Examination and Reporting Activity

Examinationand Reporting Activity

Useof FTK Imager in

FTKimager refers to the tool used in data preview and imaging to allowthe user examine the folders or files on local hard drives, CDs/DVDs,network drives as well as review content of the forensic images orthe memory dumps. Use of the FTK imager can also enhance generationof the MD5 and SHA1 hashes for the files, review and recover deletedfiles as export the files of folders from the forensic images to thedisk. This is possible especially if the data blocks were notoverwritten.

Thedata about a person can be accessed through file recovery for deletedfiles or through use of the ‘Find’ option.

Recoveryof Deleted Files

Amongthe many roles of forensic expert is file recovery. Through filerecovery, it is very possible to examine the records deleted by theusers or by the system. He FTK imager possesses the capability ofrecovering the entries unavailable in the archive system.Recentstudies indicate that most of the forensic experts use FTK imager toget digital evidence. Therefore, this paper presents a case study incapacity of a forensic expert reporting on the documents found in ‘MyDocuments Folder’.

Inthis case, the FTK imager can be used by the to tap, process andexamine large volumes of data in ‘My documents Folder’ or anyother storage area while at the same time removing superfluousrubbish. Through use of FTK, there is high likelihood of encounteringa user who has saved all the passwords in a text file in a way thatonly a forensic expert can detect. If the user of a machine had notwritten down the passwords, then the forensic can easily guess thepassword and recover any secret information about the user.

Thefirst process to access any personal information involves opening thephysical drive. This way, the contents of the physical drive aredisplayed in Evidence Tree Diagram. Clicking the root of the filesystem and other files displays the contents in a Viewer Pane.

Clickingon the Viewer Pane and pressing Ctrl + F keys opens up a findfunction. From here, the forensic expert can access any kind of datafile or picture as shown below.

Withina very short time, the FTK Imager performs the searches and gives theresults. For instance, in this evaluation, the file name returnedafter the search was IMG00264_20100109-1450.jpg which presents a JPEGfile that has a lot of information. Each of the MFT record contains arecord header and the File0 magic marker. The forensic expert cancarefully consider the options as displayed by the magic marker usingthe lines above it.

Anybyte offset 80 above magic market reflects the file creation timethat is 8 bytes long. To get the byte offset 80, the CTRL option canbe used with ‘G’ from the current position. This implies thatthe forensic expert can easily access the deleted files and accessits content. As such, any information or data by the user of themachine/computer that may have been illegal but is accessed can begotten. Also, the recovery of information reflects the type of theperson that one is. For instance, there are some individuals whoaccess information and since they do not want to be known theyaccesses such information, there is high likelihood that they’lldelete. On the other hand, people may delete sensitive data toprevent accessibility by other people. Such persons are most likelyto delete information or data as they get it.

Findingthe Files

Wheneverthe FTK imager is launched, by using the File &gt Add EvidenceItem…then the forensic expert can easily access any information byloading any piece of evidence for review.

TheMaster File Table, MFT is among the most critical NTFS file system asit helps in keeping the records of all files in a large volume on aphysical location on drive and the file metadata. Among the mostcrucial tasks of the forensic experts is making those file metadataand artifacts visible. The MFT is normally used as the database tokeep track of the files and investigate data with the aim of getdetailed data about the files.

Apartfrom finding the files, the Forensic Experts can easily create copiesfor the digital media. In any forensic investigation, the experts arenot allowed to tamper with the original data/information that can beused as evidence. The FTK manager is used to create duplicates thedigital evidence. This is an indication that the digital forensicexperts can easily use the FKT imager to get access to almost everydata in the computer. In most cases, the data possessed by a personreflects the characters of that person hence easy to tell the kindof person that one is.

Often,when performing the analysis, EXIF data or metadata that isassociated with the files is as critical as the content of the files.The metadata presents the analysts with the embedded created datesfor the files analyzed, camera models for pictures, extendedattributes and Ms Word data amongst others. Other files of particularimportance in FTK Imager include the PLIST files, Mac OS file, DMGfiles and SQLite. Also, the access data files have been critical inincorporating the native viewing capabilities when viewing the data


Jason, M. (2008). NTFS Forensics. A Programmer`s View of the Raw Filesystem Data Extraction. Grayscale Research.

John, R. (2013). Computer and Information Security Handbook. Elsevier.