AccessData Imager Release Notes

Transcription

1 AccessData Imager Document Date: 10/27/ AccessData Group, Inc. All rights reserved. This document lists the changes in the verion of AccessData Imager. All known issues published with previous release notes still apply until they are listed under Fixed Issues. New Features AccessData Imager has been updated so that it can read AD1 files created by 6.x versions of FTK, Summation, and ediscovery. See Version compatibilty on page 2. The installation files were rebuilt with an updated time stamp on the signature. Important Things to Know Image mounting requires the latest Imager drivers be used on the computer. (58791) To ensure the latest drivers are used, complete the following steps: 1. As administrator, open a command prompt, and execute the following commands: sc delete cbdisk sc delete cbdisk2 2. Reboot the computer. FTK Imager does not have HPA or DCO support but can leverage technology (like some write-blockers) When installing Imager, a prompt to install device software from the company EldoS Corporation appears. In order to complete the Imager install, you must select the option to Always trust software from EldoS Corporation and then click Install. AccessData Imager

2 Version compatibilty Starting with Imager 3.4.1, AccessData has produced a new AD1v4 image format that is different than the previous AD1v3 format. Older versions of AccessData products cannot recognize the new v4 format. As a result, two versions of Imager are available to download and use: Imager Imager (and later) Use the following table to understand which products can use which AD1 format. AD1 Image versions and supported applications Imager and later FTK 6.0 and later Summation 6.0 and later ediscovery 6.0 and later Imager If you create an AD1 using one of these products, it is created only in the new v4 format. These products can read either AD1v3 or AD1v4 image files. This version can read either AD1v3 or AD1v4 files but creates only AD1v3 files. Use this version when working with AD1 files for 5.x versions of FTK, Summation, or ediscovery You can use this version to open an AD1v4 file and save it as an AD1v3 file. (See below) FTK 5.x and earlier Summation 5.x and earlier ediscovery 5.x and earlier Imager 3.3.x and earlier These products can read only AD1v3 files. These products can create only AD1v3 files. Converting v4 image files to v3 It is important to note that AD1 files created in 6.x versions of FTK, Summation, or ediscovery are the v4 format and cannot be read by 5.x versions and earlier of those products as well as Imager 3.3.x and earlier. Using an older version of Imager will result in an "Image detection failed" error. However, you can open a v4 file in Imager (only) and save it as a v3 file. To use Imager to convert a v4 file to a v3 file, note the following: The verification hashes will be different because a v4 AD1 includes GUID tables that get hashed. To avoid having the top-level (filesystem) node's name changed, the AD1 should be created by doing the following: Correct: File > Create Disk Image (follow wizard) Incorrect: Add AD1, expand, right click on filesystem node in tree, Export Logical Image (AD1) Note: Note: An AD1 image is not really a disk image even though the option you use is Create Disk Image. AccessData Imager Important Things to Know 2

3 Determining the Version of an Image File A hex editor can be used to quickly determine if your AD1 is v3 or v4. Comments? We value all feedback from our customers. Please contact us at support@accessdata.com, or send documentation issues to documentation@accessdata.com. AccessData Imager Comments? 3

4 AccessData Imager Document Date: 12/08/ AccessData Group, Inc. All rights reserved. This document lists the changes in AccessData Imager All known issues published with previous release notes still apply until they are listed under Fixed Issues. Important Things to Know Image mounting requires the latest Imager drivers be used on the computer. (58791) To ensure the latest drivers are used, complete the following steps: 1. As administrator, open a command prompt, and execute the following commands: sc delete cbdisk sc delete cbdisk2 2. Reboot the computer. FTK Imager does not have HPA or DCO support but can leverage technology (like some write-blockers) When installing Imager, a prompt to install device software from the company EldoS Corporation appears. In order to complete the Imager install, you must select the option to Always trust software from EldoS Corporation and then click Install. Fixed Issues When using the Create Disk Image option, and selecting a source that is another image file, the new image file will have the same hash value of the source file because it is a copy of the image file. If you use the Add Evidence option, then select an image file, and then use Export Logical Image, the new image file will have a unique hash value. (13767) AccessData Imager

5 Comments? We value all feedback from our customers. Please contact us at or send documentation issues to AccessData Imager Comments? 5

6 AccessData Imager Document Date: 11/04/ AccessData Group, Inc. All rights reserved. This document lists the changes in AccessData Imager All known issues published with previous release notes still apply until they are listed under Fixed Issues. Important Things to Know Image mounting requires the latest Imager drivers be used on the computer. (58791) To ensure the latest drivers are used, complete the following steps: 1. As administrator, open a command prompt, and execute the following commands: sc delete cbdisk sc delete cbdisk2 2. Reboot the computer. FTK Imager does not have HPA or DCO support but can leverage technology (like some write-blockers) When installing Imager, a prompt to install device software from the company EldoS Corporation appears. In order to complete the Imager install, you must select the option to Always trust software from EldoS Corporation and then click Install. Fixed Issues Hard links parsed from an HFS+ system now display correctly in Imager. (13767) Comments? We value all feedback from our customers. Please contact us at support@accessdata.com, or send documentation issues to documentation@accessdata.com. AccessData Imager

7 AccessData Imager Document Date: 06/20/ AccessData Group, Inc. All rights reserved. This document lists the changes in AccessData Imager All known issues published with previous release notes still apply until they are listed under Fixed Issues. Important Things to Know Image mounting requires the latest Imager drivers be used on the computer. (58791) In order to ensure the latest are used, do the following: 1. As administrator, open a command prompt, and execute the following commands: sc delete cbdisk sc delete cbdisk2 2. Reboot the computer. AccessData FTK Imager does not have HPA support but can leverage technology (like some writeblockers) AccessData: FTK Imager does not have DCO support but can leverage technology (like some writeblockers) New and Improved The following are enhancements: You can now create an image of WIndows 8/8.1 computers. Fixed Issues When running Imager on a Windows 8 computer, and mounting an ISO, the mounted ISO will now be displayed in the list. (32105) AccessData Imager

8 Comments? We value all feedback from our customers. Please contact us at or send documentation issues to AccessData Imager Comments? 8

9 AccessData Imager Document Date: 11/21/ AccessData Group, Inc. All rights reserved. This document lists the changes in AccessData Imager All known issues published with previous release notes still apply until they are listed under Fixed Issues. Important Things to Know Image mounting requires the latest Imager drivers be used on the computer. (58791) In order to ensure the latest are used, do the following: 1. As administrator, open a command prompt, and execute the following commands: sc delete cbdisk sc delete cbdisk2 2. Reboot the computer. AccessData FTK Imager does not have HPA support but can leverage technology (like some writeblockers) AccessData: FTK Imager does not have DCO support but can leverage technology (like some writeblockers) New and Improved The following are enhancements: Support for Microsoft Resilient File System (MS ReFS) The Microsoft Resilient File System (ReFS) found in Windows 8 and Windows Server 2012 is now supported. Support of Tableau-created files Opening incomplete Tableau-created E01 files is now supported. Support for Encase Lx01 image files Lx01 files are now supported. AccessData Imager

10 Fixed Issues NTFS support has been enhanced so the MFT is now used to build the file tree, not relying on $I30s directory indexes which may be corrupt. (24868) Fixed the issue that caused L01 files to be shown as a single byte file. (28498) Known Issues When running Imager on a Windows 8 computer, and mounting an ISO, the mounted ISO will not be displayed in the list. (32105) Comments? We value all feedback from our customers. Please contact us at support@accessdata.com, or send documentation issues to documentation@accessdata.com. AccessData Imager Fixed Issues 10

11 AccessData Imager Document Date: 6/13/ AccessData Group, Inc. All rights reserved. This document lists the changes in AccessData Imager All known issues published with previous release notes still apply until they are listed under Fixed Issues. Important Things to Know Image mounting requires the latest Imager drivers be used on the computer. (58791) In order to ensure the latest are used, do the following: 1. As administrator, open a command prompt, and execute the following commands: sc delete cbdisk sc delete cbdisk2 2. Reboot the computer. AccessData FTK Imager does not have HPA support but can leverage technology (like some writeblockers) AccessData: FTK Imager does not have DCO support but can leverage technology (like some writeblockers) New and Improved The following are enhancements: Destination Spanning When creating an image, you can now specify secondary locations to be used if the first location fills up. Enhanced Features for Command-line Imager You can now capture the RAM of a target computer You can now capture the Pagefile contents of the target computer AccessData Imager

12 Known Issues For imager CLI, if you type ftkimager.exe and press enter, you get an error rather than getting the command-line help. You can access the help by typing ftkimager.exe -help. (23007) Comments? We value all feedback from our customers. Please contact us at or send documentation issues to AccessData Imager Known Issues 12

13 AccessData Imager Document Date: 2/25/ AccessData Group, LLC All rights reserved. This document lists the changes in AccessData Imager All known issues published with previous release notes still apply until they are listed under Fixed Issues. Important Things to Know Image mounting requires the latest Imager drivers be used on the computer. (58791) In order to ensure the latest are used, do the following: 1. As administrator, open a command prompt, and execute the following commands: sc delete cbdisk sc delete cbdisk2 2. Reboot the computer. AccessData FTK Imager does not have HPA support but can leverage technology (like some writeblockers) AccessData: FTK Imager does not have DCO support but can leverage technology (like some writeblockers) New and Improved The following are enhancements: Improved the detection and handling of corrupt $I30 index allocations. Known Issues There are no new known issues in this release. AccessData Imager

14 AccessData Imager Document Date: 9/6/ AccessData Group, LLC All rights reserved. This document lists the changes in AccessData Imager All known issues published with previous release notes still apply until they are listed under Fixed Issues. New and Improved The following are enhancements: FTK Imager now supports creating, reading, and verifying E01 files of drives greater than 2TB CLI Imager now supports creating and verifying E01 files of drives greater than 2TB. When performing a memory capture, you can now do the following: Include the pagefile Save the memory capture as an AD1 file Fixed Issues The following issues have been fixed: Imager will now attempt to read exfat file system images even if there is a slight disparity between the sector count of the volume and the exfat partition information. Before, if any disparity existed, it would detect that the image had an invalid volume boot record, and it would not attempt to read the image. (69587) AccessData Imager

15 Important Things to Know Image mounting requires the latest Imager drivers be used on the computer. (58791) In order to ensure the latest are used, do the following: 1. As administrator, open a command prompt, and execute the following commands: sc delete cbdisk sc delete cbdisk2 2. Reboot the computer. Known Issues There are no new known issues in this release. Comments? We value all feedback from our customers. Please contact us at support@accessdata.com, or send documentation issues to documentation@accessdata.com. AccessData Imager Important Things to Know 15

16 AccessData FTK Imager This document lists the bug fixes for AccessData Imager All known issues published with previous release notes still apply until they are listed under Fixed Issues. New and Improved The following is an enhancement: There is a new option in FTK Imager s File menu to Decrypt AD1 Images. (56793) EFS Encryption detections now return a message when the encryption is not found as well as when it is found. (57849) Fixed Issues The following issues have been fixed: Fixed an issue where the Content Viewer in Imager would not preview files if Internet Explorer 9 was installed. (59339) Fixed an issue where a.csv file was not created for CDFS images when the Create directory listings of all files in the image after they are created is marked. (60895) Fixed an issue where creating a directory listing of a system containing exfat crashes Imager. (59228) Fixed an issue where a.txt file was not being generated after using the ADEncrypt utility. (56726) Removed a non-functioning button from the Imager toolbar. (57815) The progress bar in the File > Verify dialog has been updated to provide better feedback. (54920) Known Issues The following items are known issues: When mounting an image to a drive, it may be possible to inadvertently choose a mapped drive that is already consumed and unavailable. If this occurs FTK does not change the mapped drive. To work around this, in Windows make sure that the drive letter that you choose to map for mounting the image is free before you select it. (57539) Image mounting does not work in FTK or Imager if the agent is installed on that machine. (58791) AccessData FTK Imager

17 Comments? We value all feedback from our customers. Please contact us at or send documentation issues to AccessData FTK Imager Comments? 17

18 Imager These release notes apply to AccessData FTK Imager New and Improved Added support for AD Encrypted images. Bug Fixes Fixed a problem where an exported directory listing included a size column, but no size data was populated in the column cells. (17425) Comments? We value all feedback from our customers. Please contact us at support@accessdata.com, or send documentation issues to documentation@accessdata.com. Imager