Transcription
JUN. 08U.S. Department of JusticeOffice of Justice ProgramsNational Institute of JusticeSpecialREPORTTest Results for Digital Data Acquisition Tool:FTK Imager 2.5.3.14www.ojp.usdoj.gov/nijOffice of Justice ProgramsInnovation Partnerships Safer Neighborhoodswww.ojp.usdoj.gov
U.S. Department of JusticeOffice of Justice Programs810 Seventh Street N.W.Washington, DC 20531Michael B. MukaseyAttorney GeneralJeffrey L. SedgwickActing Assistant Attorney GeneralDavid W. HagyDirector, National Institute of JusticeThis and other publications and products of the National Instituteof Justice can be found at:National Institute of Justicewww.ojp.usdoj.gov/nijOffice of Justice ProgramsInnovation Partnerships Safer Neighborhoodswww.ojp.usdoj.gov
JUN. 08Test Results for Digital Data Acquisition Tool:FTK Imager 2.5.3.14NCJ 222982
David W. HagyDirector, National Institute of JusticeThis report was prepared for the National Institute of Justice, U.S. Department of Justice, by theOffice of Law Enforcement Standards of the National Institute of Standards and Technologyunder Interagency Agreement 2003–IJ–R–029.The National Institute of Justice is a component of the Office of Justice Programs, which alsoincludes the Bureau of Justice Assistance, the Bureau of Justice Statistics, the Office ofJuvenile Justice and Delinquency Prevention, and the Office for Victims of Crime.
March 3, 2008Test Results for Digital Data Acquisition Tool:FTK Imager 2.5.3.14
June 2008iiResults of FTK Imager 2.5.3.14 3/3/2008
Contents123Results Summary . 2Test Case Selection . 2Results by Test Assertion. 33.1Eight Sectors Omitted from Logical Acquisition of NTFS Partition . 53.2Acquisition of HPA and DCO . 63.3Location of Corrupted Data in Image File. 64Testing Environment. 64.1Test Computers . 64.2Support Software . 65Test Results. 65.1Test Results Report Key . 75.2Test Details . 75.2.1DA-06-ATA28. 75.2.2DA-06-FLOPPY . 95.2.3DA-06-FW . 105.2.4DA-06-USB . 125.2.5DA-07-CF . 145.2.6DA-07-F12. 165.2.7DA-07-F16. 185.2.8DA-07-32 . 205.2.9DA-07-32X . 225.2.10 DA-07-NTFS . 245.2.11 DA-07-THUMB. 265.2.12 DA-08-ATA28. 285.2.13 DA-08-ATA48. 305.2.14 DA-08-DCO. 325.2.15 DA-09 . 345.2.16 DA-10-DD . 375.2.17 DA-10-SMART . 395.2.18 DA-12 . 415.2.19 DA-24-DD . 435.2.20 DA-25-DD . 455.2.21 DA-26-E01-TO-SMART. 465.2.22 DA-26-E01-TO-DD. 475.2.23 DA-26-SMART-TO-E01. 485.2.24 DA-26-SMART-TO-DD. 495.2.25 DA-26-DD-TO-E01. 505.2.26 DA-26-DD-TO-SMART. 51June 2008iiiResults of FTK Imager 2.5.3.14 3/3/2008
June 2008ivResults of FTK Imager 2.5.3.14 3/3/2008
IntroductionThe Computer Forensics Tool Testing (CFTT) program is a joint project of the NationalInstitute of Justice (NIJ), the research and development organization of the U.S.Department of Justice, and the National Institute of Standards and Technology’s (NIST’s)Office of Law Enforcement Standards and Information Technology Laboratory. CFTT issupported by other organizations, including the Federal Bureau of Investigation, the U.S.Department of Defense Cyber Crime Center, U.S. Internal Revenue Service CriminalInvestigation Division Electronic Crimes Program, and the U.S. Department ofHomeland Security’s Bureau of Immigration and Customs Enforcement, U.S. Customsand Border Protection, and U.S. Secret Service. The objective of the CFTT program is toprovide measurable assurance to practitioners, researchers, and other applicable users thatthe tools used in computer forensics investigations provide accurate results.Accomplishing this requires the development of specifications and test methods forcomputer forensics tools and subsequent testing of specific tools against thosespecifications.Test results provide the information necessary for developers to improve tools, users tomake informed choices, and the legal community and others to understand the tools’capabilities. This approach to testing computer forensic tools is based on well-recognizedmethodologies for conformance and quality testing. The specifications and test methodsare posted on the CFTT Web site (http://www.cftt.nist.gov/) for review and comment bythe computer forensics community.This document reports the results from testing FTK Imager, version 2.5.3.14, against theDigital Data Acquisition Tool Assertions and Test Plan Version 1.0, available at theCFTT Web site (http://www.cftt.nist.gov/DA-ATP-pc-01.pdf).Test results from other software packages and the CFTT tool methodology can be foundon NIJ’s computer forensics tool testing Web y/electronic-crime/cftt.htm.
Test Results for Digital Data Acquisition ToolTool Tested:Version:Run Environments:FTK Imager2.5.3.14Windows XP, Windows Server 2003 & Windows 2000Supplier:AccessDataAddress:384 South 400 WestSuite 200Lindon, UT 84042 p://www.accessdata.com/1 Results SummaryExcept for two test cases (DA–07 and DA–08), the tested tool acquired all visible andhidden sectors completely and accurately from the test media without any anomalies. Inone test case (DA-25) image file corruption was detected, but the location of the corruptdata was not reported. The following four anomalies were observed in test cases DA–07,DA–08, and DA–25:1. If a logical acquisition is made of an NTFS partition, the last eight sectors of thephysical partition are not acquired (DA–07–NTFS).2. The sectors hidden by a host protected area (HPA) are not acquired (DA–08–ATA28 and DA–08–ATA48).3. The sectors hidden by a device configuration overlay (DCO) are not acquired(DA–08–DCO).4. The location of corrupted data in an image file is not reported (DA–25).2 Test Case SelectionNot all test cases or test assertions defined in Digital Data Acquisition Tool Assertionsand Test Plan Version 1.0 are appropriate for all tools. In addition to the base test cases,each remaining test case is linked to optional tool features needed for the test case. If agiven tool implements a given feature then the test cases linked to that feature are run.Table 1 lists the features available in FTK Imager 2.5.3.14 and the linked test casesselected for execution. Table 2 lists the features not available in FTK Imager 2.5.3.14 andthe test cases not executed.Table 1 Selected Test CasesSupported Optional FeatureJune 2008Cases selected for execution2 of 51 Results of FTK Imager 2.5.3.14 3/3/2008
Supported Optional FeatureBase CasesRead error during acquisitionCreate an image file in more than one formatInsufficient space for image fileDetect a corrupted (or changed) image fileConvert an image file from one format toanotherCases selected for execution06, 07 & 0809101224 & 2526Table 2 Omitted Test CasesUnsupported Optional FeatureCreate a clone during acquisitionCreate cylinder aligned clonesDevice I/O error generator availableDestination Device SwitchingCreate a clone from an image fileCreate a clone from a subset of an image fileFill excess sectors acquired to a clone deviceFill excess sectors on a clone deviceCases omitted (not executed)01, 02 & 0403, 15, 21 & 2305, 11 & 181314 & 171619 & 2022Some test cases have variant forms to accommodate parameters within test assertions.These variations cover the execution environment, acquisition interface to the sourcedrive, and type of digital object acquired. Variations were also created for image fileformat.The tool was executed in one of the following Microsoft run time environments:Windows XP, Windows Server 2003 or Windows 2000.The following source interfaces were tested: ATA28, ATA48, USB, and FireWire.The following digital sources were tested: partitions (FAT12, FAT16, FAT32, FAT32X,and NTFS), compact flash, and thumb drive.The image files were created on either NTFS or FAT32 partitions.3 Results by Test AssertionTable 3 summarizes the test results by assertion. The column labeled Assertions Testedgives the text of each assertion. The column labeled Tests gives the number of test casesthat use the given assertion. The column labeled Anomaly gives the section number inthis report where any anomalies found for the assertion are discussed.June 20083 of 51 Results of FTK Imager 2.5.3.14 3/3/2008
Table 3 Assertions TestedAssertions TestedAM–01 The tool uses access interface SRC-AI to access the digitalsource.AM–02 The tool acquires digital source DS.AM–03 The tool executes in execution environment XE.AM–05 If image file creation is specified, the tool creates an imagefile on file system type FS.AM–06 All visible sectors are acquired from the digital source.AM–07 All hidden sectors are acquired from the digital source.AM–08 All sectors acquired from the digital source are acquiredaccurately.AM–09 If unresolved errors occur while reading from the selecteddigital source, the tool notifies the user of the error type and locationwithin the digital source.AM–10 If unresolved errors occur while reading from the selecteddigital source, the tool uses a benign fill in the destination object inplace of the inaccessible data.AO–01 If the tool creates an image file, the data represented by theimage file is the same as the data acquired by the tool.AO–02 If an image file format is specified, the tool creates an imagefile in the specified format.AO–04 If the tool is creating an image file and there is insufficientspace on the image destination device to contain the image file, thetool shall notify the user.AO–05 If the tool creates a multi-file image of a requested size thenall the individual files shall be no larger than the requested size.AO–06 If the tool performs an image file integrity check on an imagefile that has not been changed since the file was created, the tool shallnotify the user that the image file has not been changed.AO–07 If the tool performs an image file integrity check on an imagefile that has been changed since the file was created, the tool shallnotify the user that the image file has been changed.AO–08 If the tool performs an image file integrity check on an imagefile that has been changed since the file was created, the tool shallnotify the user of the affected locations.AO–09 If the tool converts a source image file from one format to atarget image file in another format, the acquired data represented inthe target image file is the same as the acquired data in the sourceimage file.AO–23 If the tool logs any log significant information, theinformation is accurately recorded in the log file.Tests Anomaly18182618173173.13.2111721171113.3626Two test assertions only apply in special circumstances. The assertion AO–22 is checkedonly for tools that create block hashes. This assertion does not apply to FTK ImagerJune 20084 of 51 Results of FTK Imager 2.5.3.14 3/3/2008
2.5.3.14. The assertion AO–24 is only checked if the tool is executed in a run timeenvironment that does not modify attached storage devices, such as MS DOS. A writeblocker was used during the tests, so assertion AO–24 was not checked. Table 4 lists theassertions that were not tested, usually due to the tool not supporting some optionalfeature, e.g., creation of cylinder aligned clones.Table 4 Assertions Not TestedAssertions Not TestedAM–04 If clone creation is specified, the tool creates a clone of the digital source.AO–03 If there is an error while writing the image file, the tool notifies the user.AO–10 If there is insufficient space to contain all files of a multi-file image and ifdestination device switching is supported, the image is continued on another device.AO–11 If requested, a clone is created during an acquisition of a digital source.AO–12 If requested, a clone is created from an image file.AO–13 A clone is created using access interface DST-AI to write to the clone device.AO–14 If an unaligned clone is created, each sector written to the clone is accuratelywritten to the same disk address on the clone that the sector occupied on the digitalsource.AO–15 If an aligned clone is created, each sector within a contiguous span of sectorsfrom the source is accurately written to the same disk address on the clone device relativeto the start of the span as the sector occupied on the original digital source. A span ofsectors is defined to be either a mountable partition or a contiguous sequence of sectorsnot part of a mountable partition. Extended partitions, which may contain both mountablepartitions and unallocated sectors, are not mountable partitions.AO–16 If a subset of an image or acquisition is specified, all the subset is cloned.AO–17 If requested, any excess sectors on a clone destination device are not modified.AO–18 If requested, a benign fill is written to excess sectors of a clone.AO–19 If there is insufficient space to create a complete clone, a truncated clone iscreated using all available sectors of the clone device.AO–20 If a truncated clone is created, the tool notifies the user.AO–21 If there is a write error during clone creation, the tool notifies the user.AO–22 If requested, the tool calculates block hashes for a specified block size during anacquisition for each block acquired from the digital source.AO–24 If the tool executes in a forensically safe execution environment, the digitalsource is unchanged by the acquisition process.3.1 Eight Sectors Omitted from Logical Acquisition of NTFSPartitionIf a logical acquisition is made of an NTFS partition the last eight sectors of the physicalpartition are not acquired (DA–07–NTFS). The physical partition used in the test casehad 27,744,192 sectors, but the FTK Imager acquired only the first 27,744,184 sectors.June 20085 of 51 Results of FTK Imager 2.5.3.14 3/3/2008
3.2 Acquisition of HPA and DCOIf a physical acquisition is made of a drive with hidden sectors in either a Host ProtectedArea or a Device Configuration Overlay, the tool does not remove either an HPA or aDCO. The tool did not acquire sectors hidden by an HPA (DA–08–ATA28 and DA–08–ATA48) or a DCO (DA–08–DCO).3.3 Location of Corrupted Data in Image FileIn one test case (DA–25) image file corruption was detected, but the location of thecorrupted data was not reported to the user.4 Testing EnvironmentThe tests were run in the NIST CFTT lab. This section describes the test computersavailable for testing.4.1 Test ComputersTwo test computers were used.Frank and Freddy have the following configuration:Intel Desktop Motherboard D865GB/D865PERC (with ATA–6 IDE on boardcontroller)BIOS Version BF86510A.86A.0053.P13Adaptec SCSI BIOS V3.10.0Intel Pentium 4 CPU 3.4Ghz2577972KB RAMSONY DVD RW DRU–530A, ATAPI CD/DVD-ROM drive1.44 MB floppy driveTwo slots for removable IDE hard disk drivesTwo slots for removable SATA hard disk drivesTwo slots for removable SCSI hard disk drives4.2 Support SoftwareA package of programs to support test analysis, FS–TST Release 2.0, was used. Thesoftware can be obtained from: 5 Test ResultsThe main item of interest for interpreting the test results is determining the conformanceof the tool under test with the test assertions. Conformance with each assertion tested by agiven test case is evaluated by examining the Log Highlights box of the test reportsummary.June 20086 of 51 Results of FTK Imager 2.5.3.14 3/3/2008
5.1 Test Results Report KeyA summary of the actual test results is presented in this report. The following tablepresents a description of each section of the test report summary.HeadingFirst Line:Case Summary:Assertions:Tester Name:Test Host:Test Date:Drives:Source Setup:Log Highlights:Results:Analysis:DescriptionTest case ID, name, and version of tool tested.Test case summary from Digital Data Acquisition ToolAssertions and Test Plan Version 1.0.The test assertions applicable to the test case, selected fromDigital Data Acquisition Tool Assertions and Test PlanVersion 1.0.Name or initials of person executing test procedure.Host computer executing the test.Time and date that test was started.Source drive (the drive acquired), destination drive (if aclone is created) and media drive (to contain a createdimage).Layout of partitions on the source drive and the expectedhash of the drive.Information extracted from various log files to illustrateconformance or nonconformance to the test assertions.Expected and actual results for each assertion tested.Whether or not the expected results were achieved.5.2 Test Details5.2.1 DA-06-ATA28Test Case DA-06-ATA28 FTK Imager 2.5.3.14CaseDA-06 Acquire a physical device using access interface AI to an image file.Summary:Assertions:AM-01 The tool uses access interface SRC-AI to access the digital source.AM-02 The tool acquires digital source DS.AM-03 The tool executes in execution environment XE.AM-05 If image file creation is specified, the tool creates an image fileon file system type FS.AM-06 All visible sectors are acquired from the digital source.AM-08 All sectors acquired from the digital source are acquired accurately.AO-01 If the tool creates an image file, the data represented by the imagefile is the same as the data acquired by the tool.AO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested size.AO-22 If requested, the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital source.AO-23 If the tool logs any log significant information, the information isaccurately recorded in the log file.AO-24 If the tool executes in a forensically safe execution environment,the digital source is unchanged by the acquisition process.Tester Name:Test Host:Test Date:Drives:SourceJune 2008mrmwFreddyTue Oct 30 11:03:37 2007src(43) dst (none) other (01-FU)src hash (SHA1): 888E2E7F7AD237DC7A732281DD93F325065E5871 7 of 51 Results of FTK Imager 2.5.3.14 3/3/2008
Test Case DA-06-ATA28 FTK Imager 2.5.3.14Setup:src hash (MD5): BC39C3F7EE7A50E77B9BA1E65A5AEEF7 78125000 total sectors (40000000000 bytes)Model (0BB-75JHC0) serial # (WD-WMAMC46588)NStart LBA LengthStart C/H/S End C/H/Sboot Partition type1 P 000000063 020980827 0000/001/01 1023/254/630C Fat32X2 X 020980890 057143205 1023/000/01 1023/254/630F extended3 S 000000063 000032067 1023/001/01 1023/254/6301 Fat124 x 000032130 002104515 1023/000/01 1023/254/6305 extended5 S 000000063 002104452 1023/001/01 1023/254/6306 Fat166 x 002136645 004192965 1023/000/01 1023/254/6305 extended7 S 000000063 004192902 1023/001/01 1023/254/6316 other8 x 006329610 008401995 1023/000/01 1023/254/6305 extended9 S 000000063 008401932 1023/001/01 1023/254/630B Fat3210 x 014731605 010490445 1023/000/01 1023/254/6305 extended11 S 000000063 010490382 1023/001/01 1023/254/6383 Linux12 x 025222050 004209030 1023/000/01 1023/254/6305 extended13 S 000000063 004208967 1023/001/01 1023/254/6382 Linux swap14 x 029431080 027712125 1023/000/01 1023/254/6305 extended15 S 000000063 027712062 1023/001/01 1023/254/6307 NTFS16 S 000000000 000000000 0000/000/00 0000/000/0000 empty entry17 P 000000000 000000000 0000/000/00 0000/000/0000 empty entry18 P 000000000 000000000 0000/000/00 0000/000/0000 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027712062 sectors 14188575744 bytesLogHighlights:Created By AccessData FTK Imager 2.5.3.14 071018Sector Count: 78,125,000Source data size: 38146 MBMD5 checksum:bc39c3f7ee7a50e77b9ba1e65a5aeef7SHA1 cquisition started:Tue Oct 30 12:34:11 2007Acquisition finished: Tue Oct 30 14:00:39 2007Verification started: Tue Oct 30 14:00:39 2007Verification finished: Tue Oct 30 14:06:46 2007MD5 checksum:bc39c3f7ee7a50e77b9ba1e65a5aeef7 : verifiedSHA1 checksum:888e2e7f7ad237dc7a732281dd93f325065e5871 : verifiedSettings: size CD (640 MB)Write Block: 19 NoWriteResults:Assertion & Expected ResultAM-01 Source acquired using interface AI.AM-02 Source is type DS.AM-03 Execution environment is XE.AM-05 An image is created on file system type FS.AM-06 All visible sectors acquired.AM-08 All sectors accurately acquired.AO-01 Image file is complete and accurate.AO-05 Multifile image created.AO-22 Tool calculates hashes by block.AO-23 Logged information is correct.AO-24 Source is unchanged by acquisition.Analysis:June 2008Actual Resultas expectedas expectedas expectedas expectedas expectedas expectedas expectedas expectedoption not availableas expectednot checkedExpected results achieved8 of 51 Results of FTK Imager 2.5.3.14 3/3/2008
5.2.2 DA-06-FLOPPYTest Case DA-06-FLOPPY FTK Imager 2.5.3.14CaseDA-06 Acquire a physical device using access interface AI to an image file.Summary:Assertions:AM-01 The tool uses access interface SRC-AI to access the digital source.AM-02 The tool acquires digital source DS.AM-03 The tool executes in execution environment XE.AM-05 If image file creation is specified, the tool creates an image fileon file system type FS.AM-06 All visible sectors are acquired from the digital source.AM-08 All sectors acquired from the digital source are acquired accurately.AO-01 If the tool creates an image file, the data represented by the imagefile is the same as the data acquired by the tool.AO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested size.AO-22 If requested, the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital source.AO-23 If the tool logs any log significant information, the information isaccurately recorded in the log file.AO-24 If the tool executes in a forensically safe execution environment,the digital source is unchanged by the acquisition process.Tester Name:Test Host:Test e Oct 30 14:06:09 2007src(floppy) dst (none) other (01-FU)src hash (SHA1): e2863334ac7eaabc7c8a0d62eb0d3b3af29f2c40 src hash (MD5): 17f6a5925be2f38eedaf435ff8b6a6f4 Floppy diskCreated By AccessData FTK Imager 2.5.3.14 071018Sector Count: 2,880Source data size: 1 MBMD5 checksum:17f6a5925be2f38eedaf435ff8b6a6f4SHA1 cquisition started:Tue Oct 30 14:11:19 2007Acquisition finished: Tue Oct 30 14:12:45 2007Verification started: Tue Oct 30 14:12:45 2007Verification finished: Tue Oct 30 14:12:45 2007MD5 checksum:17f6a5925be2f38eedaf435ff8b6a6f4 : verifiedSHA1 checksum:e2863334ac7eaabc7c8a0d62eb0d3b3af29f2c40 : verifiedSettings: CD (640 MB)Results:Assertion & Expected ResultAM-01 Source acquired using interface AI.AM-02 Source is type DS.AM-03 Execution environment is XE.AM-05 An image is created on file system type FS.AM-06 All visible sectors acquired.AM-08 All sectors accurately acquired.AO-01 Image file is complete and accurate.AO-05 Multifile image created.AO-22 Tool calculates hashes by block.AO-23 Logged information is correct.AO-24 Source is unchanged by acquisition.Analysis:June 2008Actual Resultas expectedas expectedas expectedas expectedas expectedas expectedas expectedas expectedoption not availableas expectednot checkedExpected results achieved9 of 51 Results of FTK Imager 2.5.3.14 3/3/2008
5.2.3 DA-06-FWTest Case DA-06-FW FTK Imager 2.5.3.14CaseDA-06 Acquire a physical device using access interface AI to an image file.Summary:Assertions:AM-01 The tool uses access interface SRC-AI to access the digital source.AM-02 The tool acquires digital source DS.AM-03 The tool executes in execution environment XE.AM-05 If image file creation is specified, the tool creates an image fileon file system type FS.AM-06 All visible sectors are acquired from the digital source.AM-08 All sectors acquired from the digital source are acquired accurately.AO-01 If the tool creates an image file, the data represented by the imagefile is the same as the data acquired by the tool.AO-05 If the tool creates a multi-file image of a requested size then allthe individual files shall be no larger than the requested size.AO-22 If requested, the tool calculates block hashes for a specified blocksize during an acquisition for each block acquired from the digital source.AO-23 If the tool logs any log significant information, the information isaccurately recorded in the log file.AO-24 If the tool executes in a forensically safe execution environment,the digital source is unchanged by the acquisition process.Tester Name:Test Host:Test Date:Drives:SourceSetup:mrmwFreddyWed Oct 31 10:35:32 2007src(01-IDE) dst (none) other (01-FU)src hash (SHA1): A48BB5665D6DC57C22DB68E2F723DA9AA8DF82B9 src hash (MD5): F458F673894753FA6A0EC8B8EC63848E 78165360 total sectors (40020664320 bytes)Model (0BB-00JHC0) serial # (WD-WMAMC74171)NStart LBA LengthStart C/H/S End C/H/Sboot Partition type1 P 000000063 020980827 0000/001/01 1023/254/630C Fat32X2 X 020980890 057175335 1023/000/01 1023/254/630F extended3 S 000000063 000032067 1023/001/01 1023/254/6301 Fat124 x 000032130 002104515 1023/000/01 1023/254/6305 extended5 S 000000063 002104452 1023/001/01 1023/254/6306 Fat166 x 002136645 004192965 1023/000/01 1023/254/6305 extended7 S 000000063 004192902 1023/001/01 1023/254/6316 other8 x 006329610 008401995 1023/000/01 1023/254/6305 extended9 S 000000063 008401932 1023/001/01 1023/254/630B Fat3210 x 014731605 010490445 1023/000/01 1023/254/6305 extended11 S 000000063 010490382 1023/001/01 1023/254/6383 Linux12 x 025222050 004209030 1023/000/01 1023/254/6305 extended13 S 000000063 004208967 1023/001/01 1023/254/6382 Linux swap14 x 029431080 027744255 1023/000/01 1023/254/6305 extended15 S 000000063 027744192 1023/001/01 1023/254/6307 NTFS16 S 000000000 000000000 0000/000/00 0000/000/0000 empty entry17 P 000000000 000000000 0000/000/00 0000/000/0000 empty entry18 P 000000000 000000000 0000/000/00 0000/000/0000 empty entry1 020980827 sectors 10742183424 bytes3 000032067 sectors 16418304 bytes5 002104452 sectors 1077479424 bytes7 004192902 sectors 2146765824 bytes9 008401932 sectors 4301789184 bytes11 010490382 sectors 5371075584 bytes13 004208967 sectors 2154991104 bytes15 027744192 sectors 14205026304 bytesLogHighlights:Created By
June 2008 iii Results of FTK Imager 2.5.3.14 3/3/2008 . June 2008 iv Results of FTK Imager 2.5.3.14 3/3/2008 . Introduction . The Computer Forensics Tool Testing (CFTT) program is a joint project of the National Institute of Justice (NIJ), the research and development organization of the U.S.
