Incident Response Tools: FTK for Linux
January 11, 2016
Incident response is an essential component of an IT security team and plan. Within an incident response plan, forensics should play a critical role for recovering, copying, and preserving digital evidence. This blog post elucidates why the free version of FTK for Linux is sufficient for IT professionals looking to get started in a forensics career.
What does the free FTK for Linux do?
FTK Imager scans a hard drive, can make a copy of it, and saves that copy in several formats, including raw format. FTK can parse a number of filesystems and scan for emails, text strings, and other information. The toolkit lets you run fast and accurate analysis for processing, indexing, searching, and filtering data to identify the evidence that matters in a data breach. You can also perform manual data carving with FTK, which is not possible with similar tools such as TestDisk.
Overall, the FTK toolkit allows incident response and forensic professionals to work across massive data sets on multiple device types, network data, hard drives, and Internet storage. The paid version of FTK groups all of the forensics tools available with FTK into one user-friendly GUI. However, if you call yourself a capable Linux security professional, then you won’t need the paid version of FTK or EnCase for forensics work.
Why is FTK Imager better for you than EnCase Imager on Linux?
Brett Muir wrote a great blog post called “EnCase Imager vs. FTK Imager”, where he concludes that he would still turn to FTK Imager over EnCase for several reasons. His conclusions include the fact that FTK Imager has a smaller footprint in RAM, can mount images, previews most files, detects EFS encryption, and supports more image formats. His analysis lends further support to choosing FTK Imager over EnCase because of the performance advantages listed above.
Blogger Josh Lowery’s opinion, in a blog post titled “Installing FTK Imager Lite in Linux Command Line”, concurs with Muir’s view. The NYC-based computer forensics analyst says he prefers FTK since it is a “lightweight, fast, and efficient means to extract the image from your suspect drive.”
Linux systems contain, or can install for free, most forensic tools. Yes, you can opt for the GUI-friendly, all-inclusive paid FTK suite or the EnCase Imager suite, but if you are comfortable working on a Linux system and prefer open-source tools, you will most likely opt for the free FTK Imager download for copying data, indexing it, searching it, and carving. From there you will learn free tools such as xxd for hex dumps, gdb for debugging, and The Sleuth Kit alongside other forensics tools.
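As an added example (not code from the original post, nor from FTK or The Sleuth Kit), the POSIX shell functions below do two things a practitioner wants right after acquiring a raw image of the kind FTK Imager writes: record the image's SHA-256 at acquisition time and re-verify it before analysis, and sanity-check that the image actually captured a disk by reading the MBR boot signature at bytes 510-511. The sample image is constructed inline with dd so the script runs offline; od is used for the byte read because it is present on every Linux system, and `xxd -s 510 -l 2 image.raw` shows the same two bytes.

```shell
#!/bin/sh
# Constructed example: integrity and sanity checks on a raw (dd-style) disk image.
set -eu

# Print the SHA-256 of a file, using whichever hashing tool is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Store the acquisition hash beside the image; this is the value every later
# verification is compared against, so keep it with the evidence.
record_hash() {
    hash_file "$1" > "$1.sha256"
}

# Re-hash the image and compare with the recorded value.
# Returns 0 if the image is unchanged, 1 if it differs (or the sidecar is missing).
verify_image() {
    [ -f "$1.sha256" ] || return 1
    recorded=$(cat "$1.sha256")
    current=$(hash_file "$1")
    [ "$recorded" = "$current" ]
}

# A raw image of an MBR-partitioned disk ends its first sector with 55 aa.
# Equivalent hex dump: xxd -s 510 -l 2 "$1"
has_boot_signature() {
    sig=$(od -A n -t x1 -j 510 -N 2 "$1" | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Build a constructed 1 MiB "image" whose first sector carries the MBR
# signature (0x55 0xAA, written here as octal escapes for printf).
make_sample_image() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}
```

In practice the hash is recorded once on the write-blocked acquisition host and verify_image is re-run every time the image is copied or opened, so any silent corruption shows up before it taints the analysis.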
FTK, EnCase and other tools are addressed in our Incident Response course.