SecureState Blog


A breakdown of your options on our favorite drive imaging tool

Begin blog: 16:10 EST, Restarting Windows Server 2012

For whatever reason, I always managed to click the wrong option when I was asked to do something in FTK Imager at my college internship. Somehow the person I was working under did not completely give up on me, but it did inspire me to write a quick rundown of your options when you are trying to get started with something in the program.

Which one you actually need depends on what you are doing, but the three options we will cover today are:

1. Loading in an evidence item
2. Mounting an image
3. Creating an image

Adding an evidence item

[Screenshot: Evidence Item]

If you have something (a drive, an image, etc.) that you would like to analyze in some way with Imager, this is the option to choose. I used to always get it mixed up with image mounting for some reason. In any case, once you pick it, the prompt that follows should explain itself.

[Screenshot: Add Item prompt]

From here you choose whatever it is you are trying to look at with Imager.

Mounting an image

[Screenshot: Image Mounting]

Somehow I used to get this one mixed up with loading in images – my supervisor would ask me to pull something up to look at and I would instinctively try to mount the image instead. In any case, this is what you want when your goal is to mount an image of a drive so that it appears to the system as if it were a drive. You can then choose physical mounting, logical mounting, or both. After selecting the option you see this:

[Screenshot: Image Mount]


Create Disk Image

[Screenshot: Create Disk Image]

This one was harder for me to mistake, but I wanted to include it because it is one of the three options I use most in Imager. This is our go-to option for taking an image of a hard drive when we are doing dead-drive analysis: connect the drive through your favorite write blocker (do not tell the other ones which is my favorite) and start here.

[Screenshot: Imager Imaging]

We almost always go with physical drive images, but that is for another blog!


Conclusion

End blog: 16:40 EST. Winner: Windows.

I probably should not have stopped for a snack when I was racing a machine.