I like your video. Can you make a video of something like this with EnCase too? Thanks.
Hi, may I ask how I can search for the file location in the evidence tree after I found the keyword in the hex section at the bottom right?
Great video, may I ask how to find information from an image by using FTK, like:
a) What is the computer name?
b) What is the TCP/IP host name?
c) Last shutdown time
d) Mounted devices
e) Information about the network interface cards
f) What are the user accounts available on the machine?
g) List all user accounts
h) What is the last password reset time of the users?
i) How many disabled user accounts are available and what are the user names of those accounts?
j) What are the user IDs that have Administrator access?
That is found in the registry keys.
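Where each of those answers lives in the hives, and how to decode the two binary forms you run into on the way (a FILETIME such as ShutdownTime, and the per-user F value in the SAM), as an added Python example that is not the commenter's code and not part of FTK. The REG_SZ values (computer name, hostname) read straight out of the hex pane; the SAM F-value offsets used here are the ones common SAM parsers such as RegRipper's samparse work with and are an assumption, and every byte string below is constructed for the demo, not taken from an image.

```python
"""Decoding the registry artifacts behind the questions in this thread.
Added example, not from the commenter or FTK; it takes raw value bytes (as
shown in FTK Imager's hex pane) and does not parse hive files. SAM F-value
offsets are the ones common SAM parsers (e.g. RegRipper samparse) use and
are an assumption here."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Hive-relative location of each answer. ControlSet00N is the set named by
# SYSTEM\Select\Current when the hive is read offline out of an image.
REGISTRY_SOURCES = {
    "computer name":      r"SYSTEM\ControlSet00N\Control\ComputerName\ComputerName : ComputerName",
    "TCP/IP host name":   r"SYSTEM\ControlSet00N\Services\Tcpip\Parameters : Hostname",
    "last shutdown time": r"SYSTEM\ControlSet00N\Control\Windows : ShutdownTime (FILETIME)",
    "mounted devices":    r"SYSTEM\MountedDevices",
    "network interfaces": r"SYSTEM\ControlSet00N\Services\Tcpip\Parameters\Interfaces\{GUID}",
    "user accounts":      r"SAM\Domains\Account\Users\Names (one subkey per account)",
    "flags, pwd reset":   r"SAM\Domains\Account\Users\<RID> : F",
    "Administrators":     r"SAM\Domains\Builtin\Aliases\00000220 : C (member SIDs)",
}

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF

def decode_filetime(raw: bytes) -> Optional[datetime]:
    """8-byte little-endian FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    ticks, = struct.unpack("<Q", raw[:8])
    if ticks in (0, _FILETIME_NEVER):          # never set / never expires
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def encode_filetime(dt: datetime) -> bytes:
    """Inverse of decode_filetime; used only to build the sample input."""
    d = dt - _FILETIME_EPOCH
    return struct.pack("<Q", (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10)

ACB_FLAGS = {0x0001: "DISABLED", 0x0004: "PASSWORD_NOT_REQUIRED",
             0x0010: "NORMAL_ACCOUNT", 0x0200: "PASSWORD_NEVER_EXPIRES",
             0x0400: "AUTO_LOCKED"}   # low 16 bits at offset 0x38 of F

def parse_sam_f_value(f: bytes) -> dict:
    """Per-user F value, assumed layout: 0x08 last logon, 0x18 password last
    set, 0x28 last failed logon (FILETIMEs), 0x30 RID, 0x38 ACB flags,
    0x40 failed-logon count, 0x42 logon count (all little-endian)."""
    if len(f) < 0x44:
        raise ValueError("F value shorter than 0x44 bytes")
    rid, = struct.unpack_from("<I", f, 0x30)
    flags, = struct.unpack_from("<H", f, 0x38)
    failed, logons = struct.unpack_from("<HH", f, 0x40)
    return {
        "rid": rid,
        "last_logon": decode_filetime(f[0x08:0x10]),
        "password_last_set": decode_filetime(f[0x18:0x20]),
        "last_failed_logon": decode_filetime(f[0x28:0x30]),
        "disabled": bool(flags & 0x0001),
        "flags": [name for bit, name in ACB_FLAGS.items() if flags & bit],
        "failed_logons": failed,
        "logon_count": logons,
    }

def build_sam_f_value(rid: int, last_logon: Optional[datetime], pwd_set: datetime,
                      flags: int, logons: int = 0) -> bytes:
    """Constructed sample F value for the demo, not taken from a real hive."""
    f = bytearray(0x50)
    if last_logon:
        f[0x08:0x10] = encode_filetime(last_logon)
    f[0x18:0x20] = encode_filetime(pwd_set)
    f[0x20:0x28] = struct.pack("<Q", _FILETIME_NEVER)   # account never expires
    # RID at 0x30, ACB flags at 0x38, failed-logon and logon counts at 0x40/0x42
    struct.pack_into("<IxxxxHxxxxxxHH", f, 0x30, rid, flags, 0, logons)
    return bytes(f)

def account_report(users: Dict[str, bytes]) -> dict:
    """Answers f/h/i above for {username: F value bytes}."""
    parsed = {name: parse_sam_f_value(f) for name, f in users.items()}
    return {
        "accounts": sorted(parsed),
        "password_last_set": {n: p["password_last_set"] for n, p in parsed.items()},
        "disabled": sorted(n for n, p in parsed.items() if p["disabled"]),
    }

# Constructed sample input standing in for bytes read out of an image.
UTC = timezone.utc
SAMPLE_SHUTDOWN_TIME = encode_filetime(datetime(2023, 5, 2, 18, 40, 7, tzinfo=UTC))
SAMPLE_USERS = {
    "Administrator": build_sam_f_value(500, None, datetime(2022, 11, 9, 8, 0, tzinfo=UTC), 0x0211),
    "Guest": build_sam_f_value(501, None, datetime(2022, 11, 9, 8, 0, tzinfo=UTC), 0x0215),
    "jsmith": build_sam_f_value(1001, datetime(2023, 5, 2, 9, 15, tzinfo=UTC),
                                datetime(2023, 1, 20, 14, 30, tzinfo=UTC), 0x0010, logons=42),
}

if __name__ == "__main__":
    print("last shutdown:", decode_filetime(SAMPLE_SHUTDOWN_TIME))
    print(account_report(SAMPLE_USERS))
```

In practice you export the SYSTEM and SAM hives from the image (C:\Windows\System32\config), read the values with a hive parser, and feed the raw bytes to the functions above; the user names come from the subkeys of Users\Names, which also carry the RID that links them to the F values. MountedDevices and the Administrators alias (the C value holds member SIDs) have their own binary layouts that this example does not decode, so treat those as separate parsing jobs.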
Hello Sir; thank you for your lecture. I got a question. I got an image of my laptop's hard drive using FTK Imager. I then formatted (partitioned) my hard drive and installed another Windows OS. I later carved the image and added evidence items using the imager. I noticed that I have everything, but the files are unreadable (encrypted). I guess BitLocker on my laptop was on during imaging. I have my BitLocker key for my laptop. Now, is there any solution for this problem?
I am aware FTK supports BitLocker keys; however, I have not had a case to implement it. One article I read suggested mounting the drive outside of FTK and providing the key there, then using FTK to access the new mount and review the data.
@h3xxedit I used Autopsy to mount it, and it didn't work either. Do you know any other software?
Since this last reply I have had use of BitLocker in this format. What I did was use FTK to mount the drive in Windows. When you click the drive it mounts, it will ask you for the key. Once complete, I use FTK to acquire another image of the drive, and this image would be without the BitLocker limitation.
What about pulling the Windows password hash file from a RAM memory capture? Does FTK do this? Can it?
FTK Imager is supposed to be able to capture memory, I have had mixed results from it. As for the analysis of the mem files with FTK Imager, it really does not do it. It will open the file and display it but it doesn't provide much insight. I cannot speak for the full FTK product as I do not have access to an instance to test, it may have a richer feature set than the imager when it comes to memory analysis.
How to export the files marked with a red cross?
If you mean the red X, you should still be able to recover those with a right-click option. What FTK is telling you is that the file has been deleted from the system but it is still available. If this is not what you are looking for, let me know.
@h3xxedit Sir, thank you for your response. The FTK file export is exporting the metadata only, with 0 BYTES BEING TRANSFERRED. I mean no data is being exported.
@jassi123jassi I am looking to answer your question. Based on the red X, which is what I see when a file has been deleted, here is what I believe is going on. When you recover a file and it has 0 bytes, it means the pointer is still there; however, the data is no longer available. You can see this in FTK when you click on the file. Looking in the lower screen, it will show you the text it contains; you can also switch to hex view if not selected. Depending on the underlying filesystem, i.e. FAT, NTFS, etc., you may see the complementing slack space and can get some data out of it.