How do I search in ftk imager


tdo061803

New Member
Aug 2, 2008
27
0
#1
I already created an image of a hard drive. I want to search for a deleted folder full of pictures. Since the computer is formated and had a fresh install of Windows xp, I should look for the folder in unallocated space, correct? How do I search for and recover these pictures in FTK Imager( I am a newbie)? I have the folder name but I have never seen the pictures inside that folder. Thanks in advace.
 
Dec 31, 2006
3,405
0
#2
There is not a "search" function in Imager.

You can manually search the unallocated space. If detected, Imager will show deleted files with a red "X".

If you find the files, you can recover/export them from the image. The directions are on page 18-19 of the User Guide.
 

Complete

Administrator
Aug 19, 2006
861
0
#3
Just for reference, there are a couple of other things you can try. Download WinHex and then open the image under "Disk Tools". You can also do data carving/file recovery under the same menu.

I've also had excellent luck with PhotoRec. It normally runs against a mounted drive and not an image, but you could download the trial version of Mount Image Pro to mount your image and then let PhotoRec do its thing.
 

bshavers

New Member
TRUSTED Contributor
Dec 2, 2008
29
Ratings
20
3
Seattle, WA
www.dfir.training
Facebook
https://www.facebook.com/dfirtools/
Twitter
https://twitter.com/DFIRTraining
#5
You can search by file type with FTK Imager, including unallocated space.
 

bshavers

New Member
TRUSTED Contributor
Dec 2, 2008
29
Ratings
20
3
Seattle, WA
www.dfir.training
Facebook
https://www.facebook.com/dfirtools/
Twitter
https://twitter.com/DFIRTraining
#7
That's what I meant. The filter will be the best 'search' function you can get out of FTK Imager. It does work well when you need to export a certain file type(s) directly from an image or media.
 
May 3, 2010
6
0
#8
Hi,
The objective is to remotely image a live machine for internal inquiries. Encase venture is not an option for me. The end objective is to have an image format that can be used in FTK and/or Encase and/or I Look. I'd prefer to not "install" anything and to instead execute a package on the target and send the result to a server share.
Thanks
 

Ancient

New Member
Apr 3, 2007
513
0
#9
alexcarlson said:
Hi,
The objective is to remotely image a live machine for internal inquiries. Encase venture is not an option for me. The end objective is to have an image format that can be used in FTK and/or Encase and/or I Look. I'd prefer to not "install" anything and to instead execute a package on the target and send the result to a server share.
Thanks
This is not meant to offend you but I would pay attention to the dates of the posts you reply to. This one was two years ago, a good rule of thumb on forums is to not bring up "dead" threads unless needed.
 
A

Admin5

Guest
#11
As the same nonsensical pattern was evident throughout his 14 posts, his account has been suspended and most posts removed. Somewhat bizarre.
 

About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.

Quick Navigation

User Menu