FTK Imager is a free tool from Access Data that has a few key functions:
1. Capture live memory and dump it to a .mem file (to be used with Volatility, Rekall, etc. later)
2. Create a custom content image from the file system. This allows us to obtain event logs, registry hives and other forensic artifacts in one fell swoop
3. Mount image files to allow perusal of the file system
Key file types to use within the custom content image are as follows:
$MFT
$Logfile
$USN (the USN change journal, found under $Extend\$UsnJrnl)
$J (the journal's data stream, which holds the change records)
Registry hives: SAM, SYSTEM, SECURITY, SOFTWARE, DEFAULT
NTUSER.DAT (obtained from each user's profile)
USRCLASS.DAT
*.evtx
setupapi.dev.log (this is the Plug and Play device installation log)
Other useful files include the IIS logs (\inetpub\logs\LogFiles) and the Windows Firewall log
*.lnk (Shortcut files)
*.pf (Prefetch files)
Pagefile.sys
Hiberfil.sys (Can be converted by Volatility)
Jump Lists from C:\UserProfile\AppData\Roaming\Microsoft\Windows\Recent\
The user's AppData folder
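As an added example (not from this post, and not part of FTK Imager), the script below takes the root of an image mounted with FTK Imager, checks which of the artifacts listed above are actually present, and writes a SHA-256 manifest row for each one so the collection can be documented and gaps explained. It assumes a default Windows directory layout with the path case NTFS normally carries; the firewall log location is the Windows default, which the list above does not give.

```python
import glob
import hashlib
import os
import sys

# Glob patterns (relative to the mounted volume root) for the artifacts listed
# above; assumes a default Windows layout. Firewall log path is the Windows default.
ARTIFACT_PATTERNS = {
    "mft": ["$MFT"],
    "logfile": ["$LogFile"],
    "usn_journal": ["$Extend/$UsnJrnl*"],  # the $J change records live here
    "registry_hive": ["Windows/System32/config/" + h
                      for h in ("SAM", "SYSTEM", "SECURITY", "SOFTWARE", "DEFAULT")],
    "ntuser": ["Users/*/NTUSER.DAT"],
    "usrclass": ["Users/*/AppData/Local/Microsoft/Windows/UsrClass.dat"],
    "event_log": ["Windows/System32/winevt/Logs/*.evtx"],
    "setupapi": ["Windows/inf/setupapi.dev.log"],
    "iis_log": ["inetpub/logs/LogFiles/**/*.log"],
    "firewall_log": ["Windows/System32/LogFiles/Firewall/*.log"],
    "prefetch": ["Windows/Prefetch/*.pf"],
    "pagefile": ["pagefile.sys"],
    "hiberfil": ["hiberfil.sys"],
    "jump_lists": ["Users/*/AppData/Roaming/Microsoft/Windows/Recent/**/*"],
}

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so pagefile.sys or hiberfil.sys never sit in memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory(root):
    """Return (found, missing): manifest rows for present artifacts, labels with no match."""
    found, missing = [], []
    for label, patterns in ARTIFACT_PATTERNS.items():
        hits = {p for pat in patterns
                for p in glob.glob(os.path.join(root, pat), recursive=True)
                if os.path.isfile(p)}
        if not hits:
            missing.append(label)  # a gap to explain in the collection report
        for path in sorted(hits):
            found.append({"label": label, "path": os.path.relpath(path, root),
                          "size": os.path.getsize(path), "sha256": sha256_file(path)})
    return found, missing

if __name__ == "__main__":  # e.g. python artifact_inventory.py /mnt/image_c
    print(*inventory(sys.argv[1])[0], sep="\n")
```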
If you want to see what else FTK Imager can do, take a look at my blog post on FTK Imager here, where I explain how to create a custom content image: https://dfirinsights.com/2018/02/15/ftk-imager-creating-custom-content-images-with-classic-file-type…