a long time, until I finally got tired of restarting acquisitions, forgetting checksums, and making countless other errors. There are many utilities for acquiring drive images.
0 kommentar(er)
