Using FTK, the Forensic Toolkit, to investigate computer crimes
How to install it, how it works, and how to create an FTK Imager disk image. Use FTK, the Forensic Toolkit, to conduct information security incident investigations.
Computer technologies are the object of many crimes or play the role of an accomplice in them. Phishing, identity theft, electronic financial fraud, ransomware attacks, online defamatory material, and money laundering are just a few examples. Computer forensics specialists deal with these crimes. They search for and collect traces of digital artifacts, which can then be used as evidence in court. Computer forensics tools are one way to achieve these goals.
While the scenarios differ from one incident to another, the basic steps of an investigation are the same for each: searching for, collecting, analyzing, and documenting digital evidence in the form of a report. To ensure the adequacy of the evidence, it is necessary to use globally recognized computer forensic tools. FTK Imager is one such forensic tool, used to collect data and analyze evidence. In this article, we provide a detailed description of FTK Imager, explaining its installation and the main workflows of the tool.
How to install FTK Imager
FTK Imager is a product of AccessData and can be downloaded from its official website. To download the distribution, AccessData requires a valid email address, to which it sends the download link. For now, it’s worth using a VPN to access the download section. After downloading the exe file, run it to start the installation wizard and wait for the installation to complete.
FTK Imager Interface Overview
Once FTK Imager is installed, open it from the Start menu, the Programs list, or the desktop shortcut created during installation. The tool has two sections. The left section (Evidence Tree) shows all possible artifact data.
The section on the right (File List) provides more detailed information about each file selected in the Evidence Tree section. The top menu bar shows all the tool options used to extract and analyze data.
How does FTK Imager work?
FTK Imager can be used to perform a variety of computer forensic tasks, such as creating a disk image, capturing the contents of operating system memory, mounting an image, or recovering protected system data such as user credential (SAM) files.
How to create an FTK disk image?
Creating an image of potential evidence is the most important task in digital forensics. The image is created to duplicate the evidence and preserve the original. It is important to note here that forensic analysis is performed on duplicates (images) and not on original evidence. This is necessary to ensure the integrity and availability of original evidence when needed. We can create a live disk image using the File > Create Disk Image option.
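The rule that analysis is done on a duplicate is normally backed by cryptographic hashes recorded at acquisition and re-checked before and after analysis. The following is an added example, not code from this article or from FTK Imager; it assumes a raw (dd-style) image whose bytes equal the source, and the file names and sample data are constructed.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit in RAM


def hash_file(path, algorithms=("sha1", "sha256")):
    """Return {algorithm: hexdigest} for the file, computed in a single pass."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:  # read-only: evidence is never opened for writing
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def verify_image(image_path, recorded):
    """Compare current hashes with those recorded at acquisition time.

    Returns the algorithms whose digest no longer matches; an empty list
    means the working copy is still bit-identical to what was acquired.
    """
    current = hash_file(image_path, tuple(recorded))
    return [name for name, value in recorded.items() if current[name] != value]


def demo():
    """Constructed walk-through: throwaway files stand in for disk and image."""
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "source.bin")  # stands in for the original
        image = os.path.join(workdir, "image.dd")     # stands in for the duplicate
        with open(source, "wb") as fh:
            fh.write(b"constructed sample evidence\n" * 4096)
        recorded = hash_file(source)                  # hashes noted at acquisition
        shutil.copyfile(source, image)                # the duplicate to be analysed
        before = verify_image(image, recorded)        # copy matches the original
        with open(image, "r+b") as fh:                # simulate an accidental change
            fh.seek(10)
            fh.write(b"X")
        after = verify_image(image, recorded)         # both digests now differ
        return before, after
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

A non-empty result from `verify_image` means the working copy can no longer be tied to the original, and a fresh duplicate should be made from the preserved evidence.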