Question:

1) Download FTK Imager from Access Data: https://accessdata.com/product-download/ftk-imager-version-4.2.0 (you may have to give some personal information to get the download)

2) Using the image Lab04.E01 found at: https://drive.google.com/open?id=1aCMLjk1z1PZZo6y2EV21aryI-2rShBta. Add the image as an Evidence item, using the File Menu (FTK Imager allows you to add evidence from physical volumes, logical volumes, image files, and folders.)

i. You will select Image File and browse to find the image.

ii. Load the image and explore it.

1. Find two deleted files and export them to your machine. Take screenshots showing that they are deleted (Red X over file icon). Take screenshots showing the files on your desktop.

2. Find KittyMontage.mov and TiggerTheCat.m4v and export them to your machine. Take screenshots showing the files on your desktop.

3. Find the free space file with filename 2047941 and tell me how many sectors it contains.

iii. Export the image as a file (.001).

1. Make sure the Verify images after they are created button is checked.

2. What is the difference in size between the two image files?

3. What are the MD5 and SHA1 hash values of the two files?

3) Now, add a thumb drive or something else as both a physical drive and logical drive and observe the differences.

a. Describe the differences between the files. Are the hash values different? Why or why not?
