FTK ANALYZER(HARD DISK ANALYSIS)

AIM: Hard Disk Analysis using FTK analyzer.

APPARATUS: Hard Disk Image, FTK Analyzer CodeMeter v4.50b run time software for
Codemeter,A WIBU-Systems CodeMeter USB or virtual CM stick, Evidence Processing Engine.

PROCEDURE:

● Open FTK analyzer and Authenticate With username and password..

● the very first screen where authentication details are to be entered.

● Enter username and Password to Authenticate.
● Click on “Case” and select “New”, To create a new case, Once you select new case a
new window is popped up.

● In the window, Enter details of the case I.e The Owner name, The case name,
Description of the case, Select Directory location for storing the case related information,
Select processing profile as “Forensic Processing”, Click on “OK” to create a new case.
● The following screen gets opened, after entering all the details from the previous screen.
Click on “Evidence” to add new evidence item i.e the hard disk image that is to be
entered.

● Click on “Add” to Add image of the hard disk, Fill name of the Evidence, Description of
the Evidence, Select the correct Time Zone of the case, Click on OK to continue.
● Once the Evidence is loaded, All the items present in the evidence are shown on the left
pane as seen in the above image.
● The “Overview” Tab shows all the files and directories present in the image file.
● The “Email” Tab shows all the emails sent,received by the user.
● The “Video” Tab shows all the videos present in the image.

● The “Internet” Tab shows the cookies stored, The websites visited by the user.
● The data can be seen by clicking on the file you want to view. The file can be viewed, In
Text, Hex and Filtered tab shows the file’s text created during indexing.

FTK Analyzer can read deleted data from the image. In the Above image, The files with
a “X”(cross icon) indicate the deleted emails.The data in those emails is shown below.
SEARCHING FOR EVIDENCE USING FTK ANALYZER

There are two types of searches in FTK analyzer, they are:

● Live search
● Indexed search

LIVE SEARCH
A live search is a bit-by-bit comparison of the entire evidence set with the search term and takes
slightly more time than an index search.
Live searches also allow you to search regular expressions and hex values.
To conduct a live search, you can perform the following steps:
● Click on the Live Search tab.
● In the Text tab, insert your keyword and click on Add
● You will now see the keyword inserted in the Search Terms list; click on Search.
● The results will appear in Live Search Results with the numbers of hits.

● The above image shows How to add a keyword which is to be searched through out the
Hard disk image given to the Analyzer.
● The Right part of the image shows the files that contain the keyword. All the results have
the key word given as input.
INDEX SEARCH
The Index Search option compares search terms with the indexed database.
To perform an index search, you can perform the following steps:
● Click on the Index Search tab.
● In the Terms section, insert your keyword and click on Add.
● The possible hits of your keyword will be displayed immediately. Select the most
appropriate and double-click on it.
● You will see the keyword inserted in the Search Terms list; click on Search Now.
● The results will appear in Index Search Results with the numbers of hits:

● The above image shows how to add keyword to be searched,Unlike live search, The
search is applied on the indexed database or hard disk which was created earlier. On
the right side the results are displayed, i.e what files contain the keyword are shown
along with number of hits.
● It’s very fast compared to live search.
FTK DATA VISUALIZATION
Data visualization is a feature that provides a graphical interface to enhance understanding and
analysis of the files and emails in a case. You view data based on the file and email dates.
Data visualization supports the following data types:
● File data: This lets you view file data from either the Explore tab or the Overview tab
● E-mail data: This lets you view e-mail data from the Email tab
● Internet browser history: This lets you view Internet browser history data
● To open data visualization, see the Explorer, Overview, or Email tab to select your
dataset. Click on Tools and select Visualization.

The above image shows visualisation of the data, The data or file is visualised and is shown
using various graphs via a Graphical User Interface.
FTK REPORT GENERATION

● Click on File, “Report” To create a new report and save the inferences generated by
looking through out the evidence.

Select all the necessary files that are needed to investigate the case further and click on export
to “Export” all the selected files.
● Click on “OK” for selecting a folder and add dependencies for saving the case related
information in the folder.

● Select the directory, Where all the dependency files and case information files are to be
stored.
● All the case related Information is successfully stored in XML format, As shown in the
above pic.

● Select the folder, Where all the outputs or results, generated are to be stored. The
results can be stored in various formats as shown above.
● Select the folder where all the reports are to be stored. Click on “...” to browse the
directory where reports are to be stored.

● Select the Directory where the reports are to be saved and Click on “OK” to generate
and save the report in the particular Directory.
 OUTPUT

● At the End, A report is saved with all the inferences.