Forensic Technology Approaches

While there are many different methods for disk imaging, one of them is performing this process on a running Windows operating system. During imaging on an active Windows system, there is a risk of unintentionally writing data to the disk. This can compromise the integrity of the data under investigation. Therefore, it is recommended that this method be avoided unless absolutely necessary. Imaging with FTK Imager: To perform imaging with the FTK Imager application, the application must be stored on a USB flash drive. After the computer to be imaged is powered on, the FTK Imager application on the USB drive is launched by double-clicking. The application interface that will then appear on the screen is as follows: To image one of the disks on the computer where the application is running, click on the "File" tab in the top left corner, followed by "Add Evidence Item." After clicking on the relevant section, the following screen will appear, where you decide whether t...

One of the most suitable methods for disk imaging is using Linux distributions. For this process, the operating system must have FTK Imager software installed, which allows image capture with the E.01 extension. Among the Linux distributions, only the Deft Zero operating system comes with this application pre-installed. For other Linux distributions, the FTK Imager software needs to be installed within these systems to perform imaging. The Ubuntu operating system allows direct imaging on devices with the new generation (UEFI) boot system without switching to the Legacy Boot Option in the UEFI interface, unlike other Linux versions. Therefore, it is recommended to use Ubuntu on customer devices where the Legacy option does not appear in the Boot Option or where Boot settings cannot be changed. First, a folder is created within the Ubuntu USB with write and delete permissions: sudo mkdir /opt/ftk-imager sudo chmod 777 /opt/ftk-imager The FTK Imager.tar file, located on another USB, is...