Purpose: To introduce some of the FTK Imager features, including core functions for acquiring case evidence.
Application location: Virtual Computing Lab
Preparation: Review user guide and lab video/slides (on Blackboard)
Evidence file: Washer.E01 file (located in \\144.175.196.12\Forensic Data\Washer.E01)
Questions to answer:
Who was the examiner for this drive and what software was used to acquire this image?
How many sectors are on this drive?
What is the volume serial number for the WASHER volume?
When was the [root] directory created? Provide the full timestamp.
What is the file system and operating system of Partition 1?
What is the purpose of the pagefile.sys file?
What is the starting cluster for the pagefile.sys file?
What is the Master File Table (MFT)? Why is it important?
What is the MFT record number of the MFT?
What is the MFT record number for the WINDOWS directory?
Convert Washer.E01 into the AFF format. Password protect the image with the
Load the new image into FTK Imager to verify that the password is set.