The following transcript was generated by AI and may contain inaccuracies.
Harsh: A very good morning, afternoon, evening to everybody who has joined us today. Thank you for taking the time out. We’ll just give it 30 more seconds for people to join us and then we’ll get going.
All right. I think we have a lot of people who have joined us already, so in interest of time we will get going. Hello everybody. Thank you for joining us on this webinar, Picture the Proof: Powering Investigations with Exterro’s Imager Pro. For this webinar, we’ll walk you through who are your hosts for today, and then we’ll talk about FTK Imager Pro, the evolution of Imager.
A tool that has served the forensic community for years and years, how it is evolving and what has been launched in the market, how it can help in your workflows, and of course, looking forward to all your feedback and how we can make it even better. We are also going to be showing you live in action the features of Imager Pro, what makes Imager truly Pro is what we will be showing you.
And then finally, we will open the floor for all the questions, feedback, concerns, comments, and we’ll try to answer all of those. Today on this webinar, my name is Harsh Behl. I am the Vice President of Product Management for Forensics product line at Exterro.
I’m also joined by our very own wonderful Christine Hall. Christine Hall is Senior Solutions Engineer for digital forensics at Exterro. She has plenty of experience and accolades she’s accomplished over her career in digital forensics, consults with our clients globally on best practices and DFIR, and of course, helps showcase our solutions to the audience.
All right then, Exterro, who’s Exterro? The only data risk management platform out there in the world, which helps organizations manage, identify, mitigate and secure themselves from risks posed by data. We are a global team of over 800 people, and focusing the most on innovations.
Having 500 plus engineers leading customers globally. Recognized and celebrated globally by some of the most prestigious organizations as you see on your screen. And of course, offering you that trust with our safeguard principles that we have implemented throughout our platform, all the way from FedRAMP to HITRUST, and so on and so forth.
FTK suite of tools: many of you are aware of the range of FTK tools that we offer starting all the way from standalone investigations conducted by FTK, then going to large scale enterprise level solutions in the form of Lab Enterprise and Central, which serves various different needs. And then FTK Connect helping you with orchestration of workflows.
And then last but not the least, FTK Imager, a tool that we’ve been serving to the community for almost 25 plus years, 30 years now. And the latest edition that we are going to be talking about today is the FTK Imager Pro. But before we go to that, just a quick refresher for people who haven’t used Imager yet or are not aware of Imager.
FTK Imager is a free solution that allows examiners across the globe to create forensic images of computers. It allows you to create physical and logical images of the drives and computers that you come across, things that really mark the beginning of your investigations in your lab. The product has become a gold standard in imaging across the industry, has been used by hundreds of thousands of examiners globally, and is renowned and has been appreciated for its reliability across the globe.
And we continue serving this to our community. That is what truly motivated us to bring Imager Pro to the market. We continuously heard from the market that there is a gap where you want a solution that sits perfectly between FTK Imager and FTK, or a tool that allows you to do a little bit more from between the imaging to the analysis cycle.
Imager Pro does exactly that. Imager Pro has been launched at a very nominal price range, again, to serve the masses. And it brings to you advanced iOS logical collections. It allows you to detect various different types of encryption technologies, and then decrypt them on the fly and have decrypted data available at your hand.
These are the three key features that have been put into Imager Pro’s latest version that has been launched based on the community feedback, and this is just the beginning. We are just getting started with Imager Pro. Imager Pro will continue to evolve into a solution that will be able to support multiple operating systems and really would become that gold standard of imaging in the forensics or advanced imaging in the forensics world as well.
So as I mentioned already, the three main features that we have put in Imager Pro so far are the logical collections of iOS devices. So for those devices where you have the password of the device, you do not really need a full file system extraction or a file system extraction, and you only need to get the data that exists just on the device, you could do that with this tool.
Encryption detection: we continuously heard from examiners across the globe how they were desperately wanting a solution that could allow them to first detect encryption on the field and then bring just the decrypted data back. Or if they already have acquired images, if they have already got hard drives sitting in the lab waiting for prioritization, they could just now plug those into Imager, quickly decrypt those, and have a quick look at the drive before you decide whether to proceed ahead with it or not.
Or to prioritize which drive or which evidence should be imaged first and what should be imaged in it as well. A massive feature for the industry here. We support various different types of encryption technologies, from BitLocker to many, many others. We will share the handout. We’ll hand out the encryption technologies we support during this webinar in a PDF form as well for you to take a look at.
And as a result, you save tremendous space and time. You no longer have to have encrypted evidence, then a copy of it in a decrypted format, and then keeping both of those in your archival. You do not have to do that. You can simply just keep the decrypted data with you.
Again, I think we have discussed already how we can help in various different forms, all the way from acquiring iPhones to the decryption aspect. On the iPhone aspect, I would like to emphasize here, yes, there are more advanced tools that you would need in your investigations, in your labs to get that access to that data that you would typically not get from logical images.
But there are many instances, there are many scenarios and really a lot of teams that do not do all that work. They are most likely going to be performing logical extractions because that’s what their case warrants. So the price point at which Imager Pro comes becomes a huge value add for our customers.
Instead of spending thousands and thousands of dollars on other solutions that give you physical images or full file system images of iOS devices, I’m not saying you don’t need them, you absolutely need them, but for those units who don’t need those and could just work with the logical images, I think this is a good solution that you may want to try.
All right. Just wanted to put this out there for your reference. What is the difference between Imager and Imager Pro? What features you do not get in Imager versus Imager Pro? As I mentioned earlier, we will continue to offer the free version of Imager. That is not going away anywhere, so that you can still request from our website, but if you go to Imager Pro, you get all of those additional benefits that you do not get from Imager.
And like I said, this is the beginning with Imager Pro. We have bigger, better plans for Imager Pro to evolve into a more holistic solution as well. For imaging across the globe, across various different market segments. We are hearing now from our users how they are using Imager Pro.
So whether you are in a corporate environment, a service provider environment, a law enforcement or public sector organization, you could almost use Imager Pro for a lot of different use cases. We continue to hear how the on field or onsite collection teams want to detect the encryption they find on the scene and just bring the relevant decrypted data back.
Digital forensic investigators can use it to decrypt the data and then take it into FTK for investigation or other tools that they may want to use for investigation. And of course, corporate and e-discovery teams could continue to use that as well for initial triage. And now the time has come for me to hand it over to Christine Hall, who’s going to show you everything I’ve spoken about in detail during a live demo. So over to you, Christine.
Christine: Thank you, Harsh. And I’ll try and address some of the questions that I can see are popping up in the chat as I go through the live demo. So one of the things I was going to answer, which I’ve seen was a question that came up, was about running FTK light. So running FTK Imager from a USB stick.
So I have a USB stick plugged in here and I’ve got my FTK Imager Pro installation files, for those of you that run it that way, whether you call it FTK portable, FTK light, or FTK from a USB stick. When you run that, you will see it opens FTK Imager in the normal free version. This means that you will still be able to put the installation files on a USB stick and still run it like old FTK.
And there’s a reason for this because the features that I’m going to discuss on FTK Imager Pro are not features designed for a live running machine. So if you have Imager Pro and you place it on a USB stick, you will still be able to carry out those same workflows that you would’ve done ordinarily.
So you’ve got a live machine running and you want to collect the logical drive. You can still add those drives in. And then continue to get a logical image file, which you normally would. You can collect the files and folders. So when I used to be an analyst and I would do a triage on site, sometimes I don’t want to collect all of the data from a corporate environment.
I just want to go and collect a network share or files and folders. That’s still available for me to do. And again, one of the main reasons that I wanted to run FTK Imager on a live running machine was to capture the memory. Or to obtain the registry keys, which are normally locked on a live running machine.
So I can still run FTK Imager from a USB stick, but because it can’t see the license, I can only run it in the normal free Imager mode. When you have FTK Imager Pro, it is designed to be installed on either a laptop that you want to take out on site or in your own lab. So once I have FTK Imager installed, it can now see my license key.
So you’ll see that it’s now running in Pro mode. This now gives me some additional features. So this is designed to allow you to use your workstation and to be able to connect drives to it, to be able to do things like encryption detection and customized imaging.
For example, our first workflow that I want to talk about and our first feature for Imager Pro is if I had taken my laptop outside of my lab and I’m doing triaging. So one of the things that I used to do as an analyst is I used to go out with a police force and I would go into environments where we’d go through USB drives, external hard drives, computer devices, et cetera. And the idea was for me to triage devices so we can determine do those devices belong to the suspect or the person of interest?
Do we need to collect it? Now, if I was to come across a BitLocker drive in my old environment. So we’ll add in my BitLocker drive here. In free Imager, I would only be able to look at the encrypted drive. So I would only be able to add it in as an encrypted drive. If it was BitLockered, I would image the whole physical drive, knowing that when I got back to my lab, I could use one of my forensic tools to put in the BitLocker recovery key and then do my examination back in the lab.
What FTK Imager Pro gives you the ability to do is in that same scenario, somebody has given me a drive that’s got a BitLocker on. I’ll connect it to my laptop. So this time when I connect it to my machine and it prompts me, do I want to encrypt it or decrypt it, I can decrypt it either with the user key, with the recovery key or the user password, whichever one that you have at the time, you can add that in. So we’ll just do that quickly.
So now I can decrypt my BitLocker drive within Imager, and I haven’t had to physically image it first to be able to put the key in. So this allows me now when I’m outside of my lab or in a triage environment or in some sort of workflow where I may not want to image the whole drive because I don’t want to collect, or maybe I don’t have the time or the storage space to collect a whole two terabyte drive.
I can now look at that data. I can determine the files that are on there. Does it belong to my person of interest? Do I want to tell the officer they can seize it? Or maybe it belongs to a roommate or another family member. So we move on and we potentially don’t take this one. And the reason why we had that workflow was to reduce the amount of devices coming into the lab. So it was one way to help with the backlog.
So I could then triage the device. One of the questions that was asked was about the timestamps. So older Imager used to have the modified date. You can see now that we have the creation date and the access date added. So I can look through these documents. I can also sort by these columns so I can do some sort of triaging when I’m on site.
I can also, if I need to, now if you take the example of I’ve got a two terabyte drive, I’m outside of my lab, so the time it will take me to image that whole two terabyte drive, when I only need certain data. So what I’m going to do now instead is because I can look at this drive and I can add the password whilst I’m on site, I can see there’s folders that I’m interested in.
So I actually only want to capture the Christine folder, so I can add this to one of my custom images. So instead of collecting a whole two terabyte drive, I’ve literally only collected the folders that I need to get access to and I can take them away with me. It’s a much quicker way for me to get the data I want on site and take it back to my lab.
I can also click for a new filter. And here I can actually say not only can I say which folders and files I want, I can also add in things like I only want to capture the picture files, or maybe for this drive over the whole drive, I only want you to image where I’ve got picture files. So once I’ve created that, and I’ve done that earlier, so if I open that file up.
So I’ve done that custom image where I have said, go through this drive, this BitLocker drive, and only capture the JPEG files. So if you go through, you’ll see the same folder structure, but only captured the JPEG images. So you can use these custom imaging filters and criteria in FTK to narrow down the data that you want to collect.
And whilst that workflow in free Imager works for non-encrypted drives, FTK Imager Pro gives you the ability to use that same workflow on encrypted drives for BitLocker. Now, there are two ways that FTK Pro deals with encryption. Now in our handouts, we will supply you with a guide on the supported encryption that we have for Imager Pro, and you will see within that guide some encryption like BitLocker.
You can connect directly to the drive, add in the passcode password, and then you can decrypt on the fly. And there’s some others where you’ll need to add in the image file instead. This might be useful if you are in a corporate environment, for example, or an IT team and you want some sort of forensic capability, but you don’t need all bells and whistles forensic tool like FTK.
You might want something in a lighter environment. So let’s say you have an employee leaving or maybe a possible investigation, but you can’t quite start the investigation yet pending legal decisions or the decisions that need to be made, but you don’t want to take the hardware out of service.
So maybe an employee leaves, you need to recycle the laptop for the next employee, but you want to capture the data of that environment and your company uses some sort of encryption where you can image that drive as normal with Imager. And then when you are ready to view those image files, you can point to them.
So if I go back to my image files. And I can bring in an E01 image or a DD or whatever the file format is that I’ve imaged it in, and I can bring that into FTK as well. Again, it will prompt me for the BitLocker key, so I’ll just grab the other one. So now if I’m in a corporate environment and I wanted to capture that data.
When I’m ready to view it, I can decrypt it in FTK Imager and then I can view through that data. So if I have a lab where I want some sort of forensic capability, and I want to be able to have the option to create images to then be able to view at a later date, all of that can be done in FTK Imager Pro.
Now the third and final feature that I wanted to go through today is the ability to do iOS collections. So in my environment, I have an Apple iPhone connected to my laptop. The first time it was connected, sorry, that was the wrong option. The first time it was connected, it will ask you to trust the device.
So you’ll now see that when you have Imager Pro, you’ll now get this option to do iOS Advanced Logical Collections. When my device is first connected, it asks me to trust the machine, and then after that I’ll be able to do collections by typing in the pin code when prompted. So I’ll just wait for that to go to the next screen.
When it gets through to the next screen, you’ll see it will show me some details about the device itself, such as the IMEI number and the serial number, and then it will show me the details of the phone so that I can extract it. There we go. So you’ll see these are the details of the handset that I’ve got connected because I have previously extracted it.
This is greyed out, but this gives you the option to put in a password for your iTunes backup. Now, we do recommend using 1, 2, 3, 4, but obviously if you have your own workflows in house where you use different passwords for each handset, you can do that as well. And then you’ll see that everything else looks like Imager.
To put your evidence numbers in your case details, any notes that you want, and then you’ll carry out an image, so you click Start image, and it’ll go on its merry way. I have extracted this phone already, so if I bring those image files back into FTK Imager, you can see what is extracted.
So you’ll see here I’ve got an AD1 of the image files of the mobile phone. And as with imaging a computer device, you’ll also get this text file for your notes, telling you what version of Imager you use, the details that you put in, and your hashes and the dates and times. So this document is quite helpful for your notes as well.
In Imager here you’ll see the files that have been extracted from the iOS device. Now, as you can see here, it is the files and folders that have been extracted. Imager Pro doesn’t parse out the mobile data. This is where the iOS feature of FTK Imager works great with FTK Central and FTK standalone.
If you already have FTK and you want to bring in the ability for mobile captures, when you bring that same data that I’ve just shown you in Imager Pro into FTK, you will be able to use Exterro’s mobile parser to parse out those artifacts, those calls, those messages, those details from that mobile phone.
And then you can take advantage of the mobile capability that we have in FTK to go through things like the smart grid or entity management, where you can see how the communication has broken down between people to be able to filter it out. Using FTK with Imager Pro is another way to add mobile capability into your environment because don’t forget FTK also supports mobile extractions from other tools as well. So it’s a way to enhance that capability that you have in your lab.
So I hope that went through the main features of FTK Pro, and if you do have any more questions, please add them to the Q&A session and we’ll answer as many as we can. If you would like any more information, please scan this QR code and you’ll find more information, webinars, and questions on our website for Imager Pro.
And if you are an FTK user, don’t forget, in this last week, we have also released a new patch, Hotfix three, which you can find on our Exterro product download page. So please go to our website and you’ll be able to find that. Just quickly check if we’ve got any questions now. All the questions have been answered. So thank you very much.
Harsh: So, Christine, I’m so sorry. I would just like to do a little bit of housekeeping here towards the end. So lots and lots of requests are coming in for us on some really good ideas. For example, one common thing we are hearing is whether there will be a Mac version of it. So the answer to that is today, it’s not there, but we are working towards that as well.
Also, we would encourage you to submit your ideas to us using our Canny portal or our forensics ideas portal. I am going to paste the link for it in the chat window, so please feel free to go there and submit all your ideas you may have for forensics or Imager Pro or any of our tools. It doesn’t matter whether it’s our tool or the problem that you run into, we would encourage you all to publish or put your ideas on that board.
That board is continuously monitored by our product team and we would really appreciate it. A question has just come in, does it work with the latest iOS? Yes, it absolutely does work with the latest iOS operating system for what it does. So for the logical acquisition, yes, it does work.
Currently Android is not supported for logical acquisitions on Imager Pro. Again, we would love to hear from you if you would like this to be included in Imager Pro. Please go and submit your idea at our portal. Once an idea receives enough votes, I think that gives us an indication of whether it’s relevant to the market or not. So please definitely submit your ideas there.
We’ll give another few minutes for you to ask us more questions, so feel free to put your questions in the Q&A box or in the chat window, whatever you prefer. We’ll give it a couple of minutes. We did receive a lot of questions, but almost all of those have been answered already.
So if there are no other questions, we could absolutely call it today here. All right. Christine, anything else that I may have missed? Can FTK Imager also do iOS or is it only Pro? Only Pro version can do iOS. The usual Imager cannot acquire logical images from iOS devices.
All right. Thank you again for joining the webinar today. It was short and sweet. We hope to receive your further feedback. And feel free to reach out to any of us if you need to have any questions. Thank you again. Have a good rest of your day.
Christine: Thank you all.