FTK Imager
How to use FTK Imager to verify, inspect, and export data from an image
FTK Imager isn't typically used as a forensic analysis tool; it's mostly used to acquire and verify images. That said, it can mount images (E01, dd, VMDK, etc.) and let you inspect them quickly. It's also helpful when you're examining images from Linux hosts, since it supports most Linux file systems (ext3/ext4, etc.) and the built-in data previewer makes it easy to read text-based logs.
For Windows hosts, we can quickly export event logs for further processing with another tool.
Our first step should be to add the image, verify it, and continue with our initial examination.
Load FTK Imager
File > Add Evidence Item
Select Source > Image File
Browse > Select first segment (.E01) of the spanned image set > Open > Finish
It should now appear like this. You should be able to expand the item under the evidence tree.
The first and third partitions are typically set up during installation: partition 1 is the UEFI system partition, and partition 3 is the OS recovery partition.
Expand Partition 2 and you can see the typical Windows folder structure.
Right click the image item (20240212-decrypted-Windows_Server_2022.E01) and select Verify Drive/Image
Progress statistics are displayed, and once verification has finished you should see the following:
This result tells us that the hash stored with the stream of data inside the E01 set matches the hash that was just calculated over it, so we know we are working with a valid set of data. In addition, it's good practice to generate SHA1/SHA256 sums of each E01 segment before transit and verify them afterwards. This identifies any change introduced during download/upload/transfer and again ensures you have a reliable set of data.
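The per-segment hashing described above can be scripted so the manifest is produced once before transit and checked again on arrival. The following is an added example, not part of FTK Imager or the original page: it hashes every segment of a spanned set (NAME.E01, NAME.E02, ... and NAME.EAA onwards), writes a manifest, and re-verifies the segments against it. The segment file names and contents in `demo()` are constructed for illustration.

```python
"""Segment-level hash manifest for a spanned E01 set (added example).

Generate SHA1/SHA256 sums for each segment before transfer, then verify
every segment against the manifest after transfer.
"""
import hashlib
import os
import re
import tempfile

# Spanned EnCase sets use .E01 .. .E99, then .EAA, .EAB, ... (sorts correctly as text)
SEGMENT_RE = re.compile(r"\.E[0-9A-Z]{2}$", re.IGNORECASE)
CHUNK = 1 << 20  # stream 1 MiB at a time so multi-GB segments are not read into memory


def hash_file(path):
    """Return (sha1, sha256) hex digests of one file, computed in a single pass."""
    sha1 = hashlib.sha1()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()


def find_segments(directory, base_name):
    """List the segments of the set NAME.E01, NAME.E02, ... in order."""
    segs = [f for f in os.listdir(directory)
            if f.startswith(base_name + ".") and SEGMENT_RE.search(f)]
    return sorted(segs)


def write_manifest(directory, base_name, manifest_path):
    """Hash every segment and write 'sha1  sha256  filename' lines (two spaces between fields)."""
    entries = []
    for seg in find_segments(directory, base_name):
        sha1, sha256 = hash_file(os.path.join(directory, seg))
        entries.append((seg, sha1, sha256))
    with open(manifest_path, "w") as fh:
        for seg, sha1, sha256 in entries:
            fh.write(f"{sha1}  {sha256}  {seg}\n")
    return entries


def verify_manifest(directory, manifest_path):
    """Re-hash each listed segment; map filename -> 'OK', 'MISMATCH' or 'MISSING'."""
    results = {}
    with open(manifest_path) as fh:
        for line in fh:
            sha1, sha256, seg = line.rstrip("\n").split("  ", 2)
            path = os.path.join(directory, seg)
            if not os.path.exists(path):
                results[seg] = "MISSING"
                continue
            results[seg] = "OK" if hash_file(path) == (sha1, sha256) else "MISMATCH"
    return results


def demo():
    """Constructed sample: three tiny segments, one corrupted after 'transfer'."""
    with tempfile.TemporaryDirectory() as d:
        base = "sample-image"  # constructed name, not a real image set
        for ext, payload in (("E01", b"segment one"),
                             ("E02", b"segment two"),
                             ("E03", b"segment three")):
            with open(os.path.join(d, f"{base}.{ext}"), "wb") as fh:
                fh.write(payload)
        manifest = os.path.join(d, f"{base}.sha")
        write_manifest(d, base, manifest)
        before = verify_manifest(d, manifest)
        # simulate a single corrupted byte in the second segment during transfer
        with open(os.path.join(d, f"{base}.E02"), "r+b") as fh:
            fh.seek(0)
            fh.write(b"S")
        after = verify_manifest(d, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before transfer:", before)
    print("after transfer: ", after)
```

Keep the manifest separate from the segments (or send it over a different channel) so a transfer problem cannot silently corrupt both; a MISMATCH on one segment usually means only that segment needs to be re-transferred, while a MISSING entry means the set is incomplete and FTK Imager's Verify Drive/Image will fail on it as well.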
Read this to understand more about the E01 file structure (including headers, block size, CRC references etc)