We first must give a great shout out to Accessdata for this great tool, which they named FTK Imager. Thank you, Accessdata! You ask “But why, Casey?” and I tell you this is a tool developed by Accessdata and given freely to the computer forensic community for use. Yes, I know there are many tools out there, so why write about this one today? Well, I dedicate this article to a friend of mine, “Michael”. I talked to him about FTK Imager and he had not used it, so I told him I would do a write-up on it. So Michael, here’s to you, my friend.
Accessdata has done a great job with this program. It comes in many flavors for Windows, Mac, and Linux. They created an install version and a portable version that will run from CD or USB. I like the portable version as it does everything that the installed version does, so we will be using the portable one here today. This version is also for Windows only. What does that mean? You can only run this version on Windows systems, not Linux or Macs.
What can you image with this version? Anything your computer can see. If your computer cannot see it, then neither can FTK Imager.
Let us start with the “MENU” bar at the top.
As you can see, there are many items to choose from. We will move along to the “FILE” selection at the very top left.
As you can see, in this selection alone you have many options to choose from. I cannot go into each and every one of these in great detail. Why? Because I would bore you to death, when what I want to do is get you interested in it so you will try it for yourself. You can see that several items are grayed out. This is because you have not loaded any evidence into FTK Imager yet.
“Add Evidence Item” is the first selection; it would seem very simple, and it is. This is where you select the evidence type you want to add. If you are not sure about the naming conventions listed in the screenshot below, I would suggest researching (i.e. Googling) each one.
Once you have selected the type of evidence, you can move forward to looking through the evidence file or imaging the drive. You have many options when it comes to imaging, as well as evidence types to load and view. As you see below, the list of file types that FTK Imager can handle is long.
If you select “Physical Drive” you will get the following:
Select your drive or physical drive from the drop-down list.
The one used in this example is a USB drive that was created for the Raptor training course we put together in the past. In case you were asking... yes, it is free also!
In this example you can see files and folders. One thing we want to point out is the entries with red X’s on them. These are deleted files, and it did not take any action on our part to carve or load them; FTK Imager shows them automatically. Do not misunderstand us when we say this tool will show you deleted items: it is not a data recovery fix, it just surfaces some of these files.
If you need data recovery, then we suggest that you obtain the right tool for the job at hand. If you are only looking for an image you just deleted, then maybe this tool will work for you. This tool is primarily designed for imaging drives or devices for later analysis by a computer forensics examiner.
The other thing about this tool is that it will load an image file as well as an actual device (AKA a physical device).
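To show why an imager can list deleted files without any carving, and why that is not the same as recovering them, here is an added example that is not part of the original article or of FTK Imager. It assumes a FAT-formatted volume (the usual format for a USB stick): on FAT, deleting a file only overwrites the first byte of its 32-byte directory entry with 0xE5 and clears the cluster chain in the FAT, so the name (minus its first character), size and first cluster still sit in the directory and can be listed, but the later clusters are unknown and may already be reused. The directory bytes below are constructed for the example.

```python
import struct

ENTRY_SIZE = 32
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20
ATTR_LONG_NAME = 0x0F   # long-filename pieces carry all four low attribute bits
DELETED_MARK = 0xE5     # first name byte overwritten when the file is deleted
END_OF_DIR = 0x00       # first name byte of an entry that was never used


def make_entry(short_name: bytes, attr: int, first_cluster: int, size: int) -> bytes:
    """Build one 32-byte 8.3 directory entry (constructed sample data, not from a real disk)."""
    assert len(short_name) == 11, "FAT short names are exactly 8+3 bytes, space padded"
    # layout: name[11], attr, 8 reserved/timestamp bytes, cluster-high, write time,
    # write date, cluster-low, file size (all little-endian)
    return struct.pack("<11sB8xHHHHI", short_name, attr,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


# A minimal long-filename piece: sequence byte, 10 name bytes, attr 0x0F, 20 more bytes.
LFN_PIECE = bytes([0x41]) + b"\x00" * 10 + bytes([ATTR_LONG_NAME]) + b"\x00" * 20

# Constructed directory: one live file (preceded by its LFN piece), one deleted
# file, one subdirectory, the end-of-directory marker, then stale bytes after it.
SAMPLE_DIRECTORY = b"".join([
    LFN_PIECE,
    make_entry(b"README  TXT", ATTR_ARCHIVE, 3, 1200),
    make_entry(b"\xE5ECRET  DOC", ATTR_ARCHIVE, 7, 4096),   # was "SECRET.DOC" before deletion
    make_entry(b"PHOTOS     ", ATTR_DIRECTORY, 9, 0),
    b"\x00" * ENTRY_SIZE,
    make_entry(b"STALE   BIN", ATTR_ARCHIVE, 12, 99),        # never reached: after the end marker
])


def parse_fat_directory(raw: bytes) -> list:
    """Walk 32-byte entries and report live and deleted files the way an imager's tree view would."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        first = e[0]
        if first == END_OF_DIR:
            break                       # nothing past this entry was ever used
        attr = e[11]
        if attr == ATTR_LONG_NAME or attr & ATTR_VOLUME_ID:
            continue                    # skip long-name pieces and the volume label
        deleted = first == DELETED_MARK
        base = e[0:8]
        if deleted:
            base = b"_" + base[1:]      # the original first character is gone for good
        name = base.decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        if ext:
            name = f"{name}.{ext}"
        (clus_hi,) = struct.unpack_from("<H", e, 20)
        clus_lo, size = struct.unpack_from("<HI", e, 26)
        entries.append({
            "name": name,
            "deleted": deleted,
            "is_dir": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (clus_hi << 16) | clus_lo,
            "size": size,
        })
    return entries


def deleted_files(raw: bytes) -> list:
    """Only deleted non-directory entries: name, size and first cluster survive; the cluster chain does not."""
    return [e for e in parse_fat_directory(raw) if e["deleted"] and not e["is_dir"]]


if __name__ == "__main__":
    for e in parse_fat_directory(SAMPLE_DIRECTORY):
        flag = "X " if e["deleted"] else "  "
        print(f"{flag}{e['name']:<12} size={e['size']:<6} cluster={e['first_cluster']}")
```

Running the block lists README.TXT, the deleted _ECRET.DOC (marked X) and the PHOTOS folder. Only the first cluster of the deleted file is known; whether the remaining 4096 bytes are still intact depends on what has been written since, which is exactly why a listing like this is not a recovery.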
The tool will allow you to capture RAM from a live system. This is a great tool to have on a 32GB USB drive. Not only does it capture live memory, but it will also capture the system files for password cracking later.
FTK Imager will allow you to capture a hard drive image (in the format of your choice). It will let you browse a drive and see some deleted items. It also shows you hidden files. You are able to look at some items found in unallocated space as well. Again, this is no substitute for a complete forensic exam.
You can also see some of the metadata embedded in images (if it is there)…
Another great tool built into this program is the image mount. Yes, that is right: it can mount most image files for your viewing pleasure.
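Whatever format you pick for the drive image, the acquisition is only as good as its verification: the hashes computed during imaging must be reproducible from the image files later, or the image cannot be trusted in a report. Here is an added example that is not part of the original article or of FTK Imager. It assumes a raw (dd) image split into zero-padded fragments (evidence.001, evidence.002, ...), the common split-image convention, and a summary text file with "MD5 checksum:" and "SHA1 checksum:" lines; that summary layout is an assumption, so compare it with the log your imager actually writes. The image bytes are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# Constructed stand-in for an acquired drive: 10 KiB of repeating byte values.
SAMPLE_IMAGE = bytes(range(256)) * 40
FRAGMENT_SIZE = 4096   # tiny stand-in for an imager's fragment size (real ones are in MB)

# Assumed layout of the summary text; check it against your own log file.
HASH_LINE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9a-fA-F]+)",
                       re.MULTILINE | re.IGNORECASE)


def write_sample_fragments(directory, data=SAMPLE_IMAGE, fragment_size=FRAGMENT_SIZE):
    """Split the sample image into evidence.001, evidence.002, ... like a split raw image."""
    paths = []
    for start in range(0, len(data), fragment_size):
        path = os.path.join(directory, f"evidence.{len(paths) + 1:03d}")
        with open(path, "wb") as fh:
            fh.write(data[start:start + fragment_size])
        paths.append(path)
    return paths


def hash_fragments(paths, chunk_size=1 << 20):
    """Stream every fragment, in order, through MD5 and SHA1 as one logical image.

    Hashing each fragment on its own gives per-file digests that never match the
    log: the acquisition hash covers the concatenated stream."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in sorted(paths):   # zero-padded suffixes sort correctly as strings
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def parse_hash_log(text):
    """Pull the recorded digests out of the summary text (assumed format)."""
    return {algo.lower(): digest.lower() for algo, digest in HASH_LINE.findall(text)}


def verify_image(paths, log_text):
    """True only when every digest recorded in the log matches the recomputed one."""
    recorded = parse_hash_log(log_text)
    if not recorded:
        return False   # no reference hash means nothing was verified
    computed = hash_fragments(paths)
    return all(computed.get(algo) == digest for algo, digest in recorded.items())


def make_sample_log(hashes):
    """Write a summary block in the assumed format for the constructed image."""
    return ("[Computed Hashes]\n"
            f" MD5 checksum:    {hashes['md5']}\n"
            f" SHA1 checksum:   {hashes['sha1']}\n")


def expected_hashes():
    """Digests of the un-split sample image: the values the fragments must reproduce."""
    return {"md5": hashlib.md5(SAMPLE_IMAGE).hexdigest(),
            "sha1": hashlib.sha1(SAMPLE_IMAGE).hexdigest()}


def sample_fragment_hashes():
    """Write the fragments to a scratch directory and hash them as one stream."""
    return hash_fragments(write_sample_fragments(tempfile.mkdtemp()))


def self_check():
    """Round trip: verify the fragments, corrupt one byte, verify again. Returns (before, after)."""
    paths = write_sample_fragments(tempfile.mkdtemp())
    log = make_sample_log(hash_fragments(paths))
    before = verify_image(paths, log)
    with open(paths[1], "r+b") as fh:        # flip one byte in the middle fragment
        fh.seek(10)
        original = fh.read(1)
        fh.seek(10)
        fh.write(bytes([original[0] ^ 0xFF]))
    after = verify_image(paths, log)
    return before, after


if __name__ == "__main__":
    print("fragments match the log, then after tampering:", self_check())
```

Running the block prints (True, False): the split fragments reproduce the recorded digests, and a single flipped byte in any fragment breaks verification. Keep the summary file with the image set, and re-run a check like this on the copy you actually analyze, not only on the original media.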
Let’s say you want the SAM and SYSTEM files for password recovery before pulling the plug on a live system. Can FTK Imager do that? Why, yes it can!
Need to capture RAM before pulling that plug? Then FTK Imager Lite is for you. Get yourself a 16 to 32 GB USB drive, put this bad boy on it, and you will be ready for most things you encounter.
This program does a lot more than what is listed here today. We do not want to hold class here, but we do want to give you an idea of what this tool can do and inspire you to download it and explore on your own. If you have questions or feedback, we look forward to hearing from you. Please feel free to leave feedback below.
Accessdata has done a great job with this tool and gives it away freely. Please take the time to send them a thank-you email; it is the least we can do. If you need a great computer forensic tool, then consider their Forensic Toolkit (FTK) program.
I have taken a few screenshots for your viewing pleasure. Make note of the metadata to the left and what can be seen by this program.
Author - Emory Mullis has been in Law Enforcement for roughly 19 years, including military and civilian law enforcement. He started learning about computers back when the Gateway 266 MHz was the top of the line and cost about $2000.00. Right out of the box, I was compelled to take my newfound 266 apart. Why, I have no idea other than pure curiosity. Once I had the computer out of the box and on the floor in pieces, my wife walked in. Trust me, people; this was not a good thing! Either way, I got a good understanding at this point of how a computer is put together and/or the components inside. This was my starting point with computers and I still hear my wife in the background: “It better work when you put it back together!” That was my humble beginning as a Cyber Investigator. Now, with many Cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats to be able to forensically acquire evidence, and it is a real challenge. I enjoy the challenge and look forward to learning more every day!