# FTK Imager

FTK Imager isn't typically used as a 'forensic analysis' tool; it's mostly used to acquire and verify images. That being said, it can mount images (E01, dd, VMDK, etc.) so you can inspect them quickly. It's also helpful when examining images from Linux hosts, as it supports most Linux file systems (ext3/ext4, etc.), and text-based logs are easy to read with the built-in data previewer.

For Windows hosts, we can quickly export event logs for further processing with another tool.

## Verifying an image using FTK Imager

Our first step should be to add the image, verify it, and continue with our initial examination.

Load FTK Imager

File > Add Evidence Item

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FnmJxohYbLXrtSD2L3LwN%2Fimage.png?alt=media&#x26;token=579b0efb-a1cf-48d2-aaf9-604de68d03f3" alt=""><figcaption></figcaption></figure></div>

Select Source > Image File

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FRclXKys902fLNRwtZGaR%2Fimage.png?alt=media&#x26;token=94c1112e-7744-4ae2-abb6-d7b18e2df949" alt=""><figcaption></figcaption></figure></div>

Browse > Select first segment (.E01) of the spanned image set > Open > Finish

<figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2Fuf3eyvNyqZRFZqSt2aux%2Fimage.png?alt=media&#x26;token=f8322342-09ba-4f12-bfbb-c0f798fc8834" alt=""><figcaption></figcaption></figure>

It should now appear like this. You should be able to expand the item under the evidence tree.

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FTyknfMXbDmd94oyvfsL1%2Fimage.png?alt=media&#x26;token=d0eb9578-e14d-426b-a666-81ac4d0f327f" alt=""><figcaption></figcaption></figure></div>

The first and third partitions are typically set up during install: partition 1 is the UEFI (EFI system) partition and partition 3 is the recovery partition for the OS.

Expand Partition 2 and you can see the typical Windows folder structure.

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FEKXG6nQ0sCusibAnBhL8%2Fimage.png?alt=media&#x26;token=36f19412-419e-43a0-aac6-3f12bf961d7a" alt=""><figcaption></figcaption></figure></div>

Right-click the image item (20240212-decrypted-Windows\_Server\_2022.E01) and select Verify Drive/Image.

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FWCYTb73oZacWFoFY2zPZ%2Fimage.png?alt=media&#x26;token=ffb45d5d-97f1-417e-916f-1e5fe59eeab7" alt=""><figcaption></figcaption></figure></div>

Progress statistics are displayed and, once verification has finished, you should see the following:

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2F6JVzDiokXvUYEV1usFjw%2Fimage.png?alt=media&#x26;token=ea8f6d28-774b-48b7-b12f-af2023dfda16" alt=""><figcaption></figcaption></figure></div>

This dialog is telling us that the hash stored in the E01 set (computed over the acquired data stream at imaging time) matches the hash just recalculated from the segments on disk. This confirms we are working with a valid, unaltered set of data. In addition, it's good practice to generate SHA1/SHA256 sums of each E01 segment before transit and verify them again after. This identifies changes introduced during download/upload/transfer and, again, ensures you have a reliable set of data.

[Read this](https://www.forensicsware.com/blog/e01-file-format/) to understand more about the E01 file structure (including headers, block size, CRC references, etc.).
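The per-segment hashing described above, as an added example (not part of the original page and not an FTK Imager feature): it enumerates a spanned set from its first segment, writes a SHA1/SHA256 manifest before transit, and re-verifies the set after transfer, reporting any segment whose hash has changed or that is missing. The `evidence.E01`–`evidence.E03` files in `demo()` are constructed filler, not a real acquisition; the manifest format (`<algorithm> <hex> <filename>` per line) is a choice made here for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

ALGORITHMS = ("sha1", "sha256")
CHUNK = 1024 * 1024  # stream segments in 1 MiB blocks; real E01 segments can be many GB


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for one file, read from disk in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def segment_files(first_segment):
    """List a spanned set from its first segment: name.E01, name.E02, ...
    Stops at the first missing number, so it covers .E01 to .E99 (larger sets
    continue with .EAA and so on, which this helper does not enumerate)."""
    first = Path(first_segment)
    segments = []
    n = 1
    while True:
        candidate = first.parent / f"{first.stem}.E{n:02d}"
        if not candidate.is_file():
            break
        segments.append(candidate)
        n += 1
    return segments


def write_manifest(first_segment, manifest_path):
    """Hash every segment before transit and record '<alg> <hex> <filename>' lines."""
    lines = []
    for seg in segment_files(first_segment):
        for alg, digest in hash_file(seg).items():
            lines.append(f"{alg} {digest} {seg.name}")
    Path(manifest_path).write_text("\n".join(lines) + "\n")
    return lines


def verify_manifest(first_segment, manifest_path):
    """Re-hash the received set; returns a list of problems (empty means intact)."""
    problems = []
    directory = Path(first_segment).parent
    for line in Path(manifest_path).read_text().splitlines():
        if not line.strip():
            continue
        alg, expected, name = line.split(" ", 2)
        path = directory / name
        if not path.is_file():
            problems.append((name, alg, "missing segment"))
            continue
        actual = hash_file(path, (alg,))[alg]
        if actual != expected:
            problems.append((name, alg, f"expected {expected}, got {actual}"))
    return problems


def demo():
    """Constructed three-segment set: verify clean, then flip one byte and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        for n in range(1, 4):
            # Constructed filler bytes standing in for E01 segment content.
            (tmp / f"evidence.E{n:02d}").write_bytes(bytes([n]) * 4096)
        first = tmp / "evidence.E01"
        manifest = tmp / "evidence.hashes.txt"
        write_manifest(first, manifest)
        clean = verify_manifest(first, manifest)
        # Simulate corruption in transit: a single byte changes in segment 2.
        seg2 = tmp / "evidence.E02"
        data = bytearray(seg2.read_bytes())
        data[100] ^= 0xFF
        seg2.write_bytes(bytes(data))
        tampered = verify_manifest(first, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean run problems:", clean)
    for name, alg, detail in tampered:
        print(f"{name} {alg}: {detail}")
```

Keep the manifest with the case notes rather than alongside the segments, so a transfer that corrupts or replaces a segment cannot also silently rewrite the reference hashes; on the receiving side, run `verify_manifest` before adding the set to FTK Imager, and treat any reported problem as a reason to re-transfer rather than to proceed.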

