Computer Forensics World :: View topic - Would FTK find hash values in the unallocated space?
Would FTK find hash values in the unallocated space?

 
Fdog
Newbie
Joined: Feb 25, 2017
Posts: 5

Posted: Thu Mar 02, 2017 8:14 am    Post subject: Would FTK find hash values in the unallocated space?

What about in partition 3? When FTK makes a forensic copy, a mirror image, and hashes the whole drive, does it hash all the partitions?
Why would IEF find stuff FTK and EnCase didn't?
cybercop
Newbie
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Thu Mar 02, 2017 9:15 pm

If it is an image of the drive, it is the whole drive. If you image partitions, unless you use physical start and stop points on the drive, you are imaging the data on the partition and will lose everything except the things that the partition table sees.

Easiest way to put it, imaging a drive will give you a bit level copy. Imaging a partition will give you a data level partition which is the equivalent of a backup.
Fdog
Newbie
Joined: Feb 25, 2017
Posts: 5

Posted: Fri Mar 03, 2017 4:10 am

Awesome reply. So FTK makes the image, runs a hash check, and finds file names of interest; why would IEF find more? Nothing gets by FTK. If I am reading your reply right, everything gets hashed. All partitions. If anything is residing on that drive, FTK will find it, right?
PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Sun Mar 05, 2017 9:47 am

FTK or FTK Imager? There is a big difference in capabilities.

- FTK or FTK Imager can be used to create a bit-for-bit image of the original media (if that is the option you selected).
- FTK creates a hash of the forensic image and compares it to the hash of the original media. The imaging information, including hash values, is stored in the log file named image_name.txt
Fdog wrote:
and finds file names of interest

- Finds is a very broad term. In your processing options in FTK did you select a carving option where FTK would "find" files? Or do you mean it read the MFT to "find" files? And what processing option did you select for FTK to "find file names of interest?" Did you give it a list of file names of interest?
Fdog wrote:
why would IEF find more?
It depends on what processing options you select, the type of media you are having the tools analyze, and the type of file system; there are a lot of variables.
Fdog wrote:
Nothing gets by FTK.

You should probably read more and do some testing before saying that.
Fdog wrote:
If anything is residing on that drive, FTK will find it, right?

FTK will "find" the ones and zeros that make up the files or fragments of the files. That is significantly different than "finding" and displaying all the files.
All times are GMT + 10 Hours
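As an added illustration of the distinction drawn in this thread (not code from any poster, and not how FTK, EnCase or IEF work internally): a constructed 64-sector MBR disk in Python, showing that a hash over the whole image covers sectors outside any partition while per-partition hashes do not, and that a signature scan reports data a partition-table walk never reaches. The disk layout, sector numbers and function names are all assumptions made for the example.

```python
import hashlib
import struct

SECTOR = 512
JPEG_SIG = b"\xff\xd8\xff\xe0"  # JPEG/JFIF header bytes

def build_disk():
    """Constructed 64-sector disk: MBR, partition 1 (sectors 8-23), an
    unpartitioned gap (24-39) and partition 2 (sectors 40-55)."""
    disk = bytearray(64 * SECTOR)
    for slot, (start, count) in enumerate([(8, 16), (40, 16)]):
        entry = struct.pack("<B3sB3sII", 0, b"\0" * 3, 0x07, b"\0" * 3, start, count)
        disk[446 + 16 * slot: 462 + 16 * slot] = entry
    disk[510:512] = b"\x55\xaa"                      # MBR boot signature
    disk[8 * SECTOR: 8 * SECTOR + 5] = b"part1"
    disk[40 * SECTOR: 40 * SECTOR + 5] = b"part2"
    disk[30 * SECTOR: 30 * SECTOR + 4] = JPEG_SIG    # leftover data in the gap
    return disk

def partitions(disk):
    """Return (start_sector, sector_count) for each used MBR entry."""
    found = []
    for slot in range(4):
        entry = disk[446 + 16 * slot: 462 + 16 * slot]
        ptype, start, count = entry[4], *struct.unpack("<II", entry[8:16])
        if ptype != 0:
            found.append((start, count))
    return found

def whole_hash(disk):
    return hashlib.sha256(disk).hexdigest()

def partition_hashes(disk):
    return [hashlib.sha256(disk[s * SECTOR:(s + n) * SECTOR]).hexdigest()
            for s, n in partitions(disk)]

def carve(disk, sig=JPEG_SIG):
    """Sector numbers whose first bytes match sig, regardless of partitions."""
    return [i // SECTOR for i in range(0, len(disk), SECTOR)
            if disk[i:i + len(sig)] == sig]

def in_partition(disk, sector):
    return any(s <= sector < s + n for s, n in partitions(disk))

if __name__ == "__main__":
    disk = build_disk()
    print("whole-image SHA-256:", whole_hash(disk))
    print("signature hits:", [(s, in_partition(disk, s)) for s in carve(disk)])
```

Changing one byte in sector 30 changes the whole-image hash but leaves both partition hashes identical, which is why a verified image hash says the copy is complete and unaltered, not that every file in it has been located.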