Disk Imaging Lab via FTK Imager

1. Exploring FTK Basic Features

1.1. Memory Capture

1.2. Adding Existing Drive to Evidence Tree

1.2.1. VMDisk

1.2.2. Primary Disk

1.3. Adding custom content for custom image

1.3.1. $Extend $Extend is a legacy NTFS system directory containing optional extensions such as $Quota, $ObjId, $Reparse and $UsnJrnl. Windows itself no longer uses it, but it is not safe to delete the folder, because some software on the PC still uses it.


1.3.3. $LogFile $LogFile is an NTFS metadata file that records all changes to the file system. It is written not only by the system but also by user programs, e.g. Chrome.exe or iTunes.exe.

1.3.4. User directory

1.3.5. $MFT The MFT (Master File Table, $MFT) can be considered one of the most important files in the NTFS file system. It keeps a record of every file in a volume: the file's place in the directory tree, its physical location on the drive, and its metadata.

1.3.6. pagefile.sys, swapfile.sys & hiberfil.sys Swapfile.sys in Windows 11/10 is a special type of pagefile used internally by the system to make certain types of paging operations more efficient; it is used to suspend and resume UWP Windows apps. Pagefile.sys is a system file that Windows sets aside as backing store for the computer's Random Access Memory (RAM), also known as physical memory: when RAM begins to run out, the system offloads data it does not currently need, such as files and apps, to the pagefile. Hiberfil.sys is a system file in Windows that contains the memory contents of the machine state and is used by the "Sleep" and "Hibernate" power-saving options.

1.3.7. ProgramData/Microsoft/Search/Data/Applications/Windows.EDB By default, Windows 11/10/8 indexes your documents for faster searches, and all data relating to those indexes is stored in this Windows.edb file.

1.3.8. Windows/AppCompat/Programs/Amcache.hve Amcache.hve is a registry hive file created by Microsoft Windows to store information related to the execution of programs.

1.3.9. Windows/INF/setupapi.dev.log In Windows Vista and later, SetupAPI logs information about device installation to this plain-text log file, which you can use to verify that a device was installed and to troubleshoot device installation problems.

1.3.10. C:\Windows\System32\Config The registry hives DEFAULT, SAM, SECURITY, SOFTWARE and SYSTEM, plus the RegBack directory, which holds backup copies of the registry.

1.3.11. C:\Windows\System32\LogFiles

1.3.12. Wildcard rule for user hives: New - * (modify the default pattern to) NTUSER.DAT - Ignore case - Match all occurrences
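Added example, not part of the original lab and not FTK Imager's own code: a small Python script that expresses the custom-content list above as case-insensitive wildcard rules (emulating "Ignore case" and "Match all occurrences"), walks a volume root, hashes every match for the evidence log and reports rules that matched nothing. The volume root and the demo file tree are constructed assumptions.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Custom-content rules taken from the lab list, as globs relative to the volume root.
# fnmatch's "*" also crosses "/" so "*/NTUSER.DAT" finds every user's hive at any depth.
ARTIFACT_RULES = [
    "$MFT",
    "$LogFile",
    "$Extend/$UsnJrnl",
    "pagefile.sys",
    "swapfile.sys",
    "hiberfil.sys",
    "Windows/AppCompat/Programs/Amcache.hve",
    "Windows/INF/setupapi.dev.log",
    "Windows/System32/config/SAM",
    "Windows/System32/config/SYSTEM",
    "Windows/System32/config/RegBack/*",
    "*/NTUSER.DAT",
]


def _matches(rel_path, rule):
    # "Ignore case": compare case-folded path against case-folded rule.
    return fnmatch.fnmatchcase(rel_path.lower(), rule.lower())


def collect(volume_root, rules=ARTIFACT_RULES):
    """Walk the volume once; return {relative_path: sha256} for every file hit by a rule."""
    root = Path(volume_root)
    found = {}
    for path in root.rglob("*"):          # "Match all occurrences": no early stop
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if any(_matches(rel, r) for r in rules):
                found[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return found


def missing_rules(found, rules=ARTIFACT_RULES):
    """Rules that hit nothing, so the examiner sees which expected artifacts were absent."""
    return [r for r in rules if not any(_matches(p, r) for p in found)]


def build_demo_volume():
    """Constructed stand-in for a mounted volume (assumption; not real evidence)."""
    root = Path(tempfile.mkdtemp(prefix="vol_"))
    demo = {"$MFT": b"FILE0", "$LogFile": b"RSTR", "Users/alice/ntuser.dat": b"regf",
            "Users/bob/NTUSER.DAT": b"regf", "Windows/System32/config/SAM": b"regf",
            "Windows/System32/config/RegBack/SYSTEM": b"regf", "Users/alice/notes.txt": b"x"}
    for rel, content in demo.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(content)
    return root
```

Run `collect(build_demo_volume())` to see the six matching artifacts with their hashes; `missing_rules(...)` then lists the pagefile, hiberfil and other rules the demo tree does not contain.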

2. Download FTK Imager