
Digital Evidence - How to Use FTK for Examining Evidence
What is Digital Evidence?
Digital evidence is any actionable information gathered from an electronic device that can help reveal what happened in a crime. Such evidence is admissible in any court of law. The data is retrieved from computers and other electronic devices. Forensic work involves sealing the crime scene, collecting fingerprints and electronic evidence, and confiscating all related evidence material. The task is simpler if the systems are still operational; acquiring data from a running system is termed Live Acquisition of Data.
What is Cloning?
Cloning is a method of creating a replica of a system drive. Clones are critical in scenarios where duplication has to be performed to retrieve critical data, for example, establishing a backup environment or retrieving data (code, applications, software, utilities) from a failing hardware environment. Cloning happens at lightning speed with precision, which makes cloning technology indispensable in the investigation process. Imaging, by contrast, is similar to taking a snapshot of the relevant information and storing it in a desired format, preferably in spreadsheets. Whichever method is adopted, it is mandatory to adhere to the prescribed standards, steps, and best practices so that the evidence is protected and its integrity preserved. An expert understanding of when and how to use each method allows an examiner to discover the truth while safeguarding the integrity of digital evidence.
The FTK Imager
FTK Imager is a popular forensic imaging and analysis tool used for acquiring and creating forensic images and performing comprehensive analysis of multiple types of digital media. It presents examiners with a user-friendly interface, exhaustive analytical capabilities, compatibility with multiple operating systems, and near pin-pointed evidence. Some of its prominent features are highlighted below.
Forensic Imaging
- Disk Imaging: Investigators can use FTK Imager to create forensic images of hard disks, pen drives, and any other type of storage media. It supports the creation of multiple image formats, including the prominent EnCase® Evidence (E01) format.
- Live RAM Acquisition: This real-time technique allows analysis of volatile memory (RAM) captured from a live system, yielding important data that is not accessible through traditional disk imaging.
Analysis and Examination
- File Analysis: FTK Imager facilitates examination of the files and folders within a forensic image, letting investigators view and extract files, including ones that have been deleted or hidden, and conduct in-depth investigation.
- File Format Support: It supports a wide range of file formats, allowing analysis of different digital artifacts such as documents, images, videos, emails, and system files.
- Metadata Extraction: FTK Imager can extract the metadata linked with files, yielding valuable information such as size, format, date of creation, modification history, timestamps, and user details.
- Keyword Search: Examiners can run keyword searches across the forensic image to identify relevant evidence or pin-pointed information.
Verification and Validation
- Hash Calculation: FTK Imager can be configured to calculate and verify hash values (e.g., MD5, SHA-1, SHA-256) for forensic images, which guarantees integrity and supports chain-of-custody documentation.
- Signature Analysis: This feature analyzes file signature patterns, providing insight into the true type of a file and helping to identify malicious files or suspicious content.
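As an added illustration of what signature analysis does (example code, not FTK Imager's own), the following Python script compares a file's leading bytes with its claimed extension and flags the ones that disagree; the signature table and the sample files are constructed assumptions covering only a few common types.

```python
from typing import Optional

# Leading "magic" bytes of a few common file types (a hand-picked subset).
SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],  # also the container for docx/xlsx/jar
    "exe": [b"MZ"],          # Windows PE executables and DLLs
}

# Extensions that legitimately carry each detected signature.
EXTENSION_ALIASES = {
    "jpeg": {"jpg", "jpeg"},
    "png": {"png"},
    "gif": {"gif"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "exe": {"exe", "dll", "sys"},
}


def identify(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if unknown."""
    for ftype, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ftype
    return None


def check_file(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the type implied by the content."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = identify(data)
    # Unknown content (e.g. plain text) is not flagged; only known types are.
    mismatch = detected is not None and ext not in EXTENSION_ALIASES[detected]
    return {"name": name, "ext": ext, "detected": detected, "mismatch": mismatch}


def scan(files: dict) -> list:
    """Return the names of files whose content does not match their extension."""
    return [n for n, d in files.items() if check_file(n, d)["mismatch"]]


# Constructed sample "files" (headers only) standing in for extracted items.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",  # PE executable renamed to .pdf
    "notes.txt": b"plain text carries no signature",
}
```

Running `scan(SAMPLES)` reports only `invoice.pdf`, the renamed executable; a real tool carries a far larger signature database and also checks trailers and internal structure.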
Why Use FTK Imager?
Here is a list of some of the reasons why FTK Imager has been one of the preferred tools for collecting digital evidence:
- Protects the storage media: It protects the storage media by preserving evidence in a forensically tamper-proof manner. Stored images can be analyzed even after a period of time, so key evidence can be re-examined in future to support the investigation.
- Versatility and simplicity of use: FTK Imager's user-friendly interface makes it accessible to both seasoned forensic professionals and those new to the field. Its compatibility with different operating systems allows seamless integration into existing forensic workflows.
- Efficient Data Analysis: The analytical capabilities of FTK Imager let investigators check files, extract metadata, and perform keyword searches efficiently, which streamlines the discovery of crucial evidence.
- RAM Analysis: The RAM acquisition functionality lets investigators record volatile memory data, which can expose important details such as running processes, open network connections, and encryption keys; this examination is critical for reporting system activity and identifying potential threats.
FTK Imager's robust imaging capabilities, comprehensive analysis features, and ease of use make it a go-to solution for acquiring, examining, and validating digital evidence. Whether acquiring forensic images, analyzing files, extracting metadata, or investigating volatile memory, FTK Imager provides investigators with the tools needed to uncover vital evidence and support the forensic investigation process.
Disk Cloning
Cloning is similar to creating a mirror image, where every item, including empty space, is copied. When a PC is cloned, the entire disk is copied, including the OS, software, applications, and files, with no intelligence about what to copy.
- Exact Copy: Disk cloning produces an indistinguishable copy of the source device, replicating empty space and hidden partitions as well.
- Quick Duplication: Cloning is considered faster than imaging, since there is no need to create a separate image file; it is simply a sector-by-sector copy.
Creation of Forensic Disk Image with FTK Imager
Here are the steps for creating a disk image.
Download and Install FTK Imager
- Ensure that you install the latest version available, and record the version and vendor details. In digital forensics and incident response (DFIR), this helps in any review or post-incident analysis. Also include in the report the details of all utilities and configurations, and the versions that were used.
- Always configure auto-update for the applications and software; this is one of the criteria for maintaining the integrity, confidentiality, and trustworthiness of the process. It is highly recommended to use two dedicated computers for FTK Imager, considering the importance of the data.
- Download the latest version from the official website. After downloading, install and configure it, completing every step where details are required; otherwise the installation will not go through.
Launch FTK Imager
After installation, launch FTK Imager by clicking on the application icon.
- In the "File" menu, choose "Create Disk Image."
- Choose the appropriate source device from the list of drives.
- Configure the image destination:
  - Select a location and enter a name for the output image file.
  - Choose the appropriate image format, for example, E01 or DD.
- Configure imaging options such as compression, verification, and hash algorithm as required.
Start Imaging
- Click the "Start" button to commence imaging.
- The image of the source device is created.
Verification and Validation
- After imaging is done, an affirmative message appears on the console.
- Use FTK Imager to verify the integrity of the image by comparing its hash values against those recorded at acquisition.
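As an added example (not FTK Imager's own code), the verification step above can be reproduced for a raw DD image with a short Python script: it streams the image through MD5, SHA-1 and SHA-256 in a single pass, compares the results with the hashes recorded at acquisition, and shows that flipping a single bit fails the check. The temporary sample image, its path and the expected-hash dictionary are constructed assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for multi-GB images


def hash_image(path: str, algorithms=("md5", "sha1", "sha256")) -> dict:
    """Read the image once, feeding every chunk to each hash algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path: str, expected: dict) -> dict:
    """Return {algorithm: matched} for each hash recorded at acquisition."""
    actual = hash_image(path, tuple(expected))
    return {name: actual[name] == expected[name].lower() for name in expected}


def make_sample_image(size: int = CHUNK + 17) -> str:
    """Write a constructed stand-in for a DD image and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write((b"sample-sector-data" * (size // 18 + 1))[:size])
    return path


def tamper(path: str, offset: int = 4096) -> None:
    """Flip one bit in place, simulating an unnoticed write to the image."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0x01]))


def demo() -> tuple:
    """Return (verified before tampering, verified after tampering)."""
    path = make_sample_image()
    try:
        recorded = hash_image(path)  # the hashes FTK Imager would record
        before = all(verify_image(path, recorded).values())
        tamper(path)
        after = all(verify_image(path, recorded).values())
    finally:
        os.remove(path)
    return before, after
```

Calling `demo()` returns `(True, False)`: the untouched image verifies and the altered one does not, which is exactly the property the recorded hashes give the chain of custody.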