
Evidence Acquisition: Lab: Disk Imaging

A forensic image is an exact bit-by-bit copy of a hard drive that can be created using various forensic imaging tools. These tools copy all data, including deleted files, to capture everything stored on the drive. The document then focuses on using Access Data's FTK Imager, a free forensic imaging software. It provides step-by-step instructions for creating a disk image with FTK Imager, including selecting the drive to image, destination path, file format, and other case details. Once complete, the image file is saved and can be verified to contain an exact duplicate of the original drive's contents.

Uploaded by

alex lim

AICT006-4-2-DSF Digital Security and Forensics Introduction to Forensics

Lab: Disk Imaging

Evidence Acquisition

What is a Forensic Image?

A forensic image is an exact copy of a hard drive. The image is created with one of various
third-party tools, which capture the hard drive bit by bit without changing even a shred of
data. Forensic software copies the data by creating a bitstream, which is an exact
duplicate. The best thing about creating a forensic image is that it also copies deleted data,
including files that are left behind in swap and free space. Many tools, both open-source
and proprietary, are available for acquiring drive images, such as:

• AccessData FTK Imager
• EnCase Imager
• Forensic Imager
• Belkasoft Acquisition Tool

FTK Imager

The Forensic Toolkit Imager (FTK Imager) is a forensic imaging software package
distributed by AccessData. FTK Imager, available for free from AccessData, can be used to
capture a live memory dump and the page file (pagefile.sys), which Windows uses as virtual
memory storage, or to capture static memory such as a hard disk.

1- Download FTK Imager from the link below:
   https://accessdata.com/product-download/ftk-imager-version-3.4.3
2- Fill in the registration form.
3- The download link will be sent to your email address.
4- Install FTK Imager on your system.

Diploma Asia Pacific University of Technology & Innovation Page 1 of 1



Evidence Acquisition using AccessData FTK Imager

FTK Imager can create a disk image and capture the paging file on Windows, and it can also
capture volatile memory for analysis.

1. To create an image, go to the File button and, from the drop-down menu, select the Create Disk
Image option.

2. After you select Create Disk Image, it will ask for the evidence type, i.e. physical drive,
logical drive, etc. Once you have selected the evidence type, press the Next button to
move further in the process.


3. Now it will ask for the drive you want to image. Select that drive and click the
Finish button.

4. Next, we need to provide the image destination, i.e. where we want the image to be saved.
To give the path for the destination, click the Add button.


5. Then select the type you want your image to be, i.e. raw, E01, etc. Then click the Next button.

6. It will then ask you to provide details for the image, such as case number, evidence number,
unique description, examiner, and notes about the evidence or investigation. Click the Next button
after providing all the details.


7. After this, it will ask for the destination folder, i.e. where you want your image to be saved,
along with its name and fragment size. Once you have filled in all the details, click the Finish button.

8. The process of creating the image will now start, and it will simultaneously inform you about
the elapsed time, estimated time left, image source, destination and status.


9. Once the progress bar completes and the status shows "Image created successfully", our
forensic image has been created successfully.

10. After the image has been created, you can go to the destination folder and verify the image,
as shown in the picture below:
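
One way to carry out the verification in step 10 outside the GUI, as an added example that is not part of the original lab sheet: it streams a raw image that was split by the fragment size from step 7 through MD5 and SHA-1 as one continuous bitstream and compares the result with the hash of the source. The segment naming (`name.001`, `name.002`, ...), the function names and the sample data are assumptions made for this example.

```python
import hashlib
import os
import re
import tempfile

def find_segments(first_segment):
    """Return name.001, name.002, ... in numeric order (assumed naming)."""
    folder, name = os.path.split(os.path.abspath(first_segment))
    pattern = re.compile(re.escape(os.path.splitext(name)[0]) + r"\.(\d{3,})$")
    found = []
    for entry in os.listdir(folder):
        m = pattern.match(entry)
        if m:
            found.append((int(m.group(1)), os.path.join(folder, entry)))
    found.sort()  # numeric sort, so .1000 follows .999 correctly
    numbers = [n for n, _ in found]
    if numbers != list(range(1, len(numbers) + 1)):
        raise ValueError("missing or unexpected segment numbers: %s" % numbers)
    return [path for _, path in found]

def hash_image(first_segment, chunk=1 << 20):
    """Hash all segments as a single image without loading it into memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in find_segments(first_segment):
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                md5.update(block)
                sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def write_segments(data, folder, stem, fragment_size):
    """Constructed helper: split bytes into fragments like a segmented raw image."""
    for i in range(0, len(data), fragment_size):
        n = i // fragment_size + 1
        with open(os.path.join(folder, "%s.%03d" % (stem, n)), "wb") as fh:
            fh.write(data[i:i + fragment_size])
    return os.path.join(folder, stem + ".001")

def demo():
    source = bytes(range(256)) * 40  # constructed stand-in for the source drive
    expected = (hashlib.md5(source).hexdigest(), hashlib.sha1(source).hexdigest())
    with tempfile.TemporaryDirectory() as folder:
        first = write_segments(source, folder, "evidence", 4096)
        intact = hash_image(first) == expected   # untouched copy matches
        with open(first, "r+b") as fh:           # change a single byte of the copy
            fh.write(b"\xff")
        altered = hash_image(first) == expected  # mismatch exposes the change
    return intact, altered
```

Calling `hash_image` on the first segment of a real image and comparing the result with the hashes recorded at acquisition time gives the same check; a missing segment raises an error instead of producing a misleading hash.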
