How To Use FTK Imager to Recover Deleted Files

Digital forensics involves acquiring digital evidence such as disk drives from computers, memory cards from phones, and portable media such as flash drives. The collected drives and media are copied bit by bit in a process called disk imaging, and the copies, rather than the original media, are analyzed.

When a file is deleted, the file system removes or marks unused the directory entry that pointed to it, but the file's contents are not erased from the disk. A deleted file can be recovered as long as the space it occupied has not been overwritten by new files.
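To make the mechanism above concrete, here is an added example (not part of the original page and not FTK Imager's code) that simulates a small FAT-style volume: deleting a file only overwrites the first byte of its directory entry with the FAT deletion marker 0xE5 and frees its clusters, and a scan of the directory, the kind a forensic tool performs, can still read the contents until a newer file reuses those clusters. The cluster size, volume size and file names are constructed for the demo.

```python
import struct
CLUSTER = 16      # constructed toy cluster size in bytes
N_CLUSTERS = 8    # constructed toy volume size
DELETED = 0xE5    # FAT convention: first name byte of a deleted directory entry

class Volume:   # toy FAT-style volume: directory table + allocation table + data area
    def __init__(self):
        self.data = bytearray(CLUSTER * N_CLUSTERS)  # data area, never wiped on delete
        self.fat = [0] * N_CLUSTERS                  # allocation table: 0 free, 1 in use
        self.dir = []                                # entries: 11-byte name, u16 start, u32 size
    def write(self, name, payload):
        need = -(-len(payload) // CLUSTER)
        free = [c for c, used in enumerate(self.fat) if not used][:need]
        if len(free) < need:
            raise OSError("volume full")
        for k, c in enumerate(free):
            self.fat[c] = 1
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = payload[k * CLUSTER:(k + 1) * CLUSTER].ljust(CLUSTER, b"\0")
        self.dir.append(bytearray(struct.pack("<11sHI", name.ljust(11).encode(), free[0], len(payload))))
    def delete(self, name):
        for e in self.dir:
            if e[0] != DELETED and e[:11].rstrip() == name.encode():
                start, size = struct.unpack_from("<HI", e, 11)
                for c in range(start, start + -(-size // CLUSTER)):
                    self.fat[c] = 0      # clusters released; the bytes in them stay put
                e[0] = DELETED           # the only change made to the directory entry
                return
        raise FileNotFoundError(name)
    def recover_deleted(self):
        # Forensic-style scan: 0xE5 entries are deleted files. Read their clusters assuming
        # they were contiguous (the chain is gone) and flag clusters a newer file has reused.
        found = {}
        for e in self.dir:
            if e[0] != DELETED:
                continue
            name = (b"?" + e[1:11].rstrip()).decode()   # first name character is lost
            start, size = struct.unpack_from("<HI", e, 11)
            overwritten = any(self.fat[c] for c in range(start, start + -(-size // CLUSTER)))
            content = bytes(self.data[start * CLUSTER:start * CLUSTER + size])
            found[name] = (content, overwritten)
        return found

def demo():
    v = Volume()
    v.write("secret", b"A" * 20)            # occupies clusters 0 and 1
    v.delete("secret")
    before = v.recover_deleted()["?ecret"]  # (b"A"*20, False): fully recoverable
    v.write("new", b"C" * 3)                # reuses freed cluster 0
    after = v.recover_deleted()["?ecret"]   # first 16 bytes now belong to "new"
    return before, after
```

The second recovery result shows why a deleted file is only recoverable until the space is reused: the tail in cluster 1 survives, but cluster 0 now carries the new file's bytes.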

FTK Imager is a forensic toolkit that can create image files of disks and other storage memory and examine them to see whether they contain any deleted files.

To use FTK Imager:

  1. Download FTK Imager if you do not already have it from here (or from AccessData).
  2. Start FTK Imager by double-clicking on it.
  3. Click on Add Evidence Item.
  4. Choose Image File and browse to the Desktop to find your downloaded evidence image file.
  5. Open all the folders in the left window by clicking on the + signs.
  6. Click on root.
  7. Click on the files shown in the middle window. FTK Imager marks deleted files whose contents have not been overwritten with a red X.