FTK Imager
Purpose: To introduce some of the FTK Imager features which include some of the core
functions related to acquiring case evidence.
Application location: Virtual Computing Lab
Preparation: Review user guide and lab video/slides (on Blackboard)
Evidence file: Washer.E01 file (located in \\144.175.196.12\Forensic Data\Washer.E01)
Questions to answer:
- Who was the examiner for this drive and what software was used to acquire this image?
- How many sectors are on this drive?
- What is the volume serial number for the WASHER volume?
- When was the [root] directory created? Provide the full timestamp.
- What is the file system and operating system of Partition 1?
- What is the purpose of the pagefile.sys file?
- What is the starting cluster for the pagefile.sys file?
- What is the Master File Table (MFT)? Why is it important?
- What is the MFT record number of the MFT?
- What is the MFT record number for the WINDOWS directory?
- Convert Washer.E01 into the AFF format. Password protect the image with the
password “password123”. Save it on the desktop and call it <lastname>Washer. Put
your last name in place of <lastname>. Insert a picture of the new file(s) using the
Snipping Tool.
- Load the new image into FTK Imager to verify that the password is set. Insert a picture
of the window asking for the password using the Snipping Tool.
- Mount the Washer.E01 image. Attach a picture of the hard disk drives connected to
the computer showing the mounted image. Unmount the image.