How to Keep Digital Evidence Safe: A Simple Guide Using FTK Imager and E3

HACKSBLOGS

Winston.I

9/2/2024

When investigating digital evidence, like files from a computer, it's super important to make sure nothing changes along the way. One way to do this is by creating and checking "hash codes", a kind of digital fingerprint calculated from each file's contents. This guide will show you how to use two tools, FTK Imager and E3, to make sure your evidence stays safe and unchanged.

Step 1: Getting Started with FTK Imager

FTK Imager is a tool that helps investigators look at files on a digital drive without changing anything. It also creates hash codes for those files, which can be used to prove that the files haven’t been tampered with.

Loading Your Evidence

First, you need to load the drive with the files you want to investigate into FTK Imager. This lets you see everything on the drive without actually touching or changing the original files.

Finding Important Files

Once the drive is loaded, you can start looking through it to find any files that seem suspicious or important for your case. When you find something, you should save a copy of it so you can check it out more closely later.

Creating Hash Codes

After you’ve found and saved the files you need, FTK Imager can create hash codes for them. Think of these hash codes like a digital fingerprint—if the hash code stays the same, you know the file hasn’t been changed.

Step 2: Double-Checking with E3

To be extra sure that the files haven’t changed, it’s a good idea to check the hash codes with another tool. That’s where E3 comes in. By comparing the hash codes from both FTK Imager and E3, you can be confident the files are exactly the same.

Loading the Files in E3

Just like with FTK Imager, you start by loading the drive with the files into E3. This helps you see the files and check their hash codes without changing anything.

Comparing the Hash Codes

Now, you’ll look at the hash codes for the files in E3. If these hash codes match the ones you got from FTK Imager, the files are identical to what FTK Imager hashed, which means they haven’t been tampered with and are still in their original state.
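The comparison described above can also be scripted as a third, independent check. The following is an added example, not part of the original post and not the export format of FTK Imager or E3: it assumes you have copied each tool's hash values into a dictionary keyed by file name, and that both tools report MD5 and SHA-1. All function names and sample data are hypothetical.

```python
import hashlib
import os
import tempfile
ALGOS = ("md5", "sha1")  # assumed: the two algorithms both tools report

def file_hashes(path, chunk_size=1 << 20):
    """Read the file once in chunks; return lowercase hex digests."""
    digests = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def normalize(value):
    return value.replace(" ", "").strip().lower()  # tools differ in case/spacing

def cross_check(tool_a, tool_b, evidence_dir=None):
    """tool_a / tool_b: {filename: {"md5": hex, "sha1": hex}} -> {filename: status}."""
    results = {}
    for name in sorted(set(tool_a) | set(tool_b)):
        a, b = tool_a.get(name), tool_b.get(name)
        if a is None or b is None:
            results[name] = "missing from one tool"
        elif any(normalize(a[k]) != normalize(b[k]) for k in ALGOS):
            results[name] = "MISMATCH between tools"
        else:
            results[name] = "match"
            if evidence_dir:  # re-hash the saved copy as an independent check
                actual = file_hashes(os.path.join(evidence_dir, name))
                if any(actual[k] != normalize(a[k]) for k in ALGOS):
                    results[name] = "saved copy differs from recorded hash"
    return results

def demo():  # constructed sample files and records, not real case data
    with tempfile.TemporaryDirectory() as d:
        samples = {"note.txt": b"constructed sample A", "img.bin": b"constructed sample B"}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        a = {n: file_hashes(os.path.join(d, n)) for n in samples}
        b = {n: {k: v.upper() for k, v in h.items()} for n, h in a.items()}
        b["img.bin"]["sha1"] = "0" * 40  # constructed disagreement
        b["extra.doc"] = {"md5": "0" * 32, "sha1": "0" * 40}  # only in tool B
        return cross_check(a, b, d)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Any status other than "match" means the file needs a closer look before you rely on it.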

Conclusion

Keeping digital evidence safe and unchanged is really important in any investigation. By using tools like FTK Imager and E3 to create and check hash codes, you can make sure that the evidence you have is solid and hasn’t been messed with. Following these simple steps will help you protect your evidence and make sure it holds up in court.