FTK Imager Issue

I had been using FTK Imager for many years and really liked it. Compared with EnCase Imager, it gives you a much better estimate of time to completion, creates an acquisition log with hashes, etc. Recently I had a case involving a number of computers and a rather significant number of USB storage devices, both flash drives and hard drives. All the devices were imaged using FTK Imager. One of the goals was to establish which USB devices were used with which computers. I was comparing serial numbers extracted by Imager against data from the Registry (System) and setupapi.dev.log for Windows machines and against kernel.log for Macs. There were far fewer hits than anticipated, and it forced me to take a second look at the USB devices, this time using EnCase. To my surprise, in many instances FTK and EnCase produced different serial numbers. Sometimes a correlation could be established (ASCII versus Hx, or reverse sequence), sometimes not. During the last week I ran tests on as many different USB dev
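The correlation step the post describes (serials from an imager's acquisition log matched against the USBSTOR instance paths in setupapi.dev.log) is easy to get wrong when the two tools render the same serial differently. The following is an added example, not code from the original post or from either vendor: it generates the alternative renderings the poster observed (ASCII versus its hex encoding, and reversed sequence), then looks each one up in the serials parsed out of setupapi.dev.log. The log lines, the imager serials and the set of normalisation rules are constructed assumptions for the demonstration; the regex assumes the standard `USBSTOR\<model>\<serial>&<n>` instance-path layout that setupapi.dev.log device-install headers use.

```python
import re

# Matches the USBSTOR instance path in a setupapi.dev.log device-install header and
# captures the final path component, which is the serial the mass-storage device
# reported. Windows appends "&<n>" (LUN/instance) after it, which we skip.
USBSTOR_RE = re.compile(r"USBSTOR\\[^\\\]]+\\([^&\]\s]+)(?:&\d+)?")

# Constructed sample of setupapi.dev.log content (not a real case log).
SETUPAPI_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\\4C530001234567890123&0]
>>>  Section start 2019/03/04 10:12:33.512
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\ABC12&0]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\CDEF6789&0]
"""

# Constructed serials as an imaging tool might have reported them (hypothetical values):
# one exact, one hex-encoded ASCII, one reversed, one with no counterpart in the log.
IMAGER_SERIALS = ["4C530001234567890123", "4142433132", "9876FEDC", "ZZZZ0000"]


def extract_log_serials(log_text):
    """Collect every USBSTOR serial referenced in setupapi.dev.log text (upper-cased)."""
    return {m.group(1).upper() for m in USBSTOR_RE.finditer(log_text)}


def candidate_forms(serial):
    """Map each plausible rendering of a serial to a label describing how it was derived.

    Rules (an assumption based on the discrepancies described in the post):
    exact string, hex of the ASCII bytes, ASCII decoded from hex (only if the
    result is printable), and the character-reversed version of each of those.
    """
    s = serial.strip().upper()
    forms = {s: "exact"}
    forms.setdefault(s.encode("ascii", errors="replace").hex().upper(), "hex of ASCII")
    if len(s) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", s):
        try:
            decoded = bytes.fromhex(s).decode("ascii")
        except UnicodeDecodeError:
            decoded = None
        if decoded and decoded.isprintable():
            forms.setdefault(decoded.upper(), "ASCII of hex")
    # Reversed sequence of every form collected so far; setdefault keeps the
    # original label when a form is its own reverse.
    for form, label in list(forms.items()):
        forms.setdefault(form[::-1], "reversed " + label)
    return forms


def correlate(imager_serials, log_text):
    """Return {imager_serial: (matched_log_serial, relation)} or None when nothing matches."""
    log_serials = extract_log_serials(log_text)
    result = {}
    for serial in imager_serials:
        result[serial] = None
        for form, label in candidate_forms(serial).items():
            if form in log_serials:
                result[serial] = (form, label)
                break
    return result


if __name__ == "__main__":
    for serial, hit in correlate(IMAGER_SERIALS, SETUPAPI_LOG).items():
        print(f"{serial:24} -> {hit}")
```

A practitioner would extend `candidate_forms` with whatever additional renderings a second tool turns out to produce, and the `relation` label in the output is what you want to record in the report, since a hit found only through a transformed form needs a justification in writing.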