Saturday, 9 October 2010

FTK Imager 3

FTK Imager has always been the crème de la crème of free forensic tools and now with the introduction of FTK Imager 3 it is even better.

Access Data have added some amazing functionality to this program's already extensive list of capabilities - in fact, to steal a phrase, it's almost magical, and it is certainly available at an unbelievable price. So what am I referring to?

The answer, of course, is the new image mounting feature, which allows a user to mount an image as a logical drive or as a physical device. EnCase evidence files, SMART image files, Advanced Forensic Format images and dd images are supported. Additionally, EnCase Logical Evidence Files and Access Data's AD1 custom content images can be mounted logically. Full details are in the Release Notes.

This functionality is accessed via File/Image Mounting.

In this screen shot I have chosen to mount a drive from a Mac which includes a Bootcamp partition.

[Screen shot: FTK Imager 3 Image Mounting dialog, image not preserved]
This resulted in the EFI partition, the HFS+ partition and the NTFS Bootcamp partition all being given a drive letter. The whole drive is allocated Physical Drive Number 4 in this example.

All of these resources are now available natively on the machine that FTK Imager 3 is running on. The physical disk, however, is not listed in Disk Management, nor does this functionality appear to install any devices within Device Manager.

Logical mounting of non-Windows partitions (HFS+, EXT3 et al.) presents an Explorer view of these file systems as FTK Imager itself sees them (à la EnCase VFS).

This functionality provides many benefits and, at first look at least, renders the costly alternatives of PFS/VFS and Mount Image Pro redundant. It also raises the bar in how we can construct virtual machines from images, because more than one drive can be mounted at once, which simplifies the creation of multi-drive VMs. The functionality also allows non-techies (lawyers, fraud investigators et al.) to peruse images easily.

FTK Imager 3 also introduces support for the VxFS, exFAT and EXT4 file systems. As we sometimes say in England, it's the dogs...


4 comments:

Anonymous said...

If you have Quick View Plus installed, you can preview supported files in the view pane. Handy for triage.

John Douglas said...

Your link to "the dogs" is 404.

Anonymous said...

Richard

Another useful posting.

All the best on your retirement, and many thanks for all the work you have done on this site and with the C4P updates.

Gary Probert
Gwent
