File System Forensics using FTK Imager & Autopsy.
[Audio] The primary objective of file system forensics is to provide a thorough understanding of the file system's layout, including the locations of files, folders, and system metadata. This information is crucial in reconstructing the timeline of events that led to the current state of the file system. The procedure for file system forensics involves several steps, including the acquisition of disk images, analysis of file system structures, and identification of potential evidence. We will delve into the specifics of each step as we progress in our discussion. Autopsy plays a pivotal role in our analysis by providing a detailed examination of the file system, including the identification of deleted files, reconstruction of file system structures, and analysis of system metadata. This tool allows us to visualize the file system layout, track changes, and identify potential evidence. In our analysis, we will also explore the results and conclusions drawn from the file system forensic examination. This will involve a thorough evaluation of the evidence collected and the reconstruction of the events that led to the current state of the file system. Through this examination, we aim to provide a comprehensive understanding of file system forensics, highlighting the importance of this area in digital forensics and the tools used to conduct such examinations. By the end of our discussion, you will have gained a thorough understanding of the principles and practices of file system forensics.
[Audio] The file system is a hierarchical structure that contains various types of files and folders. It is organized by a set of rules and conventions that allow for efficient storage and retrieval of data. The file system consists of several key components: the root directory, the user directories, and the system directories. The root directory serves as the topmost level of the hierarchy, while the user directories contain personal files and documents. The system directories hold administrative and configuration files. The file system also includes metadata such as file names, timestamps, and permissions. Metadata provides valuable information about the creation, modification, and deletion of files. By analyzing metadata, investigators can gain insights into the activities of individuals who have accessed or modified digital data.
[Audio] The process of creating a forensic image involves several steps. First, we need to select a suitable location for the image. This location should be free from any physical interference and ideally located on a separate hard drive. The selected location should also be easily accessible by the analyst. A suitable location may include a network-attached storage device or a USB drive. Next, we need to configure the imaging software to capture the data from the original device. This configuration typically involves setting the imaging parameters such as resolution, compression, and encryption. The imaging software must be configured to capture the entire disk, including all partitions and files. The imaging software should also be able to handle large amounts of data and perform the imaging operation quickly. Once the imaging software is configured, we can begin the imaging process. The imaging process involves capturing the data from the original device and storing it in the selected location. The imaging software will then compress the data and encrypt it to protect it from unauthorized access. The compressed and encrypted data is stored in the selected location, where it can be analyzed later. The imaging process takes several hours to complete, depending on the size of the disk and the speed of the imaging software. After the imaging process is complete, we can retrieve the forensic image and begin analyzing it.
[Audio] The tool that is most commonly used for creating disk images is FTK Imager. This software allows users to create a copy of a hard drive or other storage device, which can then be analyzed by experts. FTK Imager also has features such as password recovery and data carving, which are useful for recovering deleted files and other digital artifacts. Another tool that is widely used is Autopsy. This software is designed to analyze digital evidence and identify digital artifacts. It provides a user-friendly interface and supports multiple operating systems, including Windows, macOS, and Linux. Autopsy also includes features such as data recovery, password cracking, and network analysis. Sample is another tool that is often used in file system forensics. It is free and open-source software that allows users to extract and analyze digital evidence from various sources. Sample is particularly useful for extracting metadata from files and folders, as well as for analyzing network traffic. USB drives are also an essential tool in file system forensics. They provide a convenient way to transfer digital evidence between devices and can be used to create a bootable image of a computer's hard drive. USB drives are particularly useful for collecting and analyzing digital evidence from mobile devices. Disk images are a critical component of file system forensics. A disk image is a virtual representation of a hard drive or other storage device, which can be analyzed by experts. Disk images can be created using various tools, including FTK Imager and Autopsy. They are particularly useful for preserving digital evidence and preventing tampering with original data. Windows System is a specialized tool that is specifically designed for analyzing Windows-based computers. It provides a range of features and tools for analyzing digital evidence, including password recovery, data carving, and network analysis. Windows System is particularly useful for analyzing Windows-based computers and identifying digital artifacts.
FTK Imager – Introduction. Forensic acquisition tool. Creates bit-by-bit copy. Prevents evidence modification.
FTK Imager – Step 1. Launch FTK Imager. File → Create Disk Image.
FTK Imager – Step 2. Select Source Type. Choose Physical Drive.
FTK Imager – Step 3. Select Correct Source Drive. Verify size and drive letter.
FTK Imager – Hashing. Enable MD5 & SHA1. Ensures integrity of evidence.
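The integrity check behind this slide, as an added example (not part of the original slides and not FTK Imager's own code): it recomputes MD5 and SHA1 over a raw image split into numbered segments and compares them with the values recorded at acquisition. The segment names, the `recorded` dictionary and the sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile


def hash_segments(paths, chunk_size=1 << 20):
    """Stream the segments, in the order given, through MD5 and SHA1 in one pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in paths:
        with open(path, "rb") as fh:
            while chunk := fh.read(chunk_size):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(paths, recorded):
    """Return {algorithm: bool}; the image is verified only if every value is True."""
    computed = hash_segments(paths)
    return {alg: computed[alg] == recorded[alg].strip().lower()
            for alg in ("md5", "sha1")}


def demo():
    """Constructed sample: a 3 KiB stand-in 'drive' split into two raw segments."""
    source = b"".join(i.to_bytes(2, "big") for i in range(1536))
    # Hashes as they would be noted at acquisition time (upper case on purpose).
    recorded = {"md5": hashlib.md5(source).hexdigest().upper(),
                "sha1": hashlib.sha1(source).hexdigest().upper()}
    with tempfile.TemporaryDirectory() as tmp:
        segs = [os.path.join(tmp, "evidence.001"), os.path.join(tmp, "evidence.002")]
        for path, part in zip(segs, (source[:2048], source[2048:])):
            with open(path, "wb") as fh:
                fh.write(part)
        intact = verify_image(segs, recorded)
        wrong_order = verify_image(segs[::-1], recorded)
        # Change a single byte in the second segment, as silent corruption would.
        with open(segs[1], "r+b") as fh:
            fh.seek(10)
            fh.write(b"\xff")
        altered = verify_image(segs, recorded)
    return intact, wrong_order, altered


if __name__ == "__main__":
    for label, result in zip(("intact", "wrong order", "altered"), demo()):
        print(f"{label:12} {result}")
```

This applies to raw (dd-style) images, where the acquisition hash covers the segments concatenated in order. For an .E01 image the recorded hash covers the acquired data rather than the container file, so verify it in a tool that reads the format instead of hashing the .E01 file itself.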
[Audio] Digital forensic analysis tools are used to analyze forensic images, extract relevant data, and identify potential evidence. In this context, we're focusing on the FTK Imager and Autopsy tools. These tools enable us to create a forensic image of a storage device, such as a hard drive or solid-state drive. This image captures all the data on the device, allowing us to analyze it later. FTK Imager creates a bit-for-bit copy of the original data, ensuring that no changes are made during the process. Autopsy provides a more comprehensive platform for analyzing the forensic image. It offers advanced features like artifact detection, which helps identify potential evidence. By utilizing these tools, investigators can gather crucial information from the analyzed data, ultimately aiding in the resolution of cybercrimes and legal cases.
Autopsy – Create Case. Create new case. Enter case name and directory.
Autopsy – Add Data Source. Add Disk Image (.E01). Enable ingest modules.
Expected Results. Image created successfully. Hash values verified. Artifacts extracted.
Conclusion. Complete forensic workflow demonstrated. Evidence integrity maintained.
Thank You. Digital Forensics Laboratory.