Comparing FTK Imager and Autopsy
CSOL-590-04-FA21 – Cyber Incident Resp/Forensics
2021
What is FTK?
FTK Imager is a data preview and imaging tool used to acquire data (Accessdata, 2021). The imager software creates copies of data without making changes to the original data. Once the data has been collected, the imager performs a forensic examination and creates reports of the findings. FTK Imager creates image files in different formats such as .E01, SMART, AFF, and RAW.
Adding Files to FTK Imager vs. Autopsy
FTK Imager
Open FTK Imager and Select the add
Select the evidence type; in this case it is an image file.
Select the Evidence Source Location
The file will be added in FTK and visible.
Autopsy Imager
Open Autopsy and Click New Case
Choose Case Name and Base Directory
Fill in all pertinent information
Select Generate a new hostname based on the data source name.
Select Data Source Type
Select Data Source path
The Data Source will load within the application
Hexadecimal View vs. Text View
Hexadecimal is a number system that is sometimes also called base 16, a name that refers to the prefix hex. The system represents each value using 16 unique symbols: 0-9 and A-F. As the name hexadecimal suggests, it builds on the decimal system, which uses 0-9 to represent specific values. The standard way of expressing values is binary. For example, 1,000,000 in binary would be 1111 0100 0010 0100 0000, which is long and inefficient. Hexadecimal shortens this long binary string to F4240.
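As an added example (not part of the original slides or of either tool), the Python code below converts the binary string above to hexadecimal four bits at a time and then renders one constructed byte buffer both ways, as a text view and as a hex view. The function names and the sample bytes are assumptions made for illustration.

```python
"""Hex view vs. text view of the same bytes (added example, constructed data)."""

PRINTABLE = range(0x20, 0x7F)  # ASCII codes a text pane can display as characters


def nibbles_to_hex(bits):
    """Convert a binary string (spaces allowed) to hex, one digit per 4 bits."""
    bits = bits.replace(" ", "")
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("expected only the characters 0 and 1")
    bits = bits.zfill(-(-len(bits) // 4) * 4)  # left-pad to a multiple of 4 bits
    return "".join("0123456789ABCDEF"[int(bits[i:i + 4], 2)]
                   for i in range(0, len(bits), 4))


def text_view(data):
    """Text rendering: printable ASCII is kept, every other byte becomes a dot."""
    return "".join(chr(b) if b in PRINTABLE else "." for b in data)


def hex_view(data, width=16):
    """Rows of offset, hex byte values, and the text rendering of the same bytes."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        rows.append(f"{off:08X}  {hexpart:<{width * 3 - 1}}  {text_view(chunk)}")
    return rows


# Constructed sample: a text label, then 1,000,000 stored as a 4-byte
# big-endian integer, then a line ending and more text.
SAMPLE = b"size=" + (1_000_000).to_bytes(4, "big") + b"\r\nend"

if __name__ == "__main__":
    print(nibbles_to_hex("1111 0100 0010 0100 0000"))
    print(text_view(SAMPLE))
    print("\n".join(hex_view(SAMPLE)))
```

In the text view the stored number is unreadable (two dots followed by "B@"), while the hex view shows its exact bytes 00 0F 42 40, which is why an examiner switches to hex when the data is not plain text.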
Strength and Weakness of FTK