Would FTK find hash values in the unallocated space?


Fdog (New Member), Feb 24, 2017, #1
What about in partition 3? When FTK makes a forensic copy, a mirror image, and hashes the whole drive, does it hash all the partitions?
Why would IEF find stuff FTK and Encase didn't?

cybercop (Administrator), Oct 31, 2005, #2
If it is an image of the drive, it is the whole drive. If you image partitions, unless you use physical start and stop points on the drive, you are imaging the data on the partition and will lose everything except the things that the partition table sees.

Easiest way to put it: imaging a drive will give you a bit-level copy. Imaging a partition will give you a data-level partition, which is the equivalent of a backup.
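The difference cybercop describes, shown on a constructed MBR disk as an added example (not the poster's code or any tool's): the physical image covers every sector, while per-partition images cover only the sectors the partition table points at, so a marker planted in the unpartitioned gap between two partitions is present only in the physical image. The two-partition layout, the sector counts and the marker string are assumptions made for the demonstration.

```python
import hashlib
import struct

SECTOR = 512

def build_disk_image(total_sectors=2048):
    """Constructed test drive, not a real image: MBR with two partitions,
    LBA 64-1023 and LBA 1100-2047, and an unpartitioned gap LBA 1024-1099."""
    disk = bytearray(total_sectors * SECTOR)
    for i, (ptype, start, count) in enumerate([(0x83, 64, 960), (0x83, 1100, 948)]):
        off = 446 + 16 * i  # status, CHS start, type, CHS end, LBA start, sector count
        disk[off:off + 16] = struct.pack("<B3sB3sII", 0, b"\xfe\xff\xff", ptype,
                                         b"\xfe\xff\xff", start, count)
    disk[510:512] = b"\x55\xaa"
    disk[64 * SECTOR:64 * SECTOR + 16] = b"file-in-part-1.."
    # Leftover data from an earlier/deleted partition, lying between the two partitions
    disk[1050 * SECTOR:1050 * SECTOR + 22] = b"DELETED-IN-UNALLOCATED"
    disk[1100 * SECTOR:1100 * SECTOR + 16] = b"file-in-part-2.."
    return bytes(disk)

def parse_mbr(disk):
    """Return (lba_start, sector_count) for each populated MBR partition entry."""
    if disk[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = disk[off + 4]
        start, count = struct.unpack_from("<II", disk, off + 8)
        if ptype and count:
            parts.append((start, count))
    return parts

def image_partition(disk, index):
    """Logical (partition-level) image: only the sectors the partition table points at."""
    start, count = parse_mbr(disk)[index]
    return disk[start * SECTOR:(start + count) * SECTOR]

def coverage_report(disk, marker=b"DELETED-IN-UNALLOCATED"):
    """Compare what the physical image and the partition images actually cover."""
    parts = [image_partition(disk, i) for i in range(len(parse_mbr(disk)))]
    return {
        "physical_hash": hashlib.sha256(disk).hexdigest(),
        "partition_hashes": [hashlib.sha256(p).hexdigest() for p in parts],
        "bytes_outside_partitions": len(disk) - sum(len(p) for p in parts),
        "marker_in_physical": marker in disk,
        "marker_in_any_partition": any(marker in p for p in parts),
    }
```

Running `coverage_report(build_disk_image())` shows the marker in the physical image but in neither partition image, with 71,680 bytes of the drive lying outside any partition.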

Fdog (New Member), Feb 24, 2017, #3
Awesome reply. So FTK makes the image, runs a hash check, and finds file names of interest; why would IEF find more? Nothing gets by FTK. If I am reading your reply right, everything gets hashed. All partitions. If anything is residing on that drive, FTK will find it, right?
Dec 31, 2006, #4
FTK or FTK Imager? There is a big difference in capabilities.

- FTK or FTK Imager can be used to create a bit-for-bit image of the original media (if that is the option you selected).
- FTK creates a hash of the forensic image and compares it to the hash of the original media. The imaging information, including hash values, is stored in the log file named image_name.txt.
Fdog said:
and finds file names of interest
- "Finds" is a very broad term. In your processing options in FTK, did you select a carving option where FTK would "find" files? Or do you mean it read the MFT to "find" files? And what processing option did you select for FTK to "find file names of interest"? Did you give it a list of file names of interest?
Fdog said:
why would IEF find more?
It depends on what processing options you select, the type of media you are having the tools analyze, the type of file system; there are a lot of variables.
Fdog said:
Nothing gets by FTK.
You should probably read more and do some testing before saying that.
Fdog said:
If anything is residing on that drive, FTK will find it, right?
FTK will "find" the ones and zeros that make up the files or fragments of the files. That is significantly different than "finding" and displaying all the files.