Next week, we will begin to discuss how to use FTK Imager to preview files, create forensic images, recover deleted files and use hash values to validate your image. Look for the link for FTK Imager in “Current Releases” (it’s currently the seventh item on the list) and open the folder and select the current version of FTK Imager (currently v3.1.2, released on 12/13/12). To download FTK Imager, you can go to the AccessData Product Downloads page here. You can also provide Case Number, Evidence Number, Unique Description, Examiner, and any Notes for tracking purposes to aid in chain of custody tracking. Like all forensically-sound collection tools, it retains the file system metadata (and the file path) and creates a log of the files copied.
When a full drive is imaged, a hash generated by FTK Imager can be used to verify that the image hash and the drive hash match after the image is created, and that the image has remained unchanged since acquisition.