Join Us!

FTK Imager 3.0 rele...
 
Notifications
Clear all

FTK Imager 3.0 released  

  RSS
Patrick4n6
(@patrick4n6)
Senior Member

FTK Imager 3.0 was released (remember, it's FREE). It now comes with a very simple tool to mount images as if they were disks. I just tried out a quick test against my 3 test images, and it worked quickly and easily.

Also, FTK 3.2 is out. Looks like some memory forensics enhancements, expanded FS support including exFAT and ext4fs amongst others, and they claim to have improved email container processing by 200%. Would love to hear from anyone who can attest to that. Bunch of other small enhancements.

http//www.accessdata.com/downloads.html

Quote
Posted : 08/10/2010 8:22 am
darren_q
(@darren_q)
Junior Member

I also tested mounting some images. Works a treat, and really easy to use. Thanks AD

Will DL 3.2 and test the other changes, work permitting!

ReplyQuote
Posted : 08/10/2010 9:12 am
kalin
(@kalin)
New Member

I have been trying to download the 3.2.0 iso files and I keep getting different MD5 for the first iso (4176019456 bytes)
9347dcb00c75046a7901d4d513fce6ec FTK 3.2.0 App Install.iso
Have you verified yours?
According to http//www.accessdata.com/ftk/ it should be
5f0d746ad17798ec4c4c152b1a6468c9 FTK 3.2.0 App Install.iso

(NB Oracle DB 6.0 Install.iso downloaded OK)

ReplyQuote
Posted : 14/10/2010 1:09 pm
benfindlay
(@benfindlay)
Active Member

Just checked my copy, and I get 17a60118ab51199c919083a29ee2ccbf
How bizarre…

ReplyQuote
Posted : 14/10/2010 1:27 pm
kalin
(@kalin)
New Member

Well, just to make things clearer, we are talking about the iso file, not the burned DVD (since it it usually padded by the burner software).

Is it the same size as mine (4176019456 bytes)?
I downloaded it twice from ftp1 and ftp2 and got the same result.

ReplyQuote
Posted : 14/10/2010 1:54 pm
benfindlay
(@benfindlay)
Active Member

Yes, mine is the ISO file too, and it's exactly the same size. Probably time to email AD and just check what's going on.

ReplyQuote
Posted : 14/10/2010 1:59 pm
Jonathan
(@jonathan)
Senior Member

I do wish AccessData would change the distribution method of their massive ISO files. Downloading 5GB+ using their current method is slow, clunky and prone to errors. I did mention to them that distribution by torrent would cost them nothing and be a lot less painful for their customers. Didn't hear anything back though.

ReplyQuote
Posted : 14/10/2010 2:24 pm
benfindlay
(@benfindlay)
Active Member

i've posted over on the AccessData forums, here regarding this issue. Time to play the waiting game. Out of interest, what program did you do the downloading with kalin?

ReplyQuote
Posted : 14/10/2010 3:09 pm
kalin
(@kalin)
New Member

Ben,

I used wget on Linux, as millions of other times. I tired to get to AD, but am still waiting for their forum registration approval.

Kalin.

ReplyQuote
Posted : 14/10/2010 9:17 pm
kalin
(@kalin)
New Member

At present, the MD5 posted on the site matches what I have donwloaded… http//www.accessdata.com/ftk/

There is no official explanation however to what was wrong, but I suppose my guess was right?

If I take a wild guess, the "FTK 3.2.0 App Install.iso" has been remastered at a later date (Oct 12th), after the release page was uploaded (after Oct 6th?) ???

Anyway, now I am burning the images…

ReplyQuote
Posted : 18/10/2010 2:55 pm
taurean25
(@taurean25)
Member

Hi guys,

I am using a writer blocker from the high tech crime institute with ftk imager 3.0.0.1443. I made a DD image;however, the report does not indicate that a write blocker was used. The write is definitely working because I tried copying a file via windows explorer in XP, and I get a write protect error.

Has anyone experienced this problem? Is there any programs out there that report a write blocker is used in the report after an image is made?

ReplyQuote
Posted : 08/02/2011 1:09 am
allend
(@allend)
New Member

It all depends on what tool you used for acquisition, forensic image format saved, and the type of write blocker that you used. It is not uncommon for it to not report that a write blocker was used.

I don't believe it is possible to get a report after the fact but you still have your documentation, assuming you are documenting everything. Just make sure you described the acquisition setup, the write blocker make and model, and more importantly, the acquisition and verification hashes.

I sure hope that you didn't test if the write blocker was working by attempting to add a file to your suspect media 😉

ReplyQuote
Posted : 08/02/2011 1:47 am
taurean25
(@taurean25)
Member

It all depends on what tool you used for acquisition, forensic image format saved, and the type of write blocker that you used. It is not uncommon for it to not report that a write blocker was used.

I don't believe it is possible to get a report after the fact but you still have your documentation, assuming you are documenting everything. Just make sure you described the acquisition setup, the write blocker make and model, and more importantly, the acquisition and verification hashes.

I sure hope that you didn't test if the write blocker was working by attempting to add a file to your suspect media 😉

hey allend,

lol no my friend, this is a test lab I am conducting. All electronic evidence is for testing purposes not real evidence.

ReplyQuote
Posted : 08/02/2011 1:56 am
BitHead
(@bithead)
Community Legend

If you use a Tableau write blocker, they have a couple of cool utilities on their site that should give you the reports you desire.

ReplyQuote
Posted : 08/02/2011 9:22 am
Share: